Interpretation of Key Points of the First Revision of the Cybersecurity Law

2022-09-23 13:52


Authors: 陈文昊 王艺


Introduction


Since taking effect in 2017, the Cybersecurity Law of the People’s Republic of China (the “CSL”) has provided a strong legal safeguard for cyberspace sovereignty, national security and the public interest, and for the legitimate rights and interests of citizens, legal persons and other organizations. On September 14, 2022, the Cyberspace Administration of China (the “CAC”) released the Decision on Amending the Cybersecurity Law of the People’s Republic of China (Draft for Comment) (the “Revised Draft of the CSL”), the first revision of the CSL. The revision aims to coordinate the CSL with newly implemented laws, and to further improve the legal liability system and safeguard cybersecurity. This article sets out six key points of the Revised Draft of the CSL that merit attention, together with our observations and suggestions, for your reference.



I. Key Points of the Revised Draft of the CSL


1. Align the maximum penalty with that in the Personal Information Protection Law

The CSL currently provides two tiers of penalty, for “violation of this law” and for “refusal to make rectifications or serious circumstances”. The Revised Draft of the CSL changes this to three tiers by adding a tier for “especially serious circumstances”. The maximum penalty in the “especially serious circumstances” tier is aligned with the penalty in the Personal Information Protection Law (the “PIPL”), namely “a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year”. On the one hand, this reflects coordination with the PIPL; on the other hand, it greatly increases the cost of violating the CSL.

2. Increase penalties for responsible personnel

The Revised Draft of the CSL adopts the PIPL’s “qualification penalty” mechanism for the person directly in charge and other directly liable persons. It provides that, in “especially serious circumstances”, the person directly in charge and other directly liable persons may be prohibited, for a certain period of time, from acting as directors, supervisors or senior executives of relevant enterprises, or from working in key positions relating to cybersecurity management and network operations. At the same time, the maximum fine for responsible persons has been raised to 1 million yuan. As a result, the legal risk borne by the person in charge of cybersecurity and those in related positions has further increased, and their responsibilities have basically been aligned with those of the person in charge of data security and the person in charge of personal information protection.

3. Impact on CIIOs

Critical information infrastructure operators (CIIOs) need to carry out self-examination on whether they are identified as CIIOs and on whether the network products and services they procure may affect national security, so as to avoid incurring the maximum penalty. This penalty mechanism will be a very strong deterrent to many CIIOs and to enterprises that may be identified as CIIOs, which face the risk of high costs in replacing their existing network products and services.

4. Responsibility of network operators

If a network operator sells or provides critical network equipment or specialized cybersecurity products without the required certification or testing, both the enterprise and the directly responsible personnel face a relatively high risk of penalties. In addition, network operators must provide technical support and assistance to public security organs and state security organs in their lawful activities of safeguarding national security and investigating crimes; otherwise they will face penalties.

5. Other parties subject to penalties

Organizations or individuals who fabricate or disseminate false information that disturbs the economic and social order, or who infringe upon the reputation, privacy, intellectual property rights and other legitimate rights and interests of others (a category that may be linked to the topics of competitive interests and data property rights), will also face the risk that the maximum penalty mechanism is applied to them.



II. Our Observations and Suggestions


1. Reexamine the list of obligations under the CSL and carry out risk assessment

Given that the Revised Draft of the CSL further raises the upper limit of penalties, we suggest that enterprises reexamine their list of CSL-related obligations against the Revised Draft of the CSL, and, working from that list, carry out risk inventory and assessment, gap analysis and rectification in a timely manner, so as to avoid the application of the maximum penalty mechanism.

2. Check whether the national security review applies

CIIOs and enterprises that may be identified as CIIOs should check whether the network products and services they procure may affect national security, and apply for a national security review in a timely manner where they may. Where necessary, they should also replace network products and services in a timely manner, to avoid a heavy fine of “not more than 5% of its turnover of the previous year” for using network products or services that have not undergone, or have failed, the security review.

3. Pay attention to obligations and penalty mechanisms

For outbound data transfers, attention should be paid to the obligations and penalty mechanisms set out in the Outbound Data Transfer Security Assessment Measures and in other laws and regulations. The outbound data transfer security assessment should be taken very seriously, to avoid crossing multiple red lines.

4. Establish a prior review mechanism

For the dissemination of information by enterprises or individuals, attention should be paid to establishing a prior review mechanism: improving the enterprise’s existing review of content before it is published, and assessing the legality of its own network products, so as to avoid spreading false information and infringing upon the reputation, privacy, intellectual property rights and other legitimate rights and interests of others. Otherwise, they will face the risk that the maximum penalty mechanism is applied.

5. Train the person in charge of cybersecurity

For an enterprise’s person in charge of cybersecurity and other directly responsible personnel, we recommend targeted training to improve their “awareness of performing their own duties” and “risk awareness”, so as to avoid the future application of the CSL’s fine of 1 million yuan or qualification penalty, and even the legal risk of criminal liability.

