At a time when both the Communist Party of China (CCP) and its central government, the State Council, are emphasizing the need to establish procedure-based, impartial, and civil administrative law enforcement with strict accountability systems, China’s internet regulator, the Cyberspace Administration of China (CAC), in September issued two related draft documents that would both strengthen and nominally constrain its enforcement authority:

• A proposed amendment of the 2016 Cybersecurity Law (CSL), published by the CAC on September 14 for a short comment period, would increase existing and add new punishments for various violations, and bring them more in line with subsequent legislation—the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both adopted in 2021, and the Administrative Punishment Law (APL), which was substantially revised also in 2021.
• A more extensive revision of CAC’s 2017 procedures for enforcing internet information content requirements (the 2017 Procedures) would expand and assert enforcement authority in the additional areas of cybersecurity, data security, and personal information protection addressed in the CSL, DSL, and PIPL (the Three Laws). Published on September 8, the draft Provisions on Procedures for Administrative Law Enforcement by Cyberspace Departments (the Draft Procedures) also assert its enforcement authority in those areas. They incorporate some, but not all, recently-added requirements of the APL. This draft follows an announcement in August that CAC had separated out the cyber law enforcement and supervision functions from a pre-existing bureau into a stand-alone bureau, tasked with wielding the "sword" of cyber law enforcement to pressure and deter serious violations. (Read a full translation of the Draft Procedures here.)

The proposed CSL amendments set stricter liabilities for violations of the CSL to conform to the PIPL’s provisions on the maximum fines and other punishments for both the companies and individuals directly responsible, and specify some additional punishments, such as closing websites (but not taking down apps). The proposed revisions in the Draft Procedures would primarily impose additional procedural obligations on cyberspace departments—defined to include the national CAC and local cyberspace administrations—when they issue such fines and impose other forms of administrative punishment on the public. Although an “explanation” published by the drafting entity usually accompanies such drafts, none was released with the Draft Procedures. One new provision (Article 32) gives cyberspace departments the authority to seal and seize items in personal information protection cases, which implements Article 63(4) of the PIPL concerning equipment or articles used to engage in illegal activities and is authorized under the 2011 Administrative Compulsion Law. However, most of the revisions take their new language from the text of the revised APL. These include:

• The principle of combining punishment with education and ensuring punishments are appropriate (Article 3);
• Not imposing more than one fine for the same violation, even if it contravenes more than one law (Article 16);
• Emphasizing that law enforcement personnel must have necessary qualifications and proactively show them to the parties (Article 19);
• Excluding illegally obtained evidence (Article 22);
• Providing additional grounds for not imposing punishments for first-time offenses with minor consequences that are rectified and where there is evidence of no subjective fault (Article 33);
• Expanding the scope of situations under which a party can request a hearing to include where a proposed punishment would confiscate a relatively large amount of income or high value assets, lower qualification levels, close down business, or restrict employment; other relatively major administrative punishments; and other circumstances prescribed in laws, regulations, and rules, in addition to the original circumstances of revoking licenses, suspending production or business, and imposing a relatively large fine (Article 35);
• Improving requirements for the hearing record, on which the punishment decision should be based (Article 36);
• Requiring legal review of proposed punishments by qualified personnel in certain cases, including those involving major private or public interests, or that are particularly difficult and complex (Article 40);
• Setting a 90-day deadline for reaching a decision under ordinary procedures, subject to extenuating circumstances (Article 44);
• Archiving a record of the entire process from initiation and investigation through decision and enforcement (Article 51); and
• Providing for supervision by the public of the administrative punishment process, including by means of appeals or reporting on alleged abuses (Article 52).

While many new provisions give the parties greater protection, the procedural additions appear to have been carefully selected. Neither the original version nor the Draft Procedures incorporate all APL requirements, including:

• Administrative separation of powers provisions that require that personnel chairing a hearing may not have been involved in investigating the case, and those collecting fines may not have been involved in making the punishment decision;
• A statute of limitations after which CAC could not impose punishment, whereas the APL sets a normal two-year limit, which would extend to five years in cases involving the life, health and safety of citizens, or financial security, and causing harmful consequences;
• A requirement to publicize the administrative organs that can impose administrative punishments, the bases for case filing, punishment execution procedures and channels to obtain remedies;
• The right for parties or relevant personnel to refuse to accept an investigation or inspection if law enforcement personnel fail to produce valid credentials;
• Disclosure of punishment decisions that have a certain social impact; and
• The parties’ right to seek compensation when their rights and interests are impaired in the course of law enforcement.

The CCP has arranged for CAC to be granted certain authority pursuant to laws promulgated by China’s national legislature and regulations by the State Council. In addition, as evidenced by the Procedures, CAC does in practice often comply generally with administrative law requirements, although not those relating to information disclosure. CAC and its lower-level counterparts, which answer to the Communist Party of China (CCP) and not the State Council, are not administrative organs, however. They therefore do not appear technically to be subject to the APL’s requirements that CAC chooses not to adopt.

Moreover, even if CAC is empowered by and often adheres to relevant laws and regulations, it is not clear that it is subject to statutory remedies, which are also stipulated in the Procedures and other rules issued by CAC, including administrative reconsideration, lawsuits, and compensation. First, no information is available on whether the CAC has been or can be subjected to administrative reconsideration, which is an internal appeals process handled by the department that took the action that a party is disputing (the governing law for which is undergoing revision at the moment, including to strengthen review of challenged administrative enforcement actions). Nor does CAC appear to be subject to lawsuits, as are most administrative agencies other than those engaged in national defense and foreign affairs. Not many cases appear to have been attempted against the CAC bureaucracy, and none at the central level have been located. Lastly, compensation is available under the State Compensation Law and the APL for injury due to actions taken by administrative organs or their personnel, but the CAC rules do not mention any right to compensation, so its availability from CAC is not certain.

The CAC has been an active rulemaker, authoring many of the more than 100 foundational regulations and departmental rules on cyber governance implemented since the CCP’s 18^th National Party Congress in 2012. It is also an increasingly active enforcer. While CAC itself imposed the extraordinary fine of $1.2 billion on ride-hailing giant Didi for national security, PIPL and other violations, CAC typically asks its lower-level counterparts to carry out most punishments, including holding preliminary talks to seek rectification and risk reduction—which are authorized under the Procedures and the Three Laws—as well as imposing fines. In cases to date, the full decisions have not been made public. In the absence of any legal commitment to transparency or full compliance with relevant administrative law regarding its processes and decisions, it will be important to monitor how CAC handles its expanding enforcement authority.