On May 14, 2025, the Standing Committee of the National People’s Congress of China unveiled its work plan for the year, highlighting a significant agenda outlined in the draft amendment to the 2017 Cybersecurity Law. The Cyberspace Administration of China (CAC) proposed this amendment, which has raised alarms among human rights organizations, particularly ARTICLE 19. They argue that these proposed changes deepen the already troubling patterns of digital repression in China, further entrenching the country’s repressive cybersecurity framework.
Understanding China’s Cybersecurity Governance Framework
The 2017 Cybersecurity Law marked a crucial point in China’s digital governance, establishing stringent regulations on data localization, real-name verification, and stringent monitoring of online activities. It empowered the CAC with extensive regulatory authority, thereby extending significant control over both Critical Information Infrastructure (CII) operators and non-CII actors. This consolidation of authority allowed for a sweeping surveillance state that mirrored the CCP’s broader efforts to control information and maintain social stability.
As stipulated in recent discussions, the upcoming amendment aims to align the Cybersecurity Law with newer legislations, such as the Data Security Law from 2021. However, it is crucial to note that this alignment seems less about enhancing digital security and more about reinforcing China’s framework of cyber sovereignty—a core aspect of its authoritative governance model.
Amplified Penalties and Broadening Scope
One of the most alarming aspects of the proposed amendment is the substantial increase in penalties for vague violations of cybersecurity laws. Revised Article 59 notably doubles the maximum penalty for non-compliance, with potential fines reaching up to 10 million yuan (approximately $1.39 million USD). This introduces significant financial liability for senior management, effectively outsourcing the enforcement of compliance to them in a manner that is likely to create a culture of fear among operators.
Additionally, the amendment expands the types of entities held accountable. While previous laws targeted websites, the new regulations could also encompass applications, further tightening the grip on digital entities and ensuring that even minor infractions can result in severe repercussions.
Heightened Censorship and Surveillance Obligations
The provision to reinforce censorship and surveillance underpins the entire amendment, with Article 64 mandating a proactive role for network operators in managing user data. This requirement not only encourages but compels the filtering and surveillance of user-generated content. Operators must swiftly halt the transmission of ‘prohibited’ information, delete such content, and report it to authorities—a process that transforms them into de facto monitors for the state.
The consequences of non-compliance are severe, ranging from suspension of affected websites to revocation of business licenses. Such measures reflect a broader trend of intertwining national security concerns with digital governance, creating an increasingly hostile environment for digital freedom and expression.
The Implications of Cyber Sovereignty
Underpinning this amendment is the notion of cyber sovereignty, with China aiming to position itself as a global leader in cybersecurity norms. By emphasizing the need for localized data management and strict controls on information flow, the CAC explicitly states its intention to project this model of governance internationally. This goal raises considerable concerns for global human rights, as it poses a threat to the principles of internet freedom and democratic institutions worldwide.
As China’s model of cybersecurity governance continues to gain traction, it risks normalizing repression under the guise of security, potentially influencing other nations to adopt similar frameworks.
Conclusion: A Call for Vigilance
China’s draft amendment to the Cybersecurity Law represents not just a reinforcement of state control but an aggressive assertion of its ambitions to dominate the global cybersecurity landscape. Instead of addressing genuine cybersecurity vulnerabilities, it doubles down on existing oppressive measures against freedom of expression.
The international community, particularly actors in internet governance, must remain vigilant in observing these developments. By doing so, they can better prepare to counter the gradual normalization of China’s oppressive digital regulation, safeguarding the principles of human rights and internet freedoms that underpin a democratic society. The necessity for a balanced approach to cybersecurity—one that respects human rights while addressing the imperative for security—has never been more pressing.