New PRC Cybercrime Law Heralds Digital Iron Curtain

New PRC Cybercrime Law Heralds Digital Iron Curtain

Executive Summary

• The Ministry of Public Security’s draft Cybercrime Prevention and Control Law marks a seminal shift from reactive policing to preventive governance, codifying a regulatory system designed to eliminate all remaining digital gray zones.
• By outlawing privacy-enhancing tools based on function rather than intent, enforcing real-name registration down to the network infrastructure layer, and nationalizing the discovery of cybersecurity vulnerabilities, the legislation effectively eradicates technical anonymity and centralizes state control over critical zero-day resources.
• The draft leverages administrative power through exorbitant fines and extrajudicial detention, enabling public security bureaus (PSBs) to bypass the formal justice system and impose crippling penalties on ordinary netizens, technical facilitators, and private enterprises.
• Projecting control globally, the legislation formalizes border controls and authorizes the freezing of assets linked to “fake information,” providing a robust domestic legal foundation for transnational repression against foreign entities, international personnel, and the Chinese diaspora.

Digital governance in the People’s Republic of China (PRC) is poised to enter a new phase. On January 31, the Ministry of Public Security (MPS) released the Cybercrime Prevention and Control Law (Draft) (网络犯罪防治法 (征求意见稿)) for public comment (MPS, January 31). [1] Recognizing that technical blockades are no longer sufficient, Beijing is building a robust legal framework to expand and codify its digital control apparatus. For over two decades, the Great Firewall (GFW)—an umbrella term for the PRC’s Internet censorship systems—has served as the primary instrument of digital control. [2] The draft law shifts the regulatory focus from technical censorship operations to substantive legal sanctions.

According to the “explanation” (说明) that accompanied the MPS’s draft law, the rapid development of the Internet has facilitated the migration of traditional crimes online, forming “massive and deeply entrenched black and grey industrial chains” (体系庞大、盘根错节的黑灰产业链条) (MPS, January 31). The authorities concede that reactive enforcement for individual cases cannot halt increasing cybercrime. In response, the proposed legislation establishes an operational doctrine based on the principles of “combining crackdowns with prevention, prioritizing prevention, governing the ecology, and collaborative linkage” (坚持“打防结合、防范为先、生态治理、协同联动”的原则).

This official emphasis on “prevention” and “ecological governance” reflects a broader Party-state logic of “source governance” (源头治理). A key feature of the Party’s approach to social management (it received mentions in both the 12th Five-Year Plan and the 18th Party Congress report), source governance focuses on preemptively dealing with social problems before they emerge or escalate (National Development and Reform Commission, September 2011; Xinhua, November 8, 2012; Party Members’ Net, February 25, 2013). [3] Although the draft is ostensibly aimed at combating telecom fraud and online gambling, it uses these issues as a pretext to neutralize perceived threats, including unauthorized technological capabilities and the networks of citizens who rely on them.

By defining the “evasion of supervision systems” (规避监管) as a punishable offense, the draft targets a broad ecosystem of technical facilitators and independent researchers, not just the users of privacy-enhancing tools. Beyond domestic surveillance, it also empowers police authorities to impose exorbitant administrative fines and administrative detention, which bypasses judicial oversight, while formalizing long-arm jurisdiction to threaten foreign entities, individuals, and the Chinese diaspora.

Elimination of Gray Zones

To eliminate the remaining digital gray zones that threaten Party-state interests, the draft law systematically targets the entire ecosystem of digital circumvention. It establishes strict legal prohibitions on privacy-enhancing tools and their technical facilitators, eradicates network-level anonymity, and centralizes state control over cybersecurity vulnerabilities.

The official rationale frames the draft law’s sweeping prohibition of privacy and circumvention tools as necessary to cut off the “material supply and technical support” (物料供应、技术支持) components of the cybercrime ecosystem. By formalizing a blanket ban on such technologies, it marks a definitive shift from targeting illicit online behavior to penalizing the underlying tools themselves. In doing so, it ends any lingering pretense of technical neutrality. Article 14 explicitly forbids any individual or organization from engaging in the “illegal production, sale, provision, or use” (非法制作、销售、提供、使用) of restricted tools. Specifically, Item 6 of the article introduces a sweeping prohibition against equipment, software, or services “specifically used to commit cyber illegalities and crimes or having the function of evading supervision systems” (专门用于实施网络违法犯罪或者具有规避监管制度功能的设备、软件、工具、服务). In the PRC’s legal lexicon, “supervision” encompasses the totality of the state’s monitoring apparatus, including real-name registration and GFW filtering. Therefore, privacy-enhancing technologies (PETs), such as virtual private networks (VPNs) and end-to-end encrypted messaging applications, have become strictly prohibited. By relying on a function-based standard, the legislation lowers evidentiary thresholds for police action, removing the need to prove criminal intent. Of particular concern, this functional ban poses an operational threat to international businesses that rely on corporate VPNs for secure cross-border communications. Because the draft offers no explicit exemptions for legitimate commercial use, multinational companies face a stark dilemma: either risk massive legal liability or transition to state-approved, monitored network channels that compromise their proprietary data.

Beyond targeting end-users, the regulatory dragnet extends to the very ecosystem that supports Internet freedom, explicitly penalizing technical assistance for accessing “illegal information” (违法信息) from abroad. Article 44 codifies the GFW’s operations into formal law, mandating that network operators block illicit information originating from outside the PRC. Crucially, it prohibits individuals and organizations from supplying technical tools or services that help others circumvent information controls to access or share blocked content. The stipulation is designed to disrupt the networks of developers, tutorial writers, and technical enthusiasts who have historically connected the Chinese intranet to the global Internet. By outlawing the act of “helping” others access blocked content, the state aims to isolate Chinese people within a strictly monitored national network. This turns a common technical workaround into a high-stakes legal risk.

To enforce these prohibitions, the draft law integrates real-name registration from the application layer down to the physical and network infrastructure, eliminating digital anonymity in the process. Articles 11–13 prohibit the disruption of real-name management systems. Specifically, Article 12(3) outlaws IP address switching tools, batch phone card control tools, and other means to evade network operators’ account registration review rules. The clause precisely targets dynamic IP proxies or jumping servers. This creates a one-to-one mapping between a user’s physical identity and their digital footprint, making technical anonymity virtually impossible to achieve. For activists and dissidents who rely on IP obfuscation to avoid detection, the measures represent a closing of the final technical loopholes used for safe communication.

Parallel to restricting circumvention tools, the state is moving to monopolize the discovery of network vulnerabilities to ensure the security apparatus maintains an offensive edge in cyberspace. Articles 24–25 impose a strict administrative approval regime on “white hat” security research and penetration testing: Independent researchers are now prohibited from conducting “network security vulnerability probing and penetration testing” (网络安全漏洞探测、渗透性测试) on critical systems (level three and above), without explicit approval from provincial-level cyberspace administrations or public security bureaus (PSBs), or authorization from industry regulators or network operators. [4] Furthermore, the draft mandates that even authorized testing must be “reported to county-level and higher public security organs five working days prior to the implementation of the activity” (在活动实施五个工作日前向县级以上公安机关报告). Coupled with Article 24’s ban on the unauthorized “discovery, collection, and publication of network product vulnerabilities” (网络产品安全漏洞发现、收集、发布等), the strict prior notification mechanism would ensure that the Party-state has first access to newly discovered flaws. Such hoarding of technical vulnerabilities not only stifles independent cybersecurity innovation but also increases the systemic risk to global supply chains, as these flaws may be weaponized as zero-day vulnerabilities for state-sponsored espionage or domestic surveillance before they can be patched.

Weaponization of Administrative Penalties

In the PRC legal system, administrative violations encompass a wide spectrum of offenses, including acts that would be classified as misdemeanors, or even felonies, in Western jurisdictions. [5] A critical difference, however, is that PSBs are the main adjudicators of these penalties. The draft law categorizes digital circumvention as a severe administrative offense, empowering the police to impose exorbitant fines and arbitrary detention. Because these measures inherently lack judicial review, their expanded use effectively bypasses the formal justice system. This creates a parallel mechanism that cripples targeted individuals and generates lucrative revenue streams for local governments.

This administrative expansion aligns directly with the MPS’s goal, stated in its explanation, to “move regulatory checkpoints forward to strengthen administrative supervision” (做到关口前移，强化行政监管). By shifting enforcement to the administrative level, the draft law establishes a system of “fiscal policing,” whereby punitive financial penalties can target anyone attempting to bypass censorship without formal criminal trials. The draft introduces a structure of cascading fines that punishes activities even when they generate “no illegal income” (没有违法所得). Under Article 57, anyone who evades real-name registration, including through using foreign SIM cards or IP proxies, faces fines of up to RMB 200,000 ($29,000). Authorities can also place violators on a blacklist, restricting their access to basic telecommunications and financial services. Moving up the chain, Articles 58 and 59 empower police to impose fines of up to RMB 500,000 ($72,500) on non-profit activists, open-source developers, and digital rights defenders who produce or provide circumvention tools. This represents a massive escalation from previous regulations, providing the state with a low-cost mechanism to paralyze dissenters and enforce compliance while avoiding the international scrutiny often triggered by criminal prosecutions.

Beyond inflicting financial ruin, the draft law institutionalizes extrajudicial detention for the immediate physical removal of targets. Articles 57–61 uniformly empower PSBs to impose up to 15 days of “administrative detention” (拘留) for violations under “serious circumstances” (情节严重的)—a threshold left strategically vague. Such discretionary power enables the rapid removal of perceived troublemakers from society during sensitive political periods. Administrative detention in the PRC requires no prosecutorial approval and no court appearance, thus enabling the system to focus on “preventive” suppression. Consequently, the state drastically lowers the evidentiary threshold required to strip citizens of their liberty.

Complementing these individual sanctions, the law expands the corporate liability regime that forces telecommunications, financial, and Internet service providers to serve as the front-line enforcers of state regulations. Article 60 mandates that service providers who “fail to fulfill cybercrime prevention and control obligations” (未落实网络犯罪防治义务), including the failure to monitor, discover, and block illegal information, can face enterprise fines of up to RMB 5 million ($725,000). Simultaneously, the “directly responsible personnel” (直接负责的主管人员) face personal fines of up to RMB 200,000 ($29,000). The mandate ensures that companies across these critical sectors must internalize the state’s surveillance mission to guarantee their own survival. Fear of these massive penalties will inevitably lead to over-compliance, where firms implement censorship and monitoring regimes even more robust than those explicitly required by law.

The result is a governance model where the distinction between criminal and administrative law is blurred to the advantage of the security services. Police authorities can now ignore procedural safeguards in the criminal code by employing administrative penalties instead. Crucially, the framework creates incentives that enforcement units, particularly those under fiscal strain, may exploit for revenue generation. The ability to levy massive fines on digital infractions allows local governments to target ordinary citizens and private enterprises to supplement depleted budgets (China Brief, February 3).

Lawfare and Long-Arm Jurisdiction

To project its digital censorship and deterrence capabilities globally, the draft law establishes a comprehensive framework for lawfare and long-arm jurisdiction. This extraterritorial expansion provides domestic legal cover for transnational repression, asset weaponization, and the policing of global discourse.

The draft’s explanation explicitly notes the transnational nature of modern cybercrime, mandating measures for “cross-border cybercrime sanctions and the supervision of cross-border network services” (跨境网络犯罪制裁、跨境网络服务监管). Under Article 54, authorities can “seal, seize, and freeze” (查封、扣押、冻结) and ultimately “confiscate” (没收) the criminal proceeds—as well as any enterprises, securities, or real estate invested with those proceeds—of foreign entities and individuals deemed to have committed cybercrimes, and can further restrict their direct or indirect investments. The provision poses a substantial operational risk to multinational corporations and investors. If a foreign entity is accused of violating the new cyber regulations, its legitimate business revenues and investments could easily be reclassified as “criminal proceeds,” leading to the immediate expropriation of its assets. The threat of expropriation transforms foreign investment in the PRC into a mechanism that ensures compliance with Beijing’s digital dictates.

Alongside the confiscation of criminal proceeds, Article 55 directly targets “overseas institutions, organizations, and individuals” (境外机构、组织、个人) who manufacture or spread “fake information” (虚假信息) that damages the PRC’s “national sovereignty, security, development interests, or public interests” (国家主权、安全、发展利益或者公共利益). Such broad wording introduces long-arm jurisdiction that can easily be weaponized against political speech. The Party-state defines “fake information” as reporting or analysis that contradicts its official narrative, including reports on the human rights situation in Xinjiang, Xi Jinping’s policy failures, or the PRC’s structural economic challenges. This clause is a direct legal tool against overseas political dissidents, circumvention facilitators, non-governmental organizations, and media organizations. The provision authorizes the freezing of assets, entry bans, and the restriction of direct or indirect investments in the PRC. This not only infringes upon the property rights of overseas entities but also constitutes a textbook case of transnational repression against dissidents, subjecting ordinary individuals to the same sanctions previously used against U.S. Secretary of State Marco Rubio (PRC Ministry of Foreign Affairs, July 13, 2020, August 10, 2020).

In tandem with these measures, the draft law weaponizes border controls to punish both domestic and international targets. Article 56 grants “municipal-level and higher PSBs” (设区的市级以上公安机关) the power to impose an additional six-month to three-year “exit ban” on PRC citizens after they have completed criminal sentences for cyber-related offenses. The law simultaneously authorizes “relevant competent departments” (有关主管部门) to ban the entry of foreign personnel who violate the provisions of Chapter III of the draft law. This dual-track system creates tailored risks: for foreign executives, technical experts, and researchers traveling to the PRC, past digital activity could be used as a legal pretext to deny them entry as part of a broader strategy of political coercion; for the Chinese diaspora—including foreign permanent residents—returning to the PRC risks becoming a one-way trip, as their overseas digital footprint could trigger criminal penalties and subsequent exit bans.

Conclusion

The draft Cybercrime Prevention and Control Law is poised to drop a legal iron curtain over the PRC’s digital landscape. It signals Beijing’s intent to transcend mere technical filtering, codifying instead a system of absolute “preventive governance.” By proposing to empower PSBs with unchecked administrative authority, the Party-state seeks to formally eradicate the last remaining digital gray zones. If enacted, this architecture would subordinate the judicial process to the brute force of administrative policing, ensuring that any attempt to bypass state surveillance is met with immediate extrajudicial suppression.

For the United States and the broader international community, the legislation’s externalities demand immediate attention. The draft illustrates how Beijing intends to weaponize its domestic legal apparatus for global coercion. The proposed hoarding of network vulnerabilities would directly degrade global cybersecurity, while the expansion of long-arm jurisdiction would hold foreign capital, foreigners, and the Chinese diaspora hostage to the Party-state’s political red lines. The public comment period closed on March 2, paving the way for the draft to be submitted to the National People’s Congress (NPC). Given its inclusion in the legislative plan, formal enactment is likely by late 2027—prior to the conclusion of the current legislative term. While the ongoing legislative review and pushback—such as from economic agencies aiming to accommodate foreign investment—may soften certain implementation details, the overarching mandate of “preventive governance” will undoubtedly remain intact. As this framework advances toward implementation, foreign entities must recognize that the era of regulatory ambiguity is over. Engaging with the PRC’s digital ecosystem will soon carry unprecedented legal, financial, and physical risks.

Notes

[1] Observers have criticized the MPS’s leading role in drafting this legislation, arguing that it inevitably expands police power by allowing the agency to act as both the architect and enforcer of the law. While this criticism is entirely valid, such a dynamic reflects standard legislative practice in the PRC. With the exception of major, cross-departmental laws, drafting responsibilities are routinely delegated to the functional ministry overseeing the specific portfolio. In the legislative plan of the 14th National People’s Congress (NPC), the State Council was tasked with drafting the Cybercrime Prevention and Control Law, which it subsequently subcontracted to the MPS as the primary agency in charge. See Gazette of the Standing Committee of the National People’s Congress (全国人民代表大会常务委员会公报), 2023, No. 6, p. 773.

[2] For detailed research into how the GFW operates, see the blogposts and papers published by Great Firewall Report, at https://gfw.report/en/.

[3] For more on the Party’s approach to social management techniques, and how it links to its national defense mobilization system, see Samantha Hoffman, Mobilizing the State, (Washington, D.C.: The Jamestown Foundation) 2025 (forthcoming).

[4] The PRC has five levels of information security based on the potential consequences of damages to information systems (see KPMG China, May 2019; DataGuidance, February 10, 2023).

[5] Unlike Western legal systems, which generally process misdemeanors and felonies through the judicial branch, the PRC employs a bifurcated sanctioning system. Because the statutory thresholds for formal prosecution under the Criminal Law (刑法) are relatively high, a wide range of offenses—including many that would constitute misdemeanors or lower-level felonies in the West—are classified as “administrative violations” (行政违法). These are governed by parallel statutes, most notably the Public Security Administration Punishments Law (治安管理处罚法) and now the draft Cybercrime Prevention and Control Law. They are adjudicated directly by administrative organs, primarily the police, without prosecutorial review or a court trial. For a comprehensive academic analysis of this administrative-criminal divide and the expansive punitive powers of the Chinese police, see Sarah Biddulph, Legal Reform and Administrative Detention Powers in China (Cambridge University Press, 2007).