(New York) – The Chinese government’s proposed law to combat cybercrime extends far beyond addressing legitimate legal concerns and contains sweeping provisions that pose a significant threat to human rights, Human Rights Watch said today.
China’s Ministry of Public Security on January 31, 2026, published a 68-article Draft Law on Cybercrime Prevention and Control. If enacted, the bill would bring together rules that govern China’s telecommunication, internet, and banking systems under a single framework, strengthening authorities’ ability to trace user activity across platforms. The bill also expands police and other authorities’ ability to suspend access to financial accounts and communication services and bar people from leaving the country in cybercrime-related cases without meaningful oversight or redress provisions. Notably, the draft law has problematic extraterritorial reach.
“The draft cybercrime law reflects President Xi Jinping’s broad efforts to restrict digital and physical spaces by allowing state security to expand and tighten social controls, including beyond borders,” said Yalkun Uluyol, China researcher at Human Rights Watch. “The law would further undermine online anonymity, chill free speech, and restrict access to information.”
Many of the bill’s restrictive regulatory practices already exist under Chinese law, such as the Cybersecurity Law of 2016 and Data Security Law of 2021. However, the draft law consolidates and further formalizes them. The provisions address legitimate law enforcement concerns such as criminal activities online, including fraud, child pornography, and illicit financial transactions. However, they also threaten internationally protected rights to privacy, freedom of expression, and access to information.
The vague and overbroad nature of many of the offenses—such as “disrupting online order,” harming “national security” and “public interest,” “disrupting the real-name management system,” and “disseminating false information”—allows the government to punish legitimate speech and activities. Although such vague terminology is not new under Chinese law, its use in the draft cybercrimes law poses a significant threat to basic freedoms.
The draft law consolidates and reinforces existing mandatory real‑name registration across telecommunication, internet, and banking systems services (articles 11 to 13). While such requirements already exist in Chinese law, the bill requires ongoing or “dynamic” reverification of identity when these platforms are handling accounts in high crime areas or during high crime periods, or when they notice “abnormal operations” of the accounts, suggesting automated or algorithmic-based identity checks (动态身份核验, article 16). China’s real-name registration requirement allows the authorities to identify online commentators or tie mobile use to specific individuals, limiting anonymous expression, infringing on privacy rights, and chilling free speech.
Articles 19 to 33 list conduct prohibited under the “governance of the cybercrime ecosystem,” which include vague terms such as “publishing information that goes against social order and good custom for the generation of … advertising revenue” (article 28(4)). These articles also contain undue restrictions on legitimate cybersecurity research (articles 24 and 25). Such provisions risk criminalizing legitimate activities, such as those carried out by journalists, human rights defenders, and security researchers.
Article 62 also allows the police and other administrative authorities to “record in the credit files of individuals” who violate the draft law. And article 57 allows the police to “blacklist” people from using basic services such as opening a sim card without a clear removal mechanism, transparency, or redress mechanisms, practices that may be used to punish dissidents.
Articles 34 to 51 list provisions outlining extensive obligations of telecommunication, internet, and banking service providers in China to constantly monitor user behavior, and report broadly problematic behaviors such as artificial intelligence-generated “rumors” (article 40(10)) to public security organs and other relevant authorities. Article 51 also requires these service providers to provide technical assistance and decryption to the police for broad purposes to “safeguard national security” and “investigate terrorist activities.”
The 2018 report of the United Nations special rapporteur on freedom of opinion and expression states that governments should not impose “laws or arrangements that would require the ‘proactive’ monitoring or filtering of content, which is both inconsistent with the right to privacy and likely to amount to prepublication censorship.” Compelled decryption without safeguards also raises mass surveillance risks. The authorities may “block illegal information that originates outside the territory of the PRC [People’s Republic of China]” and network operators should promptly block them and report them to public security organs (article 44).
The draft law also prohibits tools and services that enable people to obtain or spread such information. While China already blocks foreign information through practice such as with the “Great Firewall” and bans the unapproved provision of virtual private networks to circumvent such restrictions, the bill embeds such prohibitions into the cybercrime law framework.
Such provisions contravene the right to seek, receive, and impart information “regardless of frontiers” under article 19 of the Universal Declaration of Human Rights, whose provisions are considered reflective of customary international law, and article 19(2) of the International Covenant on Civil and Political Rights, which China has signed but not yet ratified.
The draft law not only extends this abusive cybercrime regime to citizens abroad (article 2) but also to “overseas individuals and organizations providing internet service … to users in the PRC” (article 53). The law would also allow relevant authorities to punish these foreign entities for producing or disseminating information that “harms the interests” of the Chinese government by freezing their funds and investments in China and barring them from entering China (article 55).
The draft law provisions allow for up to 5,000,000 Chinese yuan (US$725,000) fines and 15 days in detention for “serious” violations related to cybercrimes. The authorities may also restrict “Chinese citizens … from leaving the country for six months to three years after their punishment is completed” (article 56), which violates their right to freedom of movement, protected under international human rights law. China’s Criminal Law already punishes cybercrimes under articles 285, 286, and 287, which includes detention, imprisonment, and fines; it also includes extensive punishments for peaceful speech and activities.
The draft law on cybercrime is inconsistent with China’s international human rights law obligations and violates the rights of internet users in China and abroad, Human Rights Watch said.
“The draft cybercrimes law is part of the Chinese government’s ‘digital authoritarianism,’ through which the authorities are weaving a set of laws to restrict the remaining pockets of freedom that people once enjoyed in cyberspace,” Uluyol said. “Concerned governments should press the Chinese government to scrap the proposed law.”
