On September 6, 2023, the State Internet Information Office issued a notice on its official website announcing that it had, in accordance with the law, made a decision on administrative penalties against CNKI in connection with a cybersecurity review, ordering it to stop the illegal handling of personal information and imposing a fine of 50 million yuan. The news quickly attracted widespread attention from all sectors of society, not only because CNKI, as the largest academic literature database platform in China, has long served higher education and research institutions, but also because this penalty is another benchmark fine issued against a large data platform since the full implementation of the Cybersecurity Law, Data Security Law, and Personal Information Protection Law.
This cybersecurity review began in June 2022. At that time, the Cyberspace Administration of China, together with relevant departments, initiated a review of CNKI in accordance with the National Security Law, Cybersecurity Law, and Data Security Law. After more than a year of review, it was finally determined that CNKI had committed multiple violations. The notice pointed out that multiple mobile applications operated by CNKI violated relevant provisions of the Personal Information Protection Law by forcibly collecting non-essential personal information, collecting personal information without user consent, failing to provide account cancellation functions, and not fully explaining personal information processing rules in their privacy policies. The review also found that CNKI had problems such as inadequate data security management systems, insufficient technical data security protection capabilities, and failure to fulfill network security protection obligations, which constitute a failure by a network operator to fulfill its security protection obligations as stipulated in the Cybersecurity Law.
As an important component of China's knowledge infrastructure project, CNKI has accumulated a massive collection of academic journals, theses, conference papers, newspapers, yearbooks, and other resources over the past 20 years. Its database covers the vast majority of domestic scientific research outputs, and its user base covers almost all universities, research institutes, and a large number of enterprises and institutions. This high degree of resource concentration makes it a natural gathering point for personal information and important data. Taking dissertations as an example, hundreds of thousands of new doctoral and master's theses are added each year, each containing personal information such as the author's name, school, major, supervisor, and contact information. Some confidential or non-public theses are also circulated within a specific scope. The vast amount of data and complex collection scenarios, without rigorous compliance frameworks and security protections, can easily evolve into risks of personal information leakage and data abuse.
According to the details publicly released by the Cyberspace Administration of China, multiple CNKI apps required users to enable non-essential permissions for the address book, location, and storage when registering, and did not provide an option to refuse; when users tried to cancel their accounts, unreasonable conditions were set or processing was delayed, and some users' cancellation applications had not been completed several months after submission; and the privacy policy's provisions on personal information export, third-party sharing, and data retention periods were vague, making it difficult for users to know how their information was being processed. These behaviors are not unique to CNKI; they were once a common problem across the mobile Internet industry. However, as the leading platform serving the national scientific research infrastructure, CNKI should have held itself to stricter compliance standards.
It is worth noting that the legal basis for this penalty includes not only the recently implemented Personal Information Protection Law but also the Cybersecurity Law and the Data Security Law. A penalty structure that combines the three laws signals the regulatory authorities' systematic requirement for "data lifecycle compliance". In other words, a platform must not only ensure the legality and legitimacy of the personal information collection process, but also establish a data security management system covering all stages, including collection, storage, use, processing, transmission, provision, disclosure, and deletion, implement the network security level protection system, and fulfill its obligation of emergency response to security incidents. CNKI was fined 50 million yuan, which is lower than the previous penalties imposed on some multinational technology giants, but its warning effect points directly at large domestic data platforms: no enterprise can be exempted from data compliance responsibilities on the grounds of "public welfare" or "scientific research attributes".
On the day the penalty decision was announced, CNKI issued a response statement on its official website and social media platforms, expressing sincere acceptance of and firm obedience to the administrative penalty decision of the cyberspace administration department, and saying that it had formulated a detailed rectification plan. The statement said that CNKI will conduct a comprehensive self-inspection of personal information protection compliance, optimize mobile application permission management, improve user account cancellation processes, revise privacy policies, and prominently highlight key terms; at the same time, it will increase investment in data security technology, establish a data security officer system, and regularly conduct compliance audits and employee training. Whether this series of commitments is actually implemented will be the touchstone for judging the platform's sincerity in rectification.
Looking back on the past two years, CNKI has gone through anti-monopoly investigations, huge fines, and public questioning, and has suddenly been pushed from being an academic infrastructure that had operated quietly for more than 20 years to the forefront of public scrutiny. In May 2022, the State Administration for Market Regulation launched an investigation into CNKI's suspected monopolistic behavior. In December of the same year, an administrative penalty decision was made, ordering CNKI to cease exclusive cooperation and refrain from restricting competition, and imposing a fine of 5% of its 2021 domestic sales revenue in China, totaling 87.6 million yuan. The dual regulatory hammer of anti-monopoly enforcement and cybersecurity review reflects the country's deep reflection on the development model of the platform economy: whether it deals in academic resources or social entertainment, no platform can use its market dominance or data advantage to depart from the bottom line of fair competition and protection of user rights.
From an industry perspective, the CNKI case is another cybersecurity enforcement case, following those targeting the US-listed companies and critical information infrastructure operators Didi, BOSS Zhipin, and Manbang. However, unlike the aforementioned companies, CNKI has not been listed, and its violations mainly concern domestic personal information processing and data security obligations. This indicates that regulatory authorities have extended their scrutiny of data compliance from cross-border listed companies to all large domestic data platforms, and no longer treat an overseas listing as the starting threshold. In the future, any platform that has a high market share in a specific industry, possesses a vast amount of sensitive information, and serves critical infrastructure may be brought within the scope of routine cybersecurity review.
For both the academic community and research users, CNKI's compliance rectification bears directly on their immediate interests. For many years, college teachers and students have complained not only about CNKI's download fees and exclusive copyrights, but also about privacy concerns such as difficulty in cancelling accounts, forced authorization of personal papers, and collection of unnecessary information. If this penalty can truly push CNKI to simplify the registration process, open up account cancellation, and clarify its personal information processing rules, it will undoubtedly improve the user experience and reshape the trust relationship between the platform and its users. Furthermore, it also provides a reference compliance template for other academic databases, online education platforms, and knowledge payment products.
Cybersecurity review and administrative penalties have never been ends in themselves, but means. In answering questions from reporters, the State Internet Information Office stressed that the purpose of this penalty is to "punish violations and guide standardized development". More than 20 years of accumulation have made CNKI an irreplaceable national knowledge infrastructure. However, in the new era of digitalization, intelligence, and rule of law, infrastructure must first become a benchmark for compliance. A fine of 50 million yuan is a heavy compliance cost, but it is also a worthwhile governance investment. Only when every paper, every report, and every user's personal information can flow on a secure track can CNKI truly shoulder the historical mission entrusted to it.