laitimes

The full text of the "People's Republic of China Cybersecurity Law" is here→

Cybersecurity Law of the People's Republic of China

(Adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7, 2016)

  Chapter I: General Provisions

  Article 1: This Law is drafted so as to ensure network security, to preserve cyberspace sovereignty and national security, and the societal public interest, to protect the lawful rights and interests of citizens, legal persons, and other organizations, and to promote the healthy development of economic and social informatization.

  Article 2: This Law applies to the construction, operation, maintenance, and use of networks within the mainland territory of the People's Republic of China, as well as to the oversight and management of network security.

  Article 3: The state persists in placing equal emphasis on network security and informatization development, following the principles of active utilization, scientific development, lawful management, and ensuring security, advancing the establishment of network infrastructure and interconnection, encouraging innovation and application of network technology, supporting the cultivation of network security talent, establishing and completing network security safeguard systems, and increasing network security protection capabilities.

  Article 4: The state is to draft and continuously improve network security strategies, clarifying the basic requirements and main goals for ensuring network security, and proposing network security policies, work tasks, and measures in key areas.

  Article 5: The State is to employ measures to monitor, defend, and address network security risks and threats originating from within or outside the territory of the People's Republic of China, protect critical information infrastructure from attacks, intrusions, interference, and destruction, lawfully punish illegal and criminal activities on the Internet, and preserve security and order in cyberspace.

  Article 6: The state advocates online conduct that is honest and trustworthy, healthy, and civilized, promotes the dissemination of the Core Socialist Values, employs measures to increase the entire society's awareness and level of network security, and forms a positive environment for the entire society to participate in the promotion of network security.

  Article 7: The state is to actively carry out international exchanges and cooperation in areas such as cyberspace governance, research and development of cyber technology and the formulation of standards, and combating cyber violations and crimes, promoting the construction of a peaceful, secure, open, and cooperative cyberspace, and establishing a multilateral, democratic, and transparent cyber governance system.

  Article 8: The state internet information departments are responsible for the overall planning and coordination of network security efforts and related oversight and management efforts. In accordance with the provisions of this Law and relevant laws and administrative regulations, the State Council's departments in charge of telecommunications, public security departments, and other relevant organs are responsible for network security protection, oversight, and management efforts within the scope of their respective duties.

  The network security protection and oversight and management duties of the relevant departments of local people's governments at the county level or above are to be determined in accordance with relevant state provisions.

  Article 9: Network operators carrying out business and service activities must comply with laws and administrative regulations, respect social mores, abide by commercial ethics, be honest and trustworthy, perform network security protection obligations, accept government and societal oversight, and bear social responsibility.

  Article 10: The construction or operation of networks, or the provision of services through networks, shall follow the provisions of laws, administrative regulations, and the mandatory requirements of national standards, and employ technical measures and other necessary measures to ensure network security and stable operations, effectively respond to network security incidents, prevent illegal and criminal online activities, and preserve the integrity, confidentiality, and availability of network data.

  Article 11: In accordance with their charters, network-related industry organizations are to strengthen industry self-discipline, draft network security code of conduct, guide members to strengthen network security protections, increase the level of network security protections, and promote the healthy development of the industry.

  Article 12: The state protects the rights of citizens, legal persons, and other organizations to use the network in accordance with law, promoting the popularization of network access, increasing the level of network services, providing the public with safe and convenient network services, and ensuring the orderly and free flow of network information in accordance with law.

  Any individual or organization's use of the Internet shall abide by the Constitution and laws, abide by public order, respect social morality, and must not be endangered

Harming network security, networks must not be used to engage in activities such as endangering national security, honor, and interests, inciting subversion of state power, overthrowing the socialist system, inciting separatism, undermining national unity, advocating terrorism or extremism, advocating ethnic hatred and ethnic discrimination, disseminating violent, obscene, and pornographic information, fabricating or disseminating false information to disrupt economic and social order, and infringing on others' reputation, privacy, intellectual property rights, and other lawful rights and interests.

  Article 13: The state supports research and development of online products and services that are conducive to the healthy growth of minors, lawfully punishes the use of networks to engage in activities that endanger minors' physical and psychological health, and provides minors with a safe and healthy online environment.

  Article 14: All individuals and organizations have the right to report conduct endangering network security to departments such as for internet information, telecommunications, and public security. The department receiving the report shall promptly handle it in accordance with law; and where it is not the department's duties, it shall be promptly transferred to the department that has the authority to handle it.

  Relevant departments shall keep the informant's relevant information confidential and protect the informant's lawful rights and interests.

  Chapter II: Network Security Support and Promotion

  Article 15: The state is to establish and improve a system of network security standards. The standardization administrative department of the State Council and other relevant departments of the State Council shall, on the basis of their respective duties, organize the formulation and timely revision of national and industry standards related to network security management and network products, services, and operational security.

  The state supports enterprises, research institutions, institutions of higher learning, and network-related industry organizations in participating in the formulation of national and industry standards for network security.

  Article 16: The State Council and the people's governments of provinces, autonomous regions, and directly governed municipalities shall make overall plans, increase investment, support key network security technology industries and projects, support the research, development, and application of network security technology, promote safe and credible network products and services, protect intellectual property rights in network technology, and support enterprises, research institutions, and institutions of higher learning in participating in national network security technology innovation projects.

  Article 17: The state is to advance the establishment of a socialized network security service system, encouraging relevant enterprises and institutions to carry out security services such as network security certification, testing, and risk assessment.

  Article 18: The State encourages the development of technologies for the security protection and use of online data, promotes the opening of public data resources, and promotes technological innovation and economic and social development.

  The state supports innovating network security management methods, using new network technologies to increase the level of network security protection.

  Article 19: All levels of people's government and their relevant departments shall organize and carry out regular network security publicity and education, and guide and urge relevant units to do a good job of network security publicity and education.

  Mass media shall conduct targeted publicity and education on network security for the public.

  Article 20: The state supports enterprises, institutions of higher learning, vocational schools, and other education and training institutions in carrying out education and training related to network security, employing multiple methods to cultivate network security talent, and promoting exchanges of network security talent.

Chapter III: Network Operation Security

   Section 1: Ordinary Provisions

  Article 21: The state implements a tiered network security protection system. Network operators shall, in accordance with the requirements of the tiered network security protection system, perform the following security protection obligations to ensure that the network is protected from interference, destruction, or unauthorized access, and to prevent network data from being leaked, stolen, or tampered with:

  (1) Draft internal security management systems and operating procedures, designate persons responsible for network security, and implement responsibility for network security protections;

  (2) Employing technical measures to prevent computer viruses, network attacks, network intrusions, and other conduct that endangers network security;

  (3) Employ technical measures to monitor and record network operation status and network security incidents, and retain relevant network logs for at least 6 months in accordance with provisions;

  (4) Employing measures such as data classification, backup and encryption of important data;

  (5) Other obligations provided for by laws and administrative regulations.

  Article 22: Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services must not set up malicious programs; When it is discovered that their network products or services have security flaws, vulnerabilities, or other risks, they shall immediately employ remedial measures, promptly inform users in accordance with provisions, and report to the relevant regulatory departments.

  Providers of network products and services shall continue to provide security maintenance for their products and services; The provision of security maintenance shall not be terminated within the prescribed or agreed upon time period.

  Where network products and services have the function of collecting user information, their providers shall clearly indicate and obtain consent from users; Where users' personal information is involved, the provisions of this Law and relevant laws and administrative regulations on the protection of personal information shall also be complied with.

  Article 23: Critical network equipment and special network security products shall be sold or provided only after a qualified institution has passed security certification or met the requirements for security testing in accordance with the mandatory requirements of relevant national standards. The State Internet Information Department, in conjunction with the relevant departments of the State Council, is to draft and publish a catalog of critical network equipment and special network security products, and promote mutual recognition of security certifications and security testing results, to avoid duplicate certifications and testing.

  Article 24: Network operators handling network access and domain name registration services for users, handling formalities for accessing networks such as fixed and mobile phones, or providing users with services such as information release and instant messaging, shall require users to provide real identity information when signing agreements with users or confirming the provision of services. Where users do not provide real identity information, network operators must not provide them with relevant services.

  The State implements the online trusted identity strategy, supports the research and development of secure and convenient electronic identity authentication technologies, and promotes mutual recognition between different electronic identity authentications.

  Article 25: Network operators shall draft emergency response plans for network security incidents, promptly addressing security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; In the event of an incident that endangers network security, immediately initiate an emergency response plan, employ corresponding remedial measures, and report to the relevant competent departments in accordance with provisions.

  Article 26: Carrying out activities such as network security certification, testing, and risk assessment, and releasing network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public, shall comply with relevant state provisions.

  Article 27: Individuals and organizations must not engage in activities that endanger network security, such as illegally invading others' networks, interfering with the normal functions of others' networks, or stealing network data; Programs and tools must not be provided specifically for engaging in activities that endanger network security, such as invading networks, interfering with normal network functions and protective measures, or stealing network data; Where they clearly know that others are engaged in activities that endanger network security, they must not provide them with assistance such as technical support, advertising and promotion, or payment and settlement.

  Article 28: Network operators shall provide technical support and assistance to public security organs and state security organs in lawfully preserving national security and investigating criminal activities.

  Article 29: The state supports cooperation among network operators in areas such as the collection, analysis, reporting, and emergency response of network security information, to increase network operators' capacity to ensure security.

  Relevant industry organizations are to establish and complete network security protection norms and coordination mechanisms for their respective industries, strengthen the analysis and assessment of network security risks, periodically issue risk warnings to members, and support and assist members in responding to network security risks.

  Article 30: Information obtained by internet information departments and relevant departments in the course of performing network security protection duties may only be used as needed to preserve network security, and must not be used for other purposes.

   Section 2: Operational Security of Critical Information Infrastructure

  Article 31: The State implements key protections on the basis of the tiered network security protection system for important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that might seriously endanger national security, the national economy, the people's livelihood, or the public interest once it is destroyed, loses its functionality, or has data leaked. The State Council is to formulate measures for the specific scope and security protection of critical information infrastructure.

  The State encourages network operators other than critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.

  Article 32: In accordance with the division of duties and labor provided by the State Council, the departments responsible for critical information infrastructure security protection efforts are to separately draft and organize the implementation of critical information infrastructure security plans for that industry or field, and guide and oversee efforts to protect critical information infrastructure operations.

  Article 33: The construction of critical information infrastructure shall ensure that it has the performance to support the stable and continuous operation of operations, and ensure that security technical measures are planned, constructed, and used simultaneously.

  Article 34: In addition to the provisions of article 21 of this Law, critical information infrastructure operators shall also perform the following security protection obligations:

  (1) Set up a special safety management body and the person in charge of security management, and conduct security background reviews of the person in charge and personnel in key positions;

  (2) Periodically conduct network security education, technical training, and skills evaluations for employees;

  (3) Conduct disaster recovery backup of important systems and databases;

  (4) Formulate emergency response plans for network security incidents, and periodically conduct drills;

  (5) Other obligations provided for by laws and administrative regulations.

  Article 35: Where critical information infrastructure operators' procurement of network products and services might impact national security, they shall pass a national security review organized by the State Internet Information Department in conjunction with the relevant departments of the State Council.

  Article 36: Critical information infrastructure operators procuring network products and services shall sign security and confidentiality agreements with the providers in accordance with provisions, clarifying security and confidentiality obligations and responsibilities.

  Article 37: Personal information and important data collected and produced by critical information infrastructure operators in the course of operations within the mainland territory of the People's Republic of China shall be stored within the mainland. Where it is truly necessary to provide it overseas due to operational needs, a security assessment shall be conducted in accordance with the measures formulated by the State Internet Information Department in conjunction with the relevant departments of the State Council; Where laws and administrative regulations provide otherwise, follow those provisions.

  Article 38: Critical information infrastructure operators shall conduct inspections and assessments of their network security and possible risks at least once a year, either on their own or by retaining network security service establishments, and report the circumstances of the testing and assessments and improvement measures to the relevant departments responsible for critical information infrastructure security protection efforts.

  Article 39: The State Internet Information Department shall coordinate the following measures for the security protection of critical information infrastructure by relevant departments:

  (1) Conduct spot checks and testing of critical information infrastructure security risks, propose improvement measures, and when necessary, may retain network security service establishments to conduct testing and assessment of network security risks;

  (2) Periodically organize critical information infrastructure operators to conduct network security emergency drills, increasing the level of response to network security incidents and their ability to coordinate and cooperate;

  (3) Promote the sharing of network security information between relevant departments, critical information infrastructure operators, relevant research institutions, network security service bodies, and so forth;

  (4) Provide technical support and assistance in emergency response to network security incidents and restoration of network functions.

  Chapter IV: Network Information Security

  Article 40: Network operators shall keep the user information they collect strictly confidential, and establish and complete systems for the protection of user information.

  Article 41: Network operators' collection and use of personal information shall follow the principles of legality, propriety, and necessity, disclose rules for collection and use, clearly indicate the purpose, methods, and scope of information collection and use, and obtain the consent of the person being collected.

  Network operators must not collect personal information unrelated to the services they provide, must not collect or use personal information in violation of the provisions of laws, administrative regulations, or agreements between the parties, and shall handle the personal information they store in accordance with the provisions of laws and administrative regulations and agreements with users.

  Article 42: Network operators must not leak, alter, or destroy the personal information they collect; Personal information shall not be provided to others without the consent of the person being collected. However, this does not apply if a specific individual cannot be identified after processing and cannot be restored.

  Network operators shall employ technical measures and other necessary measures to ensure the security of the personal information they collect, and prevent information leaks, damages, or losses. When leaks, damages, or losses of personal information occur or may occur, remedial measures shall be immediately employed, and users shall be promptly informed and reported to the relevant competent departments in accordance with provisions.

  Article 43: Where individuals discover that network operators have collected or used their personal information in violation of the provisions of laws, administrative regulations, or agreements between the parties, they have the right to request that the network operators delete their personal information; Where it is discovered that the network operator's personal information collected or stored is incorrect, they have the right to request that the network operator correct it. Network operators shall employ measures to delete or correct them.

  Article 44: Personal information must not be stolen or obtained by other illegal means, and personal information must not be illegally sold or illegally provided to others.

  Article 45: Departments and their staffs with network security oversight and management duties in accordance with law must strictly preserve the confidentiality of personal information, privacy, and commercial secrets that they learn of in the performance of their duties, and must not leak, sell, or illegally provide them to others.

  Article 46: All individuals and organizations shall be responsible for their use of the internet, and must not set up websites or communication groups for illegal or criminal activities such as committing fraud, teaching criminal methods, or producing or selling prohibited or controlled items, and must not use the network to publish information related to committing fraud, producing or selling prohibited or controlled items, or other illegal or criminal activities.

  Article 47: Network operators shall strengthen the management of information published by their users, and where they discover information that laws or administrative regulations prohibit the publication or transmission of, they shall immediately stop the transmission of that information, employ measures to address it such as erasing it, prevent the spread of the information, store relevant records, and report to the relevant competent departments.

  Article 48: Electronic information sent by any individual or organization, or application software provided, must not set up malicious programs, and must not contain information that laws or administrative regulations prohibit the publication or transmission of.

  Electronic information sending service providers and application software download service providers shall perform security management obligations, and where they know that their users have the conduct provided for in the preceding paragraph, they shall stop providing services, employ measures such as elimination, store relevant records, and report to the relevant competent departments.

  Article 49: Network operators shall establish systems for complaints and reports on network information security, publish information such as the methods for complaints and reports, and promptly accept and handle complaints and reports related to network information security.

  Network operators shall cooperate with oversight and inspections carried out by internet information departments and relevant departments in accordance with law.

  Article 50: Where the state internet information departments and relevant departments perform network information security oversight and management duties in accordance with law, and discover information that laws or administrative regulations prohibit the publication or transmission of, they shall request that the network operators stop the transmission, employ measures to address it such as erasure, and store relevant records; For the above-mentioned information originating outside the territory of the People's Republic of China, the relevant institutions shall be notified to employ technical measures and other necessary measures to block the transmission.

Chapter V: Monitoring, Early Warning, and Emergency Response

  Article 51: The state is to establish systems for network security monitoring, early warning, and information circulation. The state internet information departments shall coordinate relevant departments to strengthen efforts to collect, analyze, and report network security information, and uniformly release network security monitoring and early warning information in accordance with provisions.

  Article 52: Departments responsible for critical information infrastructure security protection efforts shall establish and complete systems for network security monitoring, early warning, and information reporting in that industry or field, and report network security monitoring and early warning information in accordance with provisions.

  Article 53: The State Internet Information Department is to coordinate with relevant departments to establish and complete network security risk assessment and emergency response work mechanisms, draft emergency response plans for network security incidents, and periodically organize drills.

  Departments responsible for critical information infrastructure security protection efforts shall draft emergency response plans for network security incidents in that industry or field, and periodically organize drills.

  Emergency response plans for network security incidents shall be graded based on factors such as the degree of harm and scope of impact after the incident, and provide for corresponding emergency response measures.

  Article 54: When the risk of a network security incident increases, the relevant departments of people's governments at the provincial level or above shall employ the following measures in accordance with the scope of authority and procedures provided, and on the basis of the characteristics of the network security risk and the harm that might be caused:

  (1) Request that relevant departments, bodies, and personnel promptly collect and report relevant information, and strengthen monitoring of network security risks;

  (2) Organize relevant departments, institutions, and professionals to analyze and assess information on network security risks, and predict the likelihood of incidents, the scope of impact, and the degree of harm;

  (3) Publish early warnings of network security risks to the public, and publish measures to avoid or mitigate harms.

  Article 55: When a network security incident occurs, an emergency response plan for the network security incident shall be immediately initiated, an investigation and assessment of the network security incident shall be conducted, and network operators shall be required to employ technical measures and other necessary measures to eliminate potential security risks, prevent the expansion of harm, and promptly release warning information related to the public to the public.

  Article 56: Where in the course of performing network security oversight and management duties, the relevant departments of people's governments at the provincial level or above discover that there are relatively large security risks or security incidents have occurred in the network, they may give a talk to the network operator's legally-designated representative or principle responsible person in accordance with the scope of authority and procedures provided. Network operators shall employ measures as required to carry out corrections and eliminate hidden dangers.

  Article 57: Where emergencies or production safety accidents occur as a result of network security incidents, they shall be handled in accordance with the provisions of the Emergency Response Law of the People's Republic of China, the Production Safety Law of the People's Republic of China, and other relevant laws and administrative regulations.

  Article 58: As needed to preserve national security and social public order, or to handle major social security emergencies, temporary measures such as restrictions on network communications may be employed in specific areas upon the decision or approval of the State Council.

  Chapter VI: Legal Responsibility

  Article 59: Where network operators do not perform the network security protection obligations provided for in articles 21 and 25 of this Law, the relevant competent departments are to order corrections and give warnings; where corrections are refused or lead to consequences such as endangering network security, a fine of between 10,000 and 100,000 RMB is to be given, and a fine of between 5,000 and 50,000 RMB is to be given to the directly responsible managers.

  Where critical information infrastructure operators do not perform the network security protection obligations provided for in articles 33, 34, 36, or 38 of this Law, the relevant competent departments are to order corrections and give warnings; where corrections are refused or consequences such as endangering network security are caused, a fine of between 100,000 and 1,000,000 RMB is to be given, and the directly responsible managers are to be fined between 10,000 and 100,000 RMB.

  Article 60: Where the provisions of paragraphs 1 and 2 of article 22 and paragraph 1 of article 48 of this Law are violated by any of the following conduct, the relevant competent departments are to order corrections and give warnings; where corrections are refused or lead to consequences such as endangering network security, a fine of between 50,000 and 500,000 RMB is to be given, and a fine of between 10,000 and 100,000 RMB is to be given to the directly responsible managers:

  (1) Setting up malicious programs;

  (2) Failing to immediately take remedial measures for risks such as security defects or vulnerabilities in their products or services, or failing to promptly inform users and report to the relevant competent departments in accordance with provisions;

  (3) Terminating the provision of security maintenance for its products and services without authorization.

  Article 61: Where network operators violate the provisions of paragraph 1 of article 24 of this Law by failing to require users to provide true identity information, or by providing relevant services to users who do not provide true identity information, the relevant competent departments are to order corrections; where corrections are refused or the circumstances are serious, a fine of between 50,000 and 500,000 RMB is to be given, and the relevant competent departments may order that the relevant operations be suspended, suspended for rectification, closed websites, revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 10,000 and 100,000 RMB.

  Article 62: Where the provisions of article 26 of this Law are violated by carrying out activities such as network security certification, testing, or risk assessment, or by publishing network security information such as system vulnerabilities, computer viruses, network attacks, or network intrusions to the public, the relevant competent departments are to order corrections and give warnings; where corrections are refused or the circumstances are serious, a fine of between 10,000 and 100,000 RMB is to be given, and the relevant competent departments may order that the relevant operations be suspended, suspended for rectification, closed websites, revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 5,000 and 50,000 RMB.

  Article 63: Where the provisions of article 27 of this Law are violated by engaging in activities that endanger network security, or by providing programs or tools specifically for use in activities endangering network security, or by providing technical support, advertising, promotion, payment and settlement assistance, and other such assistance to others engaging in activities endangering network security, but it does not constitute a crime, the public security organs are to confiscate unlawful gains, detain them for up to 5 days, and may give a concurrent fine of between 50,000 and 500,000 RMB; where the circumstances are more serious, they are to be detained for between 5 and 15 days, and may be concurrently fined between 100,000 and 1,000,000 RMB.

  Where units exhibit the conduct in the preceding paragraph, the public security organs are to confiscate unlawful gains, give a fine of between 100,000 and 1,000,000 RMB, and punish the directly responsible managers and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

  Persons who violate the provisions of article 27 of this Law and receive public security administrative punishments must not engage in work in key positions in network security management and network operations for five years; Persons who receive criminal punishment must not engage in work in key positions in network security management and network operations for life.

  Article 64: Where network operators or providers of network products or services violate the provisions of paragraph 3 of article 22 or articles 41-43 of this Law by infringing on the right to have personal information protected in accordance with law, the relevant competent departments are to order corrections, and may give warnings, confiscation of unlawful gains, and fines of between 1 and 10 times the value of unlawful gains, and where there are no unlawful gains, give a fine of up to 1,000,000 RMB. The directly responsible managers and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB; where the circumstances are serious, they may also be ordered to suspend relevant operations, suspend operations for rectification, close down websites, revoke relevant business permits, or revoke business licenses.

  Where the provisions of article 44 of this Law are violated by stealing or otherwise illegally obtaining, illegally selling, or illegally providing personal information to others, but it does not constitute a crime, the public security organs are to confiscate the unlawful gains and give a concurrent fine of between 1 and 10 times the value of the unlawful gains, and where there are no unlawful gains, give a fine of up to 1,000,000 RMB.

  Article 65: Where critical information infrastructure operators violate the provisions of article 35 of this Law by using network products or services that have not been reviewed or have not passed security reviews, the relevant regulatory departments are to order them to stop using them and give a fine of between 1 and 10 times the amount of the purchase; The directly responsible managers and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB.

  Article 66: Where critical information infrastructure operators violate the provisions of article 37 of this Law by storing network data outside the mainland, or providing network data overseas, the relevant competent departments are to order corrections, give warnings, confiscate unlawful gains, and give a fine of between 50,000 and 500,000 RMB, and may order a suspension of operations, suspension of operations for rectification, closure of websites, revocation of relevant business permits, or revocation of business licenses; The directly responsible managers and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB.

  Article 67: Where the provisions of article 46 of this Law are violated by setting up websites or communication groups for the purpose of carrying out illegal or criminal activities, or using networks to publish information related to the commission of illegal or criminal activities, which does not constitute a crime, the public security organs are to detain them for up to 5 days.

  may also give a concurrent fine of between 10,000 and 100,000 RMB; where the circumstances are more serious, they are to be detained for between 5 and 15 days, and may be concurrently fined between 50,000 and 500,000 RMB. Shut down websites and communication groups used to carry out illegal and criminal activities.

  Where units have conduct in the preceding paragraph, the public security organs are to give a fine of between 100,000 and 500,000 RMB, and punish the directly responsible managers and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

  Article 68: Where network operators violate the provisions of article 47 of this Law by failing to stop the transmission of information that laws or administrative regulations prohibit the publication or transmission of, employ measures such as erasing it, or store relevant records, the relevant competent departments are to order corrections, give warnings, and confiscate unlawful gains; where corrections are refused or the circumstances are serious, a fine of between 100,000 and 500,000 RMB is to be given, and an order may be made to suspend relevant operations, suspend operations for rectification, close down websites, revoke relevant business permits or business licenses, and give directly responsible managers and other directly responsible personnel a fine of between 10,000 and 100,000 RMB.

  Where electronic information sending service providers or application software download service providers do not perform the security management obligations provided for in paragraph 2 of article 48 of this Law, punishment is to be given in accordance with the provisions of the preceding paragraph.

  Article 69: Where network operators violate the provisions of this Law by exhibiting any of the following conduct, the relevant regulatory departments are to order corrections; where corrections are refused or the circumstances are serious, a fine of between 50,000 and 500,000 RMB is to be given, and the directly responsible managers and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB.

  (1) Failing to follow the requirements of relevant departments to employ measures such as stopping the transmission or erasing of information that laws or administrative regulations prohibit the publication or transmission of;

  (2) Refusing or obstructing the supervision and inspection carried out by relevant departments in accordance with law;

  (3) Refusal to provide technical support and assistance to public security organs or state security organs.

  Article 70: Where paragraph 2 of article 12 of this Law and other laws or administrative regulations prohibit the publication or transmission of information, punishment is to be given in accordance with the provisions of relevant laws and administrative regulations.

  Article 71: Where there is illegal conduct provided for in this Law, it is to be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations, and it is to be announced.

  Article 72: Where state organ government affairs network operators do not perform the network security protection obligations provided for in this Law, the organ at the level above or relevant organs is to order corrections; The directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

  Article 73: Where internet information departments and relevant departments violate the provisions of article 30 of this Law by using information obtained in the performance of network security protection duties for other purposes, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

  Where the staff of internet information departments and relevant departments neglect their duties, abuse their authority, or twist the law for personal gain, and it does not constitute a crime, sanctions are to be given in accordance with law.

  Article 74: Where the provisions of this Law are violated by causing harm to others, civil liability is to be borne in accordance with law.

  Where the provisions of this Law are violated and constitute a violation of the administration of public security, a public security administrative sanction shall be given in accordance with law; where a crime is constituted, criminal responsibility is pursued in accordance with law.

  Article 75: Where foreign institutions, organizations, or individuals engage in activities that endanger the critical information infrastructure of the People's Republic of China, such as attacking, intruding, interfering, or sabotaging, causing serious consequences, legal responsibility is to be pursued in accordance with law; The public security department and relevant departments of the State Council may also decide to freeze assets or take other necessary sanctions against the institution, organization, or individual.

  Chapter VII Supplementary Provisions

  Article 76: The meanings of the following terms in this Law:

  (1) "Network" refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.

  (2) "Network security" refers to the ability to prevent attacks, intrusions, interference, sabotage, and illegal use of networks, as well as accidents, by taking necessary measures to prevent attacks, intrusions, interference, destruction, and illegal use of networks, as well as the ability to ensure the integrity, confidentiality, and availability of network data.

  (3) "Network operators" refers to network owners, managers, and network service providers.

  (4) "Network data" refers to all kinds of electronic data collected, stored, transmitted, processed, and generated through networks.

  (5) "Personal information" refers to all kinds of information recorded electronically or otherwise that can identify a natural person's personal identity alone or in combination with other information, including but not limited to a natural person's name, date of birth, ID number, personal biometric information, address, telephone number, and so forth.

  Article 77: In addition to complying with this Law, operational security protections for networks that store and handle information involving state secrets shall also comply with the provisions of secrecy laws and administrative regulations.

  Article 78: Security protections for military networks are to be provided for separately by the Central Military Commission.

  Article 79: This Law takes effect on June 1, 2017.

Source: Xinhua News Agency

Read on