PRC Cybersecurity Law
中华人民共和国网络安全法
Critical information required to be stored in China.
(Adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7 2016 and effective as of June 1 2017.)
PRC President's Order (No.53 of the 12th NPC)
Part One: General Provisions
Article 1: This Law has been formulated in order to ensure cybersecurity, safeguard cyberspace sovereignty, national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations and promote the healthy development of economic and social informatization.
Article 2: This Law shall govern the construction, operation, maintenance and use of networks in the People's Republic of China as well as the regulation of cybersecurity.
Article 3: The state views cybersecurity and information-based development as equally important, adheres to the policy of active use, rational development, lawful administration and assurance of security, promotes the construction and interconnection of network infrastructure, promotes innovation in, and application of, network technology and supports the nurturing of cybersecurity talent, the establishment and improvement of cybersecurity assurance systems and the enhancement of cybersecurity protection capabilities.
Article 4: The state will formulate and continuously improve cybersecurity strategies, expressly set forth the basic requirements in respect of, and the major objectives, of the assurance of cybersecurity and propose policies and work tasks and measures relating to cybersecurity in key sectors.
Article 5: The state will take measures to monitor, prevent and deal with cybersecurity risks and threats originating both within and outside the People's Republic of China, protect critical information infrastructure from attack, intrusion, interference and destruction, punish in accordance with the law illegal and criminal activities conducted online and safeguard cyberspace security and order.
Article 6: The state advocates for bona fide, healthy and appropriate online acts, promotes the dissemination of core socialist values and will take measures to enhance the entire society's awareness and level of cybersecurity so as to give rise to a favorable environment in which the entire society participates in promoting cybersecurity.
Article 7: The state will actively carry out international exchanges and cooperation in cyberspace governance, research and development of network technologies, formulation of standards for network technologies, and cracking down on illegal and criminal acts conducted online, promote the creation of a peaceful, safe, open and cooperative cyberspace, and establish a multilateral, democratic and transparent network governance regime.
Article 8: The state's cyberspace administration shall be responsible for overall coordination of cybersecurity work and related oversight work. The State Council's department in charge of telecommunications, public security department and other relevant departments shall be responsible for cybersecurity protection and oversight work falling within their respective purviews in accordance with this Law and related laws and administrative regulations.
The cybersecurity protection and oversight duties of relevant departments of people's governments at the county level and above shall be determined in accordance with relevant state provisions.
Article 9: A network operator must, when carrying on business and service activities, abide by laws and administrative regulations, comply with social ethics, observe commercial ethics, act in good faith, perform its cybersecurity protection obligations, submit to the scrutiny of the government and the public and assume social responsibility.
Article 10: In constructing and operating a network or providing services through a network, technical and other necessary measures shall be taken in accordance with the provisions of laws and administrative regulations and the mandatory requirements of state standards in order to ensure cybersecurity and stable operation, effectively respond to cybersecurity incidents, guard against illegal and criminal activities conducted online and safeguard the integrity, confidentiality and usability of network data.
Article 11: A network-related industry organization shall, in accordance with its charter, strengthen industry self-regulation, formulate codes of conduct for cybersecurity, guide members in strengthening cybersecurity protection, enhance the level of cybersecurity protection and promote the healthy development of the industry.
Article 12: The state protects the right of citizens, legal persons and other organizations to use networks in accordance with the law, promotes widespread cyber access, enhances the level of network services, provides secure and convenient network services for the public and ensures the orderly and free flow of network information in accordance with the law.
Any individual or organization that uses a network shall comply with the Constitution and laws, conform to public order, respect social ethics, may not jeopardize cybersecurity and may not use a network to engage in activities that jeopardize national security, reputation or interests, that foment the overthrow of state power or the subversion of the socialist system, that foment the division of the nation or the undermining of national unity, that advocate terrorism or extremism, interethnic hatred or racial discrimination, that disseminate violent, obscene or pornographic information, that fabricate and disseminate false information to disturb the economic order or social order or that harm or infringe another's reputation, privacy, intellectual property or other lawful rights and interests.
Article 13: The state supports the research and development of network products and services that are conducive to the healthy development of minors and punishes in accordance with the law those who use networks to engage in activities that are harmful to the physical and mental health of minors in order to provide a safe and healthy cyber environment for minors.
Article 14: Any individual or organization has the right to report acts that jeopardize cybersecurity to the cyberspace administration, telecommunications department, public security department or other such department. A department receiving such a report shall handle it in accordance with the law in a timely manner. If the report falls outside the purview of the authority, it shall transfer the same to the department with the authority to deal with it in a timely manner.
The relevant department shall keep the relevant information of the person making the report confidential and protect such person's lawful rights and interests.
Part Two: Cybersecurity Support and Promotion
Article 15: The state shall establish and improve a system of standards for cybersecurity. The administrative department in charge of standardization and other relevant departments of the State Council shall arrange for the formulation and the revision as appropriate of state standards and industry standards for the administration of cybersecurity and for network products, services and secure operation within their respective purviews.
The state supports the participation of enterprises, research institutions, institutions of higher education and network-related industry organizations in the formulation of state and industry standards for cybersecurity.
Article 16: The State Council and the people's governments of the provinces, autonomous regions and municipalities directly under the central government shall handle overall planning, increase their input, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technologies, promote secure and dependable network products and services, protect the intellectual property in network technologies and support the participation of enterprises, research institutions and institutions of higher education in state cybersecurity technology innovation projects.
Article 17: The state promotes the development of a public-oriented cybersecurity service system and encourages relevant enterprises and institutions to engage in the provision of security services such as cybersecurity certification, testing and risk assessment.
Article 18: The state encourages the development of technologies for security protection and use of network data, promotes accessibility to public data resources, and spurs on technological innovation and social and economic development.
The state supports the creation of innovative cybersecurity administration methods and the application of new network technologies to enhance the level of cybersecurity protection.
Article 19: People's governments at every level and their relevant departments shall arrange for the regular conduct of publicity and instruction on cybersecurity, and guide and procure the due publicizing of, and instruction on, cybersecurity by relevant entities.
Mass media shall conduct publicity and instruction on cybersecurity directed at the public.
Article 20: The state supports enterprises and educational and training institutions, such as institutions of higher education and vocational schools, in providing instruction and training on cybersecurity, taking various means to nurture cybersecurity talent and promoting the exchange of cybersecurity talent.
Part Three: Security of Network Operation
Section One: General Provisions
Article 21: The state implements a system of graduated cybersecurity protection. A network operator shall perform the security protection obligations set forth below in accordance with the requirements of the system of graduated cybersecurity protection so as to ensure that its network is not subject to interference, disruption or unauthorized access and to prevent the leaking, theft or alteration of network data:
(1) formulating internal security management systems and operational rules, appointing a person in charge of cybersecurity and assigning responsibilities for cybersecurity protection;
(2) taking technical measures to guard against computer viruses and acts that jeopardize cybersecurity, such as cyberattacks and network intrusions;
(3) taking technical measures to monitor and record network operation status and cybersecurity incidents, and retaining relevant network logs for not less than six months in accordance with provisions;
(4) taking measures such as data classification and the backup and encryption of important data; and
(5) other obligations as specified in laws and administrative regulations.
Article 22: Network products and services shall comply with the mandatory requirements of relevant state standards. Providers of network products and services may not insert malicious programs therein. If a provider of network products or services discovers a security flaw, vulnerability or other such risk in one of its products or services, it shall promptly take remedial measures, and inform users thereof and report the same to the relevant competent department in accordance with provisions in a timely manner.
A provider of network products or services shall provide continuous security maintenance for its products or services, and may not terminate the provision of security maintenance during the specified period of time or that agreed with the parties concerned.
If a network product or service has a user information collection function, its provider shall expressly make the same known to users and secure their consent therefor. If personal information of users is involved, the provider shall additionally comply with the provisions of this Law and relevant laws and administrative regulations on the protection of personal information.
Article 23: Critical network equipment and dedicated cybersecurity products may only be sold or provided after security certification or being found to satisfy requirements after security testing by a qualified institution in accordance with the mandatory requirements of relevant state standards. The state's cyberspace administration, together with relevant State Council departments, shall formulate and publish a list of critical network equipment and dedicated cybersecurity products and promote the mutual recognition of security certification and security testing results so as to avoid duplication of certification and testing.
Article 24: When a network operator carries out network access or domain name registration service, or carries out procedures for network access by landline telephone, mobile phone, etc. for a user, or provides information dissemination, instant messaging or other such service to a user, it shall, when executing the agreement or confirming provision of the service with the user, require the user to provide true identity information. If the user fails to provide true identity information, the network operator may not provide such user with the relevant service.
The state implements a strategy of trusted identities in cyberspace, supports the research and development of secure and convenient electronic identity authentication technologies and promotes mutual recognition between different electronic identity authentications.
Article 25: A network operator shall formulate a contingency plan for cybersecurity incidents and deal with security risks such as system vulnerabilities, computer viruses, cyberattacks and network intrusions in a timely manner. Once an incident that jeopardizes cybersecurity occurs, it shall promptly put the contingency plan into action, adopt the corresponding remedial measures and report the same to the relevant competent department in accordance with provisions.
Article 26: Those that carry out activities such as cybersecurity certification, testing or risk assessment, or publicize cybersecurity information, such as that on system vulnerabilities, computer viruses, cyberattacks or network intrusions, shall comply with relevant state provisions.
Article 27: No individual or organization may engage in activities that jeopardize cybersecurity, such as illegally intruding into another's network, interfering with the normal functions of another's network or stealing network data; and may not provide programs or tools specifically used to engage in network intrusion, interfere with normal network functions and preventive measures, steal network data or other such activities that jeopardize cybersecurity. If such a person or organization knows that a third party is engaging in activities that jeopardize cybersecurity, he/she/it may not provide such party assistance such as technical support, advertising promotion or payment settlement.
Article 28: A network operator shall provide technical support and assistance to the public security authority or national security authority in its activities of safeguarding national security or investigating crimes in accordance with the law.
Article 29: The state supports cooperation among network operators in cybersecurity information collection, analysis and circulation, emergency handling, etc. so as to enhance their security assurance capabilities.
A relevant industry organization shall establish and improve a code of, and a cooperation mechanism for, cybersecurity protection for its industry, strengthen the analysis and assessment of cybersecurity risks, regularly provide risk alerts to members and support and assist members in responding to cybersecurity risks.
Article 30: Cyberspace administrations and relevant departments may only use the information to which they are privy in performing their cybersecurity protection duties for the purposes of safeguarding cybersecurity, and may not use the same for other purposes.
Section Two: Security of the Operation of Critical Information Infrastructure
Article 31: The state implements, on the basis of the graduated cybersecurity protection system, key protection for important industries and sectors, such as public communications and information services, energy, transportation, water resources, finance, public services and electronic governmental affairs, and other critical information infrastructure that, in the event of a damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardize national security, national economy, people's livelihoods or the public interest. The specific scope of, and security protection measures for, critical information infrastructure shall be formulated by the State Council.
The state encourages operators of networks that fall outside the scope of critical information infrastructure to voluntarily join the critical information infrastructure protection regime.
Article 32: Based on the division of duties specified by the State Council, departments responsible for the work of protecting the security of critical information infrastructure shall each prepare and arrange for the implementation of the critical information infrastructure security plan for its industry or sector, and guide and monitor the work of security protection for the operation of the critical information infrastructure.
Article 33: When constructing critical information infrastructure, it shall be ensured that it has the ability to support stable and continuous operation of the business, and it shall be ensured that security technical measures are planned, constructed and used in tandem.
Article 34: In addition to those specified in Article 21 hereof, an operator of critical information infrastructure shall perform the following security protection obligations:
(1) establishing a dedicated security management body and appointing a person responsible for security management, and conducting a background security check of such person and the personnel in key jobs;
(2) regularly giving instruction in cybersecurity and technical training to cybersecurity employees and assessing their skills;
(3) making disaster recovery backups of important systems and databases;
(4) formulating a cybersecurity incident contingency plan and regularly conducting drills thereof; and
(5) other obligations as specified in laws and administrative regulations.
Article 35: When an operator of critical information infrastructure procures network goods or services, and the same could affect national security, the same shall be submitted for a national security review arranged by the state's cyberspace administration in concert with relevant State Council departments.
Article 36: When an operator of critical information infrastructure procures network goods or services, it shall execute a security and confidentiality agreement with the provider in accordance with provisions, expressly specifying the security and confidentiality obligations and responsibilities.
Article 37: The personal information and important data collected and generated by an operator of critical information infrastructure in the course of its operations in the People's Republic of China shall be stored in China. If, for business purposes, the same genuinely needs to be provided to a foreign party, a security assessment shall be conducted in accordance with the measures formulated by the state's cyberspace administration together with relevant State Council departments. If laws or administrative regulations provide otherwise, such provisions shall prevail.
Article 38: An operator of critical information infrastructure shall itself conduct or engage a cybersecurity service institution to conduct testing on, and an assessment of, the security of, and the potential risks existing in, its network at least once per year and submit the outcome of such testing and assessment and improvement measures to the relevant department in charge of the work of protecting the security of critical information infrastructure.
Article 39: The state's cyberspace administration shall centrally coordinate relevant departments in taking the following measures in respect of the protection of the security of critical information infrastructure:
(1) conducting random testing of the risks to the security of the critical information infrastructure, recommending improvement measures and, if necessary, engaging a cybersecurity service institution to conduct testing and an assessment of the security risks existing in the network;
(2) regularly arranging for the operator of the critical information infrastructure to conduct cybersecurity emergency response drills so as to enhance its level of response to cybersecurity incidents and its collaboration and cooperation capacity;
(3) promoting the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure and relevant research institutions, cybersecurity service institutions, etc.; and
(4) providing technical support for, and assistance in, the emergency handling of cybersecurity incidents and the restoration of network functions, etc.
Part Four: Security of Network Information
Article 40: A network operator shall keep the user information it collects strictly confidential, and establish and improve a user information protection system.
Article 41: When collecting and using personal information, a network operator shall comply with the principles of lawfulness, legitimacy and necessity, make public its rules for the collection and use of such information, expressly state its purpose for, method of, and scope of, collecting and using the same, and secure the consent of the persons whose information it collects.
A network operator may not collect personal information unrelated to the services it provides, may not collect and use personal information in a manner that violates laws, administrative regulations or the agreement between the parties and it shall dispose of the personal information it stores in accordance with laws, administrative regulations and the agreement with users.
Article 42: A network operator may not divulge, alter or damage the personal information it collects; and, without the consent of the persons whose information it collects, it may not provide their personal information to others, unless, after processing, such information cannot identify specific persons and cannot be restored to its original state.
A network operator shall take technical and other necessary measures to ensure the security of the personal information it collects, and prevent the leaking, damage or loss thereof. If the leaking, damage or loss of personal information has occurred or could occur, it shall take remedial measures forthwith, and inform users thereof and report the same to the relevant competent departments in accordance with provisions in a timely manner.
Article 43: If an individual discovers that a network operator collects and uses his/her personal information in a manner that violates laws or administrative regulations or the agreement between the parties, he/she has the right to demand that the network operator delete his/her personal information. If he/she discovers errors in the personal information collected and stored by the network operator, he/she has the right to demand that the network operator correct the same. The network operator shall take measures to delete or correct the same.
Article 44: No individual or organization may steal or use other illegal means to obtain personal information, and may not illegally sell or illegally provide such personal information to a third party.
Article 45: A department that bears a duty of overseeing cybersecurity in accordance with the law and its working personnel must maintain the strict confidentiality of the personal information, privacy and trade secrets to which they are privy in the course of performing their duties, and may not disclose, sell or illegally provide the same to a third party.
Article 46: Each individual and organization shall be liable for their acts of using a network, may not establish a website or distribution group used to commit fraud, convey means of committing a crime, produce or sell banned or controlled goods or other such illegal or criminal activities, and may not use a network to disseminate information relating to the commission of fraud, the production or sale of banned or controlled goods or other illegal or criminal activities.
Article 47: A network operator shall strengthen its management of the information posted by its users, and if it discovers information the dissemination or transmission of which is prohibited by laws or administrative regulations, it shall promptly halt the communication of such information, take handling measures such as deletion, prevent the information from proliferating, keep relevant records and report the same to the relevant competent department.
Article 48: Electronic information sent or application software provided by any individual or organization may not contain malicious programs or information the dissemination or transmission of which is prohibited by laws or administrative regulations.
An electronic information sending service provider or application software download service provider shall perform its security management obligations, and if it learns that a user has committed an act as set forth in the preceding paragraph, it shall cease providing services thereto, take handling measures such as deletion, keep relevant records and report the same to the relevant competent department.
Article 49: A network operator shall establish a network information security complaint and reporting system, publish information such as the means of filing complaints and reports, and accept and deal with complaints and reports relating to the security of network information in a timely manner.
A network operator shall cooperate in monitoring inspections conducted by the cyberspace administration and relevant departments in accordance with the law.
Article 50: If the state's cyberspace administration or a relevant department discovers information the dissemination or transmission of which is prohibited by laws or administrative regulations in the course of performing its duty of overseeing the security of network information in accordance with the law, it shall require the network operator to halt the transmission thereof, take handling measures such as deletion and keep relevant records. With respect to information as mentioned above originating outside the People's Republic of China, it shall notify the relevant organization to take technical and other necessary measures to block the distribution thereof.
Part Five: Monitoring, Early Warning and Emergency Handling
Article 51: The state will establish a system for cybersecurity monitoring, early warning and information circulation. The state's cyberspace administration shall centrally coordinate relevant departments in strengthening the collection, analysis and circulation of cybersecurity information and, in accordance with provisions, centrally issue cybersecurity monitoring and early warning information.
Article 52: A department responsible for the work of protecting the security of critical information infrastructure shall establish and improve a cybersecurity monitoring, early warning and information circulation system for its industry or sector, and submit cybersecurity monitoring and early warning information in accordance with provisions.
Article 53: The state's cyberspace administration shall coordinate relevant departments in establishing and improving a cybersecurity risk assessment and emergency response mechanism, formulate cybersecurity incident contingency plans and regularly arrange for drills thereof.
A department responsible for the work of protecting the security of critical information infrastructure shall formulate cybersecurity incident contingency plans for its industry or sector and regularly arrange for drills thereof.
A cybersecurity incident contingency plan shall rank cybersecurity incidents based on factors such as the degree of harm and extent of the impact after the occurrence of an incident, and specify the corresponding emergency handling measures.
Article 54: When the risk of the occurrence of a cybersecurity incident increases, the relevant departments of the people's government at the provincial level or above shall take the following measures on the basis of their specified authority and by the specified procedure and based on the features of the cybersecurity risk and the harm it could cause:
(1) requiring relevant departments, organizations and individuals to collect and report relevant information, and strengthen their monitoring of the cybersecurity risk in a timely manner;
(2) arranging for relevant departments, organizations and specialists to analyze and assess the cybersecurity risk, and forecast the probability of the incident occurring, the extent of its impact and the degree of harm it would cause; and
(3) issuing to the public an early cybersecurity risk warning and publishing measures to avoid or mitigate the harm.
Article 55: Once a cybersecurity incident occurs, the cybersecurity incident contingency plan shall be promptly put into action, the cybersecurity incident shall be investigated and assessed, the network operator shall be requested to take technical and other necessary measures to eliminate the latent security risk and prevent the harm from spreading, and public-related warning information shall be made available to the public in a timely manner.
Article 56: If a relevant department of a people's government at the provincial level or above discovers in the course of performing its cybersecurity oversight duties that a network has a relatively major security risk or that a security incident has occurred, it may, based on its specified authority and by the specified procedure, summon the legal representative or main person in charge of the operator of the network for a talk. The network operator shall take measures, carry out rectification and eliminate the latent risk as requested.
Article 57: If, as the result of a cybersecurity incident, a contingency or work safety related accident occurs, the same shall be handled in accordance with relevant laws and administrative regulations such as the PRC Law on Responding to Contingencies and the PRC Work Safety Law.
Article 58: For the purposes of safeguarding national security or public order or handling a major sudden public security incident, temporary measures such as limiting network communication in a specific region may be taken, subject to a decision or the approval of the State Council.
Part Six: Legal Liability
Article 59: If a network operator fails to perform the cybersecurity protection obligations set forth in Article 21 or 25 hereof, the relevant competent department shall order it to rectify the matter and give it a warning. If it refuses to rectify the matter or cybersecurity is jeopardized or other such consequence results, a fine of not less than Rmb10,000 and not more than Rmb100,000 shall be imposed, and the manager directly responsible shall be fined not less than Rmb5,000 and not more than Rmb50,000.
If an operator of critical information infrastructure fails to perform the cybersecurity protection obligations set forth in Article 33, 34, 36 or 38 hereof, the relevant competent department shall order it to rectify the matter and give it a warning. If it refuses to rectify the matter or cybersecurity is jeopardized or other such consequence results, a fine of not less than Rmb100,000 and not more than Rmb1 million shall be imposed, and the manager directly responsible shall be fined not less than Rmb10,000 and not more than Rmb100,000.
Article 60: If the first or second paragraph of Article 22 or the first paragraph of Article 48 hereof is violated by committing any of the acts set forth below, the relevant competent department shall order rectification of the matter and give a warning. If the perpetrator refuses to rectify the matter or cybersecurity is jeopardized or other such consequence results, a fine of not less than Rmb50,000 and not more than Rmb500,000 shall be imposed, and the manager directly responsible shall be fined not less than Rmb10,000 and not more than Rmb100,000:
(1) a malicious program is inserted;
(2) a remedial measure is not promptly taken in respect of a security flaw, vulnerability, or other such risk in its product or service, or users are not informed thereof and a report is not made to the relevant competent department in accordance with provisions in a timely manner; or
(3) the provision of security maintenance for its product or service is terminated without authorization.
Article 61: If a network operator violates the first paragraph of Article 24 hereof by failing to require a user to provide true identity information or providing relevant services to a user that fails to provide true identity information, the relevant competent department shall order rectification of the matter. If the network operator refuses to rectify the matter or the circumstances are serious, a fine of not less than Rmb50,000 and not more than Rmb500,000 shall be imposed, and the relevant competent department may order it to suspend the relevant business, suspend operations and undergo rectification, shut down its website, revoke the relevant business permit or revoke its business license, and it shall fine the manager directly responsible and the other directly responsible persons not less than Rmb10,000 and not more than Rmb100,000.
Article 62: If cybersecurity certification, testing, risk assessment or other such activity is engaged in or cybersecurity information on system vulnerabilities, computer viruses, cyberattacks, network intrusions, etc. is made public in a manner that violates Article 26 hereof, the relevant competent department shall order rectification of the matter and give a warning. If the perpetrator refuses to rectify the matter or the circumstances are serious, a fine of not less than Rmb10,000 and not more than Rmb100,000 shall be imposed, and the relevant competent department may order it to suspend the relevant business, suspend operations and undergo rectification, shut down its website, revoke the relevant business permit or revoke its business license, and it shall fine the manager directly responsible and the other directly responsible persons not less than Rmb5,000 and not more than Rmb50,000.
Article 63: If Article 27 hereof is violated by engaging in activities that jeopardize cybersecurity, or by providing programs or tools specifically used to engage in activities that jeopardize cybersecurity or providing assistance such as technical support, advertising promotion or payment settlement for the engagement in activities that jeopardize cybersecurity by a third party, but the same is insufficient to constitute a criminal offense, the public security authority shall confiscate the illegal income, impose a sentence of up to five days of detention and may impose a fine of not less than Rmb50,000 and not more than Rmb500,000; and if the circumstances are relatively serious, it shall impose a sentence of not less than 5 days and not more than 15 days of detention and may impose a fine of not less than Rmb100,000 and not more than Rmb1 million.
If an entity commits any of the acts set forth in the preceding paragraph, the public security authority shall confiscate the illegal income, impose a fine of not less than Rmb100,000 and not more than Rmb1 million and impose penalties on the manager directly responsible and the other directly responsible persons in accordance with the preceding paragraph.
A person who is the recipient of public security administration penalties for violation of Article 27 hereof may not engage in cybersecurity management or a key job in network operation for five years; a person who is the recipient of criminal penalties for the foregoing may not engage in cybersecurity management or a key job in network operation for life.
Article 64: If a network operator or a network product or service provider violates the third paragraph of Article 22, or any of Articles 41 to 43 hereof by infringing the right of lawful protection of personal information, the relevant competent department shall order rectification of the matter and, depending on the circumstances, singly or in combination, give a warning, confiscate the illegal income, and/or impose a fine of not less than the equivalent of and not more than 10 times the illegal income or, if there is no illegal income, a fine of up to Rmb1 million, and it shall fine the manager directly responsible and the other directly responsible persons not less than Rmb10,000 and not more than Rmb100,000. If the circumstances are serious, it may additionally order the network operator or the network product or service provider to suspend the relevant business, suspend operations and undergo rectification, shut down its website, revoke the relevant business permit or revoke its business license.
If a network operator or a network product or service provider violates Article 44 hereof by stealing or otherwise illegally obtaining, illegally selling or illegally providing to a third party personal information, but the same is insufficient to constitute a criminal offense, the public security authority shall confiscate the illegal income, and impose a fine of not less than the equivalent of and not more than 10 times the illegal income or, if there is no illegal income, a fine of up to Rmb1 million.
Article 65: If an operator of critical information infrastructure violates Article 35 hereof by using a network product or service that has not undergone or failed a security review, the relevant competent department shall order it to cease using the same and impose a fine of not less than the equivalent of and not more than 10 times the procurement amount thereof; and it shall fine the manager directly responsible and the other directly responsible persons not less than Rmb10,000 and not more than Rmb100,000.
Article 66: If an operator of critical information infrastructure violates Article 37 hereof by storing network data outside China or providing network data to a party outside China, the relevant competent department shall order it to rectify the matter, give it a warning, confiscate its illegal income and impose a fine of not less than Rmb50,000 and not more than Rmb500,000 and may order it to suspend the relevant business, suspend operations and undergo rectification, shut down its website, revoke the relevant business permit or revoke its business license; and it shall fine the manager directly responsible and the other directly responsible persons not less than Rmb10,000 and not more than Rmb100,000.
Article 67: If Article 46 hereof is violated by establishing a website or distribution group used to commit illegal or criminal activities or using a network to convey information on committing illegal or criminal activities, but the same is insufficient to constitute a criminal offense, the public security authority shall impose a sentence of up to five days of detention and may impose a fine of not less than Rmb10,000 and not more than Rmb100,000. If the circumstances are relatively serious, it shall impose a sentence of not less than 5 days and not more than 15 days of detention and may impose a fine of not less than Rmb50,000 and not more than Rmb500,000. The website or distribution group used to commit the illegal or criminal activities shall be shut down or closed.
If an entity commits any of the acts set forth in the preceding paragraph, the public security authority shall impose a fine of not less than Rmb100,000 and not more than Rmb500,000 and impose penalties on the manager directly responsible and the other directly responsible persons in accordance with the preceding paragraph.
Article 68: If a network operator violates Article 47 hereof by failing to halt the transmission of information the dissemination or transmission of which is prohibited by laws or regulations, to take handling measures such as deletion thereof or to keep relevant records, the relevant competent department shall order rectification of the matter, give a warning and confiscate the illegal income. If the network operator refuses to rectify the matter or the circumstances are serious, the relevant competent department shall impose a fine of not less than Rmb100,000 and not more than Rmb500,000, and may order it to suspend the relevant business, suspend operations and undergo rectification, shut down its website, revoke the relevant business permit or revoke its business license, and fine the manager directly responsible and the other directly responsible persons not less than Rmb10,000 and not more than Rmb100,000.
If an electronic information sending service provider or application software download service provider fails to perform its security management obligations specified in the second paragraph of Article 48 hereof, it shall be penalized in accordance with the preceding paragraph.
Article 69: If a network operator violates this Law by committing any of the acts set forth below, the relevant competent department shall order it to rectify the matter; if it refuses to rectify the matter or the circumstances are serious, the relevant competent department shall fine it not less than Rmb50,000 and not more than Rmb500,000 and fine the manager directly responsible and the other directly responsible persons not less than Rmb10,000 and not more than Rmb100,000:
(1) failing to take handling measures against information the dissemination or transmission of which is prohibited by laws or administrative regulations such as halting the transmission thereof and deleting the same as demanded by a relevant department;
(2) refusing or obstructing a monitoring inspection lawfully conducted by a relevant department; or
(3) refusing to provide technical support or assistance to the public security authority or national security authority.
Article 70: If information the dissemination or transmission of which is prohibited by the second paragraph of Article 12 hereof or other laws and administrative regulations is disseminated or transmitted, penalties shall be imposed in accordance with the relevant laws or administrative regulations.
Article 71: If an illegal act as specified herein is committed, the same shall be recorded in the integrity file and made public in accordance with relevant laws and administrative regulations.
Article 72: If the operator of the governmental affairs network of a state authority fails to perform the cybersecurity protection obligations specified herein, it shall be ordered to rectify the matter by the authority at the next higher level or the relevant department; and the managing officer directly responsible and the other directly responsible persons shall be sanctioned in accordance with the law.
Article 73: If a cyberspace administration or relevant department violates Article 30 hereof by using information to which it was privy in the course of performing its cybersecurity protection duties for other purposes, the managing officer directly responsible and the other directly responsible persons shall be sanctioned in accordance with the law.
If a member of the working personnel of a cyberspace administration or relevant department is derelict in his/her duties, abuses his/her authority or practices favoritism by committing fraud, but the same is insufficient to constitute a criminal offense, he/she shall be sanctioned in accordance with the law.
Article 74: If this Law is violated and the same causes injury to a third party, civil liability shall be borne in accordance with the law.
If a violation hereof constitutes a violation of public security administration, public security administration penalties shall be imposed in accordance with the law. If it constitutes a criminal offense, criminal liability shall be pursued in accordance with the law.
Article 75: If a foreign institution, organization or individual engages in activities such as attack, intrusion, interference or damage that jeopardizes critical information infrastructure of the People's Republic of China, resulting in serious consequences, its/his/her legal liability shall be pursued in accordance with the law; and the public security department and relevant departments of the State Council may decide to freeze the property of, or impose other necessary sanctions against, such institution, organization or individual.
Part Seven: Supplementary Provisions
Article 76: The following terms herein shall have the meanings assigned to them below:
(1) "network" means a system comprised of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures;
(2) "cybersecurity" means the capacity, through the taking of necessary measures, to prevent network attacks, intrusions, interference, damage or unauthorized use and accidents so as to procure the stable and reliable operation of the network and ensure the integrity, confidentiality and availability of network data;
(3) "network operator" means a network owner, manager and/or network service provider;
(4) "network data" means various types of electronic data collected, stored, transmitted, processed and generated by means of a network; and
(5) "personal information" means various types of information recorded electronically or otherwise that singly or in combination with other information can identify a natural person, and includes but is not limited to a natural person's name, date of birth, identity document number, personal biometric information, address and telephone number.
Article 77: Protection of the security of the operation of networks that store and process information that involves state secrets shall, in addition to complying with this Law, comply with laws and administrative regulations on confidentiality.
Article 78: The protection of the security of military networks shall be provided for separately by the Central Military Commission.
Article 79: This Law shall be effective as of June 1 2017.
(Adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7 2016 and effective as of June 1 2017.)
PRC President's Order (No.53 of the 12th NPC)