Opinions concerning Appropriately Limiting Specific Gravely Untrustworthy Persons from Riding Trains for a Certain Period, and Promoting the Construction of the Social Credit System


FGCJ (2018)384

All provincial, autonomous region, municipal and Xinjiang Production-Construction Corps social credit system construction leading work units, spiritual civilization offices, higher-level people’s courts, finance offices (bureaus), human resources and social security offices (bureaus), the State Administration of Taxation, local taxation bureaus, all delegated agencies of the China Securities Regulatory Commission, railway transportation enterprises, the Academy of Railway Science, and all railway public security bureaus:

Microblog Information Service Management Regulations


Article 1: In order to stimulate the healthy and orderly development of microblog information services, protect the lawful rights and interests of citizens, legal persons and other organizations, and safeguard national security and the public interest, these Regulations are formulated on the basis of the “Cybersecurity Law of the People’s Republic of China” and the “State Council Notice concerning Authorizing the Cyberspace Administration of China to take Responsibility for Internet Information Content Work”.

Report concerning the Inspection of the Implementation of the “Cybersecurity Law of the People’s Republic of China” and the “National People’s Congress Standing Committee Decisions concerning strengthening Online Information Protection”


Presented at the 31st Meeting of the 12th National People’s Congress Standing Committee on 24 December 2017

Wang Shengjun

Cybersecurity affects the long-term governance of the Party, the country’s long period of peace and order, economic and social development, and the personal interests of the popular masses. General Secretary Xi Jinping has emphatically pointed out that without cybersecurity there is no national security, and without informatization there is no modernization. The National People’s Congress attaches high importance to cybersecurity work: in December 2012 it deliberated and passed the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection”, and in November 2016 it deliberated and passed the “Cybersecurity Law of the People’s Republic of China” (hereafter together referred to as the “Law and Decision”). On the basis of the 2017 supervisory work plan, the National People’s Congress Standing Committee Law Enforcement Inspection Group reviewed the implementation situation of the “Law and Decision” from August to October 2017. I now report to the Standing Committee on behalf of the Law Enforcement Inspection Group.

I, The work situation of law enforcement inspection. 

The Cybersecurity Law took effect on 1 June of this year. Launching a law enforcement inspection of a newly formulated law that has been in effect for less than three months is a first in the NPCSC’s supervision work. Committee Chair Zhang Dejiang attached great importance to this law enforcement inspection and provided important instructions, pointing out that cybersecurity affects the country’s long-term peace and order, economic and social development, and the well-being of the popular masses. The NPCSC launching a law enforcement inspection in the same year that the Cybersecurity Law took effect implements the spirit of General Secretary Xi Jinping’s important instruction that “we must establish a correct cybersecurity view”, and supervises relevant parties to further strengthen legal propaganda, strengthen the cybersecurity awareness of all of society, grasp the formulation of accompanying laws and policies, ensure the effective implementation of the law, strive to upgrade cyberspace governance levels, and realistically safeguard security in national cyberspace and the lawful rights and interests of the people. He hoped that the inspection group would meticulously organize this law enforcement inspection, persist in problem-oriented guidance, and seek truth from facts.
On the basis of the spirit of Committee Chair Zhang Dejiang’s instructions, the Internal and Judicial Affairs Committee, the Finance and Economics Committee, the Education, Science, Culture and Health Committee and the Standing Committee Office researched the matter repeatedly, and established five focus points for this law enforcement inspection: first, the situation of legal propaganda and education work; second, the situation of formulating accompanying regulations and rules; third, the situation of strengthening critical information infrastructure protection and implementing the multi-level protection system for cybersecurity; fourth, the situation of bringing online unlawful information under control and safeguarding a benign ecology in cyberspace; and fifth, the implementation of the citizens’ personal information protection system, and the investigation and prosecution of unlawful and criminal acts infringing citizens’ personal information.

On 25 August, the Law Enforcement Inspection Group convened its first plenary meeting to convey the important instructions of Committee Chair Zhang Dejiang. The meeting heard reports from the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration of Press, Publications, Radio, Film and Television and the Supreme People’s Court concerning the implementation situation of the “Law and Decision”; the Ministry of Education, the Ministry of Science and Technology and the Ministry of Traffic and Transportation submitted written reporting materials.

On the basis of the arrangements, Deputy Committee Chair and Chief Secretary Wang Zhen, Deputy Committee Chairs Shen Yueyue, Zhang Ping, Wan Exiang and Chen Zhu, and I myself participated in this law enforcement inspection. The Inspection Group visited six provinces (regions, municipalities), namely Inner Mongolia, Heilongjiang, Fujian, Henan, Guangdong and Chongqing, to conduct investigation; during that period, the Inspection Group heard reports from relevant provincial, municipal and county governments, successively convened over 30 discussion meetings, and inspected several cybersecurity command platforms and critical information infrastructure operating work units on the ground. Furthermore, it also entrusted 12 provincial (regional, municipal) People’s Congresses with investigating the implementation situation of the “Law and Decision” within their administrative areas.

In order to deeply understand the implementation situation of the “Law and Decision”, this law enforcement inspection tried several new methods and approaches. First, it invited third-party expert bodies to participate. From early September until mid-October, the Inspection Group selected 20 important information systems in each of the six provinces (regions, municipalities) for on-the-ground inspection, and entrusted the China Information Security Monitoring Centre with conducting vulnerability scans and simulated attacks and issuing a specialized monitoring report on the cybersecurity situation of the monitored systems. The Inspection Group also entrusted the China Youth Daily Social Survey Centre with conducting popular opinion surveys in 31 provinces (regions, municipalities) on questions in 10 areas of the “Law and Decision” that closely affect the public, and it issued a survey report. In total, 10,370 people participated in this survey. The orderly participation of third-party bodies strengthened the expertise, authority, objectivity and fairness of this inspection. Second, expert participation. Considering the strongly specialized nature of cybersecurity, during the law enforcement inspection period the Inspection Group successively invited 21 cybersecurity experts and technical personnel who have long been engaged in cybersecurity work, from the State Information Technology Security Research Centre and other such work units, to provide technical support to the Inspection Group and strengthen the focus and efficacy of the inspection. Third, random spot checks. Each small inspection group randomly selected several critical information infrastructure operating work units according to the requirements of the inspection plan, and conducted preliminary spot checks unannounced. Six small inspection groups conducted random spot checks on 13 work units in total. All 120 important information systems monitored remotely were likewise selected randomly by the Law Enforcement Inspection Group, and the monitoring was completed without the operating work units being aware of it.

II, The methods and efficacy of implementing the “Law and Decision”

In recent years, Party Committees and governments at all levels have earnestly organized study of General Secretary Xi Jinping’s series of important speeches and important judgments concerning cybersecurity, deeply implemented the Centre’s strategic arrangements concerning “building a strong cyber power”, incorporated cybersecurity into the overall picture of economic and social development and into comprehensive planning and arrangements, and forcefully advanced cybersecurity and network information protection work, and implementation of the law has seen vigorous results.

(1) Deeply conducting propaganda and education, strengthening cybersecurity awareness.

First, strengthening the entire people’s cybersecurity awareness has been made into a basic task. Nine departments, including the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security, have organized and launched Cybersecurity Week for four successive years; the themed days, propaganda activities, lectures, forums, etc. held during this period each year have exceeded 10,000 in number, with an annual average coverage of around 200 million people. After the promulgation of the Cybersecurity Law, all localities have conducted propaganda and explanation of the core content of the law through newspapers and magazines, radio and television stations, portal websites, governmental microblogs and public accounts, etc. Second, strengthening legal propaganda and education in focus work units and focus sectors. The Ministry of Industry and Information Technology has entered study of the “Law and Decision” into the annual assessment standards for basic telecommunications operating enterprises, and organized learning sessions at focus Internet enterprises such as Baidu, Alibaba and Tencent. The Ministry of Public Security has organized concentrated study sessions for public security bodies nationwide, over 200 Central ministries and commissions as well as Central enterprises, and over 260 information security enterprises and related personnel. The State Administration of Press, Publications, Radio, Film and Television has organized cybersecurity knowledge and skill training and competition activities. Provinces (regions) such as Inner Mongolia and Heilongjiang have conducted focus training for the professional backbones responsible for cybersecurity in focus work units and focus sectors. Third, closely grasping the “critical minority” of leading cadres, and making the enhancement of leading cadres’ cybersecurity awareness into the top priority.
Localities such as Guangdong and Fujian have encouraged leading cadres to take the lead in knowing, understanding and using the law, through methods such as organizing cybersecurity and informatization-themed deliberation classes for leading cadres. The members of the Ministry of Traffic and Transportation Party Group have taken the lead in study and organized a “special training class for bureau-level leading cadres on cybersecurity”; the Ministry of Education has organized cybersecurity training classes for the education system, and has conducted topical training for responsible persons in all provincial education administration departments, directly subordinate higher education institutions and directly subordinate ministry bodies. All localities have made young netizens into a focus point for law popularization, launching activities such as “cybersecurity entering campuses and entering households” and “strive to be a netizen with the ‘four haves’”, guiding broad numbers of young people to go online in a lawful, civilized and healthy manner.

(2) Formulating accompanying regulations and policies, building cybersecurity structures and systems

In order to support the implementation of the “Law and Decision”, in recent years relevant State Council departments have published the “National Cyberspace Security Strategy”, the “Telecommunications Cybersecurity Protection Management Rules”, the “Telecommunications and Internet User Personal Information Protection Regulations”, the “Telephone User Real Identity Information Registration Regulations”, the “Press, Publications, Radio, Film and Television Cybersecurity Management Rules”, the “Public Internet Cybersecurity Sudden Incident Emergency Response Plan” and other such accompanying rules, plans and policy documents. The Cyberspace Administration of China has, together with relevant departments, published the “Some Opinions concerning Strengthening National Cybersecurity Standardization Work” and accelerated the formulation of cybersecurity standards, and 198 national cybersecurity standards have been published. The Supreme People’s Court and the Supreme People’s Procuratorate have published the “Interpretation concerning Some Questions on Applicable Law when Handling Criminal Cases of Infringement of Citizens’ Personal Information”. Some provinces have also launched accompanying regulation drafting work: the Inner Mongolia Autonomous Region People’s Congress Standing Committee formulated the “Computer Information System Security Protection Rules”, the Fujian Province People’s Congress Standing Committee passed the “Fujian Province Telecommunications Infrastructure Construction and Protection Regulations”, the Guangdong Province People’s Congress Standing Committee published the “Decision concerning Implementing the Telecommunications User Real Identity Information Registration System”, and the Heilongjiang Province People’s Congress Standing Committee published the “Industrial Information Security Management Regulations”.
Chongqing Municipality persisted in equally stressing cybersecurity and informatization development, strengthening the construction of e-government systems and perfecting governmental website management structures. A series of accompanying regulations, rules and policy documents have been published, assisting in the implementation of the “Law and Decision”.

(3) Enhancing security protection capabilities, striving to ensure the security of network operations

First, strengthening critical information infrastructure protection. In 2016, the Cyberspace Administration of China and other departments organized the launch of critical information infrastructure investigation and inspection work; they conducted spot-checks and technical surveys of the operational security state of 11,000 important infrastructure systems, completed cybersecurity risk assessments in multiple focus sectors including finance, energy, telecommunications, transportation, radio and television, education, healthcare and social security, and put forward over 4,000 improvement suggestions. Second, launching network infrastructure protection work. The Ministry of Industry and Information Technology has launched network infrastructure investigation work, completely combing through network infrastructure and information systems; at present, all sectors in total have been determined to contain 11,590 critical network infrastructure systems and important information systems. Since 2017, over 900 focus network systems and industrial control systems have been subjected to supervision and spot-checks, and 78,980 vulnerabilities have been notified for rectification. Third, deeply advancing multi-level cybersecurity protection. 140,000 information systems have already been filed, among which 17,000 are third-tier or higher important information systems; this basically covers all critical information infrastructure. At the same time, regularized inspection has been launched for information systems entered into multi-level protection; in recent years, the total number of security vulnerabilities of all kinds discovered and rectified approaches 400,000. Fourth, establishing reporting and early warning systems.
The Ministry of Public Security has taken the lead in establishing a national cybersecurity reporting and early warning mechanism, with a notification scope already covering 100 Central Party and government bodies, 101 Central enterprises, and 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps; all localities have also established cybersecurity and information security notification mechanisms, to notify and deal with all kinds of vulnerabilities and threats in real time. The Ministry of Education has established security supervision and early warning mechanisms for important websites and information systems in the education system, and has already handled 35,000 security threats in total. Fifth, vigorously launching the construction of coordinated joint action platforms for cybersecurity. The Cyberspace Administration of China has taken the lead in establishing emergency response technology support and assistance mechanisms for critical information infrastructure, and has incessantly upgraded the overall emergency response, security protection and coordinated joint action capabilities for critical information infrastructure. Sixth, forcefully conducting cybersecurity special campaign work. The Ministry of Public Security has, together with relevant work units, conducted large-scale Internet enterprise defence, website security, and Internet and email security special governance campaigns, discovering and rectifying a batch of deep cybersecurity problems and vulnerabilities.

(4) Controlling information violating laws and regulations, and safeguarding a clear and crisp cyberspace

All localities and all relevant departments have earnestly implemented the requirements of the law, soundly performed online ideological work, and firmly cleaned up information violating laws and regulations of all kinds, launching a series of campaigns including “sweeping pornography and beating illegality” and “Web Sword” that target information propagating terror, violence, obscenity or sex, etc. on Internet sites, application software, blogs, microblogs, public accounts, instant messaging tools and online streaming. Since 2015, the Cyberspace Administration of China and other departments have, according to the law, held talks with over 2,200 websites violating laws or regulations, cancelled the permit or filing of websites breaking laws or regulations or closed unlawful websites in over 13,000 cases, and relevant websites have, according to their user service agreements, closed nearly 10 million accounts violating laws or regulations, creating a powerful deterrent against all kinds of online unlawful conduct. The China Youth Daily Social Survey Centre provided the inspection group with a large-scale survey analysis report (hereafter the “mass survey report”), which suggests that among the 10,370 people participating in the survey, over 90% of respondents affirm the efficacy of governance, and 63.5% of them believe that information violating laws and regulations online, including information harming national security or propagating terror, violence, obscenity or sex, has clearly decreased. The competent law enforcement departments have also established an online information patrol mechanism and public reporting platforms, to clean up information violating laws and regulations in a timely manner. Chongqing and other such localities attach great importance to strengthening online content construction, vigorously creating excellent online works and strengthening online positive propaganda.

(5) Strengthening personal information protection, attacking unlawful and criminal infringement of user information security

Real identity system requirements have been comprehensively implemented for online access (website filing and domain names / IP addresses), fixed telephones and mobile telephones; in all cases where users do not provide real identity information, operators no longer provide the related services to them. In the past five years, telecommunications enterprises have organized the supplementary registration of 300 million old users who had not yet registered their real names, and ceased the provision of services according to the law to over 10 million users who refused to amend their registration. In order to ensure user information security, relevant departments have guided all network operating work units to further strengthen internal control and management structures, requiring them to implement strict management over the application for, use of and period of validity of major operations such as mass data export, reproduction and information deletion, preventing mass leaks of user information through workflows. Henan Province has strengthened security protection of the critical systems storing user information, enhancing capabilities to protect against hacking attacks. With regard to the high incidence of user personal information crimes, the Ministry of Public Security has arranged and launched a dedicated attack campaign, establishing anti-fraud centres in 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps, and comprehensively coordinating the attack against telecommunications and online fraud crimes committed using citizens’ personal information; in the past two years, over 3,700 cases of criminal infringement of personal information were cracked, and over 11,000 criminal suspects were arrested. Between 2014 and September 2017, courts nationwide tried 1,529 criminal cases in which networks were used to infringe citizens’ personal information, achieving relatively good legal and social effects.

(6) Expanding support strength, advancing critical cybersecurity technology innovation.

In order to implement the requirement of the Cybersecurity Law to “support focus cybersecurity technology industries and projects, and support the research, development and utilization of cybersecurity technology”, the Ministry of Science and Technology, jointly with the Cyberspace Administration of China, composed dedicated research plans based on the current state of cyberspace security development, focusing on goals such as raising our country’s critical information infrastructure and data security protection capabilities, supporting trusted management of cyberspace and data asset protection, and enhancing cyberspace protection capabilities, and established research directions on several focus points. In order to expand support for the research, development and application of cybersecurity technology, the Ministry of Science and Technology and the Ministry of Industry and Information Technology gave priority to initiating the “Cyberspace Security Focus Earmarks” in the “13th Five-Year Plan Period” national focus research and development plan, with State funding input of 1.384 billion Yuan; they systematically arranged 47 research tasks, striving to basically create an indigenous and controllable core cybersecurity technology system by the year 2020. Furthermore, in the “Science and Technology Innovation 2030 – Major Projects”, they gave priority to arranging a batch of major cybersecurity research projects, providing technical support for enhancing our country’s information supervision and management, prevention of leaks and theft of confidential information, cyber defence, etc.
The Ministry of Education has innovated cybersecurity talent education models, adding a first-tier cyberspace security discipline, issuing the “Opinions concerning Strengthening Cybersecurity Discipline Construction and Talent Training” together with relevant departments, initiating first-rate cybersecurity academy construction demonstration projects, and thus providing talent support for cybersecurity technology innovation.

III, Difficulties and problems existing in work

The inspection situation shows that various localities still display some difficulties and problems in implementing the “Law and Decision” and in safeguarding aspects of cybersecurity.

(1) Cybersecurity awareness urgently remains to be strengthened

Many critical information infrastructure operating work units have an insufficient understanding of the importance of cybersecurity; they believe that their being cyberattacked is only a low-probability matter, and they lack understanding of the harm that cyberattacks could do to them. In the area of informatization, they are “high on construction, low on security; high on use, low on protection”, lack awareness of active defence, and are unwilling to make the necessary investment in security protection; when handling the relationship between the usability and security of business information systems, they tend to emphasize usability, and when the two conflict, they often reduce security requirements. Quite a few leading cadres of local governments and departments do not understand cybersecurity from the height of national security; they have not entered cybersecurity work onto the important work agenda of their level’s government or department, or they give it priority in name only, “saying it is important, but treating it as secondary, and forgetting it when busy”. The general public’s cybersecurity awareness is generally not strong; the “mass survey report” indicates that 55.4% of respondents believe that many people around them lack cybersecurity awareness, and “know that cybersecurity exists but do not know much about it”.

(2) Basic cybersecurity construction is generally weak

First, the construction of cybersecurity situational awareness platforms is lagging behind. Cybersecurity risks have a strongly hidden character; sensing the security situation is the most basic and fundamental work for doing cybersecurity well. In safeguarding cybersecurity, it is first and foremost necessary to know where the risks are, what the risks are, and when the risks emerge. But quite a few provinces have not yet initiated the construction of cybersecurity situational awareness platforms, and cannot realize all-weather, real-time, dynamic monitoring of the cybersecurity risks in important information systems. Second, the construction of disaster recovery backup systems is generally lagging behind. Quite a few work units operating critical information infrastructure relating to the national economy and the people’s welfare have not conducted off-site disaster recovery backups of important data according to legal provisions, but have only adopted a few simple data backup measures; some have not conducted disaster recovery backups at all, and cannot effectively respond to major data security risks. In several provinces, multiple important information systems have not conducted off-site disaster recovery backups according to legal requirements. Third, the indigenization level of important industrial control enterprises’ equipment and control systems remains to be increased. Several important industrial control enterprises rely heavily on foreign technology: not only are their production control systems built by foreign companies, but foreign products are also used as the accompanying network and security equipment, the deployment of network and security equipment is controlled by foreign personnel, and the enterprises’ own personnel do not even hold the powers to deploy and manage the security equipment. In some provinces, the indigenization level of important industrial control enterprises’ production control systems is less than 20%. Fourth, emergency response plans are treated as a mere formality.
Some cybersecurity emergency response plans are biased towards the elimination of equipment faults, and their content dealing with cyberattacks, information leaks and other such cyberspace security incidents is relatively limited; some emergency response plans lack feasibility; some emergency response plans have not been revised for a long time, and can no longer respond to the present types of cybersecurity incidents; many work units have not truly organized emergency response drills because they lack the conditions to hold them; and quite a few localities and sectors have insufficient funds for resolving cybersecurity problems, so that after problems are discovered, they often cannot be resolved in a timely manner because of funding shortages.

(3) Prominent cybersecurity risks and vulnerabilities

In order to understand the situation of network operations, the law enforcement inspection group entrusted the China Information Security Monitoring Centre with conducting remote penetration tests and vulnerability scans of 120 randomly selected critical information infrastructure systems (60 portal websites and 60 operational systems). The Centre’s report stated that among the 120 critical information infrastructure systems undergoing remote monitoring, 30 contained security vulnerabilities, including 12 high-risk vulnerabilities; some provincial-level departments’ comprehensive Internet supervision and management platforms among them contained the three high-risk vulnerabilities of unauthorized upload, unauthorized download and unauthorized deletion, gravely threatening the security of systems and servers and carrying grave risks of user information leaks. The remote monitoring also discovered that multiple city-level government portal websites were at risk of having their pages tampered with (defaced). The law enforcement inspection group’s on-site spot checks discovered that multiple work units have not retained network logs according to laws and regulations, which may make it impossible to trace and respond in a timely manner when a cybersecurity incident occurs; some work units have not conducted risk assessments of important information systems, and lack knowledge of the cybersecurity situation they may face. The inspection also discovered that in multiple work units, the security construction of intranets and private networks has not been given sufficient attention; some work units have not deployed any security protection equipment for their intranet systems, and have not conducted vulnerability scans for a long time, so that major cybersecurity risks exist.
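The three high-risk findings named above (unauthorized upload, unauthorized download and unauthorized deletion) usually come down to a file-handling endpoint that performs no identity or permission check and joins a caller-supplied name straight onto a data directory. The following Python example, added here and not code from the report or from any of the inspected platforms, models such an endpoint in its vulnerable and hardened forms; the handler names, the viewer/editor/admin role model, the allow-list of upload extensions and the sample files are assumptions made for the illustration.

```python
"""Vulnerable vs. hardened upload/download/delete handlers (added example).
Everything here is a constructed model, not the inspected platforms' code."""
import os
import tempfile

# Constructed data directory with one sample file standing in for platform data.
BASE = tempfile.mkdtemp(prefix="platform-data-")
os.makedirs(os.path.join(BASE, "reports"))
with open(os.path.join(BASE, "reports", "q3.txt"), "w") as fh:
    fh.write("quarterly report")


class Forbidden(Exception):
    """Raised by the hardened handlers when a request must be refused."""


# --- Vulnerable handlers: no identity check, no confinement of the path ------
# os.path.join() drops BASE when `filename` is absolute, and "../" walks out of
# it, so any caller can read, write or delete any file the process can reach.
def vulnerable_download(filename):
    with open(os.path.join(BASE, filename), "rb") as fh:
        return fh.read()


def vulnerable_upload(filename, data):
    path = os.path.join(BASE, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def vulnerable_delete(filename):
    os.remove(os.path.join(BASE, filename))
    return True


# --- Hardened handlers: authenticate, authorize per operation, confine path ---
READ, WRITE, DELETE = "read", "write", "delete"
ROLE_PERMISSIONS = {"viewer": {READ}, "editor": {READ, WRITE},
                    "admin": {READ, WRITE, DELETE}}     # assumed role model
ALLOWED_UPLOAD_EXT = {".txt", ".pdf"}                   # assumed allow-list


def _authorize(session, permission):
    # `session` is the server-side record of an authenticated user, never a
    # request parameter. No session means anonymous, which is always refused.
    if session is None:
        raise Forbidden("authentication required")
    role = session.get("role")
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        raise Forbidden("role %r may not %s" % (role, permission))


def _confined_path(filename):
    # Resolve symlinks and "..", then require the result to stay under BASE.
    root = os.path.realpath(BASE)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden("path escapes the data directory: %r" % filename)
    return candidate


def hardened_download(session, filename):
    _authorize(session, READ)
    with open(_confined_path(filename), "rb") as fh:
        return fh.read()


def hardened_upload(session, filename, data):
    _authorize(session, WRITE)
    path = _confined_path(filename)
    if os.path.splitext(path)[1].lower() not in ALLOWED_UPLOAD_EXT:
        raise Forbidden("file type not allowed: %r" % filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_delete(session, filename):
    _authorize(session, DELETE)
    os.remove(_confined_path(filename))
    return True


def denied(handler, *args):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


def demo():
    """Exercise both variants against files outside BASE; returns findings."""
    outside = tempfile.mkdtemp(prefix="outside-")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not platform data")
    planted = os.path.join(outside, "shell.php")   # where an attacker drops a webshell
    results = {
        "vuln_reads_outside": vulnerable_download(secret) == b"not platform data",
        "hard_blocks_outside_read": denied(hardened_download, {"role": "viewer"}, secret),
        "vuln_plants_script": os.path.exists(vulnerable_upload(planted, b"<?php ... ?>")),
        "hard_blocks_plant": denied(hardened_upload, {"role": "editor"}, planted, b"x"),
        "hard_blocks_php_inside": denied(hardened_upload, {"role": "editor"}, "reports/x.php", b"x"),
        "hard_blocks_anon_delete": denied(hardened_delete, None, "reports/q3.txt"),
        "hard_blocks_viewer_delete": denied(hardened_delete, {"role": "viewer"}, "reports/q3.txt"),
    }
    vulnerable_delete(planted)                      # works on any path: that is the problem
    results["vuln_deletes_outside"] = not os.path.exists(planted)
    os.remove(secret)
    os.rmdir(outside)
    return results
```

The hardened handlers refuse before touching the filesystem: the permission check runs first, then the path is canonicalized and compared against the data root, and only then is the file opened. Checking `realpath` output rather than the raw string is what defeats both `../` sequences and symlinks placed inside the data directory; the extension allow-list is a second, independent control against a script being planted even by a legitimately authorized editor.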
Following the advance of informatization construction in all areas and all localities, the datafication, networking and remote operation of all sectors and all fields is becoming ever clearer, putting forward higher requirements for cybersecurity.
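The on-site finding that several work units had not retained network logs as required is something an operator can check for itself before an inspector does. The Cybersecurity Law (Article 21) requires network operators to keep network logs for no less than six months; the following Python example, added here and not taken from the report, parses a constructed sample of portal access-log lines and reports whether the retained records reach back across that window and whether there are gaps inside it. The log line format, the 180-day figure for “six months”, the seven-day gap threshold and the inspection date used as “now” are assumptions.

```python
"""Log-retention check against the six-month requirement (added example).
The log lines are constructed; the format and thresholds are assumptions."""
import re
from datetime import datetime, timedelta

RETENTION_DAYS = 180          # "no less than six months", taken as 180 days
MAX_GAP_DAYS = 7              # a busy portal with no entries for a week has lost logs
NOW = datetime(2017, 10, 1)   # assumed inspection date used as "now"

# Assumed line format: ISO timestamp, client, method, path, status.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def build_sample_log():
    """Weekly access entries from 2017-03-01 on, with five weeks missing (constructed)."""
    start = datetime(2017, 3, 1, 8, 0, 0)
    lines = []
    for week in range(31):
        if 5 <= week <= 9:    # weeks 2017-04-05 .. 2017-05-03 were never archived
            continue
        ts = start + timedelta(weeks=week)
        lines.append("%sZ 10.0.0.5 GET /portal/index 200" % ts.strftime("%Y-%m-%dT%H:%M:%S"))
    return lines


def parse_timestamps(lines):
    """Sorted timestamps of well-formed lines; malformed lines are skipped and counted."""
    stamps, bad = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            bad += 1
            continue
        stamps.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    return sorted(stamps), bad


def retention_report(stamps, now=NOW, required_days=RETENTION_DAYS, max_gap_days=MAX_GAP_DAYS):
    """Coverage and gap findings for the window [now - required_days, now]."""
    if not stamps:
        return {"compliant": False, "reason": "no log records", "gaps": []}
    window_start = now - timedelta(days=required_days)
    earliest, latest = stamps[0], stamps[-1]
    gaps = []
    # Gaps between consecutive records, plus the trailing gap up to `now`
    # (logging that silently stopped is also a retention failure).
    for prev, cur in zip(stamps, stamps[1:] + [now]):
        length = cur - prev
        if length > timedelta(days=max_gap_days) and cur > window_start:
            gaps.append((prev, cur, length.days))
    covered_days = (now - earliest).days
    compliant = earliest <= window_start and not gaps
    if compliant:
        reason = "ok"
    elif earliest > window_start:
        reason = "records cover only %d of %d days" % (covered_days, required_days)
    else:
        reason = "%d gap(s) inside the retention window" % len(gaps)
    return {"earliest": earliest, "latest": latest, "covered_days": covered_days,
            "window_start": window_start, "gaps": gaps, "compliant": compliant, "reason": reason}


def check_sample(required_days=RETENTION_DAYS):
    """Run the check on the constructed sample (plus one malformed line); returns the report."""
    stamps, bad = parse_timestamps(build_sample_log() + ["garbage line"])
    report = retention_report(stamps, required_days=required_days)
    report["malformed_lines"] = bad
    return report
```

On the constructed sample the oldest record is old enough, but a 42-day hole in April and May falls inside the 180-day window, so the check reports non-compliance with the gap rather than a bare pass/fail; shrinking the window to 120 days moves the hole outside it and the same records pass. Gaps older than the window are deliberately ignored, since only the period the law requires to be retained matters.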

(4) The situation in user personal information protection work is grim

The “mass survey report” demonstrates that the implementation of many of the structures in the “Law and Decision” concerning user personal information protection is not ideal: 52.1% of interviewees believe that the provision in the law that “online service providers and other enterprise and undertaking work units must, when collecting and using citizens’ personal electronic information during their business operations, indicate the purpose, method and scope of the collection and use of the information” has been implemented badly or mediocrely; 49.6% of interviewees have encountered excessive collection of personal information, and 18.3% of them regularly encounter excessive collection of user information; 61.2% have encountered “dictator clauses” in which relevant enterprises use their own advantageous position to force the collection and use of user information, and if this is not accepted, the product in question cannot be used or the service received; 52.5% believe that law enforcement’s protection of user information has ordinary or bad results, and quite a few people report that after discovering that their personal information was leaked or abused, it was fairly common that reporting was difficult, filing complaints was difficult, and getting a case filed was difficult. Many interviewees reported that the problems of excessive collection of user information and infringement of personal privacy are widespread in free-of-charge applications, but there seems to be no supervision, management or lawful punishment whatsoever. The investigation discovered that some Internet companies and public service departments store large amounts of citizens’ personal information, but their security protection technology lags gravely behind, making it easy for law-breakers to steal and abuse it.
Several work units’ internal control systems are not perfected or not implemented, and a small number of “insiders” have taken risks in pursuit of unlawful gain, leading to large-scale leaks of user information. In several places, the use of networks to illegally collect, steal, peddle and use users’ information has already created black industry chains. Cases recently uncovered by public security departments demonstrate that user information leaks have multiple channels, that the cost of the unlawful act of theft is low, and that investigation is difficult; furthermore, the methods used by law-breakers are incessantly improving, and cases of “targeted fraud” triggered by user information leaks are increasing, creating grave harm to the asset security of the popular masses.

(5) Cybersecurity law enforcement structures remain to be further smoothed out

The phenomenon of “nine dragons ruling the water” in cybersecurity supervision and management still exists; problems such as unclear duties and responsibilities, each fighting their own battles, law enforcement shifting responsibility, low efficiency, etc., still have not been effectively resolved, and the comprehensive coordination role with which the law endowed cybersecurity and informatization departments has not been performed smoothly enough. In several localities, multi-headed management problems in network and information security are relatively prominent, but after information leaks, abuses of user personal information and other such information security incidents occur, users regularly run into the problems that there is no door to complain to, or departments shift responsibility between them or dispute over trifles. The “mass survey report” reveals that 18.9% of interviewees reflect that, after encountering cybersecurity problems, they do not know which department to go to in order to file a report or complaint, and even if they have reported the matter, it is often not dealt with or there is no result. Multiple network operating work units participating in the discussions reflected that problems exist in administrative law enforcement, such as different law enforcement departments conducting duplicate inspections of the same work unit or the same item, and even that inspection standards are not identical, and that data collected by different law-implementation competent departments cannot yet realize “interconnection and interaction”, regularly bringing increased and extra burdens to network operators. Quite a few people believe that if it is impossible to rationally structure and precisely delineate duties and responsibilities between departments, it will lead to the problem that law enforcement is not coordinated in the process of implementing the multi-level protection system and critical information infrastructure protection system.
Furthermore, the investigation discovered that urban rail transport control systems and other such industrial control systems have unclear cybersecurity management responsibility boundaries, and operating work units’ implementation of cybersecurity responsibility contains difficulties; supervision, management and administrative law enforcement forces in the telecommunications sector are gravely insufficient, and law enforcement forces are not suited to the present severe situation in which cybersecurity incidents occur at high frequency.

(6) Accompanying regulations to the Cybersecurity Law remain to be perfected

Quite a few work units reflected that, as the basic law in the area of cybersecurity management, quite a few elements of the Cybersecurity Law are principle-type provisions, and true “implementation” still relies on the perfection of accompanying regulations. For example, even though the Cybersecurity Law contains provisions on data security and use, data operations in practice are relatively complicated, and data desensitization standards, inter-enterprise data sharing norms, etc. still need relevant regulations and rules to clarify them; the Cybersecurity Law only clarified that critical information infrastructure operators’ data export activities require assessment, but it has not further clarified whether a security assessment is to be conducted for the export of important data held by other network operators. The critical information infrastructure protection system is an important system in the Cybersecurity Law, but understandings at present are not yet uniform with regard to what is critical information infrastructure, the standards and procedures to designate critical information infrastructure, etc., and this needs to be clarified through accompanying regulations. How critical information infrastructure is to conduct annual inspections and evaluations, how network operators and management departments are to uniformly publish cybersecurity early warning information, how to support indigenous intellectual property rights in cybersecurity, etc., are also waiting for accompanying regulations and rules to be clarified.

(7) There is a cybersecurity talent shortage

Among the 10370 people participating in the investigation, over 69% of interviewees believe that within their work unit or among the people they know, the number of specialist technical talents able to engage skilfully in cybersecurity protection is relatively low and cannot satisfy real needs; 21.6% among these interviewees believe that within their work unit, there is basically no-one who is well acquainted with cybersecurity protection technology. The investigation situation shows that, regardless of whether a region is economically developed or relatively backward, cybersecurity technology talents are relatively lacking in all cases; existing network operating work units’ technology talents are mostly biased towards systems use and operational maintenance, their capability for cybersecurity risk supervision and control, emergency response and comprehensive defence is insufficient, and it is difficult to respond to the needs of protecting cybersecurity. In some critical information infrastructure core business systems, even though protection systems are installed, upgrades or patches cannot be applied to security software because of a lack of high-level security technology talent, meaning that cybersecurity protection products can only play an effective role with difficulty. Quite a few government portal websites do not have specialized cybersecurity technology talents, and website management personnel have not received systematic cybersecurity skills training. Furthermore, cybersecurity competent departments’ specialized talents are clearly insufficient in number.
Under factor constraints such as personnel appointment, duties, remuneration, etc., many local cybersecurity and informatization, public security, telecommunications management, industry and information technology, and other such work units often are unable to recruit or retain specialized technical talents, and first-line law enforcement personnel’s specialist training and skills can hardly be competent for regularized supervision, management and law enforcement duties for network operational security.

IV, Some suggestions

On the basis of the inspection situation, the inspection group has put forward the following suggestions for further implementing the “Law and Decision”.

(1) Further raising understanding of the importance of cybersecurity

In the information age, cyberspace has become the fifth space for human activity after land, sea, air and outer space, it has become a new frontier for national interests and a new area for the strategic game between all major countries worldwide, cybersecurity can affect the entire picture of national security with one move, and it has become a national security problem of a fundamental and comprehensive nature. The 19th Party Congress report stressed that cybersecurity and other such non-traditional security matters are one of the common challenges that humanity faces, that we must persist in the overall national security view, make the people’s security into the purpose, make political security into the foundation, comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, and strengthen the construction of national security capabilities. We must further deepen understanding of the importance of strengthening cybersecurity work under new circumstances, and incessantly strengthen our sense of urgency and self-consciousness in implementing the Cybersecurity Law and other such laws and regulations. The competent departments for implementation of the law and other related work units must, in integration with their work reality, further strengthen propaganda and training about the Cybersecurity Law, incessantly let the broad network operators, critical information infrastructure operating work units and their relevant personnel be able to know the content of the law; they must also strengthen propaganda for the social public in ways that are pleasing to see and hear, let the broad public understand the close relationship between cybersecurity and themselves, and strengthen the cybersecurity awareness of all of society.

(2) Correctly dealing with the relationship between security and development. 

General Secretary Xi Jinping pointed out that cybersecurity and informatization are mutually accompanying. Security is the precondition for development, development is the guarantee for security, security and development must be advanced simultaneously. We must fully understand the role of the Internet in state management, economic development and social governance, continue to advance e-government, e-commerce and new smart city construction, incessantly enhance technological convergence, operational convergence and data convergence, create information “arteries” for economic and social development. We must, according to the requirements in the Cybersecurity Law to “equally stress maintaining cybersecurity and informatization development”, persist in grasping network and informatization development with one hand, and grasping cybersecurity with the other, “grasp with both hands, both hands must be tight”. In cybersecurity, we must give high regard to traditional information security and ideological security, and create a cyberspace with a clear atmosphere, brimming with positive energy, we must also give high regard to enhancing capabilities to defend against attacks, effectively prevent cyber attacks, and realistically safeguard the security of networks and information systems. We must scientifically formulate cybersecurity standards for different sectors and different work units, and earnestly research and resolve the problem that “cybersecurity compliance costs are excessively high” put forward by several work units. Encourage and support the development of the cybersecurity industry, give rein to the role of social forces, and provide secure products and services.

(3) Accelerate the perfection of accompanying regulations and rules of the Cybersecurity Law.

We must accelerate the legislative progress of the “Critical Information Infrastructure Protection Regulations” and the “Cybersecurity Multi-Level Protection Regulations”, make clear provisions on issues that, in practice, everyone universally feels are difficult to grasp, such as what is critical information infrastructure, how to determine critical information infrastructure, etc., and further clarify the departmental duties and responsibilities in the process of implementing the multi-level protection system and the critical information infrastructure protection system. Cybersecurity and informatization, telecommunications and public security departments must formulate accompanying regulations or documents as quickly as possible, and create detailed structures for elements of the law such as personal information and important data export security assessment, online data management, cybersecurity monitoring and early warning, information reporting, cybersecurity review, cybersecurity certification and security monitoring result mutual recognition, etc. Several administrative regulations and departmental rules already formulated earlier should also be timely corrected and perfected on the basis of the requirements of the Cybersecurity Law as well as the new situations and new questions encountered in implementing the law. On the basis of the need to prevent and crack down on online unlawful and criminal acts, strengthen Internet criminal legislation, research the formulation of a law to prevent and address online unlawful and criminal acts, and promote the effective linkage of administrative punishment and criminal punishment of online unlawful and criminal acts.

(4) Striving to enhance cybersecurity protection capabilities

First, accelerating cybersecurity state sensing platform construction. We must integrate resources from all departments to establish a unified all-weather cybersecurity sensing platform, in order to discover risks and sense risks well, and thereby build uniform and high-efficiency cybersecurity risk discovery mechanisms, notification mechanisms, intelligence sharing mechanisms, deliberation and response mechanisms, and to accurately grasp the laws, trends and tendencies occurring in cybersecurity risks. Second, organizing and conducting risk assessment according to the law. We must, as quickly as possible, perfect cybersecurity risk assessment mechanisms, strengthen assessment in important sectors and areas such as finance, energy, transportation, etc., and on the basis of the assessment situation, adjust cybersecurity work plans and protection measures at suitable times. Third, regularly organizing emergency response drills. Organize critical information infrastructure operating work units to regularly conduct emergency response drills, to ensure that important information systems involving national security, or involving the national economy and the people’s livelihoods, are able to effectively respond to organized, high-strength cyberattacks. Fourth, we must earnestly implement the requirements of the law, accelerate the construction of disaster-proof backups in critical information infrastructure, and regularly conduct testing of their disaster-proof efficacy, enhancing the capabilities of information systems to be resilient to disasters, mitigate disasters and recover. We must supervise network operating work units in earnestly implementing the provisions of the law and preserving network daily records according to the law.
Fifth, we must strengthen the construction of cybersecurity confidentiality protection systems, enhance the capabilities of cybersecurity secrecy protection equipment, and enhance the construction of cybersecurity secrecy protection technology safeguard infrastructure. Sixth, we must forcefully advance the domestic production replacement project. Strengthen technological research and development, progressively raise the degree of domestically produced content in information control systems in important industries and enterprises, and increase the indigenous and controllable capabilities in critical information infrastructure and cybersecurity equipment. 

(5) Progressively strengthening users’ personal information protection

First, we must accelerate the progress of the personal information protection legislation. Through specialized legislation, clarify the principles and procedures for network operators to collect user information, clarify their secrecy protection and [general] protection duties for collected information, and the liability they shall bear for improper use and weak protection, as well as supervision, inspection and assessment measures. Second, strengthening security protection. Strengthen the construction of data security supervision and management methods, implement tiered and categorized management for data resources, and promote the research, development and deployment of security technologies for preventing data theft, preventing tampering and preventing leaks in the big data landscape. Third, we must earnestly research the scope and methods for user real-name registration systems, and resolutely avoid the problems that information collection subjects are excessively many in number, and real-name registration items are excessive. All localities and all work units shall have a clear legal basis for any real identity registration system. We must enhance real identity information collection methods, and reduce the content of real identity information collected. Fourth, strengthening supervision and inspection. Establish third-party assessment mechanisms, supervise network operators and public service work units in strictly collecting user information according to the law, establishing and completing internal management mechanisms, and effectively reducing the risk of “inside ghosts” stealing data. Fifth, further strengthening crackdowns.
Public security bodies must strengthen the crackdown on cyberattacks, online fraud, online harmful information and other such unlawful and criminal activities, sever online criminal profit chains, continue to shape a high-pressure situation, implement the provisions of the law on protecting citizens’ personal information, and ensure that the broad citizens’ lawful rights and interests are not harmed. Sixth, we must perfect complaints reception mechanisms. Research the establishment of uniform and highly effective user information security incident complaint reception mechanisms, to provide convenience for user complaints and reporting, and safeguard the popular masses’ lawful rights and interests.

(6) Strengthening comprehensive coordination in cybersecurity work

Cybersecurity work involves many domains, has a broad scope, brings heavy tasks and great difficulties, and is strongly systemic, general and coordinated in nature. To respond to complex cybersecurity situations, we must ensure uniform planning, uniform arrangements, uniform standards and uniform progress. We must incessantly perfect online law enforcement coordination mechanisms, and complete standardized law enforcement systems suited to the features of networks as quickly as possible. We must implement regulations related to the Cybersecurity Law, strengthen the construction of cybersecurity law enforcement teams and law enforcement capabilities, strengthen the comprehensive coordination duties and responsibilities of cybersecurity and informatization departments, clarify the boundaries of and interfaces between all functional departments’ powers and responsibilities, and create coordinated action mechanisms for departments including cybersecurity and informatization, industry and information technology, public security, secrecy protection, etc.; we must both prevent functional overlap and multi-headed management, while also avoiding a pushing away of law enforcement responsibilities and blank spots in management, incessantly raise law enforcement efficiency, and effectively safeguard cyberspace security. Considering the strong cross-regional nature of the Internet, and the fact that regional boundaries are not clear, we must complete and perfect cybersecurity non-local law enforcement cooperation mechanisms, and realize interregional law enforcement joint action. We must also eliminate departmental interests, cut through data and information barriers, reduce duplicate construction, establish shared data platforms, substantially ensure that data collected by different departments can be shared, and raise cybersecurity protection capabilities.

(7) Accelerating the construction of cybersecurity talent teams

Cybersecurity is one of the areas where technological renewal happens the most quickly; competition in cyberspace is fundamentally a competition over talent, and to construct a cyber power, the most crucial resource is talent. We must give high regard to cybersecurity talent training work: we must not only foster technical talents proficient in information system use and protection, but we must also foster large batches of talents who are able to conduct cybersecurity risk supervision and control, emergency response and comprehensive protection, and thereby satisfy the demands put forward in the implementation of the Cybersecurity Law. We must further strengthen the construction of cybersecurity academic disciplines, optimize the structuring of teacher teams, reform talent fostering models, and foster ever more applied talents who can satisfy practical requirements. We must encourage reforms of the systems and mechanisms for network and informatization talent development to be conducted and trialled first, research the establishment of cybersecurity special talent training, management and incentive mechanisms, strengthen the fostering, recruitment and support of high-end cybersecurity talents and urgently required talents, and ensure that Party and government bodies and critical information infrastructure operating work units are able to recruit, use well and retain “high-end, capable and sharp” specialized talents proficient in cybersecurity technology.

At present, the Internet has deeply merged with all areas of economic development and social life, it has profoundly transformed people’s ways of production and life. We must earnestly study and comprehensively implement the spirit of the 19th Party Congress and especially Xi Jinping Thought on Socialism with Chinese characteristics for a new era, further raise our political stance, firmly establish correct cybersecurity views, further strengthen our sense of urgency and sense of awareness in implementing the law, advance all structures of the “Law and Decision” towards complete implementation, substantially safeguard cyberspace sovereignty and the direct personal interests of the popular masses, and provide firm guarantees for victoriously constructing a moderately prosperous society, gaining magnificent victories for Socialism with Chinese characteristics in a new era, and realizing the Chinese Dream of the great rejuvenation of the Chinese nation.

全国人民代表大会常务委员会执法检查组关于检查《中华人民共和国网络安全法》、《全国人民代表大会常务委员会关于加强网络信息保护的决定》实施情况的报告

——2017年12月24日在第十二届全国人民代表大会常务委员会第三十一次会议上
王胜俊

全国人民代表大会常务委员会:

网络安全事关党的长期执政,事关国家长治久安,事关经济社会发展和人民群众切身利益。习近平总书记强调指出,没有网络安全就没有国家安全,没有信息化就没有现代化。全国人大常委会高度重视网络安全工作,2012年12月审议通过《全国人民代表大会常务委员会关于加强网络信息保护的决定》,2016年11月审议通过《中华人民共和国网络安全法》(以下简称“一法一决定”)。根据2017年监督工作计划,全国人大常委会执法检查组于2017年8月至10月对“一法一决定”的实施情况进行了检查。现在,我代表执法检查组向常委会作报告。

一、执法检查的工作情况

网络安全法是今年6月1日开始施行的。一部新制定的法律实施不满3个月即启动执法检查,这在全国人大常委会监督工作中尚属首次。张德江委员长十分重视这次执法检查,作了重要批示,指出:网络安全事关国家长治久安,事关经济社会发展和人民群众福祉。全国人大常委会在网络安全法实施当年就开展执法检查,要贯彻落实习近平总书记关于“要树立正确的网络安全观”的重要指示精神,督促有关方面进一步加强法律宣传,增强全社会网络安全意识,抓紧配套法规政策制定,确保法律有效实施,着力提升网络空间治理水平,切实维护国家网络空间安全和人民群众合法权益。希望检查组精心组织好这次执法检查,坚持问题导向,务求取得实效。根据张德江委员长的批示精神,内务司法委员会、财政经济委员会、教育科学文化卫生委员会和常委会办公厅等单位反复研究,确定了这次执法检查的五个重点:一是开展法律宣传教育的情况;二是制定配套法规规章的情况;三是强化关键信息基础设施保护及落实网络安全等级保护制度的情况;四是治理网络违法违规信息,维护网络空间良好生态的情况;五是落实公民个人信息保护制度,查处侵犯公民个人信息及相关违法犯罪的情况。

8月25日,执法检查组召开第一次全体会议,传达张德江委员长的重要批示。会议听取了国家互联网信息办公室、工业和信息化部、公安部、国家新闻出版广电总局、最高人民法院关于“一法一决定”贯彻实施情况的汇报,教育部、科技部、交通运输部等单位提交了书面汇报材料。

根据安排,王晨副委员长兼秘书长、沈跃跃、张平、万鄂湘、陈竺副委员长和我六位副委员长参加这次执法检查。检查组赴内蒙古、黑龙江、福建、河南、广东、重庆等6省(区、市)进行检查,期间,检查组听取了有关省、市、县政府的汇报,先后召开30余次座谈会,实地考察了部分网络安全指挥平台和关键信息基础设施运营单位。另外,还委托12个省(区、市)人大常委会对本行政区域“一法一决定”实施情况进行检查。

为了深入了解“一法一决定”实施情况,这次执法检查在方式方法上作了一些新的尝试:一是请第三方专业机构参与。9月上旬至10月中旬,检查组在实地检查的6个省(区、市)各选取20个重要信息系统,委托中国信息安全测评中心进行漏洞扫描和模拟攻击,并就所检测系统的网络安全情况出具专业检测报告。检查组还委托中国青年报社社会调查中心就“一法一决定”中与公众关系密切的10个方面的问题,在全国31个省(区、市)进行了民意调查,出具了调查报告。共有10370人参与这次调查。第三方机构的有序参与,增强了本次检查的专业性、权威性和客观公正性。二是专家参与。考虑到网络安全专业性较强,执法检查期间,检查组先后从国家信息技术安全研究中心等单位聘请21名网络安全专家和长期从事网络安全工作的专业技术人员参加检查,为检查组提供技术支持,增强检查的针对性和实效性。三是随机抽查。各检查小组均按检查方案要求,随机选取若干关键信息基础设施运营单位,在不打招呼的情况下进行临时抽查。6个检查小组共对13个单位进行了随机抽查。远程检测的120个重要信息系统也均由执法检查组随机选取,在运营单位不知情的情况下完成检测。

二、贯彻实施“一法一决定”的做法和成效

近年来,各级党委政府认真组织学习习近平总书记系列重要讲话和关于网络安全的重要论述,深入贯彻中央关于“建设网络强国”的战略部署,把网络安全纳入经济社会发展全局来统筹谋划部署,大力推进网络安全和网络信息保护工作,法律实施取得了积极成效。

(一)深入开展宣传教育,增强网络安全意识

一是把增强全民网络安全意识作为基础工程。国家互联网信息办公室、工业和信息化部、公安部等9部门连续四年组织开展网络安全周和主题日宣传活动,每年活动期间组织的讲座论坛等都超过1万场次,年均覆盖人数约2亿人。网络安全法颁布后,各地均通过报刊杂志、电台电视台、门户网站、政务微信微博等,对法律核心内容进行宣传解读。二是加强重点单位、重点行业法律宣传教育。工业和信息化部将学习“一法一决定”情况纳入各基础电信运营企业的年度考核指标,并组织百度、阿里、腾讯等重点互联网企业开展学习。公安部组织全国公安机关、200多个中央部委和中央企业、260多家信息安全企业相关人员进行集中学习。国家新闻出版广电总局组织开展了网络安全知识技能练兵和竞赛活动。内蒙古、黑龙江等省(区)对重点单位、重点行业负责网络安全的业务骨干进行了重点培训。三是紧紧抓住领导干部这个关键少数,把提升领导干部的网络安全意识作为重中之重。广东、福建等地通过举办领导干部网络安全和信息化专题研讨班等形式,推动领导干部率先知法懂法用法。交通运输部党组成员带头学习,并举办了“交通运输网络安全局级领导专题培训班”,教育部举办了教育系统网络安全培训班,对各省级教育行政部门、直属高校、部直属机关负责人进行专题培训。四是加强重点人群宣传教育。各地把青少年网民作为普法重点,开展了“网络安全进校园、进家庭”、“争做四有好网民”等活动,引导广大青少年依法、文明、健康上网。

(二)制定配套法规政策,构建网络安全制度体系

为配合“一法一决定”实施,近年来,国务院相关部门出台了《国家网络空间安全战略》《通信网络安全防护管理办法》《电信和互联网用户个人信息保护规定》《电话用户真实身份信息登记规定》《新闻出版广播影视网络安全管理办法》《公共互联网网络安全突发事件应急预案》等配套规章、规划和政策文件。国家互联网信息办公室会同有关部门出台了《关于加强国家网络安全标准化工作的若干意见》,加快了网络安全国家标准制定工作,目前已发布198项网络安全国家标准。最高法院、最高检察院出台了《关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释》。一些省份也开展了配套法规立法工作,内蒙古自治区人大常委会制定了《计算机信息系统安全保护办法》,福建省人大常委会通过了《福建省电信设施建设与保护条例》,广东省人大常委会出台了《关于落实电信用户真实身份信息登记制度的决定》,黑龙江省人大常委会制定了《工业信息安全管理条例》。重庆市坚持网络安全与信息化发展并重,加强电子政务制度建设,完善了政府网站管理制度。一系列配套法规、规章和政策文件出台,助推了“一法一决定”的贯彻实施。

(三)提升安全防范能力,着力保障网络运行安全

一是强化关键信息基础设施防护。2016年,国家互联网信息办公室等部门组织开展了关键信息基础设施摸底排查工作,对1.1万个重要信息系统安全运行状况进行抽查和技术检测,完成了对金融、能源、通信、交通、广电、教育、医疗、社保等多个重点行业的网络安全风险评估,提出整改建议4000余条。二是开展网络基础设施防护工作。工业和信息化部开展了网络基础设施摸底工作,全面梳理网络设施和信息系统,目前全行业共确定关键网络设施和重要信息系统11590个。2017年以来,监督抽查重点网络系统和工业控制系统900余个,通知整改漏洞78980个。三是深入推进网络安全等级保护。已累计受理备案14万个信息系统,其中三级以上重要信息系统1.7万个,基本涵盖了所有关键信息基础设施。同时,对纳入等级保护的信息系统开展常态化检查,近年来累计发现整改各类安全漏洞近40万个。四是建立通报预警机制。公安部牵头建立了国家网络安全通报预警机制,通报范围已覆盖100个中央党政军机构、101家央企、31个省(区、市)和新疆生产建设兵团,各地也都建立了网络安全与信息安全通报机制,实时通报处置各类隐患漏洞。教育部建立了教育系统重要网站和信息系统安全监测预警机制,已累计通报处置安全威胁3.5万个。五是积极开展网络安全协调联动平台建设。国家互联网信息办公室牵头建立了关键信息基础设施应急技术支持和协助机制,不断提升关键信息基础设施整体应急反应能力、安全保障能力和协调联动能力。六是大力开展网络安全专项整治工作。公安部会同有关单位组织开展了大型互联网企业专项保卫行动、网站安全和互联网电子邮件安全专项整治行动,发现整改了一批网络安全深层次问题和隐患。

(四)治理违法违规信息,维护网络空间清朗

各地各有关部门认真落实法律要求,扎实做好网络意识形态工作,坚决清理各类违法违规信息。通过开展“扫黄打非”、“剑网”等系列行动,对互联网站、应用程序、论坛、博客、微博、公众账号、即时通讯工具、网络直播中宣扬恐怖暴力、淫秽色情等信息及时清理。2015年以来,国家互联网信息办公室等部门依法约谈违法违规网站2200余家,取消违法违规网站许可或备案、关停违法网站13000多家,有关网站按照用户服务协议关闭违法违规账号近1000万个,对网上各类违法行为形成有力震慑。中国青年报社社会调查中心提供给检查组的万人调查分析报告(以下简称“万人调查报告”)显示,在参与调查的10370人中,超过90%的受访者对治理成效给予肯定,其中有63.5%的人认为近年来网络上危害国家安全、宣扬恐怖暴力、淫秽色情等违法违规信息明显减少。法律实施主管部门还建立了网络信息巡查机制和公众举报平台,及时清理违法违规信息。重庆等地重视加强网络内容建设,积极创作优秀网络作品,做强网上正面宣传。

(五)加强个人信息保护,打击侵犯用户信息安全违法犯罪

全面落实网络接入(网站备案和域名/IP地址)、固定电话、移动电话实名制办理要求,凡用户不提供真实信息的,运营者不再为其提供相关服务。五年来,组织电信企业对3亿多未实名的老用户进行补登记,对拒不补登记的1000余万用户依法暂停提供服务。为确保用户信息安全,有关部门指导各网络运营单位进一步强化了内控管理制度,要求对批量导出、复制、销毁信息等重大操作的申请、使用和有效期实行严格管理,从工作流程上防止用户信息的批量泄露。河南省加强对保存用户信息关键系统的安全防护,提升防止黑客攻击能力。针对侵犯用户个人信息犯罪高发态势,公安部部署开展专项打击行动,在31个省(区、市)和新疆生产建设兵团公安机关建立了反诈骗中心,统筹协调打击利用公民个人信息实施的电信网络诈骗犯罪,近两年,共侦破侵犯个人信息犯罪相关案件3700余起,抓获犯罪嫌疑人11000余名。2014年至2017年9月,全国法院共审理利用网络侵犯公民个人信息犯罪案件1529件,取得了较好的法律效果和社会效果。

(六)加大支持力度,推进网络安全核心技术创新

为落实网络安全法“扶持重点网络安全技术产业和项目,支持网络安全技术的研究开发和利用”等要求,科技部会同国家互联网信息办公室共同编制了专项研究计划,立足网络空间安全发展现状,围绕提高我国关键信息基础设施和数据安全的防护能力、支撑网络空间可信管理和数字资产保护、提升网络空间防护能力等目标,确立若干重点研究方向。为了加大对网络安全技术研究开发和应用的支持,科技部、工业和信息化部等部门,在“十三五”国家重点研发计划中优先启动了“网络空间安全重点专项”,投入国拨经费13.84亿元,系统部署了47项研究任务,力争到2020年,基本形成自主可控的网络空间安全核心技术体系。另外,在“科技创新2030——重大项目”中,也将优先安排一批网络空间安全重大研究项目,为提升我国信息监管、泄密窃密防范、网络防御等提供技术支持。教育部创新网络安全人才培养模式,增设了网络空间安全一级学科,与有关部门共同下发了《关于加强网络安全学科建设和人才培养的意见》,启动了一流网络安全学院建设示范项目,为网络安全技术创新提供人才支持。

三、工作中存在的困难和问题

从检查情况看,各地在贯彻实施“一法一决定”、维护网络安全方面还存在一些困难和问题。

(一)网络安全意识亟待增强

许多关键信息基础设施运营单位对网络安全的重要性认识不到位,认为受到网络攻击只是小概率事件,对可能受到的网络攻击的危害性缺乏认知。在信息化方面“重建设、轻安全;重使用、轻防护”,缺乏主动防御意识,不愿在安全防护方面进行必要投入;在处理业务信息系统可用性和安全性的关系时,往往更重视可用性,在二者有冲突时,往往会降低安全性要求。不少地方政府和部门领导干部不能从国家安全的高度认识网络安全,没有把网络安全工作列入本级政府和部门工作重要议程,或者只是口头上重视,“说起来重要,干起来次要,忙起来不要”。社会公众网络安全意识总体不强,“万人调查报告”显示,有55.4%的受访者认为,他们身边的许多人缺乏网络安全意识,对网络安全“知其然不知其所以然”。

(二)网络安全基础建设总体薄弱

一是网络安全态势感知平台建设滞后。网络安全风险具有很强的隐蔽性,感知安全态势是做好网络安全最基本最基础的工作。维护网络安全,首先要知道风险在哪里,是什么样的风险,什么时候发生风险。但不少省份尚未启动网络安全态势感知平台建设,不能实现对重要信息系统网络安全风险的全天候实时、动态监测。二是容灾备份体系建设总体滞后。不少关系国计民生的关键信息基础设施运营单位没有按照法律规定对重要数据进行异地容灾备份,而仅仅采取了一些简单的数据备份措施,有的甚至尚未进行过容灾备份,不能有效应对重大网络安全风险。在有些省份,多数重要信息系统未按法律要求进行异地容灾备份。三是重要工业控制企业的设备和控制系统国产化程度有待提高。一些重要工控企业对外国技术依赖严重,不仅生产控制系统由国外公司建设,配套的网络及安全设备也采用国外产品,网络及安全设备的配置由外方人员操控,企业内部人员甚至不掌握安全设备配置和管理权限。在有的省份,重要工控企业的生产控制系统国产化率不足20%。四是应急预案流于形式。有的网络安全应急预案侧重于设备设施障碍的排除,针对网络攻击、信息泄露等网络空间安全事件的内容较少;有的应急预案缺乏可操作性;有的应急预案长期未修订,已不能应对当下的网络安全事件;许多单位由于应急演练相关条件不足,未真正举行过应急演练;不少地方和行业用于解决网络安全问题的经费不足,发现了问题后,往往因经费缺乏不能及时解决。

(三)网络安全风险和隐患突出

为了解网络运行情况,执法检查组委托中国信息安全测评中心对随机选取的120个关键信息基础设施(60个门户网站和60个业务系统)进行了远程渗透测试和漏洞扫描。该中心出具的报告显示,本次远程测试的120个关键信息基础设施中,共存在30个安全漏洞,包括高危漏洞13个,其中某省级部门互联网监管综合平台存在越权上传、越权下载、越权删除文件等3个高危漏洞,严重威胁了系统及服务器安全,也存在严重的用户信息泄露风险。远程检测还发现,多个设区的市政府门户网站存在页面被篡改风险。执法检查组现场抽查时发现,许多单位没有依照法律规定留存网络日志,这可能导致发生网络安全事件时无法及时进行追溯和处置;有的单位从未对重要信息系统进行风险评估,对可能面临的网络安全态势缺乏认知。检查还发现,在许多单位,内网和专网安全建设没有引起足够重视,有的单位对内网系统未部署任何安全防护设施,长期不进行漏洞扫描,存在重大网络安全隐患。随着各地区各领域信息化建设的推进,各行业各领域数据化、在线化、远程化趋势更加明显,对网络安全提出了更高要求。

(四)用户个人信息保护工作形势严峻

“万人调查报告”显示,“一法一决定”关于用户个人信息保护的多项制度落实得并不理想:有52.1%的受访者认为,法律关于“网络服务提供者和其他企业事业单位在业务活动中收集、使用公民个人电子信息,必须明示收集、使用信息的目的、方式和范围”的规定执行得不好或者一般;有49.6%的受访者曾遇到过度收集用户信息现象,其中18.3%的受访者经常遇到过度采集用户信息现象;有61.2%的人遇到过有关企业利用自己的优势地位强制收集、使用用户信息,如果不接受就不能使用该产品或接受服务的“霸王条款”;有52.5%的人认为执法部门保护用户信息的成效一般或者不好,不少人反映,在发现本人信息被泄露或者被滥用后,举报难、投诉难、立案难现象比较普遍。许多受访者反映,当前免费应用程序普遍存在过度收集用户信息、侵犯个人隐私问题,但几乎没有受到任何监管和依法惩处。检查发现,有的互联网公司和公共服务部门存储了大量公民个人信息,但安防技术严重滞后,容易被不法分子窃取和盗用。一些单位内控制度不完善或不落实,少数“内鬼”为牟取不法利益铤而走险,致使用户信息大批量泄露。当前在一些地方,利用网络非法采集、窃取、贩卖和利用用户信息已形成黑色产业链。从公安部门近期破获的案件看,用户信息泄露呈现渠道多、窃取违法行为成本低、追查难度大等特点,而且违法分子使用的手段不断升级,因用户信息泄露引发的“精准诈骗”案件增多,给人民群众财产安全造成严重危害。

(五)网络安全执法体制有待进一步理顺

网络安全监管“九龙治水”现象仍然存在,权责不清、各自为战、执法推诿、效率低下等问题尚未有效解决,法律赋予网信部门的统筹协调职能履行不够顺畅。一些地方网络信息安全多头管理问题比较突出,但在发生信息泄露、滥用用户个人信息等信息安全事件后,用户又经常遇到投诉无门、部门之间推诿扯皮的问题。“万人调查报告”显示,有18.9%的受访者反映,在遇到网络安全问题后,他们不知该向哪个部门举报和投诉,即使举报了也往往不予处理或者没有结果。参加座谈的多数网络运营单位反映,行政执法过程中存在不同执法部门对同一单位、同一事项重复检查且检查标准不一等问题,不同法律实施主管机关采集的数据还不能实现“互联互通”,经常给网络运营商增加额外负担。不少人认为,如果不能合理定位,准确厘清部门之间的职责,等级保护制度和关键信息基础设施保护制度落实过程中也会产生执法不协调问题。另外,检查发现,城市轨道交通控制系统等工控系统网络安全管理责任边界不清,运营单位落实网络安全责任制存在困难;通信行业监管和行政执法力量严重不足,执法力量与当前网络安全事件频发多发的严峻形势不相适应。

(六)网络安全法配套法规有待完善

不少单位反映,作为网络安全管理方面的基础性法律,网络安全法不少内容还只是原则性规定,真正“落地”还有赖于配套制度的完善。比如,网络安全法虽然对数据安全和利用作了规定,但现实中数据运用比较复杂,数据脱敏标准、企业间数据共享规则等,仍然需要有关法规规章予以明确;网络安全法仅明确了关键信息基础设施运营者数据出境需进行评估,但其他网络运营者掌握的重要数据出境是否进行安全评估,尚待进一步明确。关键信息基础设施保护制度是网络安全法一项重要制度,但对于什么是关键信息基础设施、关键信息基础设施认定的标准和程序等,目前认识尚不一致,需要配套法规予以明确。关键信息基础设施如何进行年度检测评估、网络运营者和管理部门如何统一发布网络安全预警信息、如何扶持网络安全自主知识产权等,也有待于配套法规规章予以明确。

(七)网络安全人才短缺

参与调查的10370人中,有超过69%的受访者认为,所在单位或者熟悉的人中,能够熟练从事网络安全防护的专业技术人才较少,无法满足现实需要,其中有21.6%的受访者认为所在单位基本上无人熟悉网络安全防护技术。从检查的情况看,不管是经济发达地区还是相对落后地区,网络安全技术人才都比较匮乏,现有的网络运营单位技术人才多侧重于系统使用、操作维护,对网络安全风险的监控、应急处置和综合防护能力不足,难以适应保障网络安全的需要。有的关键信息基础设施核心业务系统虽然安装了防护系统,但由于缺乏高水平的安全技术人才,不能对安全软件进行升级和打补丁,从而使网络安全防护产品难以有效发挥作用。不少政府门户网站没有专门的网络安全技术人才,网站管理人员没有接受过系统的网络安全技能培训。另外,网络安全主管部门专业人才也明显不足。受到编制、职务、薪资等因素制约,许多地方网信、公安、通信管理、工信等单位往往招不到或留不住专业技术人才,一线执法人员的专业素养和技能难以胜任网络运行安全常态化监管执法职责。

四、几点建议

根据检查情况,检查组对进一步贯彻实施“一法一决定”提出以下建议。

(一)进一步提高对网络安全重要性的认识

在信息时代,网络空间已经成为继陆地、海洋、天空、外层空间之外,人类活动的第五空间,成为国家利益的新边疆和世界各主要国家战略博弈的新领域,网络安全对国家安全牵一发而动全身,已成为基础性、全局性的国家安全问题。党的十九大报告强调,网络安全等非传统安全是人类面临的共同挑战之一,要坚持总体国家安全观,以人民安全为宗旨,以政治安全为根本,统筹外部安全和内部安全、国土安全和国民安全、传统安全和非传统安全、自身安全和共同安全,完善国家安全制度体系,加强国家安全能力建设。要进一步深化对新形势下加强网络安全工作重要性的认识,不断增强贯彻落实网络安全法等法律法规的紧迫感和自觉性。法律实施主管机关和其他相关单位要结合工作实际,进一步加大对网络安全法的宣传培训力度,不仅让广大网络运营商、关键信息基础设施运营单位的相关人员能够熟知法律内容,还要以喜闻乐见的方式加强对社会公众的宣传,让广大公众认识到网络安全与自身的密切关系,增强全社会的网络安全意识。

(二)正确处理安全和发展的关系

习近平总书记强调指出,网络安全和信息化是相辅相成的。安全是发展的前提,发展是安全的保障,安全和发展要同步推进。要充分认识到互联网在国家管理、经济发展和社会治理中的作用,继续推进电子政务、电子商务、新型智慧型城市建设,不断推进技术融合、业务融合、数据融合,打通经济社会发展的信息“大动脉”。要按照网络安全法“坚持网络安全与信息化发展并重”的要求,坚持一手抓网络和信息化发展,一手抓网络安全,“两手抓,两手都要硬”。对于网络安全,既要重视传统的信息安全和意识形态安全,营造风清气正、正能量充沛的网络空间,也要高度重视攻防能力提升,有效防范网络攻击,切实维护网络信息系统安全。要科学制定不同行业、不同单位的网络安全标准,认真研究解决有些单位提出的“网络安全合规成本过高”的问题。鼓励和支持网络安全产业的发展,发挥社会力量的作用,提供安全的产品和服务。

(三)加快完善网络安全法配套法规规章

要加快《关键信息基础设施安全保护条例》《网络安全等级保护条例》的立法进程,对实践中大家普遍感觉难以把握的问题,如什么是关键信息基础设施、如何认定关键信息基础设施等作出明确规定,并对等级保护制度和关键信息基础设施保护制度落实过程中的部门职责进一步予以明确。网信、工信、公安等部门要尽快制定配套规章或者文件,细化法律中个人信息和重要数据出境安全评估、网络数据管理、网络安全监测预警和信息通报、网络安全审查、网络安全认证和安全检测结果互认等制度。此前已制定的一些行政法规和部门规章也应根据网络安全法的要求以及法律实施中遇到的新情况新问题,及时予以修改完善。根据防范和打击网络违法犯罪的需要,加强互联网刑事立法,研究制定网络违法犯罪防治法,推动网络违法犯罪行政处罚与刑事处罚的有效衔接。

(四)着力提升网络安全防护能力

一是加快网络安全态势感知平台建设。要整合各部门资源,建立统一的全天候网络安全感知平台,以更好地发现风险、感知风险,进而构建统一高效的网络安全风险发现机制、报告机制、情报共享机制、研判处置机制,准确把握网络安全风险发生的规律、动向、趋势。二是依法组织开展风险评估。要尽快完善网络安全风险评估机制,加强对金融、能源、交通等重要行业和领域的评估,根据评估情况,适时调整网络安全工作方案和保护措施。三是定期组织应急演练。组织关键信息基础设施运营单位定期进行应急演练,使事关国家安全、关系国计民生的重要信息系统能够有效应对有组织的高强度网络攻击。四是要认真落实法律要求,加快关键信息基础设施数据的容灾备份建设,并定期开展灾备效果验证,提升信息系统的抗灾、减灾和恢复能力。要督促网络运营单位认真落实法律规定,依法留存网络日志。五是要加强网络安全保密保障体系建设,提升网络安全保密装备能力,推进网络安全保密技术保障基础设施建设。六是要大力推进国产化替代工程。加大技术研发力度,逐步提高重要工业企业信息控制系统的国产化率,提升关键信息基础设施和网络安全设备的自主可控能力。

(5) Further strengthening the protection of users’ personal information

First, accelerate the legislative process for a personal information protection law. Through dedicated legislation, clarify the principles and procedures for network operators’ collection of user information, their obligations to keep the collected information confidential and protect it, the liability they must bear for improper use or inadequate protection, and supervision, inspection and assessment measures. Second, strengthen security protection. Strengthen the construction of data security supervision tools, implement tiered and categorized management of data resources, and promote the research, development and deployment of security technologies against data theft, tampering and leakage in big data settings. Third, earnestly study the scope and methods of the user real-name system, and resolutely avoid the problems of too many bodies collecting information and excessive real-name registration requirements. When any region or unit implements real-name registration for a given matter, it must have a clear legal basis. Methods of collecting real-name information must be improved, and the content collected reduced. Fourth, step up supervision and inspection. Establish third-party assessment mechanisms, urge network operating and public service units to collect user information strictly according to the law and to establish and complete internal management systems, and effectively reduce the risk of data theft by “insiders”. Fifth, further step up enforcement. Public security organs must step up the fight against cyber attacks, online fraud, harmful online information and other such illegal and criminal activities, cut off the chains of profit of cybercrime, maintain sustained high pressure, implement the law’s provisions protecting citizens’ personal information, and keep the lawful rights and interests of citizens from being infringed. Sixth, perfect complaint handling mechanisms. Study and establish a unified and efficient mechanism for accepting complaints about user information security incidents, make it convenient for users to complain and report, and safeguard the lawful rights and interests of the popular masses.

(6) Strengthening the overall coordination of cybersecurity work

Cybersecurity work involves many areas, has a broad scope, heavy tasks and great difficulty, and is highly systemic, integral and collaborative in nature. Responding to the complex cybersecurity situation requires unified planning, unified deployment, unified standards and unified advancement. Online law enforcement cooperation mechanisms must be continuously perfected, and a standardized law enforcement system suited to the characteristics of the Internet completed as soon as possible. The relevant provisions of the Cybersecurity Law must be implemented: strengthen the construction of cybersecurity law enforcement teams and law enforcement capabilities, strengthen the overall coordination duties of the cyberspace affairs departments, clarify the boundaries of powers and responsibilities and the interfaces between the various functional departments, and form coordination and linkage mechanisms between the cyberspace affairs, industry and information technology, public security, secrecy and other departments, both preventing overlapping functions and multi-headed management and avoiding buck-passing in enforcement and blanks in management, so as to continuously raise enforcement efficiency and effectively safeguard the security of cyberspace. Considering that the Internet is highly cross-regional and its geographic boundaries are indistinct, mechanisms for cross-jurisdictional cooperation in cybersecurity law enforcement must be perfected to achieve linked enforcement between regions. Departmental interests must also be broken down, data and information barriers opened up, duplicate construction reduced and shared data platforms established, so that data collected by different departments can truly be shared and cybersecurity protection capabilities raised.

(7) Accelerating the construction of the cybersecurity talent force

Cybersecurity is one of the areas in which technology changes fastest; competition in cyberspace is, in the final analysis, competition for talent, and in building a strong cyber country the most critical resource is talent. High importance must be attached to cybersecurity talent cultivation: not only cultivating technical personnel proficient in the use and maintenance of information systems, but also cultivating large numbers of personnel able to carry out cybersecurity risk monitoring, emergency response and comprehensive protection, so as to satisfy the requirements raised by the implementation of the Cybersecurity Law. The construction of the cybersecurity discipline must be further strengthened, the structure of the teaching staff optimized, talent cultivation models reformed, and more application-oriented personnel who meet practical needs cultivated. Pilot reforms of the structures and mechanisms for developing network and informatization talent must be encouraged, systems for the cultivation, management and incentivization of special cybersecurity talent studied and established, and the cultivation, recruitment and support of high-end and scarce cybersecurity talent stepped up, so that Party and government organs and critical information infrastructure operating units can recruit, make good use of and retain “high-level, precise and advanced” professionals proficient in cybersecurity technology.

At present, the Internet has been deeply integrated into every aspect of economic development and social life, profoundly changing people’s ways of production and life. We must earnestly study and comprehensively implement the spirit of the 19th Party Congress, especially Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, further raise our political standing, firmly establish a correct view of cybersecurity, further strengthen the sense of urgency and consciousness in implementing the law, advance the comprehensive implementation of all the systems of the “Law and Decision”, concretely safeguard cyberspace sovereignty and the vital interests of the popular masses, and provide a strong guarantee for securing a decisive victory in comprehensively building a moderately prosperous society, winning the great victory of Socialism with Chinese Characteristics for a New Era, and realizing the Chinese Dream of the great rejuvenation of the Chinese nation.

This report is submitted for deliberation.

Proposal for International Cooperation on the “One Belt, One Road” Digital Economy


The digital economy is an increasingly important driver of global economic growth, and is playing an ever more important role in accelerating economic development, enhancing labour productivity in existing industries, fostering new markets and new industrial growth points, and realizing inclusive and sustainable growth. In order to expand cooperation in the digital economy area, we, as countries supporting the “One Belt, One Road” initiative, will, on the basis of the principles of interconnection and interaction, innovation and development, openness and cooperation, harmony and inclusivity, and mutual benefit and win-win, explore the common use of digital opportunities and responses to challenges, strive to realize an interconnected and interactive “Digital Silk Road” through strengthening policy communication, infrastructure linkages, trade facilitation, financial flows and people-to-people bonds, and forge a mutually beneficial, win-win “community of interests” and a “community of destiny” for common development and flourishing. To this end, on a voluntary and non-binding basis, we put forward the following proposal:


1. Expanding broadband access, raising broadband quality. Build and perfect regional telecommunications, Internet, satellite navigation and other such important information infrastructure, stimulate interconnection and interaction, explore the expansion of high-speed Internet access and connectivity measures at a bearable price, stimulate broadband network coverage, improve service capabilities and quality.

2. Stimulating the digital transformation. Stimulate the digitization of agricultural production, operations and management, as well as the networked transformation of agricultural product distribution. Encourage digital technologies to converge with the manufacturing sector, build an ever more linked, networked and smart manufacturing sector. Use information and telecommunications technology to improve cultural education, healthcare and medicine, environmental protection, urban planning and other public services. Stimulate the sustained development of service sectors such as smart logistics, online tourism, mobile payment, digital creativity and the shared economy. 

3. Stimulate e-commerce cooperation. Explore the feasibility of establishing information sharing, mutual trust and mutual recognition mechanisms for cross-border e-commerce credit, customs passage, inspection, quarantine, consumer protection and other such areas, strengthen cooperation in areas such as financial payment, storage and logistics, technology services, offline exhibitions, etc. Strengthen cooperation in consumer rights protection.  

4. Support Internet start-ups and innovation. Encourage the promotion of Internet-based research, development and innovation through beneficial and transparent legal frameworks, and support Internet-based start-ups. Use the Internet to stimulate innovation in products, services, processes, organizational and commercial models. 

5. Stimulate the development of small, mid-size and micro enterprises. Stimulate small, mid-size and micro enterprises to use information and telecommunication technologies to conduct innovation, raise competitiveness and open up new market sales channels through policy support. Promote the provision of required digital infrastructure to small, mid-size and micro enterprises at bearable prices. Encourage small, mid-size and micro enterprises to provide information and telecommunication products and services to public departments, and enter into global value chains. 

6. Strengthen digitized skills training. Increase the public’s digitized skills levels, ensure that they obtain gains from the development of the digital economy. Launch on-the-job training for digital skills, enhance employees’ digital skills. Encourage government departments, universities, research bodies and enterprises to vigorously launch training programmes, and stimulate the popularization and improvement of digital skills. 

7. Stimulating investment in the information and telecommunications technology area. Improve the commercial environment through stimulating research, development and innovation as well as investment, including cross-border investment in the digital economy. Promote all kinds of financial bodies, multilateral development bodies, etc., to invest in information and telecommunications technology infrastructure and applications, guide commercial share investment funds as well as social funds to invest in the area of the digital economy, encourage public-private partnership relations and other such forms of participation. Encourage the organization of investment information exchange activities between information and telecommunications technology enterprises and financial bodies, encourage reciprocal investment in the information and telecommunications technology area.

8. Promoting inter-city digital economy cooperation. Stimulate relevant cities to launch twinning cooperation, support the establishment of strategic cooperation relationships between twinned cities, drive international traffic and logistics, enhance quality and increase efficiency through constructing information infrastructure, promoting information sharing, stimulating information technology cooperation, and stimulating Internet trading services. Explore the establishment of “Digital Silk Road” economic cooperation demonstration areas. Encourage and support relevant cities in establishing “Digital Silk Road” economic demonstration areas within these cities, promote profound bilateral cooperation in areas such as information infrastructure, smart cities, e-commerce, long-distance healthcare, “Internet Plus”, the Internet of Things, artificial intelligence, etc.

9. Increasing digital inclusivity. Adopt many kinds of policy measures and technological measures to reduce the digital divide, including the digital divide between countries and within countries, and forcefully stimulate the proliferation of the Internet. Stimulate the use of digital technologies in school education and non-official education, promote the realization of broadband access for schools and equip them with online learning environments, so that ever more students can use digitized tools and resources in pursuit of learning. Strengthen the development of digital content such as excellent online games, cartoons, audiovisual materials, literature, music and knowledge resources, and stimulate exchange between the cultures of all countries, and a meeting of people’s hearts.

10. Encouraging and fostering transparent digital economy policies. Develop and maintain an open, transparent and inclusive digital economy policy formulation method. Encourage the dissemination of related and publishable government data, and understand the potential of these in driving new technologies, new products and new services. Encourage online open tendering and procurement, support enterprises in innovating digital product production and services, and simultaneously ensure that demand is market-led. 

11. Furthering international standardization cooperation. Propose the formulation and application of international standards for technology products and services developed through joint coordination; these international standards should maintain consistency with international norms, including the norms and principles of the World Trade Organization.

12. Strengthening confidence and trust. Strengthen the availability, integrity, confidentiality and reliability of online transactions. Encourage the development of secure information infrastructure, in order to stimulate trustworthy, stable and reliable Internet applications. Strengthen international cooperation in the area of online trading, jointly attack cybercrime and protect the information and telecommunications technology environment. Establish confidence among users through ensuring and respecting privacy and protecting personal data; this is a critical factor influencing the development of the digital economy.

13. Encourage and stimulate cooperation while respecting autonomous development paths. Encourage all countries along the Belt and Road to strengthen exchange and enhance mutual understanding, strengthen cooperation in policy formulation, supervision and management, and reduce, eliminate or prevent unnecessary differences in supervision and management requirements, in order to liberate the vitality of the digital economy, while understanding that all countries should preserve consistency with their international legal obligations, and that they will plan their development path on the basis of their own development situation, historical and cultural traditions, national legal systems and national development strategies.

14. Encouraging the joint construction of a peaceful, secure, open, cooperative and ordered cyberspace. Support information and telecommunication technology policies that safeguard the global nature of the Internet, permit Internet users to lawfully and autonomously choose the information, knowledge and services they obtain online. Understand that cybersovereignty must be fully respected, safeguard cybersecurity, determinedly attack cyberterrorism and cybercrime, protect personal privacy and information security, and promote the establishment of a multilateral, democratic and transparent international Internet governance system.

15. Encouraging the establishment of multi-level exchange mechanisms. Stimulate all sides, governments, enterprises, scientific research bodies, and sectoral organizations to communicate and interact, share viewpoints, and promote cooperation in the digital economy. Strengthen training, research and cooperation in the area of the digital economy. Strengthen exchanges about policy formulation and legislative experiences among the “Belt-Road Initiative” countries, and share best practices. Launch the construction of digital technology capabilities, welcome and encourage the United Nations Conference on Trade and Development, the United Nations Industrial Development Organization, the Organisation for Economic Co-operation and Development, the International Telecommunication Union and other such international organizations to play an important role in driving international cooperation on the “Belt-Road Initiative” digital economy.

(Signed by China, Laos, Saudi Arabia, Serbia, Thailand, Turkey and the United Arab Emirates)

The full text of the “One Belt, One Road” Digital Economy International Cooperation Initiative follows:

The digital economy is an increasingly important driver of global economic growth, and is playing an important role in accelerating economic development, raising labour productivity in existing industries, fostering new markets and new industrial growth points, and realizing inclusive and sustainable growth. In order to expand cooperation in the area of the digital economy, we, as countries supporting the “One Belt, One Road” initiative, will, in the spirit of the principles of interconnection and interaction, innovation and development, openness and cooperation, harmony and inclusivity, and mutual benefit and win-win, explore the joint use of digital opportunities and responses to challenges, strive to realize an interconnected and interactive “Digital Silk Road” through strengthening policy communication, infrastructure connectivity, unimpeded trade, financial integration and people-to-people bonds, and forge a mutually beneficial, win-win “community of interests” and a “community of destiny” of common development and prosperity. To this end, on a voluntary and non-binding basis, we put forward the following initiative:

1. Expanding broadband access and raising broadband quality. Build and perfect regional telecommunications, Internet, satellite navigation and other such important information infrastructure, promote interconnection and interaction, explore ways of expanding high-speed Internet access and connectivity at affordable prices, and promote broadband network coverage and raise service capability and quality.

2. Promoting digital transformation. Promote the digitization of agricultural production, operations and management, and the networked transformation of agricultural product distribution. Encourage the integration of digital technologies with manufacturing, and build a more connected, networked and smart manufacturing sector. Use information and communication technology to improve culture and education, healthcare and medicine, environmental protection, urban planning and other public services. Promote the sustained development of smart logistics, online tourism, mobile payment, digital creativity, the sharing economy and other such service sectors.

3. Promoting e-commerce cooperation. Explore the feasibility of establishing information sharing and mutual trust and recognition mechanisms in areas such as cross-border e-commerce credit, customs clearance, inspection and quarantine, and consumer protection, and strengthen cooperation in financial payment, warehousing and logistics, technical services, offline exhibitions and other such areas. Strengthen cooperation on consumer rights protection.

4. Supporting Internet-based start-ups and innovation. Encourage the promotion of Internet-based research, development and innovation through favourable and transparent legal frameworks, and support Internet-based start-ups. Use the Internet to promote innovation in products, services, processes, organization and business models.

5. Promoting the development of small, medium and micro enterprises. Through policy support, promote the use of information and communication technology by small, medium and micro enterprises to innovate, raise competitiveness and open up new sales channels. Promote the provision of the digital infrastructure needed for the operations of small, medium and micro enterprises at affordable prices. Encourage small, medium and micro enterprises to provide information and communication products and services to the public sector and to integrate into global value chains.

6. Strengthening digital skills training. Raise the public’s digital skill levels and ensure that they benefit from the development of the digital economy. Launch on-the-job training in digital skills and raise the digital skills of practitioners. Encourage government departments, universities and research institutions, and enterprises to actively launch training programmes, and promote the popularization and improvement of digital skills.

7. Promoting investment in the area of information and communication technology. Improve the business environment through policy frameworks that promote research, development and innovation (RDI) and investment, including cross-border investment in the digital economy. Promote investment by all kinds of financial institutions, multilateral development institutions and others in information and communication technology infrastructure and applications, guide commercial equity investment funds and social funds to invest in the area of the digital economy, and encourage public-private partnerships (PPP) and other such forms of participation. Encourage the organization of investment information exchange activities between information and communication technology enterprises and financial institutions, and encourage mutual investment in the area of information and communication technology.

8. Promoting inter-city digital economy cooperation. Promote twinning cooperation between relevant cities, support the establishment of strategic cooperation relationships between twinned cities, and drive quality and efficiency gains in international transport and logistics through information infrastructure construction, promoting information sharing, promoting information technology cooperation, advancing Internet-based trade and economic services, and strengthening people-to-people exchange. Explore the establishment of “Digital Silk Road” economic cooperation pilot zones. Encourage and support relevant cities in establishing “Digital Silk Road” economic cooperation pilot zones in their respective cities, and promote in-depth bilateral cooperation in information infrastructure, smart cities, e-commerce, telemedicine, “Internet Plus”, the Internet of Things, artificial intelligence and other such areas.

9. Raising digital inclusivity. Adopt many kinds of policy measures and technological means to narrow the digital divide, including the digital divide between and within countries, and vigorously advance Internet penetration. Promote the use of digital technologies in school education and non-formal education, and promote the realization of broadband access for schools equipped with online teaching environments, so that ever more students can use digital tools and resources for learning. Strengthen the development of each country’s excellent digital content, such as online games, animation, film and television, literature, music and knowledge resources, and promote cultural exchange and the meeting of people’s hearts between countries.

10. Encouraging and fostering transparent digital economy policies. Develop and maintain open, transparent and inclusive methods of digital economy policy formulation. Encourage the release of relevant, publishable government data, and recognize its potential for driving new technologies, new products and new services. Encourage open online tendering and procurement, support enterprises in innovating in the production of digital products and services, and at the same time keep demand market-led.

11. Advancing international standardization cooperation. Advocate the formulation and application of international standards for relevant technology products and services developed through joint collaboration; these international standards should be consistent with international rules, including the rules and principles of the World Trade Organization.

12. Strengthening confidence and trust. Strengthen the availability, integrity, confidentiality and reliability of online transactions. Encourage the development of secure information infrastructure in order to promote trustworthy, stable and reliable Internet applications. Strengthen international cooperation on online transactions, and jointly combat cybercrime and protect the information and communication technology environment. Build user confidence by ensuring respect for privacy and the protection of personal data; this is a critical factor influencing the development of the digital economy.

13. Encouraging and promoting cooperation while respecting autonomous development paths. Encourage countries along the route to strengthen exchange and enhance mutual understanding, strengthen cooperation in policy formulation and regulation, and reduce, eliminate or prevent unnecessary differences in regulatory requirements in order to release the vitality of the digital economy, while recognizing that all countries should remain consistent with their international legal obligations and will plan their development paths according to their own development situations, historical and cultural traditions, national legal systems and national development strategies.

14. Encouraging the joint construction of a peaceful, secure, open, cooperative and orderly cyberspace. Support information and communication technology policies that safeguard the global nature of the Internet and allow Internet users to lawfully and autonomously choose the online information, knowledge and services they obtain. Recognize that cyber sovereignty must be fully respected, safeguard cybersecurity, resolutely combat cyberterrorism and cybercrime, protect personal privacy and information security, and promote the establishment of a multilateral, democratic and transparent international Internet governance system.

15. Encouraging the establishment of multi-level exchange mechanisms. Promote communication, exchange and the sharing of views among governments, enterprises, research institutions, industry organizations and all other parties, and promote digital economy cooperation. Strengthen training and research cooperation on the digital economy. Strengthen exchanges on policy formulation and legislative experience among “One Belt, One Road” countries, and share best practices. Launch digital technology capacity building, and welcome and encourage the United Nations Conference on Trade and Development, the United Nations Industrial Development Organization, the Organisation for Economic Co-operation and Development, the International Telecommunication Union and other international organizations to play an important role in promoting international cooperation on the “One Belt, One Road” digital economy.

Internet News Information Service Work Unit Content Management Staff Management Rules


Chapter I: General provisions

Article 1: In order to strengthen management of content management staff in Internet news information service work units, safeguard the lawful rights and interests of staff and the social public, and stimulate the healthy and orderly development of internet news information services, on the basis of the “Cybersecurity Law of the People’s Republic of China” and the “Internet News Information Management Regulations”, these Rules are formulated.

Security Assessment and Management Regulations concerning New Technologies and New Applications in Internet News Information Services


Article 1: In order to standardize security assessment and management work concerning new technologies and new applications in Internet news information services, safeguard national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China”, and the “Internet News Information Service Management Regulations”, these Regulations are formulated.

Article 2: These Regulations apply to national, provincial, autonomous region and municipal Internet information offices’ organization and execution of security assessments of new technologies and new applications concerning Internet news information services.

What did Xi Jinping say about cyberspace?


Yesterday, Xi Jinping presented his political report to the 19th Party Congress – a 32000 word behemoth comprehensively covering all areas of economic, political and social life. The report announces a new era in China’s historical progress. In CCP theory, history is divided into stages, which are characterised by various contradictions that are subordinate manifestations of one fundamental contradiction. Once that contradiction is solved, history moves to the next phase. Xi now announced that the primary contradiction is no longer the one defined by Deng Xiaoping: the tension between China’s material poverty and the needs of its population. Instead, Xi claims the major problem that must now be solved is China’s imbalanced development. In other words, GDP growth at all costs is out, in favour of a more comprehensive approach to social and economic governance. Technology will obviously play a central role in this regard, as a governance tool and a potential economic growth pole, but also as a source of potential risk and disruption. The journal China Information Security very usefully listed the excerpts referring to cybersecurity and informatization, which are translated here:

I, The work from the past five years and historical changes

Public culture service levels have incessantly risen, literature and art creation continues to flourish, cultural undertakings and cultural industries thrive and develop, Internet construction, management and use has incessantly been perfected, and the entire people’s fitness and competitive sports levels have developed comprehensively.

III, The thought and basic orientation of Socialism with Chinese Characteristics for a New Era

(4) Persisting in new development ideas. […] Push forward the synchronized development of new kinds of industrialization, informatization, urbanization and agricultural modernization, actively participate in and promote the progress of economic globalization, develop an ever higher-level, open economy, and incessantly expand our country’s economic strength and comprehensive national strength.

(10) Persist in the overall view of national security. […] Comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, strengthen the construction of national security capabilities, and determinedly defend the country’s sovereignty, security and development interests.

V, Implement new development ideas, build modernized economic systems

(1) Deepen supply-side structural reform. […] Accelerate the development of advanced manufacturing sectors, promote the profound convergence of the Internet, big data, artificial intelligence and the real economy, foster new growth points and create new drivers in areas such as mid- and high-end consumption, innovative leadership, greenness and low-carbon, the sharing economy, modern supply chains, human capital services and other such areas. […] Strengthen the construction of basic infrastructure networks for irrigation, railways, roads, waterways, aviation, pipelines, the electricity grid, information, logistics, etc.

(2) Accelerate the construction of an innovative country. […] Strengthen the use of basic research, expand the implementation of national major science and technology programmes, give prominence to critical and common technologies, advanced forerunner technologies, modern engineering technologies, disruptive technology innovation, in order to provide powerful support for the construction of a strong science and technology country, a strong quality country, a strong aviation country, a strong cyber country, a strong transportation country, a strong digital country and a smart society.

VII, Persist in cultural self-confidence, promote the flourishing and ascendance of Socialist culture

(1) Firmly grasp leadership power in ideological work. […] Deepen Marxist theory research and construction, accelerate the construction of philosophy and social science with Chinese characteristics, and strengthen the construction of new types of think tanks with Chinese characteristics. Give high regard to construction and innovation in means of dissemination, and raise the communication power, guiding power, influence and credibility of news and public opinion. Strengthen the construction of Internet content, establish comprehensive network governance systems, and create a clear and crisp cyber space.

VIII, Raising, guaranteeing and improving people’s living standards, strengthening and innovating social governance

(1) Giving priority to development of education. […] Promote the integrated development of urban and rural compulsory education, give high regard to rural compulsory education, run preschool education, special education and online education well, universalize education at the higher secondary stage, and strive to let every child enjoy fair and high-quality education.

(7) Effectively safeguard national security. National security is an important cornerstone to bring peace and stability to the nation, and safeguarding national security is the locus of the fundamental interest of the people of all ethnicities in the entire country. We must perfect the national security strategy and national security policies, firmly safeguard national political security, and comprehensively advance security work in all areas. Complete national security systems, strengthen legal guarantees for national security, and raise capabilities to guard against and resist security risks. Closely guard against and resolutely attack all kinds of infiltration, subversive and destructive activities, violent and terrorist activities, ethnic separatist activities, and religious extremist activities. Strengthen national security education, strengthen the national security consciousness of the entire Party and the people in the entire country, and promote all of society to create and safeguard powerful pooled efforts for national security.

X, Firmly march the path of a strong military with Chinese characteristics, comprehensively move national defence and military modernization forward

Adapt to new global military changes and development trends and national security demands, raise construction quality and efficiency, ensure that mechanization is basically realized by 2020, that informatization construction sees major progress, and that strategic capabilities increase greatly.

The military must prepare to wage war, all work must target the norm of combat effectiveness, the focus must be on waging war and waging war victoriously. Firmly prepare for military struggles in all strategic orientations, comprehensively advance military struggle preparation in traditional security areas and new strategic areas, develop new kinds of battle forces and protection forces, launch combat-type military training, strengthen the use of military forces, accelerate the development of military smartification, raise joint warfare capabilities and all-area warfare capabilities based on online information systems, effectively mould situations, manage and control crises, contain war, and fight war victoriously.

XII, Persist in the path of peaceful development, promote the construction of a community of common destiny for humanity.

At the same time, the world faces prominent instabilities and indeterminacies, global economic growth drivers are insufficient, the difference between rich and poor grows graver daily, regional hotspots and problems rise one after another, terrorism, cybersecurity, major epidemics, climate change and other such non-traditional security threats continue to proliferate, humanity faces many common challenges.

XIII, Unwaveringly, comprehensively and strictly govern the Party, incessantly raise the Party’s governing ability and leadership levels.

Strengthen reform and innovation skills, maintain a tenacious and enterprising spiritual bearing, be good at integrating real creativeness in moving work forward, and be good at using Internet technologies and informatized means to carry out work.

Internet User Public Account Information Service Management Regulations


Article 1: These Regulations are formulated in order to standardize Internet user public account information services, safeguard national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China” and the “State Council Notice concerning Authorizing the Cyberspace Administration of China to Be Responsible for Internet Information Content Management Work”.

Article 2: These Regulations shall be observed when providing or using Internet user public accounts to engage in information dissemination services within the territory of the People’s Republic of China. 

Internet user public account information service providers as mentioned in these Regulations, refers to online platforms providing Internet user public account registration and use services. Internet user public account information service users as mentioned in these Regulations, refers to bodies or individuals using or operating Internet user public accounts to provide information dissemination services. 

Article 3: the Cyberspace Administration of China is responsible for Internet user public account information service supervision, management and law enforcement work nationwide, local Internet information offices are responsible for Internet user public account information service supervision, management and law enforcement work within their administrative areas, on the basis of their duties and responsibilities.

Article 4: Internet user public account information service providers and users shall uphold the correct orientation, carry forward the Socialist core value view, foster vigorous and healthy online culture, and maintain a benign online ecology.

All levels’ Party and government departments, enterprise and undertaking work units and people’s organizations are encouraged to register and use Internet user public accounts to disseminate government affairs information or public service information, serving economic and social development and satisfying the public’s information demand. 

Internet user public account information service providers shall cooperate with Party and government bodies, enterprise and undertaking work units and people’s organizations to enhance government information dissemination and public service levels, provide the necessary technical support and information security protection.

Article 5: Internet user public account information service providers shall bear dominant responsibility for information content security management, allocate specialist personnel and technical capabilities suited to the business scale, install general editors and other such positions responsible for information content security, establish and complete management structures for user registration, information examination and verification, emergency response, security protection, etc.

Internet user public account information service providers shall formulate and publish management norms and platform conventions, and conclude service agreements with users, clarifying both sides’ rights and interests.

Article 6: Internet user public account information service providers shall, according to the principle of “real name back stage, voluntary at the front of the stage”, conduct authentication of the real identity information of users, based on organization and body codes, identity card numbers, mobile telephone numbers, etc. Where users do not provide real identity information, no information dissemination services may be provided to them. 

Internet user public account information service providers shall establish a tiered credit management system for Internet user public account information service users, and provide corresponding services on the basis of credit tiers.

Article 7: Internet user public account information service providers shall check users’ account information, service qualifications, service scope and other such information, categorize them and add symbols, and file them with the local provincial, autonomous region or municipal Internet information office in a categorized manner. 

Internet user public account information service providers shall establish databases on the basis of users public account’s registration subjects, disseminated content, account subscription numbers, article reading numbers, etc., implement tiered and categorized management of Internet user public accounts, formulate concrete management rules and file them with the national or provincial, autonomous region and municipal Internet information offices. 

Internet user public account information service providers shall set a reasonable upper limit to the number of public accounts registered by the same subject on the same platform; where the same subject registers multiple accounts on the same platform, or a user operates multiple accounts in the form of a group, company or alliance, they shall be required to provide basic information on registration subjects, business scope, account list, etc., which will be filed with the local provincial, autonomous region or municipal Internet information office.

Article 8: Internet news information service providers who have lawfully obtained Internet news information gathering and dissemination qualifications may gather and disseminate news information through establishing a user public account.

Article 9: Internet user public account information service providers shall adopt the necessary measures to protect users’ personal information security, they may not leak, distort or damage it, and may not illegally sell or illegally provide it to other persons.

Internet user public account information service providers shall, after a user terminates service use, provide them with account cancellation services.

Article 10: Internet user public account information service users shall bear responsibility for the secure management of information dissemination and operations, observe laws, regulations and relevant State provisions on news information management, intellectual property protection, cybersecurity protection, etc., and safeguard the online communication order.

Article 11: Internet user public account information service users may not disseminate information content prohibited by laws, regulations and relevant State provisions through public accounts.

Internet user public account information service providers shall strengthen supervision and management of public accounts on their platforms, where they discover the dissemination or transmission of unlawful information, they shall immediately adopt deletion and other such measures to deal with it, prevent transmission and diffusion, preserve relevant records, and report the matter to the relevant competent authorities.

Article 12: Internet user public account information service providers launching online public account messages, posts, comments and other such interactive functions, shall conduct security assessments according to relevant regulations.

Internet user public account information service providers shall, according to the principle of tiered and categorized management, conduct supervision and management of user public account messages, posts, comments, etc., set up by users, provide management powers to users, and provide them with support to conduct management of interactive segments. 

Internet user public account information service users shall conduct real-time management of user public account messages, posts, comments and other such interactive segments. Where management is weak, and information content prohibited by laws, regulations and relevant State provisions emerges, Internet user public account information service providers shall, on the basis of the user agreement, limit or cancel messaging, posting, commenting and other such interactive functions.

Article 13: Internet user public account information service providers shall, according to the law and to agreements, adopt measures to deal with Internet user public accounts violating laws and regulations, service agreements or platform conventions, such as warning and rectification, limiting functions, suspending updates, account closure, etc., preserve relevant records and report the situation to the relevant competent department.

Internet user public account information service providers shall establish blacklist management systems, blacklist public accounts and registration subjects gravely violating laws or agreements, adopt measures such as account closure, prohibition of re-registration, etc. in view of the circumstances, preserve relevant records, and report the matter to the relevant competent department.

Article 14: Internet sectoral organizations are encouraged to guide and promote Internet user public account information service providers and users to formulate sectoral conventions, strengthen sectoral self-discipline, and bear social responsibility.

Internet sectoral organizations are encouraged to establish authoritative specialized mediation mechanisms with participation from multiple parties, to coordinate the resolution of sectoral disputes.

Article 15: Internet user public account information service providers and users shall accept supervision from the social public and sectoral organizations.

Internet user public account information service providers shall set up convenient reporting entry points, complete complaint and reporting channels, perfect mechanisms for screening malicious reports and for report acceptance and feedback, and deal with complaints and reports timely and fairly. National and local Internet information offices will, on the basis of their duties and responsibilities, conduct supervision and inspection of the acceptance and handling of reports.

Article 16: Internet user public account information service providers and users shall cooperate with relevant competent departments conducting supervision and inspection according to the law, and provide the necessary technical support and assistance.

Internet user public account information service providers shall record the content disseminated by Internet user public account information service users and the corresponding log information, and preserve these for no less than six months according to regulations.

Article 17: Where Internet user public account information service providers and users violate these Regulations, the relevant department will deal with the matter according to relevant laws and regulations.

Article 18: These Regulations will take effect on 8 October 2017.

Internet User Public Account Information Service Management Regulations

Article 1: In order to standardize Internet user public account information services, safeguard national security and the public interest, and protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China” and the “State Council Notice concerning Authorizing the Cyberspace Administration of China to take Responsibility for Internet Information Content Management Work”, these Regulations are formulated.

Article 2: Those providing or using Internet user public accounts to engage in information dissemination services within the territory of the People’s Republic of China shall abide by these Regulations.

Internet user public account information services as mentioned in these Regulations refers to services that disseminate text, images, audio, video and other such information to the social public through websites, applications and other such network platforms, in the form of registered user public accounts.

Internet user public account information service providers as mentioned in these Regulations refers to network platforms providing registration and use services for Internet user public accounts. Internet user public account information service users as mentioned in these Regulations refers to organizations or individuals that register, use or operate Internet user public accounts to provide information dissemination services.

Article 3: The Cyberspace Administration of China is responsible for the supervision, management and law enforcement work concerning Internet user public account information services nationwide; local Internet information offices are responsible, on the basis of their duties, for the supervision, management and law enforcement work concerning Internet user public account information services within their administrative areas.

Article 4: Internet user public account information service providers and users shall persist in the correct orientation, carry forward the Socialist core value system, foster a positive and healthy online culture, and safeguard a good online ecology.

Party and government organs, enterprises, public institutions and people’s organizations at all levels are encouraged to register and use Internet user public accounts to publish government affairs information or public service information, serve economic and social development, and satisfy the public’s information needs.

Internet user public account information service providers shall cooperate with Party and government organs, enterprises, public institutions and people’s organizations in raising the level of government affairs information publication and public services, and provide the necessary technical support and information security guarantees.

Article 5: Internet user public account information service providers shall implement their primary responsibility for information content security management, deploy specialist personnel and technical capabilities suited to the scale of their services, establish posts such as editor-in-chief for persons responsible for information content security, and establish and complete management systems for user registration, information review, emergency response, security protection, etc.

Internet user public account information service providers shall formulate and publish management rules and platform conventions, conclude service agreements with users, and clarify the rights and obligations of both sides.

Article 6: Internet user public account information service providers shall, according to the principle of “real names in the back end, voluntary in the front end”, conduct real identity information authentication of users based on organization codes, identity document numbers, mobile telephone numbers, etc. Where users do not provide real identity information, they may not be provided with information dissemination services.

Internet user public account information service providers shall establish a credit rating management system for Internet user public account information service users, and provide corresponding services according to credit rating.

Article 7: Internet user public account information service providers shall review users’ account information, service qualifications, service scope and other such information, add labels by category, and file them by category with the Internet information office of the province, autonomous region or municipality where they are located.

Internet user public account information service providers shall establish databases based on the registration subject, published content, number of subscribers, article readership, etc. of user public accounts, implement tiered and categorized management of Internet user public accounts, formulate specific management systems and file them with the national or provincial, autonomous region or municipal Internet information office.

Internet user public account information service providers shall set a reasonable upper limit on the number of public accounts the same subject may register on the same platform; where the same subject registers multiple accounts on the same platform, or users operate multiple accounts in the form of a group, company, alliance, etc., they shall be required to provide basic information such as the registration subject, business scope and list of accounts, which shall be filed with the Internet information office of the province, autonomous region or municipality where the provider is located.

Article 8: Internet news information service providers that have lawfully obtained qualifications for the gathering, editing and publishing of Internet news information may gather, edit and publish news information through the user public accounts they have opened.

Article 9: Internet user public account information service providers shall adopt the necessary measures to protect the security of users’ personal information, and may not leak, tamper with or damage it, or unlawfully sell or unlawfully provide it to others.

After users terminate their use of the service, Internet user public account information service providers shall provide them with account cancellation services.

Article 10: Internet user public account information service users shall fulfil their responsibility for the secure management of information dissemination and operations, observe laws, regulations and relevant State provisions on news information management, intellectual property protection, cybersecurity protection, etc., and safeguard the order of online communication.

Article 11: Internet user public account information service users may not publish information content prohibited by laws, regulations and relevant State provisions through public accounts.

Internet user public account information service providers shall strengthen monitoring and management of public accounts on their platform; where they discover the publication or transmission of unlawful information, they shall immediately adopt removal and other such handling measures, prevent its spread and diffusion, preserve relevant records, and report to the relevant competent departments.

Article 12: Internet user public account information service providers developing and launching message, post, comment and other such interactive functions for public accounts shall conduct security assessments according to relevant provisions.

Internet user public account information service providers shall, according to the principle of tiered and categorized management, supervise and manage the messages, posts, comments, etc. of user public accounts opened by users, provide users with management permissions, and support them in managing interactive segments.

Internet user public account information service users shall conduct real-time management of message, post, comment and other such interactive segments of user public accounts. Where management is inadequate and information content prohibited by laws, regulations and relevant State provisions appears, Internet user public account information service providers shall, on the basis of the user agreement, limit or cancel their message, post, comment and other such interactive functions.

Article 13: Internet user public account information service providers shall, according to the law and to agreements, adopt handling measures such as warning and rectification, limiting functions, suspending updates and closing accounts against Internet user public accounts that violate laws, regulations, service agreements or platform conventions, preserve relevant records, and report to the relevant competent departments.

Internet user public account information service providers shall establish blacklist management systems, enter public accounts and registration subjects with grave violations of law or agreements into the blacklist, adopt measures such as closing accounts and prohibiting re-registration in view of the circumstances, preserve relevant records, and report to the relevant competent departments.

Article 14: Internet sectoral organizations are encouraged to guide and promote Internet user public account information service providers and users in formulating sectoral conventions, strengthening sectoral self-discipline and fulfilling social responsibility.

Internet sectoral organizations are encouraged to establish authoritative, specialized mediation mechanisms with multi-party participation, to coordinate the resolution of sectoral disputes.

Article 15: Internet user public account information service providers and users shall accept supervision by the social public and sectoral organizations.

Internet user public account information service providers shall set up convenient reporting entry points, complete complaint and reporting channels, perfect mechanisms for screening malicious reports and for accepting and giving feedback on reports, and handle complaints and reports timely and fairly. The national and local Internet information offices shall, on the basis of their duties, supervise and inspect the implementation of report acceptance.

Article 16: Internet user public account information service providers and users shall cooperate with supervision and inspections lawfully conducted by the relevant competent departments, and provide the necessary technical support and assistance.

Internet user public account information service providers shall record the content published by Internet user public account information service users and the corresponding log information, and retain them for no less than six months according to provisions.

Article 17: Where Internet user public account information service providers and users violate these Regulations, the relevant departments shall deal with the matter according to relevant laws and regulations.

Article 18: These Regulations take effect on 8 October 2017.

Provisions on the Management of Internet Forum Community Services


This translation was completed by ChinaLawTranslate, and is republished here with kind permission

Article 1: These Provisions are formulated on the basis of the “Cybersecurity Law of the P.R.C.” and the “State Council’s Notification of Authorization of the State Internet Information Office to be Responsible for Internet Information Content Management Efforts”, so as to standardize Internet forum community services, stimulate the healthy and orderly development of Internet forum community services, protect the lawful rights and interests of citizens, legal persons, and other organizations, and safeguard national security and the public interest.

Internet Domain Name Management Rules


Ministry of Industry and Information Technology Decree

No. 43

The “Internet Domain Name Management Rules” were deliberated and passed at the 32nd Ministerial meeting of the Ministry of Industry and Information Technology on 16 August 2017, are hereby promulgated, and take effect on 1 November 2017. The “Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated by the then-Ministry of Information Industry on 5 November 2004 are abolished at the same time.

Minister Miao Wei

24 August 2017

Internet Domain Name Management Rules

Chapter I: General Provisions

Article 1: These Rules are formulated in order to standardize domain name services, protect users’ lawful rights and interests, ensure the secure and reliable operation of the Internet domain name system, promote the development and application of Mandarin-language domain names and national top-level domain names, and stimulate the healthy development of the Chinese Internet, on the basis of regulations such as the “Administrative Licensing Law of the People’s Republic of China”, the “State Council Decision on Determining Administrative Licences and Administrative Examination and Approval Programmes that Need to Be Maintained”, etc., and with reference to international Internet domain name management norms.

Article 2: These Rules shall be followed when engaging in Internet domain name services and their related activities such as operational maintenance, supervision and management within the territory of the People’s Republic of China.

Internet domain name services as mentioned in these Rules (hereafter simply named domain name services) refers to engaging in activities such as domain name root server operation and maintenance, top-level domain name operation and management, domain name registration, domain name resolution, etc.

Article 3: The Ministry of Industry and Information Technology implements supervision and management over domain name services nationwide, its main duties and responsibilities are:

(1) Formulating Internet domain name management rules and policies;

(2) Formulating development plans for the Internet domain name system and domain name resources;

(3) Managing domestic domain name root server operating bodies and domain name registration management bodies;

(4) Being responsible for the network and information security management of domain name systems;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Being responsible for domain name-related international coordination;

(7) Managing domestic domain name resolution services;

(8) Managing other domain name service-related activities.

Article 4: All provincial, autonomous region and municipal telecommunications management bureaus implement supervision and management over domain name services within their administrative areas, their main duties and responsibilities are:

(1) Implementing and enforcing domain name management laws, administrative regulations, rules and policies;

(2) Managing domain name registration service bodies within their administrative areas;

(3) Assisting the Ministry of Industry and Information Technology in conducting management of domain name root server operating bodies and domain name registration management bodies within their administrative areas;

(4) Being responsible for the network and information security of domain name systems within their administrative areas;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Managing domain name resolution services within their administrative areas;

(7) Managing other domain name service-related activities within their administrative areas.

Article 5: The Chinese Internet domain name system is announced by the Ministry of Industry and Information Technology. On the basis of the actual circumstances of domain name development, the Ministry of Industry and Information Technology may adjust the Chinese Internet domain name system.

Article 6: “.cn” and “.中国” are China’s national top-level domain names.

Mandarin-language domain names are an important component part of the Chinese Internet domain name system. The State encourages and supports technological research and broad application of Mandarin-language domain names.

Article 7: Those providing domain name services shall abide by relevant State laws and regulations, and conform with relevant technological norms and standards.

Article 8: No organization or individual may impede the secure and stable operation of the Internet domain name system.

Chapter II: Domain name management

Article 9: Those establishing domain name root servers and domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies within the borders, shall obtain corresponding licenses on the basis of these Rules from the Ministry of Industry and Information Technology or provincial, autonomous region and municipal telecommunications management bureau (hereafter generally designated as telecommunication management bodies).

Article 10: Those applying to establish domain name root servers and domain name root server operating bodies, shall meet the following conditions:

(1) Setting up the domain name root server within the borders, and conforming to Internet development-related plans and secure and stable operating requirements for the domain name system;

(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record;

(3) Having premises, funding, environments, specialist personnel and technical capabilities to ensure the secure and reliable operation of the domain name root server, as well as information management systems conforming to telecommunications management bodies’ requirements;

(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(5) Having the capacity to protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(6) Other conditions provided in laws or administrative regulations.

Article 11: Those applying to establish a domain name registration management body shall meet the following conditions:

(1) Establishing the domain name management system inside the borders, and holding top-level domain names in conformity with related laws and regulations as well as requirements for the secure and stable operation of domain name systems;

(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record; 

(3) Having a perfected business development plan and technical plan, as well as the premises, funding and specialist personnel corresponding to engaging in top-level domain name operations and management, as well as information management systems conforming to telecommunications management bodies’ requirements;

(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(5) Having the capacity to conduct real identity information verification and protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(6) Having complete domain name registration service management structures and supervision mechanisms over domain name registration service bodies;

(7) Other conditions as provided in laws and administrative regulations.

Article 12: Those applying to establish a domain name registration service body shall meet the following conditions:

(1) Establishing the domain name registration service system, registration database and corresponding domain name resolution systems within the borders;

(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record; 

(3) Having the premises, funding and specialist personnel corresponding to engaging in domain name registration, as well as information management systems conforming to telecommunications management bodies’ requirements;

(4) Having the capacity to conduct real identity information verification and protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(5) Having complete domain name registration service management structures and supervision mechanisms over domain name registration agents;

(6) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(7) Other conditions provided in laws and administrative regulations.

Article 13: Those applying to establish a domain name root server or root server operating body, or a domain name registration management body, shall submit application materials to the Ministry of Industry and Information Technology. Those applying to establish a domain name registration service body, shall submit application materials to the local provincial, autonomous region and municipal telecommunications management bureau.

The application materials shall include:

(1) The applicant work unit’s basic situation as well as a commitment letter signed by its legal representative to do business sincerely and according to the law;

(2) Materials proving the implementation of effective management of domain name services, including materials proving relevant systems, premises and service capabilities, management rules, agreements signed with other bodies, etc.;

(3) Network and information security protection structures and measures;

(4) Materials proving the applicant work unit’s reputation.

Article 14: Where application materials are complete and conform to statutory forms, telecommunication management bodies shall issue an application acceptance notification letter to the applicant work unit; where application materials are not complete or do not conform to statutory forms, telecommunication management bodies shall notify the applicant work unit on the spot or once in writing within five working days about the complete content they need to supplement; where it is not accepted, they shall issue a non-acceptance notification letter and explain the reasons. 

Article 15: Telecommunication management bodies shall complete inspection within twenty working days from the date of acceptance, and make a decision on granting a licence or not granting a licence. Where a decision cannot be made within twenty working days, with the approval of the responsible person of the telecommunication management body, an extension of ten working days is permitted, and the applicant work unit will be notified about the reasons for the extended time limit. Where it is necessary to organize expert appraisal, the appraisal time is not counted into the inspection period.

Where a licence is granted, corresponding licence documents shall be issued; where a licence is not granted, the applicant work unit shall be notified in writing and the reasons explained.

Article 16: Licences of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies are valid for a period of five years.

Article 17: Where a change occurs in the name, address, legal representative or other such information of domain name root server operating bodies, domain name registration management bodies or domain name registration service bodies, they shall conduct modification formalities within twenty working days from the day the change occurs with the original licence-issuing body.

Article 18: Where, within a licence’s period of validity, a domain name root server operating body, domain name registration management body, or domain name registration service body plans to terminate corresponding services, they shall notify users in writing thirty days in advance, put forward feasible plans to deal with the aftermath, and submit a written application to the original licence-issuing body.

After the original licence-issuing body receives the application, it shall publish it to society for thirty days. Within sixty days after the publication period concludes, the original licence-issuing body shall complete its inspection and make a decision.

Article 19: Where it is required to continue engaging in domain name services when a licence’s period of validity expires, an extension shall be applied for with the original licence-issuing body ninety days in advance; where it is not required to continue engaging in domain name services, the original licence-issuing body shall be notified ninety days in advance, and aftermath work conducted.

Article 20: Where a domain name registration service body entrusts a domain name registration agency body to conduct market sales and other such work, it shall conduct supervision and management of the domain name registration agency body’s work.

Domain name registration agency bodies entrusted with conducting market sales and other such work shall, in that process, actively indicate the agency relationship, and explicitly clarify the domain name registration service body’s name and the agency relationship in the domain name registration service contract.

Article 21: Domain name registration management bodies and domain name registration service bodies shall establish corresponding emergency response back-up systems within the borders and regularly back up domain name registration data.

Article 22: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall indicate information related to their licence in a clear location on the front page of their website and their business premises. Domain name registration management bodies shall also show a list of domain name registration service bodies with which they cooperate.

Domain name registration agency bodies shall indicate the name of the domain name registration service body for which they are agents in a clear location on the front page of their website and their business premises. 

Chapter III: Domain name services

Article 23: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall provide secure, convenient and stable services to users.

Article 24: Domain name registration management bodies shall, on the basis of these Rules, formulate domain name registration implementation rules and publish them to society.

Article 25: Domain name registration management bodies shall conduct domain name registration services through domain name registration service bodies licenced by telecommunication management bodies.

Domain name registration service bodies shall provide services according to the domain name registration service items licenced by telecommunication management bodies; they may not provide domain name registration services for domain name registration management bodies that do not have a telecommunication management body licence.

Article 26: “First application, first registration” is implemented for domain name registration services in principle, where related domain name registration implementation rules provide otherwise, those provisions are followed.

Article 27: In order to uphold the national interest and the social public interest, domain name registration management bodies shall establish reserved domain name registration word systems.

Article 28: Domain names registered and used by any organization or individual may not contain the following content:

(1) Content violating the basic principles determined in the Constitution;

(2) Content harming national security, divulging State secrets, subverting the national regime, or destroying national unity;

(3) Content harming the country’s honour and interest;

(4) Content inciting ethnic hatred or ethnic discrimination, or destroying ethnic unity;

(5) Content destroying State religious policies, propagating heresy and feudal superstition;

(6) Content disseminating rumours, upsetting social order, or destroying social stability;

(7) Content disseminating obscenity, sex, gambling, violence, homicide or terror, or inciting crime;

(8) Content insulting or slandering other persons, or harming other persons’ lawful rights and interests.

(9) Other content prohibited by laws and administrative regulations.

Domain name registration management bodies and domain name registration service bodies may not provide services to domain names containing content listed in the previous Paragraph.

Article 29: Domain name registration service bodies may not use fraudulent, coercive or other such improper means to require other persons to register domain names. 

Article 30: Domain name registration service bodies providing domain name registration services shall require domain name registration applicants to provide domain name holders’ real, accurate and complete identity information and other such domain name registration information.

Domain name registration management bodies and domain name registration service bodies shall check the veracity and completeness of domain name registration information.

Where domain name registration applicants provide inaccurate or incomplete domain name registration information, domain name registration service bodies shall require correction. Where applicants do not correct the matter or provide untrue domain name registration information, domain name registration service bodies may not provide domain name registration services to them.

Article 31: Domain name registration service bodies shall publish domain name registration service content, time limits and fees, to ensure service quality, and provide public inquiry services of domain name registration information.

Article 32: Domain name registration management bodies and domain name registration service bodies shall store and protect users’ personal information according to the law. Without user agreement, users’ personal information may not be provided to other persons, except where laws and regulations provide otherwise.

Article 33: Where a change occurs in domain name holders’ contact method and other such information, they shall conduct domain name registration information modification formalities within thirty days after the change with the domain name registration service body.

Where domain name holders transfer domain names to other persons, the assignee shall abide by domain name registration-related requirements. 

Article 34: Domain name holders have the right to choose or change domain name registration service bodies. Where a domain name registration service body is changed, the original domain name registration service body shall cooperate with the domain name holder to transfer their domain name registration-related information. 

Without proper reason, domain name registration service bodies may not impede domain name holders’ changing domain name registration service bodies.

Article 35: Domain name registration management bodies and domain name registration service bodies shall establish complaints acceptance mechanisms, and publish complaints acceptance methods in a clear location on the front page of their website and their business premises.

Domain name registration management bodies and domain name registration service bodies shall handle complaints timely; where they cannot be handled timely, the reasons and handling period shall be explained.

Article 36: Those providing domain name resolution services shall observe relevant laws, regulations and standards, possess corresponding technical, service and network and information security protection capabilities, implement network and information security protection measures, record and preserve domain name resolution logs, maintenance logs and change records according to the law, and guarantee resolution service quality and resolution system security. Where commercial telecommunications business is involved, a telecommunications business licence shall be obtained according to the law.

Article 37: In the provision of domain name resolution services, it is prohibited to alter resolution information without authorization. 

No organization or individual may maliciously direct domain name resolution towards other persons’ IP addresses.

Article 38: In the provision of domain name resolution services, it is prohibited to provide domain name aliasing for domain name with content listed in Article 28 Paragraph I of these Rules.

Article 39: Of those engaging in Internet information services, the domain names they use shall conform to laws, regulations and the relevant requirements of telecommunication management bodies, and may not use domain names to conduct unlawful acts.

Article 40: Domain name registration management bodies and domain name registration service bodies shall cooperate with relevant State departments conducting inspection work according to the law, and adopt measures such as cessation of resolution, etc. against domain names where unlawful acts occur according to telecommunication management bodies’ requirements.

Where domain name registration management bodies and domain name registration service bodies discover the domain names to which they provide services publish or transmit information of which the publication or transmission is prohibited by laws and administrative regulations, they shall immediately adopt measures in response, such as deletion, cessation of resolution, etc., prevent the spread of the information, preserve relevant records, and notify the matter to relevant departments.

Article 41: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall abide by relevant State laws, regulations and standards, implement network and information security protection measures, deploy the necessary network and telecommunications emergency response equipment, and establish and complete technical network and information security monitoring methods and emergency response structures. When a network or information security incident occurs in a domain name system, it shall be reported to the telecommunication management body within 24 hours.

When required for national security and to deal with emergencies or incidents, domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall submit to the uniform commands and coordination of telecommunication management bodies, and abide by telecommunication management bodies’ management requirements. 

Article 42: Where any organization or individual believes that a domain name registered or used by another person harms their lawful rights and interests, they may apply for mediation with a domain name dispute settlement body or file a lawsuit with a People’s Court according to the law.

Article 43: Where one of the following circumstances is present with a registered domain name, the domain name registration service body shall cancel it, and notify the domain name holder:

(1) The domain name holder applies for domain name cancellation;

(2) Domain name holders submitted false domain name registration information;

(3) It shall be cancelled on the basis of a People’s Court judgment or a domain name dispute settlement body ruling;

(4) Other circumstances where laws and administrative regulations provide for cancellation. 

Chapter IV: Supervision and inspection

Article 44: Telecommunication management bodies shall strengthen supervision and inspection of domain name services. Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall accept and cooperate with supervision and inspection by telecommunication management bodies.

Domain name service sectoral self-discipline and management is encouraged, public supervision of domain name services is encouraged.

Article 45: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall, according to telecommunication management bodies’ requirements, regularly report business development situations, operations security situations, network and information security responsibility situation, the complaints and dispute handling situation and other such information.

Article 46: When telecommunication management bodies carry out supervision and inspection, they shall examine the materials submitted by domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and inspect their implementation of laws, regulations and the relevant provisions of telecommunication management bodies.

Telecommunication management bodies may entrust specialized third-party bodies to conduct relevant supervision and inspection activities.

Article 47: Telecommunication management bodies shall establish credit-recording structures for domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and enter their violations of these Rules and the administrative punishment they receive into the credit file.

Article 48: Telecommunication management bodies conducting supervision and inspection may not impede the regular commercial and service activities of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies; they may not collect any fees, and may not leak the domain name registration information they learn.

Chapter V: Punitive provisions

Article 49: Where, in violation of the provisions of Article 9 of these Rules, a domain name root server or domain name root server operating body, domain name registration management body or domain name registration service body is established without a licence or authorization, telecommunication management bodies shall, on the basis of the provisions of Article 81 of the “Administrative Licensing Law of the People’s Republic of China”, adopt measures to stop the matter, and in view of the gravity of circumstances, issue a warning or impose a fine of 10.000 Yuan or more but less than 30.000 Yuan.

Article 50: Where, in violation of the provisions of these Rules, a domain name registration management body or domain name registration service body commits one of the following acts, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, and in view of the gravity of circumstances, impose a fine of 10.000 Yuan or more but less than 30.000 Yuan, and publish the matter to society:

(1) Providing domain name registration services to unlicensed domain name registration management bodies, or conducting domain name registration services through unlicensed domain name registration service bodies;

(2) Not providing services according to the licensed domain name registration service items;

(3) Not checking the veracity and completeness of domain name registration information;

(4) Obstructing domain name holders from changing domain name registration service bodies without proper reason.

Article 51: Where, in violation of the provisions of these Rules, domain name resolution services are provided and one of the following acts is committed, the telecommunication management body will order correction within a limited time, and may, in view of the gravity of circumstances, impose a fine of 10.000 Yuan or more but less than 30.000 Yuan, and publish the matter to society:

(1) Altering domain name resolution information without authorization, or maliciously directing domain name resolution towards other persons’ IP addresses;

(2) Providing domain name aliasing for domain names containing content listed in Article 28 Paragraph I of these Rules;

(3) Not implementing network and information security protection measures;

(4) Not recording and preserving domain name resolution logs, maintenance logs and modification records according to the law;

(5) Not handling domain names involved in unlawful conduct according to requirements.

Article 52: Where the provisions of Article 17, Article 18 Paragraph I, Article 21, Article 22, Article 28 Paragraph II, Article 29, Article 31, Article 32, Article 35 Paragraph I, Article 40 Paragraph II or Article 41 of these Rules are violated, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, may additionally impose a fine of 10.000 Yuan or more but less than 30.000 Yuan, and publish the matter to society.

Article 53: Where laws or administrative regulations provide otherwise on relevant unlawful conduct, the provisions of those laws and administrative regulations are implemented. 

Article 54: Where any organization or individual registers or uses domain names in violation of the provisions of Article 28 Paragraph I of these Rules, constituting a crime, criminal liability will be prosecuted according to the law; where the matter does not constitute a crime, relevant departments will punish the matter according to the law.

Chapter VI: Supplementary provisions

Article 55: The meaning of the following terms in these Rules is:

(1) Domain name: refers to a hierarchically structured character indication to identify and locate a computer on the Internet, corresponding with that computer’s IP address.

(2) Mandarin-language domain name: refers to a domain name using Mandarin characters.

(3) Top-level domain name: refers to the name of the first-level domain below the root node of the domain name system.

(4) Domain name root server: refers to a server undertaking the root node function of the domain name system (including mirror servers).

(5) Domain name root server operating body: refers to a body that lawfully obtained a licence and undertakes domain name root server operations, maintenance and management work.

(6) Domain name registration management body: refers to a body that lawfully obtained a licence and undertakes top-level domain name operations and management work. 

(7) Domain name registration service body: refers to a body that lawfully obtained a licence, accepts domain name registration applications and completes the registration of a domain name in the top-level domain name database.

(8) Domain name registration agency body: refers to a body that is entrusted by domain name registration service bodies to accept domain name registration applications, and indirectly complete domain name registration in the top-level domain name database.

(9) Domain name management system: refers to the main information system required by domain name registration management bodies to conduct top-level domain name operations and management work within the borders, and includes registration management systems, registration databases, domain name resolution systems, domain name information inquiry systems, identity information inspection systems, etc.

(10) Domain name aliasing: refers to redirecting a visit to one domain name to another domain name, IP address or online information service that is bound to or pointed to by that domain name.

Article 56: The time periods provided in these Rules, except where working days are determined, are all natural days.

Article 57: Those conducting domain name services without having obtained the corresponding licence before these Rules took effect shall complete licensing formalities according to the provisions of these Rules within 12 months from the date these Rules take effect.

For domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies that already obtained a licence before these Rules took effect, the provisions of Article 16 of these Rules apply to the period of validity of their licence, and the period of validity is computed from the day these Rules take effect.

Article 58: These Rules take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated on 5 November 2004 are abolished at the same time. Where inconsistencies exist between these Rules and relevant provisions promulgated before these Rules took effect, these Rules shall be implemented.

Decree of the Ministry of Industry and Information Technology of the People’s Republic of China

No. 43

The “Internet Domain Name Management Rules” were deliberated and passed at the 32nd ministerial affairs meeting of the Ministry of Industry and Information Technology on 16 August 2017, are hereby promulgated, and take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules” promulgated by the then-Ministry of Information Industry on 5 November 2004 (then-Ministry of Information Industry Decree No. 30) are abolished at the same time.

Minister Miao Wei

24 August 2017


Public Internet Cybersecurity Threat Monitoring and Mitigation Measures


This translation was kindly provided by John Costello

Ministry of Industry and Information Technology Network [2017] No. 202

Provincial, autonomous region, and municipal communications authorities, China Telecom Group Corporation, China Mobile Communications Corporation, China Unicom Group Corporation, China National Computer Emergency Technical Team/Coordination Center of China (CNCERT), China Information Communications Research Institute, National Industrial Information Security Development Research Center, China Internet Association, domain name registration management and service organs, internet companies, and cybersecurity enterprises:

In order to deepen the implementation of the spirit of General Secretary Xi Jinping’s important speeches on cybersecurity, actively respond to the dire and complex cybersecurity situation, promote the establishment of a robust public Internet cybersecurity threat monitoring and mitigation mechanism, and safeguard the lawful rights and interests of citizens, legal persons and other organizations, the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures” have been formulated in accordance with the “Cybersecurity Law of the People’s Republic of China” and other relevant laws and regulations. They are hereby issued to you; please realistically and effectively implement and carry them out.

Ministry of Industry and Information Technology

A Next Generation Artificial Intelligence Development Plan


This document was translated jointly by Graham Webster, Paul Triolo, Elsa Kania, and Rogier Creemers. John Costello assisted with helpful comments. An analysis of this document can be found on the New America website.

State Council Notice on the Issuance of the Next Generation Artificial Intelligence Development Plan

Completed: July 8, 2017

Released: July 20, 2017


A Next Generation Artificial Intelligence Development Plan


The rapid development of artificial intelligence (AI) will profoundly change human society and life and change the world. To seize the major strategic opportunity for the development of AI, to build China’s first-mover advantage in the development of AI, to accelerate the construction of an innovative nation and global power in science and technology, in accordance with the requirements of the CCP Central Committee and the State Council, this plan has been formulated.

I.  The Strategic Situation


Critical Information Infrastructure Security Protection Regulations


This document was translated jointly by Graham Webster, Paul Triolo and Rogier Creemers

CAC Notice concerning the Public Solicitation of Opinions on the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”

http://www.cac.gov.cn/2017-07/11/m_1121294220.htm

In order to guarantee the security of critical information infrastructure, based on the “Cybersecurity Law of the People’s Republic of China”, our Administration, jointly with relevant departments, has drafted the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”, which is now made public for open solicitation of opinions. Relevant work units and individuals from all circles may, before 10 August, put forward opinions through the following ways:

1, Sending opinions in a letter form to: Beijing Xicheng Chegongzhuang Avenue 11, CAC Cybersecurity Coordination Bureau, Post Code 100044, and clearly indicate “opinion solicitation” on the envelope

2, Sending an e-mail to: security@cac.gov.cn.

CAC

10 July 2017

Critical Information Infrastructure Security Protection Regulations

(Opinion-seeking draft)

Chapter 1: General principles

Implementing Rules for the Management of Internet News Information Service Licences


Article 1: In order to further raise the standardization and scientization levels of Internet news information service licence management, and stimulate the healthy and orderly development of Internet news information services, on the basis of the “Administrative Licensing Law of the People’s Republic of China” and the “Internet News Information Service Management Regulations” (hereafter simply named “Regulations”), these Implementing Rules are formulated.

Article 2: These Implementing Rules apply to national and provincial, autonomous region and municipal Internet information offices’ implementation of Internet news information service licensing.

National Intelligence Law of the People’s Republic of China (Draft)


Chapter I: General Provisions

Article 1: In order to strengthen and guarantee national intelligence work, and safeguard national security and interests, on the basis of the Constitution, this Law is formulated.

Article 2: National intelligence work shall persist in an overall national security view, provide intelligence reference for major national policy decisions, provide intelligence support for preventing and dissolving risks endangering national security, and safeguard the national regime, sovereignty, unity, independence and territorial integrity, the prosperity of the people, economic and social sustainable development and other major national interests.

Interim Security Review Measures for Network Products and Services


This translation was kindly provided by Paul Triolo

Article 1 These Measures are developed with a view to enhancing the secure and controllable levels of network products and services, guarding against cyber security risks, and safeguarding the national security, and in accordance with the laws and regulations such as National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China.

Article 2 Important network products and services procured for use in networks and information systems that touch on national security are subject to a cybersecurity review.

Article 3 A cybersecurity review shall be conducted for network products and services and their supply chains, in a manner that combines enterprise commitments with public supervision, combines third-party assessments with government continuous regulation, and combines laboratory testing with on-site checks, on-line monitoring and background investigations.

Internet News Information Service Management Regulations


Chapter I: General Provisions

Article 1: In order to strengthen Internet information content management and stimulate the healthy and orderly development of Internet news information services, on the basis of the “Cybersecurity Law of the People’s Republic of China”, the “Internet Information Service Management Rules”, and the “State Council Notice concerning Authorizing the State Internet Information Office to Take Responsibility of Internet Information Content Management Work”, these Regulations are formulated.


Regulations for Internet Content Management Administration Law Enforcement Procedures


This translation was kindly provided by John Costello

State Internet Information Office

Decree No. 2

The “Regulations for Internet Content Management Administration Law Enforcement Procedures”, approved at a meeting of the State Internet Information Office, are hereby announced, and take effect from June 1, 2017 onward.

Director Xu Lin

May 2, 2017

Regulations for Internet Content Management Administration Law Enforcement Procedures

Encryption Law of the People’s Republic of China (Opinion-seeking Draft)


This translation was created jointly with Paul Triolo and John Costello

Table of contents

Chapter I: General principles

Chapter II: The use of encryption

Chapter III: Encryption security

Chapter IV: Stimulating the development of encryption

Chapter V: Supervision and management

Chapter VI: Legal liability

Chapter VII: Supplementary provisions

Chapter I: General principles


Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions)


This translation was kindly provided by Paul Triolo

To safeguard personal information and important data security, safeguard cyberspace sovereignty, national security and social and public interests, and promote the orderly and free flow of network information according to the law, our office, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law and other laws and regulations, has worked with relevant departments to draft the “Personal Information and Important Data Outbound Security Assessment Measures (draft)”, which is now open to the public for comments.

Relevant units and people of all walks of life may submit their views by May 11, 2017, in the following manner:

First, by letter: send opinions to Beijing Dongcheng District Chaoyang Gate Street 225, the State Internet Information Office Cybersecurity Coordination Bureau, Zip code: 100010, and mark “comments” on the envelope.

Second, by e-mail to: security@cac.gov.cn.

State Internet Information Office

April 11, 2017

Annex

Personal Information and Important Data Outbound Security Assessment Measures (draft)

Article 1 These Measures have been drafted in order to protect the security of personal information and important data, safeguard cyberspace sovereignty and national security, and social and public interests, while protecting the legitimate interests of citizens, legal persons and other organizations, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations.

Article 2 The personal information and important data collected and generated by network operators within the People’s Republic of China during operations shall be stored within the [national] territory. If the business requirements make it necessary to provide data outside of China, a security assessment shall be carried out in accordance with these Measures.

Article 3 The security assessment for outbound data shall follow the principle of impartiality, objectivity and validity, protect the security of personal information and important data, and promote the orderly and free flow of network information according to law.

Article 4 Where personal information leaves China’s borders, the purpose, scope, content, recipient and the country or region of the recipient shall be explained to the subject of the personal information, and the subject’s consent obtained. Minors’ personal information is subject to the consent of their guardian.

Article 5 State cybersecurity and informatization departments shall coordinate outbound data security assessment work and guide industry regulatory or supervisory departments in organizing outbound data security assessments.

Article 6 Industry regulatory or supervisory departments shall be responsible for the security assessment of the industry outbound data and shall regularly organize the inspection of the specific industry outbound data.

Article 7 Network operators shall, before data leaves China’s borders, on their own initiative organize the conduct of a security assessment for outbound data and be responsible for the evaluation results.

Article 8 The outbound data security assessment shall focus on the following:

(A) the necessity of outbound data;

(B) the conditions touching on personal information, including the amount, scope, type, and sensitivity, and whether or not the subject of the personal information agrees that his/her personal information can leave China’s borders;

(C) the conditions touching on important data, including the amount, scope, type and sensitivity level of important data;

(D) the security protection measures and capability level of the data receiving party, and the cybersecurity environment in the country and region;

(E) risks such as disclosure, damage, tampering and abuse after the data leaves China’s borders and after re-transfer;

(F) the risks that may be brought to national security, social and public interests, and personal legitimate interests arising from the data leaving China’s borders and outbound data collection;

(G) other important matters that need to be assessed.

Article 9 Where outbound data falls under one of the following circumstances, network operators should report to the industry regulatory or supervisory departments to organize a security assessment:

(A) the [data set] contains or has accumulated personal information of more than 500,000 people;

(B) the amount of data is over 1000 GB;

(C) the data includes sector data on nuclear facilities, chemical and biological facilities, the national defense industry, or population health, large-scale engineering activities, the marine environment, and sensitive geographic information data;

(D) the data includes cybersecurity information including system vulnerabilities and security protection for critical information infrastructure;

(E) personal information and important data provided by critical information infrastructure operators to [parties] outside China;

(F) other data that could affect national security and social and public interests that industry regulators or supervisory departments consider should be assessed.

For areas where there is no clear industry regulatory or supervisory department, an assessment shall be organized by national cybersecurity and informatization departments.

Article 10 The security assessment organized by industry regulatory or supervisory departments shall be completed within 60 working days, and feedback on the security assessment shall be provided to the network operator in a timely manner and reported to the national cybersecurity and informatization departments.

Article 11 In any of the following circumstances, data shall not be allowed to leave the country:

(A) personal information leaving China’s borders without the consent of the subject of the personal information, or that may be against the interests of the individual;

(B) there is a risk that the data leaving China’s borders could impact national politics, the economy, S&T, and national defense, and could affect national security and harm social and public interests;

(C) other data that national cybersecurity and informatization departments, public security departments, state security departments, and other relevant departments deem cannot leave China.

Article 12 Network operators should, according to business development and the network operation situation, conduct a security assessment of outbound data at least once a year, and report the assessment situation to industry regulatory or supervisory departments in a timely manner.

When the data receiver changes, or there is a relatively large change in the destination, scope, quantity, type of data, etc., or a major security incident occurs with the data receiver or outbound data, a new security assessment should be conducted.

Article 13 Any individual or organization shall have the right to report to the relevant cybersecurity and informatization departments, public security department, and other relevant departments any violations of relevant laws and regulations and these Measures in terms of providing data outside of China’s borders.

Article 14 Whoever violates the provisions of these Measures shall be punished in accordance with the relevant laws and regulations.

Article 15 Agreements between the Chinese government and other countries and regions on outbound data shall be carried out in accordance with the provisions of the agreement.

Data involving state secret information shall be handled in accordance with the relevant provisions.

Article 16 Security assessment work for the personal information and important data sent outside China’s borders that was collected and produced by other individuals and organizations within the territory of the People’s Republic of China shall be carried out in accordance with the present Measures.

Article 17 The definitions for the following terms used in the present Measures:

A network operator is a network owner, a network manager or a network service provider.

Outbound data refers to personal information and important data collected and generated by network operators during operations within the territory of the People’s Republic of China, and provided to overseas institutions, organizations or individuals.

Personal information refers to various types of information recorded by electronic or other means capable of identifying a person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, identity document number, personal biometric information, telephone number and so on. Important data refers to data that is closely related to national security, economic development, and social and public interests, with specific reference to national relevant standards and important data identification guidelines.

Article 18 These Measures shall come into force on [month] [day] 2017.

Office of the Central Cybersecurity and Informatization Leading Small Group

(Cyberspace Administration of China)

Cybersecurity Coordination Bureau

Notice of the Cyberspace Administration of China on the Public Solicitation of Comments on the "Measures for Security Assessment of the Outbound Transfer of Personal Information and Important Data (Draft for Solicitation of Comments)"

In order to safeguard the security of personal information and important data, preserve cyberspace sovereignty, national security and the social public interest, and promote the lawful, orderly and free flow of network information, this Office, together with relevant departments, has drafted the "Measures for Security Assessment of the Outbound Transfer of Personal Information and Important Data (Draft for Solicitation of Comments)" on the basis of the "National Security Law of the People's Republic of China", the "Cybersecurity Law of the People's Republic of China" and other laws and regulations, and now releases it for public comment. Relevant work units and persons from all walks of life may submit comments before 11 May 2017 through the following channels:

1. By post, addressed to: Cybersecurity Coordination Bureau, Cyberspace Administration of China, No. 225 Chaoyangmennei Street, Dongcheng District, Beijing, postcode 100010, with "Solicitation of Comments" marked on the envelope.

2. By e-mail, to: security@cac.gov.cn.

Attachment: Measures for Security Assessment of the Outbound Transfer of Personal Information and Important Data (Draft for Solicitation of Comments)

Cyberspace Administration of China

11 April 2017

Attachment

Measures for Security Assessment of the Outbound Transfer of Personal Information and Important Data

(Draft for Solicitation of Comments)

Article 1 In order to safeguard the security of personal information and important data, preserve cyberspace sovereignty, national security and the social public interest, and protect the lawful interests of citizens, legal persons and other organizations, these Measures are formulated on the basis of the "National Security Law of the People's Republic of China", the "Cybersecurity Law of the People's Republic of China" and other laws and regulations.

Article 2 Personal information and important data collected and generated by network operators in the course of operations within the territory of the People's Republic of China shall be stored within the territory. Where it is truly necessary, for business needs, to provide such data to parties outside the borders, a security assessment shall be conducted in accordance with these Measures.

Article 3 Security assessment of outbound data shall follow the principles of fairness, objectivity and effectiveness, safeguard the security of personal information and important data, and promote the lawful, orderly and free flow of network information.

Article 4 Where personal information is to be transferred outside the borders, the personal information subject shall be informed of the purpose, scope and content of the transfer, the recipient, and the country or region in which the recipient is located, and the subject's consent shall be obtained. The outbound transfer of minors' personal information requires the consent of their guardians.

Article 5 The national cybersecurity and informatization department coordinates outbound data security assessment work as a whole, and guides sector competent or regulatory departments in organizing outbound data security assessments.

Article 6 Sector competent or regulatory departments are responsible for outbound data security assessment work in their own sector, and periodically organize outbound data security inspections in their sector.

Article 7 Before transferring data outside the borders, network operators shall organize a security assessment of the outbound transfer themselves, and bear responsibility for the assessment results.

Article 8 Outbound data security assessments shall focus on the following:

(1) the necessity of the outbound transfer;

(2) the personal information involved, including the quantity, scope, type and sensitivity of the personal information, and whether the personal information subjects have consented to the outbound transfer of their personal information;

(3) the important data involved, including the quantity, scope, type and sensitivity of the important data;

(4) the security protection measures, capabilities and level of the data recipient, and the cybersecurity environment of the country or region in which it is located;

(5) the risk that the data is leaked, damaged, tampered with or abused after outbound transfer and onward transfer;

(6) the risks that the outbound transfer, and the aggregation of outbound data, may bring to national security, the social public interest and the lawful interests of individuals;

(7) other important matters requiring assessment.

Article 9 Where outbound data falls under any of the following circumstances, the network operator shall apply to the sector competent or regulatory department to organize a security assessment:

(1) it contains, or cumulatively contains, the personal information of 500,000 or more persons;

(2) the data volume exceeds 1000 GB;

(3) it contains data from fields such as nuclear facilities, chemistry and biology, national defence and military industry, and population health, or data on large-scale engineering activities, the marine environment, sensitive geographic information and so on;

(4) it contains cybersecurity information on critical information infrastructure, such as system vulnerabilities and security protection measures;

(5) an operator of critical information infrastructure provides personal information or important data to parties outside the borders;

(6) other circumstances that may affect national security or the social public interest, and that the sector competent or regulatory department considers should be assessed.

Where the sector competent or regulatory department is unclear, the national cybersecurity and informatization department organizes the assessment.

Article 10 Security assessments organized by sector competent or regulatory departments shall be completed within sixty working days; the department shall promptly report the outcome of the assessment to the network operator, and report it to the national cybersecurity and informatization department.

Article 11 Data may not be transferred outside the borders under any of the following circumstances:

(1) the outbound transfer of personal information has not been consented to by the personal information subject, or may infringe the interests of the individual;

(2) the outbound transfer brings risks to national political, economic, scientific and technological, national defence or other security, and may affect national security or harm the social public interest;

(3) other circumstances in which the national cybersecurity and informatization department, the public security department, the state security department or other relevant departments determine that the data may not leave the borders.

Article 12 Network operators shall, according to business development and network operation conditions, conduct a security assessment of their outbound data at least once a year, and promptly report the assessment to the sector competent or regulatory department.

Where the data recipient changes, where the purpose, scope, quantity, type and so on of the outbound data change substantially, or where a major security incident occurs at the data recipient or affecting the outbound data, a new security assessment shall be conducted promptly.

Article 13 Any individual or organization has the right to report to the national cybersecurity and informatization department, the public security department and other relevant departments any act of providing data outside the borders in violation of relevant laws and regulations or these Measures.

Article 14 Whoever violates the provisions of these Measures shall be punished in accordance with relevant laws and regulations.

Article 15 Where the Chinese government has signed agreements on outbound data with other countries or regions, those agreements shall be implemented according to their provisions.

Matters involving state secret information shall be handled in accordance with relevant provisions.

Article 16 Security assessment work for the outbound transfer of personal information and important data collected and generated within the territory of the People's Republic of China by other individuals and organizations shall be carried out with reference to these Measures.

Article 17 The meanings of the following terms used in these Measures:

Network operator refers to the owner or manager of a network, or a network service provider.

Outbound data transfer refers to a network operator providing personal information and important data, collected and generated in the course of operations within the territory of the People's Republic of China, to institutions, organizations or individuals located outside the borders.

Personal information refers to all kinds of information, recorded electronically or by other means, that can identify a natural person on its own or in combination with other information, including but not limited to the natural person's name, date of birth, identity document number, personal biometric information, address, telephone number and so on.

Important data refers to data closely related to national security, economic development and the social public interest; its specific scope is determined with reference to relevant national standards and important data identification guidelines.

Article 18 These Measures shall come into force on [month] [day] 2017.