"Cybersecurity Law of the People's Republic of China"

Chapter 1 General Provisions

Article 1 This law is enacted in order to ensure network security, safeguard cyberspace sovereignty, national security, and social and public interests, protect the legitimate rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informatization.

Article 2 This Law shall apply to the construction, operation, maintenance and use of networks within the territory of the People's Republic of China, as well as the supervision and management of network security.

Article 3 The state attaches equal importance to network security and informatization development, follows the principles of active utilization, scientific development, legal management, and ensuring security, promotes network infrastructure construction and interconnection, encourages network technology innovation and application, supports the training of network security talents, establishes and improves the network security system, and improves network security protection capabilities.

Article 4: The state formulates and continuously improves network security strategies, clarifies the basic requirements and main goals for ensuring network security, and proposes network security policies, work tasks and measures in key areas.

Article 5 The state takes measures to monitor, defend, and deal with network security risks and threats originating from within and outside the People's Republic of China, protect critical information infrastructure from attacks, intrusions, interference, and destruction, punish illegal and criminal network activities in accordance with the law, and maintain cyberspace security and order.

Article 6: The state advocates honest, trustworthy, healthy and civilized online behavior, promotes the dissemination of socialist core values, takes measures to improve the network security awareness and level of the whole society, and forms a good environment for the whole society to jointly participate in promoting network security.

Article 7 The state actively carries out international exchanges and cooperation in cyberspace governance, network technology research and development and standard formulation, and combating network crimes, promotes the construction of a peaceful, secure, open, and cooperative cyberspace, and establishes a multilateral, democratic, and transparent network governance system.

Article 8: The national cybersecurity and informatization department is responsible for overall coordination of network security work and related supervision and management work. The telecommunications department under the State Council, the public security department and other relevant agencies shall be responsible for network security protection, supervision and management within the scope of their respective responsibilities in accordance with the provisions of this Law and relevant laws and administrative regulations.

The network security protection and supervision and management responsibilities of relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant national regulations.

Article 9 When conducting business and service activities, network operators must abide by laws and administrative regulations, respect social ethics, abide by business ethics, be honest and trustworthy, perform network security protection obligations, accept supervision from the government and society, and assume social responsibilities.

Article 10 When constructing and operating a network or providing services through the network, technical measures and other necessary measures shall be taken in accordance with the provisions of laws, administrative regulations and the mandatory requirements of national standards to ensure the security and stable operation of the network, effectively respond to network security incidents, prevent illegal and criminal activities on the Internet, and maintain the integrity, confidentiality and availability of network data.

Article 11 Network-related industry organizations shall, in accordance with their charters, strengthen industry self-discipline, formulate network security codes of conduct, guide members to strengthen network security protection, improve network security protection levels, and promote the healthy development of the industry.

Article 12 The state protects the rights of citizens, legal persons and other organizations to use the Internet in accordance with the law, promotes the popularization of network access, improves network service levels, provides safe and convenient network services to society, and ensures the orderly and free flow of network information in accordance with the law.

Any individual or organization using the Internet must abide by the Constitution and laws, abide by public order, respect social ethics, and must not endanger network security. They must not use the Internet to engage in activities such as endangering national security, honor and interests, inciting subversion of state power or the overthrow of the socialist system, inciting secession, undermining national unity, advocating terrorism and extremism, advocating ethnic hatred and ethnic discrimination, spreading violent and obscene information, fabricating and disseminating false information to disrupt economic and social order, or infringing on others' reputation, privacy, intellectual property rights and other legitimate rights and interests.

Article 13: The state supports the research and development of network products and services that are conducive to the healthy growth of minors, punishes in accordance with the law the use of the Internet to engage in activities that endanger the physical and mental health of minors, and provides a safe and healthy network environment for minors.

Article 14: Any individual or organization has the right to report behaviors that endanger network security to the cybersecurity, telecommunications, public security and other departments. The department that receives the report shall handle it in a timely manner and in accordance with the law; if the report does not fall within the responsibilities of the department, it shall be promptly transferred to the department with the authority to handle it.

Relevant departments should keep the relevant information of the whistleblower confidential and protect the legitimate rights and interests of the whistleblower.

Chapter 2 Network Security Support and Promotion

Article 15: The state establishes and improves the network security standard system. The standardization administrative department of the State Council and other relevant departments of the State Council shall, in accordance with their respective responsibilities, organize the formulation and timely revision of national and industry standards related to network security management and network products, services and operation security.

The state supports enterprises, research institutions, universities, and network-related industry organizations to participate in the formulation of national and industry standards for network security.

Article 16 The State Council and the people's governments of provinces, autonomous regions and municipalities directly under the Central Government shall make overall plans, increase investment, support key network security technology industries and projects, support the research, development and application of network security technology, promote safe and trustworthy network products and services, protect network technology intellectual property rights, and support enterprises, research institutions, universities, etc. in participating in national network security technology innovation projects.

Article 17 The state promotes the construction of a socialized network security service system and encourages relevant enterprises and institutions to carry out network security certification, testing, risk assessment and other security services.

Article 18: The state encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and promotes technological innovation and economic and social development.

The state supports the innovation of network security management methods, the use of new network technologies, and the improvement of network security protection levels.

Article 19 People's governments at all levels and their relevant departments shall organize and carry out regular network security publicity and education, and guide and urge relevant units to do a good job in network security publicity and education.

Mass media should carry out targeted publicity and education on network security for society.

Article 20: The state supports enterprises and educational and training institutions such as universities and vocational schools to carry out cybersecurity-related education and training, adopts various methods to cultivate cybersecurity talents, and promotes the exchange of cybersecurity talents.

Chapter 3 Network Operation Security

Section 1 General Provisions

Article 21: The state implements a network security level protection system. Network operators shall, in accordance with the requirements of the network security level protection system, perform the following security protection obligations to protect the network from interference, destruction or unauthorized access, and to prevent network data from being leaked or stolen or tampered with:

(1) Develop internal security management systems and operating procedures, determine the person in charge of network security, and implement network security protection responsibilities;
(2) Take technical measures to prevent computer viruses, network attacks, network intrusions and other behaviors that endanger network security;
(3) Take technical measures to monitor and record network operating status and network security events, and retain relevant network logs for no less than six months in accordance with regulations;
(4) Take measures such as data classification, important data backup and encryption;
(5) Other obligations stipulated in laws and administrative regulations.

Article 22 Network products and services should comply with the mandatory requirements of relevant national standards. Providers of network products and services are not allowed to set up malicious programs; when they discover that their network products and services have security flaws, vulnerabilities and other risks, they should immediately take remedial measures, promptly notify users in accordance with regulations, and report to the relevant competent authorities.

Providers of network products and services shall continue to provide security maintenance for their products and services; they shall not terminate the provision of security maintenance within the period specified by regulations or agreed upon by the parties.

If network products or services have the function of collecting user information, their providers shall make this clear to users and obtain consent; if users' personal information is involved, they shall also comply with the provisions of this Law and relevant laws and administrative regulations on the protection of personal information.

Article 23: Key network equipment and network security-specific products must be in accordance with the mandatory requirements of relevant national standards, and may not be sold or provided until they have passed security certification by a qualified institution or have passed security testing. The national cybersecurity and informatization department, together with relevant departments of the State Council, formulates and publishes catalogs of key network equipment and network security-specific products, and promotes mutual recognition of security certification and security testing results to avoid repeated certification and testing.

Article 24 When network operators handle network access and domain name registration services for users, handle network access procedures such as fixed telephone and mobile phone calls, or provide users with information release, instant messaging and other services, they shall, when signing an agreement with the user or confirming the provision of services, require users to provide their true identity information. If users do not provide their true identity information, network operators are not allowed to provide relevant services.

The state implements the network trusted identity strategy, supports the research and development of safe and convenient electronic identity authentication technology, and promotes mutual recognition between different electronic identity authentications.

Article 25 Network operators shall formulate contingency plans for network security incidents and promptly deal with security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; when an incident endangering network security occurs, they shall immediately activate the contingency plan, take appropriate remedial measures, and report to relevant authorities in accordance with regulations.

Article 26: To carry out network security certification, testing, risk assessment and other activities, and to release network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public, relevant national regulations must be observed.

Article 27 No individual or organization may engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with normal functions of other people's networks, stealing network data, etc.; may provide programs or tools specifically designed for activities that endanger network security, such as intruding into networks, interfering with normal network functions and protective measures, or stealing network data; or, knowing that others are engaged in activities that endanger network security, may provide them with technical support, advertising promotion, payment and settlement and other assistance.

Article 28: Network operators shall provide technical support and assistance to public security organs and national security organs in their activities to safeguard national security and investigate crimes in accordance with the law.

Article 29: The state supports cooperation between network operators in the collection, analysis, reporting and emergency response of network security information, and improves the security assurance capabilities of network operators.

Relevant industry organizations establish and improve network security protection norms and collaboration mechanisms in the industry, strengthen the analysis and assessment of network security risks, regularly issue risk warnings to members, and support and assist members in responding to network security risks.

Article 30: Information obtained by cybersecurity and informatization departments and relevant departments in performing network security protection duties can only be used to maintain network security and may not be used for other purposes.

Section 2 Operational Security of Critical Information Infrastructure

Article 31 The state implements key protection, on the basis of the network security level protection system, for critical information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that, if damaged, deprived of its functions, or subject to data leakage, may seriously endanger national security, the national economy, people's livelihood, and public interests. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council.

The state encourages network operators other than critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.

Article 32 In accordance with the division of responsibilities stipulated by the State Council, the departments responsible for the security protection of critical information infrastructure shall prepare and organize the implementation of critical information infrastructure security plans for their own industries and fields, and guide and supervise the security protection work of critical information infrastructure operations.

Article 33: The construction of critical information infrastructure shall ensure that it has the performance to support the stable and continuous operation of business, and ensure the simultaneous planning, construction and use of security technical measures.

Article 34 In addition to the provisions of Article 21 of this Law, operators of critical information infrastructure shall also perform the following security protection obligations:

(1) Set up a special safety management organization and a person in charge of safety management, and conduct safety background checks on the person in charge and personnel in key positions;
(2) Regularly conduct network security education, technical training and skill assessment for practitioners;
(3) Carry out disaster recovery backup of important systems and databases;
(4) Develop an emergency plan for network security incidents and conduct regular drills;
(5) Other obligations stipulated in laws and administrative regulations.

Article 35 If operators of critical information infrastructure purchase network products and services that may affect national security, they shall pass a national security review organized by the national cyberspace department in conjunction with relevant departments of the State Council.

Article 36: When operators of critical information infrastructure purchase network products and services, they shall sign a security and confidentiality agreement with the provider in accordance with regulations to clarify security and confidentiality obligations and responsibilities.

Article 37: Personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China. If it is indeed necessary to provide information overseas due to business needs, a security assessment shall be conducted in accordance with the methods formulated by the national cybersecurity and informatization department in conjunction with relevant departments of the State Council; if laws and administrative regulations provide otherwise, such provisions shall prevail.

Article 38 Operators of critical information infrastructure shall, by themselves or by entrusting a network security service agency, conduct testing and assessment of the security and possible risks of their networks at least once a year, and submit the testing and assessment results and improvement measures to the relevant department responsible for the security protection of critical information infrastructure.

Article 39: The national cybersecurity and informatization department shall coordinate relevant departments to adopt the following measures for the security protection of critical information infrastructure:

(1) Conduct random checks and tests on security risks of critical information infrastructure, propose improvement measures, and if necessary, entrust a network security service agency to conduct detection and assessment of security risks existing in the network;
(2) Regularly organize operators of critical information infrastructure to conduct network security emergency drills to improve their ability to respond to network security incidents and their coordination capabilities;
(3) Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, relevant research institutions, network security service agencies, etc.;
(4) Provide technical support and assistance for emergency response to network security incidents and restoration of network functions.

Chapter 4 Network Information Security

Article 40 Network operators shall strictly keep the user information they collect confidential and establish and improve user information protection systems.

Article 41: Network operators shall collect and use personal information in accordance with the principles of legality, legitimacy and necessity, disclose collection and use rules, clearly state the purpose, method and scope of collecting and using information, and obtain the consent of the persons being collected.

Network operators shall not collect personal information unrelated to the services they provide, shall not collect or use personal information in violation of the provisions of laws, administrative regulations and the agreements between the parties, and shall handle and store personal information in accordance with the provisions of laws, administrative regulations and the agreements with users.

Article 42: Network operators are not allowed to leak, tamper with, or damage the personal information they collect; they are not allowed to provide personal information to others without the consent of the person being collected. However, this does not apply to cases where a specific individual cannot be identified after processing and cannot be restored.

Network operators should take technical measures and other necessary measures to ensure the security of the personal information they collect and prevent information leakage, damage, and loss. When personal information is, or is likely to be, leaked, damaged, or lost, remedial measures should be taken immediately, users should be promptly informed in accordance with regulations, and the matter should be reported to the relevant competent authorities.

Article 43 If an individual discovers that a network operator has collected or used his or her personal information in violation of laws, administrative regulations or the agreement between the two parties, he or she has the right to request the network operator to delete his or her personal information; if the information is incorrect, he or she has the right to request the network operator to correct it. Network operators should take measures to delete or correct it.

Article 44: No individual or organization may steal or obtain personal information in other illegal ways, and may not illegally sell or illegally provide personal information to others.

Article 45: Departments and their staff responsible for network security supervision and management in accordance with the law must keep personal information, privacy and business secrets learned in the performance of their duties strictly confidential, and must not leak, sell or illegally provide them to others.

Article 46 Any individual or organization shall be responsible for their use of the Internet and shall not establish websites or communication groups for committing fraud, teaching criminal methods, producing or selling prohibited items, controlled items and other illegal and criminal activities, and shall not use the Internet to publish information involving fraud, production or sale of prohibited items, controlled items and other illegal and criminal activities.

Article 47 Network operators should strengthen the management of information released by their users. If they discover information that is prohibited from being released or transmitted by laws or administrative regulations, they should immediately stop transmitting the information, take disposal measures such as elimination, prevent the spread of the information, preserve relevant records, and report to the relevant competent authorities.

Article 48: Electronic information sent and application software provided by any individual or organization must not be installed with malicious programs, and must not contain information that is prohibited from being released or transmitted by laws and administrative regulations.

Electronic information transmission service providers and application software download service providers shall perform security management obligations. If they learn that their users have committed the acts specified in the preceding paragraph, they shall stop providing services, take disposal measures such as elimination, save relevant records, and report them to the relevant competent authorities.

Article 49: Network operators shall establish a network information security complaint and reporting system, publish information such as complaints and reporting methods, and promptly accept and handle complaints and reports related to network information security.

Network operators shall cooperate with the supervision and inspections carried out by the cybersecurity and informatization departments and relevant departments in accordance with the law.

Article 50: The national cybersecurity and informatization department and relevant departments perform network information security supervision and management responsibilities in accordance with the law. If they discover information that is prohibited from being released or transmitted by laws and administrative regulations, they shall require the network operator to stop the transmission, take disposal measures such as elimination, and keep relevant records; for the above-mentioned information originating from outside the territory of the People's Republic of China, relevant agencies should be notified to take technical measures and other necessary measures to block dissemination.

Chapter 5 Monitoring, Early Warning and Emergency Response

Article 51: The state establishes a network security monitoring, early warning and information reporting system. The national cybersecurity and informatization department shall coordinate relevant departments to strengthen the collection, analysis and reporting of cybersecurity information, and uniformly release cybersecurity monitoring and early warning information in accordance with regulations.

Article 52: The department responsible for the security protection of critical information infrastructure shall establish and improve the network security monitoring, early warning and information reporting system for this industry and field, and submit network security monitoring and early warning information in accordance with regulations.

Article 53: The national cybersecurity and informatization department shall coordinate with relevant departments to establish and improve cybersecurity risk assessment and emergency response mechanisms, formulate contingency plans for cybersecurity incidents, and organize regular drills.

Departments responsible for the security protection of critical information infrastructure should formulate emergency plans for network security incidents in their own industry and field, and organize regular drills.

The network security incident emergency plan shall classify network security incidents according to factors such as the degree of harm and scope of impact after the incident occurs, and stipulate corresponding emergency response measures.

Article 54: When the risk of a cybersecurity incident increases, the relevant departments of the people's government at or above the provincial level shall take the following measures in accordance with the prescribed authority and procedures and based on the characteristics of the cybersecurity risk and the possible harm:

(1) Require relevant departments, institutions and personnel to collect and report relevant information in a timely manner and strengthen monitoring of network security risks;
(2) Organize relevant departments, institutions and professionals to analyze and evaluate network security risk information and predict the possibility, scope of impact and degree of harm of events;
(3) Issue network security risk warnings to the public and issue measures to avoid and mitigate harm.

Article 55 When a network security incident occurs, a network security incident emergency plan shall be launched immediately, the network security incident shall be investigated and evaluated, network operators shall be required to take technical measures and other necessary measures to eliminate safety hazards and prevent the expansion of harm, and public-related warning information shall be promptly released to society.

Article 56 If the relevant departments of the people's governments at or above the provincial level, while performing their network security supervision and management responsibilities, discover that there are major security risks or security incidents occur in the network, they may, in accordance with the prescribed authority and procedures, interview the legal representative or person in charge of the network operator. Network operators should take measures as required to make rectifications and eliminate hidden dangers.

Article 57 If an emergency or production safety accident occurs due to a network security incident, it shall be handled in accordance with the provisions of the "Emergency Response Law of the People's Republic of China", the "Work Safety Law of the People's Republic of China" and other relevant laws and administrative regulations.

Article 58: Due to the need to maintain national security and social public order and deal with major social security emergencies, temporary measures such as restrictions on network communications in specific areas may be adopted upon decision or approval of the State Council.

Chapter 6 Legal Liability

Article 59 If a network operator fails to perform its network security protection obligations stipulated in Articles 21 and 25 of this Law, the relevant competent authorities shall order it to make corrections and issue a warning; if it refuses to make corrections or causes consequences such as endangering network security, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed, and the directly responsible person in charge shall be fined not less than RMB 5,000 but not more than RMB 50,000.

If the operator of critical information infrastructure fails to perform the network security protection obligations stipulated in Articles 33, 34, 36, and 38 of this Law, the relevant competent authorities shall order it to make corrections and issue a warning; whoever refuses to correct or causes consequences such as endangering network security shall be fined not less than 100,000 yuan but not more than 1 million yuan, and the directly responsible person in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 60 Anyone who violates the provisions of Paragraph 1 and Paragraph 2 of Article 22 and Paragraph 1 of Article 48 of this Law and commits any of the following acts shall be ordered to make corrections and given a warning by the relevant competent authorities; those who refuse to make corrections or cause consequences such as endangering network security shall be fined not less than 50,000 yuan but not more than 500,000 yuan, and the directly responsible person in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

(1) Setting up malicious programs;
(2) Failure to take immediate remedial measures for security defects, vulnerabilities and other risks in its products and services, or failure to promptly notify users and report to the relevant competent authorities in accordance with regulations;
(3) Terminating the security maintenance provided for its products and services without authorization.

Article 61 If a network operator violates the provisions of Paragraph 1 of Article 24 of this Law by failing to require users to provide true identity information, or providing relevant services to users who do not provide true identity information, the relevant competent authorities shall order corrections; if it refuses to make corrections or the circumstances are serious, it shall be fined not less than RMB 50,000 but not more than RMB 500,000, and the relevant competent authorities may order it to suspend relevant business, suspend operations for rectification, close websites, revoke relevant business licenses or revoke business licenses, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Article 62 If anyone violates the provisions of Article 26 of this Law by carrying out network security certification, testing, risk assessment and other activities, or releasing network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public, the relevant competent authorities shall order corrections and give warnings; those who refuse to make corrections, or where the circumstances are serious, shall be fined not less than RMB 10,000 but not more than RMB 100,000, and may be ordered by the relevant competent authorities to suspend relevant business, suspend operations for rectification, close websites, revoke relevant business licenses, or revoke the business license, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 5,000 but not more than RMB 50,000.

Article 63 Anyone who violates the provisions of Article 27 of this Law by engaging in activities that endanger network security, or providing programs and tools specifically used to engage in activities that endanger network security, or providing assistance such as technical support, advertising, promotion, payment and settlement, where this does not constitute a crime, shall have the illegal income confiscated by the public security organs and shall be detained for not more than five days, and may also be fined not less than 50,000 yuan but not more than 500,000 yuan; if the circumstances are more serious, the person shall be detained for not less than five days but less than 15 days, and may also be fined not less than RMB 100,000 but not more than RMB 1,000,000.

If a unit commits the acts mentioned in the preceding paragraph, the public security organs shall confiscate the illegal gains and impose a fine of not less than 100,000 yuan but not more than 1 million yuan, and the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the provisions of the preceding paragraph.

Persons who violate the provisions of Article 27 of this Law and are punished by public security management shall not be allowed to work in key positions of network security management and network operations within five years; persons who are subject to criminal penalties shall be prohibited from working in key positions of network security management and network operations for life.

Article 64: If network operators or providers of network products or services violate the provisions of Article 22, paragraph 3, and Articles 41 to 43 of this Law and infringe upon the right of personal information to be protected in accordance with the law, the relevant competent departments shall order corrections, and may impose a warning, confiscation of illegal income, or a fine of not less than one time but not more than ten times the illegal income, or a fine of not more than one million yuan if there is no illegal income, and, according to the circumstances, the directly responsible person in charge and other directly responsible persons shall be fined not less than RMB 10,000 but not more than RMB 100,000; if the circumstances are serious, they may be ordered to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license.

If a person violates the provisions of Article 44 of this Law by stealing or obtaining by other illegal means, illegally selling or illegally providing personal information to others, and this does not constitute a crime, the illegal gains shall be confiscated by the public security organs and a fine of not less than one time but not more than ten times the illegal gains shall be imposed; if there is no illegal income, a fine of not more than one million yuan shall be imposed.

Article 65 If an operator of critical information infrastructure violates the provisions of Article 35 of this Law and uses network products or services that have not been subject to security review or have failed security review, the relevant competent authorities shall order it to stop using them and impose a fine of not less than one time but not more than ten times the purchase amount; the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Article 66: If an operator of critical information infrastructure violates the provisions of Article 37 of this Law by storing network data overseas or providing network data overseas, the relevant competent authorities shall order it to make corrections, issue a warning, and confiscate the illegal gains. A fine of not less than RMB 50,000 but not more than RMB 500,000 may be imposed, and the person in charge may be ordered to suspend relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license; the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Article 67: Anyone who violates the provisions of Article 46 of this Law by establishing a website or communication group for the purpose of committing illegal and criminal activities, or using the Internet to publish information involving the implementation of illegal and criminal activities, which does not constitute a crime, shall be prosecuted by the public security organs. Those who are detained for not less than five days may be fined not less than 10,000 yuan but not more than 100,000 yuan; if the circumstances are serious, those who are detained for not less than five days but not more than 15 days may be fined not less than 50,000 yuan but not more than 500,000 yuan. Websites and communication groups used to carry out illegal and criminal activities shall be closed.

If a unit commits the acts mentioned in the preceding paragraph, the public security organ shall impose a fine of not less than 100,000 yuan but not more than 500,000 yuan, and the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the provisions of the preceding paragraph.

Article 68 If a network operator violates the provisions of Article 47 of this Law and fails to stop transmitting, take disposal measures such as elimination, or preserve relevant records for information prohibited from being released or transmitted by laws or administrative regulations, the relevant competent authorities shall order it to make corrections, give a warning and confiscate illegal gains; if it refuses to make corrections or the circumstances are serious, it shall be fined not less than RMB 100,000 but not more than RMB 500,000, and may be ordered to suspend relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

If an electronic information transmission service provider or an application software download service provider fails to perform the security management obligations stipulated in Paragraph 2 of Article 48 of this Law, it shall be punished in accordance with the provisions of the preceding paragraph.

Article 69 If a network operator violates the provisions of this Law and commits any of the following acts, the relevant competent authorities shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, it shall be fined not less than RMB 50,000 but not more than RMB 500,000, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000:

(1) Failing to take disposal measures such as stopping transmission or erasing information that is prohibited from being released or transmitted by laws and administrative regulations in accordance with the requirements of relevant departments;
(2) Refusing or obstructing the supervision and inspection carried out by relevant departments in accordance with the law;
(3) Refusing to provide technical support and assistance to public security organs and national security organs.

Article 70: Anyone who publishes or transmits information whose publication or transmission is prohibited by paragraph 2 of Article 12 of this Law and other laws and administrative regulations shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 71 Anyone who commits any illegal act specified in this Law shall be recorded in the credit file and made public in accordance with the provisions of relevant laws and administrative regulations.

Article 72: If an operator of a government network of a state agency fails to perform its network security protection obligations stipulated in this Law, its superior agency or relevant agency shall order it to make corrections; the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the law.

Article 73 If the cybersecurity and informatization departments and relevant departments violate the provisions of Article 30 of this Law and use the information obtained in the performance of network security protection duties for other purposes, the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the law.

If staff members of the cybersecurity and informatization departments and relevant departments neglect their duties, abuse their power, engage in malpractice for personal gain, and this does not constitute a crime, they shall be punished in accordance with the law.

Article 74 Anyone who violates the provisions of this Law and causes damage to others shall bear civil liability in accordance with the law.

Anyone who violates the provisions of this Law and constitutes a violation of public security management shall be subject to public security management penalties in accordance with the law; if it constitutes a crime, criminal liability shall be pursued in accordance with the law.

Article 75 If overseas institutions, organizations, or individuals engage in activities that endanger the critical information infrastructure of the People's Republic of China, such as attacks, intrusions, interference, or destruction, resulting in serious consequences, they shall be held legally responsible in accordance with the law; the public security department of the State Council and relevant departments may also decide to freeze the property of, or take other necessary sanctions against, the institution, organization or individual.

Chapter 7 Supplementary Provisions

Article 76 The meanings of the following terms in this Law:

(1) Network refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.
(2) Network security refers to taking necessary measures to prevent attacks, intrusions, interference, destruction, illegal use and accidents on the network, keeping the network in a stable and reliable operating state, and having the capability to ensure the integrity, confidentiality, and usability of network data.
(3) Network operators refer to the owners, managers and network service providers of the network.
(4) Network data refers to various electronic data collected, stored, transmitted, processed and generated through the Internet.
(5) Personal information refers to various information recorded electronically or by other means that can identify a natural person's personal identity alone or in combination with other information, including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address, phone number, etc.

Article 77: In addition to complying with this Law, the operational security protection of networks that store and process state secret information must also comply with the provisions of confidentiality laws and administrative regulations.

Article 78: The security protection of military networks shall be separately stipulated by the Central Military Commission.

Article 79 This Law shall come into effect on June 1, 2017.
