(Passed on 28 December 2012 at the 30th Committee Meeting of the 11th National People’s Congress Standing Committee)
In order to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, safeguard national security and social order, the following decision is hereby made:
I, The State protects electronic information by which the individual identity of citizens can be distinguished, as well as electronic information involving citizens’ individual privacy.
No organization or individual may steal or obtain in other illegal manners citizens’ individual electronic information, or sell or illegally provide citizens’ individual electronic information to other persons.
II, Network service providers and other enterprise and undertaking work units that collect or use citizens’ individual electronic information during their business activities shall abide by the principles of legality, legitimacy and necessity, clearly indicate the objective, methods and scope for collection and use of information, and obtain agreement from the person whose data is collected; they may not violate the provisions of laws and regulations, or the agreement between both sides, in collecting or using information.
Network service providers and other enterprise and undertaking work units collecting or using citizens’ individual electronic information shall make public their collection and use rules.
III, Network service providers, other enterprise and undertaking work units and their staff must strictly preserve the secrecy of citizens’ individual electronic information they collect in their business activities; they may not divulge, distort, or damage it, and may not sell or illegally provide it to other persons.
IV, Network service providers and other enterprise and undertaking work units shall adopt technological measures and other necessary measures to ensure information security and prevent citizens’ individual electronic information collected during business activities from being divulged, damaged or lost. When divulging of, damage to or loss of information occurs or may occur, remedial measures shall be adopted immediately.
V, Network service providers shall strengthen management of information disseminated by users; where it occurs that information violating laws or regulations is published or disseminated, handling measures such as ceasing the dissemination of the said information, deleting it, etc., are to be adopted, relevant records are to be preserved, and the relevant controlling departments informed.
VI, Network service providers that handle website access services for users, handle fixed telephone, mobile telephone and other surfing formalities, or provide information publication services to users, shall, when concluding agreements with users or affirming the provision of service, require users to provide real identity information.
VII, No organization or individual may, without having obtained agreement of or a request from the electronic information receiver, or where the electronic information receiver has clearly indicated refusal, send commercial electronic information to fixed telephones, mobile telephones and individual e-mail boxes.
VIII, Where citizens discover that their individual identity has been divulged, individual privacy has been disseminated or other network information infringes their lawful rights and interests, or are harassed by commercial electronic information, they have the power to require the network service provider to delete the relevant information or adopt other necessary measures to cease this.
IX, Any work unit or individual has the power to report or file accusations with the relevant controlling departments against unlawful or criminal acts of stealing citizens’ individual electronic information or gaining it by other illegal means, selling it or providing it illegally to other persons, as well as other unlawful and criminal acts concerning network information; departments receiving reports and accusations shall deal with them in a timely manner according to the law. The infringed person may file a lawsuit according to the law.
X, Relevant controlling departments shall, within the scope of duties and responsibilities of each, carry out their duties according to the law, adopt technological measures and other necessary measures to guard against, prevent, investigate and prosecute unlawful or criminal acts of stealing citizens’ individual electronic information or gaining it by other illegal means, selling it or providing it illegally to other persons, as well as other unlawful and criminal acts concerning network information. When relevant controlling departments carry out their duties according to the law, network service providers shall grant cooperation and provide technological support.
State organs and their staff shall protect the secrecy of citizens’ individual electronic information that they learn when carrying out their duties; they may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.
XI, Acts violating this Decision are subject to warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel from engaging in network service business and other punishments; they are entered into social credit files and published; where acts constitute violations of public order management, public order management punishments are imposed according to the law. Where they constitute a crime, criminal liability is prosecuted according to the law. Where other persons’ civil rights are infringed, civil liability is borne according to the law.
XII, This Decision takes effect on the date of promulgation.