The Situation of the Revision of the Cybersecurity Law (Draft)
This is the National People’s Congress’ official explanation of the changes made in the Second Reading Draft of the Cybersecurity Law.
I. Some Standing Committee Members suggested that the content of Article 11 of the Draft, concerning the national cybersecurity strategy, be moved to the General Principles, to clarify its important position. Some Standing Committee Members, localities and departments pointed out that, in order to better maintain sovereignty in cyberspace, and to vigorously and actively respond to cyber attacks and destruction at home and abroad, State measures to maintain cybersecurity should be further strengthened, and content concerning resisting domestic and foreign cybersecurity threats, protecting the security of critical information infrastructure, punishing online law-breaking and crime, maintaining order in cyberspace, etc., should be added to the corresponding articles. The Legal Committee agreed with the abovementioned opinions, and suggested the following revisions be made to the Draft: first, the content of Article 11 is moved to the General Principles, and is revised as: the State formulates and continuously improves a cybersecurity strategy, which clarifies the basic requirements and main objectives of ensuring cybersecurity, and puts forward cybersecurity policies, work tasks and measures for focus areas (Second Reading Draft Article 4); second, a provision is added: the State adopts measures to monitor, defend against, and deal with cybersecurity risks and threats originating from inside and outside of the territory of the People’s Republic of China, to protect critical information infrastructure from attack, intrusion, interference and destruction, to punish unlawful and criminal cyber activities according to the law, and to maintain security and order in cyberspace (Second Reading Draft Article 5).
II. Some Standing Committee Members, localities, departments and members of the public pointed out that, in order to clean up the online environment and safeguard national security and the public interest, network usage activities should be further standardized, and carrying forward the Socialist core values should be stressed. The Legal Committee researched the matter, and suggested the following revisions to the Draft: first, “promoting the dissemination of the Socialist core values” is added to Article 4 of the Draft (Second Reading Draft Article 6). Second, in Article 9 Paragraph II of the Draft, it is added that it is prohibited to use the network to engage in activities including “inciting subversion of the national regime and the overthrow of the Socialist system”, “violating other persons’ reputation or privacy”, etc. (Second Reading Draft Article 12 Paragraph II); and a provision is added in Article 58 of the Draft that those publishing or disseminating the abovementioned unlawful information will be punished according to the provisions of relevant laws and administrative regulations (Second Reading Draft Article 67).
III. Some Standing Committee members, localities, departments and members of the public proposed that, in order to create a desirable online environment and order, the social responsibility of network operators should be further strengthened, and the period for which network operators must retain network logs, as well as their duty to cooperate with supervision and inspection by relevant departments, should be clarified. The Legal Committee researched the matter, and suggested the following provisions be added to the Draft: first, network operators must abide by laws and administrative regulations, observe social morals and commercial ethics, be sincere and trustworthy, carry out their cybersecurity protection duties, accept supervision from government and the public, and bear social responsibility (Second Reading Draft Article 9); second, network operators are to retain network logs for no less than six months (Second Reading Draft Article 20 Item 3); third, network operators shall cooperate with supervision and inspection carried out by relevant departments according to the law (Second Reading Draft Article 47 Paragraph II).
IV. Some Standing Committee members, localities, departments and experts proposed that, in order to move cybersecurity and development forward in a more coordinated manner, content should be added concerning supporting the popularization of secure and trustworthy network products, perfecting the cybersecurity services system, stimulating the application of big data, innovating cybersecurity management methods, etc. The Legal Committee researched the matter, and suggested the following provisions be added to the Draft: first, “promoting the popularization of secure and trustworthy network products and services” is added to Article 14 of the Draft (Second Reading Draft Article 15). Second, a provision is added that the State moves forward the construction of a socialized cybersecurity services system, and encourages enterprises and bodies to provide cybersecurity certification, testing and risk assessment services (Second Reading Draft Article 16). Third, a provision is added that the State encourages the research and development of network data security protection and usage technologies, stimulates the opening up of public data resources, and promotes technological innovation and economic and social development; and that it supports the innovation of cybersecurity management methods and the use of new network technologies to enhance cybersecurity protection levels (Second Reading Draft Article 17). Fourth, a provision is added that big data applications must process citizens’ personal information so that specific individuals cannot be identified, further clarifying the rules for the use of citizens’ personal information (Second Reading Draft Article 41 Paragraph I).
V. Some localities and departments proposed that, in order to make the online identity management system more targeted and effective, Article 20 of the Draft should clarify that instant communication services implement real-name user management, and that content concerning implementing the online trustworthy identity strategy should be added. The Legal Committee researched the matter, and suggested that a provision be added to Article 20 Paragraph I of the Draft that network operators shall, when providing instant communications and other such services to users, require users to provide accurate identity information; and that it be added in Paragraph II that the State implements an online trustworthy identity strategy (Second Reading Draft Article 23).
VI. Some localities, departments and enterprises put forward that, at present, some individuals and bodies publish cybersecurity information such as system vulnerabilities at will, which has a considerable impact on maintaining cybersecurity, and that this should be standardized. The Legal Committee researched the matter, and suggested the addition of the following provision: those engaging in cybersecurity certification, testing, risk assessment and other such activities, and publishing cybersecurity information concerning system vulnerabilities, computer viruses, cyber attacks, cyber intrusions, etc., to society, shall abide by relevant State regulations (Second Reading Draft Article 25).
VII. Some localities, departments and enterprises put forward that the critical information infrastructure protection system and the tiered cybersecurity protection system provided for in the Draft overlap in the objects they manage, and that critical information infrastructure should be given priority protection on the basis of the tiered cybersecurity protection system. Some Standing Committee members, localities and departments suggested not enumerating the scope of critical information infrastructure, and allowing the State Council to formulate supplementary regulations to clarify the matter. The Legal Committee researched the matter, and suggested that Article 25 of the Draft be revised as follows: on the basis of the tiered cybersecurity protection system, the State implements priority protection of critical information infrastructure that, if it is destroyed, ceases to function or leaks data, may gravely harm national security, the national economy and people’s livelihoods, or the public interest. The concrete scope and security protection rules for critical information infrastructure will be formulated by the State Council (Second Reading Draft Article 29 Paragraph I).
VIII. Article 31 of the Draft provides that operators of critical information infrastructure shall store important data, such as citizens’ personal information collected or produced during operations, within the territory of our country; where it is necessary to store or provide data abroad because of business needs, security assessments shall be conducted according to regulations. A number of departments, enterprises and experts suggested further clarifying that the important data to be stored within the territory is data collected or produced during operations within the territory of our country. Some localities, departments and members of the public pointed out that important business data of operators of critical information infrastructure should also be stored within the territory. The Legal Committee researched the matter, and suggested the above provisions in the Draft be amended as follows: citizens’ personal information and important business data that operators of critical information infrastructure collect or produce during operations within the territory of the People’s Republic of China shall be stored within the territory. Where it is necessary to provide such data abroad because of business needs, a security assessment shall be conducted according to rules jointly formulated by the State Internet information department and the relevant State Council departments (Second Reading Draft Article 35).
IX. Some enterprises and experts put forward that, in the protection of critical information infrastructure, network operators should be encouraged to voluntarily participate in the national critical information infrastructure protection system, and the sharing of cybersecurity information between network operators, specialized bodies and relevant government departments should be stimulated, while the protection of this kind of information is strengthened at the same time. The Legal Committee researched the matter, and suggested the following provisions be added to the Draft: first, the State encourages network operators outside critical information infrastructure to voluntarily participate in the critical information infrastructure protection system (Second Reading Draft Article 29 Paragraph II); second, information obtained in the protection of critical information infrastructure by the State Internet information department and relevant departments may only be used for the protection of cybersecurity, and may not be used for other purposes (Second Reading Draft Article 38).
X. Some Standing Committee members, localities and departments suggested strengthening punishment for acts harming cybersecurity, and adding measures including face-to-face talks, entry into credit records and employment prohibitions. The Legal Committee researched the matter, and suggested the following provisions be added to the Draft: first, where relatively large security risks exist on an operator’s network or security incidents occur, relevant departments may, according to the provided powers and procedures, summon the operator’s statutory representative or main responsible persons for a face-to-face talk (Second Reading Draft Article 54); second, persons wilfully engaging in acts harming cybersecurity, who receive public order management punishments or criminal punishments, may not take up key positions in cybersecurity management and network operations for the rest of their lives (Second Reading Draft Article 61 Paragraph III); third, those committing unlawful acts provided for in this Law will have them entered in their credit files according to the provisions of relevant laws and administrative regulations, and the matter will be made public (Second Reading Draft Article 68).
Furthermore, some language alterations were made to the Draft.
网络安全法(草案)的修改情况
一、有的常委会组成人员建议,将草案第十一条关于国家网络安全战略的内容移至总则中规定,明确其重要地位。一些常委会组成人员和地方、部门提出,为了更好地维护网络空间主权,积极主动应对境内外的网络攻击和破坏,应当进一步强化国家维护网络安全的措施,在相关条款中增加抵御境内外网络安全威胁、保护关键信息基础设施安全、惩治网络违法犯罪、维护网络空间秩序等内容。法律委员会赞同上述意见,建议对草案作以下修改:一是,将草案第十一条的内容移至总则,修改为:国家制定并不断完善网络安全战略,明确保障网络安全的基本要求和主要目标,提出重点领域的网络安全政策、工作任务和措施(草案二次审议稿第四条);二是,增加规定:国家采取措施,监测、防御、处置来源于中华人民共和国境内外的网络安全风险和威胁,保护关键信息基础设施免受攻击、侵入、干扰和破坏,依法惩治网络违法犯罪活动,维护网络空间安全和秩序(草案二次审议稿第五条)。
二、一些常委会组成人员和地方、部门、社会公众提出,为净化网络环境,维护国家安全、公共利益,应当进一步规范网络使用行为,强调弘扬社会主义核心价值观。法律委员会经研究,建议对草案作以下修改:一是,在草案第四条中增加“推动传播社会主义核心价值观”(草案二次审议稿第六条)。二是,在草案第九条第二款中增加不得利用网络从事“煽动颠覆国家政权和推翻社会主义制度”、“侵害他人名誉、隐私”等活动(草案二次审议稿第十二条第二款);并在草案第五十八条中增加规定,发布或者传输上述违法信息的,依照有关法律、行政法规的规定处罚(草案二次审议稿第六十七条)。
三、一些常委委员和地方、部门、社会公众提出,为营造良好的网络环境和秩序,应当进一步强化网络运营者的社会责任,明确网络运营者留存网络日志的期限以及配合有关部门监督检查的义务。法律委员会经研究,建议在草案中增加以下规定:一是,网络运营者必须遵守法律、行政法规,遵守社会公德、商业道德,诚实信用,履行网络安全保护义务,接受政府和社会公众的监督,承担社会责任(草案二次审议稿第九条);二是,网络运营者留存网络日志不得少于六个月(草案二次审议稿第二十条第三项);三是,网络运营者对有关部门依法实施的监督检查应当予以配合(草案二次审议稿第四十七条第二款)。
四、一些常委委员和地方、部门、企业、专家提出,为协同推进网络安全与发展,建议增加支持推广安全可信的网络产品、完善网络安全服务体系、促进大数据应用、创新网络安全管理方式等内容。法律委员会经研究,建议在草案中增加以下规定:一是,在草案第十四条中增加“推广安全可信的网络产品和服务”(草案二次审议稿第十五条)。二是,增加规定:国家推进网络安全社会化服务体系建设,鼓励企业、机构开展网络安全认证、检测和风险评估等服务(草案二次审议稿第十六条)。三是,增加规定:国家鼓励开发网络数据安全保护和利用技术,促进公共数据资源开放,推动技术创新和经济社会发展;支持创新网络安全管理方式,运用网络新技术,提升网络安全保护水平(草案二次审议稿第十七条)。四是,增加大数据应用必须对公民个人信息进行无法识别特定个人处理的规定,进一步明确公民个人信息使用规则(草案二次审议稿第四十一条第一款)。
五、一些地方、部门提出,为增强网络身份管理制度的针对性和有效性,建议在草案第二十条中明确对即时通讯服务实行用户实名管理,并增加实施网络可信身份战略的内容。法律委员会经研究,建议在草案第二十条第一款中增加规定,网络运营者为用户提供即时通讯等服务,应当要求用户提供真实身份信息;在第二款中增加国家实施网络可信身份战略。(草案二次审议稿第二十三条)
六、一些地方、部门和企业提出,当前一些个人和机构随意发布系统漏洞等网络安全信息,对维护网络安全影响较大,应予规范。法律委员会经研究,建议增加规定:开展网络安全认证、检测、风险评估等活动,向社会发布系统漏洞、计算机病毒、网络攻击、网络侵入等网络安全信息,应当遵守国家有关规定。(草案二次审议稿第二十五条)
七、一些地方、部门和企业提出,草案规定的关键信息基础设施保护制度与网络安全等级保护制度在管理对象上有交叉,应在网络安全等级保护制度的基础上,对关键信息基础设施予以重点保护。一些常委委员和地方、部门建议对关键信息基础设施的范围不作列举,可由国务院制定配套规定予以明确。法律委员会经研究,建议将草案第二十五条修改为:国家对一旦遭到破坏、丧失功能或者数据泄露,可能严重危害国家安全、国计民生、公共利益的关键信息基础设施,在网络安全等级保护制度的基础上,实行重点保护。关键信息基础设施的具体范围和安全保护办法由国务院制定。(草案二次审议稿第二十九条第一款)
八、草案第三十一条规定,关键信息基础设施的运营者应当在我国境内存储在运营中收集和产生的公民个人信息等重要数据;因业务需要,确需在境外存储或者向境外提供的,应当按照规定进行安全评估。一些部门、企业和专家建议进一步明确应在境内存储的重要数据为在我国境内运营中收集和产生的数据。有的地方、部门和社会公众提出,关键信息基础设施运营者的重要业务数据也应存储在境内。法律委员会经研究,建议将草案的上述规定修改为:关键信息基础设施的运营者在中华人民共和国境内运营中收集和产生的公民个人信息和重要业务数据应当在境内存储。因业务需要,确需向境外提供的,应当按照国家网信部门会同国务院有关部门制定的办法进行安全评估。(草案二次审议稿第三十五条)
九、有的企业、专家提出,在关键信息基础设施保护中,应当鼓励网络运营者自愿参与国家关键信息基础设施保护体系,促进网络运营者、专业机构和政府有关部门之间的网络安全信息共享,同时加强对这些信息的保护。法律委员会经研究,建议在草案中增加以下规定:一是,国家鼓励关键信息基础设施以外的网络运营者自愿参与关键信息基础设施保护体系(草案二次审议稿第二十九条第二款);二是,国家网信部门和有关部门在关键信息基础设施保护中获取的信息,只能用于维护网络安全的需要,不得用于其他用途(草案二次审议稿第三十八条)。
十、一些常委委员和地方、部门建议,加大对危害网络安全行为的惩戒力度,增加约谈、记入信用档案、从业禁止等惩戒措施。法律委员会经研究,建议在草案中增加以下规定:一是,对网络存在较大安全隐患或者发生安全事件的运营者,有关部门可以按照规定的权限和程序对其法定代表人或主要负责人进行约谈(草案二次审议稿第五十四条);二是,对故意从事危害网络安全的活动受到治安管理处罚或者刑事处罚的人员,终身不得从事网络安全管理和网络运营关键岗位的工作(草案二次审议稿第六十一条第三款);三是,对有本法规定的违法行为的,依照有关法律、行政法规的规定记入信用档案,并予以公示(草案二次审议稿第六十八条)。
此外,还对草案作了一些文字修改。