This is the National People’s Congress’ official explanation of the changes made in the Second Reading Draft of the Cybersecurity Law.
I, Some Standing Committee Members suggested that the content of Article 11 of the Draft, concerning the national cybersecurity strategy, be moved to the General Principles, to clarify its important position. Some Standing Committee Members, localities and departments pointed out that, in order to better maintain sovereignty in cyberspace, and to vigorously and actively respond to cyber attacks and destruction at home and abroad, State measures to maintain cybersecurity should be further strengthened; in the corresponding articles, content concerning resisting domestic and foreign cybersecurity threats, protection of the security of critical information infrastructure, punishment of online law-breaking and crime, maintaining order in cyberspace, etc., has been added. The Legal Committee praised the abovementioned opinion, and suggested the following revision be made to the draft: first, the content of Article 11 be moved to the General Principles, and be revised as: the State formulates and incessantly perfects a cybersecurity strategy, which clarifies the basic requirements and main objectives of ensuring cybersecurity, puts forward cybersecurity policies, work tasks and measures for focus areas (Second Reading Draft Article 4); second, a provision is added: the State adopts measures to monitor, defend against, and deal with cybersecurity risks and threats originating from inside and outside of the territory of the People’s Republic of China, to protect critical information infrastructure from attack, intrusion, interference and destruction, to punish unlawful and criminal cyber activities according to the law, and maintain security and order in cyberspace (Second Reading Draft Article 5).
II, Some Standing Committee Members and localities, departments and members of the public pointed out that, in order to clean up the online environment and safeguard national security and the public interest, network usage activities should be further standardized, and carrying forward the Socialist core value view should be stressed. The Legal Committee researched the matter, and suggested the following revisions to the draft: first, to add “promoting the dissemination of the Socialist core value view” to Article 4 of the Draft (Second Reading Draft Article 6). Second, in Article 9 Paragraph II of the Draft, it is added that it is prohibited to use the network to engage in activities including “inciting subversion of the national regime and the overthrow of the Socialist system”, “violating other persons’ reputation or privacy”, etc. (Second Reading Draft Article 12 Paragraph II); and provisions are added in Article 58 of the Draft, that those publishing or disseminating the abovementioned unlawful information will be punished according to the provisions of laws and administrative regulations (Second Reading Draft Article 27).
III, Some Standing Committee members, localities, departments and members of the public proposed that, in order to create a desirable online environment and order, the social responsibility of network operators should be further strengthened, and the duties of network operators to preserve daily network records for a particular period of time as well as to cooperate with relevant departments carrying out monitoring and inspection should be clarified. Legal Committee members researched the matter, and suggested the following provisions should be added: first, network operators must abide by laws and administrative regulations, observe social morals and commercial ethics, be sincere and trustworthy, carry out their cybersecurity protection duties, accept supervision from government and the social public, and bear social responsibility (Second Reading Draft Article 9); second, network operators are to preserve daily network records for no less than six months (Second Reading Draft Article 12 Paragraph III); third, network operators shall cooperate with relevant departments who carry out monitoring and inspection according to the law (Second Reading Draft Article 47 Paragraph II).
IV, Some Standing Committee members, localities, departments and experts proposed, in order to move cybersecurity and development forward in a more coordinated manner, to add content concerning supporting the popularization of secure and reliable network products, perfecting the cybersecurity services system, stimulating the application of big data, innovating cybersecurity management methods, etc. The Legal Committee researched the matter, and suggested the following provisions be added to the Draft: first, “promoting the popularization of secure and trustworthy network products and services” was added to Article 14 (Second Revision Draft Article 15). Second, the provision was added that the State moves forward the construction of socialized cybersecurity services systems, encourages enterprises and bodies to launch cybersecurity authentication, monitoring and risk assessment services (Second Reading Draft Article 16). Third, the provision was added that the State encourages the research and development of online data security protection and usage technologies, stimulates the openness of public data resources, promotes technological innovation and economic and social development; supports the innovation of cybersecurity management methods, the use of new network technologies, and the enhancement of cybersecurity protection levels (Second Reading Draft Article 17).
V, Some localities and departments proposed, in order to strengthen the focus and efficiency of online identity management structures, to clarify that instant communication services implement real-name user management in Article 20 of the draft, and to add content concerning implementing the online trustworthy identity strategy. The Legal Committee researched the matter, and suggested the following provisions be added: to Article 20 Paragraph I of the draft, that network operators shall, when providing instant communications and other such services to users, require users to provide accurate identity information; to Paragraph II, that the State implements an online trustworthy identity strategy (Second Reading Draft Article 23).
VI, Some localities, departments and enterprises put forward that at present, some individuals and bodies wilfully publish cybersecurity information concerning system leaks, etc., which has a significant influence on maintaining cybersecurity, and should be standardized. The Legal Committee researched the matter, and suggested the addition of the following provisions: Those engaging in cybersecurity authentication, monitoring, risk assessment and other such activities, and publishing cybersecurity information concerning system leaks, computer viruses, cyber attacks, cyber intrusions, etc., to society, shall abide by relevant State regulations. (Second Reading Draft Article 25)
VII, Some localities, departments and enterprises put forward that there was an overlap in the Draft provisions concerning the protection of critical information infrastructure and the tiered cybersecurity protection system, and that, on the basis of the tiered cybersecurity protection system, critical information infrastructure should be given focus protection. Some Standing Committee members, localities and departments suggested to not enumerate the categories of critical information infrastructure, and to allow the State Council to formulate supplementary regulations to clarify the matter. The Legal Committee researched the matter, and suggested that Article 25 of the Draft be revised as follows: The State implements focus protection of critical information infrastructure that, whenever it is destroyed, ceases to function or leaks data, may gravely harm national security, the national economy and people’s livelihoods, or the public interest, and implements focus protection on the basis of the tiered cybersecurity protection system. The concrete scope and security protection rules for critical information infrastructure will be formulated by the State Council (Second Reading Draft Article 29 Paragraph I).
VIII, Article 31 of the Draft provides that operators of critical information infrastructure shall store important data, such as citizens’ personal information collected or produced during operations, within the territory of our country; where it is necessary to store or provide data abroad because of business needs, security assessments shall be conducted according to regulations. A number of departments, enterprises and experts suggested to further clarify that important data to be stored within the territory is data collected or produced during operations within the territory of our country. Some localities, departments and members of the public pointed out that important business data of operators of critical information infrastructure should also be stored within the territory. The Legal Committee researched the matter, and suggested the above provisions in the Draft should be amended as follows: operators of critical information infrastructure shall store citizens’ personal information and important business data collected or produced during operations within the territory of the People’s Republic of China, within the territory. Where it needs to be provided abroad because of business reasons, a security assessment shall be conducted according to rules jointly formulated by the State Internet information department and the relevant State Council departments. (Second Reading Draft Article 35)
IX, Some enterprises and experts put forward that, in the protection of critical information infrastructure, network operators should be encouraged to voluntarily participate in the national critical information infrastructure protection system, and network operators, specialized bodies and relevant government departments should be stimulated to share cybersecurity information, and simultaneously strengthen protection of this kind of information. The Legal Committee researched the matter, and suggested to add the following provisions to the Draft: first, the State encourages network operators other than critical information infrastructure to voluntarily participate in the protection system of critical information infrastructure (Article 29 Paragraph II of the Second Reading Draft); second, information obtained in the protection of critical information infrastructure by the State Internet information department and relevant departments may only be used for the protection of cybersecurity, and may not be used for other purposes (Second Reading Draft Article 38).
X, Some Standing Committee members, localities and departments suggested to expand punishment for acts harming cybersecurity, and to add measures including face-to-face talks, entry into credit records and employment prohibitions. The Legal Committee researched the matter, and suggested the following provisions be added to the Draft: first, relevant departments may, according to the provided powers and procedures, invite the statutory representative or other main responsible persons of operators on whose networks relatively large security risks exist or where security incidents occur, for a face-to-face talk (Second Reading Draft Article 54); second, persons wilfully engaging in acts harming cybersecurity, who receive public order management punishments or criminal punishments, may not take up key positions in network operations and cybersecurity management for the rest of their lives (Second Reading Draft Article 61 Paragraph III); third, those committing unlawful acts in violation of the provisions of this law will have them entered in their credit file according to the provisions of relevant laws and administrative regulations, and the matter will be made public (Second Revision Draft Article 68).
Furthermore, some language alterations were made to the Draft.