Internet
Notice concerning Further Strengthening Management over Cultural and Artistic Programmes and Their Personnel
National Radio and Television Administration General Office
Guang Dian Ban Fa (2021) 267
All provincial, autonomous region and municipal radio and television bureaus, the Xinjiang Production-Construction Corps Culture, Sports, Radio, Television and Tourism Bureau, the Central Radio and Television Station Office, the Film Channel Programme Centre, the China Education Television Station:
In recent years, radio, television and online audiovisual cultural and artistic programmes have stressed quality, stressed style and stressed responsibility, and resisted vulgar, lowbrow and base tastes, incessantly pushed out excellent works, satisfying the popular masses’ spiritual and cultural needs. In order to further strengthen management, strictly deal with problems that artists violate the law and leave virtue behind, the “fan circle” mess, etc., and to establish a sectoral atmosphere of love for the Party and love for the country with all flags flying, of high virtue and noble art, hereby, the relevant matters are notified as follows:
I, Persisting in resisting unlawful and unvirtuous personnel. Radio and television bodies and online audiovisual platforms must strictly keep the gate in terms of programme actors and guest choices, and persist in making political quality, virtuous character, artistic levels and social evaluation as criteria for choice. Personnel with an incorrect political standpoint, who have dissension and discord with the Party and the country is resolutely not to be selected; personnel who violate laws and regulations and smash society’s baseline of fairness and justice is resolutely not to be selected; personnel who violate public order and fine customs, and whose acts and conduct are without virtue or norms is resolutely not to be selected.
II, Persisting in opposing the only-ratings-theory. Radio and television bodies and online audiovisual platforms may not broadcast idol cultivation-type programmes, they may not broadcast comprehensive arts, entertainment and reality shows where stars’ sons and daughters participate. Talent-type shows must strictly control the setup of the voting segment, they may not set up segments and channels outside of the venue for voting, ranking, reinforcement, etc., it is strictly prohibited to guide or encourage fans to covertly spend money to vote by materialized methods such as purchasing goods, pledging memberships, etc, and the harmful “fan circle” culture is to be resolutely resisted.
III, Persisting in resisting excessive entertainmentization. Persist in cultural self-confidence, forcefully hold high China’s excellent traditional culture, revolutionary culture and advanced Socialist culture. Establish a correct aesthetic orientation for programmes, strictly grasp actor and guest choice, acting styles, dress and make-up, etc, resolutely resist “sissies” and other such abnormal aesthetics. Resolutely resist excessive entertainmentization tendencies of playing up bragging about wealth and hedonism, rumours about sex scandals and personal lives, negative hot topics, vulgare “Internet celebrities”, anti-aesthetics without baselines, etc.
IV, Persisting in resisting high-value remuneration. Strictly implement remuneration regulations for actors and guest, strictly implement their remuneration management notification commitment system. Advocate and encourage actors and guests to bear social responsibility, and participate in public benefit-type programmes. Strictly punish violation of remuneration regulations, “yin-yang contracts”, and tax evasion activities.
Substantially strengthen employee management. Strictly implement that presenters must hold credentials to take up positions, standardize presenters’ participation in social activities and online information dissemination. Strengthen employees’ political quality training, deeply launch education on the Marxist view of news and view on culture and art, persist in the people’s standpoint from beginning to end, stick to the people’s mood. Perfect professional ethical norms, strengthen the construction of professional ethics, consciously resist the temptations of fame and wealth, professional identities and individual fame may not be used to seek improper gain, consciously accept social supervision, and be a model of social virtue and a builder of positive energy.
VI, Launching dedicated and authoritative culture and art criticism. Persist in the correct political orientation, public opinion orientation and value orientation, carry forward the true, the good and the beautiful, reject the false, the evil and the ugly, give full rein to the roles of values in guidance, spirits in leadership and aesthetic in enlightenment. Put social effect and social value first, unify profound thoughts, profound art and excellent production, and evaluate programmes strictly and objectively. Scientifically treat audience ratings, click ratings and other such quantified indicators, and strengthen the expansion and application of “China audiovisual big data”.
VII, Giving full rein to the role of sectoral organizations. Radio, television and online audiovisual sectoral associations and other such sectoral organizations must further perfect sectoral standards and self-discipline conventions, vigorously launch moral appraisal. Strengthen education and training on ideology and politics, professional ethics, etc., establish regularized training mechanisms, optimize teaching content, strengthen case-based teaching, discuss the law through cases, and demonstrate the law through cases. Criticize harmful phenomena in the sectors and negative models with clear banners flying, resolutely oppose circle culture and sectoral corrupt customs, effect a thorough overhaul, and safeguard the benign atmosphere in the sector.
VIII, Substantially implement management duties and responsibilities. Administrative radio and television departments must raise their political stance, earnestly implement ideology work responsibility systems, further compact and substantiate local management responsibilities, competence and supervision responsibilities and dominant responsibilities, guard the culture and art programme orientation gate, content gate, personnel gate, remuneration gate and propaganda gate well. We must pay high regard to listening to the calls of the popular masses, vigorously respond to the concerns of the popular masses, resolutely say “no” to law-breaking and immorality, playing up stars, excessive entertainmentization, “supremacy of ratings” etc., and let the main melody and positive energy fill the radio, television and online audiovisual space to the brim.
It is hereby notified
National Radio and Television Administration General Office
2 September 2021
国家广播电视总局办公厅关于进一步加强文艺节目及其人员管理的通知
广电办发〔2021〕267号
各省、自治区、直辖市广播电视局,新疆生产建设兵团文化体育广电和旅游局,中央广播电视总台办公厅、电影频道节目中心、中国教育电视台:
近年来,广播电视和网络视听文艺节目坚持讲品位讲格调讲责任、抵制低俗庸俗媚俗,不断推出优秀作品,满足人民群众精神文化需要。为进一步加强管理,从严整治艺人违法失德、“饭圈”乱象等问题,旗帜鲜明树立爱党爱国、崇德尚艺的行业风气,现就有关事项通知如下:
一、坚决抵制违法失德人员。广播电视机构和网络视听平台在节目演员和嘉宾选用上要严格把关,坚持把政治素养、道德品行、艺术水准、社会评价作为选用标准。政治立场不正确、与党和国家离心离德的人员坚决不用;违反法律法规、冲击社会公平正义底线的人员坚决不用;违背公序良俗、言行失德失范的人员坚决不用。
二、坚决反对唯流量论。广播电视机构和网络视听平台不得播出偶像养成类节目,不得播出明星子女参加的综艺娱乐及真人秀节目。选秀类节目要严格控制投票环节设置,不得设置场外投票、打榜、助力等环节和通道,严禁引导、鼓励粉丝以购物、充会员等物质化手段变相花钱投票,坚决抵制不良“饭圈”文化。
三、坚决抵制泛娱乐化。坚定文化自信,大力弘扬中华优秀传统文化、革命文化、社会主义先进文化。树立节目正确审美导向,严格把握演员和嘉宾选用、表演风格、服饰妆容等,坚决杜绝“娘炮”等畸形审美。坚决抵制炒作炫富享乐、绯闻隐私、负面热点、低俗“网红”、无底线审丑等泛娱乐化倾向。
四、坚决抵制高价片酬。严格执行演员和嘉宾片酬规定,严格片酬管理告知承诺制度。倡导鼓励演员和嘉宾担当社会责任,参与公益性节目。严肃惩戒片酬违规、“阴阳合同”、偷逃税行为。
五、切实加强从业人员管理。严格执行主持人持证上岗,规范主持人参加社会活动和网络信息发布。加强从业人员政治素质培养,深入开展马克思主义新闻观、文艺观教育,始终坚定人民立场、坚守人民情怀。完善职业道德规范,加强职业道德建设,自觉抵制名利诱惑,不得利用职业身份和个人知名度谋取不当利益,自觉接受社会监督,做社会公德的示范者、正能量的建设者。
六、开展专业权威文艺评论。坚持正确政治方向、舆论导向、价值取向,弘扬真善美、批驳假恶丑,充分发挥价值引导、精神引领、审美启迪作用。把社会效益、社会价值放在首位,把思想精深、艺术精湛、制作精良统一起来,严肃客观评价节目。科学看待收视率、点击率等量化指标,加大“中国视听大数据”推广应用力度。
七、充分发挥行业组织作用。广播电视、网络视听行业协会等社会组织要进一步完善行业规范和自律公约,积极开展道德评议。加强思想政治、职业道德等教育培训,建立常态化培训机制,优化教学内容,强化案例教学,以案说法、以案示法。对行业不良现象、反面典型旗帜鲜明发声批评,坚决反对圈子文化和行业陋习,正本清源,维护行业良好风气。
八、切实履行管理职责。广播电视行政部门要提高政治站位,认真落实意识形态工作责任制,进一步压紧压实属地管理责任、主管主办责任和主体责任,把好文艺节目导向关、内容关、人员关、片酬关、宣传关。要重视倾听人民群众呼声,积极回应人民群众关切,对违法失德、造星炒星、泛娱乐化、“流量至上”等坚决说“不”,让主旋律和正能量充盈广播电视和网络视听空间。
特此通知。
国家广播电视总局办公厅
2021年9月2日
Notice concerning Further Strengthening Control over the “Fan Circle” Mess
All provincial, autonomous region and municipal Party Committee cybersecurity and informatization offices, the Xinjiang Production-Construction Corps Party Committee Cybersecurity and Informatization Office”
Since the “Clear and Crisp ‘Fan Circle’ Mess Control” campaign was held, all localities have implemented relevant work requirements, and have gained certain achievements focusing on star rankings, trending topics, fan communities, interactive comments and other such focus segments, and deeply dealt with the problem of the “fan circle” mess. In order to further strengthen control, bring greater and substantial pressure to the dominant responsibilities of websites and platforms, make substantial breakthroughs in focus and difficult issues, incessantly consolidate and expand the achievements of the campaign, attack and resolve the “fan circle” mess with a heavy fist, hereby, relevant work measures are notified as follows.
1. Cancel star and artist rankings. Cancel all rankings and lists involving individual stars and artists or groups, prohibit newly adding or covertly uploading individual rankings and related products or functions. Only rankings of music works, film and television works, etc. may be maintained, but no individual characteristic such as stars’ or artists’ names may appear.
2. Optimize and adjust ranking rules. When ranking music works, film and television works, etc., reduce the weight of registries, likes, comments and other such indicators, and increase the weight of indicators such as the work’s orientation and expert evaluation. Related functions that lead users to make lists may not be set up, paid-for registration functions or increasing registry numbers through added-value memberships and other such methods may not be set up, guide fans to pay more attention to the quality of cultural products, and reduce the heat of chasing stars.
3. Strictly manage star brokerage companies. Strengthen website platforms’ management responsibilities over the online conduct of star brokerage companies (offices), formulate related online operational standards, and make clear provisions concerning account registration and verification, content dissemination, commercial marketing, crisis PR, fan management and other such online conduct. Strengthen the responsibility of star brokerage companies (offices) to guide fan communities, adopt measures such as limiting flow, prohibition of speech, closure, etc., against stars and their brokerage companies (offices), fan groups and their accounts who incite mutual rifts of fans, struggles and incitements of battles, at the same time, the entire platform will reduce and even cancel all kinds of information dissemination related to [those] stars.
4. Standardize fan community accounts. Strengthen management of accounts of stars’ fan communities, backers, etc. require that fan communities and backers must be authorized or accredited by the star’s brokerage company (office), and their daily maintenance and supervision becomes the latter’s responsibility. Without authorization, no individual or organization may, without exception, register a star fan community account.
5. Strictly prohibit the emergence of mutual ripping information. Substantially implement management responsibilities, timely discover and clean up all kinds of harmful “fan circle” information where fans mutually tear at each other or hurl abuse, drag and trigger fights, start rumours and attacks, etc., strictly deal with accounts violating laws and regulations, effectively prevent heating up and fermentation of public opinion. Strictly punish website platforms where discovery is not timely and management is insufficient.
6. Clean up community pages violating regulations. Continue to dissolve fan communities and groups with themes such as rank voting, reinforcement, collecting money, controlling comments, gossip, explosive materials, etc., close boards, channels, etc. that easily lead to fans collecting and exchanging their ranking experiences, discuss stars’ sex scandals, mutually assign data scraping, etc, and block channels that generate harmful inducements to fans and encourage stirring up of trouble.
7. Fans may not be incited to consume. Formulate detailed rules that stars’ and artists’ magazines or other works, products, etc., in the sales segment, may not display fans’ individual purchase amounts, contribution amounts and other such data, may not rank fans’ individual product purchase data or amounts, may not set up marketing activities that stimulate fans to consume such as task-based unlocking, custom-made benefits, limited-time PK, etc.
8. Strengthen segment setup and management. Strengthen management of online arts and entertainment programmes’ online conduct, they may not set up “spend money to buy votes” functionalities, and are strictly prohibited from guiding or encouraging netizens to vote for candidates by material methods such as purchasing products, memberships etc.
9. Strictly control participation by minors. Further adopt measures to strictly prohibit minors from playing for rewards, it is strictly prohibited that minors respond to calls for consumption, minors may not act as related community heads or managers, minors are restricted from voting for rankings, clarify that star fan communities, backers, etc. may not, in their online conduct, influence minors’ regular study and rest, and may not organize minors to launch all kinds of online assemblies, etc.
10. Standardize reinforcement and fund-raising activities. Timely discover and clean up all kinds of information on calling for reinforcements and raising funds isolating regulations; deal with and punish website platforms where problems are concentrated, accountability is weak, who induce minors to participate in calls for reinforcement and fundraising according to laws and regulations; continue to investigate and prosecute foreign websites who provide ranking votes, reinforcement calls and fund-raising.
All localities must further raise their political stance, substantially strengthen their sense of responsibility, sense of mission and sense of urgency, and understand and advance their work in bringing the “fan circle” mess under control from the height of online political security and ideological security, and creating a clear and crisp cyberspace. They must, in the first instance, arrange and implement matters, take further steps to break the matter down, formulate detailed implementation plans, and supervise local website platforms’ realistic grasp and implementation of these.
CAC Secretariat
25 August 2021
关于进一步加强“饭圈”乱象治理的通知
各省、自治区、直辖市党委网信办,新疆生产建设兵团党委网信办:
“清朗·‘饭圈’乱象整治”专项行动开展以来,各地落实有关工作要求,围绕明星榜单、热门话题、粉丝社群、互动评论等重点环节,深入整治“饭圈”乱象问题,取得了一定成效。为进一步加大治理力度,压紧压实网站平台主体责任,切实突破重点难点问题,不断巩固和扩大专项行动成果,重拳出击解决“饭圈”乱象问题,现就有关工作措施通知如下。
1.取消明星艺人榜单。取消所有涉明星艺人个人或组合的排行榜单,严禁新增或变相上线个人榜单及相关产品或功能。仅可保留音乐作品、影视作品等排行,但不得出现明星艺人姓名等个人标识。
2.优化调整排行规则。在音乐作品、影视作品等排行中,降低签到、点赞、评论等指标权重,增加作品导向及专业性评价等指标权重。不得设置诱导粉丝打榜的相关功能,不得设置付费签到功能或通过充值会员等方式增加签到次数,引导粉丝更多关注文化产品质量,降低追星热度。
3.严管明星经纪公司。强化网站平台对明星经纪公司(工作室)网上行为的管理责任,制定相关网上运营规范,对账号注册认证、内容发布、商业推广、危机公关、粉丝管理等网上行为作出明确规定。强化明星经纪公司(工作室)对粉丝群体的引导责任,对引发粉丝互撕、拉踩引战的明星及其经纪公司(工作室)、粉丝团,对其账号采取限流、禁言、关闭等措施,同时,全平台减少直至取消相关明星的各类信息发布。
4.规范粉丝群体账号。加强对明星粉丝团、后援会等账号的管理,要求粉丝团、后援会账号必须经明星经纪公司(工作室)授权或认证,并由其负责日常维护和监督。未经授权的个人或组织一律不得注册明星粉丝团账号。
5.严禁呈现互撕信息。切实履行管理责任,及时发现清理“饭圈”粉丝互撕谩骂、拉踩引战、造谣攻击等各类有害信息,从严处置违法违规账号,有效防止舆情升温发酵。对发现不及时、管理不到位的网站平台从重处罚。
6.清理违规群组版块。持续解散以打投、应援、集资、控评、八卦、爆料等为主题的粉丝社区、群组,关闭易导致粉丝聚集、交流打榜经验、讨论明星绯闻、互相做任务刷数据的版块、频道等,阻断对粉丝群体产生不良诱导甚至鼓励滋事的渠道。
7.不得诱导粉丝消费。制定细化规则,对明星艺人专辑或其他作品、产品等,在销售环节不得显示粉丝个人购买量、贡献值等数据,不得对粉丝个人购买产品的数量或金额进行排行,不得设置任务解锁、定制福利、限时PK等刺激粉丝消费的营销活动。
8.强化节目设置管理。加强对网络综艺节目网上行为管理,不得设置“花钱买投票”功能,严禁引导、鼓励网民采取购物、充会员等物质化手段为选手投票。
9.严控未成年人参与。进一步采取措施,严禁未成年人打赏,严禁未成年人应援消费,不得由未成年人担任相关群主或管理者,限制未成年人投票打榜,明确明星粉丝团、后援会等线上活动不得影响未成年人正常学习、休息,不得组织未成年人开展各种线上集会等。
10.规范应援集资行为。及时发现、清理各类违规应援集资信息;对问题集中、履责不力、诱导未成年人参与应援集资的网站平台,依法依规处置处罚;持续排查处置提供投票打榜、应援集资的境外网站。
各地要进一步提高政治站位,切实增强责任感、使命感、紧迫感,从维护网上政治安全和意识形态安全、营造清朗网络空间的高度认识和推进“饭圈”乱象治理工作。要第一时间部署落实,进一步分解措施,制定细化实施方案,督促属地网站平台切实抓好落实。
中央网信办秘书局
2021年8月25日
Chinese Banking and Insurance Supervisory Commission Notice concerning Further Standardizing Commercial Banks’Internet Lending Operations
YBJBF No. (2021)24
All banking supervisory bureaus, all large-scale banks, shareholding-type banks and foreign invested banks:
In order to promote commercial banks to effectively implement the “Provisional Rules for the Management of Commercial Banks’ Online Lending” (hereafter referred to as “Rules”), further standardize Internet lending operations and activities, stimulate the healthy development of the business, with the agreement of the CBIRC, the following notification is made on related matters:
I, Implementing risk control requirements. Commmercial banks shall strengthen their dominant responsibility in risk control, independently conduct Internet lending risk management, and autonomously complete lending risk assessment and risk control steps with an important influence for risk control, they are strictly prohibited from outsourcing crucial steps in management before, during and after loans.
II, Strengthening capital issue proportion management. Where commercial banks jointly issue capital for Internet loans with cooperating bodies, they shall strictly implement interregional capital issue proportion management requirements, the capital issue proportion from the cooperating party for a “single pen loan” [a loan not repayable in installments] may not be lower than 30%.
III, Strengthening management of concentration of cooperating party. Where commercial banks jointly issue capital for Internet loans with cooperating bodies, the balance of that bank’s lending issued with any one cooperating party may not exceed 25% of the net amount of that bank’s first-tier capital.
IV, Implementing aggregate control and quota management. The balance of Internet loans where commercial banks jointly issue capital with cooperating bodies may not exceed 50% of that bank’s total lending balance.
V, Strictly controlling cross-regional operations. Where banks with local legal personality conduct Internet lending activities, they shall serve local customers, they may not conduct Internet lending operations outside of the jurisdiction where they are registered. Those who do not have physical operational branches, who mainly conduct operations online, and furthermore conform to other CBIRC regulations and conditions are exempt.
VI, Article 2 and Article 5 of this Notification take effect from 1 January 2022, operational inventories will be settled naturally, the transition period for other provisions is consistent with the “Rules”. The CBIRC and its assigned bodies will, according to the principles of “one bank one policy, steady transition”, supervise commercial banks in formulating rectification plans for Internet lending operations that do not meet the requirements of this Notice, and in completing rectification within the notification period. Commercial banks meeting conditions are encouraged to meet targets early.
VII, The CBIRD and its assigned bodies may put forward stricter precautionary supervision and management requirements concerning capital issue proportions, concentration of cooperating bodies, Internet lending amounts and quotas on the basis of the operational management, risk levels and operational conduct status of commercial banks under their jurisdiction, and on the basis of the provisions of this Notice.
VIII, Foreign bank branches, trust companies, consumer finance companies or car finance companies conducting Internet lending operations will refer to and implement the requirements of this Notice and the “Rules”, where the CBIRC provides otherwise, those provisions are followed.
CBIRC General Office
19 February 2021
中国银保监会办公厅关于进一步规范商业银行互联网贷款业务的通知
银保监办发〔2021〕24号
各银保监局,各大型银行、股份制银行、外资银行:
为推动商业银行有效实施《商业银行互联网贷款管理暂行办法》(以下简称《办法》),进一步规范互联网贷款业务行为,促进业务健康发展,经银保监会同意,现就有关事项通知如下:
一、落实风险控制要求。商业银行应强化风险控制主体责任,独立开展互联网贷款风险管理,并自主完成对贷款风险评估和风险控制具有重要影响的风控环节,严禁将贷前、贷中、贷后管理的关键环节外包。
二、加强出资比例管理。商业银行与合作机构共同出资发放互联网贷款的,应严格落实出资比例区间管理要求,单笔贷款中合作方出资比例不得低于30%。
三、强化合作机构集中度管理。商业银行与合作机构共同出资发放互联网贷款的,与单一合作方(含其关联方)发放的本行贷款余额不得超过本行一级资本净额的25%。
四、实施总量控制和限额管理。商业银行与全部合作机构共同出资发放的互联网贷款余额不得超过本行全部贷款余额的50%。
五、严控跨地域经营。地方法人银行开展互联网贷款业务的,应服务于当地客户,不得跨注册地辖区开展互联网贷款业务。无实体经营网点、业务主要在线上开展,且符合银保监会其他规定条件的除外。
六、本通知第二条、第五条自2022年1月1日起执行,存量业务自然结清,其他规定过渡期与《办法》一致。银保监会及其派出机构按照“一行一策、平稳过渡”的原则,督促商业银行对不符合本通知要求的互联网贷款业务制定整改计划,在过渡期内整改完毕。鼓励有条件的商业银行提前达标。
七、银保监会及其派出机构可根据辖内商业银行经营管理、风险水平和业务开展情况等,在本通知规定基础上,对出资比例、合作机构集中度、互联网贷款总量限额提出更严格的审慎监管要求。
八、外国银行分行、信托公司、消费金融公司、汽车金融公司开展互联网贷款业务参照执行本通知和《办法》要求,银保监会另有规定的,从其规定。
中国银保监会办公厅
2021年2月19日
Guiding Opinions concerning Further Perfecting Structures to Restrain Trust-Breaking and Building Long-Term Mechanisms for Sincerity Construction
GBF No. (2020)49
All provincial, autonomous region and municipal People’s Governments, all State Council ministries and commissions, all directly subordinate bodies:
In order to deeply implement the requirements of the Party Centre and the State Council concerning enhancing sincerity construction, earnestly implementing the “Regulations on Optimizing the Commercial Environment” and other such relevant regulations, further clarify the scope of credit information, impose punishment for trust-breaking according to laws and regulations, perfect credit recovery mechanisms for untrustworthy subjects, and raise the rule of law and standardization levels of social credit system construction, with the approval of the State Council, the following Opinions are hereby put forward.
I, General requirements
With Xi Jinping Thought on Socialism with Chinese characteristics for a new era as guidance, comprehensively implement the spirit of the 19th Party Congress and the 2nd, 3rd, 4th and 5th Plenums of the 19th Party Congress, firmly take seeking progress in stability as a general foundation for work, firmly follow rule of law tracks, strive to build long-term mechanisms for sincerity construction, further standardize and complete mechanisms for the establishment, recording, collecting, sharing, publication, punishment and credit recovery of untrustworthy acts according to the general thinking lines of acting according to laws and regulations, protecting rights and interests, exercising caution and moderation, and checklist-based management, push the social credit system to enter a new phase of high quality development, let the social credit system play an even more positive role in supporting “release, management, service” reform and the transformation of government functions, creating a fair and sincere market environment and social environment.
In the process of advancing and practically exploring social credit system construction work, we must grasp the following important principles: first, strictly act according to laws and regulations, the recording to untrustworthy acts, determining name lists of gravely untrustworthy subjects and punishment for untrustworthiness, and other such matters affecting the direct rights and interests of related individuals, enterprises and all other kinds of subjects, must be handled strictly along rule of law tracks. Second, define scopes accurately, accurately determine the assessment scope for credit information and name lists of gravely untrustworthy subjects, reasonably handle punishment measures for untrustworthiness, firmly prevent improper application and even abuse. Third, ensure punishment is matched to the error, implement different kinds and different degrees of punitive measures strictly according to the law, respectively according to the area in which the untrustworthy act took place, the gravity of the circumstances, the extent of its impact, etc, and ensure the lawful rights and interests of credit subjects are protected. Fourth, lean from international experiences, both act on the basis of our country’s national circumstances, and fully consider international precedents, advance social credit construction cautiously in areas of high social attention, where understandings are not yet in agreement, and push related measures to link tracks internationally.
II, Scientifically determine the scope and processes for public credit information entry
(1) Clearly determine the scope for public credit information. The entry of information on particular acts held by public bodies and organizations authorized by laws and regulations to have public affairs management functions, etc. (hereafter jointly named administrative bodies) into public credit information must be strictly based on laws, regulations or Party Centre and State Council policy documents, and a catalogue system implemented to manage it. The leading work unit of the Interministerial Joint Conference for Social Credit System Construction (hereafter simply named Interministerial Joint Conference) compiles and regularly renews a basic nationwide public credit information catalogue according to laws and regulations, and together with relevant departments, the Interministerial Joint Conference’s member work units and other relevant departments may, according to laws and regulations, put forward suggestions for information to be entered into the catalogue, the Interministerial Joint Conference’s leading work unit combs through them and collects a catalogue, solicits opinions from all localities, all relevant departments and related market subjects, sectoral associations and chambers of commerce, legal service bodies, exports, scholars and the social public, and after submission to the Interministerial Joint Conference for deliberation, [the catalogue] is published to society and its implementation organized. All localities may, on the basis of local regulations, and with reference to the formulation procedure for the basic nationwide public credit information catalogue, formulate supplementary public credit information catalogues suited to that locality.
(2) Strictly standardize bases for determining untrustworthy acts. Administrative bodies determining untrustworthy acts must have a document with legal validity as basis. The bases on which an untrustworthy act may be determined include: valid judicial judgment documents or mediation letters, documents on decisions of administrative acts such as administrative punishments, administrative arbitration, etc, as well as other documents where laws, administrative regulations or other Party Centre and State Council policy documents provide they may act as a basis for a basis determining an untrustworthy act. After administrative bodies determine an untrustworthy act, they shall truthfully record the untrustworthy act.
III, Standardize the scope and process for public credit information sharing and openness
(3) Standardize the scope and process for public credit information sharing. Whether public credit information may be shared or in which scope it may be shared, shall be determined on the basis of the principles of legality and necessity, and determined at the time where public credit information catalogues are compiled. Perfect credit sharing mechanisms, promote the interaction and interconnection, and data sharing between the Nationwide Credit Information Sharing Platform, the National Enterprise Credit Information Publication System as well as relevant departments’ credit information systems, collecting departments must be clarified for data that may be shared, ensuring that “what is collected in one window, is fully shared”.
(4) Determine the scope for publication of public credit information according to laws and regulations. Whether public credit information may be published, shall be determined on the basis of the principles of legality and necessity, and determined at the time where public credit information catalogues are compiled. Public credit information publication may not infringe commercial secrets and personal privacy, where laws and regulations provide otherwise, those provisions are followed. Where information related to an individual is published, the basis in law, regulation, State Council decision or degree must be clarified or the individual in question must consent, and the necessary desensitization must be performed.
(5) Strengthen comprehensive management of public credit information publication channels. Departments determining public credit information shall, according to government information openness and other relevant regulations, publish the related information on that department’s portal website, all levels’ governments’ portal websites or other appointed websites. The “Credit China” website, and the National Enterprise Credit Information Publication System must, according to relevant regulations, conduct uniform publication of public credit information that is collected and shall be published, consistency is to be maintained on the content and time period of publication with the department determining public credit information.
IV, Standardize determination standards and procedures for name lists of gravely untrustworthy subjects
(6) Strictly limit the areas and scopes for the institutions of name lists of gravely untrustworthy subjects. Areas where a name list of gravely untrustworthy subjects ins instituted, must have a basis in laws, regulations or Party Centre or State Council policy documents, no department (work unit) may increase or expand them without authorization. The scope of the institution of name lists of gravely untrustworthy subjects is to be limited strictly to subjects responsible for grave harm to the physical health and life safety of the popular masses, gravely harm fair market competition order and regular social order, refuse to carry out statutory duties with grave influence on the credibility of judicial bodies and administrative bodies, refuse to implement national defence duties and other such grave unlawful and untrustworthy acts, according to the provisions of the “State Council Guiding Opinions concerning Establishing and Perfecting Joint Incentive Structures for Trust-Keeping and Joint Punishment Structures for Untrustworthiness, and Accelerating the Construction of Social Sincerity” (GF No. (2016)33).
(7) Strictly standardize determination standards for name lists of gravely untrustworthy subjects. For name list systems of gravely untrustworthy subjects implemented at the national level, the name list determination standards shall be determined in the form of laws, administrative regulations or Party Centre or State Council policy documents, those temporarily not meeting conditions may be determined by the competent (supervision) department of the area in question through departmental rules, for determination standards, the opinions of the Interministerial Joint Conference leading work unit and other relevant departments, related market subjects, sectoral associations and chambers of commerce, legal service bodies, experts, scholars and the social public shall be fully solicited, the period of public opinion solicitation shall not be less than 30 days. Determination standards shall be published through the “Credit China” website and websites appointed by the competent (supervision) department. Determination standards shall, at the same time, clarify conditions and procedures to leave the name lists as well as relief measures. Departments formulating determination standards shall regularly organize third-party assessment of the outcome of standards implementation and timely revise them. For name list structures for gravely untrustworthy subjects only implemented on a local scale, name list determination standards shall be provided in departmental regulations.
(8) Strictly implement determination procedures for name lists of gravely untrustworthy subjects. Administrative bodies shall, before making determination decisions about name lists of gravely untrustworthy subjects, notify the party concerned about the grounds and basis for the decision, and the rights the party concerned has according to the law; where the party concern raises an objection, this shall be verified and feedback made on the outcome within stipulated time limits. To list a market subject on a name list for gravely untrustworthy subjects, the determining department shall rely on corresponding administrative decision documents, bearing the grounds, basis, untrustworthiness punishment measure notes, withdrawal conditions and procedures as swell as relief measures, when necessary, it is also permitted for the determining department to produce a stand-alone determination decision document about name lists for gravely untrustworthy subjects. In principle, name lists for gravely untrustworthy subjects shall be determined by relevant departments of county-level and higher (including county-level) People’s Governments according to related standards, where laws, regulations and departmental rules provide otherwise, those provisions are followed.
V, Imposing punishment for untrustworthiness according to laws and regulations
(9) Determining punishment measures for untrustworthiness according to laws and regulations. Punitive measures reducing rights or adding to duties of untrustworthy subjects must be based on the facts of the concrete untrustworthy act, directly cite laws, regulations , or Party Centre or State Council policy documents as a basis, ad implement name list structure management. The work unit leading the Interministerial Joint Conference will, together with relevant departments, compile and regularly renew a nationwide basic list of punishment measures against untrustworthiness according to laws and regulations, member work units of the Interministerial Joint Conference and other relevant departments may, on the basis of laws and regulations, put forward suggestions on punitive measures for untrustworthiness to be included in the list, the work unit leading the Interministerial Joint Conference combs through them and collects a general list, solicits opinions from all localities, all relevant departments and related market subjects, sectoral associations and chambers of commerce, legal service bodies, experts, scholars and the social public, and after submission to the Interministerial Joint Conference, publishes [the list] to society and organizes implementation. All localities may, on the basis of local regulations, and with reference to the procedure for the formulation of the basic nationwide list for punitive measures against untrustworthiness, formulate supplementary lists of punitive measures against untrustworthiness suited to these localities. No department (work unit) may coercively require financial bodies, credit service bodies, sectoral associations, chambers of commerce, etc. to punish untrustworthy subjects.
(10) Ensure wrongdoings and punishments are proportional. According to the principles of legality, correlation and balance, according to the list of punishment measures against untrustworthiness, on the basis of the nature of the untrustworthy act and the extent of its gravity, adopt punitive measures of suitable weight, and prevent that small wrongdoings are punished heavily. No department (work unit) may, for the reason of existing regulations not sufficiently strongly punishing untrustworthy acts, expand punitive measures outside the provisions of laws, regulations, or Party Centre or State Council policy documents, or increase punishment on top of statutory punishment standards.
VI, Completing and perfecting credit recovery mechanisms
(11) Establishing and completing a set of credit recovery mechanisms. Related sectoral competent (supervision) departments shall establish credit recovery mechanisms beneficial to self-correction and active self-renewal. Except where laws, administrations, or Party Centre or State Council policy documents clearly provide untrustworthiness information cannot be recovered, where untrustworthy subjects correct the untrustworthy act according to requirements or eliminate the harmful influence, they may in all cases apply for credit recovery. Related departments (work units) shall formulate concrete regulations for credit recovery, clarifying recovery methods and procedures. Where they conform to recovery conditions, they will be timely removed from the name list of untrustworthy subjects according to relevant regulations, the sharing and publication of related untrustworthiness information ceases, or the related untrustworthiness information will be indicated, shielded off or deleted.
(12) Raising credit recovery rates. Strengthen credit recovery information sharing, accelerate the construction and perfection of coordinated and joint “running everything on one network” mechanisms, realistically resolve the problem that “credit recovery is difficult”. Related sectoral competent (supervision) departments as well as the Nationwide Credit Information Sharing Platform and the “Credit China” website shall appoint specialized personnel responsible for credit recovery work, and process credit recovery requests meeting conditions within statutory time limits, they may in no way collect fees from subjects applying for credit recovery.
VII, Strengthening information security and privacy protection
(13) Strengthening credit information security management. All levels’ public credit information systems must, according to the requirement of protecting market subjects’ rights and interests, clarify information inquiry and use privileges and procedures, establish and perfect information inquiry and use registration and inspection structures, and prevent information leaks, where information leaks intentionally or due to work errors, the responsibility of related work units and personnel must be prosecuted strictly, according to laws and regulations. Strictly investigate and prosecute acts of credit information leaks, distortion, damage and theft, or use of credit information to seek improper gain, strictly attack unlawful activities such as the illegal collection, sale or purchase of credit information under the guise of social credit system construction.
(14) Strengthening personal privacy protection. All localities and all relevant departments shall abide by the principles of legality, justification, necessity and minimization, collect and use personal credit information strictly according to the public credit information catalogue, clearly indicate the goal, method and scope of information collection and use and obtain consent from the person in question, where laws or regulations provide otherwise, those provisions are followed. It is prohibited for any work unit or individual to collect and use a person’s credit information without authorization, having coerced authorization or to do so life-long with a one-time authorization. Strengthen investigation and prosecution of the illegal collection, transmission, use, leakage, distortion, damaging, theft or sale of personal credit information and other such act. Related departments must implement focused supervision and management of financial bodies, credit investigation bodies, Internet enterprises, big data enterprises and mobile application software work units, and strictly standardize their personal information collection, storage, use, processing, transmission, provision and publication activities.
VIII, Striving to strengthen credit rule of law construction
(15) Accelerating the progress of credit law and regulation construction. Persist in following rule of law tracks, accelerate the research and advance of legislative processes for laws and regulations in the social credit area, smoothen the relationship between punishment for untrustworthiness and administrative management measures, lay a firm rule of law basis. Where the punitive strength of existing laws and regulations is insufficient, and it is necessary to strengthen punishment, all localities and all relevant departments shall put forward legislative revision suggestions in a timely manner, and ensure punishment for untrustworthiness is conducted strictly according to laws and regulations.
(16) Advancing social credit system construction strictly according to laws and regulations. Strictly standardize credit information, collection and publication scopes according to laws and regulations, strictly standardize determination of name lists of gravely untrustworthy subjects, punishment for untrustworthiness and credit recovery work, ensure that all areas of social credit system construction work operate along rule of law tracks. Minors’ untrustworthy acts, untrustworthy acts resulting from natural disasters, epidemics and other inevitable influences as well as acts with non-subjective intent or minor untrustworthy acts, shall be determined, recorded and punished in a tolerant and cautious manner. Firmly investigate, prosecute and attack all kinds of infringing acts, protect credit information security, commercial secrets and personal privacy according to laws and regulations, and protect the lawful rights and interests of all kinds of credit subjects according to laws and regulations.
IX, Strengthening organizational implementation safeguards.
Implementing dominant responsibilities. All sectoral competent (supervision) departments must realistically fulfil their dominant responsibility in supervising and managing credit in their sector, and perform untrustworthy conduct determination, recording, collection, sharing, publication, punishment and credit recovery work according to laws and regulations, the Interministerial Joint Conference’s leading work units must coordinate with judicial bodies as well as other responsible work units who have already obtained clear authorization in performing related work well. All local levels’ social credit system construction leading work units must realistically implement their comprehensive coordination responsibilities, and strengthen standardization and guidance of social credit system construction work in their areas.
Strengthening responsibility and accountability. With regard to recording, sharing and publication of credit information outside of public credit information catalogues and in violation of laws and regulations, implementing punitive measures outside of the punishment list for untrustworthiness in violation of laws and regulations, as well as acts such as unauthorized determination about name lists of gravely untrustworthy subjects not according to standards and procedures, not processing credit recovery timely or according to regulations, the liability of related work units and personnel must be prosecuted according to laws and regulations
Strengthening propaganda and explanation. All kinds of media are encouraged to vigorously conduct sincerity propaganda and education, deeply report on advanced models of sincerity and promise-keeping, launch constructive public opinion supervision of untrustworthy conduct and incidents, advocate sincerity and promise-keeping. Let relevant departments, sectoral associations and chambers of commerce, experts and scholars, news media, etc. play their role fully, timely explain and interpret credit policies, vigorously respond to concerns from all sides, strengthen positive guidance, and create a benign public opinion environment.
Grasping the moment. All localities and all relevant departments must, according to the requirements of these Opinions, conduct a comb-through and assessment of measures on untrustworthy conduct determination, recording, collection, sharing, publication, punishment and credit recovery measures already published, and those not meeting the requirements of these Opinions must be timely standardized. Set up a transitional period for name list structures of gravely untrustworthy subjects having a clear basis for their continued retention, complete renewal determination standards and procedures of name lists that these Opinions require to be adjusted before the end of 2021, after the transition period, those not conform to the requirements of these Opinions will be abolished without exception.
State Council General Office
7 December 2020
国务院办公厅关于进一步完善失信约束制度
构建诚信建设长效机制的指导意见
国办发〔2020〕49号
各省、自治区、直辖市人民政府,国务院各部委、各直属机构:
为深入贯彻落实党中央、国务院关于推进诚信建设的要求,认真落实《优化营商环境条例》等相关规定,进一步明确信用信息范围,依法依规实施失信惩戒,完善失信主体信用修复机制,提高社会信用体系建设法治化、规范化水平,经国务院同意,现提出如下意见。
一、总体要求
以习近平新时代中国特色社会主义思想为指导,全面贯彻落实党的十九大和十九届二中、三中、四中、五中全会精神,坚持稳中求进工作总基调,坚持遵循法治轨道,着力构建诚信建设长效机制,按照依法依规、保护权益、审慎适度、清单管理的总体思路,进一步规范和健全失信行为认定、记录、归集、共享、公开、惩戒和信用修复等机制,推动社会信用体系迈入高质量发展的新阶段,更好发挥社会信用体系在支撑“放管服”改革和政府职能转变、营造公平诚信的市场环境和社会环境等方面的积极作用。
在社会信用体系建设工作推进和实践探索中,要把握好以下重要原则:一是严格依法依规,失信行为记录、严重失信主体名单认定和失信惩戒等事关个人、企业等各类主体切身利益,必须严格在法治轨道内运行。二是准确界定范围,准确界定信用信息和严重失信主体名单认定范围,合理把握失信惩戒措施,坚决防止不当使用甚至滥用。三是确保过惩相当,按照失信行为发生的领域、情节轻重、影响程度等,严格依法分别实施不同类型、不同力度的惩戒措施,切实保护信用主体合法权益。四是借鉴国际经验,既立足我国国情,又充分参考国际惯例,在社会关注度高、认识尚不统一的领域慎重推进信用体系建设,推动相关措施与国际接轨。
二、科学界定公共信用信息纳入范围和程序
(一)明确界定公共信用信息范围。将行政机关及法律、法规授权的具有管理公共事务职能的组织等(以下统称行政机关)掌握的特定行为信息纳入公共信用信息,必须严格以法律、法规或者党中央、国务院政策文件为依据,并实行目录制管理。社会信用体系建设部际联席会议(以下简称部际联席会议)牵头单位会同有关部门依法依规编制并定期更新全国公共信用信息基础目录,部际联席会议成员单位和其他有关部门可依法依规提出拟纳入目录信息的建议,部际联席会议牵头单位梳理汇总目录,征求各地区、各有关部门和相关市场主体、行业协会商会、法律服务机构、专家学者和社会公众意见,提请部际联席会议审定后向社会公布并组织实施。各地可依据地方性法规,参照全国公共信用信息基础目录的制定程序,制定适用于本地的公共信用信息补充目录。
(二)严格规范失信行为认定依据。行政机关认定失信行为必须以具有法律效力的文书为依据。可认定失信行为的依据包括:生效的司法裁判文书和仲裁文书、行政处罚和行政裁决等行政行为决定文书,以及法律、法规或者党中央、国务院政策文件规定可作为失信行为认定依据的其他文书。行政机关认定失信行为后应当如实记录失信信息。
三、规范公共信用信息共享公开范围和程序
(三)规范公共信用信息共享范围和程序。公共信用信息是否可共享及在何种范围内共享,应当根据合法、必要原则确定,并在编制公共信用信息目录时一并明确。完善信息共享机制,推动全国信用信息共享平台与国家企业信用信息公示系统以及相关部门信用信息系统实现互联互通、数据共享,对于可共享数据要明确采集部门,做到“一口采集、充分共享”。
(四)依法依规确定公共信用信息公开范围。公共信用信息是否可公开应当根据合法、必要原则确定,并在编制公共信用信息目录时一并明确。公共信用信息公开不得侵犯商业秘密和个人隐私,法律、法规另有规定的从其规定。公开个人相关信息的,必须有明确的法律、法规或者国务院决定、命令作为依据或经本人同意,并进行必要脱敏处理。
(五)加强对公共信用信息公开渠道的统筹管理。公共信用信息的认定部门应当按照政府信息公开或其他有关规定,在本部门门户网站、本级政府门户网站或其他指定的网站公开相关信息。“信用中国”网站、国家企业信用信息公示系统要按照有关规定,将所归集的应当公开的公共信用信息进行统一公开,并与公共信用信息认定部门公开的内容、期限保持一致。
四、规范严重失信主体名单认定标准和程序
(六)严格限定严重失信主体名单设列领域范围。设列严重失信主体名单的领域,必须以法律、法规或者党中央、国务院政策文件为依据,任何部门(单位)不得擅自增加或扩展。设列严重失信主体名单的范围,严格按照《国务院关于建立完善守信联合激励和失信联合惩戒制度加快推进社会诚信建设的指导意见》(国发〔2016〕33号)规定,限制为严重危害人民群众身体健康和生命安全、严重破坏市场公平竞争秩序和社会正常秩序、拒不履行法定义务严重影响司法机关和行政机关公信力、拒不履行国防义务等严重违法失信行为的责任主体。
(七)严格规范严重失信主体名单认定标准。在全国范围内实施的严重失信主体名单制度,其名单认定标准应当以法律、行政法规或者党中央、国务院政策文件形式确定,暂不具备条件的可由该领域主管(监管)部门以部门规章形式确定,认定标准应当充分征求部际联席会议牵头单位及其他有关部门、相关市场主体、行业协会商会、法律服务机构、专家学者和社会公众意见,公开征求意见期限不少于30日。认定标准应当通过“信用中国”网站及该领域主管(监管)部门指定的网站公开。认定标准应当一并明确名单移出条件、程序以及救济措施。认定标准制定部门应当定期组织对标准执行效果进行第三方评估并及时修订。仅在地方范围内实施的严重失信主体名单制度,其名单认定标准应当由地方性法规规定。
(八)严格履行严重失信主体名单认定程序。行政机关在作出认定严重失信主体名单决定前,应当告知当事人作出决定的事由、依据和当事人依法享有的权利;当事人提出异议的,应当予以核实并在规定时限内反馈结果。将市场主体列入严重失信主体名单,应当由认定部门依托相应的行政决定文书,载明事由、依据、失信惩戒措施提示、移出条件和程序以及救济措施等,必要时也可由认定部门单独制作认定严重失信主体名单的决定文书。严重失信主体名单原则上应当由县级以上(含县级)人民政府有关部门按照相关标准认定,法律、法规和部门规章另有规定的从其规定。
五、依法依规开展失信惩戒
(九)依法依规确定失信惩戒措施。对失信主体采取减损权益或增加义务的惩戒措施,必须基于具体的失信行为事实,直接援引法律、法规或者党中央、国务院政策文件为依据,并实行清单制管理。部际联席会议牵头单位会同有关部门依法依规编制并定期更新全国失信惩戒措施基础清单,部际联席会议成员单位和其他有关部门可依法依规提出拟纳入清单失信惩戒措施的建议,部际联席会议牵头单位梳理汇总清单,征求各地区、各有关部门和相关市场主体、行业协会商会、法律服务机构、专家学者和社会公众意见,提请部际联席会议审定后向社会公布并组织实施。各地可依据地方性法规,参照全国失信惩戒措施基础清单的制定程序,制定适用于本地的失信惩戒措施补充清单。任何部门(单位)不得强制要求金融机构、信用服务机构、行业协会商会、新闻媒体等惩戒失信主体。
(十)确保过惩相当。按照合法、关联、比例原则,依照失信惩戒措施清单,根据失信行为的性质和严重程度,采取轻重适度的惩戒措施,防止小过重惩。任何部门(单位)不得以现行规定对失信行为惩戒力度不足为由,在法律、法规或者党中央、国务院政策文件规定外增设惩戒措施或在法定惩戒标准上加重惩戒。
六、健全和完善信用修复机制
(十一)建立健全信用修复配套机制。相关行业主管(监管)部门应当建立有利于自我纠错、主动自新的信用修复机制。除法律、法规和党中央、国务院政策文件明确规定不可修复的失信信息外,失信主体按要求纠正失信行为、消除不良影响的,均可申请信用修复。相关部门(单位)应当制定信用修复的具体规定,明确修复方式和程序。符合修复条件的,要按照有关规定及时将其移出严重失信主体名单,终止共享公开相关失信信息,或者对相关失信信息进行标注、屏蔽或删除。
(十二)提高信用修复效率。加强信用修复信息共享,加快建立完善协同联动、“一网通办”机制,切实解决“信用修复难”问题。相关行业主管(监管)部门以及全国信用信息共享平台、“信用中国”网站应当明确专门人员负责信用修复工作,在规定时限内办结符合条件的信用修复申请,不得以任何形式向申请信用修复的主体收取费用。
七、加强信息安全和隐私保护
(十三)加强信用信息安全管理。各级公共信用信息系统要按照保护市场主体权益的要求,明确信息查询使用权限和程序,建立完善信息查询使用登记和审查制度,防止信息泄露,对故意或因工作失误泄露信息的,要依法依规严格追究相关单位和人员责任。严肃查处泄露、篡改、毁损、窃取信用信息或利用信用信息谋私等行为,严厉打击借社会信用体系建设名义非法收集、买卖信用信息的违法行为。
(十四)加大个人隐私保护力度。各地区、各有关部门应当遵循合法、正当、必要、最小化原则,严格按照公共信用信息目录收集使用个人信用信息,明示收集使用信息的目的、方式和范围并经本人同意,法律、法规另有规定的从其规定。禁止任何单位和个人未经授权、强制授权或一次授权终身收集使用个人信用信息。加大对非法获取、传播、利用以及泄露、篡改、毁损、窃取、出售个人信息等行为的查处力度。相关部门要对金融机构、征信机构、互联网企业、大数据企业、移动应用程序运营企业实施重点监管,严格规范其收集、存储、使用、加工、传输、提供和公开个人信息等行为。
八、着力加强信用法治建设
(十五)加快推动信用法律法规建设。坚持遵循法治轨道,加快研究推进社会信用方面法律法规的立法进程,理顺失信惩戒与行政管理措施的关系,夯实法治基础。现行法律、法规对失信行为惩戒力度不足、确有必要加大惩戒力度的,各地区、各有关部门应当及时提出修法建议,确保失信惩戒严格依法依规开展。
(十六)严格依法依规推动社会信用体系建设。依法依规严格规范信用信息采集、共享、公开范围,严格规范严重失信主体名单认定、失信惩戒和信用修复工作,确保社会信用体系建设各项工作在法治轨道运行。对未成年人失信行为、受自然灾害或疫情等不可抗力影响导致的失信行为以及非主观故意、轻微失信行为,应宽容审慎进行认定、记录和惩戒。坚决查处和打击各类侵权行为,依法依规保护信用信息安全、商业秘密和个人隐私,依法依规保护各类信用主体合法权益。
九、加强组织实施保障
落实主体责任。各行业主管(监管)部门要切实履行本行业信用监管主体责任,依法依规做好失信行为认定、记录、归集、共享、公开、惩戒和信用修复等工作,部际联席会议牵头单位要协调司法机关以及其他已获明确授权的责任单位做好相关工作。地方各级社会信用体系建设牵头单位要切实履行统筹协调职责,对本区域内社会信用体系建设工作加强规范指导。
强化追责问责。对在公共信用信息目录外违法违规记录、共享、公开信用信息,在失信惩戒措施清单外违法违规实施惩戒措施,以及不按标准和程序擅自认定严重失信主体名单、不按规定及时办理信用修复等行为,要依法依规追究相关单位和人员责任。
加强宣传解读。鼓励各类媒体积极开展诚信宣传教育,深入报道诚实守信的先进典型,对失信行为和事件开展建设性舆论监督,倡导诚实守信。充分发挥有关部门、行业协会商会、专家学者、新闻媒体等作用,及时阐释和解读信用政策,积极回应各界关切,强化正面引导,营造良好舆论环境。
把握时间节点。各地区、各有关部门要按照本意见要求,对已经出台的失信行为认定、记录、归集、共享、公开、惩戒和信用修复等措施进行梳理评估,对不符合本意见要求的要及时规范。对有明确依据可继续保留的严重失信主体名单制度设置过渡期,在2021年底前按本意见要求对需要调整的名单认定标准和程序进行更新,过渡期后与本意见要求不符的一律废止。
国务院办公厅
2020年12月7日
Internet Public User Account Information Service Management Regulations (Revision Draft – Opinion-seeking Version)
Chapter I: General provisions
Article 1: These Regulations are formulated in order to standardize Internet public account information services, safeguard national security and the public interest, and protect the lawful interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China”, the “Internet Information Service Management Rules”, the “Online Information Content Ecology Governance Regulations” and other such laws, regulations and relevant State provisions.
Article 2: These Regulations apply to the provision and conduct of Internet public account information services within the territory of the People’s Republic of China.
Internet public accounts as mentioned in these Regulations, refers to online accounts of Internet users registered and operated on Internet sites, application software and other such online platforms, to produce and disseminate written, pictorial, audiovisual and other such information content to the social public.
public account platform as mentioned in these Regulations, refers to online information service providers providing public account registration and operation, information content dissemination and technical protection services to Internet users.
Public account producers and operators as mentioned in these Regulations, refers to natural persons, legal persons and non-legal person organizations registering and operating public accounts and engaging in content dissemination.
Article 3: The national cybersecurity and informatization department is responsible for Internet public account information service supervision, management and law enforcement work nationwide. Local cybersecurity and informatization departments are, according to their duties and responsibilities, responsible for Internet public account information service supervision, management and law enforcement work within their administrative areas.
Article 4: Public service information service platforms and public account producers and operators shall abide by laws and regulations, fulfil social responsibilities and moral responsibilities, uphold the correct public opinion orientation and value orientation, carry forward the Socialist core value view, produce and disseminate healthy and upward, true and objective excellent information content, create a crisp and bright cyberspace, and stimulate progress of society and civilization.
All levels’ Party and government bodies, enterprise and undertaking work units, and people’s organizations are encouraged to register and operate public accounts, produce and disseminate high-quality government affairs information or public service information, satisfying public information demand, and promoting economic and social development.
Public service information service platforms are encouraged to vigorously enhance government affairs information publication, public service and social government levels for Party and government bodies, enterprise and undertaking work units, and people’s organizations, provide full and necessary technical support and security protection.
Article 5: Public account information service platforms providing Internet public account information services, shall obtain corresponding qualifications as provided in national laws and regulations.
Public service information service platforms and public account producers and operators shall obtain an Internet news information service licence to provide Internet news information services to the social public.
Chapter II: Public service information service platforms
Article 6: Public service information service platforms shall bear dominant responsibility for information content and public account management, allocate management personnel and technical capabilities suited to the business scale, appoint persons to position responsible for content security, establish, complete and strictly implement management structures for account registration, content examination and verification, information inspection, ecological governance, emergency response, cybersecurity, data security, personal information protection, copyright protection, credit evaluation, etc., and uphold the security of the platform’s information content and public accounts, and the security of data and personal information.
Public service information service platforms shall, on the basis of relevant laws and regulations and relevant State provisions, formulate and publish management norms and platform conventions for information content production, public account operations, etc., and conclude service agreements with public account producers and operators, clarifying both sides’ content dissemination limitations, account management responsibilities and other such rights and obligations.
Article 7: Public service information service platforms shall, according to relevant national standards and norms, establish categorized public account registration and categorized production structures, implement categorized management, and file the matter with the provincial, autonomous region or municipal cybersecurity and informatization department of the locality of the public account.
Public service information service platforms shall, on the basis of indicators and dimensions such as an account’s information content quality, the credit evaluation of the account’s subject, etc., establish tiered management structures, and implement tiered account management.
Public service information service platforms formulating content production and account operations management norms, platform conventions and other such important structures and measures shall file them with the local provincial, autonomous region or municipal cybersecurity and informatization department; when bringing related new technologies, new applications or new functions online, they shall conduct a security assessment according to relevant regulations.
Article 8: Public service information service platforms shall adopt measures such as composite verification, etc., to conduct real identity information authentication of Internet users applying to register for a public account, based on mobile telephone number, resident identity card number or unified social credit code and other such methods, and raise the accuracy of authentication. Where users do not provide real identity information, or improperly use real identity information of organizations, bodies or other persons to conduct a false registration, no related service may be provided to them.
Public service information service platforms shall conduct inspection of the legal and regulatory compliance of public account names, portraits, bios, etc. of public accounts registered by Internet users, where they discover an account name, portrait or bio does not conform to the subject’s real identity information, and especially where they use or link to Party or government bodies, enterprise and undertaking work units and other such organizations and bodies or well-known social personalities without authorization, as well as where the corresponding registration information contains unlawful or harmful information, they shall suspend the provision of services and notify the user to correct matters within a limited time, where these refuse to correct the matter, the provision of services shall be terminated.
Public service information service platforms shall prohibit public accounts closed according to the law or to the convention to re-register under a similar name; where an account name with a high degree of connectedness to them is registered, the real identity information, service qualifications, etc. of the account subject shall also be subject to necessary checks.
Article 9: Public service information service platforms shall require public accounts applying to register and engage in the production of information content in areas such as economics, education, health, judicial affairs, etc., require users to provide their specialized background at the time of registration, as well as corresponding materials to prove professional qualifications or service qualifications they have acquired according to laws and administrative regulations, and conduct the necessary checks.
Public service information service platforms shall add a special symbol to public accounts after they are checked and passed, and according to the different subject nature of the user, externally announce content production categories, the name of operating subjects, the registered business address, uniform social credit code, contact method and other such registration information, to facilitate social supervision and inspection.
Public service information service platforms shall establish dynamic checking and inspection structures, and at suitable times check the veracity and validity of registration information of producers and operators.
Article 10: Public service information service platforms shall set reasonable upper limits to the number of registered public accounts of the same subject on their platform. Where users apply to register for multiple public accounts, their subject nature, service qualifications, business scope, credit evaluation etc. shall also be checked.
Public service information service platforms may, on the basis of the service agreement suspend or terminate provision of services to public accounts who have not logged on or have been used for over six months after the Internet user registered.
Public service information service platforms shall complete technical measures to prevent and deal with unlawful registration acts by Internet users such as registration in excess of quota, malicious registration, false registration, etc.
Article 11: Public service information service platforms shall, according to the law and the convention, prohibit public account producers and operators to transfer, lend or illegally trade, sell or buy public accounts in violation of regulations.
Where public account producers and operators transfer or donate public account use rights to other users, they shall put forward an application with the platform. The platform shall, on the basis of the provisions in the previous Paragraph, authenticate and check the user on the receiving side, and publish the subject change information. Where the platform discovers a producer or operator has transferred a public account without inspection or authorization, it shall timely suspend or terminate the provision of services.
Public account producers and operators voluntarily terminating account operations may apply with the platform for suspension or termination of use. The platform shall suspend or terminate the provision of services according to the service agreement.
Article 12: Public service information service platforms shall establish public account supervision and assessment mechanisms, and prevent acts of falsification of account subscriptions, user following numbers, content click rates, repost or comment quantities and other such data.
Public service information service platforms shall standardize public account recommendation, subscription and following mechanisms, and complete technological measures to timely discover and deal with unusual changing circumstances in account subscription and following numbers. Without the knowledge and agreement of the Internet user, subscription and following of other users’ public accounts may not be forced.
Article 13: Public service information service platforms shall establish tiered credit management systems, and provide corresponding services on the basis of credit tiers.
Public service information service platforms shall establish and complete mechanisms to warn for, discover, trace, refute, delete and in other ways deal with online rumours and other such false information, and reduce the credit tier or blacklist public account producers and operators who produced and disseminated rumours and other such false information.
Article 14: Public service information service platforms shall, when conducting content supply and account recommendation cooperation with producers and users, standardize commercial activities such as management of advertising and operations, knowledge payment, e-commerce sales, user gratuities, etc., they may not disseminate false advertising, conduct exaggerated propaganda, commit commercial fraud, etc., preventing operations violating laws and regulations.
Public service information service platforms shall strengthen copyright protection of originally produced information content, preventing acts of piracy and infringement. Platforms may not abuse their advantaged position to interfere in the lawful and compliant operations of producers and operators, or infringe users’ lawful rights and interests.
Chapter III: Public account information producers and operators.
Article 15: Public account information producers and operators shall, on the basis of categorized platform management norms, at the time of registering the public account, accurately fill out user’s subject nature, registered location, business location, content production category, contact method and other such basic information, enterprises, organizations, bodies and other such Internet users shall also indicate their main activity or business scope.
Public account producers shall aide by platform management norms, platform conventions and service agreements, and engage in information content production and dissemination in the relevant sectoral area on the basis of the registered content production category indicated at the time of public account registration.
Article 16: Public account producers and operators shall bear dominant responsibility for information content production and public account operations and management, and engage in information content production and account operations and activities according to laws and regulations.
Public account producers and operators shall establish and complete information content security examination and verification mechanism for the entire process of topic planning, editing and production, dissemination and popularization, interactive comments, etc., strengthen gatekeeping over information content’s orientation, veracity and legality, and maintain a benign order in online communication.
Public account information producers and operators shall establish and complete security management mechanisms for the entire process of public account registration and use, operations and popularization, etc., manage and operate the account in a civilized, rational and standardized manner, attract the public’s attention, subscription, interaction and sharing with high-quality information content, and maintain a benign social image of the account.
Article 17: Public account producers and operators shall, when reposting information content originally created by other persons, abide by copyright protection-related laws and regulations, indicate the original creator and a traceable information source, and respect and protect the lawful rights and interests of copyright holders.
Public account producers and operators shall manage messages, posts, comments and other such interactive segments on their account. Platforms may, on the basis of the subject nature and credit tier of the public account, rationally set up management limits, and provide corresponding technological support.
Where public account producers and operators conduct account operations, content provision and other such cooperation with third-party bodies , both sides shall conduct checks and gatekeeping of the account’s operations and activities, supplied information content, etc.
Article 18: Public account producers and operators may not commit the following acts in violation of laws and regulations:
(1) Not registering with real identity information, or registering with a public account name, portrait, bio, etc. that is not conform with one’s own real identity information;
(2) Maliciously posing as, imitating or misappropriating the public account of an organization, body or other person to produce and disseminate information content;
(3) Providing Internet news information gathering, dissemination and other such services without a licence or in excess of a licence’s scope;
(4) Manipulatively using accounts on multiple platforms, to publish batches of homogenous information content, generating false flow data, and creating false public opinion hot spots;
(5) Using sudden public incidents to incite extreme emotions and acts, or commit online violence harming the reputation of other persons and organizations, influencing social harmony and stability;
(6) Fabricating false information, counterfeiting originally-created content, quoting or concocting untrue information sources, distorting facts and truths, misleading the social public;
(7) Using paid dissemination and deletion of information and other such methods to commit illegal online surveillance, marketing frauds, extortion and blackmail, in pursuit of improper gain;
(8) Registering in batches, hoarding or illegally trading, buying and selling public accounts;
(9) Producing, reproducing or disseminating unlawful information, or not adopting measures to prevent and resist the production, reproduction or dissemination of harmful information;
(10) Other acts prohibited in laws and administrative regulations.
Chapter IV: Supervision and management
Article 19: Public service information service platforms shall strengthen supervision and management of public service information service activities, and timely discover and deal with information or activities violating laws and regulations.
Public service information service platforms shall, on the basis of service agreements and platform conventions, adopt measures to deal with public accounts violating these regulations and relegated laws and regulations including warnings and alerts, limiting account functions, suspending content renewal, ceasing advertising dissemination, closing or cancelling accounts, blacklisting, termination of re-registration, etc., preserve relevant records, and timely report the matter to cybersecurity and informatization and other such relevant competent department.
Article 20: Public service information service platforms and producers and operators shall consciously accept social supervision.
Public service information service platforms shall set up eye-catching and convenient reporting interfaces, publish appeals, complaints and reporting methods and other such information, complete reporting information acceptance, screening, handling and feed-back mechanisms, clarify handling workflows and feed-back time limits, and timely and effectively deal with complaints by producers and operators, and complaints and reports from the public.
Internet sectoral organizations are encouraged to conduct public appraisal, promote strict self-discipline of public service information service platforms and producers and operators, establish authoritative mediation mechanisms with participation from multiple sides, fairly and relationally resolve sectoral disputes, and safeguard users’ lawful rights and interests according to the law.
Article 21: All levels’ cybersecurity and informatization departments will establish and complete coordinated supervision and management work mechanisms together with relevant competent departments, to supervise and guide public service information service platforms and producers and operators to conduct related information service activities according to laws and regulations.
Public service information service platforms and producers and operators shall cooperate with relevant competent departments’ lawful conduct of supervision and inspection, and provide the necessary technical support and assistance.
Where public service information service platforms and producers and operators violate these Regulations, cybersecurity and informatization departments and relevant competent departments will impose punishment according to relevant laws and regulations within their scope of duties and responsibilities.
Article 22: These Regulations take effect on (day, month) 2020.
互联网用户公众账号信息服务管理规定(修订草案征求意见稿)
第一章 总则
第一条 为规范互联网用户公众账号信息服务,维护国家安全和公共利益,保护公民、法人和其他组织的合法权益,根据《中华人民共和国网络安全法》《互联网信息服务管理办法》《网络信息内容生态治理规定》等法律法规和国家有关规定,制定本规定。
第二条 在中华人民共和国境内提供、从事互联网用户公众账号信息服务,应当遵守本规定。
本规定所称互联网用户公众账号,是指互联网用户在互联网站、应用程序等网络平台注册运营,面向社会公众生产发布文字、图片、音视频等信息内容的网络账号。
本规定所称公众账号信息服务平台,是指为互联网用户提供公众账号注册运营、信息内容发布与技术保障服务的网络信息服务提供者。
本规定所称公众账号生产运营者,是指注册运营公众账号从事内容生产发布的自然人、法人或非法人组织。
第三条 国家网信部门负责全国互联网用户公众账号信息服务的监督管理执法工作。地方网信部门依据职责负责本行政区域内互联网用户公众账号信息服务的监督管理执法工作。
第四条 公众账号信息服务平台和公众账号生产运营者应当遵守法律法规,履行社会责任、道德责任,坚持正确舆论导向、价值取向,弘扬社会主义核心价值观,生产发布健康向上、真实客观的优质信息内容,营造清朗网络空间,促进社会文明进步。
鼓励各级党政机关、企事业单位和人民团体注册运营公众账号,生产发布高质量政务信息或公共服务信息,满足公众信息需求,推动经济社会发展。
鼓励公众账号信息服务平台积极为党政机关、企事业单位和人民团体提升政务信息发布、公共服务和社会治理水平,提供充分必要的技术支持和安全保障。
第五条 公众账号信息服务平台提供互联网用户公众账号信息服务,应当取得国家法律法规规定的相关资质。
公众账号信息服务平台和公众账号生产运营者向社会公众提供互联网新闻信息服务,应当取得互联网新闻信息服务许可。
第二章 公众账号信息服务平台
第六条 公众账号信息服务平台应当履行信息内容和公众账号管理主体责任,配备与业务规模相适应的管理人员和技术能力,设置内容安全负责人岗位,建立健全并严格落实账号注册、内容审核、信息巡查、生态治理、应急处置、网络安全、数据安全、个人信息保护、著作权保护、信用评价等管理制度,维护平台信息内容与公众账号安全、数据和个人信息安全。
公众账号信息服务平台应当依据相关法律法规和国家有关规定,制定并公开信息内容生产、公众账号运营等管理规则、平台公约,与公众账号生产运营者签订服务协议,明确双方内容发布权限、账号管理责任等权利义务。
第七条 公众账号信息服务平台应当按照国家有关标准和规范,建立公众账号分类注册和分类生产制度,实施分类管理,并将公众账号向所在地省、自治区、直辖市网信部门备案。
公众账号信息服务平台应当依据账号信息内容质量、账号主体信用评价等指标维度,建立分级管理制度,实施账号分级管理。
公众账号信息服务平台制定内容生产与账号运营管理规则、平台公约等重要制度措施,应当向所在地省、自治区、直辖市网信部门备案;上线相关新技术新应用新功能,应当按照有关规定进行安全评估。
第八条 公众账号信息服务平台应当采取复合验证等措施,对申请注册公众账号的互联网用户进行基于移动电话号码、居民身份证号码或统一社会信用代码等方式的真实身份信息认证,提高认证准确率。用户不提供真实身份信息的,或冒用组织机构、他人真实身份信息进行虚假注册的,不得为其提供相关服务。
公众账号信息服务平台应当对互联网用户注册的公众账号名称、头像和简介等进行合法合规性核验,发现账号名称、头像和简介与注册主体真实身份信息不相符的,特别是擅自使用或关联党政机关、企事业单位等组织机构或社会知名人士名义的,以及相关注册信息含有违法和不良信息的,应当暂停提供服务并通知用户限期改正,拒不改正的,应当终止提供服务。
公众账号信息服务平台应当禁止被依法依约关闭的公众账号以相同账号名称重新注册;对注册与其关联度高的账号名称,还应当对账号主体真实身份信息、服务资质等进行必要核验。
第九条 公众账号信息服务平台对申请注册从事经济、教育、卫生、司法等领域信息内容生产的公众账号,应当要求用户在注册时提供其专业背景,以及依照法律、行政法规获得的职业资格或服务资质等相关证明材料,并进行必要核验。
公众账号信息服务平台应当对核验通过后的公众账号加注专门标识,并根据用户的不同主体性质,对外公示内容生产类别、运营主体名称、注册运营地址、统一社会信用代码、联系方式等注册信息,方便社会监督查询。
公众账号信息服务平台应当建立动态核验巡查制度,适时核验生产运营者注册信息的真实性、有效性。
第十条 公众账号信息服务平台应当对同一主体在本平台注册公众账号的数量合理设定上限。对申请注册多个公众账号的用户,还应当对其主体性质、服务资质、业务范围、信用评价等进行核验。
公众账号信息服务平台对互联网用户注册后超过六个月不登录、不使用的公众账号,可以根据服务协议采取暂停或终止提供服务。
公众账号信息服务平台应当健全技术手段,防范和处置互联网用户超限量注册、恶意注册、虚假注册等违规注册行为。
第十一条 公众账号信息服务平台应当依法依约禁止公众账号生产运营者违规转让借用或者非法交易买卖公众账号。
公众账号生产运营者向其他用户转让或赠与公众账号使用权的,应当向平台提出申请。平台应当依据前款规定对受让方用户进行认证核验,并公示主体变更信息。平台发现生产运营者未经审核擅自转让公众账号的,应当及时暂停或终止提供服务。
公众账号生产运营者自行停止账号运营,可以向平台申请暂停或终止使用。平台应当按照服务协议暂停或终止提供服务。
第十二条 公众账号信息服务平台应当建立公众账号监测评估机制,防范账号订阅数、用户关注度、内容点击率、转发评论量等数据造假行为。
公众账号信息服务平台应当规范公众账号推荐订阅关注机制,健全技术手段,及时发现、处置账号订阅关注数量的异常变动情况。未经互联网用户知情同意,不得强制订阅关注其他用户公众账号。
第十三条 公众账号信息服务平台应当建立信用等级管理体系,根据信用等级提供相应服务。
公众账号信息服务平台应当建立健全网络谣言等虚假信息预警、发现、溯源、甄别、辟谣、消除等处置机制,对制作发布谣言等虚假信息的公众账号生产运营者降低信用等级或列入黑名单。
第十四条 公众账号信息服务平台与生产运营者开展内容供给与账号推广合作,应当规范管理广告经营、知识付费、电商销售、用户打赏等经营行为,不得发布虚假广告、进行夸大宣传、实施商业欺诈等,防止违法违规运营。
公众账号信息服务平台应当加强对原创信息内容的著作权保护,防范盗版侵权行为。平台不得滥用优势地位干扰生产运营者合法合规运营、侵犯用户合法权益。
第三章 公众账号生产运营者
第十五条 公众账号生产运营者应当根据平台分类管理规则,在注册公众账号时如实填写用户主体性质、注册地、运营地、内容生产类别、联系方式等基本信息,企业、组织机构等互联网用户还应当注明主要经营或业务范围。
公众账号生产运营者应当遵守平台管理规则、平台公约和服务协议,根据公众账号注册时登记的内容生产类别,从事相关行业领域的信息内容生产发布。
第十六条 公众账号生产运营者应当履行信息内容生产与公众账号运营管理主体责任,依法依规从事信息内容生产和账号运营活动。
公众账号生产运营者应当建立健全选题策划、编辑制作、发布推广、互动评论等全过程信息内容安全审核机制,加强信息内容导向性、真实性、合法性把关,维护网络传播良好秩序。
公众账号生产运营者应当建立健全公众账号注册使用、运营推广等全过程安全管理机制,文明理性、规范管理运营账号,以优质信息内容吸引公众关注订阅和互动分享,维护账号良好社会形象。
第十七条 公众账号生产运营者转载他人原创信息内容,应当遵守著作权保护相关法律法规,标注原创作者和可追溯信息来源,尊重和保护著作权人的合法权益。
公众账号生产运营者应当对账号留言、跟帖、评论等互动环节进行管理。平台可以根据公众账号的主体性质、信用等级,合理设置管理权限,提供相关技术支持。
公众账号生产运营者与第三方机构开展账号运营、内容供给等合作,双方均应当对账号运营行为、供给的信息内容等进行审核把关。
第十八条 公众账号生产运营者不得有下列违法违规行为:
(一)不以真实身份信息注册,或注册与自身真实身份信息不相符的公众账号名称、头像、简介等;
(二)恶意假冒、仿冒或盗用组织机构及他人公众账号生产发布信息内容;
(三)未经许可或超越许可范围提供互联网新闻信息采编发布等服务;
(四)操纵利用多个平台账号,批量发布同质信息内容,生成虚假流量数据,制造虚假舆论热点;
(五)借突发公共事件煽动极端情绪行为,或实施网络暴力损害他人和组织名誉,影响社会和谐稳定;
(六)编造虚假信息,伪造原创内容,引用或捏造不实信息来源,歪曲事实真相,误导社会公众;
(七)以有偿发布、删除信息等手段,实施非法网络监督、营销诈骗、敲诈勒索,牟取不当利益;
(八)批量注册、囤积或非法交易买卖公众账号;
(九)制作、复制、发布违法信息,或未采取措施防范和抵制制作、复制、发布不良信息;
(十)法律、行政法规禁止的其他行为。
第四章 监督管理
第十九条 公众账号信息服务平台应当加强对本平台公众账号信息服务活动的监督管理,及时发现和处置违法违规信息或行为。
公众账号信息服务平台应当依据服务协议和平台公约,对违反本规定及相关法律法规的公众账号采取警示提醒、限制账号功能、暂停内容更新、停止广告发布、关闭注销账号、列入黑名单、禁止重新注册等处置措施,保存有关记录,并及时向网信等有关主管部门报告。
第二十条 公众账号信息服务平台和生产运营者应当自觉接受社会监督。
公众账号信息服务平台应当设置醒目、便捷举报入口,公布申诉、投诉、举报方式等信息,健全举报信息受理、甄别、处置、反馈等机制,明确处理流程和反馈时限,及时有效处理生产运营者申诉和公众投诉举报。
鼓励互联网行业组织开展公众评议,推动公众账号信息服务平台和生产运营者严格自律,建立多方参与的权威调解机制,公平合理解决行业纠纷,依法维护用户合法权益。
第二十一条 各级网信部门会同有关主管部门建立健全协作监管等工作机制,监督指导公众账号信息服务平台和生产运营者依法依规从事相关信息服务活动。
公众账号信息服务平台和生产运营者对有关主管部门依法实施的监督检查,应当予以配合,并提供必要的技术支持与协助。
公众账号信息服务平台和生产运营者违反本规定的,由网信部门和有关主管部门在职责范围内依照相关法律法规处理。
第二十二条 本规定自2020年 月 日起施行。
Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System
Gong Wang An No. (2020)1960
All Centre and State bodies’ ministries and commissions, all bodies, office bodies and undertaking work units directly subordinate to the State Council, all Centre enterprises:
In order to implement the spirit of relevant Party Centre documents and the “Cybersecurity Law”, guide focus sectors and departments in comprehensively implementing the cybersecurity multi-level protection system and critical information infrastructure security protection system, complete and perfect the national comprehensive cybersecurity defence system, effectively prevent cybersecurity threats, forcefully deal with major cybersecurity incidents, coordinate public security bodies’ strengthening of cybersecurity supervision and management, strictly attack unlawful and criminal activities harming cybersecurity, realistically ensure the security of critical information infrastructure, important networks and data, the Ministry of Public Security has researched and formulated the “Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System”. These are hereby issued to you, please earnestly consult and implement them in combination with the work reality in your sectors and your departments.
Ministry of Public Security
22 July 2020
Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System
The cybersecurity multi-level protection system and critical information infrastructure security protection system are basic systems laid down in relevant Party Centre documents and the “Cybersecurity Law”. In recent years, all work units and all departments have comprehensively strengthened cybersecurity work according to the requirements of Central cybersecurity policies and the provisions of the “Cybersecurity Law” and other such laws and regulations, powerfully ensuring the security of national critical information infrastructure, important networks and data. Even though information technology develops at flying speed, cybersecurity work still faces several new situations, new tasks and new challenges. In order to implement the cybersecurity multi-level protection system and critical information infrastructure security protection system, complete and perfect the national cybersecurity defence system, effectively prevent cybersecurity threats, forcefully deal with cybersecurity incidents, strictly attack unlawful and criminal activities harming cybersecurity, realistically safeguard national cybersecurity, the following Guiding Opinions are hereby formulated.
I, Guiding ideology, basic principles and work objectives.
(1) Guiding ideology
With Xi Jinping Thought on Socialism with Chinese Characteristics in a New Era as guidance, according to the policy arrangements of the Party Centre and the State Council, with the overall national security view as the lead, earnestly implement the cyber power strategy, comprehensively strengthen overall cybersecurity work planning, with implementing the cybersecurity multi-level protection system and critical information infrastructure security protection system as basis, with protecting the security of critical information infrastructure, important networks and data as focus points, comprehensively strengthen work in areas such as cybersecurity prevention and management, monitoring and early warning, emergency response, investigation and attack, intelligence and information, etc., timely monitor and deal with cybersecurity risks, threats and sudden cybersecurity incidents, protect critical information infrastructure, important networks and data from attacks, intrusions, interference and destruction, punish online unlawful and criminal activities according to the law, substantially raise cybersecurity protection capabilities, vigorously build a comprehensive cybersecurity defence system, substantially safeguard national cyberspace sovereignty, national security and the social and public interest, protect the lawful rights and interests of the popular masses, ensure and stimulate the healthy development of economic and social informatization.
(2) Basic principles
– Persist in tiered protection, focus on prominent issues. On the basis of the degree of importance of networks (including network infrastructure, information systems, data resources, etc.) for national security, economic construction and social life, as well as factors such as the degree of harm after they should be destroyed, scientifically determine the security protection tier of networks, implement tiered protection and tiered supervision and management, focus on ensuring the security of critical information infrastructure and third-tier (including third-tier, hereafter similar) and higher networks.
-Persisting in active defence and comprehensive protection. According to laws, regulations and relevant State standards and norms, fully use artificial intelligence, big data analysis and other such technologies to vigorously implement cybersecurity management and technical protection measures, strengthen cybersecurity mentoring, state sensing, reporting and early warning, emergency response and other such major work matters, comprehensively adopt cybersecurity protection, defence and safeguard measures, prevent and curb the occurrence of major cybersecurity risks and incidents, protect the security of new technology applications and new business models such as cloud computing , the Internet of Things, the New Internet, big data, smart manufacturing, etc.
-Persisting in protection according to the law and creating joint forces. On the basis of the provisions of the “Cybersecurity Law” and other such laws and regulations, public security bodies fulfil cybersecurity protection, supervision and management duties and responsibilities according to the law, sectoral competent departments for cybersecurity (including supervision and management departments, hereafter similar) fulfil cybersecurity supervision and management responsibilities within their sectors according to the law, strengthen and implement the dominant protection responsibility of network operators, give full rein and muster forces from all parts of society, coordinate and cooperate, decide and work as team, and create cybersecurity protection work joint forces.
(3) Work objectives
– Deeply implementing the cybersecurity multi-level protection system. Cybersecurity multi-level protection tier determination and filing, tier monitoring and assessment, security construction, inspections and other such basic work matters are to be profoundly advanced. The “three izations and six defences” measures of “actualization, systematization and regularization” of cybersecurity protection and “dynamic defence, active defence, defence in depth, accurate protection, overall protection, joint defence and joint control” to be effectively implemented, a beneficial ecology for cybersecurity protection to be basically established, critical information infrastructure security protection capabilities to clearly strengthen.
– The critical information infrastructure security protection system to be established and implemented. Critical information infrastructure base numbers to be made clear, security protection bodies to be completed, responsibilities to be clarified, protection to be powerful. On the basis of implementing the cybersecurity multi-level protection system, critical information infrastructure-related critical position personnel management, supply chain security, data security, emergency response and other such focus protection measures to be effectively implemented, clearly strengthening critical information infrastructure security protection capabilities.
– Cybersecurity monitoring, early warning and emergency response capabilities to clearly increase. A cross-sector, cross-departmental and cross-regional three-dimensional cybersecurity monitoring system and cybersecurity protection platform to be basically completed, clearly raising cybersecurity state sensing, reporting, early warning and incident discovery and handling capabilities. Cybersecurity advance plans to be scientifically readied, emergency response and handling mechanisms to be perfected, emergency drills to be conducted in a regularized manner, major cybersecurity incidents to be effectively prevented, restrained and dealt with.
– A comprehensive cybersecurity prevention system to be basically created. Cybersecurity protection work mechanisms to be completed and perfected, a cybersecurity work structure with Party Committees in overall leadership, all departments taking responsibility according to the division of work, and social forces from many sides participating to be further perfected. The cybersecurity responsibility system to be effectively implemented, cybersecurity management, prevention, supervision, guidance, investigation and attack capabilities to clearly rise, and a comprehensive cybersecurity protection system integrating “attack, defence, management and control” to be basically created.
II, Deeply implementing the national cybersecurity multi-level protection system
According to the requirements oof the national cybersecurity multi-level protection system, all work units and all departments will, under the guidance and supervision of public security bodies, earnestly organize and deeply launch cybersecurity multi-level protection work, establish a beneficial cybersecurity protection ecology, substantially implement their dominant responsibilities, and completely enhance cybersecurity protection capabilities.
(1) Deepening network tier determination and filing work. Network operators shall comprehensively comb through all kinds of networks in their work unit, and especially the basic situation of cloud computing, Internet of Things, the New Internet, big data, smart manufacturing and other such new technological applications, and on the basis of the function of the network, its service scope, service counterparts, the data it handles and other such matters, scientifically determine the security protection tier of networks, second-level and higher networks will be filed according to the law with public security bodies, and filed with the sectoral competent department. Newly built networks shall be assigned a security protection tier in the planning and design phase. Public security bodies conduct examination and verification of the filing materials and network security protection tier submitted by network operators, where the tier determination result is reasonable and filing materials comply with requirements, they will timely issue cybersecurity multi-level protection filing certification. Sectoral competent departments may, on the basis of the national standard “Cybersecurity Multi-Level Protection Tier Determination Guidelines”, formulate guiding opinions for cybersecurity multi-level protection tier determination in integration with the characteristics of their sector.
(2) Regularly conducting cybersecurity tier assessments. Network operators shall, on the basis of relevant standards and norms, conduct monitoring and assessment of the security of networks with determined and filed tiers, and search for possibly existing cybersecurity problems and vulnerabilities. Third-tier and higher network operators shall entrust tier assessment bodies compliant with relevant State regulations to annually conduct a cybersecurity tier assessment, and timely submit the tier assessment report to the public security body and administrative competent department who received the filing. Newly-built third-tier and higher networks shall be put into operation after undergoing tier assessment. Network operators must, in the process of conducting assessment services, conclude a security and secrecy protection agreement with the assessment body, and conduct supervision and management of the assessment process. Public security bodies must strengthen supervision and management over tier assessment bodies in their localities, establish structures for the background inspection of assessment personnel and the examination and verification of personnel, and ensure that the tier assessment process is objective, fair and secure.
(3) Scientifically conducting security construction and improvements. Network operators shall, in the process of network construction and operation, simultaneously plan, simultaneously build and simultaneously use relevant cybersecurity protection measures. They shall, on the basis of the “Cybersecurity Multi-Level Protection Basic Requirements”, the “Cybersecurity Multi-Level Protection Security Design Technology Requirements” and other such national standards, and on the basis of existing security protection measures, completely comb through and analyse security protection requirements, and in integration with the problems and vulnerabilities discovered during the process of tier assessment, according to the requirements of “once centre” (security management centre), “three protects” (secure telecommunications networks, secure regional boundaries, secure computing environments”, earnestly conduct network security construction, improvement and consolidation, and comprehensively implement security protection technology measures. Network operators may move networks into the cloud, or outsource security services, fully using the capabilities and levels of cloud service companies and cybersecurity service companies to enhance cybersecurity protection. They shall comprehensively strengthen cybersecurity management, establish and perfect personnel management, education and training, system security construction and operational maintenance and other such management structures, strengthen management of computer rooms, facilities and medium security, strengthen the protection of important data and personal information, formulate operational norms and workflows, strengthen daily supervision and verification, and ensure the effective implementation of all management measures.
(4) Strengthening the implementation of security responsibility. Sectoral competent departments and network operators shall, on the basis of the requirements of the “Cybersecurity Law” and other such laws and regulations as well as relevant policies, and according to the principle of “who manages is responsible, who operates is responsible”, draw clear cybersecurity protection borders, clarify security protection work responsibilities, establish cybersecurity multi-level protection work responsibility systems, implement responsibility investigation structures, and ensure that “everyone has the responsibility to protect their land, and everyone does their utmost to protect their land”. Network operators must regularly organize dedicates forces to conduct cybersecurity inspections monitoring and assessment, sectoral competent departments must organize risk assessments, timely discover cybersecurity vulnerabilities and weak segments, and correct them, and incessantly raise cybersecurity protection capabilities and levels.
(5) Strengthening supply chain security management. Network operators shall strengthen the security management of critical network personnel, third-tier and higher network operators shall strengthen management over the bodies and personnel providing them with design, construction, operational maintenance and technical services, assess security risks that may exist in the process of services, and adopt corresponding management and control measures. Network operators shall strengthen network operations and maintenance management, where it is truly necessary to conduct Internet remote operational maintenance because of business needs, they shall provide an explanation of their assessment, and adopt corresponding management and control measures. Network operators shall purchase and use network products and services compliant with the requirements of State laws and regulations as well as relevant standards and norms, third-tier and higher network operators shall vigorously use secure and trustworthy network products and services.
(6) Implementing encryption security protection requirements. Network operators shall implement the provisions of the “Encryption Law” and other such laws and regulations as well as encryption us-related standards and norms. Third-tier and higher networks shall correctly and effectively adopt encryption technology for protection, and use encryption products and services compliant with related requirements. Third-tier and higher network operators shall, in the network planning, construction and operations stages, simultaneously conduct encryption use security assessment wat the same time as conducting cybersecurity tier assessment according to encryption use security assessment management rules and related standards.
III, Building and implementing the critical information infrastructure security protection system
Public security bodies guide and supervise critical information infrastructure security protection work. All work units and all departments shall strengthen the construction of legal systems, policy systems standards systems, protection systems, defence systems and safeguard systems for critical information infrastructure security, establish and implement critical information infrastructure security protection systems, and on the basis of implementing the cybersecurity multi-level protection system, give prominence to its protection focus, strengthen protection measures, and realistically ensure the security of critical information infrastructure.
(1) Organising the identification of critical information infrastructure. On the basis of relevant provisions of the Party Centre and the Ministry of Public Security, the competent and supervision and management departments (hereafter jointly named protection work departments) of important sectors and domains such as public telecommunications and information services, energy, transportation, waterworks, finance, public services, e-government, national defence science and technology and industry, etc., shall formulate critical information infrastructure identification norms for their sectors or domains and report them to the Ministry of Public Security for filing. Protection work departments are, on the basis of the identification norms, responsible for organizing the identification of critical information infrastructure in their sectors and domains, and to timely report the identification results to the related critical information infrastructure operators and to the Ministry of Public Security. They shall include focus protection counterparts such as basic networks meeting determination conditions, large-scale special networks, core business systems, cloud platforms, big data platforms, the Internet of Things, industrial control systems, smart manufacturing systems, the New Internet, novel telecommunications, etc., in critical information infrastructure. Critical information infrastructure lists will be subject to dynamic adjustment mechanisms, where relatively major changes occur in relevant network infrastructures and information systems, operators shall timely report the relevant circumstances to the protection work department, the protection work department shall organize re-identification, notify the operator about the identification result, and report the matter to the Ministry of Public Security.
(2) Clarifying the division of labour in critical information infrastructure security protection work functions. The Ministry of Public Security is responsible for the top-level design, planning and arrangement of critical information infrastructure security protection work, and completes and perfects the critical information infrastructure security protection structures and systems together with relevant departments. Protection work departments are responsible for organizational leadership over critical information infrastructure security protection work in their sectors and their areas, as well as formulating and implementing general plans and security protection tactics for critical information infrastructure security in their sectors and their areas, and implementing critical information infrastructure security guidance and supervision responsibilities within their own sectors and areas. Critical information infrastructure operators are responsible for the establishment of a specialized security management body, organizing and conducting critical information infrastructure security and protection work, whose main responsible person bears overall responsibility for the work unit’s critical information infrastructure security protection.
(3) Implementing focus protection measures for critical information infrastructure. Critical information infrastructure operators shall, on the basis of the cybersecurity multi-level protection standards, conduct security construction and conduct tiered monitoring, and must timely correct problems, risks and vulnerabilities they find; on the basis of critical information infrastructure security protection standards, strengthen security protection measures and conduct security monitoring and assessment. We must comb through network assets, establish asset files, strengthen the management of personnel in core positions, integrate protection with monitoring and early warning, emergency response and handling, data protection and other such focus protection measures, reasonably differentiate fields and areas, reduce the Internet’s disclosure surface, strengthen cyberattack threat control, strengthen defence-in-depth, vigorously use technologies to conduct cybersecurity protection, build a cybersecurity protection system with encryption technology, trusted computing, artificial intelligence, big data analysis etc. at the core, incessantly enhance the inherent security of critical information infrastructure, and capabilities for active immunity and active defence. Operators meeting conditions shall establish their own security services body, undertaking critical information infrastructure security protection tasks, they may also raise cybersecurity specialized and intensified protection capabilities through migrating to the cloud or purchasing security services and other such measures.
(4) Strengthening the protection of important data and personal information. Operators shall establish and implement a protection structure for important data and personal information security, conduct disaster-proof backups of important networks and important databases in critical information infrastructure, adopt critical technological measures such as identity differentiation, access control, encrypted protection, security audits, security isolation, trusted verification, etc. to substantially protect the security of important data in its entire lifecycle. Operators shall store personal information and important data collected and produced during their domestic operations inside the territory, where they need to provide it abroad because of business requirements, they shall abide by relevant regulations and conduct a security assessment.
(5) Strengthening the security management of personnel in core positions as well as products and services. We must conduct a background security inspection of responsible persons in specialized security management bodies and personnel in critical positions, and strengthen management. We must implement security management over critical information infrastructure design, construction, operations, maintenance and other such services, purchase secure and trustworthy network products and services, and ensure supply chain security. Where the purchase of products and services may influence national security, a security review shall be undergone according to relevant state regulations. Public security bodies strengthen security management over critical information infrastructure security service bodies, and provide support for operators conducting security protection work.
IV, Strengthening cooperation and coordination in cybersecurity protection work
Sectoral competent departments and network operators must closely cooperate with public security bodies, forcefully conduct security monitoring, reporting, early warning, emergency response, threat intelligence and other such work, implement regularized measures, enhance their capabilities to respond to and deal with sudden cybersecurity incidents and major risk prevention and control.
(1) Strengthening the construction of a three-dimensional cybersecurity monitoring system. All work units and all departments must comprehensively strengthen cybersecurity monitoring, conduct real-time monitoring of critical information infrastructure, important networks, etc., and when they discover cyberattacks and security threats, immediately report them to public security bodies and relevant departments, and adopt effective measures to deal with them. They must strengthen the research and applications of new network technologies, research and draw up cyberspace topography information maps (network maps), and ensure map-based battle. Sectoral competent departments and network operators must construct cybersecurity protection operations platforms for their sector and their work unit, build smart platform brains, , and rely on the platform and big data to conduct real-time monitoring, reporting, early warning, emergency response, security protection, command and control and other such work, and link up with public security bodies’ relevant security protection platform, creating a comprehensive defence and control structure integrating hierarchical and local links, connecting vertical and horizontal links, in a coordinated and jointly acting manner. Focus sectors, network operators and public security bodies must establish cybersecurity supervision and control command centres, implement a 24-7 duty staffing system, and create regularized and actualized cybersecurity work mechanisms.
(2) Strengthening cybersecurity information sharing reporting and early warning. Sectoral competent departments and network operators must, with the support of the national cyber and information security information notification mechanism, strengthen the construction of cyber and information security notification and early warning capabilities, timely collect, pool and analyse all sides’ cybersecurity information, strengthen threat intelligence work, organize the conduct of cybersecurity threat analysis and state research and argumentation, and timely notify early warnings and responses. Third-level and higher network operators and critical information infrastructure operators must conduct cybersecurity monitoring, early warning and information notification work, timely receive and deal with cybersecurity early warning notifications and information coming from the national level, sectoral level and local level, and notify cybersecurity monitoring and early warning information as well as cybersecurity incidents to sectoral competent departments, filing public security bodies. Public security bodies must strengthen the construction of cyber and information security information circulation and early warning mechanisms and forces, and incessantly raise cybersecurity notification and early warning capabilities.
(3) Strengthen the construction of cybersecurity emergency response mechanisms. Sectoral competent departments and network operators must, according to relevant State requirements, formulate cybersecurity emergency response plans, strengthen cybersecurity emergency response force construction and emergency response resource stockage, closely cooperate with public security bodies to establish a cybersecurity incident reporting structure and emergency response mechanisms. Critical information infrastructure operators and third-tier and higher network operators shall regularly conduct emergency response drills, effectively respond to cybersecurity incidents, and timely correct and consolidate prominent problems, leaks and vulnerabilities discovered during emergency response drills, and perfect protection measures. Sectoral competent departments and network operators shall coordinate with public security bodies’ annual organization and conduct of cybersecurity supervision and inspections, tournaments, exercises and other such work, and incessantly enhance security protection capabilities and resistance capabilities.
(4) Strengthening cybersecurity incident handling and case investigation When major cybersecurity threats and incidents occur in critical information infrastructure or third-tier and higher networks, sectoral competent departments, network operators and public security bodies shall jointly launch a response. Telecommunications operators and network service providers shall provide technical support and assistance. Network operators shall cooperate with public security bodies in attacking unlawful and criminal online activities; when indications of unlawful or criminal acts, major cybersecurity threats and incidents are discovered, they shall timely report the matter to public security bodies and relevant departments, and provide the necessary assistance.
(5) Strengthening cybersecurity problem and threat correction supervision and management. Public security bodies establish and appoint a supervision and management structure, to be appointed to supervise and manage, or schedule talks with relevant responsible persons where network operators persistently procrastinate and do not correct weak cybersecurity work or major security problems and vulnerabilities, or where relatively large cybersecurity risks exist, major cybersecurity incidents, occur, etc., according to regulatory powers and procedures, together with sectoral competent departments, and to strengthen supervision, inspection and administrative law enforcement, as well as conduct administrative punishment according to laws and regulations. Network operators shall, according to relevant requirements, adopt measures to timely conduct corrections, and eliminate major risks and vulnerabilities. Where major cybersecurity incidents occur, sectoral competent departments shall organize the entire sector to conduct correction and reorganization.
V, Strengthening all guarantees in cybersecurity work
(1) Strengthening organizational leadership. All work units and all departments must give high regard to multi-level cybersecurity protection and critical information infrastructure security protection work, enter it onto the important matters agenda, strengthen comprehensive leadership, planning and design, earnestly research and resolve major problems such as the establishment of cybersecurity bodies, personnel allocation, financial input, security protection measure construction, etc. Sectoral competent departments and network operators must clarify that the main responsible persons in those work units are the first responsible persons for cybersecurity, and determine a leading cadre management to be separately responsible for cybersecurity work, establish dedicated cybersecurity bodies, clarify tasks and divisions of labour, grasping matters level by level, and implementing matters level by level.
(2) Strengthening financial policy guarantees. All work units and all departments must, through existing funding channels, ensure funding input for critical information infrastructure, third-tier and higher networks, etc., to conduct tiered monitoring, risk assessment, encryption use security monitoring, drills and competitions, security construction and reorganization, security protection platform construction, encryption protection system construction, operational maintenance, supervision and inspection, education and training, etc. Critical information infrastructure operators shall ensure sufficient amounts of cybersecurity input, and when making cybersecurity and informatization-related policy decisions, shall have members from the cybersecurity management body participate. Relevant departments must support focus cybersecurity technology industries and projects, support cybersecurity technology research, development, innovation and application, and promote the healthy development of the cybersecurity industry. Public security bodies must, together with relevant departments, organize and implement “Belt-Road” cybersecurity strategies, and support cybersecurity enterprises “marching out”, and share China’s cybersecurity protection experience with relevant countries.
(3) Strengthening testing and evaluation All work units and all departments must further complete and perfect cybersecurity testing and evaluation structures, clarify testing standards, and organize the conduct of testing. Public security bodies will enter cybersecurity work into the comprehensive social management and governance testing and evaluation system, annually organize testing and evaluation to be conducted for all localities’ cybersecurity work, annually chose advance work unit in cybersecurity multi-level protection and critical information infrastructure security protection work, and report the results to Party Committees and governments, and notify cybersecurity and informatization departments.
(4) Strengthening technical breakthroughs. All work units and all departments must fully muster social forces from cybersecurity enterprises, scientific research bodies, experts, etc., to vigorously participate in making core breakthroughs in cybersecurity technology, strengthen cybersecurity coordination and cooperation, interaction and mutual support, joint governance and sharing, and collective defence and collective governance. Public security bodies must, together with relevant departments, strengthen cybersecurity multi-level protection and critical information infrastructure security protection standards formulation work, publish standards and application guidelines, strengthen the dissemination, application and implementation of standards build pilot demonstration bases, and enhance the healthy development of our country’s cybersecurity industries and enterprises.
(5) Strengthening talent training. All work units and all departments must strengthen cybersecurity multi-level protection and critical information infrastructure security protection professional exchanges, and discover and select high-grade, precise and advanced talents through organizing and conducting tournaments, competitions and other such forms, build talent databases, establish and complete talent discovery training, selection and use mechanisms, and provide talent guarantees to do cybersecurity work well.
《公安部关于印送〈贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见〉的函》
公网安〔2020〕1960号
中央和国家机关各部委,国务院各直属机构、办事机构、事业单位,各中央企业:
为深入贯彻党中央有关文件精神和《网络安全法》,指导重点行业、部门全面落实网络安全等级保护制度和关键信息基础设施安全保护制度,健全完善国家网络安全综合防控体系,有效防范网络安全威胁,有力处置重大网络安全事件,配合公安机关加强网络安全监管,严厉打击危害网络安全的违法犯罪活动,切实保障关键信息基础设施、重要网络和数据安全,公安部研究制定了《贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见》。现印送给你们,请结合本行业、本部门工作实际,认真参照执行。
公安部
2020年7月22日
贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见
网络安全等级保护制度和关键信息基础设施安全保护制度是党中央有关文件和《中华人民共和国网络安全法》确定的基本制度。近年来,各单位、各部门按照中央网络安全政策要求和《网络安全法》等法律法规规定,全面加强网络安全工作,有力保障了国家关键信息基础设施、重要网络和数据安全。但随着信息技术飞速发展,网络安全工作仍面临一些新形势、新任务和新挑战。为深入贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度,健全完善国家网络安全综合防控体系,有效防范网络安全威胁,有力处置网络安全事件,严厉打击危害网络安全的违法犯罪活动,切实保障国家网络安全,特制定以下指导意见。
一、指导思想、基本原则和工作目标
(一)指导思想
以习近平新时代中国特色社会主义思想为指导,按照党中央、国务院决策部署,以总体国家安全观为统领,认真贯彻实施网络强国战略,全面加强网络安全工作统筹规划,以贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度为基础,以保护关键信息基础设施、重要网络和数据安全为重点,全面加强网络安全防范管理、监测预警、应急处置、侦查打击、情报信息等各项工作,及时监测、处置网络安全风险、威胁和网络安全突发事件,保护关键信息基础设施、重要网络和数据免受攻击、侵入、干扰和破坏,依法惩治网络违法犯罪活动,切实提高网络安全保护能力,积极构建国家网络安全综合防控体系,切实维护国家网络空间主权、国家安全和社会公共利益,保护人民群众的合法权益,保障和促进经济社会信息化健康发展。
(二)基本原则
坚持分等级保护、突出重点。根据网络(包含网络设施、信息系统、数据资源等)在国家安全、经济建设、社会生活中的重要程度,以及其遭到破坏后的危害程度等因素,科学确定网络的安全保护等级,实施分等级保护、分等级监管,重点保障关键信息基础设施和第三级(含第三级、下同)以上网络的安全。
坚持积极防御、综合防护。按照法律法规和有关国家标准规范,充分利用人工智能、大数据分析等技术,积极落实网络安全管理和技术防范措施,强化网络安全监测、态势感知、通报预警和应急处置等重点工作,综合采取网络安全保护、保卫、保障措施,防范和遏制重大网络安全风险、事件发生,保护云计算、物联网、新型互联网、大数据、智能制造等新技术应用和新业态安全。
坚持依法保护、形成合力。依据《网络安全法》等法律法规规定,公安机关依法履行网络安全保卫和监督管理职责,网络安全行业主管部门(含监管部门,下同)依法履行本行业网络安全主管、监管责任,强化和落实网络运营者主体防护责任,充分发挥和调动社会各方力量,协调配合、群策群力,形成网络安全保护工作合力。
(三)工作目标
网络安全等级保护制度深入贯彻实施。网络安全等级保护定级备案、等级测评、安全建设和检查等基础工作深入推进。网络安全保护“实战化、体系化、常态化”和“动态防御、主动防御、纵深防御、精准防护、整体防控、联防联控”的“三化六防”措施得到有效落实,网络安全保护良好生态基本建立,国家网络安全综合防护能力和水平显著提升。
关键信息基础设施安全保护制度建立实施。关键信息基础设施底数清晰,安全保护机构健全、职责明确、保障有力。在贯彻落实网络安全等级保护制度的基础上,关键信息基础设施涉及的关键岗位人员管理、供应链安全、数据安全、应急处置等重点安全保护措施得到有效落实,关键信息基础设施安全防护能力明显增强。
网络安全监测预警和应急处置能力显著提升。跨行业、跨部门、跨地区的立体化网络安全监测体系和网络安全保护平台基本建成,网络安全态势感知、通报预警和事件发现处置能力明显提高。网络安全预案科学齐备,应急处置机制完善,应急演练常态化开展,网络安全重大事件得到有效防范、遏制和处置。
网络安全综合防控体系基本形成。网络安全保护工作机制健全完善,党委统筹领导、各部门分工负责、社会力量多方参与的网络安全工作格局进一步完善。网络安全责任制得到有效落实,网络安全管理防范、监督指导和侦查打击等能力显著提升,“打防管控”一体化的网络安全综合防控体系基本形成。
二、深入贯彻实施国家网络安全等级保护制度
按照国家网络安全等级保护制度要求,各单位、各部门在公安机关指导监督下,认真组织、深入开展网络安全等级保护工作,建立良好的网络安全保护生态,切实履行主体责任,全面提升网络安全保护能力。
(一)深化网络定级备案工作。网络运营者应全面梳理本单位各类网络,特别是云计算、物联网、新型互联网、大数据、智能制造等新技术应用的基本情况,并根据网络的功能、服务范围、服务对象和处理数据等情况,科学确定网络的安全保护等级,对第二级以上网络依法向公安机关备案,并向行业主管部门报备。对新建网络,应在规划设计阶段确定安全保护等级。公安机关对网络运营者提交的备案材料和网络的安全保护等级进行审核,对定级结果合理、备案材料符合要求的,及时出具网络安全等级保护备案证明。行业主管部门可以依据《网络安全等级保护定级指南》国家标准,结合行业特点制定行业网络安全等级保护定级指导意见。
(二)定期开展网络安全等级测评。网络运营者应依据有关标准规范,对已定级备案网络的安全性进行检测评估,查找可能存在的网络安全问题和隐患。第三级以上网络运营者应委托符合国家有关规定的等级测评机构,每年开展一次网络安全等级测评,并及时将等级测评报告提交受理备案的公安机关和行业主管部门。新建第三级以上网络应在通过等级测评后投入运行。网络运营者在开展测评服务过程中要与测评机构签署安全保密协议,并对测评过程进行监督管理。公安机关要加强对本地等级测评机构的监督管理,建立测评人员背景审查和人员审核制度,确保等级测评过程客观、公正、安全。
(三)科学开展安全建设整改。网络运营者应在网络建设和运营过程中,同步规划、同步建设、同步使用有关网络安全保护措施。应依据《网络安全等级保护基本要求》《网络安全等级保护安全设计技术要求》等国家标准,在现有安全保护措施的基础上,全面梳理分析安全保护需求,并结合等级测评过程中发现的问题隐患,按照“一个中心(安全管理中心)、三重防护(安全通信网络、安全区域边界、安全计算环境)”的要求,认真开展网络安全建设和整改加固,全面落实安全保护技术措施。网络运营者可将网络迁移上云,或将网络安全服务外包,充分利用云服务商和网络安全服务商提升网络安全保护能力和水平。应全面加强网络安全管理,建立完善人员管理、教育培训、系统安全建设和运维等管理制度,加强机房、设备和介质安全管理,强化重要数据和个人信息保护,制定操作规范和工作流程,加强日常监督和考核,确保各项管理措施有效落实。
(四)强化安全责任落实。行业主管部门、网络运营者应依据《网络安全法》等法律法规和有关政策要求,按照“谁主管谁负责、谁运营谁负责”的原则,厘清网络安全保护边界,明确安全保护工作责任,建立网络安全等级保护工作责任制,落实责任追究制度,作到“守土有责、守土尽责”。网络运营者要定期组织专门力量开展网络安全自查和检测评估,行业主管部门要组织风险评估,及时发现网络安全隐患和薄弱环节并予以整改,不断提高网络安全保护能力和水平。
(五)加强供应链安全管理。网络运营者应加强网络关键人员的安全管理,第三级以上网络运营者应对为其提供设计、建设、运维、技术服务的机构和人员加强管理,评估服务过程中可能存在的安全风险,并采取相应的管控措施。网络运营者应加强网络运维管理,因业务需要确需通过互联网远程运维的,应进行评估论证,并采取相应的管控措施。网络运营者应采购、使用符合国家法律法规和有关标准规范要求的网络产品及服务,第三级以上网络运营者应积极应用安全可信的网络产品及服务。
(六)落实密码安全防护要求。网络运营者应贯彻落实《中华人民共和国密码法》等有关法律法规规定和密码应用相关标准规范。第三级以上网络应正确、有效采用密码技术进行保护,并使用符合相关要求的密码产品和服务。第三级以上网络运营者应在网络规划、建设和运行阶段,按照密码应用安全性评估管理办法和相关标准,在网络安全等级测评中同步开展密码应用安全性评估。
三、建立并实施关键信息基础设施安全保护制度
公安机关指导监督关键信息基础设施安全保护工作。各单位、各部门应加强关键信息基础设施安全的法律体系、政策体系、标准体系、保护体系、保卫体系和保障体系建设,建立并实施关键信息基础设施安全保护制度,在落实网络安全等级保护制度基础上,突出保护重点,强化保护措施,切实维护关键信息基础设施安全。
(一)组织认定关键信息基础设施。根据党中央和公安部有关规定,公共通信和信息服务、能源、交通、水利、金融、公共服务、电子政务、国防科技工业等重要行业和领域的主管、监管部门(以下统称保护工作部门)应制定本行业、本领域关键信息基础设施认定规则并报公安部备案。保护工作部门根据认定规则负责组织认定本行业、本领域关键信息基础设施,及时将认定结果通知相关设施运营者并报公安部。应将符合认定条件的基础网络、大型专网、核心业务系统、云平台、大数据平台、物联网、工业控制系统、智能制造系统、新型互联网、新兴通讯设施等重点保护对象纳入关键信息基础设施。关键信息基础设施清单实行动态调整机制,有关网络设施、信息系统发生较大变化,可能影响其认定结果的,运营者应及时将相关情况报告保护工作部门,保护工作部门应组织重新认定,将认定结果通知运营者,并报公安部。
(二)明确关键信息基础设施安全保护工作职能分工。公安部负责关键信息基础设施安全保护工作的顶层设计和规划部署,会同相关部门健全完善关键信息基础设施安全保护制度体系。保护工作部门负责对本行业、本领域关键信息基础设施安全保护工作的组织领导,根据国家网络安全法律法规和有关标准规范要求,制定并实施本行业、本领域关键信息基础设施安全总体规划和安全防护策略,落实本行业、本领域网络安全指导监督责任。关键信息基础设施运营者负责设置专门安全管理机构,组织开展关键信息基础设施安全保护工作,主要负责人对本单位关键信息基础设施安全保护负总责。
(三)落实关键信息基础设施重点防护措施。关键信息基础设施运营者应依据网络安全等级保护标准开展安全建设并进行等级测评,发现问题和风险隐患要及时整改;依据关键信息基础设施安全保护标准,加强安全保护和保障,并进行安全检测评估。要梳理网络资产,建立资产档案,强化核心岗位人员管理、整体防护、监测预警、应急处置、数据保护等重点保护措施,合理分区分域,收敛互联网暴露面,加强网络攻击威胁管控,强化纵深防御,积极利用新技术开展网络安全保护,构建以密码技术、可信计算、人工智能、大数据分析等为核心的网络安全保护体系,不断提升关键信息基础设施内生安全、主动免疫和主动防御能力。有条件的运营者应组建自己的安全服务机构,承担关键信息基础设施安全保护任务,也可通过迁移上云或购买安全服务等方式,提高网络安全专业化、集约化保障能力。
(四)加强重要数据和个人信息保护。运营者应建立并落实重要数据和个人信息安全保护制度,对关键信息基础设施中的重要网络和数据库进行容灾备份,采取身份鉴别、访问控制、密码保护、安全审计、安全隔离、可信验证等关键技术措施,切实保护重要数据全生命周期安全。运营者在境内运营中收集和产生的个人信息和重要数据应当在境内存储,因业务需要,确需向境外提供的,应当遵守有关规定并进行安全评估。
(五)强化核心岗位人员和产品服务的安全管理。要对专门安全管理机构的负责人和关键岗位人员进行安全背景审查,加强管理。要对关键信息基础设施设计、建设、运行、维护等服务实施安全管理,采购安全可信的网络产品和服务,确保供应链安全。当采购产品和服务可能影响国家安全的,应按照国家有关规定通过安全审查。公安机关加强对关键信息基础设施安全服务机构的安全管理,为运营者开展安全保护工作提供支持。
四、加强网络安全保护工作协作配合
行业主管部门、网络运营者与公安机关要密切协同,大力开展安全监测、通报预警、应急处置、威胁情报等工作,落实常态化措施,提升应对、处置网络安全突发事件和重大风险防控能力。
(一)加强网络安全立体化监测体系建设。各单位、各部门要全面加强网络安全监测,对关键信息基础设施、重要网络等开展实时监测,发现网络攻击和安全威胁,立即报告公安机关和有关部门并采取有效措施处置。要加强网络新技术研究和应用,研究绘制网络空间地理信息图谱(网络地图),实现挂图作战。行业主管部门、网络运营要建设本行业、本单位的网络安全保护业务平台,建设平台智慧大脑,依托平台和大数据开展实时监测、通报预警、应急处置、安全防护、指挥调度等工作,并与公安机关有关安全保卫平台对接,形成条块结合、纵横联通、协同联动的综合防控大格局。重点行业、网络运营者和公安机关要建设网络安全监控指挥中心,落实7×24小时值班值守制度,建立常态化、实战化的网络安全工作机制。
(二)加强网络安全信息共享和通报预警。行业主管部门、网络运营者要依托国家网络与信息安全信息通报机制,加强本行业、本领域网络安全信息通报预警力量建设,及时收集、汇总、分析各方网络安全信息,加强威胁情报工作,组织开展网络安全威胁分析和态势研判,及时通报预警和处置。第三级以上网络运营者和关键信息基础设施运营者要开展网络安全监测预警和信息通报工作,及时接收、处置来自国家、行业和地方网络安全预警通报信息,按规定向行业主管部门、备案公安机关报送网络安全监测预警信息和网络安全事件。公安机关要加强网络与信息安全信息通报预警机制建设和力量建设,不断提高网络安全通报预警能力。
(三)加强网络安全应急处置机制建设。行业主管部门、网络运营者要按照国家有关要求制定网络安全应急预案,加强网络安全应急力量建设和应急资源储备,与公安机关密切配合,建立网络安全事件报告制度和应急处置机制。关键信息基础设施运营者和第三级以上网络运营者应定期开展应急演练,有效处置网络安全事件,并针对应急演练中发现的突出问题和漏洞隐患,及时整改加固,完善保护措施。行业主管部门、网络运营者应配合公安机关每年组织开展的网络安全监督检查、比武演习等工作,不断提升安全保护能力和对抗能力。
(四)加强网络安全事件处置和案件侦办。关键信息基础设施、第三级以上网络发生重大网络安全威胁和事件时,行业主管部门、网络运营者和公安机关应联合开展处置。电信业务经营者、网络服务提供者应提供支持及协助。网络运营者应配合公安机关打击网络违法犯罪活动;发现违法犯罪线索、重大网络安全威胁和事件时,应及时报告公安机关和有关部门并提供必要协助。
(五)加强网络安全问题隐患整改督办。公安机关建立挂牌督办制度,针对网络运营者网络安全工作不力、重大安全问题隐患久拖不改,或存在较大网络安全风险、发生重大网络安全案事件的,按照规定的权限和程序,会同行业主管部门对相关负责人进行约谈,挂牌督办,并加大监督检查和行政执法力度,依法依规进行行政处罚。网络运营者应按照有关要求采取措施,及时进行整改,消除重大风险隐患。发生重大网络安全案事件的,行业主管部门应组织全行业开展整改整顿。
五、加强网络安全工作各项保障
(一)加强组织领导。各单位、各部门要高度重视网络安全等级保护和关键信息基础设施安全保护工作,将其列入重要议事日程,加强统筹领导和规划设计,认真研究解决网络安全机构设置、人员配备、经费投入、安全保护措施建设等重大问题。行业主管部门和网络运营者要明确本单位主要负责人是网络安全的第一责任人,并确定一名领导班子成员分管网络安全工作,成立网络安全专门机构,明确任务分工,一级抓一级,层层抓落实。
(二)加强经费政策保障。各单位、各部门要通过现有经费渠道、保障关键信息基础设施、第三级以上网络等开展等级测评、风险评估、密码应用安全性检测、演练竞赛、安全建设整改、安全保护平台建设、密码保障系统建设、运行维护、监督检查、教育培训等经费投入。关键信息基础设施运营者应保障足额的网络安全投入,作出网络安全和信息化有关决策时应有网络安全管理机构人员参与。有关部门要扶持重点网络安全技术产业和项目,支持网络安全技术研究开发和创新应用,推动网络安全产业健康发展。公安机关要会同相关部门组织实施“一带一路”网络安全战略,支持网络安全企业“走出去”, 与有关国家共享中国网络安全保护经验。
(三)加强考核评价。各单位、各部门要进一步健全完善网络安全考核评价制度,明确考核指标,组织开展考核。公安机关将网络安全工作纳入社会治安综合治理考核评价体系,每年组织对各地区网络安全工作进行考核评价,每年评选网络安全等级保护、关键信息基础设施安全保护工作先进单位,并将结果报告党委政府,通报网信部门。
(四)加强技术攻关。各单位、各部门要充分调动网络安全企业、科研机构、专家等社会力量积极参与网络安全核心技术攻关,加强网络安全协同协作、互动互补、共治共享和群防群治。公安机关要会同有关部门加强网络安全等级保护和关键信息基础设施安全保护标准制定工作,出台标准应用指南,加强标准宣贯和应用实施,建设试点示范基地,促进我国网络安全产业和企业的健康发展。
(五)加强人才培养。各单位、各部门要加强网络安全等级保护和关键信息基础设施安全保护业务交流,通过组织开展比武竞赛等形式,发现选拔高精尖技术人才,建设人才库,建立健全人才发现、培养、选拔和使用机制,为做好网络安全工作提供人才保障。
Guidelines for the Construction of the Online Data Security Standards System
(Opinion-seeking draft)
April 2020
Foreword
Following the connection and convergence of information technology and human production and lives, global data have gained the characteristics of explosive growth and massive collection, the big data industry is in a period of brisk development, technological progress and application innovation have accelerated their advance in lockstep, data resources have become national fundamental strategic resources and innovation factors for social production. At present, our country’s telecommunications and Internet sectors are developing rapidly, collecting large amounts of online data, and at the same time as liberating the development potential of the data economy and stimulating the accelerated growth of the data economy, we face severe security risks. This requires that we deeply understand the importance and urgency of online data security, persist in equally stressing security and development, vigorously responding to complex and severe security risks and challenges, and accelerate the construction of a security protection system for online data.
“In safe development, standards go first”, standardization work is an important basis in guaranteeing online data security. In order to implement the requirements of laws and regulations such as the “Cybersecurity Law of the People’s Republic of China”, the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection”, the “Telecommunications and Internet User Personal Information Protection Regulations”, etc., guide online data security standardization work in the telecommunications and Internet sectors, the Ministry of Industry and Information Technology has organized the drafting of the “Guidelines for the Construction of the Online Data Security Standards System” (hereafter simply named “Construction Guidelines”. The “Construction Guidelines” give full rein to the top-level design and fundamental guidance roles of standards, and provides a powerful support for guaranteeing online data security in the telecommunications and Internet sectors, stimulating the rational and orderly flow of online data, and assist the high-quality development of the digital economy. Read the rest of this entry »
Notice concerning Promoting the Accelerated Development of 5G
MIIT Communications No. (2020)49
All provincial, autonomous regions, municipal, plan-listed city and Xinjiang Production-Construction Corps controlling departments for industry and information technology, and wireless communications management bodies, all provincial, autonomous region and municipal telecommunications management bureaus, China Telecom Group Co. Ltd., China Mobile Telecommunications Group Co. Ltd., China Unicom Telecommunications Group Co. Ltd., China Tower Co. Ltd., China Broadcast Network Co. Ltd.:
In order to deeply implement the spirit of General Secretary Xi Jinping’s important speech concerning promoting the accelerated development of 5G networks, forcefully advance 5G network construction, usage, popularization, technology development and security protection, give full rein to the effects of scale and driving role of new 5G infrastructure, and support high-quality economic development, hereby, related matters are notified as follows:
Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps
Notice concerning Issuance of the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”
All provincial, autonomous region, municipal and the Xinjiang Production-Construction Corps cybersecurity and informatization offices, telecommunications management bureaus, public security offices (bureaus), market supervision and management bureaus (offices, committees):
On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violations of rules and regulations in apps, implement laws and regulations such as the “Cybersecurity Law”, etc., the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration of Market Regulation have jointly formulated the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”. These are hereby issued to you, please refer to and implement them in integration with supervision, management and law enforcement work realities.
Cyberspace Administration of China Secretariat
Ministry of Industry and Information Technology General Office
Ministry of Public Security General Office
State Administration for Market Regulation General Office
28 November 2019
Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps
On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violations of rules and regulations in apps, provide guidance for app operators’ self-inspection and self-rectification as well as netizens’ social supervision, and implement laws and regulations such as the “Cybersecurity Law”, these Rules are formulated.
I, The following acts may be determined as “not publishing collection and use norms”
1. There is no privacy policy in the app, or the privacy policy does not contain norms on the collection and use of personal information;
2. When using the app for the first time, users are not prompted to read privacy policies and other such norms on collection and use through a pop-up window and other such clear methods
3. The privacy policy and other such collection and use norms are difficult to access, for instance when after entering the app’s main interface, 4 clicks or other such manipulations are required before it can be accessed;
4. The privacy policy and other such collection and use norms are difficult to read, for instance because characters are too small and closely spaced, colours are too light, they are blurred and unclear, or no simplified Mandarin version is provided.
II, The following acts may be determined as “not indicating the objective, method and scope of collecting and using personal information”
1. Not listing the objective, method and scope of personal information collection and use in the app (including entrusted third parties or embedded third-party code and plug-ins) one by one;
2. When a change occurs in the objective, method and scope of personal information collection and use, not notifying the user in an appropriate manner, appropriate manners include revising the privacy policy and other such collection and use norms and alerting the user to read it;
3. When requesting to activate authorization of collectable personal information, or requesting to collect users’ identity card number, bank account number, geographical tracking and other such sensitive personal information, not simultaneously notifying the user about its objective, or having an unclear or difficult to understand objective.
4. Content related to collection and use norms is obscure and difficult to understand, verbose and overly detailed, which is difficult for users to understand, for instance using large amounts of specialist jargon, etc.
III, The following acts may be determined as “collecting and using personal information without users’ consent”
1. Beginning to collect personal information or activating authorizations for collectable information before obtaining users’ consent;
2. After users clearly indicate they do not consent, still collecting personal information or activating up collectable personal information authorizations, or frequently obtaining users’ consent, interfering with users’ regular use;
3. Actually collecting personal information or activating collectable personal information authorizations in excess of the scope of user authorization;
4. Obtaining users’ consent by way of implicit agreement to privacy policies and other non-explicit methods;
5. Altering the status of collectable personal information authorizations they have set up without users’ consent, for instance automatically restoring user-set up authorization to implicit approval status when updating an app;
6. Using users’ personal information and algorithms to direct push delivery information, without providing an option for non-targeted push delivery information;
7. Misleading users through fraudulent, swindling and other such improper methods into consenting to personal information collection or the activation of collectable personal information authorizations, for instance wilfully hoodwinking or covering up the true objective for the collection of users’ personal information;
8. Not providing users with a way and method to revoke consent for personal information collection;
9. Collecting users’ personal information in violation of the announced collection and use norms.
IV, The following acts may be determined as “collecting personal information in violation of the principle of necessity, that is not related to the provided service”
1. Collected categories of personal information or activated collectable personal information authorizations are not related to the existing business functions;
2. Refusing to provide business functions because users do not consent to the collection of unnecessary personal information or the activation of unnecessary authorizations;
3. Requesting the collection of personal information in excess of the scope the user originally consented to when adding new business functions to the app, refusing to provide the original business functions if the user does not agree, except where the newly added business function supersedes the original business function;
4. The frequency of personal information collection exceeds the actual needs of business functions;
5. Obliging he user to consent to personal information collection for only the purpose of improving of service quality, enhancing user experience, targeting push delivery information, researching and developing new products, etc.,
6. Requiring users to consent once to activating multiple collectable personal information authorizations, where use is impossible if users do not consent.
V, The following acts may be determined as “providing personal information to others without consent”
1. Providing personal information directly from the app customer end to third parties both without user content, and without anonymized processing, including providing personal information to third parties through methods such as embedding third-party code or plug-in components at the customer end, etc.;
2. Providing collected personal information to third parties after data is transmitted to the app’s back-end servers both without user content, and without anonymized processing;
3. Even if functions are provided to correct and delete personal information and cancel user accounts, not timely responding to user’s corresponding operations, requiring manual processing, not completing examination and processing within the committed time limits (the committed time limit may not exceed 15 working days, where there is not committed time limit, 15 working days are taken as limit);
4. Where the executing of correction or deletion of personal information, the cancellation of user accounts and other such user operations has been completed, but it is not completed at the app back-end;
5. Not establishing and publishing personal information security complaints and reporting channels, or not accepting and processing matters within the committed time limits (the committed time limit may not exceed 15 working days, where there is not committed time limit, 15 working days are taken as limit).
关于印发《App违法违规收集使用个人信息行为认定方法》的通知
各省、自治区、直辖市及新疆生产建设兵团网信办、通信管理局、公安厅(局)、市场监管局(厅、委):
根据《关于开展App违法违规收集使用个人信息专项治理的公告》,为认定App违法违规收集使用个人信息行为提供参考,落实《网络安全法》等法律法规,国家互联网信息办公室、工业和信息化部、公安部、市场监管总局联合制定了《App违法违规收集使用个人信息行为认定方法》。现印发你们,请结合监管和执法工作实际参考执行。
国家互联网信息办公室秘书局
工业和信息化部办公厅
公安部办公厅
市场监管总局办公厅
2019年11月28日
App违法违规收集使用个人信息行为认定方法
根据《关于开展App违法违规收集使用个人信息专项治理的公告》,为监督管理部门认定App违法违规收集使用个人信息行为提供参考,为App运营者自查自纠和网民社会监督提供指引,落实《网络安全法》等法律法规,制定本方法。
一、以下行为可被认定为“未公开收集使用规则”
1.在App中没有隐私政策,或者隐私政策中没有收集使用个人信息规则;
2.在App首次运行时未通过弹窗等明显方式提示用户阅读隐私政策等收集使用规则;
3.隐私政策等收集使用规则难以访问,如进入App主界面后,需多于4次点击等操作才能访问到;
4.隐私政策等收集使用规则难以阅读,如文字过小过密、颜色过淡、模糊不清,或未提供简体中文版等。
二、以下行为可被认定为“未明示收集使用个人信息的目的、方式和范围”
1.未逐一列出App(包括委托的第三方或嵌入的第三方代码、插件)收集使用个人信息的目的、方式、范围等;
2.收集使用个人信息的目的、方式、范围发生变化时,未以适当方式通知用户,适当方式包括更新隐私政策等收集使用规则并提醒用户阅读等;
3.在申请打开可收集个人信息的权限,或申请收集用户身份证号、银行账号、行踪轨迹等个人敏感信息时,未同步告知用户其目的,或者目的不明确、难以理解;
4.有关收集使用规则的内容晦涩难懂、冗长繁琐,用户难以理解,如使用大量专业术语等。
三、以下行为可被认定为“未经用户同意收集使用个人信息”
1.征得用户同意前就开始收集个人信息或打开可收集个人信息的权限;
2.用户明确表示不同意后,仍收集个人信息或打开可收集个人信息的权限,或频繁征求用户同意、干扰用户正常使用;
3.实际收集的个人信息或打开的可收集个人信息权限超出用户授权范围;
4.以默认选择同意隐私政策等非明示方式征求用户同意;
5.未经用户同意更改其设置的可收集个人信息权限状态,如App更新时自动将用户设置的权限恢复到默认状态;
6.利用用户个人信息和算法定向推送信息,未提供非定向推送信息的选项;
7.以欺诈、诱骗等不正当方式误导用户同意收集个人信息或打开可收集个人信息的权限,如故意欺瞒、掩饰收集使用个人信息的真实目的;
8.未向用户提供撤回同意收集个人信息的途径、方式;
9.违反其所声明的收集使用规则,收集使用个人信息。
四、以下行为可被认定为“违反必要原则,收集与其提供的服务无关的个人信息”
1.收集的个人信息类型或打开的可收集个人信息权限与现有业务功能无关;
2.因用户不同意收集非必要个人信息或打开非必要权限,拒绝提供业务功能;
3.App新增业务功能申请收集的个人信息超出用户原有同意范围,若用户不同意,则拒绝提供原有业务功能,新增业务功能取代原有业务功能的除外;
4.收集个人信息的频度等超出业务功能实际需要;
5.仅以改善服务质量、提升用户体验、定向推送信息、研发新产品等为由,强制要求用户同意收集个人信息;
6.要求用户一次性同意打开多个可收集个人信息的权限,用户不同意则无法使用。
五、以下行为可被认定为“未经同意向他人提供个人信息”
1.既未经用户同意,也未做匿名化处理,App客户端直接向第三方提供个人信息,包括通过客户端嵌入的第三方代码、插件等方式向第三方提供个人信息;
2.既未经用户同意,也未做匿名化处理,数据传输至App后台服务器后,向第三方提供其收集的个人信息;
3.App接入第三方应用,未经用户同意,向第三方应用提供个人信息。
六、以下行为可被认定为“未按法律规定提供删除或更正个人信息功能”或“未公布投诉、举报方式等信息”
1.未提供有效的更正、删除个人信息及注销用户账号功能;
2.为更正、删除个人信息或注销用户账号设置不必要或不合理条件;
3.虽提供了更正、删除个人信息及注销用户账号功能,但未及时响应用户相应操作,需人工处理的,未在承诺时限内(承诺时限不得超过15个工作日,无承诺时限的,以15个工作日为限)完成核查和处理;
4.更正、删除个人信息或注销用户账号等用户操作已执行完毕,但App后台并未完成的;
5.未建立并公布个人信息安全投诉、举报渠道,或未在承诺时限内(承诺时限不得超过15个工作日,无承诺时限的,以15个工作日为限)受理并处理的。
Personal Information Protection Law (Expert Suggestion Draft)
Editorial note:
This suggestion draft is one of the outcomes of the National Social Science Fund Major Project “Important Legislative Questions for Internet Security” (14ZDC021) at Renmin University of China Law School, of which Professor Zhang Xinbao is lead expert, its objective is to provide reference for legislation, its authors are Zhang Xinbao and Ge Xin. On deficiencies in the suggestion draft, the submission of valuable opinions and suggestions is welcomed, to be sent to gexinde@126.com. After further revision and perfection, the suggestion draft and statement of grounds for legislation will be published in the near future by Renmin University of China Press, further attention is respectfully invited. Read the rest of this entry »
Management Rules for Credit Information of Gravely Untrustworthy Subjects in Internet Information Services (Opinion-seeking Draft)
Article 1: In order to stimulate the construction of credit in the Internet information services area, ensure the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China”, the “Planning Outline for the Construction of a Social Credit System”, the “State Council Guiding Opinions concerning Establishment and Perfection of Joint Incentive Structures for the Trustworthy and Joint Punishment Structures for the Untrustworthy, and Accelerating the Advance of Social Credit Construction”, the “State Council General Office Guiding Opinions concerning Accelerating the Advance of Social Credit System Construction and Building Novel Management Mechanisms Based on Credit” and the “State Council Notice concerning Authorizing the Cyberspace Administration of China to Take Responsibility for Internet Information Content Management Work”, these Rules are formulated. Read the rest of this entry »
State Council General Office Guiding Opinions concerning Accelerating the Advance of Social Credit System Construction and Building Credit-Based Novel Supervision and Management Mechanisms
GBF No. (2019)35
All provincial, autonomous region and municipal People’s Governments, all State Council Ministries and Commissions, all directly subordinate bodies:
In order to strengthen the construction of the social credit system, deeply advance the “release, management and service” reform, further give rein to the fundamental role of credit in innovating supervision and management mechanisms, raising supervision and management capacities and levels, even better incite the vigour of market subjects, and promote high-quality development, with the agreement of the State Council, the following Opinions are hereby put forward.
I, General requirements.
With Xi Jinping Thought on Socialism with Chinese characteristics for a new era as guidance, deeply implement the spirit of the 19th Party Committee and its 2nd and 3rd Plenums, according to the basic principles of acting according to laws and regulations, reform and innovation, coordinated and joint governance, with strengthening credit supervision and management as rallying points, innovate supervision and management concepts, supervision and management structures, and supervision and management methods, establish and complete novel supervision and management methods running throughout the whole lifecycle of market subjects, connecting supervision and management links ex ante, ad interim and ex post, incessantly enhance supervision and management capabilities and levels, further standardize market order, optimize the commercial environment, and promote high-quality development.
II, Innovating credit supervision and management in the ex-ante link
(1) Establishing and completing credit commitment structures. When handling administrative licencing affairs using credit commitment structures, where applicants’ commitments conform to approval conditions and they have submitted the relevant materials, this shall be handled immediately. Where applicants’ credit situation is relatively good, and a part of the application materials is incomplete but they commit in writing to provide this within the provided time period, they shall be accepted with priority, and the handling process is to be accelerated. The circumstances of honouring written commitments will be entered into credit records, to act as an important basis for ad interim and ex post supervision and management, applicants not honouring them will be subject to punishment in view of the circumstances. We must accelerate combing through administrative licensing items amenable to the introduction of credit commitments, formulate credit commitment letters with standardized templates, and rely on all levels’ credit portal websites to publish them. Market subjects are encouraged to actively issue credit commitments to society. Sectoral associations and chambers of commerce are supported in the establishment and completion of intra-sector credit commitment structures, strengthening sectoral self-discipline. (All localities and all departments are respectively responsible according to their duties)
(2) Exploring the introduction of business people’s pre-access sincerity education. Fully utilized all levels’ and all categories’ government service windows, to broadly launch education on legal compliance and sincerity among market subjects. When handling work related to registration, examination and approval, filing, etc. for market subjects, timely introduce standardized, regularized and convenient legal knowledge and credit knowledge education, raising business people’s consciousness on doing business according to the law and sincerely. The launch of credit education must not be fee-paying, and must also not be a necessary condition for market access. (All localities and all departments are respectively responsible according to their duties)
(3) Vigorously expand credit reporting applications. All kinds of market subjects are encouraged to more broadly and actively use credit reports in their production and commercial activities. In processes such as government procurement, tendering and bidding, administrative examination and approval, market access, credential verification, etc., fully give rein to the role of credit reports issues by public credit service bodies and third-party credit service bodies. Explore the establishment of nationwide uniform credit report standards, promote cross-regional mutual recognition of credit report results. (NDRC, PBoC take the lead, all localities and all departments are respectively responsible according to their duties)
III, Strengthening credit supervision and management in the ad interim segment
(4) Comprehensively establish market subject credit records. Establish credit information collection catalogues on the basis of lists of powers and responsibilities, timely, accurately and comprehensively record market subjects’ credit activities in the process of handing registration, qualification verification, daily supervision and management, public service, etc., especially file and record untrustworthiness records, ensure that these can be consulted, verified and traced. ((All localities and all departments are respectively responsible according to their duties). Perfect uniform social credit code structures for legal persons and non-legal person organizations, use the uniform social credit code as a marker to integrate and shape integrated market subject credit records, and publish these according to laws and regulations through channels such as the “Credit China” website, he national enterprise credit information publication system or the China governmental web, as well as other related portal websites. Complete the 12315 market supervision and management complaint reporting hotline and informatized platform integration work, forcefully launch consumer complaints publication, stimulate businesspeople to implement their leading responsibility for consumer rights defence. (NDRC takes the lead, all departments are respectively responsible according to their duties).
(5) Establishing and completing voluntary credit information registration mechanisms. Encourage market subjects to voluntarily register credit information on qualifications and licences, market operations, contract fulfilment, social welfare, etc. on the “Credit China” website or other channels, to make public credit commitments concerning the veracity of the information, authorize the website to integrate, share and apply corresponding information. Verified voluntarily registered information may be an important basis to conduct credit evaluation and generate credit reports. (NDRC takes the lead, all departments are respectively responsible according to their duties.
(6) Deeply conducting comprehensive credit evaluation. The nationwide credit information sharing platforms must strengthen coordination and cooperation with relevant departments, integrate all kinds of credit information according to laws and regulations, conduct full-coverage, standardized, and public interest-type comprehensive public credit evaluation of market subjects, regularly report evaluation results to corresponding government department, financial bodies, sectoral associations and chambers of commerce for reference and use, and publish them to society according to relevant regulations. Promote relevant departments’ use of comprehensive public credit evaluation results, integrate departmental and sectoral management data, establish sectoral credit evaluation models, and provide ever more accurate bases for credit supervision and management. (NDRC takes the lead, all departments are respectively responsible according to their duties)
(7) Forcefully advancing tiered and categorized credit supervision and management. Divide supervision and management across tiers and categories on the basis of fully grasping credit information, and comprehensively deliberating the situation of credit, and on the basis of comprehensive public credit evaluation results and sectoral credit evaluation results, etc., and adopt differentiated supervision and management measures based on the height of the credit tier. “Double random and one public” supervision and management must be integrated with credit tiers, the proportion and frequency of spot checks may be reasonably lowered for market subjects with relatively good credit and relatively low risk, reducing influence to their regular production and operations; for market subjects with ordinary credit risks, spot checks are conducted with conventional proportions and frequencies; for law-breaking, untrustworthy, and relatively high-risk market subjects the proportion and frequency of spot checks will be appropriately increased, implementing strict management and punishment according to laws and regulations. (All localities and all departments are respectively responsible according to their duties)
IV, Perfecting credit supervision and management in the ex-post segment
(8) Completing determination mechanisms for the counterparts for joint punishment for trust-breaking. Relevant departments will establish and complete name list systems for the counterparts of joint punishment for trustworthiness according to laws and regulations, on the basis of untrustworthiness records obtained and determined during the ex ante and interim supervision and management segments. Market subjects with unlawful and untrustworthy acts of a malicious nature, with grave circumstances and relatively large social harm will be listed on the name list for joint punishment counterparts for untrustworthy acts according to procedure and on the basis of corresponding judicial verdicts, administrative punishments, administrative coercive measures, etc. Accelerate the perfection of relevant management rules, clarify determination bases, standards, procedures, dissent appeals and withdrawal mechanisms. For the formulation of management rules, the opinions from the social public must be fully solicited, and published standards and their concrete determination procedures will be made published to society in an appropriate manner. Relevant departments will be supported to establish name list systems for focus attention targets on the basis of requirement, for market subjects where untrustworthy acts exist but the degree of gravity has not reached the determination standard for joint punishment of untrustworthiness, it is permitted to implement strict supervision measures corresponding to the degree of their untrustworthiness. (All departments are respectively responsible according to their duties)
(9) Supervising rectification of untrustworthy market subjects within a limited time. Untrustworthy market subjects shall earnestly rectify matters within the provided time limits; where the rectification is insufficient, the determining department will initiate procedures for prompting talks or warning talks according to laws and regulations, according to the principle of “who determines, has the talk”, and supervise untrustworthy market subjects’ fulfilment of related duties and deletion of the harmful influence. Talk records are included into the credit record of the untrustworthy market subject, and are entered into the national credit information sharing platform after uniform collection. Forcefully advance special campaigns on untrustworthiness issues in focus areas, and adopt powerful and effective measures to accelerate the progress of rectification. (All departments are respectively responsible according to their duties)
(10) Deeply conducting joint punishment for untrustworthiness. Accelerate the construction of cross-regional, cross-sectoral, and cross-area joint punishment mechanisms for untrustworthiness, and resolve the problem that untrustworthy acts emerge repeatedly, or emerge in other areas at the roots. Establish joint punishment measure lists according to laws and regulations, dynamically renew them and publish them to society, and create a large structure for joint punishment for untrustworthiness with multi-barrelled roles for administrative, market and sectoral punishment measures, and broad participation from social forces. Focus on implementing punishment measures for untrustworthiness with great punitive strength and good supervision and management effects, including constraining targets of joint punishment for untrustworthiness according to laws and regulations from issuing shares, tendering and bidding, applying for funding projects from the finance administration, enjoying fiscal preferences and other such administrative punishment measures, restrict them from obtaining credit lines, traveling on aircraft, traveling on high-grade trains and seats and other such market punishment measures, as well as reporting for criticism, public denunciation and other such administrative punishment measures. (NDRC takes the lead, all localities and all departments are respectively responsible according to their responsibilities)
(11) Determinedly implementing market and sector ban mechanisms according to laws and regulations. Implement strict supervision and management, and strengthen punishment with the focus on food and drug products, ecology and the environment, engineering quality, safe production, care for the elderly and children, urban operational security and other such areas directly connected with the security of the popular masses’ lives and assets. Firmly implement market and sectoral ban measures within a certain time period according to laws and regulations, even up to permanent expulsion from markets, against market subjects and their relevant responsible persons who refuse to implement a judicial verdict or an administrative punishment decision, do not improve after repeated violations, resulting in major losses. (NDRC takes the lead, all localities and all departments are respectively responsible according to their duties)
(12) Lawfully investigate liability for law-breaking and untrustworthiness. Establish and complete liability investigation mechanisms, impose untrustworthiness punishment against the legal representative or main responsible persons and actual controlling persons of market subjects listed on the joint punishment target list for untrustworthiness according to laws and regulations, and enter corresponding untrustworthy act on their personal credit record. Where unlawful or untrustworthy conduct occurs in organize undertaking work units or State-owned enterprises, it must be reported to the higher-level competent work unit and auditing department; where unlawful or trust-breaking conduct occurs among work personnel, they must be reported to their work unit and the related discipline inspection, supervision, organization and personnel departments. (All localities and all departments are respectively responsible according to their duties)
(13) Exploring the establishment of credit recovery mechanisms. Where untrustworthy market subjects correct the untrustworthy act and eliminate harmful influence within the provided time limit, they may conduct credit recovery through methods such as issuing credit commitments, completing credit rectification, passing credit inspections, accepting specialized training, submitting credit reports, participating in public interest and charity activities, etc. After recovery is completed, all localities and all departments must timely cease the publication of their untrustworthiness reports according to procedure, and terminate the implementation of joint punishment measures. Accelerate the establishment and perfection of mechanisms for coordination and joint action, handling all affairs through one network, and provide high-efficiency and convenient credit recovery services to untrustworthy market subjects. Third-party credit service bodies meeting conditions are encouraged to provide credit reports, credit management consulting and other such services. (NDRC takes the lead, all localities and all departments are respectively responsible according to their duties)
V, Strengthening support and safeguards for credit supervision and management
(14) Striving to enhance credit supervision and management informatization construction levels. Give full rein to the information collection and sharing role of the nationwide credit information sharing platform and the national “Internet Plus Supervision and Management” system, ensure that government departments’ credit information “is fully collected where it shall be collected”, enhance the interconnection and interaction of local credit information platforms and sectoral credit information systems, create smooth government and enterprise data circulation mechanisms, create “one network” completely covering credit information of all localities, all departments and all kinds of market subjects. Rely on the national credit information sharing platform and the national “Internet Plus Supervision and Management” system to share basic market subject information, law enforcement supervision, management and punishment information, untrustworthiness joint punishment information etc. with related departmental operations systems according to requirement, add applications in the process of credit supervision and management and other such processes, support the creation of a credit supervision and management coordination mechanism with synchronized data, uniform measures and consistent standards. (NDRC and State Council General Office take the lead, all localities and all departments are respectively responsible according to their duties)
(15) Forcefully advancing credit supervision and management information openness and publication. On the basis of integrated publication of administrative licensing and administrative punishment information, entrust the “Credit China” website, the Chinese government network and other channels with further researching and promoting the open uploading of information on administrative obligations, administrative affirmations, administrative collection, administrative fees, administrative rulings, administrative compensation, administrative rewards, administrative supervision and inspection, and other such administrative acts within seven working days, promote the publication of information in judicial verdicts and law enforcement activities related to untrustworthy persons subject to enforcement and untrustworthy persons making false complaints of whom the information should be published, ensuring that “what shall be published, is fully published”. (All localities and all departments are respectively responsible according to their duties)
(16) Fully giving rein to the supporting role of “Internet Plus” and big data in credit supervision and management. Rely on the national “Internet Plus Supervision and Management” system and other such systems to effectively integrate public credit information, market credit information, complaints reporting information and related Internet and third-party information, fully use big data, artificial and other such new-generation information technologies to realize that credit supervision and management data can be compared, processes can be traced, and issues can be monitored. All localities and all departments are encouraged to, in integration with reality, cooperate with big data bodies according to laws and regulations to exploit credit information, grasp market subjects’ business situations and the characteristics of their laws in a timely and dynamic manner. Fully use the national “Internet Plus Supervision and Management” system and other such systems to establish early risk assessment and early warning mechanisms, to discover and prevent symptomatic, cross-sectoral and cross-regional risks early. Use big data to actively discover and distinguish clues for violations of laws and regulations, effectively prevent acts violating laws and regulations harming the public interests and the security of the masses’ lives and assets. It is encouraged to enhance law enforcement supervision and management efficiency through the Internet of Things, the Internet of Vision and other such non-contact supervision and management measures to enhance the efficiency of law enforcement, supervision and management, realize the standardization, accuratization and smartification of supervision and management, reduce human factors, realize fair supervision and management, stop problems such as wilful inspections, multi-headed supervision and inspection, etc., realize “entering the door once, inspecting multiple matters”, and reduce disturbance to supervision and management targets. (State Council General Office, NDRC, State Administration of Market Regulation take the lead, all departments are respectively responsible according to their duties.
(17) Realistically strengthening the protection of credit information security and market subjects’ rights and interests. Strictly investigate and prosecute acts where credit information is leaked or distorted in violation of regulations, or credit information is used in pursuit of private gain, etc. Strengthen the construction of basic credit information security infrastructure and security protection capabilities. Establish and complete credit information objection and complaint structures, information providing and collecting work units must as quickly as possible examine and verify information to which market subjects have raised an objection and feed back the results, information verified as containing errors must be timely corrected or deleted. Where market subjects’ lawful rights and interests were harmed after they were erroneously assigned to the untrustworthiness joint punishment target list, or untrustworthiness joint measures were erroneously adopted, relevant departments and work units must vigorously adopt measures to eliminate the harmful influence. (All localities and al departments are responsible on the basis of their duties)
(18) Vigorously guiding sectoral organizations and credit service bodies to coordinate supervision and management. Relevant department-authorized sectoral associations and chambers of commerce are supported to assist in the conduct of sectoral credit construction and credit supervision and management, sectoral associations and chambers of commerce are encouraged to establish member credit records, conduct credit commitments, credit training, sincerity propaganda, sincerity advocacy etc., make sincerity into an important component for sectoral rules and sectoral conventions, and guide their sectors in strengthening awareness about doing business lawfully and sincerely. Promote the development of information services for credit inquiry, credit grading, credit insurance, credit guarantees, contract fulfilment guarantees, credit management consulting and training, etc., and realistically let third-party credit service bodies play a specialized role in aspects such as credit information collection, processing, use, etc. Relevant departments are encouraged to launch cooperation’s with third-party credit service bodies in areas such as credit record integration, credit information sharing, credit big data analysis, credit risk early warning, examination and verification of cases of untrustworthiness, tracing and monitoring of untrustworthy activities, etc. (NDRC, Ministry of Civil Affairs, People’s Bank of China are respectively responsible according to their duties)
VI, Strengthening organization and implementation of credit supervision and management
(19) Strengthening organizational leadership. All localities and all departments must make building credit-based novel supervision and management mechanisms into an important measure in deeply advancing the “release, manage, serve” reform, put it in an ever more prominent position, strengthen organizational leadership, detail divisions of work and responsibilities, and promote implementation in a forceful, orderly and effective manner. Perfect supplementary structures to credit supervision and management, and strengthen links with other elements of “release, manage, serve” reform. Departments responsible for market supervision and management and sectoral supervision and management must realistically bear their dominant responsibility in sectoral credit construction and credit supervision and management, fully give rein to the roles of sectoral organizations and third-party credit service bodies, create beneficial conditions for public supervision, integrate and create joint forces for credit supervision and management with joint participation from all of society. (NDRCD takes the lead, all departments and all localities are respectively responsible according to their duties)
(20) Launching trials and demonstrations. Organize and launch credit construction and credit supervision and management trials and demonstrations revolving around credit commitments, credit recovery, untrustworthiness joint punishment, credit big data exploitation and use and other such focus work. On the basis of exploration and innovation in all localities and all departments, timely summarize, abstract and exchange good methods and good experiences in launching credit construction and credit supervision and management, and reproduce and broaden them on an ever greater scale (NDRC takes the lead, all localities and all departments are respectively responsible according to their duties)
(21) Accelerating the establishment of rules and structures. Promote the formulation of social credit system construction-related laws, accelerate the research and promulgation of public credit information management regulations, unified social credit code management rules and other such regulations. Establish and complete nationwide uniform credit supervision and management norms and standards, timely publish related local regulations, government rules and normative documents, and upgrade methods effective in credit supervision and management practice into structures and norms. Grasp the formulation of national standards urgently needed in credit supervision and management. (NDRC, Ministry of Justice take the lead, all localities and all departments are respectively responsible according to their duties)
(22) Conducting propaganda and explanation. All localities and all departments must, through all kinds of channels and methods, conduct policy propaganda and explanation work in a thorough and detailed manner for market subjects, to let businesspeople fully understand and vigorously cooperate with credit-based novel supervision and management measures. Strengthen guidance and training for grass-roots and first-line supervision and management personnel. Organize news media to report broadly, vigorously propagate credit supervision and management measures and their results, and create a benign social atmosphere. (NDRC takes the lead, all localities and all departments are respectively responsible according to their duties)
State Council General Office
9 July 2019
国务院办公厅关于加快推进社会信用体系建设 构建以信用为基础的新型监管机制的指导意见
国办发〔2019〕35号
各省、自治区、直辖市人民政府,国务院各部委、各直属机构:
为加强社会信用体系建设,深入推进“放管服”改革,进一步发挥信用在创新监管机制、提高监管能力和水平方面的基础性作用,更好激发市场主体活力,推动高质量发展,经国务院同意,现提出如下意见。
一、总体要求
以习近平新时代中国特色社会主义思想为指导,深入贯彻落实党的十九大和十九届二中、三中全会精神,按照依法依规、改革创新、协同共治的基本原则,以加强信用监管为着力点,创新监管理念、监管制度和监管方式,建立健全贯穿市场主体全生命周期,衔接事前、事中、事后全监管环节的新型监管机制,不断提升监管能力和水平,进一步规范市场秩序,优化营商环境,推动高质量发展。
二、创新事前环节信用监管
(一)建立健全信用承诺制度。在办理适用信用承诺制的行政许可事项时,申请人承诺符合审批条件并提交有关材料的,应予即时办理。申请人信用状况较好、部分申报材料不齐备但书面承诺在规定期限内提供的,应先行受理,加快办理进度。书面承诺履约情况记入信用记录,作为事中、事后监管的重要依据,对不履约的申请人,视情节实施惩戒。要加快梳理可开展信用承诺的行政许可事项,制定格式规范的信用承诺书,并依托各级信用门户网站向社会公开。鼓励市场主体主动向社会作出信用承诺。支持行业协会商会建立健全行业内信用承诺制度,加强行业自律。(各地区各部门按职责分别负责)
(二)探索开展经营者准入前诚信教育。充分利用各级各类政务服务窗口,广泛开展市场主体守法诚信教育。为市场主体办理注册、审批、备案等相关业务时,适时开展标准化、规范化、便捷化的法律知识和信用知识教育,提高经营者依法诚信经营意识。开展诚信教育不得收费,也不得作为市场准入的必要条件。(各地区各部门按职责分别负责)
(三)积极拓展信用报告应用。鼓励各类市场主体在生产经营活动中更广泛、主动地应用信用报告。在政府采购、招标投标、行政审批、市场准入、资质审核等事项中,充分发挥公共信用服务机构和第三方信用服务机构出具的信用报告作用。探索建立全国统一的信用报告标准,推动信用报告结果实现异地互认。(发展改革委、人民银行牵头,各地区各部门按职责分别负责)
三、加强事中环节信用监管
(四)全面建立市场主体信用记录。根据权责清单建立信用信息采集目录,在办理注册登记、资质审核、日常监管、公共服务等过程中,及时、准确、全面记录市场主体信用行为,特别是将失信记录建档留痕,做到可查可核可溯。(各地区各部门按职责分别负责)完善法人和非法人组织统一社会信用代码制度,以统一社会信用代码为标识,整合形成完整的市场主体信用记录,并通过“信用中国”网站、国家企业信用信息公示系统或中国政府网及相关部门门户网站等渠道依法依规向社会公开。完成12315市场监管投诉举报热线和信息化平台整合工作,大力开展消费投诉公示,促进经营者落实消费维权主体责任。(发展改革委、市场监管总局负责)
(五)建立健全信用信息自愿注册机制。鼓励市场主体在“信用中国”网站或其他渠道上自愿注册资质证照、市场经营、合同履约、社会公益等信用信息,并对信息真实性公开作出信用承诺,授权网站对相关信息进行整合、共享与应用。经验证的自愿注册信息可作为开展信用评价和生成信用报告的重要依据。(发展改革委牵头,各部门按职责分别负责)
(六)深入开展公共信用综合评价。全国信用信息共享平台要加强与相关部门的协同配合,依法依规整合各类信用信息,对市场主体开展全覆盖、标准化、公益性的公共信用综合评价,定期将评价结果推送至相关政府部门、金融机构、行业协会商会参考使用,并依照有关规定向社会公开。推动相关部门利用公共信用综合评价结果,结合部门行业管理数据,建立行业信用评价模型,为信用监管提供更精准的依据。(发展改革委牵头,各部门按职责分别负责)
(七)大力推进信用分级分类监管。在充分掌握信用信息、综合研判信用状况的基础上,以公共信用综合评价结果、行业信用评价结果等为依据,对监管对象进行分级分类,根据信用等级高低采取差异化的监管措施。“双随机、一公开”监管要与信用等级相结合,对信用较好、风险较低的市场主体,可合理降低抽查比例和频次,减少对正常生产经营的影响;对信用风险一般的市场主体,按常规比例和频次抽查;对违法失信、风险较高的市场主体,适当提高抽查比例和频次,依法依规实行严管和惩戒。(各地区各部门按职责分别负责)
四、完善事后环节信用监管
(八)健全失信联合惩戒对象认定机制。有关部门依据在事前、事中监管环节获取并认定的失信记录,依法依规建立健全失信联合惩戒对象名单制度。以相关司法裁判、行政处罚、行政强制等处理结果为依据,按程序将涉及性质恶劣、情节严重、社会危害较大的违法失信行为的市场主体纳入失信联合惩戒对象名单。加快完善相关管理办法,明确认定依据、标准、程序、异议申诉和退出机制。制定管理办法要充分征求社会公众意见,出台的标准及其具体认定程序以适当方式向社会公开。支持有关部门根据监管需要建立重点关注对象名单制度,对存在失信行为但严重程度尚未达到失信联合惩戒对象认定标准的市场主体,可实施与其失信程度相对应的严格监管措施。(各部门按职责分别负责)
(九)督促失信市场主体限期整改。失信市场主体应当在规定期限内认真整改,整改不到位的,按照“谁认定、谁约谈”的原则,由认定部门依法依规启动提示约谈或警示约谈程序,督促失信市场主体履行相关义务、消除不良影响。约谈记录记入失信市场主体信用记录,统一归集后纳入全国信用信息共享平台。大力推进重点领域失信问题专项治理,采取有力有效措施加快推进整改。(各部门按职责分别负责)
(十)深入开展失信联合惩戒。加快构建跨地区、跨行业、跨领域的失信联合惩戒机制,从根本上解决失信行为反复出现、易地出现的问题。依法依规建立联合惩戒措施清单,动态更新并向社会公开,形成行政性、市场性和行业性等惩戒措施多管齐下,社会力量广泛参与的失信联合惩戒大格局。重点实施惩戒力度大、监管效果好的失信惩戒措施,包括依法依规限制失信联合惩戒对象股票发行、招标投标、申请财政性资金项目、享受税收优惠等行政性惩戒措施,限制获得授信、乘坐飞机、乘坐高等级列车和席次等市场性惩戒措施,以及通报批评、公开谴责等行业性惩戒措施。(发展改革委牵头,各地区各部门按职责分别负责)
(十一)坚决依法依规实施市场和行业禁入措施。以食品药品、生态环境、工程质量、安全生产、养老托幼、城市运行安全等与人民群众生命财产安全直接相关的领域为重点,实施严格监管,加大惩戒力度。对拒不履行司法裁判或行政处罚决定、屡犯不改、造成重大损失的市场主体及其相关责任人,坚决依法依规在一定期限内实施市场和行业禁入措施,直至永远逐出市场。(发展改革委牵头,各地区各部门按职责分别负责)
(十二)依法追究违法失信责任。建立健全责任追究机制,对被列入失信联合惩戒对象名单的市场主体,依法依规对其法定代表人或主要负责人、实际控制人进行失信惩戒,并将相关失信行为记入其个人信用记录。机关事业单位、国有企业出现违法失信行为的,要通报上级主管单位和审计部门;工作人员出现违法失信行为的,要通报所在单位及相关纪检监察、组织人事部门。(各地区各部门按职责分别负责)
(十三)探索建立信用修复机制。失信市场主体在规定期限内纠正失信行为、消除不良影响的,可通过作出信用承诺、完成信用整改、通过信用核查、接受专题培训、提交信用报告、参加公益慈善活动等方式开展信用修复。修复完成后,各地区各部门要按程序及时停止公示其失信记录,终止实施联合惩戒措施。加快建立完善协同联动、一网通办机制,为失信市场主体提供高效便捷的信用修复服务。鼓励符合条件的第三方信用服务机构向失信市场主体提供信用报告、信用管理咨询等服务。(发展改革委牵头,各地区各部门按职责分别负责)
五、强化信用监管的支撑保障
(十四)着力提升信用监管信息化建设水平。充分发挥全国信用信息共享平台和国家“互联网+监管”系统信息归集共享作用,对政府部门信用信息做到“应归尽归”,推进地方信用信息平台、行业信用信息系统互联互通,畅通政企数据流通机制,形成全面覆盖各地区各部门、各类市场主体的信用信息“一张网”。依托全国信用信息共享平台和国家“互联网+监管”系统,将市场主体基础信息、执法监管和处置信息、失信联合惩戒信息等与相关部门业务系统按需共享,在信用监管等过程中加以应用,支撑形成数据同步、措施统一、标准一致的信用监管协同机制。(发展改革委、国务院办公厅牵头,各地区各部门按职责分别负责)
(十五)大力推进信用监管信息公开公示。在行政许可、行政处罚信息集中公示基础上,依托“信用中国”网站、中国政府网或其他渠道,进一步研究推动行政强制、行政确认、行政征收、行政给付、行政裁决、行政补偿、行政奖励和行政监督检查等其他行政行为信息7个工作日内上网公开,推动在司法裁判和执行活动中应当公开的失信被执行人、虚假诉讼失信人相关信息通过适当渠道公开,做到“应公开、尽公开”。(各地区各部门按职责分别负责)
(十六)充分发挥“互联网+”、大数据对信用监管的支撑作用。依托国家“互联网+监管”等系统,有效整合公共信用信息、市场信用信息、投诉举报信息和互联网及第三方相关信息,充分运用大数据、人工智能等新一代信息技术,实现信用监管数据可比对、过程可追溯、问题可监测。鼓励各地区各部门结合实际,依法依规与大数据机构合作开发信用信息,及时动态掌握市场主体经营情况及其规律特征。充分利用国家“互联网+监管”等系统建立风险预判预警机制,及早发现防范苗头性和跨行业跨区域风险。运用大数据主动发现和识别违法违规线索,有效防范危害公共利益和群众生命财产安全的违法违规行为。鼓励通过物联网、视联网等非接触式监管方式提升执法监管效率,实现监管规范化、精准化、智能化,减少人为因素,实现公正监管,杜绝随意检查、多头监管等问题,实现“进一次门、查多项事”,减少对监管对象的扰动。(国务院办公厅、发展改革委、市场监管总局牵头,各部门按职责分别负责)
(十七)切实加大信用信息安全和市场主体权益保护力度。严肃查处违规泄露、篡改信用信息或利用信用信息谋私等行为。加强信用信息安全基础设施和安全防护能力建设。建立健全信用信息异议投诉制度,对市场主体提出异议的信息,信息提供和采集单位要尽快核实并反馈结果,经核实有误的信息要及时予以更正或撤销。因错误认定失信联合惩戒对象名单、错误采取失信联合惩戒措施损害市场主体合法权益的,有关部门和单位要积极采取措施消除不良影响。(各地区各部门按职责分别负责)
(十八)积极引导行业组织和信用服务机构协同监管。支持有关部门授权的行业协会商会协助开展行业信用建设和信用监管,鼓励行业协会商会建立会员信用记录,开展信用承诺、信用培训、诚信宣传、诚信倡议等,将诚信作为行规行约重要内容,引导本行业增强依法诚信经营意识。推动征信、信用评级、信用保险、信用担保、履约担保、信用管理咨询及培训等信用服务发展,切实发挥第三方信用服务机构在信用信息采集、加工、应用等方面的专业作用。鼓励相关部门与第三方信用服务机构在信用记录归集、信用信息共享、信用大数据分析、信用风险预警、失信案例核查、失信行为跟踪监测等方面开展合作。(发展改革委、民政部、人民银行按职责分别负责)
六、加强信用监管的组织实施
(十九)加强组织领导。各地区各部门要把构建以信用为基础的新型监管机制作为深入推进“放管服”改革的重要举措,摆在更加突出的位置,加强组织领导,细化责任分工,有力有序有效推动落实。完善信用监管的配套制度,并加强与其他“放管服”改革事项的衔接。负有市场监管、行业监管职责的部门要切实承担行业信用建设和信用监管的主体责任,充分发挥行业组织、第三方信用服务机构作用,为公众监督创造有利条件,整合形成全社会共同参与信用监管的强大合力。(发展改革委牵头,各地区各部门按职责分别负责)
(二十)开展试点示范。围绕信用承诺、信用修复、失信联合惩戒、信用大数据开发利用等重点工作,组织开展信用建设和信用监管试点示范。在各地区各部门探索创新的基础上,及时总结、提炼、交流开展信用建设和信用监管的好经验、好做法,在更大范围复制推广。(发展改革委牵头,各地区各部门按职责分别负责)
(二十一)加快建章立制。推动制定社会信用体系建设相关法律,加快研究出台公共信用信息管理条例、统一社会信用代码管理办法等法规。建立健全全国统一的信用监管规则和标准,及时出台相关地方性法规、政府规章或规范性文件,将信用监管中行之有效的做法上升为制度规范。抓紧制定开展信用监管急需的国家标准。(发展改革委、司法部牵头,各地区各部门按职责分别负责)
(二十二)做好宣传解读。各地区各部门要通过各种渠道和形式,深入细致向市场主体做好政策宣传解读工作,让经营者充分理解并积极配合以信用为基础的新型监管措施。加强对基层和一线监管人员的指导和培训。组织新闻媒体广泛报道,积极宣传信用监管措施及其成效,营造良好社会氛围。(发展改革委牵头,各地区各部门按职责分别负责)
国务院办公厅
2019年7月9日
Regulations on Internet Security Supervision and Inspection by Public Security Bodies
Ministry of Public Security of the People’s Republic of China Decree
No. 151
The “Regulations on Internet Security Supervision and Inspection by Public Security Bodies” were passed at the Minister’s business meeting of the Ministry of Public Security on 5 September 2018, are hereby promulgated, and take effect on 1 November 2018.
Minister: Zhao Kezhi
15 September 2018
Regulations on Internet Security Supervision and Inspection by Public Security Bodies
Chapter I: General provisions
Article 1: These Regulations are formulated in order to standardize public security bodies’ Internet security supervision and inspection work, prevent online law-breaking and crime, safeguard cybersecurity, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “People’s Police Law of the People’s Republic of China”, the “Cybersecurity Law of the People’s Republic of China” and other such laws and administrative regulations.
Article 2: These Regulations apply to public security bodies conducting security supervision and inspection of Internet service providers’ and network-using work units’ fulfilment of cybersecurity duties provided in laws and administrative regulations.
Article 3: Internet security supervision and inspection work is conducted by county-level or higher local People’s Government public security body cybersecurity protection departments.
Higher-level public security bodies shall implement guidance and supervision of lower levels’ public security bodies’ conduct of Internet security supervision and inspection work.
Article 4: Public security bodies conducting Internet security supervision and inspection shall abide by the policies of scientific management, ensuring and stimulating development, strictly abide by statutory powers and procedures, incessantly improve law enforcement methods, and comprehensively implement law enforcement responsibilities.
Article 5: Public security bodies and their work personnel shall strictly preserve the secrecy of personal information and privacy, commercial secrets and State secrets they learn in the process of fulfilling Internet security supervision and inspection duties and responsibilities, they may not leak this, sell it or illegally provide it to others.
Public security bodies and their work personnel can only use information they learn in the process of fulfilling Internet security supervision and inspection duties as required for maintaining cybersecurity, and may not use it for other purposes.
Article 6: Public security bodies shall timely notify relevant controlling departments and work units about cybersecurity risks they discover in the process of Internet security supervision and inspection work, which may harm national security, public security or social order.
Article 7: Public security bodies shall establish and implement rules for Internet security supervision and inspection work, and consciously accept supervision by inspection counterparts and the popular masses.
Chapter II: Supervision and inspection counterparts and content.
Article 8: Internet security supervision and inspection will be conducted by public security bodies of the locality of Internet service providers’ network service operations bodies and network using work units’ network management bodies. Where an Internet service provider is an individual, it may be implemented by the public security body of their regular place of residence.
Article 9: Public security bodies shall, on the basis of cybersecurity protection requirements and the concrete circumstances of cybersecurity risks and vulnerabilities, conduct supervision and inspection of the following Internet service providers and network-using work units.
(1) Those providing Internet access, Internet data centre, content distribution and domain name services;
(2) Those providing Internet information services;
(3) Those providing public network access services;
(4) Those providing other Internet services.
Focus supervision and inspection shall be conducted of those who have not conducted the services provided in the previous Paragraph for a full year, those where a cybersecurity incident, breach of law or crime occurred within two years, or those who have been subject to administrative punishment by a public security body for not fulfilling statutory cybersecurity duties.
Article 10: Public security bodies shall, on the basis of the actual circumstances of Internet service providers’ and network-using work units fulfilling their statutory cybersecurity duties, and according to relevant State regulations and standards, conduct supervision and inspection of the following content:
(1) Whether or not they have conducted network work unit filing formalities, and have reported the access work unit, basic user information and changes therein;
(2) Whether or not they have formulated and implemented cybersecurity management rules and operating rules, and appointed a person responsible for cybersecurity;
(3) Whether or not they have adopted technical measures to record and preserve user registration information and network use record information according to the law;
(4) Whether or not they have adopted technical measures to defend against computer viruses, cyberattacks, cyber intrusions, etc.;
(5) Whether or not they have adopted corresponding prevention measures against the publication or transmission of information prohibited in laws and administrative regulations according to the law in public information services;
(6) Whether or not they have provided technical support and assistance to public security bodies lawfully maintaining cybersecurity, preventing and investigating terror activities, or investigating crimes according to statutory provisions;
(7) Whether or not they have fulfilled cybersecurity multi-level protection duties as provided in laws and administrative regulations.
Article 11: Apart from the content listed in Article 10 of these Regulations, public security bodies shall also conduct supervision and inspection of the following content, on the basis of the category of provided Internet services:
(1) Where Internet access services are provided, supervising and inspecting whether they have recorded and preserved network address, allocation and use details;
(2) Where Internet data centre services are provided, supervising and inspecting whether they have recorded user information of the host entrustment, host rental and virtual space rental they provide;
(3) Where Internet domain name services are provided, supervising and inspecting whether they have recorded network domain name application and modification information, and whether or not they have adopted measures to deal with unlawful domain names according to the law.
(4) Where Internet information services are provided, supervising and inspecting whether they have adopted user-disseminated information management measures according to the law, whether or not they have adopted measures to deal with already published or transmitted information of which the dissemination or transmission is prohibited by laws and administrative regulations, and maintained related records;
(5) Where Internet content distribution services are provided, supervising and inspecting whether or not they have recorded circumstances concerning content distribution network and content source network links;
(6) Where Internet public access services are provided, supervising and inspecting whether or not they have adopted technical network and information security protection measures conform to national standards.
Article 12: During periods of national major cybersecurity defence tasks, public security bodies may conduct targeted security supervision and inspection of the following content of Internet service providers and network-using work units related to national major cybersecurity defence tasks:
(1) Whether or not they have formulated work plans required for major national cybersecurity defence tasks, clarified cybersecurity duties and work divisions, and appointed a management person for cybersecurity;
(2) Whether or not they have organized and conducted cybersecurity risk assessments, and adopted corresponding risk control measures to remedy cybersecurity leaks and vulnerabilities;
(3) Whether or not they have formulated cybersecurity emergency response plans, organized and conducted emergency response exercises, and whether or not emergency response-related equipment is complete and effective.
(4) Whether or not they have adopted other cybersecurity protection tasks required for major cybersecurity protection tasks according to the law;
(5) Whether or not they have reported cybersecurity protection measures and implementation circumstances to public security bodies according to requirement.
Internet security supervision and inspection with preventing terror attacks as its major objective will be implemented according to the content provided in the previous Paragraph.
Chapter III: Supervision and inspection procedures
Article 13: Public security bureaus conducting Internet security supervision and inspection may adopt on-site supervision and inspection or remote monitoring methods to do so.
Article 14: When public security bodies conduct on-site Internet security supervision and inspection, the number of People’s Police may not be less than 2, and they shall produce their People’s Police card and county-level or higher local People’s Government public security body-issued supervision and inspection notification letter.
Article 15: Public security bodies conducting on-site Internet security supervision and inspection may adopt the following measures on the basis of requirement:
(1) Entering business premises, computer rooms, work premises;
(2) Requiring the supervision and inspection counterpart’s responsible person or cybersecurity management personnel to explain supervision and inspection matters;
(3) Consulting and reproducing information related to Internet security supervision and inspection;
(4) Checking the operational state of technical network and information security protection measures.
Article 16: Public security bodies may conduct remote monitoring on whether or not cybersecurity leaks exist with Internet service providers and network-using work units.
Public security bodies conducting remote monitoring shall notify the supervision and inspection counterpart in advance about the inspection time, inspection cope and other such matters, or publish the related inspection matters, they may not interfere with or destroy the regular operations of the supervision and inspection counterpart’s networks.
Article 17: Public security bodies conducting on-site supervision and inspection or remote monitoring may entrust cybersecurity service bodies having corresponding technical capabilities with providing technical support.
Cybersecurity service bodies and their work personnel shall strictly preserve the secrecy of personal information and privacy, commercial secrets and State secrets they learn in the process of fulfilling Internet security supervision and inspection duties and responsibilities, they may not leak this, sell it or illegally provide it to others.
Public security bodies shall strictly supervise cybersecurity service bodies’ implementation of cybersecurity management and secrecy protection responsibilities.
Article 18: Public security bodies conducting on-site supervision and inspection shall draft supervision and inspection records, and have them signed by the People’s Police conducting supervision and inspection and the responsible person or cybersecurity management personnel from the supervision and inspection counterpart. Where the responsible person or cybersecurity management personnel from the supervision and inspection counterpart object to the supervision and inspection record, they shall be allowed to explain the matter; where they refuse to sign, People’s Police shall indicate this on the supervision and inspection record.
Public security bodies conducting remote monitoring shall draft supervision and inspection records, and have the supervision and inspection record signed by two or more People’s Police conducting the supervision and inspection.
Where cybersecurity service bodies are entrusted with providing technical support, the technical support personnel shall sign the supervision and inspection record together.
Article 19: Public security bodies discovering that cybersecurity risks or vulnerabilities exist in Internet service providers and network-using work unit in the process of Internet security supervision and inspection, shall urge and guide them to adopt measures to eliminate the risks or vulnerabilities, and indicate this in the supervision and inspection records; where they discover unlawful acts, but circumstances are light or no results have been created, they shall order them to correct the matter within a limited time.
Where the supervision and inspection counterpart believes they have completed correction before the end of the time limit, they may submit a re-inspection application in writing to the public security body.
Public security bodies shall, within three working days after the time limit ends or after receiving an earlier re-inspection application from the supervision and inspection counterpart, conduct a re-inspection of the corrected situation, and feed back the re-inspection results within three working days after the re-inspection concludes.
Article 12: All kinds of material collected in the process of inspection, or all kinds of produced documents and other materials, shall be stored in files according to regulations.
Chapter IV: Legal liability
Article 21: Where public security bodies discover Internet service providers or network-using work units committed the following unlawful acts in the process of Internet security supervision and inspection, they shall impose administrative punishment according to the law:
(1) Those not formulating or implementing cybersecurity management rules and operating rules, or not appointing a responsible person for cybersecurity, will be punished according to Article 59 Paragraph I of the “Cybersecurity Law of the People’s Republic of China”;
(2) Those not adopting technical measures to defend against computer viruses, cyberattacks, cyber intrusions and other such acts harming cybersecurity, will be punished according to the provisions of Article 59 Paragraph I of the “Cybersecurity Law of the People’s Republic of China”;
(3) Those not adopting measures to record and preserve user registration information and web access daily record information, will be punished according to the provisions of Article 59 Paragraph I of the “Cybersecurity Law of the People’s Republic of China”;
(4) Those not requiring users to provide real identity information according to requirements in the process of providing Internet information dissemination, instant communication and other such services, or who provide related services to users not providing real identity information, will be punished according to the provisions of Article 61 of the “Cybersecurity Law of the People’s Republic of China”;
(5) Those who do not adopt measures to cease transmission and delete information of which the dissemination and transmission is prohibited by laws and administrative regulations according to the law or according to public security bodies’ requirements, and preserve relevant records, will be punished according to the provisions of Article 68 or Article 69 Paragraph I of the “Cybersecurity Law of the People’s Republic of China”;
(6) Those refusing to provide technical support and assistance to public security bodies maintaining cybersecurity and investigating criminal activities according to the law, will be punished according to the provisions of Article 69 Paragraph III of the “Cybersecurity Law of the People’s Republic of China”.
Where the acts in the preceding items 4 to 6 violate the “Anti-Terrorism Law of the People’s Republic of China”, they will be punished according to the provisions of Article 84 or Article 86 Paragraph I of the “Anti-Terrorism Law of the People’s Republic of China”.
Article 22: Where public security bodies, in the process of Internet security supervision and inspection, discover Internet service providers and network-using work units steal or obtain personal information in an illegal manner, illegally sell or illegally provide it to others, but it does not constitute a crime, they will be punished according to the provisions of Article 64 Paragraph II of the “Cybersecurity Law of the People’s Republic of China”.
Article 23: Where public security bodies, in the process of Internet security supervision and inspection, discover Internet service providers and network-using work units have installed malicious programmes in the Internet services they provide, they will be punished according to the provisions of Article 60 Paragraph I of the “Cybersecurity Law of the People’s Republic of China”.
Article 24: Where Internet service providers and network-using work units refuse or impede public security bodies’ conduct of Internet security supervision and inspection, they will be punished according to the provisions of Article 69 Paragraph II of the “Cybersecurity Law of the People’s Republic of China”; where they refuse to cooperate with anti-terrorism work, they will be punished according to the provisions of Article 91 or Article 92 of the “Anti-Terrorism Law of the People’s Republic of China.
Article 25: Where cybersecurity service bodies and their work personnel entrusted with providing technical support engage in illegal intrusion into the supervision and inspection counterpart’s networks, interfere with the regular functioning of the supervision and inspection counterpart’s networks, or steal online data and other such activities harming cybersecurity, they will be punished according to the provisions of Article 63 of the “Cybersecurity Law of the People’s Republic of China”; where they steal personal information they have obtained in the process of their work or obtain it in an illegal manner, illegally sell or illegally provide it to others, they will be punished according to the provisions of Article 64 Paragraph II of the “Cybersecurity Law of the People’s Republic of China”, where it constitutes a crime, criminal liability will be prosecuted according to the law.
Where bodies and their work personnel as provided in the previous Paragraph infringe the commercial secrets of the supervision and inspection counterpart, constituting a crime, criminal liability will be prosecuted according to the law.
Article 26: Where public security bodies and their work personnel, in the process of Internet security supervision and inspection work, are derelict in their duties, abuse their powers, or engage in favouritism, the directly responsible person in charge and other directly responsible personnel will be punished according to the law; where it constitutes a crime, criminal liability will be prosecuted according to the law.
Article 27: Where Internet service providers and network-using work units violate these Regulations, constituting a violation of public security management, they will be subject to public order management punishment; where it constitutes a crime, criminal liability will be prosecuted according to the law.
Chapter V: Supplementary provisions
Article 28: Supervision and inspection of commercial Internet access service venues will be implementing according to the relevant provisions of the “Commercial Internet Access Service Venue Management Regulations”.
Article 29: These Regulations take effect on 1 November 2018.
中华人民共和国公安部令
第151号
《公安机关互联网安全监督检查规定》已经2018年9月5日公安部部长办公会议通过,现予发布,自2018年11月1日起施行。
部长 赵克志
2018年9月15日
公安机关互联网安全监督检查规定
第一章 总则
第一条 为规范公安机关互联网安全监督检查工作,预防网络违法犯罪,维护网络安全,保护公民、法人和其他组织合法权益,根据《中华人民共和国人民警察法》《中华人民共和国网络安全法》等有关法律、行政法规,制定本规定。
第二条 本规定适用于公安机关依法对互联网服务提供者和联网使用单位履行法律、行政法规规定的网络安全义务情况进行的安全监督检查。
第三条 互联网安全监督检查工作由县级以上地方人民政府公安机关网络安全保卫部门组织实施。
上级公安机关应当对下级公安机关开展互联网安全监督检查工作情况进行指导和监督。
第四条 公安机关开展互联网安全监督检查,应当遵循依法科学管理、保障和促进发展的方针,严格遵守法定权限和程序,不断改进执法方式,全面落实执法责任。
第五条 公安机关及其工作人员对履行互联网安全监督检查职责中知悉的个人信息、隐私、商业秘密和国家秘密,应当严格保密,不得泄露、出售或者非法向他人提供。
公安机关及其工作人员在履行互联网安全监督检查职责中获取的信息,只能用于维护网络安全的需要,不得用于其他用途。
第六条 公安机关对互联网安全监督检查工作中发现的可能危害国家安全、公共安全、社会秩序的网络安全风险,应当及时通报有关主管部门和单位。
第七条 公安机关应当建立并落实互联网安全监督检查工作制度,自觉接受检查对象和人民群众的监督。
第二章 监督检查对象和内容
第八条 互联网安全监督检查由互联网服务提供者的网络服务运营机构和联网使用单位的网络管理机构所在地公安机关实施。互联网服务提供者为个人的,可以由其经常居住地公安机关实施。
第九条 公安机关应当根据网络安全防范需要和网络安全风险隐患的具体情况,对下列互联网服务提供者和联网使用单位开展监督检查:
(一)提供互联网接入、互联网数据中心、内容分发、域名服务的;
(二)提供互联网信息服务的;
(三)提供公共上网服务的;
(四)提供其他互联网服务的;
对开展前款规定的服务未满一年的,两年内曾发生过网络安全事件、违法犯罪案件的,或者因未履行法定网络安全义务被公安机关予以行政处罚的,应当开展重点监督检查。
第十条 公安机关应当根据互联网服务提供者和联网使用单位履行法定网络安全义务的实际情况,依照国家有关规定和标准,对下列内容进行监督检查:
(一)是否办理联网单位备案手续,并报送接入单位和用户基本信息及其变更情况;
(二)是否制定并落实网络安全管理制度和操作规程,确定网络安全负责人;
(三)是否依法采取记录并留存用户注册信息和上网日志信息的技术措施;
(四)是否采取防范计算机病毒和网络攻击、网络侵入等技术措施;
(五)是否在公共信息服务中对法律、行政法规禁止发布或者传输的信息依法采取相关防范措施;
(六)是否按照法律规定的要求为公安机关依法维护国家安全、防范调查恐怖活动、侦查犯罪提供技术支持和协助;
(七)是否履行法律、行政法规规定的网络安全等级保护等义务。
第十一条 除本规定第十条所列内容外,公安机关还应当根据提供互联网服务的类型,对下列内容进行监督检查:
(一)对提供互联网接入服务的,监督检查是否记录并留存网络地址及分配使用情况;
(二)对提供互联网数据中心服务的,监督检查是否记录所提供的主机托管、主机租用和虚拟空间租用的用户信息;
(三)对提供互联网域名服务的,监督检查是否记录网络域名申请、变动信息,是否对违法域名依法采取处置措施;
(四)对提供互联网信息服务的,监督检查是否依法采取用户发布信息管理措施,是否对已发布或者传输的法律、行政法规禁止发布或者传输的信息依法采取处置措施,并保存相关记录;
(五)对提供互联网内容分发服务的,监督检查是否记录内容分发网络与内容源网络链接对应情况;
(六)对提供互联网公共上网服务的,监督检查是否采取符合国家标准的网络与信息安全保护技术措施。
第十二条 在国家重大网络安全保卫任务期间,对与国家重大网络安全保卫任务相关的互联网服务提供者和联网使用单位,公安机关可以对下列内容开展专项安全监督检查:
(一)是否制定重大网络安全保卫任务所要求的工作方案、明确网络安全责任分工并确定网络安全管理人员;
(二)是否组织开展网络安全风险评估,并采取相应风险管控措施堵塞网络安全漏洞隐患;
(三)是否制定网络安全应急处置预案并组织开展应急演练,应急处置相关设施是否完备有效;
(四)是否依法采取重大网络安全保卫任务所需要的其他网络安全防范措施;
(五)是否按照要求向公安机关报告网络安全防范措施及落实情况。
对防范恐怖袭击的重点目标的互联网安全监督检查,按照前款规定的内容执行。
第三章 监督检查程序
第十三条 公安机关开展互联网安全监督检查,可以采取现场监督检查或者远程检测的方式进行。
第十四条 公安机关开展互联网安全现场监督检查时,人民警察不得少于二人,并应当出示人民警察证和县级以上地方人民政府公安机关出具的监督检查通知书。
第十五条 公安机关开展互联网安全现场监督检查可以根据需要采取以下措施:
(一)进入营业场所、机房、工作场所;
(二)要求监督检查对象的负责人或者网络安全管理人员对监督检查事项作出说明;
(三)查阅、复制与互联网安全监督检查事项相关的信息;
(四)查看网络与信息安全保护技术措施运行情况。
第十六条 公安机关对互联网服务提供者和联网使用单位是否存在网络安全漏洞,可以开展远程检测。
公安机关开展远程检测,应当事先告知监督检查对象检查时间、检查范围等事项或者公开相关检查事项,不得干扰、破坏监督检查对象网络的正常运行。
第十七条 公安机关开展现场监督检查或者远程检测,可以委托具有相应技术能力的网络安全服务机构提供技术支持。
网络安全服务机构及其工作人员对工作中知悉的个人信息、隐私、商业秘密和国家秘密,应当严格保密,不得泄露、出售或者非法向他人提供。公安机关应当严格监督网络安全服务机构落实网络安全管理与保密责任。
第十八条 公安机关开展现场监督检查,应当制作监督检查记录,并由开展监督检查的人民警察和监督检查对象的负责人或者网络安全管理人员签名。监督检查对象负责人或者网络安全管理人员对监督检查记录有异议的,应当允许其作出说明;拒绝签名的,人民警察应当在监督检查记录中注明。
公安机关开展远程检测,应当制作监督检查记录,并由二名以上开展监督检查的人民警察在监督检查记录上签名。
委托网络安全服务机构提供技术支持的,技术支持人员应当一并在监督检查记录上签名。
第十九条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位存在网络安全风险隐患,应当督促指导其采取措施消除风险隐患,并在监督检查记录上注明;发现有违法行为,但情节轻微或者未造成后果的,应当责令其限期整改。
监督检查对象在整改期限届满前认为已经整改完毕的,可以向公安机关书面提出提前复查申请。
公安机关应当自整改期限届满或者收到监督检查对象提前复查申请之日起三个工作日内,对整改情况进行复查,并在复查结束后三个工作日内反馈复查结果。
第二十条 监督检查过程中收集的资料、制作的各类文书等材料,应当按照规定立卷存档。
第四章 法律责任
第二十一条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位有下列违法行为的,依法予以行政处罚:
(一)未制定并落实网络安全管理制度和操作规程,未确定网络安全负责人的,依照《中华人民共和国网络安全法》第五十九条第一款的规定予以处罚;
(二)未采取防范计算机病毒和网络攻击、网络侵入等危害网络安全行为的技术措施的,依照《中华人民共和国网络安全法》第五十九条第一款的规定予以处罚;
(三)未采取记录并留存用户注册信息和上网日志信息措施的,依照《中华人民共和国网络安全法》第五十九条第一款的规定予以处罚;
(四)在提供互联网信息发布、即时通讯等服务中,未要求用户提供真实身份信息,或者对不提供真实身份信息的用户提供相关服务的,依照《中华人民共和国网络安全法》第六十一条的规定予以处罚;
(五)在公共信息服务中对法律、行政法规禁止发布或者传输的信息未依法或者不按照公安机关的要求采取停止传输、消除等处置措施、保存有关记录的,依照《中华人民共和国网络安全法》第六十八条或者第六十九条第一项的规定予以处罚;
(六)拒不为公安机关依法维护国家安全和侦查犯罪的活动提供技术支持和协助的,依照《中华人民共和国网络安全法》第六十九条第三项的规定予以处罚。
有前款第四至六项行为违反《中华人民共和国反恐怖主义法》规定的,依照《中华人民共和国反恐怖主义法》第八十四条或者第八十六条第一款的规定予以处罚。
第二十二条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位,窃取或者以其他非法方式获取、非法出售或者非法向他人提供个人信息,尚不构成犯罪的,依照《中华人民共和国网络安全法》第六十四条第二款的规定予以处罚。
第二十三条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位在提供的互联网服务中设置恶意程序的,依照《中华人民共和国网络安全法》第六十条第一项的规定予以处罚。
第二十四条 互联网服务提供者和联网使用单位拒绝、阻碍公安机关实施互联网安全监督检查的,依照《中华人民共和国网络安全法》第六十九条第二项的规定予以处罚;拒不配合反恐怖主义工作的,依照《中华人民共和国反恐怖主义法》第九十一条或者第九十二条的规定予以处罚。
第二十五条 受公安机关委托提供技术支持的网络安全服务机构及其工作人员,从事非法侵入监督检查对象网络、干扰监督检查对象网络正常功能、窃取网络数据等危害网络安全的活动的,依照《中华人民共和国网络安全法》第六十三条的规定予以处罚;窃取或者以其他非法方式获取、非法出售或者非法向他人提供在工作中获悉的个人信息的,依照《中华人民共和国网络安全法》第六十四条第二款的规定予以处罚,构成犯罪的,依法追究刑事责任。
前款规定的机构及人员侵犯监督检查对象的商业秘密,构成犯罪的,依法追究刑事责任。
第二十六条 公安机关及其工作人员在互联网安全监督检查工作中,玩忽职守、滥用职权、徇私舞弊的,对直接负责的主管人员和其他直接责任人员依法予以处分;构成犯罪的,依法追究刑事责任。
第二十七条 互联网服务提供者和联网使用单位违反本规定,构成违反治安管理行为的,依法予以治安管理处罚;构成犯罪的,依法追究刑事责任。
第五章 附则
第二十八条 对互联网上网服务营业场所的监督检查,按照《互联网上网服务营业场所管理条例》的有关规定执行。
第二十九条 本规定自2018年11月1日起施行。
Proposal on Personal Information Protection
Following the rapid development of the mobile Internet and big data, the scale and impact of the disclosure of personal information of our country’s netizens has become ever larger, gravely infringing netizens’ rights and interests, harming the public interest, and attracting a high degree of attention from competent government departments as well as the broad attention of all walks of society. In order to protect netizens’ personal information security, safeguard the rights and interests of netizens, guide Internet enterprises to collect, store and use personal information in a standardized manner, stimulate the implementation of related laws and regulations, promote the healthy and sustainable development of the Internet sector, the Internet Society of China proposes the following Proposal to the nationwide Internet circles:
I, Strictly abide by all laws and regulations formulated by national and sectoral competent departments, as well as the sectoral self-discipline conventions issued by the Internet Society of China, and cooperate with relevant government departments’ lawful actions to attack the online disclosure of personal information.
II, Strengthen sectoral self-discipline, shoulder corporate social responsibility, strengthen examination, verification and management of interactive platforms such as websites, forums, microblogs, instant messaging, e-commerce, etc., timely discover and clean up online disclosure of personal information, do not provide communication channels for information disclosure, and protect netizens’ lawful rights and interests.
III, Complete supervision and reporting mechanisms, vigorously respond to netizens’ complaints in the area of personal information protection, timely feed back handling outcomes to netizens, earnestly correct problems reflected by the public, increase online service quality, and create an online environment of security and sincerity.
IV, Strengthen professional training for employees, raise employees’ understanding of personal information protection, require employees to earnestly implement legal responsibilities, abide by legal provisions, and implement the requirements concerning personal information protection in laws and regulations.
V, Strengthen cybersecurity protection capabilities, and prevent that databases and user information is stolen. If cybersecurity incidents such as disclosure of user information are discovered, timely report them to public security bodies and relevant government departments, adopt effective measures to plug cybersecurity vulnerabilities, and protect data and information security.
VI, Strengthen propaganda, raise netizens’ capability to identify and judge phishing, fraud and other such online violations and harmful information, strengthen netizens’ understanding and usage levels of online smart terminals, strengthen personal information protection awareness, and prevent personal information disclosure.
Internet Society of China
14 September 2018.
Appendix: small measures to prevent personal information disclosure
1, Do not register at websites with unclear sources, cautiously use mobile phone number registration.
2, Do not scan QR codes from an unclear origin, do not install software from an unclear origin.
3, Information on replaced electronic products must be deleted thoroughly, to prevent law-breakers from recovering data.
4, Processing paper forms with personal information requires caution, and privacy information must be erased.
5, Avoid disclosing excessive personal information on social software, to prevent its use by lawbreakers.
6, Cautiously use free WiFi in public venues, to prevent disclosure of user names and passwords.
7, Do not click on links in text messages and mails, in order to avoid “phishing”.
8, The same account name and password group must not be used on different pieces of software, in order to avoid the creation of grave harm.
个人信息保护倡议书
随着移动互联网和大数据的快速发展,我国网民个人信息泄露的规模和影响越来越大,严重侵犯网民权益,损害公共利益,受到政府主管部门的高度重视和社会各界的广泛关注。为保护网民个人信息安全,维护网民合法权益,引导互联网企业规范地收集、存储及使用个人信息,促进相关法律法规的贯彻落实,推动互联网行业健康可持续发展,中国互联网协会向全国互联网业界发出如下倡议:
一、严格遵守国家和行业主管部门制定的各项法律法规,以及中国互联网协会发布的行业自律公约,配合政府有关部门依法打击网络泄露个人信息的行为。
二、加强行业自律,承担企业社会责任,强化对网站、论坛、微博、即时通信、电子商务等互动平台的审核和管理,及时发现、清理网上泄露的个人信息,不为泄露信息提供传播渠道,保护网民的合法权益。
三、健全监督举报机制,积极响应网民在个人信息保护方面的诉求,及时向网民反馈处理结果,对公众反映的问题认真整改,提高网络服务质量,营造安全诚信的网络环境。
四、加强对从业人员的职业教育,提高从业人员对个人信息保护的认识,要求从业人员认真履行法律责任,遵守法律规定,落实法律法规对个人信息保护方面的要求。
五、强化网络安全防护能力,防止数据库和用户信息被窃取。如发现用户信息泄露等网络安全事件,及时向公安机关及政府有关部门报告,采取有效措施弥补网络安全漏洞,保护数据信息安全。
六、加强宣传,提高网民对钓鱼、诈骗等网络违法和不良信息的识别判断能力,加强网民对网络智能终端的了解和应用水平,强化个人信息保护意识,防止个人信息泄露。
中国互联网协会
2018年9月14日
附:防范个人信息泄露小妙招
1、不要注册来源不明网站,谨慎使用手机号码注册。
2、不扫描来历不明的二维码,不安装来历不明的程序。
3、淘汰的电子产品信息销毁要彻底,防止不法分子恢复数据。
4、带有个人信息的纸张单据处理需谨慎,要抹掉隐私信息。
5、避免在社交软件上泄露过多个人信息,防止不法分子利用。
6、慎用公共场所免费WiFi,防止用户名、密码泄露。
7、不要点击短信和邮件中的链接,以免被“钓鱼”。
8、不同软件不要使用同一组账号密码,以免造成严重损失。
Xi Jinping’s Speech at the National Cybersecurity and Informatization Work Conference
In the wake of the recent upgrade of the Central Leading Group for Cybersecurity and Informatization to a fully-fledged Commission, a national Work Conference on Cybersecurity and Informatization work took place in Beijing on 20 and 21 April. Xi Jinping gave a speech outlining adjusted priorities after the 19th Party Congress. The full text of the speech has not (yet) been made public. This is a translation of the official Xinhua report. Analysis will be published on the DigiChina platform.
Xi Jinping Stresses at the Cybersecurity and Informatization Work Conference to Keenly Grasp the Historical Opportunity in Informatization Development, and Move Forward the Construction of a Cyber Power through Indigenous Innovation
Li Keqiang Chairs, Li Zhanshu, Wang Yang, Wang Huning, Zhao Leji and Han Zheng Attend
Xinhua, 21 April, Beijing (Journalists Zhang Xiaosong, Zhu Jichai). The National Cybersecurity and Informatization Work Conference was convened on the 20th and 21st in Beijing. CCP Central Committee General Secretary, State President, Chair of the Central Military Commission and Chair of the Central Commission for Cybersecurity and Informatization Xi Jinping attended the Conference and gave an important speech. He stressed that informatization has brought extremely rare opportunities to the Chinese nation. We must acutely grasp the historical opportunity of informatization development, strengthen online positive propaganda, safeguard cybersecurity, promote breakthroughs in core technologies in the informatization area, give rein to the guiding role of informatization in economic development, strengthen civil-military convergence in the cybersecurity and informatization area, actively participate in international cyberspace governance processes, move forward the construction of a cyber power through indigenous innovation, and make new contributions to determine victory in comprehensively constructing a moderately prosperous society, seize new grand victories for Socialism with Chinese Characteristics in a new era, and realize the Chinese Dream of the Great Rejuvenation of the Chinese Nation. Read the rest of this entry »
Regulations for Internet Security Supervision and Inspection by Public Security Bodies
(Opinion-seeking Draft)
Chapter I: General Principles
Article 1: In order to strengthen and standardize Internet security supervision and inspection work by public security bodies, prevent online law-breaking and crime, safeguard cybersecurity, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “People’s Police Law of the People’s Republic of China”, the “Cybersecurity Law of the People’s Republic of China” and other such relevant laws and administrative regulations, these Regulations are formulated. Read the rest of this entry »
Report concerning the Inspection of the Implementation of the “Cybersecurity Law of the People’s Republic of China” and the “National People’s Congress Standing Committee Decisions concerning strengthening Online Information Protection”
Presented at the 31st Meeting of the 12th National People’s Congress Standing Committee on 24 December 2017
Wang Shengjun
Cybersecurity affects the long-term governance of the Party, affects a long period of peace and order for the country, and affects economic and social development as well as the personal interests of the popular masses. General Secretary Xi Jinping has emphatically pointed out that without cybersecurity, there is no national security, without informatization, there is no modernization. The National People’s Congress attaches high importance to cybersecurity work, deliberated and passed the “National People’s Congress Standing Committee Decision concerning Strengthening Network and Information Security Protection” in December 2012, and deliberated and passed the “Cybersecurity Law of the People’s Republic of China” in November 2016 (hereafter referred to as the “Law and Decision”). On the basis of the 2017 supervisory work plan, the National People’s Congress Standing Committee Law Enforcement Inspection Group has conducted a review of the implementation situation of the “Law and Decision” from August to October 2017. Now, on behalf of the Law Enforcement Inspection Group, I report to the Standing Committee.
I, The work situation of law enforcement inspection.
The Cybersecurity Law took effect on 1 June of this year. Opening a law enforcement inspection of a newly formulated law, having effect for less than three months, is a first in the NPCSC’s supervision work. Committee chair Zhang Dejiang attached full importance to this law enforcement inspection, and provided important instructions, pointing out that cybersecurity affects the country’s long term peace and order, and affects economic and social development as well as the well-being of the popular masses. The NPCSC launching law enforcement inspection in the same year that the Cybersecurity Law has taken effect, is an implementation of the spirit of the important instructions of General Secretary Xi Jinping concerning “we must establish a correct cybersecurity view”, to supervise relevant parties to further strengthen legal propaganda, strengthen the cybersecurity awareness of all of society, grasp the formulation of accompanying laws and policies, ensure the effective implementation of the law, strive to upgrade cyberspace governance levels and realistically safeguarding security in national cyberspace and the lawful rights and interests of the people. We hope that the inspection group have meticulously organized this law enforcement inspection, persisted in problem-based guidance, and found through in facts. On the basis of the spirit of the instructions of Committee chair Zhang Dejiang, the Internal Judicial Committee, Finance and Economics Committee, Education, Science, Culture and Health Committee and the Standing Committee Office researched the matter repeatedly, and established the five focus points of this law enforcement inspection: the first is the situation of conducting legal propaganda and education work; the second is the situation of formulating accompanying regulations and rules; the third is the situation of strengthening critical information infrastructure protection and implementing the multi-level protection system for cybersecurity; the fourth is the situation of bringing online unlawful information under control and safeguarding the benign ecology of cyberspace; and the fifth is the implementation of the citizens’ personal information protection system, and investigating and prosecution unlawful and criminal acts violating citizens’ personal information and related matters.
On 25 August, the Law Enforcement Inspection Group convened its first plenary meeting to convey the important instructions of Committee chair Zhang Dejiang. The meeting heard the reports of the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration of Press, Publications, Radio, Film and Television and the Supreme People’s Court concerning the implementation situation of the “Law and Decision”, the Ministry of Education, the Ministry of Science and Technology and the Ministry of Traffic and Transportation submitted written reporting materials.
On the basis of arrangements, deputy Committee chair and Chef Secretary Wang Zhen, Deputy Committee Chairs Shen Yueyue, Zhang Ping, Wan Exiang, Chen Zhu and myself participated in this law enforcement inspection. The Inspection Group visited six provinces (regions, municipalities) Inner Mongolia, Heilongjiang, Fujian, Henan, Guangdong and Chongqing to conduct investigation, in that period, the Inspection Group heard reports from relevant provincial, municipal and county governments, successively convening over 30 discussion meetings, and inspected several cybersecurity command platforms and critical infrastructure operating work units on the ground. Furthermore, it also entrusted 12 provincial (regional, municipal) People’s Congresses to conduct an investigation of the implementation situation of the “Law and Decision within their administrative area.
In order to deeply understand the implementation situation of the “Law and Decision”, this law enforcement inspection conducted several new trials in terms of methods and approaches: first, it invited third-party expert bodies to participate. From early September until mid-October, the Inspection Group selected 20 important information systems in each of the six provinces (regions, municipalities) for on-the-ground inspection, and entrusted the China Information Security Monitoring Centre with conducting a vulnerability sweep and a mock attack, and issued a specialized monitoring report on the basis of the situation of monitored systems’ cybersecurity. The Inspection Group also entrusted the China Youth Daily Social Survey Centre with conducting popular opinion surveys in 31 provinces (regions, municipalities) on the basis of questions in 10 areas of the “Law and Decision” that closely affect the public, and they issued a survey report. In total, 10370 people participated in this survey. The orderly participation of third-party bodies strengthened the expertise, authority, objectivity and fairness of this inspection. Second, expert participation. Considering the strong specialized nature of cybersecurity, during the law enforcement inspection period, the Inspection Group successively invited 21 cybersecurity experts and technical personnel having engaged in cybersecurity work for a long time from the State Information Technology Security Research Centre and other such work units, to provide technical support to the Investigation Group, and strengthen the focus and efficacy of the inspection. Third, random spot checks. Each small inspection group randomly selected several critical information infrastructure operating work units according to the requirements of the inspection plan, and conducted preliminary spot checks unannounced. Six small inspection groups conducted random spot checks on 13 work units in total. 120 important information systems were monitored remotely, and were also selected randomly by the Law Enforcement Inspection Group, and monitoring was completed under circumstances where the operating work units was not aware of the matter.
II, The method and efficacy of implementing the “Law and Decision””
In recent years, all levels’ Party Committees and governments have earnestly organized study of General Secretary Xi Jinping’s series of important speeches and important judgments concerning cybersecurity, deeply implemented the Centre’s strategic arrangements concerning “building a strong cyber power”, entered cybersecurity into the overall picture of economic and social development and into comprehensive planning and arrangements, forcefully advanced cybersecurity and network information protection work, and legal implementation has seen vigorous results.
(1) Deeply conducting propaganda and education, strengthening cybersecurity awareness.
First, strengthening the entire people’s cybersecurity awareness has been made into a basic task. 9 departments including the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security have, for four successive years, organized and launched Cybersecurity Week and themed days and propaganda activities, lectures, forums, etc. during this period of events annually have exceeded 10.000 in number, with an annual average coverage of around 200 million people. After the promulgation of the Cybersecurity Law, all localities have conducted propaganda and explanation of the core content of the law through newspapers and magazines, radio and television stations, portal websites, governmental microblogs and public channels, etc. Second, strengthening legal propaganda and education in focus work units and focus sectors. The Ministry of Industry and Information Technology has entered learning about the “Law and Decision” into annual assessment standards for basic telecommunications operating enterprises, and organized learning sessions at focus Internet enterprises such as Baidu, Alibaba, Tencent, etc. The Ministry of Public Security has organized concentrated study sessions for the public security bodies nationwide, over 200 Central ministries and commissions as well as Central enterprises, and over 260 information security enterprises and related personnel. The State Administration of Press, Publications, Radio, Film and Television has organized cybersecurity knowledge and skill training and competition activities. Provinces (regions) such as Inner Mongolia and Heilongjiang have conducted focus training for professional backbones in focus work units and focus sectors who are responsible for cybersecurity. Third, closely grasping the critical minority of leading cadres, and making enhancing the cybersecurity awareness of leading cadres into the heaviest of heavies. Localities such as Guangdong and Fujian have promoted leading cadres to take the lead in knowing the law, understanding the law and using the law through organizing cybersecurity and informatization-themed deliberation classes for leading cadres, and other such methods. The Ministry of Traffic and Transportation Party Group’s members have taken the lead in study, and organized a “special training class for bureau-level leading cadres on cybersecurity”, the Ministry of education has organized cybersecurity training classes for the education system, and has conducted topical training for responsible persons in all provincial education administration departments, directly subordinate higher education institute and directly subordinate ministry bodies. All localities have made younger netizens into a focus point for law popularization, launched activities such as “cybersecurity entering campuses and entering households”, “strive to be a netizen with good ‘four haves'”, etc. guiding broad youth into going online in a lawful, civilized and healthy manner.
(2) Formulating accompanying regulations and policies, building cybersecurity structures and systems
In order to support the implementation of the “Law and Decision”, in recent years, relevant state Council departments have published the “National Cyberspace Security Strategy”, the “Telecommunications Cybersecurity Protection Management Rules”, the “Telecommunications and Internet User Personal Information Protection Regulations”, the “Telephone User Real Identity Information Registration Regulations”, the “Press, Publications, Radio, Film and Television Cybersecurity Management Rules”, the “Public Internet Cybersecurity Sudden Incident Emergency Response Plan” and other such accompanying riles, plans and policy documents. The Cybersecurity Administration of China has, together with relevant departments, published the “Some Opinions concerning Strengthening National Cybersecurity Standardization Work”, accelerated the formulation work of cybersecurity standards, and 198 national cybersecurity standards have been published. The Supreme Court and the Supreme Procuratorate have published the “Interpretation concerning Some Questions on Applicable Law when Handling Criminal Cases of Infringement of Citizens’ Personal Information”. Some provinces have also launched accompanying regulation drafting work, the Inner Mongolia Autonomous Region People’s Congress Standing Committee formulated the “Computer Information System Security Protection Rules”, the Fujian Province People’s Congress Standing Committee passed the “Fujian Province Telecommunications Infrastructure Construction and Protection Regulations”, the Guangdong Province People’s Congress Standing Committee published the “Decision concerning Implementing Telecommunications Users Real Identity Information Registration System”, the Heilongjiang Province People’s Congress Standing Committee published the “Industrial Information Security Management Regulations”. Chongqing Municipality persisted in equally stressing cybersecurity and informatization development, strengthening the construction of e-government systems and perfecting governmental website management structures. A series of accompanying regulations, rules and policy documents have been published, assisting in the implementation of the “Law and Decision”.
(3) Enhancing security protection capabilities, striving to ensure the security of network operations
First, strengthening critical information infrastructure protection. In 2016, the Cyberspace Administration of China and other departments organized the launch of critical information infrastructure investigation and inspection work, they conducted spot-checks and technological surveys of 11.000 important infrastructure systems’ operational security state, completed cybersecurity risk assessments in multiple focus sectors including finance, energy, telecommunications, transportation, radio and television, education, healthcare, social security, etc., putting forward over 4000 improvement suggestions. Second, launching network infrastructure protection work. The Ministry of Industry and Information Technology has launched network infrastructure investigation work, completely combing through network infrastructure and information systems, at present, all sectors in total have been determined to contain 11590 critical network infrastructure systems and important information systems. Since 2017, over 900 focus network systems and industrial control systems have been subject to supervision and spot-checks, and 78980 vulnerabilities have been notified for rectification. Third, deeply advancing multi-level cybersecurity protection. 140.000 information systems have already been filed, among whom 1.7000 are third-tier or higher important information systems, this basically covers all critical information infrastructure. At the same time, regularized inspection has been launched for information systems entered into multi-level protection, in recent years, the total of all kinds of security vulnerabilities that have been discovered and rectified approaches 400.000. Fourth, establishing reporting and early warning systems. The Ministry of Public Security has taken the lead in establishing a national cybersecurity reporting and early warning mechanism, with a notification scope already covering 100 Central Party and government bodies, 101 Central enterprises, 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps, all localities have also established cybersecurity and information security notification mechanism, to notify and deal with all kinds of vulnerabilities and threats in real time. The Ministry of Education has established security supervision and early warning mechanisms for important websites and information systems in the education system, having already handled 35.000 security threats in total. Fifth, vigorously launching the construction of coordinated joint action platforms for cybersecurity. The Cyberspace Administration of China has taken the lead in establishing emergency response technology support and assistance mechanisms for critical information infrastructure, it has incessantly upgraded the overall emergency response capabilities, security protection capabilities and coordinated joint action capabilities for critical information infrastructures. Sixth, forcefully conducting cybersecurity special campaign work. The Ministry of Public Security has, together with relevant work unit, conducted large-scale special Internet enterprise defence campaigns, website security, as well as Internet and email security special governance campaigns, discovering and rectifying a batch of deep cybersecurity problems and vulnerabilities.
(4) Controlling information violating laws and regulations, and safeguarding a clear and crisp cyberspace
All localities and all relevant departments have earnestly implemented the requirements of the law, soundly performed online ideological work, and firmly cleaned up information violating laws and regulations of all kinds. Through launching a series of campaigns including “sweeping pornography and beating illegality”, the “Web Sword” etc., targeting information propagating terror, violence, obscenity or sex, etc. on Internet sites, application software, blogs, microblogs, public accounts, instant messaging tools or online streaming. Since 2015, the Cyberspace Administration of China and other departments have, according to the law, held talks with over 2200 websites violating laws or regulations, cancelled the permit or filing of websites breaking laws or regulations or closed unlawful websites in over 13.000 cases, relevant websites have, according to user service agreements, closed nearly 10 million accounts violating laws or regulations, creating a powerful deterrence against all kinds of online unlawful conduct. The China Youth Daily Social Survey Centre provided the inspection group with a large-scale survey analysis report (hereafter simply named “mass survey report” which suggests that among the 10370 people participating in the survey, over 90% of respondents affirm the efficacy of governance, and 63,5% among them believe that information violating laws and regulations online including information harming national security, propagating terror, violence, obscenity or sex has clearly reduced. The legal implementation competent departments have also established an online information patrol mechanism and public reporting platforms, to timely clean up information violating laws and regulations. Chongqing and other such localities give high regard to strengthening online content construction, vigorously creating excellent online works and strengthening online positive propaganda.
(5) Strengthening personal information protection, attacking unlawful and criminal infringement of user information security
In comprehensively implementing real identity system requirements for online access (website filing and domain names / IP addresses), fixed telephones and mobile telephones, in all cases where users do not provide real identity information, operators no longer provide related services to them. In the past five years, telecommunications enterprises have organized the accompanying registration of 300 million old users who had not yet submitted their real name, and ceased the provision of services according to the law to over 10 million users who refused to amend their registration. In order to ensure user information security, relevant departments have guided all network operating work units to further strengthen internal control and management structures, requiring them to implement strict management over application, use and period of validity of major operations such as mass data export, reproduction, information deletion, etc., preventing the mass leak of user information through workflows. Henan Province has strengthened security protection of critical systems for user information storage, enhancing capabilities to protect against hacking attacks. With regard to the trend of high incidence of user personal information crimes, the Ministry of Public Security has arranged and launched a dedicated attack campaign, establishing anti-fraud centres in 31 provinces (regions, municipalities) and the Xinjiang Production-Construction Corps, it comprehensively coordinated the attack against the use of citizens’ personal information to conduct telecommunications and online fraud crimes, in the past two years, over 3700 cases of criminal infringement of personal information were cracked, and over 11.000 criminal suspects were arrested. Between 2014 and September 2017, courts nationwide tried 1529 criminal cases where networks were used to infringe citizens’ personal information, gaining relatively good legal effects and social effects.
(6) Expanding support strength, advancing critical cybersecurity technology innovation.
In order to implement the requirements of the Cybersecurity Law to “support focus cybersecurity technology industries and projects, and support the research, development and utilization of cybersecurity technology”, the Ministry of Science and Technology, jointly with the Cyberspace Administration of China, composed dedicated research plans, based on the current development status of cyberspace security, focusing on raising our country’s critical information infrastructure and data security protection capabilities, supporting trusted management of cyberspace and data asset protection, enhancing cyberspace protection capabilities and other such goals, this established research directions in several focus points. In order to expand support to research, development and application support of cybersecurity technology the Ministry of Science and Technology and the Ministry of Industry and Information Technology gave priority to initiating the “Cyberspace Security Focus Earmarks” in the “13th Five-Year Plan Period” national focus research and development plan, with a State-issued funding input of 1.384 billion Yuan, they systematically arranged 47 research tasks, striving to basically create an indigenous and controllable core cybersecurity technology system by the year 2020. Furthermore, in the “Science and Technology Innovation 2030 – Major Projects”, they gave priority to arranging a batch of major cybersecurity research projects, providing technical support to enhancing our country’s information supervision and management, leak and theft of confidential information prevention, cyber defence, etc. The Ministry of Education has innovated cybersecurity talent education models, adding a first-tier cyberspace security discipline, issuing the “Opinions concerning Strengthening Cybersecurity Discipline Construction and Talent Training” together with relevant departments, initiating first-rate cybersecurity academy construction demonstration projects, and thus providing talent support for cybersecurity technology innovation.
III, Difficulties and problems existing in work
The inspection situation shows that various localities still display some difficulties and problems in implementing the “Law and Decision” and in safeguarding aspects of cybersecurity.
(1) Cybersecurity awareness urgently remains to be strengthened
Many critical information infrastructure operating work units have an insufficient understanding of the importance of cybersecurity, they believe that their being cyberattacked is only a low-probability matter, and they lack understanding of the harm from cyberattacks they may receive. In the area of informatization, they are “high on construction, low on security; high on use, low on protection”, they lack awareness about active defence, and are unwilling to conduct the necessary investment in security protection; when handling the relationship between the usability and security of business information systems, they often more emphasize usability, and when there is a conflict with the later, often reduce security requirements. Quite a few local governments’ and departments’ leading cadres cannot understand cybersecurity from the height of national security, they have not entered cybersecurity work on the important work agenda for that level’s government or department, or they only give it priority in name, “saying it is easy, but treating it as secondary, and forgetting it when busy”. The social public’s cybersecurity awareness is generally not strong, the “Mass Survey Report” indicates that 55,4% of respondents believe that many people around them lack a cybersecurity awareness, and “know that cybersecurity exists but do not know much about it”.
(2) Basic cybersecurity construction is generally weak
First, the construction of cybersecurity state sensing platforms is lagging behind. Cybersecurity risks have a strong hidden component, sensing the security state is the most basic and fundamental work to do cybersecurity well. In safeguarding cybersecurity, it is first and foremost necessary to know where the risks are, what the risks are, and when the risks emerge. But quite a few provinces have not yet initiated the construction of cybersecurity state sensing platforms, they cannot realize all-weather, real-time, dynamic monitoring of the cybersecurity risk in important information systems. Second, the construction of disaster-proof back-up systems is generally lagging behind. Quite a few work units operating critical information infrastructure relating to the national economy and the people’s welfare have not conducted remote disaster-proof backups of important data according to legal provision, but have only adopted several simple data back-up measures, some have even not conducted disaster-proof backups, and cannot effectively respond to major data security risks. In several provinces, multiple important information systems have not conducted remote disaster-proof backups according to legal requirements. Third, indigenization levels in important industrial control enterprises’ equipment and control systems remains to be increased. Several important industrial control enterprises heavily rely on foreign technology, not only are production control systems built by foreign companies, but foreign products are also used as accompanying network and security equipment, the deployment of network and security equipment is controlled by foreign personnel, enterprises’ internal personnel even does not hold security equipment deployment and management powers. In some provinces, the indigenization level of important industrial control enterprises’ production control systems is less than 20%. Fourth, emergency response plans are treated as a mere formality. Some cybersecurity emergency response plans are biased towards the elimination of equipment blockages, and their content dealing with cyberattacks, information leaks and other such cyberspace security incidents is relatively limited; some emergency response plans lack feasibility; some emergency response plans have not been revised for a long time, and can no longer respond to the present type of cybersecurity incidents; many work units have not truly organized emergency response drills because they have insufficient conditions to have emergency response drills; quite a few localities and sectors have insufficient funds to be used to resolve cybersecurity problems, and after problems are discovered, they can often not be resolved timely because of funding shortages.
(3) Prominent cybersecurity risks and vulnerabilities
In order to understand the situation of online operations, the law enforcement inspection group entrusted the China Information Security Monitoring Centre with conducting remote penetration tests and vulnerability scans of 120 randomly selected critical information infrastructure systems (60 portal websites and 60 operational systems). This Centre issued a report that stated that among the 120 critical information infrastructure systems undergoing remote monitoring, 30 contained security vulnerabilities, including 12 high-risk vulnerabilities, some provincial-level departments’ comprehensive Internet supervision and management platforms among them contained three high-risk vulnerabilities of unauthorized uploads, unauthorized downloads, and unauthorized deletion, gravely threatening the security of systems and servers, they also contained grave risks of user information leaks. The remote monitoring also discovered that multiple city-level government portal websites contained the risk that pages might be distorted. The law enforcement inspection group’s on-sit spot checks discovered that multiple work units have not retained network daily records according to laws and regulations, this may lead to the impossibility to timely conduct tracing and response measures when a cybersecurity incident occurs; some work units have not conducted risk assessments of important information systems, and lack knowledge of the cybersecurity situation they may face. The inspection also discovered that in multiple work units, the security construction of intranets and private networks has not been given sufficient attention, some work units have not arranged for any security protection equipment of their intranet systems, and not conducted vulnerability scans for a long time, and thus major cybersecurity risks exists. Following the advance of informatization construction in all areas and all localities, the datafication, onlinification and remotization of all sectors and all areas is becoming ever clearer, putting forward higher requirements for cybersecurity.
(4) The situation in user personal information protection work is grim
The “mass survey report” demonstrates that the implementation of many structures in the “Law and Decision” concerning user personal information protection is not ideal: 52.1% percent of interviewees believe that the provisions in the law concerning “online service providers and other enterprise and undertaking work units must, when collecting and using citizens’ personal electronic information during their business operations, indicate the purpose, method and scope for the collection and use of information” has been implemented badly or mediocrely; 49.6% of interviewees have encountered excessive collection of personal information, and 18.3% among them have regularly encountered excessive collection of user information; 61.2% of people have encountered “dictator clauses” where relevant enterprises use their own advantageous position to force the collection and use of user information, and if this is not accepted, the product in question cannot be used, or services received; 52.5% of people believe that law enforcements’ protection of user information has ordinary or bad results, quite a few people reflect that after discovering that their personal information was leaked or abused, it was relatively widespread that reporting was difficult, filing complaints was difficult, and filing cases was difficult. Many interviewees reflected that the problems of excessive collection of user information and infringement of personal privacy exist in a widespread manner in free-of-charge applications, but it seems as if there is no supervision, management or lawful punishment whatsoever. The investigation discovered that some Internet companies and public service departments stored large amounts of citizens’ personal information, but security protection technology was gravely lagging behind, making it easy for law-breakers to steal and abuse it. Several work units’ internal control systems are not perfected or not implemented, a small number of “inside ghosts” have taken the risks in pursuit of unlawful gain, leading to large-scale leaks of user information. In several places at present, the use of networks to illegally collect, steal, peddle and use users’ information has created black industry chains. Cases recently uncovered by public security department recently demonstrate the features of user information leaks such as they have multiple channels, costs for unlawful acts of theft are low, the difficulty of investigation is high, etc., furthermore, law-breakers’ used methods are incessantly improving, cases of “targeted fraud” triggered by user information leaks are increasing, creating grave harm to the popular masses’ asset security.
(5) Cybersecurity law enforcement structures remain to be further smoothened
The phenomenon of “nine dragons ruling the water” in cybersecurity supervision and management still exists, problems such as unclear duties and responsibilities, each fighting their own battles, law enforcement shifts responsibility, efficiency is low, etc., still have not been effectively resolved, the comprehensive coordination role with which the law endowed cybersecurity and informatization departments has been insufficiently unhindered. In several localities, multi-headed management problems in network and information security are relatively prominent, but after information leaks, abuses of user personal information and other such information security incidents occur, users regulatory run into the problems that there is no door to complain to, or departments shift responsibility between them or dispute over trifles. The “mass survey report” reveals that 18.9% of interviewees reflect that, after encountering cybersecurity problems, they do not know which department to go to to file a report or complaint, and even if they have reported the matter, it is often not dealt with or there is no result. Multiple network operating work units participating in the discussions reflect that problems exist in administrative law enforcement, such as different law enforcement departments conduct duplicate inspections of the same work unit or the same item, and even that inspection standards are not identical, different law-implementation competent departments collect data but “interconnection and interaction” cannot yet be realized, regularly bringing increased and extra burdens to network operators. Quite a few people believe that if it is impossible to rationally structure and precisely delineate duties and responsibilities between departments, it will lead to the problem that law enforcement is not coordinated in the process of implementing the multi-level protection system and critical information infrastructure protection system. Furthermore, the investigation discovered that urban rail transport control systems and other such industrial control systems have unclear cybersecurity management responsibility boundaries, operating work units’ implementation of cybersecurity responsibility contains difficulties; supervision, management and administrative law enforcement powers in the telecommunications sector are gravely insufficient, law enforcement forces are not suited to the present sever situation that cybersecurity incidents occur at high frequency.
(6) Accompanying regulations to the Cybersecurity Law remain to be perfected
Quite a few work units reflected that as the basic law in the area of cybersecurity management, quite a few elements from the Cybersecurity Law are principle-type provisions, and true “implementation” still relies on the perfection of accompanying regulations. For example, even though the Cybersecurity Law contains provisions on data security and use, data operations in practice are relatively complicated, and data desensitization standards, inter-enterprise data sharing norms etc. still need relevant regulations and rules to clarify them; the Cybersecurity Law only clarified that critical information infrastructure operators’ data export activities require assessment, but it has not further clarified whether a security assessment is to be conducted for the export of important data held by other network operators. The critical information infrastructure protection system is an important system in the Cybersecurity Law, but understandings at present are not yet uniform with regard to what is critical information infrastructure, standards and procedures to designate critical information infrastructure, etc. this needs to be clarified through accompanying regulations. How critical information infrastructure is to conduct annual inspections and evaluations, how network operators and management departments are to uniformly publish cybersecurity early warning information, how to support indigenous intellectual property rights in cybersecurity, etc., are also waiting for accompanying regulations and rules to be clarified.
(7) There is a cybersecurity talent shortage
Among the 10370 people participating in the investigation, over 69% of interviewees believe that within their work unit or among the people they know, the specialist technical talents who are able to engage in cybersecurity protection with skill is relatively low in number, it is impossible to satisfy real needs, 21.6& among these interviewees believe that within their work unit, there is basically no-one who is well acquainted with cybersecurity protection technology. The investigation situation shows that, regardless of whether a region is economically developed or relatively backward, cybersecurity technology talents are relatively lacking in all cases, existing network operating work units’ technology talents are mostly biased towards systems use, operational maintenance, their capability for cybersecurity risk supervision and control, emergency response and comprehensive defence is insufficient, and it is difficult to respond to the needs of protecting cybersecurity. Some critical information infrastructure core business systems, even though protection systems are installed, upgrades or patches cannot be applied to security software because of a lack of high-level security technology talent, and so this means cybersecurity security protection products can play an effective role with difficulty. Quite a few government portal websites do not have specialized cybersecurity technology talents, website management personnel has not accepted systematic cybersecurity skills training. Furthermore, cybersecurity competent departments’ specialized talents are clearly insufficient in number. Under factor constraints such as personnel appointment, duties, remuneration, etc., many local cybersecurity and informatization, public security, telecommunications management, industry and information technology, and other which work units often are unable to recruit or retain specialized technical talents, first-line law enforcement personnel’s specialist training and skills can hardly gain competence for regularized supervision, management and law enforcement duties for network operational security.
IV, Some suggestions
On the basis of the inspection situation, the inspection group has put forward the following suggestions for further implementing the “Law and Decision”.
(1) Further raising understanding of the importance of cybersecurity
In the information age, cybersecurity has become the fifth space outside terrestrial, maritime, aerial and outer space, it has become a new frontier for national interests and a new area for the strategic game between all major countries worldwide, cybersecurity can affect the entire picture of national security with one move, it has become a national security problem of a fundamental and comprehensive nature. The 19th Party Congress report stressed that cybersecurity and other such non-traditional security matters are one of the common challenges that humanity faces, we must persist in the overall national security view, make the people’s security into the purpose, make political security into the foundation, comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, and strengthen the construction of national security capabilities. We must further deepen understanding of the importance of strengthening cybersecurity work under new circumstances, incessantly strengthen our sense of urgency and self-consciousness in implementing the Cybersecurity Law and other such laws and regulations. The competent departments for implementation of law and other related work units must, in integration with their work reality, further strengthen propaganda and training about the Cybersecurity Law, incessantly let the broad network operators, critical information infrastructure operating work units and their relevant personnel be able to know the content of the law, they must also strengthen propaganda for the social public in ways that are pleasing to see and hear, let the broad public understand the close relationship between cybersecurity and themselves, and strengthen the cybersecurity awareness of all of society.
(2) Correctly dealing with the relationship between security and development.
General Secretary Xi Jinping pointed out that cybersecurity and informatization are mutually accompanying. Security is the precondition for development, development is the guarantee for security, security and development must be advanced simultaneously. We must fully understand the role of the Internet in state management, economic development and social governance, continue to advance e-government, e-commerce and new smart city construction, incessantly enhance technological convergence, operational convergence and data convergence, create information “arteries” for economic and social development. We must, according to the requirements in the Cybersecurity Law to “equally stress maintaining cybersecurity and informatization development”, persist in grasping network and informatization development with one hand, and grasping cybersecurity with the other, “grasp with both hands, both hands must be tight”. In cybersecurity, we must give high regard to traditional information security and ideological security, and create a cyberspace with a clear atmosphere, brimming with positive energy, we must also give high regard to enhancing capabilities to defend against attacks, effectively prevent cyber attacks, and realistically safeguard the security of networks and information systems. We must scientifically formulate cybersecurity standards for different sectors and different work units, and earnestly research and resolve the problem that “cybersecurity compliance costs are excessively high” put forward by several work units. Encourage and support the development of the cybersecurity industry, give rein to the role of social forces, and provide secure products and services.
(3) Accelerate the perfection of accompanying regulations and rules of the Cybersecurity Law.
We must accelerate the legislative progress of the “Critical Information Infrastructure Protection Regulations” and the “Cybersecurity Multi-Level Protection Regulations”, make clear provisions on issues that, in practice everyone universally feels are difficult to grasp, such as what is critical information infrastructure, how to determine critical information infrastructure, etc., and further clarify the departmental duties and responsibilities in the process of implementing the multi-level protection system and the critical information infrastructure protection system. Cybersecurity and informatization, telecommunications and public security departments must formulate accompanying regulations or documents as quickly as possible, and create detailed structure for elements of the law such as personal information and important data export security assessment, online data management, cybersecurity monitoring and early warning, information reporting, cybersecurity review, cybersecurity certification and security monitoring result mutual recognition, etc. Several administrative regulations and departmental rules already formulated earlier should also be timely corrected and perfected on the basis of the requirements of the Cybersecurity Law as well as new issues and new questions that were encountered. On the basis of the need to prevent and attack online unlawful and criminal acts, strengthen Internet criminal legislation, research the formulation of a law to prevent and address online unlawful and criminal acts, and promote the effective linkage of administrative punishment and criminal punishment of online unlawful and criminal acts.
(4) Striving to enhance cybersecurity protection capabilities
First, accelerating cybersecurity state sensing platform construction. We must integrate resources from all departments to establish a unified all-weather cybersecurity sensing platform, in order to discover risks and sense risks well, and thereby build uniform and high-efficiency cybersecurity risk discovery mechanisms, notification mechanisms, intelligence sharing mechanisms, deliberation and response mechanisms, and to accurately grasp the laws, trends and tendencies occurring in cybersecurity risks. Second, organizing and conducting risk assessment according to the law. We must, as quickly as possible, perfect cybersecurity risk assessment mechanisms, strengthen assessment in important sectors and areas such as finance, energy, transportation, etc., and on the basis of the assessment situation, adjust cybersecurity work plans and protection measures at suitable times. Third, regularly organizing emergency response drills. Organize critical information infrastructure operating work units to regularly conduct emergency response drills, to ensure that important information systems involving national security, or involving the national economy and the people’s livelihoods to be able to effectively respond against organized, high-strength cyberattacks. Fourth, we must earnestly implement the requirements of the law, accelerate the construction of disaster-proof backups in critical information infrastructure, and regularly conduct testing of their disaster-proof efficacy, enhancing the capabilities of information systems to be resilient to disasters, mitigate disasters and recover. We must supervise network operating work units in earnestly implementing the provisions of the law and preserve network daily records according to the law. Fifth, we must strengthen the construction of cybersecurity confidentiality protection systems, enhance the capabilities of cybersecurity secrecy protection equipment, and enhance the construction of cybersecurity secrecy protection technology safeguard infrastructure. Sixth, we must forcefully advance the domestic production replacement project. Strengthen technological research and development, progressively raise the degree of domestically produced content in information control systems in important industries and enterprises, and increase the indigenous and controllable capabilities in critical information infrastructure and cybersecurity equipment.
(5) Progressively strengthening users’ personal information protection
First, we must accelerate the progress of the personal information protection legislation. Through specialized legislation, clarify the principles and procedures for network operators to collect user information, clarify their secrecy protection and [general] protection duties of collected information, and the liability they shall bear for improper use and weak protection, as well as supervision, inspection and assessment measures. Second, strengthening security protection. Strengthen the construction of data security supervision and management methods, implement tiered and categorized management for data resources, promote the research, development and deployment of security technologies for preventing data disclosure, preventing distortion and preventing leaks in the big data landscape. Third, we must earnestly research the scope and methods for user real-name registration systems, and resolutely avoid the problems that information collection subjects are excessively many in number, and real-name registration items are excessive. All localities and aal work units shall have a clear legal basis for any real identity registration system. We must enhance real identity information collection methods, and reduce the content of real identity information content. Fourth, strengthening supervision and inspection. Establish third-party assessment mechanisms, supervise network operators and public service work units in strictly collecting user information according to the law, establishing and completing internal management mechanisms, and effectively reducing the risk of “inside demons” stealing data. Fifth, further strengthening attack. Public security bodies must strengthen the attack against cyberattacks, online fraud, online harmful information and other such unlawful and criminal activities, sever online criminal profit chains, continue to shape a high-pressure situation, implement the provisions of the law on protecting citizens’ personal information, and ensure that the broad citizens’ lawful rights and interests are not harmed. Sixth, we must perfect complaints reception mechanisms. Research the establishment of uniform and highly effective user information security incident complaint reception mechanisms, to provide a convenience for user complaints and reporting, and safeguard the popular masses’ lawful rights and interests.
(6) Strengthening comprehensive coordination in cybersecurity work
Cybersecurity work involves many domains, has a broad scope, brings heavy tasks, great difficulties, and is strongly systemic, general and coordinated in nature. To respond to complex cybersecurity situations, we must ensure uniform planning, uniform arrangements, uniform standards and uniform progress. We must incessantly perfect online law enforcement coordination mechanisms, complete standardized law enforcement suited to the features of networks as quickly as possible. We must implement regulations related to the Cybersecurity Law, strengthen the construction of cybersecurity law enforcement teams and law enforcement capabilities, strengthen the comprehensive coordination duties and responsibilities of cybersecurity and informatization departments, clarify the boundaries of and interfaces between all functional departments’ powers and responsibilities, create coordinated action mechanisms for departments including cybersecurity and informatization, industry and information technology, public security, secrecy protection, etc., we must both prevent functional overlap and multi-headed management, while also avoiding a pushing away of law enforcement responsibilities, and blank spots in management, incessantly raise law enforcement efficiency, effectively safeguarding cyberspace security. Considering the strong cross-regional nature of the Internet, and the fact that land boundaries are not clear, we must complete and perfect cybersecurity non-local law enforcement cooperation mechanisms, and realize interregional law enforcement joint action. We must also eliminate departmental interests, cut through data and information barriers, reduce duplicate construction, establish shared data platforms, substantially ensure that data collected by different departments can be shared, and raise cybersecurity protection capabilities.
(7) Accelerating the construction of cybersecurity talent teams
Cybersecurity is one of the areas where technological renewal happens the most quickly, competition in cyberspace fundamentally is a competition over talent; to construct a cyber power, the most crucial resource is talent. We must give high regard to cybersecurity talent training work, we must not only foster technical talents proficient in information system use and protection, but we must also foster large batches of talents who are able to conduct cybersecurity risk supervision and control, emergency response and comprehensive protection, and thereby satisfy the demands put forward in the implementation of the Cybersecurity Law. We must further strengthen the construction of cybersecurity academic disciplines, optimize the structuring of teacher teams, reform talent fostering models, foster ever more applied talents who can satisfy practical requirements. We must encourage reforms of network and informatization talents develop mechanisms systems and mechanisms to be conducted and trialled with priority, research the establishment of cybersecurity special talent training, management and incentive mechanisms, strengthen fostering, guidance and support of high-end cybersecurity talents and urgently required talents, ensure that Party and government bodies and critical information infrastructure operating work units are able to find and recruit, use well and can retain “high-end, capable and sharp” specialized talents proficient in cybersecurity technology.
At present, the Internet has deeply merged with all areas of economic development and social life, it has profoundly transformed people’s ways of production and life. We must earnestly study and comprehensively implement the spirit of the 19th Party Congress and especially Xi Jinping Thought on Socialism with Chinese characteristics for a new era, further raise our political stance, firmly establish correct cybersecurity views, further strengthen our sense of urgency and sense of awareness in implementing the law, advance all structures of the “Law and Decision” towards complete implementation, substantially safeguard cyberspace sovereignty and the direct personal interests of the popular masses, and provide firm guarantees for victoriously constructing a moderately prosperous society, gaining magnificent victories for Socialism with Chinese characteristics in a new era, and realizing the Chinese Dream of the great rejuvenation of the Chinese nation.
全国人民代表大会常务委员会执法检查组关于检查《中华人民共和国网络安全法》、《全国人民代表大会常务委员会关于加强网络信息保护的决定》实施情况的报告
——2017年12月24日在第十二届全国人民代表大会常务委员会第三十一次会议上
王胜俊
全国人民代表大会常务委员会:
网络安全事关党的长期执政,事关国家长治久安,事关经济社会发展和人民群众切身利益。习近平总书记强调指出,没有网络安全就没有国家安全,没有信息化就没有现代化。全国人大常委会高度重视网络安全工作,2012年12月审议通过《全国人民代表大会常务委员会关于加强网络信息保护的决定》,2016年11月审议通过《中华人民共和国网络安全法》(以下简称“一法一决定”)。根据2017年监督工作计划,全国人大常委会执法检查组于2017年8月至10月对“一法一决定”的实施情况进行了检查。现在,我代表执法检查组向常委会作报告。
一、执法检查的工作情况
网络安全法是今年6月1日开始施行的。一部新制定的法律实施不满3个月即启动执法检查,这在全国人大常委会监督工作中尚属首次。张德江委员长十分重视这次执法检查,作了重要批示,指出:网络安全事关国家长治久安,事关经济社会发展和人民群众福祉。全国人大常委会在网络安全法实施当年就开展执法检查,要贯彻落实习近平总书记关于“要树立正确的网络安全观”的重要指示精神,督促有关方面进一步加强法律宣传,增强全社会网络安全意识,抓紧配套法规政策制定,确保法律有效实施,着力提升网络空间治理水平,切实维护国家网络空间安全和人民群众合法权益。希望检查组精心组织好这次执法检查,坚持问题导向,务求取得实效。根据张德江委员长的批示精神,内务司法委员会、财政经济委员会、教育科学文化卫生委员会和常委会办公厅等单位反复研究,确定了这次执法检查的五个重点:一是开展法律宣传教育的情况;二是制定配套法规规章的情况;三是强化关键信息基础设施保护及落实网络安全等级保护制度的情况;四是治理网络违法违规信息,维护网络空间良好生态的情况;五是落实公民个人信息保护制度,查处侵犯公民个人信息及相关违法犯罪的情况。
8月25日,执法检查组召开第一次全体会议,传达张德江委员长的重要批示。会议听取了国家互联网信息办公室、工业和信息化部、公安部、国家新闻出版广电总局、最高人民法院关于“一法一决定”贯彻实施情况的汇报,教育部、科技部、交通运输部等单位提交了书面汇报材料。
根据安排,王晨副委员长兼秘书长、沈跃跃、张平、万鄂湘、陈竺副委员长和我六位副委员长参加这次执法检查。检查组赴内蒙古、黑龙江、福建、河南、广东、重庆等6省(区、市)进行检查,期间,检查组听取了有关省、市、县政府的汇报,先后召开30余次座谈会,实地考察了部分网络安全指挥平台和关键信息基础设施运营单位。另外,还委托12个省(区、市)人大常委会对本行政区域“一法一决定”实施情况进行检查。
为了深入了解“一法一决定”实施情况,这次执法检查在方式方法上作了一些新的尝试:一是请第三方专业机构参与。9月上旬至10月中旬,检查组在实地检查的6个省(区、市)各选取20个重要信息系统,委托中国信息安全测评中心进行漏洞扫描和模拟攻击,并就所检测系统的网络安全情况出具专业检测报告。检查组还委托中国青年报社社会调查中心就“一法一决定”中与公众关系密切的10个方面的问题,在全国31个省(区、市)进行了民意调查,出具了调查报告。共有10370人参与这次调查。第三方机构的有序参与,增强了本次检查的专业性、权威性和客观公正性。二是专家参与。考虑到网络安全专业性较强,执法检查期间,检查组先后从国家信息技术安全研究中心等单位聘请21名网络安全专家和长期从事网络安全工作的专业技术人员参加检查,为检查组提供技术支持,增强检查的针对性和实效性。三是随机抽查。各检查小组均按检查方案要求,随机选取若干关键信息基础设施运营单位,在不打招呼的情况下进行临时抽查。6个检查小组共对13个单位进行了随机抽查。远程检测的120个重要信息系统也均由执法检查组随机选取,在运营单位不知情的情况下完成检测。
二、贯彻实施“一法一决定”的做法和成效
近年来,各级党委政府认真组织学习习近平总书记系列重要讲话和关于网络安全的重要论述,深入贯彻中央关于“建设网络强国”的战略部署,把网络安全纳入经济社会发展全局来统筹谋划部署,大力推进网络安全和网络信息保护工作,法律实施取得了积极成效。
(一)深入开展宣传教育,增强网络安全意识
一是把增强全民网络安全意识作为基础工程。国家互联网信息办公室、工业和信息化部、公安部等9部门连续四年组织开展网络安全周和主题日宣传活动,每年活动期间组织的讲座论坛等都超过1万场次,年均覆盖人数约2亿人。网络安全法颁布后,各地均通过报刊杂志、电台电视台、门户网站、政务微信微博等,对法律核心内容进行宣传解读。二是加强重点单位、重点行业法律宣传教育。工业和信息化部将学习“一法一决定”情况纳入各基础电信运营企业的年度考核指标,并组织百度、阿里、腾讯等重点互联网企业开展学习。公安部组织全国公安机关、200多个中央部委和中央企业、260多家信息安全企业相关人员进行集中学习。国家新闻出版广电总局组织开展了网络安全知识技能练兵和竞赛活动。内蒙古、黑龙江等省(区)对重点单位、重点行业负责网络安全的业务骨干进行了重点培训。三是紧紧抓住领导干部这个关键少数,把提升领导干部的网络安全意识作为重中之重。广东、福建等地通过举办领导干部网络安全和信息化专题研讨班等形式,推动领导干部率先知法懂法用法。交通运输部党组成员带头学习,并举办了“交通运输网络安全局级领导专题培训班”,教育部举办了教育系统网络安全培训班,对各省级教育行政部门、直属高校、部直属机关负责人进行专题培训。四是加强重点人群宣传教育。各地把青少年网民作为普法重点,开展了“网络安全进校园、进家庭”、“争做四有好网民”等活动,引导广大青少年依法、文明、健康上网。
(二)制定配套法规政策,构建网络安全制度体系
为配合“一法一决定”实施,近年来,国务院相关部门出台了《国家网络空间安全战略》《通信网络安全防护管理办法》《电信和互联网用户个人信息保护规定》《电话用户真实身份信息登记规定》《新闻出版广播影视网络安全管理办法》《公共互联网网络安全突发事件应急预案》等配套规章、规划和政策文件。国家互联网信息办公室会同有关部门出台了《关于加强国家网络安全标准化工作的若干意见》,加快了网络安全国家标准制定工作,目前已发布198项网络安全国家标准。最高法院、最高检察院出台了《关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释》。一些省份也开展了配套法规立法工作,内蒙古自治区人大常委会制定了《计算机信息系统安全保护办法》,福建省人大常委会通过了《福建省电信设施建设与保护条例》,广东省人大常委会出台了《关于落实电信用户真实身份信息登记制度的决定》,黑龙江省人大常委会制定了《工业信息安全管理条例》。重庆市坚持网络安全与信息化发展并重,加强电子政务制度建设,完善了政府网站管理制度。一系列配套法规、规章和政策文件出台,助推了“一法一决定”的贯彻实施。
(三)提升安全防范能力,着力保障网络运行安全
一是强化关键信息基础设施防护。2016年,国家互联网信息办公室等部门组织开展了关键信息基础设施摸底排查工作,对1.1万个重要信息系统安全运行状况进行抽查和技术检测,完成了对金融、能源、通信、交通、广电、教育、医疗、社保等多个重点行业的网络安全风险评估,提出整改建议4000余条。二是开展网络基础设施防护工作。工业和信息化部开展了网络基础设施摸底工作,全面梳理网络设施和信息系统,目前全行业共确定关键网络设施和重要信息系统11590个。2017年以来,监督抽查重点网络系统和工业控制系统900余个,通知整改漏洞78980个。三是深入推进网络安全等级保护。已累计受理备案14万个信息系统,其中三级以上重要信息系统1.7万个,基本涵盖了所有关键信息基础设施。同时,对纳入等级保护的信息系统开展常态化检查,近年来累计发现整改各类安全漏洞近40万个。四是建立通报预警机制。公安部牵头建立了国家网络安全通报预警机制,通报范围已覆盖100个中央党政军机构、101家央企、31个省(区、市)和新疆生产建设兵团,各地也都建立了网络安全与信息安全通报机制,实时通报处置各类隐患漏洞。教育部建立了教育系统重要网站和信息系统安全监测预警机制,已累计通报处置安全威胁3.5万个。五是积极开展网络安全协调联动平台建设。国家互联网信息办公室牵头建立了关键信息基础设施应急技术支持和协助机制,不断提升关键信息基础设施整体应急反应能力、安全保障能力和协调联动能力。六是大力开展网络安全专项整治工作。公安部会同有关单位组织开展了大型互联网企业专项保卫行动、网站安全和互联网电子邮件安全专项整治行动,发现整改了一批网络安全深层次问题和隐患。
(四)治理违法违规信息,维护网络空间清朗
各地各有关部门认真落实法律要求,扎实做好网络意识形态工作,坚决清理各类违法违规信息。通过开展“扫黄打非”、“剑网”等系列行动,对互联网站、应用程序、论坛、博客、微博、公众账号、即时通讯工具、网络直播中宣扬恐怖暴力、淫秽色情等信息及时清理。2015年以来,国家互联网信息办公室等部门依法约谈违法违规网站2200余家,取消违法违规网站许可或备案、关停违法网站13000多家,有关网站按照用户服务协议关闭违法违规账号近1000万个,对网上各类违法行为形成有力震慑。中国青年报社社会调查中心提供给检查组的万人调查分析报告(以下简称“万人调查报告”)显示,在参与调查的10370人中,超过90%的受访者对治理成效给予肯定,其中有63.5%的人认为近年来网络上危害国家安全、宣扬恐怖暴力、淫秽色情等违法违规信息明显减少。法律实施主管部门还建立了网络信息巡查机制和公众举报平台,及时清理违法违规信息。重庆等地重视加强网络内容建设,积极创作优秀网络作品,做强网上正面宣传。
(五)加强个人信息保护,打击侵犯用户信息安全违法犯罪
全面落实网络接入(网站备案和域名/IP地址)、固定电话、移动电话实名制办理要求,凡用户不提供真实信息的,运营者不再为其提供相关服务。五年来,组织电信企业对3亿多未实名的老用户进行补登记,对拒不补登记的1000余万用户依法暂停提供服务。为确保用户信息安全,有关部门指导各网络运营单位进一步强化了内控管理制度,要求对批量导出、复制、销毁信息等重大操作的申请、使用和有效期实行严格管理,从工作流程上防止用户信息的批量泄露。河南省加强对保存用户信息关键系统的安全防护,提升防止黑客攻击能力。针对侵犯用户个人信息犯罪高发态势,公安部部署开展专项打击行动,在31个省(区、市)和新疆生产建设兵团公安机关建立了反诈骗中心,统筹协调打击利用公民个人信息实施的电信网络诈骗犯罪,近两年,共侦破侵犯个人信息犯罪相关案件3700余起,抓获犯罪嫌疑人11000余名。2014年至2017年9月,全国法院共审理利用网络侵犯公民个人信息犯罪案件1529件,取得了较好的法律效果和社会效果。
(六)加大支持力度,推进网络安全核心技术创新
为落实网络安全法“扶持重点网络安全技术产业和项目,支持网络安全技术的研究开发和利用”等要求,科技部会同国家互联网信息办公室共同编制了专项研究计划,立足网络空间安全发展现状,围绕提高我国关键信息基础设施和数据安全的防护能力、支撑网络空间可信管理和数字资产保护、提升网络空间防护能力等目标,确立若干重点研究方向。为了加大对网络安全技术研究开发和应用的支持,科技部、工业和信息化部等部门,在“十三五”国家重点研发计划中优先启动了“网络空间安全重点专项”,投入国拨经费13.84亿元,系统部署了47项研究任务,力争到2020年,基本形成自主可控的网络空间安全核心技术体系。另外,在“科技创新2030——重大项目”中,也将优先安排一批网络空间安全重大研究项目,为提升我国信息监管、泄密窃密防范、网络防御等提供技术支持。教育部创新网络安全人才培养模式,增设了网络空间安全一级学科,与有关部门共同下发了《关于加强网络安全学科建设和人才培养的意见》,启动了一流网络安全学院建设示范项目,为网络安全技术创新提供人才支持。
三、工作中存在的困难和问题
从检查情况看,各地在贯彻实施“一法一决定”、维护网络安全方面还存在一些困难和问题。
(一)网络安全意识亟待增强
许多关键信息基础设施运营单位对网络安全的重要性认识不到位,认为受到网络攻击只是小概率事件,对可能受到的网络攻击的危害性缺乏认知。在信息化方面“重建设、轻安全;重使用、轻防护”,缺乏主动防御意识,不愿在安全防护方面进行必要投入;在处理业务信息系统可用性和安全性的关系时,往往更重视可用性,在二者有冲突时,往往会降低安全性要求。不少地方政府和部门领导干部不能从国家安全的高度认识网络安全,没有把网络安全工作列入本级政府和部门工作重要议程,或者只是口头上重视,“说起来重要,干起来次要,忙起来不要”。社会公众网络安全意识总体不强,“万人调查报告”显示,有55.4%的受访者认为,他们身边的许多人缺乏网络安全意识,对网络安全“知其然不知其所以然”。
(二)网络安全基础建设总体薄弱
一是网络安全态势感知平台建设滞后。网络安全风险具有很强的隐蔽性,感知安全态势是做好网络安全最基本最基础的工作。维护网络安全,首先要知道风险在哪里,是什么样的风险,什么时候发生风险。但不少省份尚未启动网络安全态势感知平台建设,不能实现对重要信息系统网络安全风险的全天候实时、动态监测。二是容灾备份体系建设总体滞后。不少关系国计民生的关键信息基础设施运营单位没有按照法律规定对重要数据进行异地容灾备份,而仅仅采取了一些简单的数据备份措施,有的甚至尚未进行过容灾备份,不能有效应对重大网络安全风险。在有些省份,多数重要信息系统未按法律要求进行异地容灾备份。三是重要工业控制企业的设备和控制系统国产化程度有待提高。一些重要工控企业对外国技术依赖严重,不仅生产控制系统由国外公司建设,配套的网络及安全设备也采用国外产品,网络及安全设备的配置由外方人员操控,企业内部人员甚至不掌握安全设备配置和管理权限。在有的省份,重要工控企业的生产控制系统国产化率不足20%。四是应急预案流于形式。有的网络安全应急预案侧重于设备设施障碍的排除,针对网络攻击、信息泄露等网络空间安全事件的内容较少;有的应急预案缺乏可操作性;有的应急预案长期未修订,已不能应对当下的网络安全事件;许多单位由于应急演练相关条件不足,未真正举行过应急演练;不少地方和行业用于解决网络安全问题的经费不足,发现了问题后,往往因经费缺乏不能及时解决。
(三)网络安全风险和隐患突出
为了解网络运行情况,执法检查组委托中国信息安全测评中心对随机选取的120个关键信息基础设施(60个门户网站和60个业务系统)进行了远程渗透测试和漏洞扫描。该中心出具的报告显示,本次远程测试的120个关键信息基础设施中,共存在30个安全漏洞,包括高危漏洞13个,其中某省级部门互联网监管综合平台存在越权上传、越权下载、越权删除文件等3个高危漏洞,严重威胁了系统及服务器安全,也存在严重的用户信息泄露风险。远程检测还发现,多个设区的市政府门户网站存在页面被篡改风险。执法检查组现场抽查时发现,许多单位没有依照法律规定留存网络日志,这可能导致发生网络安全事件时无法及时进行追溯和处置;有的单位从未对重要信息系统进行风险评估,对可能面临的网络安全态势缺乏认知。检查还发现,在许多单位,内网和专网安全建设没有引起足够重视,有的单位对内网系统未部署任何安全防护设施,长期不进行漏洞扫描,存在重大网络安全隐患。随着各地区各领域信息化建设的推进,各行业各领域数据化、在线化、远程化趋势更加明显,对网络安全提出了更高要求。
(四)用户个人信息保护工作形势严峻
“万人调查报告”显示,“一法一决定”关于用户个人信息保护的多项制度落实得并不理想:有52.1%的受访者认为,法律关于“网络服务提供者和其他企业事业单位在业务活动中收集、使用公民个人电子信息,必须明示收集、使用信息的目的、方式和范围”的规定执行得不好或者一般;有49.6%的受访者曾遇到过度收集用户信息现象,其中18.3%的受访者经常遇到过度采集用户信息现象;有61.2%的人遇到过有关企业利用自己的优势地位强制收集、使用用户信息,如果不接受就不能使用该产品或接受服务的“霸王条款”;有52.5%的人认为执法部门保护用户信息的成效一般或者不好,不少人反映,在发现本人信息被泄露或者被滥用后,举报难、投诉难、立案难现象比较普遍。许多受访者反映,当前免费应用程序普遍存在过度收集用户信息、侵犯个人隐私问题,但几乎没有受到任何监管和依法惩处。检查发现,有的互联网公司和公共服务部门存储了大量公民个人信息,但安防技术严重滞后,容易被不法分子窃取和盗用。一些单位内控制度不完善或不落实,少数“内鬼”为牟取不法利益铤而走险,致使用户信息大批量泄露。当前在一些地方,利用网络非法采集、窃取、贩卖和利用用户信息已形成黑色产业链。从公安部门近期破获的案件看,用户信息泄露呈现渠道多、窃取违法行为成本低、追查难度大等特点,而且违法分子使用的手段不断升级,因用户信息泄露引发的“精准诈骗”案件增多,给人民群众财产安全造成严重危害。
(五)网络安全执法体制有待进一步理顺
网络安全监管“九龙治水”现象仍然存在,权责不清、各自为战、执法推诿、效率低下等问题尚未有效解决,法律赋予网信部门的统筹协调职能履行不够顺畅。一些地方网络信息安全多头管理问题比较突出,但在发生信息泄露、滥用用户个人信息等信息安全事件后,用户又经常遇到投诉无门、部门之间推诿扯皮的问题。“万人调查报告”显示,有18.9%的受访者反映,在遇到网络安全问题后,他们不知该向哪个部门举报和投诉,即使举报了也往往不予处理或者没有结果。参加座谈的多数网络运营单位反映,行政执法过程中存在不同执法部门对同一单位、同一事项重复检查且检查标准不一等问题,不同法律实施主管机关采集的数据还不能实现“互联互通”,经常给网络运营商增加额外负担。不少人认为,如果不能合理定位,准确厘清部门之间的职责,等级保护制度和关键信息基础设施保护制度落实过程中也会产生执法不协调问题。另外,检查发现,城市轨道交通控制系统等工控系统网络安全管理责任边界不清,运营单位落实网络安全责任制存在困难;通信行业监管和行政执法力量严重不足,执法力量与当前网络安全事件频发多发的严峻形势不相适应。
(六)网络安全法配套法规有待完善
不少单位反映,作为网络安全管理方面的基础性法律,网络安全法不少内容还只是原则性规定,真正“落地”还有赖于配套制度的完善。比如,网络安全法虽然对数据安全和利用作了规定,但现实中数据运用比较复杂,数据脱敏标准、企业间数据共享规则等,仍然需要有关法规规章予以明确;网络安全法仅明确了关键信息基础设施运营者数据出境需进行评估,但其他网络运营者掌握的重要数据出境是否进行安全评估,尚待进一步明确。关键信息基础设施保护制度是网络安全法一项重要制度,但对于什么是关键信息基础设施、关键信息基础设施认定的标准和程序等,目前认识尚不一致,需要配套法规予以明确。关键信息基础设施如何进行年度检测评估、网络运营者和管理部门如何统一发布网络安全预警信息、如何扶持网络安全自主知识产权等,也有待于配套法规规章予以明确。
(七)网络安全人才短缺
参与调查的10370人中,有超过69%的受访者认为,所在单位或者熟悉的人中,能够熟练从事网络安全防护的专业技术人才较少,无法满足现实需要,其中有21.6%的受访者认为所在单位基本上无人熟悉网络安全防护技术。从检查的情况看,不管是经济发达地区还是相对落后地区,网络安全技术人才都比较匮乏,现有的网络运营单位技术人才多侧重于系统使用、操作维护,对网络安全风险的监控、应急处置和综合防护能力不足,难以适应保障网络安全的需要。有的关键信息基础设施核心业务系统虽然安装了防护系统,但由于缺乏高水平的安全技术人才,不能对安全软件进行升级和打补丁,从而使网络安全防护产品难以有效发挥作用。不少政府门户网站没有专门的网络安全技术人才,网站管理人员没有接受过系统的网络安全技能培训。另外,网络安全主管部门专业人才也明显不足。受到编制、职务、薪资等因素制约,许多地方网信、公安、通信管理、工信等单位往往招不到或留不住专业技术人才,一线执法人员的专业素养和技能难以胜任网络运行安全常态化监管执法职责。
四、几点建议
根据检查情况,检查组对进一步贯彻实施“一法一决定”提出以下建议。
(一)进一步提高对网络安全重要性的认识
在信息时代,网络空间已经成为继陆地、海洋、天空、外层空间之外,人类活动的第五空间,成为国家利益的新边疆和世界各主要国家战略博弈的新领域,网络安全对国家安全牵一发而动全身,已成为基础性、全局性的国家安全问题。党的十九大报告强调,网络安全等非传统安全是人类面临的共同挑战之一,要坚持总体国家安全观,以人民安全为宗旨,以政治安全为根本,统筹外部安全和内部安全、国土安全和国民安全、传统安全和非传统安全、自身安全和共同安全,完善国家安全制度体系,加强国家安全能力建设。要进一步深化对新形势下加强网络安全工作重要性的认识,不断增强贯彻落实网络安全法等法律法规的紧迫感和自觉性。法律实施主管机关和其他相关单位要结合工作实际,进一步加大对网络安全法的宣传培训力度,不仅让广大网络运营商、关键信息基础设施运营单位的相关人员能够熟知法律内容,还要以喜闻乐见的方式加强对社会公众的宣传,让广大公众认识到网络安全与自身的密切关系,增强全社会的网络安全意识。
(二)正确处理安全和发展的关系
习近平总书记强调指出,网络安全和信息化是相辅相成的。安全是发展的前提,发展是安全的保障,安全和发展要同步推进。要充分认识到互联网在国家管理、经济发展和社会治理中的作用,继续推进电子政务、电子商务、新型智慧型城市建设,不断推进技术融合、业务融合、数据融合,打通经济社会发展的信息“大动脉”。要按照网络安全法“坚持网络安全与信息化发展并重”的要求,坚持一手抓网络和信息化发展,一手抓网络安全,“两手抓,两手都要硬”。对于网络安全,既要重视传统的信息安全和意识形态安全,营造风清气正、正能量充沛的网络空间,也要高度重视攻防能力提升,有效防范网络攻击,切实维护网络信息系统安全。要科学制定不同行业、不同单位的网络安全标准,认真研究解决有些单位提出的“网络安全合规成本过高”的问题。鼓励和支持网络安全产业的发展,发挥社会力量的作用,提供安全的产品和服务。
(三)加快完善网络安全法配套法规规章
要加快《关键信息基础设施安全保护条例》《网络安全等级保护条例》的立法进程,对实践中大家普遍感觉难以把握的问题,如什么是关键信息基础设施、如何认定关键信息基础设施等作出明确规定,并对等级保护制度和关键信息基础设施保护制度落实过程中的部门职责进一步予以明确。网信、工信、公安等部门要尽快制定配套规章或者文件,细化法律中个人信息和重要数据出境安全评估、网络数据管理、网络安全监测预警和信息通报、网络安全审查、网络安全认证和安全检测结果互认等制度。此前已制定的一些行政法规和部门规章也应根据网络安全法的要求以及法律实施中遇到的新情况新问题,及时予以修改完善。根据防范和打击网络违法犯罪的需要,加强互联网刑事立法,研究制定网络违法犯罪防治法,推动网络违法犯罪行政处罚与刑事处罚的有效衔接。
(四)着力提升网络安全防护能力
一是加快网络安全态势感知平台建设。要整合各部门资源,建立统一的全天候网络安全感知平台,以更好地发现风险、感知风险,进而构建统一高效的网络安全风险发现机制、报告机制、情报共享机制、研判处置机制,准确把握网络安全风险发生的规律、动向、趋势。二是依法组织开展风险评估。要尽快完善网络安全风险评估机制,加强对金融、能源、交通等重要行业和领域的评估,根据评估情况,适时调整网络安全工作方案和保护措施。三是定期组织应急演练。组织关键信息基础设施运营单位定期进行应急演练,使事关国家安全、关系国计民生的重要信息系统能够有效应对有组织的高强度网络攻击。四是要认真落实法律要求,加快关键信息基础设施数据的容灾备份建设,并定期开展灾备效果验证,提升信息系统的抗灾、减灾和恢复能力。要督促网络运营单位认真落实法律规定,依法留存网络日志。五是要加强网络安全保密保障体系建设,提升网络安全保密装备能力,推进网络安全保密技术保障基础设施建设。六是要大力推进国产化替代工程。加大技术研发力度,逐步提高重要工业企业信息控制系统的国产化率,提升关键信息基础设施和网络安全设备的自主可控能力。
(五)进一步加大用户个人信息保护力度
一是要加快个人信息保护法立法进程。通过专门立法,明确网络运营者收集用户信息的原则、程序,明确其对收集到的信息的保密和保护义务,不当使用、保护不力应当承担的责任,以及监督检查和评估措施。二是加强安全防护。强化数据安全监管手段建设,实施数据资源分级分类管理,推动大数据场景下的数据防窃密、防篡改、防泄露等安全技术的研发和部署。三是要认真研究用户实名制的范围和方式,坚决避免信息采集主体过多、实名登记事项过滥问题。各地区各单位对某一事项实施实名登记制度,应当有明确的法律依据。要改进实名信息采集方式,减少实名信息采集的内容。四是加大监督检查力度。建立第三方评估机制,督促网络运营和公共服务单位严格依法收集用户信息,建立健全内部管理制度,有效降低“内鬼”窃密风险。五是进一步加大打击力度。公安机关要加大对网络攻击、网络诈骗、网络有害信息等违法犯罪活动的打击力度,切断网络犯罪利益链条,持续形成高压态势,落实法律保护公民个人信息的规定,使广大公民的合法权益免受侵害。六是要完善投诉受理机制。研究建立统一高效的用户信息安全事件投诉受理机制,为用户投诉、举报提供便利,维护人民群众合法权益。
(六)强化网络安全工作统筹协调
网络安全工作涉及领域多、范围广、任务重、难度大,系统性、整体性、协同性很强。应对复杂的网络安全态势,必须做到统一谋划、统一部署、统一标准、统一推进。要不断完善网络执法协作机制,尽快健全适应网络特点的规范化执法体系。要落实网络安全法相关规定,加强网络安全执法队伍和执法能力建设,强化网信部门的统筹协调职责,明确各职能部门的权责界限和接口,形成网信、工信、公安、保密等各部门协调联动机制,既要防止职能交叉、多头管理,又要避免执法推责、管理空白,不断提高执法效率,有效维护网络空间的安全。考虑到互联网跨区域性强、地域边界不明显的特点,要健全完善网络安全异地执法协作机制,实现区域之间执法联动。还要破除部门利益,打通数据和信息壁垒,减少重复建设,建立共享数据平台,切实做到不同部门收集的数据能够共享,提高网络安全防范能力。
(七)加快网络安全人才队伍建设
网络安全是技术更新最快的领域之一,网络空间的竞争,归根到底是人才的竞争;建设网络强国,最关键的资源是人才。要高度重视网络安全人才培养工作,不仅要培养精通信息系统使用和维护的技术人才,还要培养大批能够开展网络安全风险监控、应急处置和综合防护的人才,从而满足网络安全法实施提出的要求。要进一步加强网络安全学科建设,优化师资队伍结构,改革人才培养模式,培养更多满足实践需要的应用型人才。要鼓励网络和信息化人才发展体制机制改革先行先试,研究建立网络安全特殊人才培养、管理和激励制度,加大对网络安全高端人才、紧缺人才的培养、引进和支持力度,使党政机关、关键信息基础设施运营单位能够招得进、用得好、留得住精通网络安全技术的“高、精、尖”专业人才。
当前,互联网已深度融入经济发展和社会生活的方方面面,深刻改变着人们的生产和生活方式。我们要认真学习、全面贯彻党的十九大精神特别是习近平新时代中国特色社会主义思想,进一步提高政治站位,牢固树立正确的网络安全观,进一步增强贯彻实施法律的紧迫感和自觉性,推进“一法一决定”各项制度全面落实,切实维护网络空间主权和人民群众切身利益,为决胜全面建成小康社会、夺取新时代中国特色社会主义伟大胜利、实现中华民族伟大复兴的中国梦提供坚强保障。
以上报告,请审议。
“Proposal for International Cooperation on the “One Belt, One Road” Digital Economy”
The digital economy is a driver for global economic growth that becomes more important every day, and is playing an ever more important role in accelerating economic development, enhancing labour productivity in existing industries, fostering new markets and new industrial growth points, realizing inclusive growth and sustainable growth. In order to expand cooperation in the digital economy area, as countries supporting the “One Belt, One Road” initiative, we will, on the basis of the principles of interconnection and interaction, innovation and development, openness and cooperation, harmony and inclusivity, mutual benefit and win-win, explore the common use of digital opportunities and response to challenge, strive to realize an interconnected and interactive “Digital Silk Road” through strengthening policy communication, infrastructure linkages, trade facilitation, financial flows and interlinking popular sentiment, and forge a mutually beneficial, win-win “community of interests” and a “community of destiny” for common development and flourishing. To this end, on the basis of voluntarity and non-restraint, we put forward the following proposal:
<!–more–>
1. Expanding broadband access, raising broadband quality. Build and perfect regional telecommunications, Internet, satellite navigation and other such important information infrastructure, stimulate interconnection and interaction, explore the expansion of high-speed Internet access and connectivity measures at a bearable price, stimulate broadband network coverage, improve service capabilities and quality.
2. Stimulating the digital transformation. Stimulate the digitization of agricultural production, operations and management, as well as the networked transformation of agricultural product distribution. Encourage digital technologies to converge with the manufacturing sector, build an ever more linked, networked and smart manufacturing sector. Use information and telecommunications technology to improve cultural education, healthcare and medicine, environmental protection, urban planning and other public services. Stimulate the sustained development of service sectors such as smart logistics, online tourism, mobile payment, digital creativity and the shared economy.
3. Stimulate e-commerce cooperation. Explore the feasibility of establishing information sharing, mutual trust and mutual recognition mechanisms for cross-border e-commerce credit, customs passage, inspection, quarantine, consumer protection and other such areas, strengthen cooperation in areas such as financial payment, storage and logistics, technology services, offline exhibitions, etc. Strengthen cooperation in consumer rights protection.
4. Support Internet start-ups and innovation. Encourage the promotion of Internet-based research, development and innovation through beneficial and transparent legal frameworks, and support Internet-based start-ups. Use the Internet to stimulate innovation in products, services, processes, organizational and commercial models.
5. Stimulate the development of small, mid-size and micro enterprises. Stimulate small, mid-size and micro enterprises to use information and telecommunication technologies to conduct innovation, raise competitiveness and open up new market sales channels through policy support. Promote the provision of required digital infrastructure to small, mid-size and micro enterprises at bearable prices. Encourage small, mid-size and micro enterprises to provide information and telecommunication products and services to public departments, and enter into global value chains.
6. Strengthen digitized skills training. Increase the public’s digitized skills levels, ensure that they obtain gains from the development of the digital economy. Launch on-the-job training for digital skills, enhance employees’ digital skills. Encourage government departments, universities, research bodies and enterprises to vigorously launch training programmes, and stimulate the popularization and improvement of digital skills.
7. Stimulating investment in the information and telecommunications technology area. Improve the commercial environment through stimulating research, development and innovation as well as investment, including cross-border investment in the digital economy. Promote all kinds of financial bodies, multilateral development bodies, etc., to invest in information and telecommunications technology infrastructure and applications, guide commercial share investment funds as well as social funds to invest in the area of the digital economy, encourage public-private partnership relations and other such forms of participation. Encourage the organization of investment information exchange activities between information and telecommunications technology enterprises and financial bodies, encourage reciprocal investment in the information and telecommunications technology area.
8. Promoting inter-city digital economy cooperation. Stimulate relevant cities to launch twinning cooperation, support the establishment of strategic cooperation relationships between twinned cities, drive international traffic and logistics, enhance quality and increase efficiency through constructing information infrastructure, promoting information sharing, stimulating information technology cooperation, and stimulating Internet trading services. Explore the establishment of “Digital Silk Road” economic cooperation demonstration areas. Encourage and support relevant cities in establishing “Digital Silk Road” economic demonstration areas within these cities, promote profound bilateral cooperation in areas such as information infrastructure, smart cities, e-commerce, long-distance healthcare, “Internet Plus”, the Internet of Things, artificial intelligence, etc.
9. Increasing digital inclusivity. Adopt many kinds of policy measures and technological measures to reduce the digital divide, including the digital divide between countries and within countries, and forcefully stimulate the proliferation of the Internet. Stimulate the use of digital technologies in school education and non-official education, promote the realization of broadband access for schools and equip them with online learning environments, so that ever more students can use digitized tools and resources in pursuit of learning. Strengthen the development of digital content such as excellent online games, cartoons, audiovisual materials, literature, music and knowledge resources, and stimulate exchange between the cultures of all countries, and a meeting of people’s hearts.
10. Encouraging and fostering transparent digital economy policies. Develop and maintain an open, transparent and inclusive digital economy policy formulation method. Encourage the dissemination of related and publishable government data, and understand the potential of these in driving new technologies, new products and new services. Encourage online open tendering and procurement, support enterprises in innovating digital product production and services, and simultaneously ensure that demand is market-led.
11. Furthering international standardization cooperation. Propose the formulation and application of international standards for technology products and services developed through joint coordination, these international standards should maintain consistency with international norms including the norms and principles of the World Trade Organization.
12. Strengthening confidence and trust. Strengthen the feasibility, completeness, secrecy and reliability of online transactions. Encourage the development of secure information infrastructure, in order to stimulate trustworthy, stable and reliable Internet applications. Strengthen international cooperation in the area of online trading, jointly attack cybercrime and protect the information and telecommunications technology environment. Through ensuring and respecting privacy and protecting personal data, establish confidence among users, this is a critical factor influencing the development of the digital economy.
13. Encourage and stimulate cooperation while respecting autonomous development paths. Encourage all countries along the Belt and Road to strengthen exchange and enhance mutual understanding, strengthen cooperation in policy formulation, supervision and management, reduce, eliminate or prevent unnecessary differences in supervision and management requirement, in order to liberate the vitality of the digital economy, simultaneously understand that all countries should preserve consistency with their international legal obligations, and that they will plan their development path no the basis of their own development situation, historical and cultural traditions, national legal systems and national development strategies.
14. Encouraging the joint construction of a peaceful, secure, open, cooperative and ordered cyberspace. Support information and telecommunication technology policies that safeguard the global nature of the Internet, permit Internet users to lawfully and autonomously choose the information, knowledge and services they obtain online. Understand that cybersovereignty must be fully respected, safeguard cybersecurity, determinedly attack cyberterrorism and cybercrime, protect personal privacy and information security, and promote the establishment of a multilateral, democratic and transparent international Internet governance system.
15. Encouraging the establishment of multi-level exchange mechanisms. Stimulate all sides, governments, enterprises, scientific research bodies, and sectoral organizations to communicate and interact, share viewpoints, and promote cooperation in the digital economy. Strengthen training, research and cooperation in the area of the digital economy. Strengthen exchanges about policy formulation and legislative experiences among the “Belt-Road Initiative” countries, and share best practices. Launch the construction of digital technology capabilities, welcome and encourage the United Nations Trade and Development Committee, the United Nations Industrial Development Organization, the Organization for Economic Cooperation and Development, the International Telecommunications Union and other such international organizations to play an important role in driving international cooperation on the “Belt-Road Initiative” digital economy.
(Signed by China, Laos, Saudi Arabia, Serbia, Thailand, Turkey and the United Arab Emirates)
《“一带一路”数字经济国际合作倡议》全文如下:
数字经济是全球经济增长日益重要的驱动力,在加速经济发展、提高现有产业劳动生产率、培育新市场和产业新增长点、实现包容性增长和可持续增长中正发挥着重要作用。为拓展数字经济领域的合作,作为支持“一带一路”倡议的相关国家,我们将本着互联互通、创新发展、开放合作、和谐包容、互利共赢的原则,探讨共同利用数字机遇、应对挑战,通过加强政策沟通、设施联通、贸易畅通、资金融通和民心相通,致力于实现互联互通的“数字丝绸之路”,打造互利共赢的“利益共同体”和共同发展繁荣的“命运共同体”。为此,在基于自愿、不具约束力基础上,我们提出以下倡议:
1.扩大宽带接入,提高宽带质量。建设完善区域通信、互联网、卫星导航等重要信息基础设施,促进互联互通,探索以可负担的价格扩大高速互联网接入和连接的方式,促进宽带网络覆盖、提高服务能力和质量。
2.促进数字化转型。促进农业生产、运营、管理的数字化,以及农产品配送的网络化转型。鼓励数字技术与制造业融合,建设一个更加连接的、网络化、智能化的制造业。利用信息通信技术改善文化教育、健康医疗、环境保护、城市规划和其他公共服务。促进智慧物流、在线旅游、移动支付、数字创意和分享经济等服务业的持续发展。
3.促进电子商务合作。探索在跨境电子商务信用、通关和检验检疫、消费者保护等领域建立信息共享和互信互认机制的可行性,加强金融支付、仓储物流、技术服务、线下展示等方面的合作。加强消费者权益保护合作。 4.支持互联网创业创新。鼓励通过有利和透明的法律框架,推动基于互联网的研发和创新,支持基于互联网的创业。利用互联网促进产品、服务、流程、组织和商业模式的创新。
5.促进中小微企业发展。通过政策支持,促进中小微企业使用信息通信技术进行创新、提高竞争力、开辟新的市场销售渠道。推动以可负担的价格为中小微企业运营提供所需的数字基础设施。鼓励中小微企业为公共部门提供信息通信产品和服务,融入全球价值链。
6.加强数字化技能培训。提升公众数字化技能水平,确保从数字经济发展中获益。开展数字技能的在职培训,提升从业人员的数字技能。鼓励政府部门、大学和研究机构、企业积极开展培训项目,促进数字技能的普及和提升。
7.促进信息通信技术领域的投资。通过促进研发和创新(RDI)以及投资,包括数字经济跨境投资等方面的政策框架,改善商业环境。推动各类金融机构、多边开发机构等投资信息通信技术基础设施和应用,引导商业股权投资基金以及社会基金向数字经济领域投资,鼓励公私伙伴关系(PPP)等参与形式。鼓励组织信息通信技术企业和金融机构间的投资信息交流活动,鼓励在信息通信技术领域相互投资。
8.推动城市间的数字经济合作。推动有关城市开展对点合作,支持对点城市间建立战略合作关系,通过信息基础设施建设、推动信息共享、促进信息技术合作、推进互联网经贸服务和加强人文交流,带动国际交通物流提质增效。探索建设“数字丝绸之路”经济合作试验区。鼓励支持有关城市在各自城市分别建立“数字丝绸之路”经济合作试验区,推动双方在信息基础设施、智慧城市、电子商务、远程医疗、 “互联网+”、物联网、人工智能等领域的深度合作。
9.提高数字包容性。采取多种政策措施和技术手段来缩小数字鸿沟,包括各国之间和各国之内的数字鸿沟,大力推进互联网普及。促进数字技术在学校教育及非正式教育中的使用,推动实现学校宽带接入并具备网络教学环境,越来越多的学生可以利用数字化工具和资源进行学习。加强各自的优秀网络游戏、动漫、影视、文学、音乐和知识资源等数字内容开发,促进各国文化交流、民心交融。
10.鼓励培育透明的数字经济政策。发展和保持公开、透明、包容的数字经济政策制定方式。鼓励发布相关的、可公开的政府数据,并认识到这些对于带动新技术、新产品、新服务的潜力。鼓励在线公开招标采购,支持企业创新数字产品生产和服务,同时保持需求由市场主导。
11.推进国际标准化合作。倡导共同协作开发相关技术产品和服务的国际标准的制定和应用,这些国际标准应与包括世贸组织规则和原则在内的国际规则保持一致。
12.增强信心和信任。增强在线交易的可用性、完整性、保密性和可靠性。鼓励发展安全的信息基础设施,以促进可信、稳定和可靠的互联网应用。加强在线交易方面的国际合作,共同打击网络犯罪和保护信息通信技术环境。通过确保尊重隐私和个人数据保护,树立用户信心,这是影响数字经济发展的关键因素。
13.鼓励促进合作并尊重自主发展道路。鼓励沿线各国加强交流、增进相互了解,加强政策制定、监管领域的合作,减少、消除或防止不必要的监管要求的差异,以释放数字经济的活力,同时认识到所有国家应与其国际法律义务保持一致,并根据各自的发展情况、历史文化传统、国家法律体系和国家发展战略来规划发展道路。
14.鼓励共建和平、安全、开放、合作、有序的网络空间。支持维护互联网全球属性的信息通信技术政策,允许互联网使用者依法自主选择获得在线信息、知识和服务。认识到必须充分尊重网络主权,维护网络安全,坚决打击网络恐怖主义和网络犯罪,保护个人隐私和信息安全,推动建立多边、民主、透明的国际互联网治理体系。
15.鼓励建立多层次交流机制。促进政府、企业、科研机构、行业组织等各方沟通交流、分享观点,推动数字经济合作。加强数字经济方面的培训和研究合作。加强“一带一路”国家间交流政策制定和立法经验,分享最佳实践。开展数字技术能力建设,欢迎和鼓励联合国贸易和发展会议、联合国工业发展组织、经济合作与发展组织、国际电信联盟和其他国际组织,在推动“一带一路”数字经济国际合作中发挥重要作用。
China Copyright and Media 