MII

Guidelines for the Construction of the Online Data Security Standards System

(Opinion-seeking draft)

April 2020

Foreword

Following the connection and convergence of information technology with human production and life, global data have taken on the characteristics of explosive growth and massive collection. The big data industry is in a period of brisk development, technological progress and application innovation are accelerating in lockstep, and data resources have become fundamental national strategic resources and innovation factors for social production. At present, our country’s telecommunications and Internet sectors are developing rapidly and collecting large amounts of online data; at the same time as they liberate the development potential of the data economy and stimulate its accelerated growth, we face severe security risks. This requires that we deeply understand the importance and urgency of online data security, persist in equally stressing security and development, vigorously respond to complex and severe security risks and challenges, and accelerate the construction of a security protection system for online data.

“In safe development, standards go first”: standardization work is an important basis for guaranteeing online data security. In order to implement the requirements of laws and regulations such as the “Cybersecurity Law of the People’s Republic of China”, the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection”, the “Telecommunications and Internet User Personal Information Protection Regulations”, etc., and to guide online data security standardization work in the telecommunications and Internet sectors, the Ministry of Industry and Information Technology has organized the drafting of the “Guidelines for the Construction of the Online Data Security Standards System” (hereafter simply named “Construction Guidelines”). The “Construction Guidelines” give full rein to the top-level design and fundamental guidance roles of standards, provide powerful support for guaranteeing online data security in the telecommunications and Internet sectors and stimulating the rational and orderly flow of online data, and assist the high-quality development of the digital economy.

Notice concerning Promoting the Accelerated Development of 5G

MIIT Communications No. (2020)49

All provincial, autonomous region, municipal, plan-listed city and Xinjiang Production-Construction Corps controlling departments for industry and information technology, and wireless communications management bodies, all provincial, autonomous region and municipal telecommunications management bureaus, China Telecom Group Co. Ltd., China Mobile Telecommunications Group Co. Ltd., China Unicom Telecommunications Group Co. Ltd., China Tower Co. Ltd., China Broadcast Network Co. Ltd.:

In order to deeply implement the spirit of General Secretary Xi Jinping’s important speech concerning promoting the accelerated development of 5G networks, forcefully advance 5G network construction, usage, popularization, technology development and security protection, give full rein to the effects of scale and driving role of new 5G infrastructure, and support high-quality economic development, hereby, related matters are notified as follows:

Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps

Notice concerning Issuance of the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”

All provincial, autonomous region, municipal and the Xinjiang Production-Construction Corps cybersecurity and informatization offices, telecommunications management bureaus, public security offices (bureaus), market supervision and management bureaus (offices, committees):

On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violation of rules and regulations in apps, and to implement laws and regulations such as the “Cybersecurity Law”, etc., the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation have jointly formulated the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”. These are hereby issued to you; please refer to and implement them in integration with supervision, management and law enforcement work realities.

Cyberspace Administration of China Secretariat

Ministry of Industry and Information Technology General Office

Ministry of Public Security General Office

State Administration for Market Regulation General Office

28 November 2019

Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps

On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violation of rules and regulations in apps, provide guidance for app operators’ self-inspection and self-rectification as well as netizens’ social supervision, and implement laws and regulations such as the “Cybersecurity Law”, these Rules are formulated.

I, The following acts may be determined as “not publishing collection and use norms”

1. There is no privacy policy in the app, or the privacy policy does not contain norms on the collection and use of personal information;

2. When using the app for the first time, users are not prompted to read privacy policies and other such norms on collection and use through a pop-up window and other such clear methods;

3. The privacy policy and other such collection and use norms are difficult to access, for instance when after entering the app’s main interface, 4 clicks or other such manipulations are required before it can be accessed;

4. The privacy policy and other such collection and use norms are difficult to read, for instance because characters are too small and closely spaced, colours are too light, they are blurred and unclear, or no simplified Mandarin version is provided.

II, The following acts may be determined as “not indicating the objective, method and scope of collecting and using personal information”

1. Not listing the objective, method and scope of personal information collection and use in the app (including entrusted third parties or embedded third-party code and plug-ins) one by one;

2. When a change occurs in the objective, method and scope of personal information collection and use, not notifying the user in an appropriate manner; appropriate manners include revising the privacy policy and other such collection and use norms and alerting the user to read it;

3. When requesting to activate authorization of collectable personal information, or requesting to collect users’ identity card number, bank account number, geographical tracking and other such sensitive personal information, not simultaneously notifying the user about its objective, or having an unclear or difficult to understand objective;

4. Content related to collection and use norms is obscure, verbose and overly detailed, making it difficult for users to understand, for instance using large amounts of specialist jargon, etc.

III, The following acts may be determined as “collecting and using personal information without users’ consent”

1. Beginning to collect personal information or activating authorizations for collectable information before obtaining users’ consent;

2. After users clearly indicate they do not consent, still collecting personal information or activating collectable personal information authorizations, or frequently requesting users’ consent, interfering with users’ regular use;

3. Actually collecting personal information or activating collectable personal information authorizations in excess of the scope of user authorization;

4. Obtaining users’ consent by way of implicit agreement to privacy policies and other non-explicit methods;

5. Altering the status of collectable personal information authorizations that users have set up without their consent, for instance automatically restoring user-set authorizations to default status when updating an app;

6. Using users’ personal information and algorithms to push targeted information, without providing an option for non-targeted push information;

7. Misleading users through fraudulent, swindling and other such improper methods into consenting to personal information collection or the activation of collectable personal information authorizations, for instance wilfully hoodwinking or covering up the true objective for the collection of users’ personal information;

8. Not providing users with a way and method to revoke consent for personal information collection;

9. Collecting users’ personal information in violation of the announced collection and use norms. 

IV, The following acts may be determined as “collecting personal information in violation of the principle of necessity, that is not related to the provided service”

1. Collected categories of personal information or activated collectable personal information authorizations are not related to the existing business functions;

2. Refusing to provide business functions because users do not consent to the collection of unnecessary personal information or the activation of unnecessary authorizations;

3. Requesting the collection of personal information in excess of the scope the user originally consented to when adding new business functions to the app, and refusing to provide the original business functions if the user does not agree, except where the newly added business function supersedes the original business function;

4. The frequency of personal information collection exceeds the actual needs of business functions;

5. Obliging the user to consent to personal information collection for only the purpose of improving service quality, enhancing user experience, targeting push delivery information, researching and developing new products, etc.;

6. Requiring users to consent once to activating multiple collectable personal information authorizations, where use is impossible if users do not consent.

V, The following acts may be determined as “providing personal information to others without consent”

1. Providing personal information directly from the app customer end to third parties both without user consent, and without anonymized processing, including providing personal information to third parties through methods such as embedding third-party code or plug-in components at the customer end, etc.;

2. Providing collected personal information to third parties after data is transmitted to the app’s back-end servers both without user consent, and without anonymized processing;

3. Where the app connects to third-party applications, providing personal information to the third-party applications without user consent.

VI, The following acts may be determined as “not providing functions to delete or correct personal information as provided by law” or “not publishing information such as complaints and reporting methods”

1. Not providing effective functions to correct and delete personal information and cancel user accounts;

2. Setting unnecessary or unreasonable conditions for correcting or deleting personal information or cancelling user accounts;

3. Even if functions are provided to correct and delete personal information and cancel user accounts, not responding in a timely manner to users’ corresponding operations; where manual processing is required, not completing examination and processing within the committed time limit (the committed time limit may not exceed 15 working days; where there is no committed time limit, 15 working days are taken as the limit);

4. User operations such as correcting or deleting personal information or cancelling user accounts have been executed, but have not been completed at the app back-end;

5. Not establishing and publishing personal information security complaints and reporting channels, or not accepting and processing matters within the committed time limit (the committed time limit may not exceed 15 working days; where there is no committed time limit, 15 working days are taken as the limit).

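Notice concerning Issuance of the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”

All provincial, autonomous region, municipal and Xinjiang Production-Construction Corps cybersecurity and informatization offices, telecommunications management bureaus, public security offices (bureaus), market supervision and management bureaus (offices, committees):

On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for the determination of acts of collecting and using personal information in violation of rules and regulations in apps, and to implement laws and regulations such as the “Cybersecurity Law”, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation have jointly formulated the “Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps”. These are hereby issued to you; please refer to and implement them in integration with supervision, management and law enforcement work realities.

Cyberspace Administration of China Secretariat

Ministry of Industry and Information Technology General Office

Ministry of Public Security General Office

State Administration for Market Regulation General Office

28 November 2019

Determination Rules on Acts of Collecting and Using Personal Information in Violation of Rules and Regulations in Apps

On the basis of the “Announcement concerning a Special Campaign on Collection and Use of Personal Information in Violation of Rules and Regulations in Apps”, in order to provide reference for supervision and management departments’ determination of acts of collecting and using personal information in violation of rules and regulations in apps, provide guidance for app operators’ self-inspection and self-rectification as well as netizens’ social supervision, and implement laws and regulations such as the “Cybersecurity Law”, these Rules are formulated.

I, The following acts may be determined as “not publishing collection and use norms”

1. There is no privacy policy in the app, or the privacy policy does not contain norms on the collection and use of personal information;

2. When the app is run for the first time, users are not prompted to read the privacy policy and other such collection and use norms through a pop-up window or other such clear methods;

3. The privacy policy and other such collection and use norms are difficult to access, for instance when, after entering the app’s main interface, more than 4 clicks or other such operations are required before they can be accessed;

4. The privacy policy and other such collection and use norms are difficult to read, for instance because characters are too small and closely spaced, colours are too light, they are blurred and unclear, or no simplified Chinese version is provided.

II, The following acts may be determined as “not indicating the objective, method and scope of collecting and using personal information”

1. Not listing one by one the objective, method and scope of personal information collection and use by the app (including entrusted third parties or embedded third-party code and plug-ins);

2. When a change occurs in the objective, method and scope of personal information collection and use, not notifying the user in an appropriate manner; appropriate manners include updating the privacy policy and other such collection and use norms and alerting the user to read them;

3. When requesting to activate authorizations for collectable personal information, or requesting to collect users’ identity card number, bank account number, movement tracks and other such sensitive personal information, not simultaneously notifying the user about the objective, or having an unclear or difficult to understand objective;

4. Content related to collection and use norms is obscure, verbose and overly detailed, making it difficult for users to understand, for instance using large amounts of specialist jargon.

III, The following acts may be determined as “collecting and using personal information without users’ consent”

1. Beginning to collect personal information or activating authorizations for collectable personal information before obtaining users’ consent;

2. After users clearly indicate they do not consent, still collecting personal information or activating authorizations for collectable personal information, or frequently requesting users’ consent, interfering with users’ regular use;

3. Actually collecting personal information or activating authorizations for collectable personal information in excess of the scope of user authorization;

4. Requesting users’ consent through non-explicit methods such as selecting consent to the privacy policy by default;

5. Altering the status of collectable personal information authorizations that users have set without their consent, for instance automatically restoring user-set authorizations to default status when updating the app;

6. Using users’ personal information and algorithms to push targeted information, without providing an option for non-targeted push information;

7. Misleading users through fraud, deception and other such improper methods into consenting to personal information collection or the activation of authorizations for collectable personal information, for instance wilfully concealing or covering up the true objective of collecting and using personal information;

8. Not providing users with a channel and method to revoke consent for personal information collection;

9. Collecting and using personal information in violation of the announced collection and use norms.

IV, The following acts may be determined as “collecting personal information in violation of the principle of necessity, that is not related to the provided service”

1. Collected categories of personal information or activated authorizations for collectable personal information are not related to the existing business functions;

2. Refusing to provide business functions because users do not consent to the collection of unnecessary personal information or the activation of unnecessary authorizations;

3. When new business functions are added to the app, requesting the collection of personal information in excess of the scope the user originally consented to, and refusing to provide the original business functions if the user does not agree, except where the newly added business function supersedes the original business function;

4. The frequency of personal information collection exceeds the actual needs of business functions;

5. Obliging users to consent to personal information collection solely on grounds such as improving service quality, enhancing user experience, targeting push information, or researching and developing new products;

6. Requiring users to consent at once to activating multiple authorizations for collectable personal information, where use is impossible if users do not consent.

V, The following acts may be determined as “providing personal information to others without consent”

1. Providing personal information directly from the app client to third parties both without user consent and without anonymized processing, including providing personal information to third parties through third-party code, plug-ins and other such methods embedded in the client;

2. Providing collected personal information to third parties after data is transmitted to the app’s back-end servers, both without user consent and without anonymized processing;

3. Where the app connects to third-party applications, providing personal information to the third-party applications without user consent.

VI, The following acts may be determined as “not providing functions to delete or correct personal information as provided by law” or “not publishing information such as complaints and reporting methods”

1. Not providing effective functions to correct and delete personal information and cancel user accounts;

2. Setting unnecessary or unreasonable conditions for correcting or deleting personal information or cancelling user accounts;

3. Even if functions are provided to correct and delete personal information and cancel user accounts, not responding in a timely manner to users’ corresponding operations; where manual processing is required, not completing examination and processing within the committed time limit (the committed time limit may not exceed 15 working days; where there is no committed time limit, 15 working days are taken as the limit);

4. User operations such as correcting or deleting personal information or cancelling user accounts have been executed, but have not been completed at the app back-end;

5. Not establishing and publishing personal information security complaints and reporting channels, or not accepting and processing matters within the committed time limit (the committed time limit may not exceed 15 working days; where there is no committed time limit, 15 working days are taken as the limit).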

Internet Domain Name Management Rules

Ministry of Industry and Information Technology Decree

No. 43

The “Internet Domain Name Management Rules” were deliberated and passed at the 32nd Ministerial meeting of the Ministry of Industry and Information Technology on 16 August 2017, are hereby promulgated, and take effect on 1 November 2017. The “Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated by the then-Ministry of Information Industry on 5 November 2004 are abolished at the same time.

Minister Miao Wei

24 August 2017

Internet Domain Name Management Rules

Chapter I: General Provisions

Article 1: These Rules are formulated in order to standardize domain name services, protect users’ lawful rights and interests, ensure the secure and reliable operation of the Internet domain name system, promote the development and application of Mandarin-language domain names and national top-level domain names, and stimulate the healthy development of the Chinese Internet, on the basis of regulations such as the “Administrative Licencing Law of the People’s Republic of China”, the “State Council Decision on Determining Administrative Licences and Administrative Examination and Approval Programmes that Need to Be Maintained”, etc., and with reference to international Internet domain name management norms.

Article 2: These Rules shall be followed when engaging in Internet domain name services and their related activities such as operational maintenance, supervision and management within the territory of the People’s Republic of China.

Internet domain name services as mentioned in these Rules (hereafter simply named domain name services) refers to engaging in activities such as domain name root server operation and maintenance, top-level domain name operation and management, domain name registration, domain name resolution, etc.

Article 3: The Ministry of Industry and Information Technology implements supervision and management over domain name services nationwide; its main duties and responsibilities are:

(1) Formulating Internet domain name management rules and policies;

(2) Formulating development plans for the Internet domain name system and domain name resources;

(3) Managing domestic domain name root server operating bodies and domain name registration management bodies;

(4) Being responsible for the network and information security management of domain name systems;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Being responsible for domain name-related international coordination;

(7) Managing domestic domain name resolution services;

(8) Managing other domain name service-related activities.

Article 4: All provincial, autonomous region and municipal telecommunications management bureaus implement supervision and management over domain name services within their administrative areas; their main duties and responsibilities are:

(1) Implementing and enforcing domain name management laws, administrative regulations, rules and policies;

(2) Managing domain name registration service bodies within their administrative areas;

(3) Assisting the Ministry of Industry and Information Technology in conducting management of domain name root server operating bodies and domain name registration management bodies within their administrative areas;

(4) Being responsible for the network and information security of domain name systems within their administrative areas;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Managing domain name resolution services within their administrative areas;

(7) Managing other domain name service-related activities within their administrative areas.

Article 5: The Chinese Internet domain name system is announced by the Ministry of Industry and Information Technology. On the basis of the actual circumstances of domain name development, the Ministry of Industry and Information Technology may adjust the Chinese Internet domain name system.

Article 6: “.cn” and “.中国” are China’s national top-level domain names.

Mandarin-language domain names are an important component part of the Chinese Internet domain name system. The State encourages and supports technological research and broad application of Mandarin-language domain names.

Article 7: Those providing domain name services shall abide by relevant State laws and regulations, and conform with relevant technological norms and standards.

Article 8: No organization or individual may impede the secure and stable operation of the Internet domain name system.

Chapter II: Domain name management

Article 9: Those establishing domain name root servers and domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies within the borders, shall obtain corresponding licenses on the basis of these Rules from the Ministry of Industry and Information Technology or provincial, autonomous region and municipal telecommunications management bureau (hereafter generally designated as telecommunication management bodies).

Article 10: Those applying to establish domain name root servers and domain name root server operating bodies, shall meet the following conditions:

(1) Setting up the domain name root server within the borders, and conforming to Internet development-related plans and secure and stable operating requirements for the domain name system;

(2) Being a lawfully established legal person, where the said legal person and its main investors and main business management personnel have a good credit record;

(3) Having premises, funding, environments, specialist personnel and technical capabilities to ensure the secure and reliable operation of the domain name root server, as well as information management systems that conform to telecommunications management bodies’ requirements;

(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(5) Having the capacity to protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(6) Other conditions provided in laws or administrative regulations.

Article 11: Those applying to establish a domain name registration management body shall meet the following conditions:

(1) Establishing the domain name management system inside the borders, and holding top-level domain names in conformity with related laws and regulations as well as requirements for the secure and stable operation of domain name systems;

(2) Being a lawfully established legal person, where the said legal person and its main investors and main business management personnel have a good credit record;

(3) Having a perfected business development plan and technical plan, as well as the premises, funding and specialist personnel corresponding to engaging in top-level domain name operations and management, as well as information management systems that conform to telecommunications management bodies’ requirements;

(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(5) Having the capacity to conduct real identity information verification and protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(6) Having complete domain name registration service management structures and supervision mechanisms over domain name registration service bodies;

(7) Other conditions as provided in laws and administrative regulations.

Article 12: Those applying to establish a domain name registration service body shall meet the following conditions:

(1) Establishing the domain name registration service system, registration database and corresponding domain name resolution systems within the borders;

(2) Being a lawfully established legal person, where the said legal person and its main investors and main business management personnel have a good credit record;

(3) Having the premises, funding and specialist personnel corresponding to engaging in domain name registration, as well as information management systems that conform to telecommunications management bodies’ requirements;

(4) Having the capacity to conduct real identity information verification and protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(5) Having complete domain name registration service management structures and supervision mechanisms over domain name registration agents;

(6) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(7) Other conditions provided in laws and administrative regulations.

Article 13: Those applying to establish a domain name root server or root server operating body, or a domain name registration management body, shall submit application materials to the Ministry of Industry and Information Technology. Those applying to establish a domain name registration service body, shall submit application materials to the local provincial, autonomous region and municipal telecommunications management bureau.

The application materials shall include:

(1) The applicant work unit’s basic situation as well as a commitment letter signed by its legal representative to do business sincerely and according to the law;

(2) Materials proving the implementation of effective management of domain name services, including materials proving relevant systems, premises and service capabilities, management rules, agreements signed with other bodies, etc.;

(3) Network and information security protection structures and measures;

(4) Materials proving the applicant work unit’s reputation.

Article 14: Where application materials are complete and conform to statutory forms, telecommunication management bodies shall issue an application acceptance notification letter to the applicant work unit; where application materials are not complete or do not conform to statutory forms, telecommunication management bodies shall notify the applicant work unit on the spot or once in writing within five working days about the complete content they need to supplement; where it is not accepted, they shall issue a non-acceptance notification letter and explain the reasons. 

Article 15: Telecommunication management bodies shall complete inspection within twenty working days from the date of acceptance, and make a decision on granting a licence or not granting a licence. Where a decision cannot be made within twenty working days, with the approval of the responsible person of the telecommunication management body, an extension of ten working days is permitted, and the applicant work unit will be notified about the reasons for the extended time limit. Where it is necessary to organize expert appraisal, the appraisal time is not counted into the inspection period.

Where a licence is granted, corresponding licence documents shall be issued; where a licence is not granted, the applicant work unit shall be notified in writing and the reasons explained.

Article 16: Licences of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies are valid for a period of five years.

Article 17: Where a change occurs in the name, address, legal representative or other such information of domain name root server operating bodies, domain name registration management bodies or domain name registration service bodies, they shall conduct modification formalities within twenty working days from the day the change occurs with the original licence-issuing body.

Article 18: Where, within a licence’s period of validity, a domain name root server operating body, domain name registration management body, or domain name registration service body plans to terminate corresponding services, they shall notify users in writing thirty days in advance, put forward feasible plans to deal with the aftermath, and submit a written application to the original licence-issuing body.

After the original licence-issuing body receives the application, it shall publish it to society for thirty days. The publication period concludes within sixty days, and the original licence-issuing body shall complete inspection and make a decision. 

Article 19: Where it is required to continue engaging in domain name services when a licence’s period of validity expires, an extension shall be applied for with the original licence-issuing body ninety days in advance; where it is not required to continue engaging in domain name services, the original licence-issuing body shall be notified ninety days in advance, and aftermath work conducted.

Article 20: Where a domain name registration service body entrusts a domain name registration agency body to conduct market sales and other such work, it shall conduct supervision and management of the domain name registration agency body’s work.

Domain name registration agency bodies entrusted with conducting market sales and other such work shall, in that process, actively indicate the agency relationship, and explicitly clarify the domain name registration service body’s name and agency relationship in the domain name registration service contract.

Article 21: Domain name registration management bodies and domain name registration service bodies shall establish corresponding emergency response back-up systems within the borders and regularly back up domain name registration data.

Article 22: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall indicate information related to their licence in a clear location on the front page of their website and their business premises. Domain name registration management bodies shall also show a list of domain name registration service bodies with which they cooperate.

Domain name registration agency bodies shall indicate the name of the domain name registration service body for which they are agents in a clear location on the front page of their website and their business premises. 

Chapter III: Domain name services

Article 23: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall provide secure, convenient and stable services to users.

Article 24: Domain name registration management bodies shall, on the basis of these Rules, formulate domain name registration implementation rules and publish them to society.

Article 25: Domain name registration management bodies shall conduct domain name registration services through domain name registration service bodies licenced by telecommunication management bodies.

Domain name registration service bodies shall provide services according to the domain name registration service items licenced by telecommunication management bodies; they may not provide domain name registration services for domain name registration management bodies that do not have a telecommunication management body licence.

Article 26: “First application, first registration” is implemented for domain name registration services in principle; where related domain name registration implementation rules provide otherwise, those provisions are followed.

Article 27: In order to uphold the national interest and the social public interest, domain name registration management bodies shall establish reserved domain name registration word systems.

Article 28: Domain names registered and used by any organization or individual may not contain the following content:

(1) Content violating the basic principles determined in the Constitution;

(2) Content harming national security, divulging State secrets, subverting the national regime, or destroying national unity;

(3) Content harming the country’s honour and interest;

(4) Content inciting ethnic hatred or ethnic discrimination, or destroying ethnic unity;

(5) Content destroying State religious policies, propagating heresy and feudal superstition;

(6) Content disseminating rumours, upsetting social order, or destroying social stability;

(7) Content disseminating obscenity, sex, gambling, violence, homicide or terror, or inciting crime;

(8) Content insulting or slandering other persons, or harming other persons’ lawful rights and interests;

(9) Other content prohibited by laws and administrative regulations.

Domain name registration management bodies and domain name registration service bodies may not provide services to domain names containing content listed in the previous Paragraph.

Article 29: Domain name registration service bodies may not use fraudulent, coercive or other such improper means to require other persons to register domain names. 

Article 30: Domain name registration service bodies providing domain name registration services shall require domain name registration applicants to provide domain name holders’ real, accurate and complete identity information and other such domain name registration information.

Domain name registration management bodies and domain name registration service bodies shall check the veracity and completeness of domain name registration information.

Where domain name registration applicants provide inaccurate or incomplete domain name registration information, domain name registration service bodies shall require correction. Where applicants do not correct the matter or provide untrue domain name registration information, domain name registration service bodies may not provide domain name registration services to them.

Article 31: Domain name registration service bodies shall publish domain name registration service content, time limits and fees, to ensure service quality, and provide public inquiry services of domain name registration information.

Article 32: Domain name registration management bodies and domain name registration service bodies shall store and protect users’ personal information according to the law. Without user agreement, users’ personal information may not be provided to other persons, except where laws and regulations provide otherwise.

Article 33: Where a change occurs in domain name holders’ contact method and other such information, they shall conduct domain name registration information modification formalities within thirty days after the change with the domain name registration service body.

Where domain name holders transfer domain names to other persons, the assignee shall abide by domain name registration-related requirements. 

Article 34: Domain name holders have the right to choose or change domain name registration service bodies. Where a domain name registration service body is changed, the original domain name registration service body shall cooperate with the domain name holder to transfer their domain name registration-related information. 

Without proper reason, domain name registration service bodies may not impede domain name holders’ changing domain name registration service bodies.

Article 35: Domain name registration management bodies and domain name registration service bodies shall establish complaints acceptance mechanisms, and publish complaints acceptance methods in a clear location on the front page of their website and their business premises.

Domain name registration management bodies and domain name registration service bodies shall handle complaints timely; where they cannot be handled timely, the reasons and handling period shall be explained.

Article 36: In the provision of domain name resolution services, relevant laws, regulations and standards shall be observed, corresponding technical, service and network and information protection capabilities possessed, network and information security protection measures implemented, daily domain name resolution records recorded and preserved according to the law, daily records and modification records maintained, and resolution service quality and resolution system security guaranteed. Where it involves commercial telecommunications business, a telecommunications business licence shall be obtained according to the law.

Article 37: In the provision of domain name resolution services, it is prohibited to alter resolution information without authorization. 

No organization or individual may maliciously direct domain name resolution towards other persons’ IP addresses.

Article 38: In the provision of domain name resolution services, it is prohibited to provide domain name aliasing for domain names with content listed in Article 28 Paragraph I of these Rules.

Article 39: Of those engaging in Internet information services, the domain names they use shall conform to laws, regulations and the relevant requirements of telecommunication management bodies, and may not use domain names to conduct unlawful acts.

Article 40: Domain name registration management bodies and domain name registration service bodies shall cooperate with relevant State departments conducting inspection work according to the law, and adopt measures such as cessation of resolution, etc. against domain names where unlawful acts occur according to telecommunication management bodies’ requirements.

Where domain name registration management bodies and domain name registration service bodies discover the domain names to which they provide services publish or transmit information of which the publication or transmission is prohibited by laws and administrative regulations, they shall immediately adopt measures in response, such as deletion, cessation of resolution, etc., prevent the spread of the information, preserve relevant records, and notify the matter to relevant departments.

Article 41: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall abide by relevant State laws, regulations and standards, implement network and information security protection measures, deploy the necessary network and telecommunications emergency response equipment, establish and complete technical network and information security monitoring methods and emergency response structures. When a network or information incident occurs on a domain name system, it shall be reported to the telecommunication management body within 24 hours.

When required for national security and to deal with emergencies or incidents, domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall submit to the uniform commands and coordination of telecommunication management bodies, and abide by telecommunication management bodies’ management requirements. 

Article 42: Where any organization or individual believes that a domain name registered or used by another person harms their lawful rights and interests, they may apply for mediation with a domain name dispute settlement body or file a lawsuit with a People’s Court according to the law.

Article 43: Where one of the following circumstances is present with a registered domain name, the domain name registration service body shall cancel it, and notify the domain name holder:

(1) The domain name holder applies for domain name cancellation;

(2) Domain name holders submitted false domain name registration information;

(3) It shall be closed on the basis of a People’s Court judgment, or a domain name dispute settlement body verdict;

(4) Other circumstances where laws and administrative regulations provide for cancellation. 

Chapter IV: Supervision and inspection

Article 44: Telecommunication management bodies shall strengthen supervision and inspection of domain name services. Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall accept and cooperate with supervision and inspection by telecommunication management bodies.

Domain name service sectoral self-discipline and management is encouraged, public supervision of domain name services is encouraged.

Article 45: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall, according to telecommunication management bodies’ requirements, regularly report business development situations, operations security situations, network and information security responsibility situation, the complaints and dispute handling situation and other such information.

Article 46: When telecommunication management bodies carry out supervision and inspection, they shall examine the materials submitted by domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and inspect the situation of their executing laws, regulations and relevant provisions of telecommunication management bodies.

Telecommunication management bodies may entrust specialized third-party bodies to conduct relevant supervision and inspection activities.

Article 47: Telecommunication management bodies shall establish credit-recording structures for domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and enter their violations of these Rules and the administrative punishment they receive into the credit file.

Article 48: Telecommunication management bodies conducting supervision and inspection may not impede the regular commercial and service activities of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies; they may not accept any fees, and may not leak the domain name registration information they learn.

Chapter V: Punitive provisions

Article 49: Where, in violation of the provisions of Article 9 of these Rules, a domain name root server or domain name root server operating body, domain name registration management body or domain name registration service body is established without a licence or authorization, telecommunication management bodies shall, on the basis of the provisions of Article 81 of the “Administrative Licensing Law of the People’s Republic of China”, adopt measures to stop the matter, and in view of the gravity of circumstances, issue a warning or a fine of more than 10,000 Yuan but less than 30,000 Yuan.

Article 50: Where, in violation of the provisions of these Rules, a domain name registration management body or domain name registration service body commits one of the following acts, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, and in view of the gravity of circumstances, impose a fine of 10,000 Yuan or more but less than 30,000 Yuan, and publish the matter to society:

(1) Providing domain name registration services to unlicensed domain name registration management bodies, or conducting domain name registration services through unlicensed domain name registration service bodies;

(2) Not providing services according to the licenced domain name registration service items;

(3) Not checking the veracity and completeness of domain name registration information;

(4) Obstructing domain name holders from changing domain name registration service bodies without proper reason.

Article 51: Where, in violation of the provisions of these Rules, domain name resolution services are provided and one of the following acts is committed, the telecommunication management body will order correction within a limited time, and may, in view of the gravity of circumstances, impose a fine of 10,000 Yuan or more but less than 30,000 Yuan, and publish the matter to society:

(1) Altering domain name resolution information without authorization or maliciously directing domain name resolution towards other persons’ IP addresses;

(2) Providing domain name aliasing for domain names with content listed in Article 28 Paragraph I of these Rules;

(3) Not implementing network and information security protection measures;

(4) Not recording and preserving daily domain name resolution records according to the law, maintaining daily records and modification records;

(5) Not dealing with domain names where unlawful acts occur according to requirements.

Article 52: Where the provisions of Article 17, Article 18 Paragraph I, Article 21, Article 22, Article 28 Paragraph II, Article 29, Article 31, Article 32, Article 35 Paragraph I, Article 40 Paragraph II or Article 41 of these Rules are violated, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, may additionally impose a fine of 10,000 Yuan or more but less than 30,000 Yuan, and publish the matter to society.

Article 53: Where laws or administrative regulations provide otherwise on relevant unlawful conduct, the provisions of those laws and administrative regulations are implemented. 

Article 54: Where any organization or individual registers or uses domain names in violation of the provisions of Article 28 Paragraph I of these Rules, constituting a crime, criminal liability will be prosecuted according to the law; where the matter does not constitute a crime, relevant departments will punish the matter according to the law.

Chapter VI: Supplementary provisions

Article 55: The meaning of the following terms in these Rules is:

(1) Domain name: refers to a hierarchically structured character indication to identify and locate a computer on the Internet, corresponding with that computer’s IP address.

(2) Mandarin-language domain name: refers to a domain name using Mandarin characters.

(3) Top-level domain name: refers to the first-level name of the root node in the domain name system.

(4) Domain name root server: refers to servers with domain name system root node functioning (including mirror servers).

(5) Domain name root server operating body: refers to a body that lawfully obtained a licence and undertakes domain name root server operations, maintenance and management work.

(6) Domain name registration management body: refers to a body that lawfully obtained a licence and undertakes top-level domain name operations and management work. 

(7) Domain name registration service body: refers to a body that lawfully obtained a licence, accepts domain name registration applications and completes the registration of a domain name in the top-level domain name database.

(8) Domain name registration agency body: refers to a body that is entrusted by domain name registration service bodies to accept domain name registration applications, and indirectly complete domain name registration in the top-level domain name database.

(9) Domain name management system: refers to the main information system required by domain name registration management bodies to conduct top-level domain name operations and management work within the borders, and includes registration management systems, registration databases, domain name resolution systems, domain name information inquiry systems, identity information inspection systems, etc.

(10) Domain name aliasing: refers to the transfer of a visit of one domain name to another domain name and IP address or online information service connected with or directed by that domain name.

Article 56: The time periods provided in these Rules, except where working days are determined, are all natural days.

Article 57: Those conducting domain name services without obtaining corresponding licences before these Rules took effect, shall conduct licensing formalities according to the provisions of these Rules within 12 months from the date these Rules take effect.

For domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies that already obtained a licence before these Rules took effect, the provisions of Article 16 of these Rules shall apply to the period of validity of their licence; the period of validity will be computed from the day these Rules take effect.

Article 58: These Rules take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated on 5 November 2004 are abolished at the same time. Where inconsistencies exist between these Rules and relevant provisions promulgated before these Rules took effect, these Rules shall be implemented.

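Decree of the Ministry of Industry and Information Technology of the People’s Republic of China

No. 43

The “Internet Domain Name Management Rules” were deliberated and passed on 16 August 2017 at the 32nd ministerial meeting of the Ministry of Industry and Information Technology, are hereby promulgated, and take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30), promulgated by the then-Ministry of Information Industry on 5 November 2004, are abolished at the same time.

Minister: Miao Wei

24 August 2017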

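Internet Domain Name Management Rules

Chapter I: General Principles

Article 1: In order to standardize Internet domain name services, protect users’ lawful rights and interests, guarantee the secure and reliable operation of the Internet domain name system, promote the development and application of Chinese-language domain names and national top-level domain names, and stimulate the healthy development of China’s Internet, on the basis of the “Administrative Licensing Law of the People’s Republic of China”, the “State Council Decision concerning Establishing Administrative Licensing for Administrative Examination and Approval Matters that Need to Be Preserved” and other such provisions, and with reference to international Internet domain name management norms, these Rules are formulated.

Article 2: Those engaging in Internet domain name services and their operation, maintenance, supervision, management and other related activities within the borders of the People’s Republic of China shall abide by these Rules.

Internet domain name services as mentioned in these Rules (hereafter simply named domain name services) refers to engaging in activities such as domain name root server operation and management, top-level domain name operation and management, domain name registration, domain name resolution, etc.

Article 3: The Ministry of Industry and Information Technology conducts supervision and management of domain name services nationwide; its main duties are:

(1) Formulating Internet domain name management rules and policies;

(2) Formulating the Chinese Internet domain name system and domain name resource development plans;

(3) Managing domain name root server operating bodies and domain name registration management bodies within the borders;

(4) Being responsible for the network and information security management of the domain name system;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Being responsible for international coordination related to domain names;

(7) Managing domain name resolution services within the borders;

(8) Managing other activities related to domain name services.

Article 4: All provincial, autonomous region and municipal telecommunications management bureaus conduct supervision and management of domain name services within their administrative areas; their main duties are:

(1) Implementing domain name management laws, administrative regulations, rules and policies;

(2) Managing domain name registration service bodies within their administrative areas;

(3) Assisting the Ministry of Industry and Information Technology in managing domain name root server operating bodies and domain name registration management bodies within their administrative areas;

(4) Being responsible for the network and information security management of domain name systems within their administrative areas;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Managing domain name resolution services within their administrative areas;

(7) Managing other activities related to domain name services within their administrative areas.

Article 5: The Chinese Internet domain name system is announced by the Ministry of Industry and Information Technology. On the basis of the actual circumstances of domain name development, the Ministry of Industry and Information Technology may adjust the Chinese Internet domain name system.

Article 6: “.CN” and “.中国” are China’s national top-level domain names.

Chinese-language domain names are an important component part of the Chinese Internet domain name system. The State encourages and supports technological research into, and the popularization and application of, the Chinese-language domain name system.

Article 7: In the provision of domain name services, relevant State laws and regulations shall be abided by, and relevant technical norms and standards conformed to.

Article 8: No organization or individual may impede the secure and stable operation of the Internet domain name system.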

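Chapter II: Domain name management

Article 9: Those establishing domain name root servers and domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies within the borders shall, on the basis of these Rules, obtain the corresponding licence from the Ministry of Industry and Information Technology or a provincial, autonomous region or municipal telecommunications management bureau (hereafter jointly named telecommunication management bodies).

Article 10: Those applying to establish domain name root servers and domain name root server operating bodies shall meet the following conditions:

(1) The domain name root server is set up within the borders, and conforms to relevant Internet development plans and the requirements for the secure and stable operation of the domain name system;

(2) Being a lawfully established legal person, where that legal person and its main investors and main operational and management personnel have a good credit record;

(3) Having the premises, funds, environment, specialized personnel and technical capabilities to guarantee the secure and reliable operation of the domain name root server, as well as an information management system conforming to the requirements of telecommunication management bodies;

(4) Having complete network and information security protection measures, including management personnel, network and information security management structures, emergency response plans, and relevant technical and management measures, etc.;

(5) Having the capability to protect users’ personal information, the capability to provide long-term services, and a complete service withdrawal mechanism;

(6) Other conditions provided in laws and administrative regulations.

Article 11: Those applying to establish domain name registration management bodies shall meet the following conditions:

(1) The domain name management system is set up within the borders, and the top-level domain names held conform to relevant laws and regulations and the requirements for the secure and stable operation of the domain name system;

(2) Being a lawfully established legal person, where that legal person and its main investors and main operational and management personnel have a good credit record;

(3) Having a complete business development plan and technical plan, as well as premises, funds and specialized personnel suited to engaging in top-level domain name operation and management, and an information management system conforming to the requirements of telecommunication management bodies;

(4) Having complete network and information security protection measures, including management personnel, network and information security management structures, emergency response plans, and relevant technical and management measures, etc.;

(5) Having the capability to conduct real identity information verification and to protect users’ personal information, the capability to provide long-term services, and a complete service withdrawal mechanism;

(6) Having complete domain name registration service management structures and supervision mechanisms for domain name registration service bodies;

(7) Other conditions provided in laws and administrative regulations.

Article 12: Those applying to establish domain name registration service bodies shall meet the following conditions:

(1) Domain name registration service systems, registration databases and corresponding domain name resolution systems are set up within the borders;

(2) Being a lawfully established legal person, where that legal person and its main investors and main operational and management personnel have a good credit record;

(3) Having premises, funds and specialized personnel suited to engaging in domain name registration services, as well as an information management system conforming to the requirements of telecommunication management bodies;

(4) Having the capability to conduct real identity information verification and to protect users’ personal information, the capability to provide long-term services, and a complete service withdrawal mechanism;

(5) Having complete domain name registration service management structures and supervision mechanisms for domain name registration agency bodies;

(6) Having complete network and information security protection measures, including management personnel, network and information security management structures, emergency response plans, and relevant technical and management measures, etc.;

(7) Other conditions provided in laws and administrative regulations.

Article 13: Those applying to establish domain name root servers and domain name root server operating bodies, or domain name registration management bodies, shall submit application materials to the Ministry of Industry and Information Technology. Those applying to establish domain name registration service bodies shall submit application materials to the provincial, autonomous region or municipal telecommunications management bureau of their domicile.

Application materials shall include:

(1) The basic circumstances of the applying work unit, and a written commitment to lawful and sincere operation signed by its legal representative;

(2) Materials proving effective management of domain name services, including proof materials concerning relevant systems, premises and service capabilities, management structures, agreements concluded with other bodies, etc.;

(3) Network and information security protection structures and measures;

(4) Materials proving the reputation of the applying work unit.

Article 14: Where application materials are complete and conform to the statutory form, telecommunication management bodies shall issue an application acceptance notice to the applying work unit; where application materials are incomplete or do not conform to the statutory form, telecommunication management bodies shall, on the spot or within 5 working days, notify the applying work unit in writing and in one go of all content that needs to be supplemented or corrected; where the application is not accepted, a non-acceptance notice shall be issued and the reasons explained.

Article 15: Telecommunication management bodies shall complete examination within 20 working days from the date of acceptance, and decide to grant or not to grant the licence. Where a decision cannot be made within 20 working days, the period may be extended by 10 working days with the approval of the responsible person of the telecommunication management body, and the applying work unit shall be informed of the reasons for the extension. Where it is necessary to organize an expert appraisal, the appraisal time is not counted in the examination period.

Where the licence is granted, the corresponding licence document shall be issued; where the licence is not granted, the applying work unit shall be notified in writing and the reasons explained.

Article 16: The period of validity of licences for domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies is 5 years.

Article 17: Where a change occurs in the name, domicile, legal representative or other such information of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, they shall conduct modification formalities with the original issuing authority within 20 days from the date of the change.

Article 18: Where, within the period of validity of the licence, domain name root server operating bodies, domain name registration management bodies or domain name registration service bodies intend to terminate relevant services, they shall notify users in writing 30 days in advance, put forward a feasible plan for handling the aftermath, and submit a written application to the original issuing authority.

After receiving the application, the original issuing authority shall publicize it to society for 30 days. Within 60 days after the publicity period ends, the original issuing authority shall complete examination and make a decision.

Article 19: Where the period of validity of the licence expires and it is necessary to continue engaging in domain name services, an application for extension shall be filed with the original issuing authority 90 days in advance; where domain name services will not be continued, this shall be reported to the original issuing authority 90 days in advance and the aftermath shall be handled well.

Article 20: Where domain name registration service bodies entrust domain name registration agency bodies to conduct market sales and other such work, they shall supervise and manage the work of the domain name registration agency bodies.

In the process of conducting entrusted market sales and other such work, domain name registration agency bodies shall indicate the agency relationship on their own initiative, and clearly state the name of the relevant domain name registration service body and the agency relationship in the domain name registration service contract.

Article 21: Domain name registration management bodies and domain name registration service bodies shall establish corresponding emergency backup systems within the borders, and regularly back up domain name registration data.

Article 22: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall indicate information related to their licence in a clear location on the front page of their website and their business premises. Domain name registration management bodies shall also indicate the list of domain name registration service bodies with which they cooperate.

Domain name registration agency bodies shall indicate the name of the domain name registration service bodies for which they act as agent in a clear location on the front page of their website and their business premises.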

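Chapter III: Domain name services

Article 23: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall provide secure, convenient and stable services to users.

Article 24: Domain name registration management bodies shall formulate domain name registration implementation rules on the basis of these Rules, and make them public to society.

Article 25: Domain name registration management bodies shall conduct domain name registration services through domain name registration service bodies licenced by telecommunication management bodies.

Domain name registration service bodies shall provide services according to the domain name registration service items licenced by telecommunication management bodies; they may not provide domain name registration services for domain name registration management bodies who do not have a telecommunication management body licence.

Article 26: “First application, first registration” is implemented for domain name registration services in principle; where the relevant domain name registration implementation rules provide otherwise, those provisions are followed.

Article 27: In order to uphold the national interest and the social public interest, domain name registration management bodies shall establish reserved domain name registration word systems.

Article 28: Domain names registered and used by any organization or individual may not contain the following content:

(1) Content violating the basic principles determined in the Constitution;

(2) Content harming national security, divulging State secrets, subverting the national regime, or destroying national unity;

(3) Content harming the country’s honour and interest;

(4) Content inciting ethnic hatred or ethnic discrimination, or destroying ethnic unity;

(5) Content destroying State religious policies, propagating heresy and feudal superstition;

(6) Content disseminating rumours, upsetting social order, or destroying social stability;

(7) Content disseminating obscenity, sex, gambling, violence, homicide or terror, or inciting crime;

(8) Content insulting or slandering other persons, or harming other persons’ lawful rights and interests;

(9) Other content prohibited by laws and administrative regulations.

Domain name registration management bodies and domain name registration service bodies may not provide services to domain names containing content listed in the previous Paragraph.

Article 29: Domain name registration service bodies may not use fraudulent, coercive or other such improper means to require other persons to register domain names.

Article 30: Domain name registration service bodies providing domain name registration services shall require domain name registration applicants to provide domain name holders’ real, accurate and complete identity information and other such domain name registration information.

Domain name registration management bodies and domain name registration service bodies shall check the veracity and completeness of domain name registration information.

Where domain name registration applicants provide inaccurate or incomplete domain name registration information, domain name registration service bodies shall require correction. Where applicants do not correct the matter or provide untrue domain name registration information, domain name registration service bodies may not provide domain name registration services to them.

Article 31: Domain name registration service bodies shall publish domain name registration service content, time limits and fees, ensure service quality, and provide public inquiry services of domain name registration information.

Article 32: Domain name registration management bodies and domain name registration service bodies shall store and protect users’ personal information according to the law. Without user agreement, users’ personal information may not be provided to other persons, except where laws and administrative regulations provide otherwise.

Article 33: Where a change occurs in domain name holders’ contact method and other such information, they shall conduct domain name registration information modification formalities with the domain name registration service body within 30 days after the change.

Where domain name holders transfer domain names to other persons, the assignee shall abide by domain name registration-related requirements.

Article 34: Domain name holders have the right to choose or change domain name registration service bodies. Where a domain name registration service body is changed, the original domain name registration service body shall cooperate with the domain name holder to transfer their domain name registration-related information.

Without proper reason, domain name registration service bodies may not impede domain name holders’ changing domain name registration service bodies.

For domain names of which telecommunication management bodies have required cessation of resolution according to the law, the domain name registration service body may not be changed.

Article 35: Domain name registration management bodies and domain name registration service bodies shall establish complaints acceptance mechanisms, and publish complaints acceptance methods in a clear location on the front page of their website and their business premises.

Domain name registration management bodies and domain name registration service bodies shall handle complaints timely; where they cannot be handled timely, the reasons and handling period shall be explained.

Article 36: In the provision of domain name resolution services, relevant laws, regulations and standards shall be observed, corresponding technical, service and network and information security protection capabilities possessed, network and information security protection measures implemented, domain name resolution logs, maintenance logs and modification records recorded and preserved according to the law, and resolution service quality and resolution system security guaranteed. Where it involves commercial telecommunications business, a telecommunications business licence shall be obtained according to the law.

Article 37: In the provision of domain name resolution services, it is prohibited to alter resolution information without authorization.

No organization or individual may maliciously direct domain name resolution towards other persons’ IP addresses.

Article 38: In the provision of domain name resolution services, it is prohibited to provide domain name aliasing for domain names with content listed in Article 28 Paragraph I of these Rules.

Article 39: Of those engaging in Internet information services, the domain names they use shall conform to laws, regulations and the relevant requirements of telecommunication management bodies, and they may not use domain names to conduct unlawful acts.

Article 40: Domain name registration management bodies and domain name registration service bodies shall cooperate with relevant State departments conducting inspection work according to the law, and adopt measures such as cessation of resolution, etc., against domain names where unlawful acts occur, according to telecommunication management bodies’ requirements.

Where domain name registration management bodies and domain name registration service bodies discover that domain names to which they provide services publish or transmit information of which the publication or transmission is prohibited by laws and administrative regulations, they shall immediately adopt measures in response, such as deletion, cessation of resolution, etc., prevent the spread of the information, preserve relevant records, and report the matter to relevant departments.

Article 41: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall abide by relevant State laws, regulations and standards, implement network and information security protection measures, deploy the necessary network and telecommunications emergency response equipment, and establish and complete technical network and information security monitoring methods and emergency response structures. When a network and information security incident occurs on a domain name system, it shall be reported to the telecommunication management body within 24 hours.

When required for national security and to deal with emergencies, domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall submit to the uniform command and coordination of telecommunication management bodies, and abide by telecommunication management bodies’ management requirements.

Article 42: Where any organization or individual believes that a domain name registered or used by another person harms their lawful rights and interests, they may apply to a domain name dispute settlement body for a verdict or file a lawsuit with a People’s Court according to the law.

Article 43: Where one of the following circumstances is present with a registered domain name, the domain name registration service body shall cancel it, and notify the domain name holder:

(1) The domain name holder applies for domain name cancellation;

(2) The domain name holder submitted false domain name registration information;

(3) It shall be cancelled on the basis of a People’s Court judgment or a domain name dispute settlement body verdict;

(4) Other circumstances where laws and administrative regulations provide for cancellation.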

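Chapter IV: Supervision and inspection

Article 44: Telecommunication management bodies shall strengthen supervision and inspection of domain name services. Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall accept and cooperate with supervision and inspection by telecommunication management bodies.

Domain name service sectoral self-discipline and management is encouraged, and public supervision of domain name services is encouraged.

Article 45: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall, according to telecommunication management bodies’ requirements, regularly report their business development situation, secure operations situation, the situation of implementing network and information security responsibilities, the complaints and dispute handling situation, and other such information.

Article 46: When telecommunication management bodies carry out supervision and inspection, they shall examine the materials submitted by domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and inspect the situation of their executing laws, regulations and relevant provisions of telecommunication management bodies.

Telecommunication management bodies may entrust specialized third-party bodies to conduct relevant supervision and inspection activities.

Article 47: Telecommunication management bodies shall establish credit-recording structures for domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and enter their acts that violate these Rules and have received administrative punishment into the credit file.

Article 48: Telecommunication management bodies conducting supervision and inspection may not impede the regular commercial and service activities of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies; they may not accept any fees, and may not leak the domain name registration information they learn.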

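Chapter V: Punitive provisions

Article 49: Where, in violation of the provisions of Article 9 of these Rules, a domain name root server and domain name root server operating body, domain name registration management body or domain name registration service body is established without a licence, telecommunication management bodies shall, on the basis of the provisions of Article 81 of the “Administrative Licensing Law of the People’s Republic of China”, adopt measures to stop the matter, and in view of the gravity of circumstances, issue a warning or impose a fine of no less than 10,000 Yuan and no more than 30,000 Yuan.

Article 50: Where, in violation of the provisions of these Rules, a domain name registration management body or domain name registration service body commits one of the following acts, the telecommunication management body will order correction within a limited time on the basis of its duties and powers, and in view of the gravity of circumstances, impose a fine of no less than 10,000 Yuan and no more than 30,000 Yuan, and publish the matter to society:

(1) Providing domain name registration services to unlicensed domain name registration management bodies, or conducting domain name registration services through unlicensed domain name registration service bodies;

(2) Not providing services according to the licenced domain name registration service items;

(3) Not checking the veracity and completeness of domain name registration information;

(4) Obstructing domain name holders from changing domain name registration service bodies without proper reason.

Article 51: Where, in violation of the provisions of these Rules, domain name resolution services are provided and one of the following acts is committed, the telecommunication management body will order correction within a limited time, and may, in view of the gravity of circumstances, impose a fine of no less than 10,000 Yuan and no more than 30,000 Yuan, and publish the matter to society:

(1) Altering domain name resolution information without authorization or maliciously directing domain name resolution towards other persons’ IP addresses;

(2) Providing domain name aliasing for domain names with content listed in Article 28 Paragraph I of these Rules;

(3) Not implementing network and information security protection measures;

(4) Not recording and preserving domain name resolution logs, maintenance logs and modification records according to the law;

(5) Not dealing with domain names where unlawful acts occur according to requirements.

Article 52: Where the provisions of Article 17, Article 18 Paragraph I, Article 21, Article 22, Article 28 Paragraph II, Article 29, Article 31, Article 32, Article 35 Paragraph I, Article 40 Paragraph II or Article 41 of these Rules are violated, the telecommunication management body will order correction within a limited time on the basis of its duties and powers, may additionally impose a fine of no less than 10,000 Yuan and no more than 30,000 Yuan, and publish the matter to society.

Article 53: Where laws or administrative regulations provide otherwise on the punishment of relevant unlawful conduct, the provisions of those laws and administrative regulations are implemented.

Article 54: Where any organization or individual registers or uses domain names in violation of the provisions of Article 28 Paragraph I of these Rules, constituting a crime, criminal liability will be prosecuted according to the law; where the matter does not constitute a crime, relevant departments will punish the matter according to the law.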

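Chapter VI: Supplementary provisions

Article 55: The meaning of the following terms in these Rules is:

(1) Domain name: refers to a hierarchically structured character indication to identify and locate a computer on the Internet, corresponding with that computer’s IP address.

(2) Chinese-language domain name: refers to a domain name containing Chinese characters.

(3) Top-level domain name: refers to the name of a first-level domain below the root node in the domain name system.

(4) Domain name root server: refers to servers undertaking the function of the root node in the domain name system (including mirror servers).

(5) Domain name root server operating body: refers to a body that lawfully obtained a licence and undertakes domain name root server operations, maintenance and management work.

(6) Domain name registration management body: refers to a body that lawfully obtained a licence and undertakes top-level domain name operations and management work.

(7) Domain name registration service body: refers to a body that lawfully obtained a licence, accepts domain name registration applications and completes the registration of a domain name in the top-level domain name database.

(8) Domain name registration agency body: refers to a body that is entrusted by domain name registration service bodies to accept domain name registration applications, and indirectly completes the registration of a domain name in the top-level domain name database.

(9) Domain name management system: refers to the main information systems required by domain name registration management bodies to conduct top-level domain name operations and management within the borders, including registration management systems, registration databases, domain name resolution systems, domain name information inquiry systems, identity information verification systems, etc.

(10) Domain name aliasing: refers to the redirection of a visit to a certain domain name to another domain name, IP address or online information service, etc., bound to or pointed to by that domain name.

Article 56: The time periods provided in these Rules, except where they are specified as working days, are all natural days.

Article 57: Those conducting domain name services without having obtained the corresponding licences before these Rules took effect shall conduct licensing formalities according to the provisions of these Rules within 12 months from the date these Rules take effect.

For domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies that already obtained a licence before these Rules took effect, the provisions of Article 16 of these Rules apply to the period of validity of their licence; the period of validity is computed from the date these Rules take effect.

Article 58: These Rules take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated on 5 November 2004 are abolished at the same time. Where inconsistencies exist between these Rules and relevant provisions promulgated before these Rules took effect, these Rules shall be implemented.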

Public Internet Cybersecurity Threat Monitoring and Mitigation Measures


This translation was kindly provided by John Costello

Ministry of Industry and Information Technology Network [2017] No. 202

Provincial, autonomous region, and municipal communications authorities, China Telecom Group Corporation, China Mobile Communications Corporation, China Unicom Group Corporation, China National Computer Emergency Technical Team/Coordination Center of China (CNCERT), China Information Communications Research Institute, National Industrial Information Security Development Research Center, China Internet Association, domain name registration management and service organs, internet companies, and cybersecurity enterprises:

In order to deepen the implementation of the spirit of General Secretary Xi Jinping’s important speeches on cybersecurity, actively respond to the dire and complex cybersecurity situation, move forward a robust public internet cybersecurity threat monitoring and mitigation mechanism, and safeguard the legitimate rights and interests of citizens, legal persons, and other organizations, and in accordance with the “Cybersecurity Law of the People’s Republic of China” and other relevant laws and regulations, the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures” are hereby issued to you; please implement and carry them out realistically and effectively.

Ministry of Industry and Information Technology

Information Security Protection Guidelines for Industrial Control Systems.


Information security in industrial control systems affects economic development, social stability and national security. In order to enhance the information security protection levels of industrial control systems in industrial enterprises (hereafter simply named industrial control security), and ensure the security of industrial control systems, these Guidelines are formulated.

These Guidelines apply to enterprises utilizing industrial control systems, as well as enterprise and undertaking work units engaging in industrial control system planning, design, construction, operations and maintenance, as well as evaluation.

Enterprises utilizing industrial control systems shall conduct industrial control security protection work well, on the basis of the following eleven aspects.

Internet Domain Name Management Rules (Opinion-seeking Revision Draft)


Chapter I: General Principles

Article 1: In order to standardize Internet domain name service activities, protect users’ lawful rights and interests, guarantee the security and reliable operation of the Internet domain name system, promote the development and application of Chinese-language domain names and national top-level domains, and stimulate the healthy development of China’s Internet, on the basis of the “Administrative Licensing Law of the People’s Republic of China” and the “State Council Decision concerning Establishing Administrative Licensing for Administrative Examination and Approval Matters that Need to Be Preserved” and other such provisions, and with reference to international Internet domain name management norms, these Rules are formulated.

Online Publishing Service Management Rules


Chapter I: General Principles

Article 1: In order to standardize the online publishing services order, stimulate the healthy and orderly development of the online publishing services sector, on the basis of the “Publishing Management Regulations”, the “Internet Information Service Management Regulations” and relevant laws and regulations, these Rules are promulgated.

Article 2: These Rules apply to online publishing services provided within the borders of the People’s Republic of China.

Online publishing services as mentioned in these Rules refers to the provision of online publications to the public through information networks.

Guiding Opinions concerning Using Secure and Controllable Information Technology and Strengthening Cybersecurity and Informatization in the Banking Sector


China Banking Regulatory Commission, National Development and Reform Commission, Ministry of Science and Technology, Ministry of Industry and Information Technology

All Banking Regulatory Bureaus, all provincial (autonomous region, municipal and plan-listed city) development and reform commissions, science and technology offices (committees, bureaus), controlling bodies for industry and information technology, all policy banks, all State-owned commercial banks, shareholding-type commercial banks, financial asset management companies, savings banks, all provincial-level rural credit cooperatives, trust companies directly subordinate to banking supervision commissions, enterprise groups’ financial companies, finance and lease companies:

Guiding Opinions concerning Strengthening Cybersecurity Work in the Telecommunications and Internet Sectors


GXBB No. (2014)368

All provincial, autonomous region and municipal telecommunications management bureaus, China Telecom Group Co., China Mobile Telecom Group Co., China United Network Communications Group Co., the National Computer Network Emergency Response Coordination Centre, the Ministry of Industry and Information Technology Academy for Telecommunications Research, the Telecommunications Sector Professional Skills Supervision and Guidance Centre, the China Association of Communication enterprises, the Internet Society of China, all Internet domain name registration management bodies, and relevant work units:

Announcement concerning Launching a Special Campaign to Attack Online Obscenity and Sexual Information


At present, online obscenity and sexual information has not been stopped or eliminated despite repeated bans; this gravely harms the physical and mental health of minors and gravely harms the social atmosphere, all walks of society deeply abhor this, and the popular masses’ calls demanding strict punishment have grown strong. In order to strictly attack the use of the Internet to produce and disseminate obscenity and sexual information, the National “Sweeping Pornography and Striking Illegality” Work Group Office, the State Internet Information Office, the Ministry of Industry and Information Technology and the Ministry of Public Security have decided to launch a “Sweeping Pornography and Striking Illegality – Clean Web 2014” campaign for a united attack on online obscenity and sexual information on a nationwide level. Hereby, the relevant matters are notified as follows:

Notice concerning Strengthening the Management of Mobile Smart Terminals’ Network Access


MIIT DG No. (2013)120

All relevant work units:

In order to safeguard users’ personal information security and lawful rights and interests, guarantee cyber and information security, and stimulate the healthy development of the sector, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Security” and the “Telecommunications Regulations of the People’s Republic of China”, and according to the relevant provisions of the “Telecommunications Equipment Network Access Rules”, hereby, the demands concerning strengthening the management of mobile smart terminals’ network access are clarified as follows:

Explaining the “Telecommunication and Internet User Personal Data Protection Regulations”.


On 16 July 2013, the Ministry of Industry and Information Technology promulgated the “Telecommunication and Internet User Personal Data Protection Regulations” (People’s Republic of China, Ministry of Industry and Information Technology Decree No. 24). A journalist interviewed Ministry of Industry and Information Technology Politico-Legal Department Inspector Li Guobin, asking him to explain the “Regulations”.


Explaining the “Telephone User Real Identity Information Registration Regulations”


On 16 July 2013, the Ministry of Industry and Information Technology promulgated the “Telephone User Real Identity Information Registration Regulations” (People’s Republic of China, Ministry of Industry and Information Technology Decree No. 25). A journalist interviewed Ministry of Industry and Information Technology Politico-Legal Department Inspector Li Guobin, asking him to explain the “Regulations”.

Q: The Ministry of Industry and Information Technology recently promulgated the “Telephone User Real Identity Information Registration Regulations”, could I ask what the significance of publishing the “Regulations” is?

Telephone User Real Identity Information Registration Regulations

This translation tracks the changes between the earlier opinion-seeking draft and this final version. Underlined sections are reformulations or additions, sections that are crossed out are sections from the opinion-seeking draft that have been deleted. 

People’s Republic of China, Ministry of Industry and Information Technology Decree

No. 25

The “Telephone User Real Identity Information Registration Regulations” were deliberated and passed on 28 June 2013, at the 2nd ministerial meeting of the Ministry of Industry and Information Technology of the People’s Republic of China, are hereby promulgated, and will take effect on 1 September 2013.

16 July 2013

Minister: Miao Wei

Article 1: In order to standardize the registration activities of telephone users’ real identity information, guarantee the lawful rights and interests of telephone users and telecommunications business operators, safeguard network information security, and stimulate the healthy development of the telecommunications sector, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection” and the “Telecommunications Regulations of the People’s Republic of China”, these Regulations are formulated.

Telecommunications and Internet Personal User Data Protection Regulations

This translation tracks the changes between the earlier opinion-seeking draft and this final version. Underlined sections are reformulations or additions, sections that are crossed out are sections from the opinion-seeking draft that have been deleted. 

People’s Republic of China, Ministry of Industry and Information Technology Decree

No. 24

The “Telecommunications and Internet Personal User Data Protection Regulations” were deliberated and passed on 28 June 2013, at the 2nd ministerial meeting of the Ministry of Industry and Information Technology of the People’s Republic of China, are hereby promulgated, and will take effect on 1 September 2013.

Minister: Miao Wei

Telecommunications and Internet User Individual Information Protection Regulations (Opinion-seeking Draft)

Chapter I: General principles

Article 1: In order to protect the lawful rights and interests of telecommunications and Internet users, safeguard network information security, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection”, the “Telecommunications Regulations of the People’s Republic of China”, the “Internet Information Service Management Rules” and other laws and administrative regulations, these Regulations are formulated.

Telephone User Real Identity Information Registration Regulations (Opinion-Seeking Draft)

Article 1: In order to standardize the registration activities of telephone users’ real identity information, guarantee the lawful rights and interests of telephone users and telecommunications business operators, safeguard network information security, and stimulate the healthy development of the telecommunications sector, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection” and the “Telecommunications Regulations of the People’s Republic of China”, these Regulations are formulated.

Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems

Includes explanatory notes published by the Ministry of Industry and Information Technology.

Our country’s first national personal information protection standards, the “Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems”, will be implemented from 1 February 2013. The said standard’s clearest characteristic is that, before sensitive personal information is collected and used, the clear authorization of the subject of that personal information must be obtained in advance.

The Ministry of Industry and Information Technology Information Security Coordination Department’s vice-director Ouyang Wu said, at a teaching meeting on national standards for personal information protection, that these standards are put forward and specifically organized by the National Information Security Standardization Technology Committee, and that the China Software Observation Centre took the lead in formulating them jointly with many work units. The said standards are our country’s first national standards concerning personal information protection, and were published in November last year.

Network Publishing Service Management Regulations (Opinion-Seeking Revision Draft)

Chapter I: General Principles

Article 1: In order to standardize network publishing services order, stimulate the healthy and orderly development of publishing service business, on the basis of the State Council’s “Publishing Management Regulations” and “Internet Service Management Rules”, and corresponding laws and regulations, these Regulations are formulated.

Article 2: These regulations apply to engaging in network publishing business within the territory of the People’s Republic of China.