This translation was kindly provided by John Costello
State Internet Information Office
Decree No. 2
“Regulations for Internet Content Management Administration Law Enforcement Procedures” approved in a meeting of the State Internet Information Office is hereby announced, to be implemented from June 1, 2017 onward.
Director Xu Lin
May 2, 2017
Regulations for Internet Content Management Administration Law Enforcement Procedures
Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions)
This translation was kindly provided by Paul Triolo
To safeguard personal information and important data security, to safeguard cyberspace sovereignty and national security, and social and public interests, and promote the orderly free flow of network information according to the law, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations, our office has worked with relevant departments and drafted the “Personal Information and Important Data Outbound Security Assessment Measures (draft)”, which is now open to the public for comments.
Relevant units and people of all walks of life may submit their views by May 11, 2017, in the following manner:
First, by letter sent to: Beijing Dongcheng District Chaoyang Gate Street 225, the State Internet Information Office Cybersecurity Coordination Bureau, Zip code: 100010, with the envelope marked “comments”.
Second, by e-mail to: firstname.lastname@example.org.
State Internet Information Office
April 11, 2017
Personal Information and Important Data Outbound Security Assessment Measures (draft)
Article 1 These Measures have been drafted in order to protect the security of personal information and important data, safeguard cyberspace sovereignty and national security, and social and public interests, while protecting the legitimate interests of citizens, legal persons and other organizations, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations.
Article 2 The personal information and important data collected and generated by network operators within the People’s Republic of China during operations shall be stored within the [national] territory. If the business requirements make it necessary to provide data outside of China, a security assessment shall be carried out in accordance with these Measures.
Article 3 The security assessment for outbound data shall follow the principle of impartiality, objectivity and validity, protect the security of personal information and important data, and promote the orderly and free flow of network information according to law.
Article 4 Where personal information leaves China’s borders, the purpose, scope, content, recipient and destination country of the data shall be explained to the subject of the personal information and agreed upon. Minors’ personal information is subject to the consent of their guardian.
Article 5 State cybersecurity and informatization departments shall coordinate the outbound data security assessment work and guide the industry regulatory or supervisory departments in organizing the outbound data security assessment.
Article 6 Industry regulatory or supervisory departments shall be responsible for the security assessment of the industry outbound data and shall regularly organize the inspection of the specific industry outbound data.
Article 7 Network operators shall, before data leaves China’s borders, on their own initiative organize the conduct of a security assessment for outbound data and be responsible for the evaluation results.
Article 8 The outbound data security assessment shall focus on the following:
(A) the necessity of outbound data;
(B) the conditions touching on personal information, including the amount, scope, type, and sensitivity, and whether or not the subject of the personal information agrees that his/her personal information can leave China’s borders;
(C) the conditions touching on important data, including the amount, scope, type and sensitivity level of important data;
(D) the security protection measures and capability level of the data receiving party, and the cybersecurity environment in the country and region;
(E) risks such as disclosure, damage, tampering and abuse after the data leaves China’s borders and after re-transfer;
(F) the risks that may be brought to national security, social and public interests, and personal legitimate interests arising from the data leaving China’s borders and outbound data collection;
(G) other important matters that need to be assessed.
Article 9 If outbound data is stored in one of the following circumstances, network operators should report to the industry regulators or supervisory authorities and organize a security assessment:
(A) the [data set] contains or has accumulated personal information of more than 500,000 people;
(B) the amount of data is over 1000 GB;
(C) the data includes sector data on nuclear facilities, chemical and biological facilities, the national defense industry, or population health, large-scale engineering activities, the marine environment, and sensitive geographic information data;
(D) the data includes cybersecurity information including system vulnerabilities and security protection for critical information infrastructure;
(E) personal information and important data provided by critical information infrastructure operators to [parties] outside China;
(F) other data that could affect national security and social and public interests that industry regulators or supervisory departments consider should be assessed.
For areas where there is no clear industry regulator or supervisory department, an assessment shall be organized by national cybersecurity and informatization departments.
Article 10 The security assessment organized by industry regulatory or supervisory departments shall be completed within 60 working days, and feedback on the security assessment shall be provided to the network operator in a timely manner and reported to the national cybersecurity and informatization departments.
Article 11 In any of the following circumstances, data shall not be allowed to leave the country:
(A) personal information leaving China’s borders without the consent of the subject of the personal information, or that may be against the interests of the individual;
(B) there is a risk that the data leaving China’s borders could impact national politics, the economy, S&T, and national defense, and could affect national security and harm social and public interests;
(C) other data that national cybersecurity and informatization departments, public security departments, state security departments, and other relevant departments deem cannot leave China.
Article 12 Network operators should, according to business development and the network operation situation, conduct a security assessment of outbound data at least once a year, and in a timely manner assess the situation and report to industry regulatory and supervisory departments.
When the data receiver changes, or there is a relatively large change in the destination, scope, quantity, type of data, etc., or a major security incident occurs with the data receiver or outbound data, a new security assessment should be conducted.
Article 13 Any individual or organization shall have the right to report to the relevant cybersecurity and informatization departments, public security department, and other relevant departments any violations of relevant laws and regulations and these Measures in terms of providing data outside of China’s borders.
Article 14 Whoever violates the provisions of these Measures shall be punished in accordance with the relevant laws and regulations.
Article 15 Agreements between the Chinese government and other countries and regions on outbound data shall be carried out in accordance with the provisions of the agreement.
Data involving state secret information shall be handled in accordance with the relevant provisions.
Article 16 Security assessment work for the personal information and important data sent outside China’s borders that was collected and produced by other individuals and organizations within the territory of the People’s Republic of China shall be carried out in accordance with the present Measures.
Article 17 The definitions for the following terms used in the present Measures:
A network operator is the owner of a network, a manager, and a network service provider.
Outbound data refers to personal and important information collected and generated by network operators during operations within the territory of the People’s Republic of China, and provided to overseas institutions, organizations, or individuals.
Personal information refers to various types of information recorded by electronic or other means capable of identifying a person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, identity document number, personal biometric information, telephone number and so on.
Important data refers to data that is closely related to national security, economic development, and social and public interests, with specific reference to national relevant standards and important data identification guidelines.
Article 18 These Measures shall come into force on the day X of 2017.
Office of the Central Cybersecurity and Informatization Leading Small Group
(Cyberspace Administration of China)
Cybersecurity Coordination Bureau
This is the official translation of this text, as published by Xinhua
Chapter I. Opportunities and Challenges
Chapter II. Basic Principles
1. The Principle of Peace
2. The Principle of Sovereignty
3. The Principle of Shared Governance
4. The Principle of Shared Benefits
Chapter III. Strategic Goals
1. Safeguarding Sovereignty and Security
2. Developing A System of International Rules
3. Promoting Fair Internet Governance
4. Protecting Legitimate Rights and Interests of Citizens
5. Promoting Cooperation on Digital Economy
6. Building Platform for Cyber Culture Exchange
Chapter IV. Plan of Action
1. Peace and Stability in Cyberspace
2. Rule-based Order in Cyberspace
3. Partnership in Cyberspace
4. Reform of Global Internet Governance System
5. International Cooperation on Cyber Terrorism and Cyber Crimes
6. Protection of Citizens’ Rights and Interests Including Privacy
7. Digital Economy and Sharing of Digital Dividends
8. Global Information Infrastructure Development and Protection
9. Exchange of Cyber Cultures
Cyberspace is the common space of activities for mankind. The future of cyberspace should be in the hands of all countries. Countries should step up communications, broaden consensus and deepen cooperation to jointly build a community of shared future in cyberspace.
—Remarks by H.E. Xi Jinping, President of the People’s Republic of China, 2015/12/16
This translation was kindly provided by Paul Triolo
The Central Cybersecurity and Informatization Leading Group Office, the Central Internet Security and Informatization Leading Group (CCILSG) Office
The People’s Republic of China State Internet Information Office, The State Internet Information Office
Notice on the Public Consultation on the Measures for the Security Review of Internet Products and Services (Opinion-seeking draft)
In order to improve the security and controllability of network products and services, prevent supply chain security risks, and safeguard national security and the public interest, the CCILSG Office has drafted the “Measures for the Security Review of Network Products and Services (draft for soliciting opinions)”, which is now open to the public for comments. Relevant units and people of all walks of life can make comments according to the following procedure, before March 4, 2017.
First, send comments by letter to: Beijing Dongcheng District, Chaoyang Gate Street 225 State Internet Information Office Cybersecurity Coordination Bureau, Zip Code: 100010, and mark on the envelope “solicited comments.”
Second, by e-mail send to: email@example.com.
Annex: Measures for Network Products and Services Security Review (draft)
State Internet Information Office
February 4, 2017
Measures for Network Products and Services Security Review
Article 1: The security and controllability of network products and services directly affect the interests of users and the national security. These Measures are formulated in accordance with the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China to improve the security and controllability of network products and services, guard against supply chain safety risks, and safeguard national security and the public interest.
Article 2: Important network products and services that are used by the national security and public interest information systems shall undergo a cybersecurity review.
Article 3: A cybersecurity review of network products and services and their providers shall be carried out, insisting on the combination of enterprise commitment and social supervision, combining third-party evaluation and government supervision, combining laboratory testing, on-site inspection, on-line monitoring, and background investigations.
Article 4: The review shall focus on the security and controllability of network products and services, including:
(1) the risks of illegal control, interference and interruption of the operation of products and services;
(2) risks in the R&D, delivery, and technical support of products and key components;
(3) risks related to product and services providers utilizing the convenience of providing products and services to engage in illegal collection, storage, handling and utilization of user-related information;
(4) products and service providers taking advantage of users’ reliance on products and services, and carrying out unfair competition or harm to the interests of users;
(5) other risks that may endanger national security and the public interest.
Article 5 The State Internet Information Office, in conjunction with relevant departments, shall set up a Cybersecurity Review Committee to review important policies of the cybersecurity review, organize cybersecurity review work, and coordinate the relevant important issues related to the cybersecurity review.
The Cybersecurity Review Office shall concretely organize and implement the cybersecurity review.
Article 6: The Cybersecurity Review Committee shall appoint relevant experts to form a Cybersecurity Review Experts Committee to conduct a comprehensive evaluation on the security risks of network products and services and the security and trustworthiness of suppliers on the basis of the third-party evaluation.
State Council General Office
GBF No. (2016)98
All provincial, autonomous region and municipal people’s governments, all State Council ministries and commissions, all directly subordinate bodies:
In order to carry forward the traditional virtue of sincerity, strengthen the sincerity consciousness of members of society, strengthen the construction of a personal sincerity system, praise sincerity and punish trust-breaking, raise the credit levels of the entire society and create a beneficial credit environment, with the approval of the State Council, these Opinions are hereby put forward.
This translation was published first on China Law Translate, and is reposted here with kind permission.
Article 1: These Provisions are formulated on the basis of the “Standing Committee of the National People’s Congress’s Decision on Strengthening Protections for Online Information”, the “State Council’s Notification of Authorization of the State Internet Information Office to be Responsible for Efforts to Manage Internet Information Content”, “Measures for the Management of Internet Information Services”, and the “Provisions on the Management of Internet News Information Services” so as to strengthen management of internet live-streaming services, to protect the lawful rights and interests of citizens, legal persons, and other organizations, and to safeguard national security and the public interest.
Today, it was reported that China’s draft cybersecurity law has been presented to the National People’s Congress for a third reading. It is widely expected that this reading will accept the law, which will thus be promulgated soon. The following is a translation of a Xinhua report, which outlines the changes that have been made.
The third deliberation draft of the Cybersecurity Law was submitted to the NPC Standing Committee for deliberation on the 31st. The NPC Legal Committee indicated in its report concerning the draft’s deliberation results, that the third draft made a partial revision on the basis of the second draft, including a further planned definition of the scope of crucial information infrastructure; it also provides corresponding punishment measures against foreign organizations and individuals attacking or destroying our country’s crucial information infrastructure.
Planned further definition of the scope of critical information infrastructure.
Information security in industrial control systems affects economic development, social stability and national security. In order to enhance the information security protection levels of industrial control systems in industrial enterprises (hereafter simply named industrial control security), and ensure the security of industrial control systems, these Guidelines are formulated.
These Guidelines apply to enterprises utilizing industrial control systems, as well as enterprise and undertaking work units engaging in industrial control system planning, design, construction, operations and maintenance, as well as evaluation.
Enterprises utilizing industrial control systems shall conduct industrial control security protection work well, on the basis of the following eleven aspects.
Opinions concerning Accelerating the Construction of Credit Supervision, Warning and Punishment Mechanisms for Persons Subject to Enforcement for Trust-Breaking
CCP Central Committee General Office, State Council General Office
Information concerning people who are subject to enforcement for trust-breaking through a judicial procedure by a People’s Court is an important component of social credit information. Conducting credit supervision, warning and punishment of people subject to enforcement for trust-breaking, benefits stimulating persons subject to enforcement to consciously implement their duties established in valid legal documents, raises judicial credibility, and moves forward the construction of the social credit system. In order to accelerate the construction of credit supervision, warning and punishment mechanisms for people subject to enforcement for trust-breaking, the following Opinions are hereby formulated.
Drive Modernization With Informatization: Help Realize the Chinese Dream of the Great Rejuvenation of the Chinese Nation
This article was published in People’s Daily and reposted on the website of the Cyberspace Administration of China. It was kindly translated by Lincoln Davidson, who researches Chinese cyber policy.
By Zhuang Rongwen
July 28, 2016
Since the Party’s 18th Party Congress, under Comrade Xi Jinping as General Secretary, Party Central has placed a high level of importance on cybersecurity and informatization work, establishing the Central Leading Group for Cyberspace Affairs, pronouncing the major conclusion that “without cybersecurity there can be no national security,” and drawing up the grand blueprint for constructing a cyber superpower. As the guiding document of the next ten years of our nation’s informatization development, the National Informatization Development Strategic Outline (hereafter, “the Strategic Outline”) concentrates and embodies Party Central’s new thinking, new conclusions, and new deployments since the 18th Party Congress, sounding the clarion call of the times for walking the road of informatization development with Chinese characteristics and constructing a cyber superpower, launching the new journey of China’s informatization development.
Central Committee General Office
State Council General Office
27 July 2016
In the present world, information technology innovation changes every day, and a tide of informatization, characterized by digitization, networking and smartification has vigorously arisen. Without informatization, there is no modernization. Adapting to and leading a new normal in economic development, and strengthening new development drivers, require informatization to penetrate into the entire process of our country’s modernization, and the acceleration and liberation of the huge potential of informatization development. Driving modernization with informatization and building a strong network power are major measures in the “Four Comprehensive” strategic positioning, and are necessary choices to realize the “Two Centenaries” struggle objective and the Chinese Dream of the great rejuvenation of the Chinese nation.
This Strategy Outline is an adjustment and development of the “National Informatization Development Strategy 2006-2020” on the basis of new circumstances; it is a programmatic document to standardize and guide national informatization development in the next ten years, it is an important component part of the national strategy system, and is an important basis for the formulation of plans and policies in the area of informatization.
Seeking Truth 2016/12
– In the present era, data has become a national basic strategic resource, and big data is gaining an ever more important influence on the operational mechanisms of the global economy, society’s way of life and national governing capability. The Party Centre and the State Council are giving the development of big data and innovation of application in high regard, and the 5th Plenum of the 19th Party Congress clearly put forward the implementation of the national big data strategy.
– The scientific and technological revolution is moving forward rapidly, which is especially due to the advent of big data era, which urgently requires governmental governing to transform from closed management to open governance, from unidirectional management to coordinated governance, from passive influence to active service, from qualitative management to quantitative management, from extensive management to detailed management, from operational management to conventional management, and so to realize a transformation of social governance thinking, improvement in social governance methods, progress of governmental policymaking technology, the upgrading of risk control capacity, the recreation of public management workflows, and the enhancement of social coordination in governance.
– We are entering the Internet era and the big data era, public goods and public services must progressively transform from being “supply-oriented” to being “demand oriented”, from focusing on “service coverage” to focusing on “service experience”, and from focusing on “passive provision” to “active provision”.
– The first step to enhance the government’s governing capacity with big data is to transform the traditional concentration of work in offices, and the paper transmission of public documents between different departments into paperless, networked and virtualized new methods, ensure the informatization of public affairs workflows, and use the Internet to realize the online operation of governmental affairs.
– What we must guard against is that, if there is no openness and sharing of cross-regional, high-quantity, specialized data, using big data to upgrade the government’s governing capability is an empty phrase; but if we completely fail to differentiate which data should be opened up or not, it may bring great privacy and secrecy leaks, and the disaster of great economic fluctuations.
This is the National People’s Congress’ official explanation of the changes made in the Second Reading Draft of the Cybersecurity Law.
I, Some Standing Committee Members suggested that the content of Article 11 of the Draft, concerning the national cybersecurity strategy, be moved to the General Principles, to clarify its important position. Some Standing Committee Members, localities and departments pointed out that, in order to better maintain sovereignty in cyberspace, and to vigorously and actively respond to cyber attacks and destruction at home and abroad, State measures to maintain cybersecurity should be further strengthened, in the corresponding articles, content concerning resisting domestic and foreign cybersecurity threats, protection of the security of critical information infrastructure, punishment of online law-breaking and crime, maintaining order in cyberspace, etc., has been added. The Legal Committee praised the abovementioned opinion, and suggested the following revision be made to the draft: first, the content of Article 11 be moved to the General Principles, and be revised as: the State formulates and incessantly perfects a cybersecurity strategy, which clarifies the basic requirements and main objectives of ensuring cybersecurity, puts forward cybersecurity policies, work tasks and measures for focus areas (Second Reading Draft Article 4); second, a provision is added: the State adopts measures to monitor, defend against, and deal with cybersecurity risks and threats originating from inside and outside of the territory of the People’s Republic of China, to protect critical information infrastructure from attack, intrusion, interference and destruction, to punish unlawful and criminal cyber activities according to the law, and maintain security and order in cyberspace (Second Reading Draft Article 5).
Article 1: In order to strengthen management of mobile Internet application (apps) information services, protect the lawful rights of citizens, legal persons and other organizations, safeguard national security and the public interest, on the basis of the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection” and the “State Council Notice concerning Authorizing the Cyberspace Administration of China to Take Responsibility of Internet Information Content Management”, these Regulations are formulated.