Security Assessment and Management Regulations concerning New Technologies and New Applications in Internet News Information Services

Posted on Updated on

Article 1: In order to standardize security assessment and management work concerning new technologies and new applications in Internet news information services, safeguard national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China”, and the “Internet News Information Service Management Regulations”, these Regulations are formulated.

Article 2: These Regulations apply to national, provincial, autonomous region and municipal Internet information offices’ organization and execution of security assessments of new technologies and new applications concerning Internet news information services. Read the rest of this entry »

What did Xi Jinping say about cyberspace?

Posted on

Yesterday, Xi Jinping presented his political report to the 19th Party Congress – a 32000 word behemoth comprehensively covering all areas of economic, political and social life. The report announces a new era in China’s historical progress. In CCP theory, history is divided in stages, which are characterised by various contradictions that are subordinate manifestations of one fundamental contradiction. Once that contradiction is solved, history moves to the next phase. Xi now announced that the primary contradiction is no longer the one defined by Deng Xiaoping: the tension between China’s material poverty and the needs of its population. Instead, Xi claims the major problem that must now be solved is China’s imbalanced development. In other words, GDP growth at all costs is out, in favour of a more comprehensive approach to social and economic governance. Technology will obviously play a central role in this regard, as a governance tool and a potential economic growth pole, but also as a source of potential risk and disruption. The journal China Information Security very usefully listed the excerpts referring to cybersecurity and informatization, which are translated here:

I, The work from the past five years and historical changes

Public culture service levels have incessantly risen, literature and art creation continues to flourish, cultural undertakings and cultural industries thrive and develop, Internet construction, management and use has incessantly been perfected, and the entire people’s fitness and competitive sports levels have developed comprehensively.

III, The thought and basic orientation of Socialism with Chinese Characteristics for a New Era and

(4) Persisting in new development ideas. […] Push forward the synchronized development of new kinds of industrialization, informatization, urbanization and agricultural modernization, actively participate in and promote the progress of economic globalization, and develop and ever higher-level, open economy, incessantly expand our country’s economic strength and comprehensive national strength.

(10) Persist in the overall view of national security. […] Comprehensively manage external security and internal security, territorial security and citizens’ security, traditional security and non-traditional security, our own security and common security, perfect national security structures and systems, strengthen the construction of national security capabilities, and determinedly defend the country’s sovereignty, security and development interests.

V, Implement new development ideas, build modernized economic systems

(1) Deepen supply-side structural reform. […] Accelerate the development of advanced manufacturing sectors, promote the profound convergence of the Internet, big data, artificial intelligence and the real economy, foster new growth points and create new drivers in areas such as mid- and high-end consumption, innovative leadership, greenness and low-carbon, the sharing economy, modern supply chains, human capital services and other such areas. […] Strengthen the construction of basic infrastructure networks for irrigation, railways, roads, waterways, aviation, pipelines, the electricity grid, information, logistics, etc.

(2) Accelerate the construction of an innovative country. […] Strengthen the use of basic research, expand the implementation of national major science and technology programmes, give prominence to critical and common technologies, advanced forerunner technologies, modern engineering technologies, disruptive technology innovation, in order to provide powerful support for the construction of a strong science and technology country, a strong quality country, a strong aviation country, a strong cyber country, a strong transportation country, a strong digital country and a smart society.

VII, Persist in cultural self-confidence, promote the flourishing and ascendance of Socialist culture

(1) Firmly grasp leadership power in ideological work. […] Deepen Marxist theory research and construction, accelerate the construction of philosophy and social science with Chinese characteristics, and strengthen the construction of new types of think tanks with Chinese characteristics. Give high regard to construction and innovation in means of dissemination, and raise the communication power, guiding power, influence and credibility of news and public opinion. Strengthen the construction of Internet content, establish comprehensive network governance systems, and create a clear and crisp cyber space.

VIII, Raising, guaranteeing and improving people’s living standards, strengthening and innovating social governance

(1) Giving priority to development of education. […] Promote the integrated development of urban and rural compulsory education, give high regard to rural compulsory education, run preschool education, special education and online education well, universalize education at the higher secondary stage, and strive to let every child enjoy fair and high-quality education.

(7) Effectively safeguard national security. National security is an important cornerstone to bring peace and stability to the nation, safeguarding national security is the locus of the fundamental interest of the people of all ethnicities in the entire country. We must perfect the national security strategy and national security policies, firmly safeguard national political security, and comprehensively advance security work in all areas. Complete national security systems, strengthen legal guarantees for national security, and raise capabilities to guard against and resist security risks. Closely guard against and resolutely attack all kinds of infiltration, subversive and destructive activities, violent and terrorist activities, ethnic separatist activities, and religious extremist activities. Strengthen national security education, strengthen the national security consciousness of the entire Party and the people in the entire country, and promote all of society to create and safeguard powerful polled efforts for national security.

X, Firmly march the path of a strong military with Chinese characteristics, comprehensively move national defence and military modernization forward

Adapt to new global military changes and development trends and national security demands, raise construction quality and efficiency, ensure that mechanization is basically realized by 2020, that informatization concentration sees major progress, and strategic capabilities increase greatly.

The military must prepare to wage war, all work must target the norm of combat effectiveness, the focus must be on waging war and waging war victoriously. Firmly prepare for military struggles in all strategic orientations, comprehensively advance military struggle preparation in traditional security areas and new strategic areas, develop new kinds of battle forces and protection forces, launch combat-type military training, strengthen the use of military forces, accelerate the development of military smartification, raise joint warfare capabilities and all-area warfare capabilities based on online information systems, effectively mould situations, manage and control crises, contain war, and fight war victoriously.

XII, Persist in the path of peaceful development, promote the construction of a community of common destiny for humanity.

At the same time, the world faces prominent instabilities and indeterminacies, global economic growth drivers are insufficient, the difference between rich and poor grows graver daily, regional hotspots and problems rise one after another, terrorism, cybersecurity, major epidemics, climate change and other such non-traditional security threats continue to proliferate, humanity faces many common challenges.

XIII, Unwaveringly, comprehensively and strictly govern the Party, incessantly raise the Party’s governing ability and leadership levels.

Strengthen reform and innovation skills, maintain a tenacious and enterprising spiritual bearing, be good at integrating real creativeness in moving work forward, and be good at using Internet technologies and informatized means to carry out work.

Internet User Public Account Information Service Management Regulations

Posted on Updated on

Article 1: These Regulations are formulated in order to standardize Internet user public account information services, safeguard national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China” and the “State Council Notice concerning Authorizing the Cyberspace Administration of China to Be Responsible for Internet Information Content Management Work”.

Article 2: These Regulations shall be observed when providing or using Internet user public accounts to engage in information dissemination services within the territory of the People’s Republic of China. 

Internet user public account information service providers as mentioned in these Regulations, refers to online platforms providing Internet user public account registration and use services. Internet user public account information service users as mentioned in these Regulations, refers to bodies or individuals using or operating Internet user public accounts to provide information dissemination services. 

Article 3: the Cyberspace Administration of China is responsible for Internet user public account information service supervision, management and law enforcement work nationwide, local Internet information offices are responsible for Internet user public account information service supervision, management and law enforcement work within their administrative areas, on the basis of their duties and responsibilities.

Article 4: Internet user public account information service providers and users shall uphold the correct orientation, carry forward the Socialist core value view, foster vigorous and healthy online culture, and maintain a benign online ecology.

All levels’ Party and government departments, enterprise and undertaking work units and people’s organizations are encouraged to register and use Internet user public accounts to disseminate government affairs information or public service information, serving economic and social development and satisfying the public’s information demand. 

Internet user public account information service providers shall cooperate with Party and government bodies, enterprise and undertaking work units and people’s organizations to enhance government information dissemination and public service levels, provide the necessary technical support and information security protection.

Article 5: Internet user public account information service providers shall bear dominant responsibility for information content security management, allocate specialist personnel and technical capabilities suited to the business scale, install general editors and other such positions responsible for information content security, establish and complete management structures for user registration, information examination and verification, emergency response, security protection, etc.

Internet user public account information service providers shall formulate and publish management norms and platform conventions, and conclude service agreements with users, clarifying both sides’ rights and interests.

Article 6: Internet user public account information service providers shall, according to the principle of “real name back stage, voluntary at the front of the stage”, conduct authentication of the real identity information of users, based on organization and body codes, identity card numbers, mobile telephone numbers, etc. Where users do not provide real identity information, no information dissemination services may be provided to them. 

Internet user public account information service providers shall establish a tiered credit management system for Internet user public account information service users, and provide corresponding services on the basis of credit tiers.

Article 7: Internet user public account information service providers shall check users’ account information, service qualifications, service scope and other such information, categorize them and add symbols, and file them with the local provincial, autonomous region or municipal Internet information office in a categorized manner. 

Internet user public account information service providers shall establish databases on the basis of users public account’s registration subjects, disseminated content, account subscription numbers, article reading numbers, etc., implement tiered and categorized management of Internet user public accounts, formulate concrete management rules and file them with the national or provincial, autonomous region and municipal Internet information offices. 

Internet user public account information service providers shall set a reasonable upper limit to the number of registered public account by the same subject on the same platform; where the same subject registers multiple accounts on the same platform, or a user operates multiple accounts in the form of a group, company or alliance, they shall be required to provide basic information on registration subjects, business scope, account list, etc., this will be filed with the local provincial, autonomous region or municipal Internet information office.

Article 8: Internet news information service providers who have lawfully obtained Internet news information gathering and dissemination qualifications, they may gather and disseminate news information through establishing a user public account. 

Article 9: Internet user public account information service providers shall adopt the necessary measures to protect users’ personal information security, they may not leak, distort or damage it, and may not illegally sell or illegally provide it to other persons.

Internet user public account information service provides shall, after a user terminates service use, provide them with account cancellation services.

Article 10: Internet user public account information service users shall bear responsibility for the secure management of information dissemination and operations, observe laws, regulations and relevant State provisions on news information management, intellectual property protection, cybersecurity protection, etc., and safeguard the online communication order.

Article 11: Internet user public account information service users may not disseminate information content prohibited by laws, regulations and relevant State provisions through public accounts.

Internet user public account information service providers shall strengthen supervision and management of public accounts on their platforms, where they discover the dissemination or transmission of unlawful information, they shall immediately adopt deletion and other such measures to deal with it, prevent transmission and diffusion, preserve relevant records, and report the matter to the relevant competent authorities.

Article 12: Internet user public account information service providers launching online public account messages, posts, comments and other such interactive functions, shall conduct security assessments according to relevant regulations.

Internet user public account information service providers shall, according to the principle of tiered and categorized management, conduct supervision and management of user public account messages, posts, comments, etc., set up by users, provide management powers to users, and provide them with support to conduct management of interactive segments. 

Internet user public account information service users shall conduct real-time management of user public account messages, posts, comments and other such interactive segments. Where management is weak, and information content prohibited by laws, regulations and relevant State provisions emerges, Internet user public account information service providers shall, on the basis of the user agreement, limit or cancel messaging, posting, commenting and other such interactive functions.

Article 13: Interactive user account information service providers shall, according to the law, adopt measures to deal with Internet user public accounts violating laws and regulations, service agreements and platform conventions, such as warning, correction, limiting functions, suspending renewal, account closure, etc., preserve relevant records and report the situation to the relevant competent department.

Internet user public account information service providers shall establish blacklist management systems, to blacklist public accounts and registration subjects gravely violating laws and conventions, adopt measures such as account closure, prohibition of re-registration, etc. in view of circumstances, preserve relevant records, and report the matter to the relevant competent department. 

Article 14: Internet sectoral organizations are encouraged to guide and promote Internet user public account information service providers and users to formulate sectoral conventions, strengthen sectoral self-discipline, and bear social responsibility.

Internet sectoral enterprises are encouraged to establish authoritative specialized mediation mechanisms with participation from multiple parties, to coordinate the resolution of sectoral disputes.

Article 15: Internet user public account information service providers and users shall accept supervision from the social public and sectoral organizations. 

Internet user public account information service providers shall set up convenient reporting interfaces, complete complaints and  reporting channels, perfect mechanisms to screen malicious reports, for report acceptance, feedback, etc. timely and fairly  deal with complaints and reports. National and local Internet information offices will, on the basis of their duties and responsibilities, conduct supervision and inspection of the report reception and implementation situation.

Article 16: Internet user public account information service providers and users shall cooperate with relevant competent departments conducting supervision and inspection according to the law, and provide the necessary technical support and assistance.

Internet user public account information service providers shall record Internet user public account information service users’ disseminated content and daily records, and preserve this for no less than six months according to regulations.

Article 17: Internet user public account information service providers and users violating these Regulations, will be punished by the relevant department according to relevant laws and regulations.

Article 18: These Regulations will take effect on 8 October 2017.

互联网用户公众账号信息服务管理规定
第一条 为规范互联网用户公众账号信息服务,维护国家安全和公共利益,保护公民、法人和其他组织的合法权益,根据《中华人民共和国网络安全法》《国务院关于授权国家互联网信息办公室负责互联网信息内容管理工作的通知》,制定本规定。
  第二条 在中华人民共和国境内提供、使用互联网用户公众账号从事信息发布服务,应当遵守本规定。
  本规定所称互联网用户公众账号信息服务,是指通过互联网站、应用程序等网络平台以注册用户公众账号形式,向社会公众发布文字、图片、音视频等信息的服务。
  本规定所称互联网用户公众账号信息服务提供者,是指提供互联网用户公众账号注册使用服务的网络平台。本规定所称互联网用户公众账号信息服务使用者,是指注册使用或运营互联网用户公众账号提供信息发布服务的机构或个人。
  第三条 国家互联网信息办公室负责全国互联网用户公众账号信息服务的监督管理执法工作,地方互联网信息办公室依据职责负责本行政区域内的互联网用户公众账号信息服务的监督管理执法工作。
  第四条 互联网用户公众账号信息服务提供者和使用者,应当坚持正确导向,弘扬社会主义核心价值观,培育积极健康的网络文化,维护良好网络生态。
  鼓励各级党政机关、企事业单位和人民团体注册使用互联网用户公众账号发布政务信息或公共服务信息,服务经济社会发展,满足公众信息需求。
  互联网用户公众账号信息服务提供者应当配合党政机关、企事业单位和人民团体提升政务信息发布和公共服务水平,提供必要的技术支撑和信息安全保障。
  第五条 互联网用户公众账号信息服务提供者应当落实信息内容安全管理主体责任,配备与服务规模相适应的专业人员和技术能力,设立总编辑等信息内容安全负责人岗位,建立健全用户注册、信息审核、应急处置、安全防护等管理制度。
  互联网用户公众账号信息服务提供者应当制定和公开管理规则和平台公约,与使用者签订服务协议,明确双方权利义务。
  第六条 互联网用户公众账号信息服务提供者应当按照“后台实名、前台自愿”的原则,对使用者进行基于组织机构代码、身份证件号码、移动电话号码等真实身份信息认证。使用者不提供真实身份信息的,不得为其提供信息发布服务。
  互联网用户公众账号信息服务提供者应当建立互联网用户公众账号信息服务使用者信用等级管理体系,根据信用等级提供相应服务。
  第七条 互联网用户公众账号信息服务提供者应当对使用者的账号信息、服务资质、服务范围等信息进行审核,分类加注标识,并向所在地省、自治区、直辖市互联网信息办公室分类备案。
  互联网用户公众账号信息服务提供者应当根据用户公众账号的注册主体、发布内容、账号订阅数、文章阅读量等建立数据库,对互联网用户公众账号实行分级分类管理,制定具体管理制度并向国家或省、自治区、直辖市互联网信息办公室备案。
  互联网用户公众账号信息服务提供者应当对同一主体在同一平台注册公众账号的数量合理设定上限;对同一主体在同一平台注册多个账号,或以集团、公司、联盟等形式运营多个账号的使用者,应要求其提供注册主体、业务范围、账号清单等基本信息,并向所在地省、自治区、直辖市互联网信息办公室备案。
  第八条 依法取得互联网新闻信息采编发布资质的互联网新闻信息服务提供者,可以通过开设的用户公众账号采编发布新闻信息。
  第九条 互联网用户公众账号信息服务提供者应当采取必要措施保护使用者个人信息安全,不得泄露、篡改、毁损,不得非法出售或者非法向他人提供。
  互联网用户公众账号信息服务提供者在使用者终止使用服务后,应当为其提供注销账号的服务。
  第十条 互联网用户公众账号信息服务使用者应当履行信息发布和运营安全管理责任,遵守新闻信息管理、知识产权保护、网络安全保护等法律法规和国家有关规定,维护网络传播秩序。
  第十一条 互联网用户公众账号信息服务使用者不得通过公众账号发布法律法规和国家有关规定禁止的信息内容。
  互联网用户公众账号信息服务提供者应加强对本平台公众账号的监测管理,发现有发布、传播违法信息的,应当立即采取消除等处置措施,防止传播扩散,保存有关记录,并向有关主管部门报告。
  第十二条 互联网用户公众账号信息服务提供者开发上线公众账号留言、跟帖、评论等互动功能,应当按有关规定进行安全评估。
  互联网用户公众账号信息服务提供者应当按照分级分类管理原则,对使用者开设的用户公众账号的留言、跟帖、评论等进行监督管理,并向使用者提供管理权限,为其对互动环节实施管理提供支持。
  互联网用户公众账号信息服务使用者应当对用户公众账号留言、跟帖、评论等互动环节进行实时管理。对管理不力、出现法律法规和国家有关规定禁止的信息内容的,互联网用户公众账号信息服务提供者应当依据用户协议限制或取消其留言、跟帖、评论等互动功能。
  第十三条 互联网用户公众账号信息服务提供者应当对违反法律法规、服务协议和平台公约的互联网用户公众账号,依法依约采取警示整改、限制功能、暂停更新、关闭账号等处置措施,保存有关记录,并向有关主管部门报告。
  互联网用户公众账号信息服务提供者应当建立黑名单管理制度,对违法违约情节严重的公众账号及注册主体纳入黑名单,视情采取关闭账号、禁止重新注册等措施,保存有关记录,并向有关主管部门报告。
  第十四条 鼓励互联网行业组织指导推动互联网用户公众账号信息服务提供者、使用者制定行业公约,加强行业自律,履行社会责任。
  鼓励互联网行业组织建立多方参与的权威专业调解机制,协调解决行业纠纷。
  第十五条 互联网用户公众账号信息服务提供者和使用者应当接受社会公众、行业组织监督。
  互联网用户公众账号信息服务提供者应当设置便捷举报入口,健全投诉举报渠道,完善恶意举报甄别、举报受理反馈等机制,及时公正处理投诉举报。国家和地方互联网信息办公室依据职责,对举报受理落实情况进行监督检查。
  第十六条 互联网用户公众账号信息服务提供者和使用者应当配合有关主管部门依法进行的监督检查,并提供必要的技术支持和协助。
  互联网用户公众账号信息服务提供者应当记录互联网用户公众账号信息服务使用者发布内容和日志信息,并按规定留存不少于六个月。
  第十七条 互联网用户公众账号信息服务提供者和使用者违反本规定的,由有关部门依照相关法律法规处理。
  第十八条 本规定自2017年10月8日起施行。

Provisions on the Management of Internet Forum Community Services

Posted on Updated on

This translation was completed by ChinaLawTranslate, and is republished here with kind permission

Article 1: These Provisions are formulated on the basis of the “Cybersecurity Law of the P.R.C.”and the“State Council’s Notification of Authorization of the State Internet Information Office to be Responsible for Efforts to promote the healthy and orderly development of the internet forum community industry, so as to standardize Internet forum community services, stimulate the healthy and orderly development of Internet forum community services, protect the lawful rights and interests of citizens, legal persons, and other organizations, safeguard national security and the public interest. Read the rest of this entry »

Internet Domain Name Management Rules

Posted on Updated on

Ministry of Industry and Information Technology Decree

No .43

The “Internet Domain Name Management Rules” were deliberated and passed at the 32nd Ministerial meeting of the Ministry of Industry and Information Technology on 16 August 2017, are hereby promulgated, and take effect on 1 November 2017. The “Internet Domain Name Management Rules” (then-Ministry of Information Industry Decree No. 30) promulgated by the then-Ministry of Information Industry on 5 November 2004 are abolished at the same time.

Minister Miao Wei

24 August 2017

Internet Domain Name Management Rules

Chapter I: General Provisions

Article 1: These Rules are formulated in order to standardize domain name services, protect users’ lawful rights and interests, ensure the secure and reliable operation of the Internet domain name system, promote the development and application of Mandarin-language domain names and national top-level domain name domain names, and stimulate the healthy development of the Chinese Internet, on the basis of regulations such as the “Administrative Licencing Law of the People’s Republic of China”, the “State Council Decision on Determining Administrative Licences and Administrative Examination and Approval Programmes that Need to Be Maintained”, etc., and with reference to international Internet domain name management norms. 

Article 2: These Rules shall be followed when engaging in Internet domain name services and their related activities such as operational maintenance, supervision and management within the territory of the People’s Republic of China

Internet domain name services as mentioned in these Rules (hereafter simply named domain name services) refers to engaging in activities such as domain name root server operation and maintenance, top-level domain name operation and management, domain name registration, domain name resolution, etc.

Article 3: The Ministry of Industry and Information Technology implements supervision and management over domain name services nationwide, its main duties and responsibilities are:

(1) Formulating Internet domain name management rules and policies;

(2) Formulating development plans for the Internet domain name system and domain name resources;

(3) Managing domestic domain name root server operating bodies and domain name registration management bodies;

(4) Being responsible for the network and information security management of domain name systems;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Being responsible for domain name-related international coordination;

(7) Managing domestic domain name resolution services;

(8) Managing other domain name service-related activities.

Article 4: All provincial, autonomous region and municipal telecommunications management bureaus implement supervision and management over domain name services within their administrative areas, their main duties and responsibilities are:

(1) Implementing and enforcing domain name management laws, administrative regulations, rules and policies;

(2) Managing domain name registration service bodies within their administrative areas;

(3) Assisting the Ministry of Industry and Information Technology in conducting management of domain name root server operating bodies and domain name registration management bodies within their administrative areas;

(4) Being responsible for the network and information security of domain name systems within their administrative areas;

(5) Protecting users’ personal information and lawful rights and interests according to the law;

(6) Managing domain name resolution services within their administrative areas;

(7) Managing other domain name service-related activities within their administrative areas.

Article 5: The Chinese Internet domain name system is announced by the Ministry of Industry and Information Industry. On the basis of the actual circumstances of domain name development, the Ministry of Industry and Information Technology may adjust the Chinese Internet domain name system.

Article 6: “.cn” and “.中国” are China’s national top-level domain names.

Mandarin-language domain names are an important component part of the Chinese Internet domain name system. The State encourages and supports technological research and broad application of Mandarin-language domain names.

Article 7: Those providing domain name services, shall abide by relevant State laws and regulation, and conform with relevant technological norms and standards.

Article 8: No organization or individual may impede the secure and stable operation of the Internet domain name system.

Chapter II: Domain name management

Article 9: Those establishing domain name root servers and domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies within the borders, shall obtain corresponding licenses on the basis of these Rules from the Ministry of Industry and Information Technology or provincial, autonomous region and municipal telecommunications management bureau (hereafter generally designated as telecommunication management bodies).

Article 10: Those applying to establish domain name root servers and domain name root server operating bodies, shall meet the following conditions:

(1) Setting up the domain name root server within the borders, and conforming to Internet development-related plans and secure and stable operating requirements for the domain name system;

(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record;

(3) Having premises, funding, environments, specialist personnel and technical capabilities to ensure the secure and reliable operation of the domain name root server, as well as information management systems conform to telecommunications management bodies’ requirements;

(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(5) Having the capacity to protect users’ personal information, the capacity to provide long-term services and complete service withdrawal mechanisms;

(6) Other conditions provided in laws or administrative regulations.

Article 11: Those applying to establish a domain name registration management body shall meet the following conditions:

(1) Establishing the domain name management system inside the borders, and holding top-level domain names in conformity with related laws and regulations as well as requirements for the secure and stable operation of domain name systems;

(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record; 

(3) Having a perfected business development plan and technical plan, as well as the premises, funding and specialist personnel corresponding to engaging in top-level domain name operations and management, as well as information management systems conform to telecommunications management bodies’ requirements;

(4) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(5) Having the capacity to conduct real identity information verification and protect users’ personal information , the capacity to provide long-term services and complete services withdrawal mechanisms;

(6) Having complete domain name registration service management structures and supervision mechanisms over domain name registration service bodies;

(7) Other conditions as provided in laws and administrative regulations.

Article 12: Those applying to establish a domain name registration service body shall meet the following conditions:

(1) Establishing the domain name registration service system, registration database and corresponding domain name resolution systems within the borders;

(2) Being a lawfully established legal person, the said legal person and their main investors and main business management personnel have a good credit record; 

(3) Having the premises, funding and specialist personnel corresponding to engaging in domain name registration, as well as information management systems conform to telecommunications management bodies’ requirements;

(4)  Having the capacity to conduct real identity information verification and protect users’ personal information , the capacity to provide long-term services and complete services withdrawal mechanisms;

(5) Having complete domain name registration service management structures and supervision mechanisms over domain name registration agents;

(6) Having complete network and information security protection measures, including management personnel, network and information security management systems, emergency response plans and related technical and management measures, etc.;

(7) Other conditions provided in laws and administrative regulations.

Article 13: Those applying to establish a domain name root server or root server operating body, or a domain name registration management body, shall submit application materials to the Ministry of Industry and Information Technology. Those applying to establish a domain name registration service body, shall submit application materials to the local provincial, autonomous region and municipal telecommunications management bureau.

The application materials shall include:

(1) The applicant work unit’s basic situation as well as a commitment letter signed by its legal representative to do business sincerely and according to the law;

(2) Materials proving the implementation of effective management of domain name services, including materials proving relevant systems, premises and service capabilities, management rules, agreements signed with other bodies, etc.;

(3) Network and information security protection structures and measures;

(4) Materials proving the applicant work unit’s reputation.

Article 14: Where application materials are complete and conform to statutory forms, telecommunication management bodies shall issue an application acceptance notification letter to the applicant work unit; where application materials are not complete or do not conform to statutory forms, telecommunication management bodies shall notify the applicant work unit on the spot or once in writing within five working days about the complete content they need to supplement; where it is not accepted, they shall issue a non-acceptance notification letter and explain the reasons. 

Article 15 Telecommunication management bodies shall complete inspection within twenty working days from the date of acceptance, and make a decision on granting a licence or not granting a licence. Where a decision cannot be made within twenty working days, with the approval of the responsible person of the telecommunication management body, an extension of ten working days is permitted, and the applicant work unit will be notified about the reasons for the extended time limit. Where it is necessary to organize expert appraisal, the appraisal time is not counted into the inspection period.

Where a licence is granted, corresponding licence documents shall be issued; where a licence is not granted, the applicant work unit shall be notified in writing and the reasons explained.

Article 16: Licences of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies are valid for a period of five years.

Article 17: Where a change occurs in the name, address, legal representative or other such information of domain name root server operating bodies, domain name registration management bodies or domain name registration service bodies, they shall conduct modification formalities within twenty working days from the day the change occurs with the original licence-issuing body.

Article 18: Where, within a licence’s period of validity, a domain name root server operating body, domain name registration management body, or domain name registration service body plans to terminate corresponding services, they shall notify users in writing thirty days in advance, put forward feasible plans to deal with the aftermath, and submit a written application to the original licence-issuing body.

After the original licence-issuing body receives the application, it shall publish it to society for thirty days. The publication period concludes within sixty days, and the original licence-issuing body shall complete inspection and make a decision. 

Article 19: Where it is required to continue engaging in domain name services when a licence’s period of validity expires, an extension shall be applied for with the original licence-issuing body ninety days in advance; where it is not required to continue engaging in domain name services, the original licence-issuing body shall be notified ninety days in advance, and aftermath work conducted.

Article 20: Where a domain name registration service body entrusts a domain name registration agency body to conduct market sales and other such work, it shall conduct supervision and management of the domain name registration agency body’s work.

Domain name registration agency body entrusted with conducting market sales and other such work shall, in that process, actively indicate the agency relationship, and explicitly clarify the domain name registration service body’s name and agency relationship in the domain name registration service contract.

Article 21: Domain name registration management bodies and domain name registration service bodies shall establish corresponding emergency response back-up systems within the borders and regularly back up domain name registration data.

Article 22: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall indicate information related to their licence in a clear location on the front page of their website and their business premises. Domain name registration management bodies shall also show a list of domain name registration service bodies with which they cooperate.

Domain name registration agency bodies shall indicate the name of the domain name registration service body for which they are agents in a clear location on the front page of their website and their business premises. 

Chapter III: Domain name services

Article 23: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall provide secure, convenient and stable services to users.

Article 24: Domain name registration management bodies shall, on the basis of these Rules, formulate domain name registration implementation rules and publish them to society.

Article 25: Domain name registration management bodies shall, conduct domain name registration services through domain name registration service bodies licenced by telecommunication management bodies.

Domain name registration service bodies shall provide services according to the domain name registration service items licenced by telecommunication management bodies, they may not provide domain name registration services for domain name registration management bodies who do not have a telecommunication management body licence.

Article 26: “First application, first registration” is implemented for domain name registration services in principle, where related domain name registration implementation rules provide otherwise, those provisions are followed.

Article 27: In order to uphold the national interest and the social public interest, domain name registration management bodies shall establish reserved domain name registration word systems.

Article 28: Domain names registered and used by any organization or individual may not contain the following content:

(1) Content violating the basic principles determined in the Constitution;

(2) Content harming national security, divulging State secrets, subverting the national regime, or destroying national unity;

(3) Content harming the country’s honour and interest;

(4) Content inciting ethnic hatred or ethnic discrimination, or destroying ethnic unity;

(5) Content destroying State religious policies, propagating heresy and feudal superstition;

(6) Content disseminating rumours, upsetting social order, or destroying social stability;

(7) Content disseminating obscenity, sex, gambling, violence, homicide or terror, or inciting crime;

(8) Content insulting or slandering other persons, or harming other persons’ lawful rights and interests.

(9) Other content prohibited by laws and administrative regulations.

Domain name registration management bodies and domain name registration service bodies may not provide services to domain names containing content listed in the previous Paragraph.

Article 29: Domain name registration service bodies may not use fraudulent, coercive or other such improper means to require other persons to register domain names. 

Article 30: Domain name registration service bodies providing domain name registration services shall require domain name registration applicants to provide domain name holders’ real, accurate and complete identity information and other such domain name registration information.

Domain name registration management bodies and domain name registration service bodies shall check the veracity and completeness of domain name registration information.

Where domain name registration applicants provide inaccurate or incomplete domain name registration information, domain name registration service bodies shall require correction. Where applicants do not correct the matter or provide untrue domain name registration information, domain name registration service bodies may not provide domain name registration services to them.

Article 31: Domain name registration service bodies shall publish domain name registration service content, time limits and fees, to ensure service quality, and provide public inquiry services of domain name registration information.

Article 32: Domain name registration management bodies and domain name registration service bodies shall store and protect users’ personal information according to the law. Without user agreement, users’ personal information may not be provided to other persons, except where laws and regulations provide otherwise.

Article 33: Where a change occurs in domain name holders’ contact method and other such information, they shall conduct domain name registration information modification formalities within thirty days after the change with the domain name registration service body.

Where domain name holders transfer domain names to other persons, the assignee shall abide by domain name registration-related requirements. 

Article 34: Domain name holders have the right to choose or change domain name registration service bodies. Where a domain name registration service body is changed, the original domain name registration service body shall cooperate with the domain name holder to transfer their domain name registration-related information. 

Without proper reason, domain name registration service bodies may not impede domain name holders’ changing domain name registration service bodies.

Article 35: Domain name registration management bodies and domain name registration service bodies shall establish complaints acceptance mechanisms, and publish complaints acceptance methods in a clear location on the front page of their website and their business premises.

Domain name registration management bodies and domain name registration service bodies shall handle complaints timely; where they cannot be handled timely, the reasons and handling period shall be explained.

Article 36: In the provision of domain name resolution services, relevant laws, regulations and standards shall be observed, corresponding technical, service and network and information protection capabilities possessed, network and information security protection measures implemented, daily domain name resolution records recorded and preserved according to the law, daily records and modification records maintained, and resolution service quality and resolution system security guaranteed. Where it involved commercial telecommunications business, a telecommunications business licence shall be obtained according to the law.

Article 37: In the provision of domain name resolution services, it is prohibited to alter resolution information without authorization. 

No organization or individual may maliciously direct domain name resolution towards other persons’ IP addresses.

Article 38: In the provision of domain name resolution services, it is prohibited to provide domain name aliasing for domain name with content listed in Article 28 Paragraph I of these Rules.

Article 39: Of those engaging in Internet information services, the domain names they use shall conform to laws, regulations and the relevant requirements of telecommunication management bodies, and may not use domain names to conduct unlawful acts.

Article 40: Domain name registration management bodies and domain name registration service bodies shall cooperate with relevant State departments conducting inspection work according to the law, and adopt measures such as cessation of resolution, etc. against domain names where unlawful acts occur according to telecommunication management bodies’ requirements.

Where domain name registration management bodies and domain name registration service bodies discover the domain names to which they provide services publish or transmit information of which the publication or transmission is prohibited by laws and administrative regulations, they shall immediately adopt measures in response, such as deletion, cessation of resolution, etc., prevent the spread of the information, preserve relevant records, and notify the matter to relevant departments.

Article 41: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall abide by relevant State laws, regulations and standards, implement network and information security protection measures, deploy the necessary network and telecommunications emergency response equipment, establish and complete technical network and information security monitoring  methods and emergency response structures. When a network or information incident occurs on a domain name system, it shall be reported to the telecommunication management body within 24 hours.

When required for national security and to deal with emergencies or incidents, domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall submit to the uniform commands and coordination of telecommunication management bodies, and abide by telecommunication management bodies’ management requirements. 

Article 42: Where any organization or individual believes that a domain name registered or used by another person harms their lawful rights and interests, they may apply for mediation with a domain name dispute settlement body or file a lawsuit with a People’s Court according to the law.

Article 43: Where one of the following circumstances is present with a registered domain name, the domain name registration service body shall cancel it, and notify the domain name holder:

(1) The domain name holder applies for domain name cancellation;

(2) Domain name holders submitted false domain name registration information;

(3) It shall be closed on the basis of a People’s Court judgment, or a domain name dispute settlement body verdict;

(4) Other circumstances where laws and administrative regulations provide for cancellation. 

Chapter IV: Supervision and inspection

Article 44: Telecommunication management bodies shall strengthen supervision and inspection of domain name services. Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall accept and cooperate with supervision and inspection by telecommunication management bodies.

Domain name service sectoral self-discipline and management is encouraged, public supervision of domain name services is encouraged.

Article 45: Domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies shall, according to telecommunication management bodies’ requirements, regularly report business development situations, operations security situations, network and information security responsibility situation, the complaints and dispute handling situation and other such information.

Article 47: When telecommunication management bodies carry out supervision and inspection, they shall examine the materials submitted by domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and inspect the situation of their executing laws, regulations and relevant provisions of telecommunication management bodies.

Telecommunication management bodies may entrust specialized third-party bodies to conduct relevant supervision and inspection activities.

Article 47: Telecommunication management bodies shall establish credit-recording structures for domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, and enter their violations of these Rules and the administrative punishment they receive into the credit file.

Article 48: Telecommunication management bodies conducting supervision and inspection may not impede the regular commercial and service activities of domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies, they may not accept any fees, and may not leak the domain name registration information they learn.

Chapter V: Punitive provisions

Article 49: Where, in violation of the provisions of Article 9 of these Rules, a domain name root server or domain name root server operating body, domain name registration management body or domain name registration service body is established without a licence or authorization, telecommunication management bodies shall, on the basis of the provisions of Article 81 of the “Administrative Licensing Law of the People’s Republic of China”, adopt measures to stop the matter, and in view of the gravity of circumstances, issue a warning or a fine of more than 10.000 Yuan but less than 30.000 Yuan.

Article 50: Where, in violation of the provisions of these Rules, a domain name registration management body or domain name registration service body commits one of the following acts, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, and in view of the gravity of circumstances, impose a fine of 10.000 Yuan or more but less than 30.000 Yuan, and publish the matter to society:

(1) Providing domain name registration services to unlicensed domain name registration management bodies, or conducting domain name registration services through unlicensed domain name registration service bodies;

(2) Not providing services according to the licenced domain name registration service items;

(3) Not checking the veracity and completeness of domain name registration information;

(4) Obstructing domain name holders to change domain name registration service bodies without proper reason.

Article 51: Where, in violation of the provisions of these Regulations, domain name resolution services are provided and one of the following acts committed, the telecommunication management body will order correction within a limited time, and may, in view of the gravity of circumstances, impose a fine of 10.000 Yuan or more but less than 30.000 Yuan, and publish the matter to society;

(1) Altering domain name resolution information without authorization or maliciously directing domain name resolution towards other persons. IP addresses;

(2) Providing domain name aliasing for domain name with content listed in Article 28 Paragraph I of these Rules;

(3) Not implementing network and information security protection measures;

(4) Not recording and preserving daily domain name resolution records according to the law, maintaining daily records and modification records;

(5) Not dealing with domain names where unlawful activities according to requirements.

Article 52: Where the provisions of Article 17, Article 18 Paragraph I, Article 21, Article 22, Article 28 Paragraph II, Article 29, Article 31, Article 32, Article 35 Paragraph I, Article 40 Paragraph II or Article 41 of these Rules are violated, the telecommunication management body will order correction within a limited time on the basis of their duties and powers, may additionally impose a fine of 10.000 Yuan or more but less than 30.000 Yuan, and publish the matter to society.

Article 53: Where laws or administrative regulations provide otherwise on relevant unlawful conduct, the provisions of those laws and administrative regulations are implemented. 

Article 54: Where any organization or individual registers or uses domain names in violation of the provisions of Article 28 Paragraph I of these Rules, constituting a crime, criminal liability will be prosecuted according to the law; where the matter does not constitute a crime, relevant departments will punish the matter according to the law.

Chapter VI: Supplementary provisions

Article 55: The meaning of the following terms in these Rules is:

(1) Domain name: refers to a hierarchically structured character indication to identify and locate a computer on the Internet, corresponding with that computer’s IP address.

(2) Mandarin-language domain name: refers to a domain name using Mandarin characters.

(3) Top-level domain name: refers to the first-level name of the root node in the domain name system.

(4) Domain name server: refers to servers with domain name system root node functioning (including mirror servers).

(5) Domain name root server operating body: refers to a body that lawfully obtained a licence and undertakes domain name root server operations, maintenance and management work.

(6) Domain name registration management body: refers to a body that lawfully obtained a licence and undertakes top-level domain name operations and management work. 

(7) Domain name registration service body: refers to a body that lawfully obtained a licence, accepts domain name registration applications and completes the registration of a domain name in the top-level domain name database.

(8) Domain name registration agency body: refers to a body that is entrusted by domain name registration service bodies to accept domain name registration applications, and indirectly complete domain name registration in the top-level domain name database.

(9) Domain name management system: refers to the main information system required by domain name registration management bodies to conduct top-level domain name operations and management work within the borders, and includes registration management systems, registration databases, domain name resolution systems, domain name information inquiry systems, identity information inspection systems, etc.

(10) Domain name aliasing: refers to the transfer of a visit of one domain name to another domain name and IP address or online information service connected with or directed by that domain name.

Article 56: The time periods provided in these Rules, except where working days are determined, are all natural days.

Article 57: Those conducting domain name services without obtaining corresponding licences before these Rules took effect, shall conduct licensing formalities according to the provisions of these Rules within 12 months from the date these Regulations take effect.

For domain name root server operating bodies, domain name registration management bodies and domain name registration service bodies that already obtained a licence before these Rules took effect, the provisions of Article 16 of these Rules shall apply to the period of validity of their licence, the period of validity will be computed form the day these Rules take effect.

Article 58: These Rules take effect on 1 November 2017. The “Chinese Internet Domain Name Management Rules (then-Ministry of Information Industry Decree No. 30) promulgated on 5 November 2004 are abolished at the same time. Where inconsistencies exist between these Rules and relevant provisions promulgated before these Regulations took effect, these Rules shall be implemented.

中华人民共和国工业和信息化部令

第 43 号

《互联网域名管理办法》已经2017年8月16日工业和信息化部第32次部务会议审议通过,现予公布,自2017年11月1日起施行。原信息产业部2004年11月5日公布的《中国互联网络域名管理办法》(原信息产业部令第30号)同时废止。
部 长  苗 圩
2017年8月24日

互联网域名管理办法

第一章 总  则

第一条 为了规范互联网域名服务,保护用户合法权益,保障互联网域名系统安全、可靠运行,推动中文域名和国家顶级域名发展和应用,促进中国互联网健康发展,根据《中华人民共和国行政许可法》、《国务院对确需保留的行政审批项目设定行政许可的决定》等规定,参照国际上互联网域名管理准则,制定本办法。
第二条 在中华人民共和国境内从事互联网域名服务及其运行维护、监督管理等相关活动,应当遵守本办法。
本办法所称互联网域名服务(以下简称域名服务),是指从事域名根服务器运行和管理、顶级域名运行和管理、域名注册、域名解析等活动。
第三条 工业和信息化部对全国的域名服务实施监督管理,主要职责是:
(一)制定互联网域名管理规章及政策;
(二)制定中国互联网域名体系、域名资源发展规划;
(三)管理境内的域名根服务器运行机构和域名注册管理机构;
(四)负责域名体系的网络与信息安全管理;
(五)依法保护用户个人信息和合法权益;
(六)负责与域名有关的国际协调;
(七)管理境内的域名解析服务;
(八)管理其他与域名服务相关的活动。
第四条 各省、自治区、直辖市通信管理局对本行政区域内的域名服务实施监督管理,主要职责是:
(一)贯彻执行域名管理法律、行政法规、规章和政策;
(二)管理本行政区域内的域名注册服务机构;
(三)协助工业和信息化部对本行政区域内的域名根服务器运行机构和域名注册管理机构进行管理;
(四)负责本行政区域内域名系统的网络与信息安全管理;
(五)依法保护用户个人信息和合法权益;
(六)管理本行政区域内的域名解析服务;
(七)管理本行政区域内其他与域名服务相关的活动。
第五条 中国互联网域名体系由工业和信息化部予以公告。根据域名发展的实际情况,工业和信息化部可以对中国互联网域名体系进行调整。
第六条 “.CN”和“.中国”是中国的国家顶级域名。
中文域名是中国互联网域名体系的重要组成部分。国家鼓励和支持中文域名系统的技术研究和推广应用。
第七条 提供域名服务,应当遵守国家相关法律法规,符合相关技术规范和标准。
第八条 任何组织和个人不得妨碍互联网域名系统的安全和稳定运行。

第二章 域名管理

第九条 在境内设立域名根服务器及域名根服务器运行机构、域名注册管理机构和域名注册服务机构的,应当依据本办法取得工业和信息化部或者省、自治区、直辖市通信管理局(以下统称电信管理机构)的相应许可。
第十条 申请设立域名根服务器及域名根服务器运行机构的,应当具备以下条件:
(一)域名根服务器设置在境内,并且符合互联网发展相关规划及域名系统安全稳定运行要求;
(二)是依法设立的法人,该法人及其主要出资者、主要经营管理人员具有良好的信用记录;
(三)具有保障域名根服务器安全可靠运行的场地、资金、环境、专业人员和技术能力以及符合电信管理机构要求的信息管理系统;
(四)具有健全的网络与信息安全保障措施,包括管理人员、网络与信息安全管理制度、应急处置预案和相关技术、管理措施等;
(五)具有用户个人信息保护能力、提供长期服务的能力及健全的服务退出机制;
(六)法律、行政法规规定的其他条件。
第十一条 申请设立域名注册管理机构的,应当具备以下条件:
(一)域名管理系统设置在境内,并且持有的顶级域名符合相关法律法规及域名系统安全稳定运行要求;
(二)是依法设立的法人,该法人及其主要出资者、主要经营管理人员具有良好的信用记录;
(三)具有完善的业务发展计划和技术方案以及与从事顶级域名运行管理相适应的场地、资金、专业人员以及符合电信管理机构要求的信息管理系统;
(四)具有健全的网络与信息安全保障措施,包括管理人员、网络与信息安全管理制度、应急处置预案和相关技术、管理措施等;
(五)具有进行真实身份信息核验和用户个人信息保护的能力、提供长期服务的能力及健全的服务退出机制;
(六)具有健全的域名注册服务管理制度和对域名注册服务机构的监督机制;
(七)法律、行政法规规定的其他条件。
第十二条 申请设立域名注册服务机构的,应当具备以下条件:
(一)在境内设置域名注册服务系统、注册数据库和相应的域名解析系统;
(二)是依法设立的法人,该法人及其主要出资者、主要经营管理人员具有良好的信用记录;
(三)具有与从事域名注册服务相适应的场地、资金和专业人员以及符合电信管理机构要求的信息管理系统;
(四)具有进行真实身份信息核验和用户个人信息保护的能力、提供长期服务的能力及健全的服务退出机制;
(五)具有健全的域名注册服务管理制度和对域名注册代理机构的监督机制;
(六)具有健全的网络与信息安全保障措施,包括管理人员、网络与信息安全管理制度、应急处置预案和相关技术、管理措施等;
(七)法律、行政法规规定的其他条件。
第十三条 申请设立域名根服务器及域名根服务器运行机构、域名注册管理机构的,应当向工业和信息化部提交申请材料。申请设立域名注册服务机构的,应当向住所地省、自治区、直辖市通信管理局提交申请材料。
申请材料应当包括:
(一)申请单位的基本情况及其法定代表人签署的依法诚信经营承诺书;
(二)对域名服务实施有效管理的证明材料,包括相关系统及场所、服务能力的证明材料、管理制度、与其他机构签订的协议等;
(三)网络与信息安全保障制度及措施;
(四)证明申请单位信誉的材料。
第十四条 申请材料齐全、符合法定形式的,电信管理机构应当向申请单位出具受理申请通知书;申请材料不齐全或者不符合法定形式的,电信管理机构应当场或者在5个工作日内一次性书面告知申请单位需要补正的全部内容;不予受理的,应当出具不予受理通知书并说明理由。
第十五条 电信管理机构应当自受理之日起20个工作日内完成审查,作出予以许可或者不予许可的决定。20个工作日内不能作出决定的,经电信管理机构负责人批准,可以延长10个工作日,并将延长期限的理由告知申请单位。需要组织专家论证的,论证时间不计入审查期限。
予以许可的,应当颁发相应的许可文件;不予许可的,应当书面通知申请单位并说明理由。
第十六条 域名根服务器运行机构、域名注册管理机构和域名注册服务机构的许可有效期为5年。
第十七条 域名根服务器运行机构、域名注册管理机构和域名注册服务机构的名称、住所、法定代表人等信息发生变更的,应当自变更之日起20日内向原发证机关办理变更手续。
第十八条 在许可有效期内,域名根服务器运行机构、域名注册管理机构、域名注册服务机构拟终止相关服务的,应当提前30日书面通知用户,提出可行的善后处理方案,并向原发证机关提交书面申请。
原发证机关收到申请后,应当向社会公示30日。公示期结束60日内,原发证机关应当完成审查并做出决定。
第十九条 许可有效期届满需要继续从事域名服务的,应当提前90日向原发证机关申请延续;不再继续从事域名服务的,应当提前90日向原发证机关报告并做好善后工作。
第二十条 域名注册服务机构委托域名注册代理机构开展市场销售等工作的,应当对域名注册代理机构的工作进行监督和管理。
域名注册代理机构受委托开展市场销售等工作的过程中,应当主动表明代理关系,并在域名注册服务合同中明示相关域名注册服务机构名称及代理关系。
第二十一条 域名注册管理机构、域名注册服务机构应当在境内设立相应的应急备份系统并定期备份域名注册数据。
第二十二条 域名根服务器运行机构、域名注册管理机构、域名注册服务机构应当在其网站首页和经营场所显著位置标明其许可相关信息。域名注册管理机构还应当标明与其合作的域名注册服务机构名单。
域名注册代理机构应当在其网站首页和经营场所显著位置标明其代理的域名注册服务机构名称。

第三章 域名服务

第二十三条 域名根服务器运行机构、域名注册管理机构和域名注册服务机构应当向用户提供安全、方便、稳定的服务。
第二十四条 域名注册管理机构应当根据本办法制定域名注册实施细则并向社会公开。
第二十五条 域名注册管理机构应当通过电信管理机构许可的域名注册服务机构开展域名注册服务。
域名注册服务机构应当按照电信管理机构许可的域名注册服务项目提供服务,不得为未经电信管理机构许可的域名注册管理机构提供域名注册服务。
第二十六条 域名注册服务原则上实行“先申请先注册”,相应域名注册实施细则另有规定的,从其规定。
第二十七条 为维护国家利益和社会公众利益,域名注册管理机构应当建立域名注册保留字制度。
第二十八条 任何组织或者个人注册、使用的域名中,不得含有下列内容:
(一)反对宪法所确定的基本原则的;
(二)危害国家安全,泄露国家秘密,颠覆国家政权,破坏国家统一的;
(三)损害国家荣誉和利益的;
(四)煽动民族仇恨、民族歧视,破坏民族团结的;
(五)破坏国家宗教政策,宣扬邪教和封建迷信的;
(六)散布谣言,扰乱社会秩序,破坏社会稳定的;
(七)散布淫秽、色情、赌博、暴力、凶杀、恐怖或者教唆犯罪的;
(八)侮辱或者诽谤他人,侵害他人合法权益的;
(九)含有法律、行政法规禁止的其他内容的。
域名注册管理机构、域名注册服务机构不得为含有前款所列内容的域名提供服务。
第二十九条 域名注册服务机构不得采用欺诈、胁迫等不正当手段要求他人注册域名。
第三十条 域名注册服务机构提供域名注册服务,应当要求域名注册申请者提供域名持有者真实、准确、完整的身份信息等域名注册信息。
域名注册管理机构和域名注册服务机构应当对域名注册信息的真实性、完整性进行核验。
域名注册申请者提供的域名注册信息不准确、不完整的,域名注册服务机构应当要求其予以补正。申请者不补正或者提供不真实的域名注册信息的,域名注册服务机构不得为其提供域名注册服务。
第三十一条 域名注册服务机构应当公布域名注册服务的内容、时限、费用,保证服务质量,提供域名注册信息的公共查询服务。
第三十二条 域名注册管理机构、域名注册服务机构应当依法存储、保护用户个人信息。未经用户同意不得将用户个人信息提供给他人,但法律、行政法规另有规定的除外。
第三十三条 域名持有者的联系方式等信息发生变更的,应当在变更后30日内向域名注册服务机构办理域名注册信息变更手续。
域名持有者将域名转让给他人的,受让人应当遵守域名注册的相关要求。
第三十四条 域名持有者有权选择、变更域名注册服务机构。变更域名注册服务机构的,原域名注册服务机构应当配合域名持有者转移其域名注册相关信息。
无正当理由的,域名注册服务机构不得阻止域名持有者变更域名注册服务机构。
电信管理机构依法要求停止解析的域名,不得变更域名注册服务机构。
第三十五条 域名注册管理机构和域名注册服务机构应当设立投诉受理机制,并在其网站首页和经营场所显著位置公布投诉受理方式。
域名注册管理机构和域名注册服务机构应当及时处理投诉;不能及时处理的,应当说明理由和处理时限。
第三十六条 提供域名解析服务,应当遵守有关法律、法规、标准,具备相应的技术、服务和网络与信息安全保障能力,落实网络与信息安全保障措施,依法记录并留存域名解析日志、维护日志和变更记录,保障解析服务质量和解析系统安全。涉及经营电信业务的,应当依法取得电信业务经营许可。
第三十七条 提供域名解析服务,不得擅自篡改解析信息。
任何组织或者个人不得恶意将域名解析指向他人的IP地址。
第三十八条 提供域名解析服务,不得为含有本办法第二十八条第一款所列内容的域名提供域名跳转。
第三十九条 从事互联网信息服务的,其使用域名应当符合法律法规和电信管理机构的有关规定,不得将域名用于实施违法行为。
第四十条 域名注册管理机构、域名注册服务机构应当配合国家有关部门依法开展的检查工作,并按照电信管理机构的要求对存在违法行为的域名采取停止解析等处置措施。
域名注册管理机构、域名注册服务机构发现其提供服务的域名发布、传输法律和行政法规禁止发布或者传输的信息的,应当立即采取消除、停止解析等处置措施,防止信息扩散,保存有关记录,并向有关部门报告。
第四十一条 域名根服务器运行机构、域名注册管理机构和域名注册服务机构应当遵守国家相关法律、法规和标准,落实网络与信息安全保障措施,配置必要的网络通信应急设备,建立健全网络与信息安全监测技术手段和应急制度。域名系统出现网络与信息安全事件时,应当在24小时内向电信管理机构报告。
因国家安全和处置紧急事件的需要,域名根服务器运行机构、域名注册管理机构和域名注册服务机构应当服从电信管理机构的统一指挥与协调,遵守电信管理机构的管理要求。
第四十二条 任何组织或者个人认为他人注册或者使用的域名侵害其合法权益的,可以向域名争议解决机构申请裁决或者依法向人民法院提起诉讼。
第四十三条 已注册的域名有下列情形之一的,域名注册服务机构应当予以注销,并通知域名持有者:
(一)域名持有者申请注销域名的;
(二)域名持有者提交虚假域名注册信息的;
(三)依据人民法院的判决、域名争议解决机构的裁决,应当注销的;
(四)法律、行政法规规定予以注销的其他情形。

第四章 监督检查

第四十四条 电信管理机构应当加强对域名服务的监督检查。域名根服务器运行机构、域名注册管理机构、域名注册服务机构应当接受、配合电信管理机构的监督检查。
鼓励域名服务行业自律管理,鼓励公众监督域名服务。
第四十五条 域名根服务器运行机构、域名注册管理机构、域名注册服务机构应当按照电信管理机构的要求,定期报送业务开展情况、安全运行情况、网络与信息安全责任落实情况、投诉和争议处理情况等信息。
第四十六条 电信管理机构实施监督检查时,应当对域名根服务器运行机构、域名注册管理机构和域名注册服务机构报送的材料进行审核,并对其执行法律法规和电信管理机构有关规定的情况进行检查。
电信管理机构可以委托第三方专业机构开展有关监督检查活动。
第四十七条 电信管理机构应当建立域名根服务器运行机构、域名注册管理机构和域名注册服务机构的信用记录制度,将其违反本办法并受到行政处罚的行为记入信用档案。
第四十八条 电信管理机构开展监督检查,不得妨碍域名根服务器运行机构、域名注册管理机构和域名注册服务机构正常的经营和服务活动,不得收取任何费用,不得泄露所知悉的域名注册信息。

第五章 罚  则

第四十九条 违反本办法第九条规定,未经许可擅自设立域名根服务器及域名根服务器运行机构、域名注册管理机构、域名注册服务机构的,电信管理机构应当根据《中华人民共和国行政许可法》第八十一条的规定,采取措施予以制止,并视情节轻重,予以警告或者处1万元以上3万元以下罚款。
第五十条 违反本办法规定,域名注册管理机构或者域名注册服务机构有下列行为之一的,由电信管理机构依据职权责令限期改正,并视情节轻重,处1万元以上3万元以下罚款,向社会公告:
(一)为未经许可的域名注册管理机构提供域名注册服务,或者通过未经许可的域名注册服务机构开展域名注册服务的;
(二)未按照许可的域名注册服务项目提供服务的;
(三)未对域名注册信息的真实性、完整性进行核验的;
(四)无正当理由阻止域名持有者变更域名注册服务机构的。
第五十一条 违反本办法规定,提供域名解析服务,有下列行为之一的,由电信管理机构责令限期改正,可以视情节轻重处1万元以上3万元以下罚款,向社会公告:
(一)擅自篡改域名解析信息或者恶意将域名解析指向他人IP地址的;
(二)为含有本办法第二十八条第一款所列内容的域名提供域名跳转的;
(三)未落实网络与信息安全保障措施的;
(四)未依法记录并留存域名解析日志、维护日志和变更记录的;
(五)未按照要求对存在违法行为的域名进行处置的。
第五十二条 违反本办法第十七条、第十八条第一款、第二十一条、第二十二条、第二十八条第二款、第二十九条、第三十一条、第三十二条、第三十五条第一款、第四十条第二款、第四十一条规定的,由电信管理机构依据职权责令限期改正,可以并处1万元以上3万元以下罚款,向社会公告。
第五十三条 法律、行政法规对有关违法行为的处罚另有规定的,依照有关法律、行政法规的规定执行。
第五十四条 任何组织或者个人违反本办法第二十八条第一款规定注册、使用域名,构成犯罪的,依法追究刑事责任;尚不构成犯罪的,由有关部门依法予以处罚。

第六章 附  则

第五十五条 本办法下列用语的含义是:
(一)域名:指互联网上识别和定位计算机的层次结构式的字符标识,与该计算机的IP地址相对应。
(二)中文域名:指含有中文文字的域名。
(三)顶级域名:指域名体系中根节点下的第一级域的名称。
(四)域名根服务器:指承担域名体系中根节点功能的服务器(含镜像服务器)。
(五)域名根服务器运行机构:指依法获得许可并承担域名根服务器运行、维护和管理工作的机构。
(六)域名注册管理机构:指依法获得许可并承担顶级域名运行和管理工作的机构。
(七)域名注册服务机构:指依法获得许可、受理域名注册申请并完成域名在顶级域名数据库中注册的机构。
(八)域名注册代理机构:指受域名注册服务机构的委托,受理域名注册申请,间接完成域名在顶级域名数据库中注册的机构。
(九)域名管理系统:指域名注册管理机构在境内开展顶级域名运行和管理所需的主要信息系统,包括注册管理系统、注册数据库、域名解析系统、域名信息查询系统、身份信息核验系统等。
(十)域名跳转:指对某一域名的访问跳转至该域名绑定或者指向的其他域名、IP地址或者网络信息服务等。
第五十六条 本办法中规定的日期,除明确为工作日的以外,均为自然日。
第五十七条 在本办法施行前未取得相应许可开展域名服务的,应当自本办法施行之日起12个月内,按照本办法规定办理许可手续。
在本办法施行前已取得许可的域名根服务器运行机构、域名注册管理机构和域名注册服务机构,其许可有效期适用本办法第十六条的规定,有效期自本办法施行之日起计算。
第五十八条 本办法自2017年11月1日起施行。2004年11月5日公布的《中国互联网络域名管理办法》(原信息产业部令第30号)同时废止。本办法施行前公布的有关规定与本办法不一致的,按照本办法执行。

Public Internet Cybersecurity Threat Monitoring and Mitigation Measures

Posted on Updated on

This translation was kindly provided by John Costello

Ministry of Industry and Information Technology Network [2017] No. 202

Provincial, autonomous region, and municipal communications authorities, China Telecom Group Corporation, China Mobile Communications Corporation, China Unicom Group Corporation, China National Computer Emergency Technical Team/Coordination Center of China (CNCERT), China Information Communications Research Institute, National Industrial Information Security Development Research Center, China Internet Association, domain name registration management and service organs, internet companies, and cybersecurity enterprises:

In order to deepen the implementation of the spirit of General Secretary Xi Jinping’s important speeches on cybersecurity, actively respond to the dire and complex cybersecurity situation, to move forward robust public internet cybersecurity threat monitoring and mitigation mechanism, safeguard the legitimate rights and interests of citizens, legals person, and other organizations, and in accordance with “Cybersecurity Law of the People’s Republic of China” and other relevant laws and regulations, the “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures”. Hereby issued to you, please realistically and effectively implement and carry out.

Ministry of Industry and Information Technology Read the rest of this entry »

A Next Generation Artificial Intelligence Development Plan

Posted on Updated on

This documents was translated jointly by Graham Webster, Paul Triolo, Elsa Kania, and Rogier Creemers. John Costello assisted with helpful comments. An analysis of this document can be found on the New America website.

State Council Notice on the Issuance of the Next Generation Artificial Intelligence Development Plan

Completed: July 8, 2017

Released: July 20, 2017

 

A Next Generation Artificial Intelligence Development Plan

 

The rapid development of artificial intelligence (AI) will profoundly change human society and life and change the world. To seize the major strategic opportunity for the development of AI, to build China’s first-mover advantage in the development of AI, to accelerate the construction of an innovative nation and global power in science and technology, in accordance with the requirements of the CCP Central Committee and the State Council, this plan has been formulated.

I.  The Strategic Situation

Read the rest of this entry »

Critical Information Infrastructure Security Protection Regulations

Posted on Updated on

This document was translated jointly by Graham Webster, Paul Triolo and Rogier Creemers

CAC Notice concerning the Public Solicitation of Opinions on the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”

http://www.cac.gov.cn/2017-07/11/m_1121294220.htm

In order to guarantee the security of critical information infrastructure, based on the “Cybersecurity Law of the People’s Republic of China”, our Administration, jointly with relevant departments, has drafted the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”, which is now made public for open solicitation of opinions. Relevant work units and individuals from all circles may, before 10 August, put forward opinions through the following ways:

1, Sending opinions in a letter form to: Beijing Xicheng Chegongzhuang Avenue 11, CAC Cybersecurity Coordination Bureau, Post Code 100044, and clearly indicate “opinion solicitation” on the envelope

2, Sending an e-mail to: security@cac.gov.cn.

CAC

10 July 2017

Critical Information Infrastructure Security Protection Regulations

(Opinion-seeking draft)

Chapter 1: General principles Read the rest of this entry »

Implementing Rules for the Management of Internet News Information Service Licences

Posted on Updated on

Article 1: In order to further raise the standardization and scientization levels of Internet news information service licence management, and stimulate the healthy and orderly development of Internet news information services, on the basis of the “Administrative Licensing Law of the People’s Republic of China” and the “Internet News Information Service Management Regulations” (hereafter simply named “Regulations”), these Implementing Rules are formulated.

Article 2: These Implementing Rules apply to national and provincial, autonomous region and municipal Internet information offices’ implementation of Internet news information service licensing. Read the rest of this entry »

National Intelligence Law of the People’s Republic of China (Draft)

Posted on Updated on

Chapter I: General Provisions

Article 1: In order to strengthen and guarantee national intelligence work, and safeguard national security and interests, on the basis of the Constitution, this Law is formulated.

Article 2: National intelligence work shall persist in an overall national security view, provide intelligence reference for major national policy decisions, provide intelligence support for preventing and dissolving risks endangering national security, and safeguard the national regime, sovereignty, unity, independence and territorial integrity, the prosperity of the people, economic and social sustainable development and other major national interests. Read the rest of this entry »

Interim Security Review Measures for Network Products and Services

Posted on Updated on

This translation was kindly provided by Paul Triolo

Article 1 These Measures are developed with a view to enhancing the secure and controllable levels of network products and services, guarding against cyber security risks, and safeguarding the national security, and in accordance with the laws and regulations such as National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China.

Article 2 Important network products and services procured for use in networks and information systems that touch on national security are subject to a cybersecurity review.

Article 3 A cybersecurity review shall be conducted for network products and services and their supply chains, in a manner that combines enterprise commitments with public supervision, combines third-party assessments with government continuous regulation, and combines laboratory testing with on-site checks, on-line monitoring and background investigations. Read the rest of this entry »

Internet News Information Service Management Regulations

Posted on Updated on

Chapter I: General Provisions

Article 1: In order to strengthen Internet information content management and stimulate the healthy and orderly development of Internet news information services, on the basis of the “Cybersecurity Law of the People’s Republic of China”, the “Internet Information Service Management Rules”, and the “State Council Notice concerning Authorizing the State Internet Information Office to Take Responsibility of Internet Information Content Management Work”, these Regulations are formulated.

Read the rest of this entry »

Regulations for Internet Content Management Administration Law Enforcement Procedures

Posted on Updated on

This translation was kindly provided by John Costello

State Internet Information Office

Decree No. 2

“Regulations for Internet Content Management Administration Law Enforcement Procedures” approved in a meeting of the State Internet Information Office is hereby announced, to be implemented from June 1, 2017 onward.

Director Xu Lin

May 2, 2017

Regulations for Internet Content Management Administration Law Enforcement Procedures Read the rest of this entry »

Encryption Law of the People’s Republic of China (Opinion-seeking Draft)

Posted on Updated on

This translation was created jointly with Paul Triolo and John Costello

Table of contents

Chapter I: General principles

Chapter II: The use of encryption

Chapter III: Encryption security

Chapter IV: Stimulating the development of encryption

Chapter V: Supervision and management

Chapter VI: Legal liability

Chapter VII: Supplementary provisions

Chapter I: General principles

Read the rest of this entry »

Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions)

Posted on Updated on

This translation was kindly provided by Paul Triolo

To safeguard personal information and important data security, to safeguard cyberspace sovereignty and national security, and social and public interests, and promote the orderly free flow of network information according to the law, according to the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations , our office has worked with relevant departments and drafted the “Personal Information and Important Data Outbound Security Assessment Measures (draft)”, is now open to the public for comments.

Relevant units and people of all walks of life may submit their views by May 11, 2017, in the following manner:

First, through a letter to the views sent to: Beijing Dongcheng District Chaoyang Gate Street 225, the State Internet Information Office Cybersecurity Coordination Bureau, Zip code: 100010, and in the envelope marked “comments”.

Second, by e-mail to: security@cac.gov.cn.

State Internet Information Office

April 11, 2017

Annex

Personal Information and Important Data Outbound Security Assessment Measures (draft)

Article 1 These Measures have been drafted in order to protect the security of personal information and important data, safeguard cyberspace sovereignty and national security, and social and public interests, while protecting the legitimate interests of citizens, legal persons and other organizations, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations.

Article 2 The personal information and important data collected and generated by network operators within the People’s Republic of China during operations shall be stored within the [national] territory. If the business requirements make it necessary to provide data outside of China, a security assessment shall be carried out in accordance with these Measures.

Article 3 The security assessment for outbound data shall follow the principle of impartiality, objectivity and validity, protect the security of personal information and important data, and promote the orderly and free flow of network information according to law.

Article 4 Where personal information leaves China’s borders, the purpose, scope, content, recipient and destination country of the data shall be explained to the subject of the personal information and agreed upon. Minors’ personal information is subject to the consent of their guardian.

Article 5 State cybersecurity and informatization departments shall coordinate the outbound data outbound security assessment work and guide the industry regulatory or supervisory departments in organizing the outbound data security assessment.

Article 6 Industry regulatory or supervisory departments shall be responsible for the security assessment of the industry outbound data and shall regularly organize the inspection of the specific industry outbound data.

Article 7 Network operators shall, before data leaves China’s borders, on their own initiative organize the conduct of a security assessment for outbound data and be responsible for the evaluation results.

Article 8 The outbound data security assessment shall focus on the following:

(A) the necessity of outbound data;

(B) the conditions touching on personal information, including the amount, scope, type, and sensitivity, and whether or not the subject of the personal information agrees that his/her personal information can leave China’s borders;

(C) the conditions touching on important data, including the amount, scope, type and sensitivity level of important data;

(D) the security protection measures and capability level of the data receiving party, and the cybersecurity environment in the country and region;

(E) risks such as disclosure, damage, tampering and abuse after the data leaves China’s borders and after re-transfer;

(F) the risks that may be brought to national security, social and public interests, and personal legitimate interests arising from the data leaving China’s borders and outbound data collection;

(G) other important matters that need to be assessed.

Article 9 If outbound data is stored in one of the following circumstances, network operators should report to the industry regulators or supervisory authorities and organize a security assessment:

(A) the [data set] contains or has accumulated personal information of more than 500,000 people;

(B) the amount of data is over 1000 GB;

(C) the data includes sector data on nuclear facilities, chemical and biological facilities, the national defense industry, or population health, large-scale engineering activities, the marine environment, and sensitive geographic information data;

(D) the data includes cybersecurity information including system vulnerabilities and security protection for critical information infrastructure;

(E) personal information and important data provided by critical information infrastructure operators to [parties] outside China;

(F) other data that could affect national security and social and public interests that industry regulators or supervisory departments consider should be assessed.

For areas where the is no clear industry regulator or supervisory department, an assessment shall be organized by national cybersecurity and informatization departments.

Article 10 The security assessment organized by industry regulatory or supervisory departments shall be completed within 60 working days, and feedback on the security assessment shall be provided to the network operator in a timely manner and reported to the national cybersecurity and informatization departments.

Article 11 In any of the following circumstances, data shall not be allowed to leave the country:

(A) personal information leaving China’s borders without the consent of the subject of the personal information, or that may be against the interests of the individual;

(B) there is a risk that the data leaving China’s borders could impact national politics, the economy, S&T, and national defense, and could affect national security and harm social and public interests;

(C) other data that national cybersecurity and informatization departments, public security departments, state security departments, and other relevant departments deem cannot leave China.

Article 12 Network operators should, according to business development and the network operation situation, annually conduct at least once a security assessment of outbound data, ad in a timely manner assess the situation and report to industry regulatory and supervisory departments.

When the data receiver changes, or there is a relatively large change in the destination, scope, quantity, type of data, etc., or a major security incident occurs with the data receiver or outbound data, a new security assessment should be conducted.

Article 13 Any individual or organization shall have the right to report to the relevant cybersecurity and informatization departments, public security department, and other relevant departments any violations of relevant laws and regulations and these Measures in terms of providing data outside of China’s borders.

Article 14 Whoever violates the provisions of these Measures shall be punished in accordance with the relevant laws and regulations.

Article 15 Agreements between the Chinese government and other countries and regions on outbound data shall be carried out in accordance with the provisions of the agreement.

Data involving state secret information shall be handled in accordance with the relevant provisions.

Article 16 Security assessment work for the personal information and important data sent outside China’s borders that was collected and produced by other individuals and organizations within the territory of the People’s Republic of China shall be carried out in accordance with the present Measures.

Article 17 The definitions for the following terms used in the present Measures:

A network operator is the owner of a network, a manager, and a network service provider.

Outbound data refers to personal and important information co9llection and generated by network operators during operations within the territory of the People’s Republic of China, and provided to overseas institutions, organizations, or individuals.

Personal information refers to various types of information recorded by electronic or other means capable of identifying a person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, identity document number, personal biometric information, telephone number and so on. Important data refers to data that is closely related to national security, economic development, and social and public interests, with specific reference to national relevant standards and important data identification guidelines.

Article 18 These Measures shall come into force on the day X of 2017.

Office of the Central Cybersecurity and Informatization Leading Small Group

(Cyberspace Administration of China)

Cybersecurity Coordination Bureau

国家互联网信息办公室关于《个人信息和重要数据出境安全评估办法(征求意见稿)》公开征求意见的通知

为保障个人信息和重要数据安全,维护网络空间主权和国家安全、社会公共利益,促进网络信息依法有序自由流动,依据《中华人民共和国国家安全法》《中华人民共和国网络安全法》等法律法规,我办会同相关部门起草了《个人信息和重要数据出境安全评估办法(征求意见稿)》,现向社会公开征求意见。有关单位和各界人士可以在2017年5月11日前,通过以下方式提出意见:

一、通过信函方式将意见寄至:北京市东城区朝阳门内大街225号国家互联网信息办公室网络安全协调局,邮编:100010,并在信封上注明“征求意见”。

二、通过电子邮件方式发送至:security@cac.gov.cn。

附件:个人信息和重要数据出境安全评估办法(征求意见稿)

国家互联网信息办公室

2017年4月11日

附件

个人信息和重要数据出境安全评估办法

(征求意见稿)

第一条 为保障个人信息和重要数据安全,维护网络空间主权和国家安全、社会公共利益,保护公民、法人和其他组织的合法利益,根据《中华人民共和国国家安全法》《中华人民共和国网络安全法》等法律法规,制定本办法。

第二条 网络运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据,应当在境内存储。因业务需要,确需向境外提供的,应当按照本办法进行安全评估。

第三条 数据出境安全评估应遵循公正、客观、有效的原则,保障个人信息和重要数据安全,促进网络信息依法有序自由流动。

第四条 个人信息出境,应向个人信息主体说明数据出境的目的、范围、内容、接收方及接收方所在的国家或地区,并经其同意。未成年人个人信息出境须经其监护人同意。

第五条 国家网信部门统筹协调数据出境安全评估工作,指导行业主管或监管部门组织开展数据出境安全评估。

第六条 行业主管或监管部门负责本行业数据出境安全评估工作,定期组织开展本行业数据出境安全检查。

第七条 网络运营者应在数据出境前,自行组织对数据出境进行安全评估,并对评估结果负责。

第八条 数据出境安全评估应重点评估以下内容:

(一)数据出境的必要性;

(二)涉及个人信息情况,包括个人信息的数量、范围、类型、敏感程度,以及个人信息主体是否同意其个人信息出境等;

(三)涉及重要数据情况,包括重要数据的数量、范围、类型及其敏感程度等;

(四)数据接收方的安全保护措施、能力和水平,以及所在国家和地区的网络安全环境等;

(五)数据出境及再转移后被泄露、毁损、篡改、滥用等风险;

(六)数据出境及出境数据汇聚可能对国家安全、社会公共利益、个人合法利益带来的风险;

(七)其他需要评估的重要事项。

第九条 出境数据存在以下情况之一的,网络运营者应报请行业主管或监管部门组织安全评估:

(一)含有或累计含有50万人以上的个人信息;

(二)数据量超过1000GB;

(三)包含核设施、化学生物、国防军工、人口健康等领域数据,大型工程活动、海洋环境以及敏感地理信息数据等;

(四)包含关键信息基础设施的系统漏洞、安全防护等网络安全信息;

(五)关键信息基础设施运营者向境外提供个人信息和重要数据;

(六)其他可能影响国家安全和社会公共利益,行业主管或监管部门认为应该评估。

行业主管或监管部门不明确的,由国家网信部门组织评估。

第十条 行业主管或监管部门组织的安全评估,应当于六十个工作日内完成,及时向网络运营者反馈安全评估情况,并报国家网信部门。

第十一条 存在以下情况之一的,数据不得出境:

(一)个人信息出境未经个人信息主体同意,或可能侵害个人利益;

(二)数据出境给国家政治、经济、科技、国防等安全带来风险,可能影响国家安全、损害社会公共利益;

(三)其他经国家网信部门、公安部门、安全部门等有关部门认定不能出境的。

第十二条 网络运营者应根据业务发展和网络运营情况,每年对数据出境至少进行一次安全评估,及时将评估情况报行业主管或监管部门。

当数据接收方出现变更,数据出境目的、范围、数量、类型等发生较大变化,数据接收方或出境数据发生重大安全事件时,应及时重新进行安全评估。

第十三条 对违反相关法律法规和本办法向境外提供数据的行为,任何个人和组织有权向国家网信部门、公安部门等有关部门举报。

第十四条 违反本办法规定的,依照有关法律法规进行处罚。

第十五条 我国政府与其他国家、地区签署的关于数据出境的协议,按照协议的规定执行。
涉及国家秘密信息的按照相关规定执行。

第十六条 其他个人和组织在中华人民共和国境内收集和产生的个人信息和重要数据出境的安全评估工作参照本办法执行。

第十七条 本办法下列用语的含义:

网络运营者,是指网络的所有者、管理者和网络服务提供者。

数据出境,是指网络运营者将在中华人民共和国境内运营中收集和产生的个人信息和重要数据,提供给位于境外的机构、组织、个人。

个人信息,是指以电子或者其他方式记录的能够单独或者与其他信息结合识别自然人个人身份的各种信息,包括但不限于自然人的姓名、出生日期、身份证件号码、个人生物识别信息、住址、电话号码等。

重要数据,是指与国家安全、经济发展,以及社会公共利益密切相关的数据,具体范围参照国家有关标准和重要数据识别指南。

第十八条 本办法自2017年 月 日起实施。

 International Strategy of Cooperation on Cyberspace

Posted on Updated on

This is the official translation of this text, as published by Xinhua

Contents

Preface

Chapter I. Opportunities and Challenges 

Chapter II. Basic Principles

1.The Principle of Peace

2.The Principle of Sovereignty 

3.The Principle of Shared Governance 

4.The Principle of Shared Benefits 

Chapter III. Strategic Goals

1. Safeguarding Sovereignty and Security

2. Developing A System of International Rules

3. Promoting Fair Internet Governance

4. Protecting Legitimate Rights and Interests of Citizens

5. Promoting Cooperation on Digital Economy 

6. Building Platform for Cyber Culture Exchange

Chapter IV. Plan of Action

1. Peace and Stability in Cyberspace 

2. Rule-based Order in Cyberspace 

3. Partnership in Cyberspace 

4. Reform of Global Internet Governance System 

5. International Cooperation on Cyber Terrorism and Cyber Crimes 

6. Protection of Citizens’ Rights and Interests Including Privacy

7. Digital Economy and Sharing of Digital Dividends 

8. Global Information Infrastructure Development and Protection 

9. Exchange of Cyber Cultures 

Conclusion

Preface

Cyberspace is the common space of activities for mankind. The future of cyberspace should be in the hands of all countries. Countries should step up communications, broaden consensus and deepen cooperation to jointly build a community of shared future in cyberspace. 

—Remarks by H.E. Xi Jinping, President of the People’s Republic of China, 2015/12/16

Read the rest of this entry »

Measures for the Security Review of Internet Products and Services (Opinion-seeking Draft)

Posted on Updated on

This translation was kindly provided by Paul Triolo

The Central Cybersecurity and Informatization Leading Group Office, the Central Internet Security and Informatization Leading Group (CCILSG) Office
The People’s Republic of China State Internet Information Office, The State Internet Information Office 

Notice of the  on Public Consultation on the Measures for the Security Review of Internet Products and Services (Opinion-seeking draft)

In order to improve the security and controllability of network products and services, prevent supply chain security risks, and safeguard national security and the public interest, the CCILSG Office has drafted the Measures for the Security Review of Network Products and Services (draft for soliciting opinions ) “, and it is now open to the public for comments The relevant units and people of all walks of life can make comments according to the following procedure, before March 4, 2017. 

First, send comments by letter to: Beijing Dongcheng District, Chaoyang Gate Street 225 State Internet Information Office Cybersecurity Coordination Bureau, Zip Code: 100010, and mark on the envelope “solicited comments.”

Second, by e-mail sento: zhangheng@cac.gov.cn.

Annex: Measures for Network Products and Services Security Review (draft)

State Internet Information Office

February 4, 2017

Measures 
for Network Products and Services Security Review

(Opinion-seeking Draft)

Article 1: The security and controllability of network products and services directly affect the interests of users and the national security. These Measures are formulated in accordance with the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China to improve the security and controllability of network products and services, guard against supply chain safety risks, and safeguard national security and the public interest.

Article 2: Important network products and services that are used by the national security and public interest information systems shall undergo a cybersecurity review.

Article 3: A cybersecurity review of network products and services and their providers shall be carried out, insisting on the combination of enterprise commitment and social supervision, combining third-party evaluation and government supervision, combining laboratory testing, on-site inspection, on-line monitoring, and background investigations.

Article 4: The review shall focuon the the security and controllability of network products and services, including:

(1) the risks of illegal control, interference and interruption of the operation of products and services;

(2) risks in the R&D, delivery, and technical support of products and key components;

(3) risks related to product and services providers utilizing the convenience of providing products and services to engage in illegal collection, storage, handling and utilization of user-related information;

(4) products and service providers taking advantage of users’ reliance on products and services, and carrying out unfair competition or harm to the interests of users;

(5) other risks that may endanger national security and the public interest.

Article 5 The State Internet Information Office, in conjunction with relevant departments, shall set up a Cybersecurity Review Committee to review important policies of the cybersecurity review, organize cybersecurity review work, and coordinate the relevant important issues related to the cybersecurity review.

The Cybersecurity Review Office  shall concretely organize and implement the cybersecurity review.

Article 6: The Cybersecurity Review Committee shall appoint relevant experts to form a Cybersecurity Review Experts Committee to conduct a comprehensive evaluation on the security risks of network products and services and the security and trustworthiness of suppliers on the basis of the third-party evaluation.
Read the rest of this entry »

Opinions concerning Stimulating the Healthy and Orderly Development of the Mobile Internet

Posted on Updated on

Central Committee General Office

State Council General Office

Following the swift development of information network technology and the broad popularization of smart mobile terminals, mobile Internet has, with its prominent advantages of broad availability, connectivity, smartness and universality, powerfully promoted a profound convergence between the Internet and the real economy, it has become a new area for innovative development, a new platform for public services, and a new channel for information sharing. In order to deeply implement General Secretary Xi Jinping’s thinking about the strong cyber power strategy, and stimulate the orderly and healthy development of our country’s mobile Internet, the following opinions are hereby put forward. Read the rest of this entry »

National Cyberspace Security Strategy

Posted on Updated on

The broad application of information technologies and the rise and development of cyberspace has extremely greatly stimulated economic and social flourishing and progress, but at the same time, has also brought new security risks and challenges. Cyberspace security (hereafter named cybersecurity) concerns the common interest of humankind, concerns global peace and development, and concerns the national security of all countries. Safeguarding our country’s cybersecurity is an important measure to move forward the strategic arrangement of comprehensively constructing a moderately prosperous society, comprehensively deepening reform, comprehensively governing the country according to the law, and comprehensively and strictly governing the Party forward in a coordinated manner, and is an important guarantee to realize the “Two Centenaries” struggle objective and realize the Chinese Dream of the great rejuvenation of the Chinese nation. In order to implement Xi Jinping’s “Four Principles” concerning moving forward reform of the global Internet governance system and the “Five Standpoints” on building a community of common destiny in cyberspace, elaborate China’s important standpoints concerning cyberspace development and security, guide China’s cybersecurity work and safeguard the country’s interests in the sovereignty, security and development of cyberspace, this Strategy is formulated.

Read the rest of this entry »

Guiding Opinions concerning Strengthening the Construction of a Personal Sincerity System

Posted on Updated on

State Council General Office

GBF No. (2016)98

All provincial, autonomous region and municipal people’s governments, all State Council ministries and commissions, all directly subordinate bodies:

In order to carry forward the traditional virtue of sincerity, strengthen the sincerity consciousness of members of society, strengthen the construction of a personal sincerity system, praise sincerity and punish trust-breaking, raise the credit levels of the entire society and create a beneficial credit environment, with the approval of the State Council, these Opinions are hereby put forward. Read the rest of this entry »