People’s Republic of China Cyber ​​Security Law

People’s Republic of China Cyber ​​Security Law: This Law is enacted for the purpose of safeguarding network security, safeguarding cyberspace sovereignty and national security, social public interests, protecting the legitimate rights and interests of citizens, legal persons and other organizations, and promoting the healthy development of economic and social information.

People’s Republic of China Cyber ​​Security Law
(Adopted at the 24th meeting of the Standing Committee of the 12th National People’s Congress on November 7, 2016)

Table of Contents

Chapter I General Provisions

Chapter II Network Security Support and Promotion

Chapter III Network Operation Security

Section 1 General Provisions

Section 2 Operational Safety of Critical Information Infrastructure

Chapter IV Network Information Security

Chapter V Monitoring and Early Warning and Emergency Treatment

Chapter VI Legal Liability

Chapter VII Supplementary Provisions

Devider

Chapter I General Provisions

Article 1 This Law is enacted for the purpose of safeguarding network security, safeguarding cyberspace sovereignty and national security, social public interests, protecting the legitimate rights and interests of citizens, legal persons and other organizations, and promoting the healthy development of economic and social information.

Article 2 This Law applies to the construction, operation, maintenance and use of the network within the territory of the People’s Republic of China, as well as the supervision and management of network security.

Article 3 The State adheres to both the development of cybersecurity and informatization, follows the guidelines of active use, scientific development, management according to law, and ensuring security, promotes network infrastructure construction and interconnection, encourages network technology innovation and application, and supports the cultivation of network security talents. Establish and improve the network security system to improve network security protection.

Article 4 The State formulates and continuously improves its network security strategy, clarifies the basic requirements and main objectives for ensuring network security, and proposes network security policies, tasks and measures in key areas.

Article 5 The State adopts measures to monitor, defend and dispose of cybersecurity risks and threats originating inside and outside the People’s Republic of China, protect key information infrastructure from attacks, intrusions, interference and destruction, punish cybercrime and criminal activities in accordance with the law, and maintain networks. Space security and order.

Article 6 The State advocates honest, trustworthy, healthy and civilized network behavior, promotes the dissemination of socialist core values, and takes measures to raise the awareness and level of cybersecurity in the whole society, forming a good environment for the whole society to participate in promoting network security.

Article 7 The State actively carries out international exchanges and cooperation in cyberspace governance, network technology research and development and standards development, combating network crimes, and promotes the construction of a cyberspace of peace, security, openness and cooperation, and establishes a multilateral, democratic and transparent network. Governance system.

Article 8 The national network information department is responsible for coordinating and coordinating network security work and related supervision and management. The competent telecommunications department of the State Council, the public security department and other relevant organs shall be responsible for network security protection and supervision and management within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

The responsibilities of the network security protection and supervision and management of the relevant departments of the local people’s governments at or above the county level shall be determined in accordance with relevant state regulations.

Article 9 Network operators must abide by laws and administrative regulations, respect social ethics, respect business ethics, honor and credit, fulfill their obligations of cybersecurity protection, accept government and social supervision, and assume social responsibilities.

Article 10 To construct or operate a network or provide services through the network, technical measures and other necessary measures shall be taken in accordance with the provisions of laws, administrative regulations and mandatory requirements of national standards to ensure network security and stable operation, and effectively respond to cybersecurity incidents. Prevent network criminal activities and maintain the integrity, confidentiality and availability of network data.

Article 11 Network-related industry organizations shall, in accordance with the Articles of Association, strengthen industry self-discipline, formulate cybersecurity behavior norms, guide members to strengthen network security protection, improve network security protection level, and promote the healthy development of the industry.

Article 12 The State protects the rights of citizens, legal persons and other organizations to use the Internet in accordance with the law, promotes the popularization of network access, enhances the level of network services, provides safe and convenient network services to the society, and guarantees the orderly and free flow of network information.

Any individual or organization using the Internet shall abide by the constitutional laws, abide by public order, respect social ethics, and shall not endanger cybersecurity. It shall not use the network to endanger national security, honour and interests, incite subversion of state power, overthrow the socialist system, and incite secession. Destroy national unity, promote terrorism, extremism, promote national hatred, ethnic discrimination, spread violence, obscene pornographic information, fabricate and disseminate false information to disrupt economic order and social order, and infringe on the reputation, privacy, intellectual property rights and other legitimate rights and interests of others And other activities.

Article 13 The State supports research and development of network products and services conducive to the healthy growth of minors, punishes the use of the Internet to engage in activities that endanger the physical and mental health of minors, and provides a safe and healthy network environment for minors.

Article 14 Any individual or organization has the right to report to the network, telecommunications, public security and other departments for acts that endanger cybersecurity. The department that receives the report shall promptly handle it according to law; if it is not the responsibility of the department, it shall promptly transfer the department that has the right to handle it.

The relevant departments shall keep confidential the relevant information of the reporter and protect the legitimate rights and interests of the informant.

Chapter II Network Security Support and Promotion

Article 15 The State establishes and improves the network security standards system. The State Council’s standardization administrative department and other relevant departments of the State Council shall, in accordance with their respective responsibilities, organize and timely revise national standards and industry standards related to network security management and network products, services and operational safety.

State-supported enterprises, research institutions, institutions of higher learning, and network-related industry organizations participate in the formulation of national standards and industry standards for network security.

Article 16 The State Council and the people’s governments of provinces, autonomous regions and municipalities directly under the Central Government shall make overall plans, increase investment, support key network security technology industries and projects, support the research and development and application of network security technologies, and promote secure and credible network products and services. Protect intellectual property rights of network technologies and support enterprises, research institutions and institutions of higher learning to participate in national cybersecurity technology innovation projects.

Article 17 The State promotes the construction of a network security social service system and encourages relevant enterprises and institutions to carry out security services such as network security certification, testing and risk assessment.

Article 18 The State encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and promotes technological innovation and economic and social development.

The state supports innovative network security management methods and uses network new technologies to improve the level of network security protection.

Article 19 The people’s governments at all levels and their relevant departments shall organize and carry out regular cybersecurity publicity and education, and guide and supervise relevant units to do a good job in cybersecurity publicity and education.

The mass media should be targeted to the society for cybersecurity publicity and education.

Article 20 The State supports enterprises and institutions of higher education, vocational schools and other educational and training institutions to carry out cybersecurity-related education and training, adopt various methods to train cyber security talents, and promote the exchange of cyber security talents.

Chapter III Network Operation Security

Section 1 General Provisions

Article 21 The State implements a network security level protection system. The network operator shall perform the following security protection obligations in accordance with the requirements of the network security level protection system to protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked or stolen or tampered with:

(1) Formulating internal safety management systems and operational procedures, determining the person responsible for network security, and implementing the responsibility for network security protection;

(2) adopting technical measures to prevent computer viruses, network attacks, network intrusions and other network security actions;

(3) adopting technical measures for monitoring and recording network operation status and network security incidents, and retain relevant network logs in accordance with regulations for not less than six months;

(4) taking measures such as data classification, important data backup and encryption;

(5) Other obligations as stipulated by laws and administrative regulations.

Article 22 Network products and services shall comply with the mandatory requirements of relevant national standards. The provider of network products and services shall not set malicious programs; if it discovers that its network products and services are at risk of security defects or loopholes, it shall immediately take remedial measures, notify the users in time and report to the relevant competent authorities in accordance with the regulations.

The provider of network products and services shall continue to provide security maintenance for its products and services; it shall not terminate the provision of security maintenance within the time limit stipulated by the regulations or the parties.

Network products and services have the function of collecting user information, and their providers shall express and obtain consent to the users; if they involve personal information of users, they shall also abide by the provisions of this Law and relevant laws and administrative regulations on the protection of personal information.

Article 23 Network key equipment and network security special products shall be sold or provided in accordance with the mandatory requirements of relevant national standards, after the qualified institutions have passed the safety certification or the safety inspection meets the requirements. The national network information department will work with relevant departments of the State Council to formulate and publish catalogues of key equipment and network security products, and promote mutual recognition of safety certification and safety inspection results to avoid repeated certification and testing.

Article 24 Network operators shall handle network access and domain name registration services for users, handle the procedures for accessing the Internet such as fixed telephones and mobile phones, or provide services such as information distribution and instant messaging for users, and sign agreements or confirm services with users. Users should be required to provide true identity information. If the user does not provide true identity information, the network operator shall not provide related services.

The state implements the network trusted identity strategy, supports the research and development of safe and convenient electronic identity authentication technology, and promotes mutual recognition between different electronic identity authentication.

Article 25 Network operators shall formulate emergency plans for network security incidents, and promptly deal with system vulnerabilities, computer viruses, network attacks, network intrusions and other security risks; in the event of an event that threatens network security, immediately launch an emergency plan and take appropriate measures. Remedial measures and report to the relevant authorities in accordance with the regulations.

Article 26: Carry out activities such as network security certification, testing, risk assessment, etc., and release network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the society, and comply with relevant state regulations.

Article 27 No individual or organization may engage in activities that illegally invade other people’s networks, interfere with the normal functions of other people’s networks, or steal network data and other hazards to network security; it shall not provide special functions for engaging in intrusion into the network, interfering with normal network functions and protective measures, and stealing. Procedures and tools for cyber-security activities such as network data; if you know that others are engaged in activities that endanger network security, you must not provide technical support, advertising promotion, payment settlement, etc.

Article 28 Network operators shall provide technical support and assistance to public security organs and state security organs in safeguarding national security and investigating crimes according to law.

Article 29 The State supports network operators to cooperate in the aspects of network security information collection, analysis, notification and emergency response to improve the security of network operators.

Relevant industry organizations establish and improve the network security protection norms and collaboration mechanisms of the industry, strengthen the analysis and assessment of network security risks, and regularly provide risk warnings to members to support and assist members in responding to network security risks.

Article 30 The information obtained by the network information department and relevant departments in fulfilling their responsibilities for network security protection shall only be used to maintain the needs of network security and shall not be used for other purposes.

Section 2 Operational Safety of Critical Information Infrastructure

Article 31 The State may seriously endanger national security in the fields of public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields, as well as other damages, loss of function or data leakage. The key information infrastructure of the national economy and the people’s livelihood and the public interest shall be protected on the basis of the network security level protection system. The specific scope and security protection measures for key information infrastructure are formulated by the State Council.

The State encourages network operators outside of critical information infrastructure to voluntarily participate in key information infrastructure protection systems.

Article 32 In accordance with the division of responsibilities prescribed by the State Council, the departments responsible for the security protection of key information infrastructures shall separately prepare and organize the implementation of key information infrastructure security plans for the industry and the field, and guide and supervise the security protection of key information infrastructure operations. jobs.

Article 33 The construction of key information infrastructure shall ensure that it has the performance to support stable and continuous operation of the business, and ensure that the safety technical measures are simultaneously planned, synchronized, and used simultaneously.

Article 34 In addition to the provisions of Article 21 of this Law, operators of key information infrastructure shall also perform the following security protection obligations:

(1) Setting up a special safety management agency and the person in charge of safety management, and conducting a safety background review of the person in charge and personnel in key positions;

(2) Conducting network security education, technical training and skills assessment for employees on a regular basis;

(3) Performing disaster recovery backup of important systems and databases;

(4) Formulating emergency plans for cybersecurity incidents and conducting regular drills;

(5) Other obligations as stipulated by laws and administrative regulations.

Article 35 If the operators of key information infrastructure purchase network products and services may affect national security, they shall pass the national security review organized by the national network information department in conjunction with the relevant departments of the State Council.

Article 36 Operators of key information infrastructure purchase network products and services shall sign a security and confidentiality agreement with the provider in accordance with the regulations, and clarify the obligations and responsibilities for security and confidentiality.

Article 37 The personal information and important data collected and generated by the operators of key information infrastructures within the territory of the People’s Republic of China shall be stored in the territory. If it is necessary to provide it abroad for business needs, it shall conduct safety assessment in accordance with the measures formulated by the State Administration of Credit and the relevant departments of the State Council; if there are other provisions in laws and administrative regulations, it shall be in accordance with its provisions.

Article 38 The operator of the key information infrastructure shall, at its own discretion or entrust the network security service organization, conduct at least one test and assessment of the security and possible risks of its network every year, and submit the relevant assessment and assessment measures and improvement measures. The department of critical information infrastructure security protection work.

Article 39 The national network information department shall coordinate and coordinate relevant departments to take the following measures for the security protection of key information infrastructure:

(1) Conducting spot checks on the security risks of key information infrastructures, proposing improvement measures, and entrusting network security service organizations to detect and evaluate the security risks of the network when necessary;

(2) Regularly organize operators of key information infrastructures to conduct network security emergency drills to improve the level of coordination and coordination of network security incidents;

(3) Promoting network security information sharing between relevant departments, operators of key information infrastructure, and relevant research institutions, network security service agencies, etc.;

(4) Providing technical support and assistance for emergency handling of network security incidents and restoration of network functions.

Chapter IV Network Information Security

Article 40 Network operators shall strictly keep confidential the user information they collect and establish and improve the user information protection system.

Article 41 Network operators shall, in the collection and use of personal information, follow the principles of lawfulness, dueness and necessity, publicly collect and use rules, and clearly indicate the purpose, manner and scope of the collection and use of information, with the consent of the collector.

The network operator shall not collect personal information unrelated to the services it provides, and shall not collect or use personal information in violation of laws and administrative regulations and the agreement between the parties, and shall handle the preservation in accordance with the provisions of laws, administrative regulations and agreements with users. Personal information.

Article 42 Network operators shall not disclose, tamper with or damage the personal information they collect; they may not provide personal information to others without the consent of the collector. However, unless it is processed that does not recognize a particular individual and cannot be recovered.

Network operators should take technical measures and other necessary measures to ensure the personal information they collect is safe and prevent information from being leaked, damaged or lost. In the event of the occurrence or possible occurrence of personal information leakage, damage, or loss, remedial measures shall be taken immediately, and the user shall be promptly notified according to the regulations and reported to the relevant competent department.

Article 43: Individuals who discover that a network operator violates laws or administrative regulations or the agreement of both parties to collect and use their personal information have the right to require the network operator to delete their personal information; and discover the individuals whose network operators collect and store. If the information is wrong, you have the right to ask the network operator to correct it. Network operators should take steps to remove or correct them.

Article 44 No individual or organization may steal or otherwise obtain personal information, and may not illegally sell or illegally provide personal information to others.

Article 45 The departments and their staff members who are responsible for the supervision and management of cyber safety in accordance with the law must strictly keep confidential the personal information, privacy and business secrets that are known in the performance of their duties, and must not disclose, sell or illegally provide them to others.

Article 46 Any individual or organization shall be responsible for its use of the Internet, and shall not establish websites or communication groups for the implementation of fraud, the transmission of criminal methods, the production or sale of prohibited articles, controlled items, etc. Web publishing involves the implementation of fraud, the production or sale of prohibited items, controlled items, and other criminal activities.

Article 47 Network operators shall strengthen the management of the information released by their users. If they find any information that is prohibited from being published or transmitted by laws or administrative regulations, they shall immediately stop transmitting the information, take measures such as elimination, and prevent information from spreading and storing. Relevant records and report to the relevant authorities.

Article 48 No electronic information or application software sent by any individual or organization shall be provided with malicious procedures, and shall not contain information that is prohibited from being published or transmitted by laws and administrative regulations.

The electronic information transmission service provider and the application software download service provider shall perform the safety management obligation. If they know that their users have the prescribed behaviors in the preceding paragraph, they shall stop providing services, take measures such as elimination, save relevant records, and report to relevant authorities. report.

Article 49 Network operators shall establish network information security complaints and reporting systems, publish information such as complaints and reporting methods, and promptly accept and handle complaints and reports about network information security.

The network operators shall cooperate with the supervision and inspection of the network information department and relevant departments according to law.

Article 50: The national network information department and relevant departments shall perform the duties of supervision and management of network information security in accordance with law, and shall discover the information that is prohibited from being published or transmitted by laws and administrative regulations, and shall require the network operator to stop transmission, take measures such as elimination and save relevant records. For the above information originating outside the territory of the People’s Republic of China, the relevant agencies shall be notified to take technical measures and other necessary measures to block the spread.

Chapter V Monitoring and Early Warning and Emergency Treatment

Article 51 The State establishes a network security monitoring and early warning and information notification system. The national network information department shall coordinate and coordinate relevant departments to strengthen the collection, analysis and notification of network security information, and uniformly publish network security monitoring and early warning information in accordance with regulations.

Article 52 The department responsible for the security protection of key information infrastructure shall establish and improve the network security monitoring and early warning and information notification system in the industry and in this field, and submit the network security monitoring and early warning information in accordance with regulations.

Article 53 The national network information department shall coordinate relevant departments to establish and improve the network security risk assessment and emergency work mechanism, formulate emergency plans for network security incidents, and organize regular drills.

The department responsible for the security protection of key information infrastructure shall formulate contingency plans for cyber security incidents in this industry and in this field, and organize regular drills.

The cybersecurity incident emergency plan shall classify the network security incident according to the degree of harm and the scope of influence after the incident, and stipulate the corresponding emergency response measures.

Article 54 When the risk of a network security incident increases, the relevant departments of the people’s government at or above the provincial level shall, in accordance with the prescribed authority and procedures, and take the following measures according to the characteristics of the network security risks and the possible harm:

(1) Requiring relevant departments, agencies and personnel to collect and report relevant information in a timely manner, and strengthen monitoring of network security risks;

(2) Organizing relevant departments, agencies and professionals to analyze and evaluate cybersecurity risk information, and predict the probability, scope and extent of the incident;

(3) Issue cybersecurity risk warnings to the society and issue measures to avoid and mitigate the hazards.

Article 55 In the event of a network security incident, an emergency plan for cybersecurity incidents shall be initiated immediately to investigate and evaluate cybersecurity incidents, requiring network operators to take technical measures and other necessary measures to eliminate potential safety hazards, prevent hazards from expanding, and promptly Issue warnings related to the public to the public.

Article 56: In the performance of cyber safety supervision and management duties, the relevant departments of the people’s governments at or above the provincial level may, if they discover that there are major security risks or security incidents in the network, they may follow the prescribed authority and procedures to the legal representatives of the operators of the network. The person or the principal person in charge makes an interview. Network operators should take measures to rectify and eliminate hidden dangers as required.

Article 57 If an emergency or production safety accident occurs due to a network security incident, it shall be disposed of in accordance with the Laws of the People’s Republic of China on Emergency Response, the Law of the People’s Republic of China on Safe Production, and other relevant laws and administrative regulations. .

Article 58. Due to the need to safeguard national security and social public order and deal with major unexpected social security incidents, temporary measures such as restrictions on network communications may be imposed in specific areas upon the decision or approval of the State Council.

Chapter VI Legal Liability

Article 59 If a network operator fails to perform its network security protection obligations as stipulated in Articles 21 and 25 of this Law, the relevant competent department shall order it to make corrections and give warnings; refuse to correct or cause harm to network security and other consequences. A fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed, and the person directly responsible shall be fined not less than 5,000 yuan but not more than 50,000 yuan.

Where the operator of the key information infrastructure fails to perform the network security protection obligations stipulated in Articles 33, 34, 36 and 38 of this Law, the relevant competent department shall order the correction and give a warning. Those who refuse to correct or cause harm to the network security shall be fined not less than 100,000 yuan but not more than 1 million yuan, and fined not less than 10,000 yuan but not more than 100,000 yuan for the directly responsible person in charge.

Article 60 In case of any of the following acts in violation of the provisions of paragraphs 2, 2 and 48 of Article 22 of this Law, the relevant competent department shall order correction and give a warning; refuse to correct Or a fine of not less than 50,000 yuan but not more than 500,000 yuan, or a fine of not less than 10,000 yuan but not more than 100,000 yuan for the directly responsible person in charge:

(1) setting up a malicious program;

(2) failing to take remedial measures immediately on the risks of safety defects and loopholes in its products and services, or failing to inform the users in time and reporting to the relevant competent authorities;

(3) Terminating the provision of security maintenance for its products and services without authorization.

Article 61 If a network operator violates the provisions of the first paragraph of Article 24 of this Law and does not require the user to provide true identity information, or provides relevant services to users who do not provide true identity information, the relevant competent department shall order it to make corrections; If the refusal is not corrected or the circumstances are serious, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed, and the relevant competent department may order it to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license. The competent person in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 62 Anyone who violates the provisions of Article 26 of this Law, conducts network security certification, testing, risk assessment and other activities, or issues system security information such as system vulnerabilities, computer viruses, network attacks, network intrusions, etc. The competent department shall order the correction and give a warning; if it refuses to make corrections or if the circumstances are serious, it shall impose a fine of not less than 10,000 yuan but not more than 100,000 yuan, and may be ordered by the relevant competent department to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or The business license shall be revoked, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than 5,000 yuan but not more than 50,000 yuan.

Article 63: In violation of the provisions of Article 27 of this Law, engage in activities that endanger cybersecurity, or provide procedures or tools specifically for engaging in activities that endanger cybersecurity activities, or provide technical support for others to engage in activities that endanger cybersecurity, If the advertisement promotion, payment settlement and other assistance do not constitute a crime, the public security organ shall confiscate the illegal income and detain it for less than five days, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; if the circumstances are heavier, it shall be more than five days. If you are detained for less than fifteen days, you may be fined between 100,000 yuan and 1 million yuan.

Where the unit has the act of the preceding paragraph, the public security organ shall confiscate the illegal income, impose a fine of not less than 100,000 yuan and less than one million yuan, and impose penalties on the directly responsible person in charge and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

Those who are punished by the provisions of Article 27 of this Law and who are punished by public security management shall not engage in the work of network security management and key positions in network operations within five years; those who are subject to criminal punishment shall not engage in key positions in network security management and network operations for life. jobs.

Article 64: Network operators, providers of network products or services violate the provisions of Articles 23, 3 and 41 to 43 of this Law, and infringe the rights of personal information to be protected according to law. The relevant competent department shall order the correction, and may be fined according to the circumstances of the case or concurrently warning, confiscation of illegal income, and the illegal income of more than one ten times and ten times. If there is no illegal income, a fine of less than one million yuan shall be imposed. The competent person and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan; if the circumstances are serious, they may be ordered to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license.

Violation of the provisions of Article 44 of this Law, stealing or illegally obtaining or illegally selling or illegally providing personal information to others shall not constitute a crime, and the public security organ shall confiscate the illegal income and be more than ten times the illegal income. The following fines, if there is no illegal income, a fine of less than one million yuan.

Article 65 If the operator of a key information infrastructure violates the provisions of Article 35 of this Law and uses network products or services that have not passed the security review or failed the security review, the relevant competent department shall order it to stop using the purchase amount. More than one ten times and ten times less fine; the directly responsible person in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 66 If the operator of a key information infrastructure violates the provisions of Article 37 of this Law and stores network data overseas or provides network data abroad, the relevant competent department shall order it to make corrections, give warnings, and confiscate illegal income. A fine of not less than 50,000 yuan but not more than 500,000 yuan, and may be ordered to suspend related business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license; 10,000 yuan for directly responsible executives and other directly responsible personnel The fine of less than 100,000 yuan.

Article 67: In violation of the provisions of Article 46 of this Law, the establishment of websites or communication groups for the implementation of illegal and criminal activities, or the use of the Internet to publish information concerning the implementation of illegal and criminal activities, does not constitute a crime, the public security organs If he is detained for less than five days, he may be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. If the circumstances are serious, he shall be detained for more than five days and less than fifteen days, and may be imposed a fine of not less than 50,000 yuan but not more than 500,000 yuan. Close websites and communication groups used to implement illegal criminal activities.

Where the unit has the act of the preceding paragraph, the public security organ shall impose a fine of not less than 100,000 yuan but not more than 500,000 yuan, and the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the provisions of the preceding paragraph.

Article 68 If a network operator violates the provisions of Article 47 of this Law and fails to stop transmission of information prohibited by laws or administrative regulations, removes measures such as elimination, and saves relevant records, the relevant competent department shall order it to make corrections. Give warnings, confiscate illegal gains; refuse to correct or serious circumstances, impose a fine of 100,000 yuan but not more than 500,000 yuan, and may order the suspension of related business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license The person directly in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

If the electronic information transmission service provider or the application software download service provider fails to perform the safety management obligations stipulated in the second paragraph of Article 48 of this Law, it shall be punished in accordance with the provisions of the preceding paragraph.

Article 69 If a network operator violates the provisions of this Law and has one of the following acts, the relevant competent department shall order it to make corrections; if it refuses to make corrections or if the circumstances are serious, it shall be directly liable for a fine of not less than 50,000 yuan but not more than 500,000 yuan. The competent person in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

(1) failing to dispose of the transmission or elimination of information that is prohibited by law or administrative regulations from being released or transmitted in accordance with the requirements of the relevant department;

(2) Refusing or obstructing the supervision and inspection carried out by the relevant departments according to law;

(3) Refusing to provide technical support and assistance to public security organs and state security organs.

Article 70 Whoever issues or transmits the second paragraph of Article 12 of this Law and other laws or administrative regulations that are prohibited from being published or transmitted shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 71 If there are illegal acts as provided for in this Law, they shall be credited to the credit file in accordance with the provisions of relevant laws and administrative regulations, and shall be publicized.

Article 72 If the operator of the government agency’s government affairs network fails to perform the network security protection obligations stipulated in this Law, its superior authority or relevant authority shall order it to make corrections; the directly responsible supervisors and other directly responsible personnel shall be given disciplinary sanctions according to law.

Article 73 If the information obtained by the network information department and the relevant department in violation of the provisions of Article 30 of this Law and the information obtained in the performance of the cyber security protection function is used for other purposes, the directly responsible person in charge and other directly responsible personnel shall be given according to law. Disciplinary action.

If the staff of the network information department and relevant departments neglect their duties, abuse their powers, and engage in malpractices for personal gains, if they do not constitute a crime, they shall be punished according to law.

Article 74 Whoever violates the provisions of this Law and causes damage to others shall bear civil liability according to law.

Those who violate the provisions of this Law and constitute violations of public security management shall be given administrative punishments for public security according to law; if they constitute a crime, they shall be investigated for criminal responsibility according to law.

Article 75: If an overseas institution, organization or individual engages in activities such as attack, intrusion, interference or destruction that endanger the key information infrastructure of the People’s Republic of China and causes serious consequences, it shall be investigated for legal responsibility according to law; the public security department of the State Council and relevant departments shall It may be decided to impose frozen property or other necessary sanctions on the institution, organization or individual.

Chapter VII Supplementary Provisions

Article 76 The meanings of the following terms in this Law:

(1) Network refers to a system consisting of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures.

(2) Network security refers to the prevention of attacks, intrusions, interferences, destruction and illegal use of the network and accidents by taking necessary measures to ensure that the network is in a stable and reliable state, and to ensure the integrity and confidentiality of network data. , the ability to usability.

(3) Network operators refer to the owners, managers and network service providers of the network.

(4) Network data refers to various electronic data collected, stored, transmitted, processed and generated through the network.

(5) Personal information refers to various information recorded by electronic or other means that can identify the natural person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information. , address, phone number, etc.

Article 77 The operation and security protection of the network that stores and handles state secret information shall, in addition to complying with this Law, comply with the provisions of secrecy laws and administrative regulations.

Article 78 The security protection of military networks shall be separately prescribed by the Central Military Commission.

Article 79 This Law shall come into force on June 1, 2017.