Cybersecurity Law of the People’s Republic of China

By Todd KuhnsLast Updated on Nov 7, 2016
Cybersecurity Law of the People’s Republic of China

Release Date: 11-07-2016

Source: Cyberspace Administration of China site

Chinese Title: 中华人民共和国网络安全法

Presidential Decree No. 53

Having been adopted at the 24th Session of the Standing Committee of the 12th National People’s Congress of the People’s Republic of China on 7 November 2016, the Cybersecurity Law of the People’s Republic of China is hereby promulgated, effective on 1 June 2017.

Xi Jinping

President of the People’s Republic of China

7 November 2016

Cybersecurity Law of the People’s Republic of China

(Adopted at the 24th Session of the Standing Committee of the 12th People’s Congress on 7 November 2016)

Chapter I General provisions

Article 1 The Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the present Law) is enacted for the purposes of ensuring cybersecurity, secure guarding cyberspace sovereignty, national security and public interests, protecting the legitimate rights and interests of citizens, legal persons and other organizations, and promoting the healthy development of information technology in economic and social sectors.

Article 2 The present Law shall apply to the construction, operation, maintenance and use of the network as well as the supervision and administration of cybersecurity within the territory of the People’s Republic of China.

Article 3 The State attaches equal importance to cybersecurity and the development of information technology, promotes the development of network infrastructures and its interconnectivity, encourages innovation in and application of network technology, supports the cultivation of talents specialized in cybersecurity, establishes and optimizes cybersecurity system, and improve the protection of cybersecurity under the principles of positive use, scientific development, lawful administration and security assurance.

Article 4 The State shall develop and constantly improve cybersecurity strategies, specify primary requirements and objectives for ensuring cybersecurity, and propose cybersecurity policies, tasks and measures for key areas.

Article 5 The State shall take necessary measures to monitor, prevent and deal with cybersecurity risks and threats from both within and outside of the territory of the People’s Republic of China, to protect critical information infrastructure from attacks, intrusions, interference and damage, to impose punishments on unlawful and criminal network activities according to the laws, and to maintain the security and order of cyberspace.

Article 6 The State advocates network practices in a good-faith, trustworthy and civilized manner, promotes dissemination of core socialist values, and adopts measures to raise social awareness of cybersecurity in order to create a sound environment for the promotion of cybersecurity with the participation of the public.

Article 7 The State shall actively carry out international exchange and cooperation in cyberspace governance, network technology R&D and development of standards thereof and network crime crackdown, in order to shape a peaceful, secure, open and cooperative cyberspace and establish a multilateral, democratic and transparent system for network governance.

Article 8 The Cyberspace administration of China (CAC) is responsible for the overall planning and coordination of cybersecurity work and the relevant supervision and administration. The authority in charge of telecommunication, the public security authority and other relevant authorities of the State Council shall, ex officio, take charge of protection, supervision and administration of cybersecurity pursuant to the present Law and applicable laws and administrative regulations.Competent authorities of local people’s governments at county level or above shall take the responsibilities for cybersecurity protection and regulation as stipulated in the relevant regulations of the State.

Article 9 When carrying out business operation and service activities, network operators shall abide by laws and administrative regulations, show respect for social moralities, follow business ethics, and act in good faith. They shall also fulfill the obligation of cybersecurity protection, accept governmental and public supervision, and undertake social responsibilities.

Article 10 To construct and operate a network, or to provide services through a network, technical measures and other necessary measures shall be taken in accordance with laws, administrative regulations and the compulsory requirements set forth in national standards to ensure the secure and stable operation of the network, to effectively cope with cybersecurity events, to prevent criminal activities committed on the network, and to protect the integrity, confidentiality and availability of network data.

Article 11 Cyber-related industry organizations shall intensify self-discipline pursuant to their articles of association. They shall develop codes of conduct to guide their members to strengthen cybersecurity protection, improve cybersecurity protection level and boost the healthy development of relevant industries.

Article 12 The State protects the rights of citizens, legal persons and other organizations to lawfully access network, promotes the popularity of network access, and improves network services, so as to provide the public with secure and convenient network services, and ensure free flow of network information in a lawful and orderly manner.Individuals and organizations using the network shall comply with the Constitution and laws, follow the public order, and show respect for social moralities, and shall neither impair cybersecurity nor engage in activities, by making use of the network, that endanger national security, honor and interests, incite subversion of the state power or overthrow of the socialist system, incite splitting of the country, undermine national unity, advocate terrorism and extremism, ethnic hatred and discrimination, spread violent and pornographic information, fabricate and disseminate false information to disrupt economic and social orders, or infringe upon the reputation, privacy, intellectual property and other legitimate rights and interests of others.

Article 13 The State supports research and development of network products and services conductive to the healthy growth of minors, and punishes activities endangering physical and psychological health of minors pursuant to laws in order to create a safe and healthy network environment for minors.

Article 14 Any individual or organization may blow the whistle on activities that endanger cybersecurity to the Cyberspace administration, telecommunication authority and public security authority, etc. Any such authority that receives a whistleblowing shall handle the case in a timely manner in accordance with the law or, if such whistleblowing is beyond its jurisdiction, promptly refer the case to the authority having jurisdiction.The authority concerned shall keep information on the whistleblower in confidence and protect the legitimate rights and interest of the whistleblower.

Chapter II Support for and Promotion of Cyber Security

Article 15 The State establishes and perfects the system for cybersecurity standards. The competent administrative department of the State Council for standardization and other relevant departments of the State Council shall, ex officio, organize development and make revisions at appropriate time of national and industrial standards regarding cybersecurity administration and network products, services and operation security.The State encourages businesses, research institutes, institutions of higher learning, network-related industry organizations to participate in the formulation of national and industrial standards for cybersecurity.

Article 16 The State Council and the governments of provinces, autonomous regions and the centrally-administered municipalities shall make overall planning and increase inputs to support key industries and projects of cybersecurity technologies, support R&D and application of cybersecurity technologies, promote secure and reliable network products and services, protect the intellectual property right of network technologies, and encourage businesses, research institutes and colleges to engage in national projects of innovation in cybersecurity technologies.

Article 17 The State shall boost the development of a socialized service system for cybersecurity, and encourage related businesses and institutions to provide services such as certification, testing and risk assessment for cybersecurity.

Article 18 The State encourages the development of technologies for network data protection and use, improves the availability of public data resources, and boosts technological innovation and economic and social development.The State supports innovation in cybersecurity administration mode and the use of new network technologies to improve the level of cybersecurity protection.

Article 19 People’s governments at all levels and their departments concerned shall organize regular publicity and education on cybersecurity, and guide and urge organizations concerned to effectively carry out such activities on cybersecurity. The mass media shall carry out publicity and education on cybersecurity targeting at the public.

Article 20 The State encourages businesses, institutions of higher learning, vocational schools and related education and training bodies to carry out educational and training activities regarding cybersecurity, to foster cybersecurity professionals in various means, and to promote the exchange among those professionals.

Chapter III Security of Network Operation

Section 1 General provisions

Article 21 The State adopts graded system for cybersecurity protection, under which network operators are required to perform the following obligations of security protection to ensure that the network is free from interference, disruption or unauthorized access, and prevent network data from being disclosed, stolen or tampered:

1. Formulating internal security management systems and operation instructions to determine the person in charge of cybersecurity and define accountabilities for cybersecurity;

2. Taking technical measures to prevent computer virus, network attacks, network intrusions and other activities that endanger cybersecurity;

3. Taking technical measures to monitor and record network operation and cybersecurity events, and maintaining the cyber-related logs for no less than six months as required;

4. Taking such measures as data classification, and backup and encryption of important data, etc.; and

5. Performing other obligations provided for in relevant laws and administrative regulations.

Article 22 Network products and services shall satisfy the mandatory requirements set forth in applicable national standards. Any provider of network products or services shall not install malwares. For any risk such as security defect or bug that is found, the provider concerned shall, as required, immediately take remedial actions, inform the users of the said risk, and report the case to the competent authority.A provider of network products or services shall also provide consistent security maintenance for its products or services. Such maintenance shall not be discontinued within the prescribed term or the term agreed upon by the parties thereto.

A provider of network products or services shall expressly notify and obtain consent of the users if the products or services collect user information; and if personal information of users are involved, the provider shall also comply with provisions of the present Law and the relevant laws and administrative regulations governing protection of personal information.

Article 23 Under the compulsory requirements set forth in national standards, critical network equipment and special-purpose cybersecurity products shall not be sold or supplied until such equipment or product successfully passes security certification or security tests by a qualified organization. CAC shall work with departments concerned of the State Council to formulate and release a catalogue of critical network equipment and special-purpose cybersecurity products, and promote mutual recognition of security certificate and security test results for the avoidance of repeated certification and tests.

Article 24 Network operators shall require the users to provide their real identity information when signing agreements or confirmations on the provision of such services as network access, domain name registration, fixed phone and mobile phone network access, or information release and instant communication. In case that a user does not provide his/her real identity information, no network operator may provide related services for the user.The State implements the strategy of trusted identity in cyberspace, supports R&D of secure and convenient technologies for E-identity authentication, and promotes mutual recognition among various E-identity authentications.

Article 25 Network operators shall develop an emergency plan for cybersecurity events to promptly respond to such security risks as system bug, computer virus, network attacks and intrusions. For an event that threatens cybersecurity, the operator concerned shall forthwith initiate the emergency plan, take corresponding remedial actions, and report as required such event to competent authority concerned.

Article 26 Activities such as cybersecurity authentication, testing, and risk assessment, and releasing of cybersecurity information such as system bug, computer virus, network attacks and intrusions shall be carried out in compliance with applicable regulations of the State.

Article 27 No individual or organization may engage in activities that threaten cybersecurity such as unlawful intrusion into others’ networks, interfering with the normal functions of others’ network and stealing network data, provide programs or tools for such intrusions, interference or stealing, or provide any assistance such as technical support, advertisement, payment or settlement for any other person if the individual or organization is fully aware that such person engages in an activity endangering cybersecurity.

Article 28 Network operators shall provide public security organs and national security authorities with technical support and assistance in their attempts to safeguard national security and investigate into crimes.

Article 29 The State supports the cooperation among network operators in collection, analysis and notification of cybersecurity information and emergency response, in order to improve their capability for cybersecurity protection.The relevant industry organizations shall establish and perfect respective cybersecurity rules and coordination mechanisms, intensify the analysis and assessment on cybersecurity risks, regularly give risk warnings to their members, and support and assist their members in coping with cybersecurity risks.

Article 30 The cyberspace administration and authorities concerned shall use the information accessed in performance of their duties for cybersecurity protection only and not for any other purpose.

Section 2 Operation Security of Critical information infrastructure

Article 31 For critical information infrastructure in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests, the State shall give them extra protection on the basis of the graded system for cybersecurity protection. The specific scope and security measures for critical information infrastructure hall be developed by the State Council.The State encourages network operators not engaged in critical information infrastructure to voluntarily participate in the protection system for critical information infrastructure.

Article 32 In conformity with respective duties assigned by the State Council, the authorities in charge of the security protection of critical information infrastructure shall formulate and organize to implement the plans for the critical information infrastructure of specific industries/sectors within their respective jurisdiction, and guide and oversee the operation security protection of such critical information infrastructure.

Article 33 A critical information infrastructure shall be developed with the capacity to support the steady and continuous business operation, and technical security measures shall be planned, established and put into use simultaneously.

Article 34 In addition to those provided in Article 20 hereof, the operator of a critical information infrastructure shall also fulfill obligations of security protection as follows:1. Set up a dedicated security management body and designate a person in charge, and review the security backgrounds of the said person and those in key positions;

2. Provide practitioners with regular cybersecurity education, technical training and skill assessment;

3. Make disaster recovery backup of important systems and databases;

4. Work out an emergency plan for cybersecurity events and carry out drills regularly; and

5. Perform other obligations provided for in relevant laws and administrative regulations.

Article 35 Any purchase of network products and services by the operator of critical information infrastructure that may threaten the national security is subject to the national security review conducted by the CAC together with competent departments of the State Council.

Article 36 The operator of a critical information infrastructure shall, in purchase of network products and services, enter into an agreement with the product/service provider in which obligations and responsibilities of security and confidentiality shall be specified.

Article 37 The operator of a critical information infrastructure shall store within the territory of the People’s Republic of China personal information and important data collected and generated during its operation within the territory of the People’s Republic of China. Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations, in which such laws and administrative regulations shall prevail.

Article 38 The operator of a critical information infrastructure shall conduct, by itself or entrusting a cybersecurity service provider, examination and assessment of its cybersecurity and potential risks at least once a year, and submit the examination and assessment results as well as improvement measures to the competent authorities in charge of the security of the critical information infrastructure .

Article 39 The CAC shall make an overall plan and coordinate competent authorities to take the following measures for the security of a critical information infrastructure:1. Carrying out random security risk examination of the critical information infrastructure followed by improvement measures and, if necessary, authorizing a cybersecurity service provider to conduct examination and assessment on cybersecurity risks;

2. Regularly organizing cybersecurity emergency response drills for the operator of the critical information infrastructure to improve its abilities to cope with cybersecurity events and coordinate with each other;

3. Promoting cybersecurity information sharing among the competent authorities, the operator of the critical information infrastructure , relevant research institutes and the cybersecurity service providers; and

4. Providing technical support and assistance regarding emergency response to cybersecurity events and recovery of network functions.

Chapter IV Network Information Security

Article 40 Network operators shall keep the user information that they have collected in strict confidence, and shall establish and improve the system for user information protection.

Article 41 Network operators shall abide by the “lawful, justifiable and necessary” principles to collect and use personal information by announcing rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected.No network operator may collect any personal information that is not related to the services it provides. It shall collect and use, and process and store personal the information in the light of laws and administrative regulations and agreement with the users.

Article 42 No network operator may disclose, tamper with or destroy personal information that it has collected, or disclose such information to others without prior consent of the person whose personal information has been collected, unless such information has been processed to prevent specific person from being identified and such information from being restored. .A network operator shall take technical and other necessary measures to ensure the security of personal information it collects, and to protect such information from disclosure, damage or loss. In case of disclosure, damage or loss of, or possible disclosure, damage or loss of such information, the network operator shall take immediate remedies, notify the users in accordance with the relevant provisions, and report to competent authority.

Article 43 Each individual is entitled to require a network operator to delete his or her personal information if he or she founds that collection and use of such information by such operator violate the laws, administrative regulations or the agreement by and between such operator and him or her; and is entitled to require any network operator to make corrections if he or she founds errors in such information collected and stored by such operator. Such operator shall take measures to delete the information or correct the error.

Article 44 No individual or organization may steal or otherwise unlawfully obtain any personal information, or sell or unlawfully provide any personal information to others.

Article 45 Authorities legitimately bearing regulatory responsibilities for cybersecurity and their staff members must carefully keep the strict confidentiality of any and all personal information, privacy and business secrets obtained in their performance of duties. They shall not disclose, sell or unlawfully provide such information to others.

Article 46 Any individual or organization is responsible for his/its use of network, and shall neither establish any website or online communication group for the purpose of conducting fraud, transmitting criminal methods, making or selling prohibited or controlled items, or conducting other illegal criminal activities nor utilize the network to release information involving implementation of fraud, making or sales of prohibited or controlled items, and any other illegal criminal activity.

Article 47 A network operator shall strengthen the management of the information released by its users. If it founds any information that is prohibited by laws and administrative regulations from release or transmission, it shall immediately cease transmission of such information, and take measures such as deletion to prevent dissemination of such information. The operator shall also keep relevant record, and report the case to the competent authority.

Article 48 Electronic information sent and applications provided by any individual and organization shall be free of malwares and information that are prohibited by laws and administrative regulations from release or transmission.Providers of electronic information transmission service and application download service shall assume the obligations of security management. If any such provider becomes aware that its user engages in any act mentioned in the preceding paragraph, such provider shall immediately stop providing such service, take measures such as deletion, keep the record, and report to competent authority.

Article 49 A network operator shall establish network information security complaint and reporting mechanisms, and shall release the complaint and reporting channels to promptly accept and settle complaints and reports concerning network information security.Network operators shall cooperate with the Cyberspace administration and any other competent authority in their lawful inspections and supervisions.

Article 50 The CAC and competent authorities of the State shall perform their regulatory responsibilities for network information security. If any information prohibited by laws and administrative regulations from release or transmission is found, they shall require the network operator to stop the transmission of such information, take measures such as deletion and keep the records. If any such information is from outside of the territory of the People’s Republic of China, they shall notify competent organs to take technical and other necessary measures to block transmission of such information.

Chapter V Monitoring, Early Warning and Emergency Response

Article 51 The State shall establish cybersecurity monitoring and early warning mechanism and information reporting mechanism. The CAC shall make overall planning and coordinate competent authorities in strengthening collection, analysis and reporting of cybersecurity information, and release cybersecurity monitoring & warning information pursuant to the relevant regulations.

Article 52 The authorities in charge of protection of critical information infrastructure shall establish and perfect the cybersecurity monitoring and early warning mechanism and information reporting mechanism for specific industries/sectors within their respective jurisdiction, and shall report cybersecurity monitoring and early warning information according to applicable regulations.

Article 53 The CAC shall coordinate competent authorities in establishing and perfecting the mechanisms of cybersecurity risk assessment and emergency response, develop emergency plans for cybersecurity events and carry out drills in a regular manner.The authorities in charge of the security protection of critical information infrastructure shall develop emergency plans for cybersecurity events for specific industries/sectors within their respective jurisdiction, and organize drills in a regular manner.

Such plans shall classify cybersecurity events based on their possible severity and impact, and shall prescribe corresponding emergency response measures.

Article 54 In case of increasing risk of cybersecurity events, governments at provincial level and above shall take the following measures according to their jurisdictions and prescribed procedures, and based on the characteristics and possible damages of such risks:1. Requiring authorities, organs and personnel concerned to promptly collect and report necessary information and intensify monitoring of cybersecurity risks;

2. Organizing authorities, organs and professionals concerned to analyze and evaluate cybersecurity risks, and estimate the possibility, impact and severity of occurrence of event; and

3. Give a warning to the public about cybersecurity risks and release prevention and mitigation measures.

Article 55 For a cybersecurity event, the emergency plan shall be immediately activated to investigate and assess the event, and the network operator concerned is required to take technical and necessary measures to eliminate security risks and prevent spread of hazard. The relevant warning information shall be made available to the public.

Article 56 In the event that a network is found of material security risk or that security event occurs to the network in performance of their duties of cybersecurity supervision and administration, competent authorities of the governments at provincial level and above may, pursuant to prescribed jurisdictions and procedures, interview with the legal representative or responsible person of operator of such network. Such operator shall take necessary measures for rectification and elimination of potential risks as required.

Article 57 For emergency events or production security accidents resulting from cybersecurity events, the Emergency Response Law of the People’s Republic of China, the Law of the People’s Republic of China on Work Security and other relevant laws and administrative regulations shall apply.

Article 58 Such temporary measures as network communication restriction in specific areas may be taken following the decision of or approval by the State Council, for the purpose of secure guarding national security, maintaining public order, and dealing with significant social security emergencies.

Article 59 Where a network operator fails to fulfill obligation of cybersecurity protection set out in Articles 21 and 25 hereof, the competent authority shall warn such operator and order it to make rectifications. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on such operator if it refuses to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 5,000 to 50,000 yuan shall be imposed on the supervisor directly in charge. Where an operator of critical information infrastructure fails to fulfill obligation of cybersecurity protection set out in Articles 33, 34, 36 and 38 hereof, the competent authority shall warn such operator and order it to make rectifications. A fine ranging from 100,000 yuan to 1 million yuan shall be imposed on such operator if it refuses to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge.

Article 60 For any of the following activities violating Paragraph 1, Article 22, Paragraph 2, Article 22 or Paragraph 1, Article 48 hereof, the competent authority shall give a warning and an order of rectification. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge:1. Providing malicious programs in the network;

2. Failure to promptly notify the user of risks such as defects or bugs of its products and/or services and to make remedies, or to report to competent authorities pursuant to regulations; and

3. Ceasing provision of security maintenance for its products and/or services without prior consent.

Article 61 Where a network operator, in violation of Paragraph 1, Article 24 hereof, fails to require users to provide true identity information, provide services to users who fail to provide their true identity information, the competent authority shall order such operator to make rectifications. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or of severe circumstance, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be imposed by competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons.

Article 62 Where a network operator, in violation of Article 26 hereof, fails to conduct cybersecurity authentication, test, risk assessment, and release of cybersecurity information such as system bugs, computer virus, network attack and intrusion, the competent authority shall warn such operator and order it to make rectifications. A fine of ranging from 10,000 yuan to 100,000 yuan shall be imposed in case of refusal to make rectifications or severe circumstance, and further penalties such as suspension of related business, winding up for rectification, close of website, and revocation of business license may be imposed by the competent authority. A fine ranging from 5,000 yuan to 50,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons.

Article 63 Violation of Article 27 hereof by engaging in any activity that threatens cybersecurity, or providing programs or tools for such activity or providing such assistance in any activity conducted by any other person that endangers cybersecurity as technical support, advertisement, payment or settlement but not constituting a crime shall be subject to confiscation of illegal earnings and detention of less than 5 days by the public security authority and a fine ranging from 50,000 yuan to 500,000 yuan. Severe violation in this regard shall be subject to a detention of above 5 days but below 15 days and a fine ranging from 100,000 yuan to 1 million yuan.Any organization the conduct mentioned in the preceding paragraph shall be subject to confiscation of illegal earnings by the public security authority and a fine ranging from 100,000 yuan to 1 million yuan. The supervisor directly in charge and other directly liable persons shall be subject to penalty prescribed in the preceding paragraph.

Any person who violates Article 27 hereof and receives public security administrative punishment shall not be allowed to hold key posts of cybersecurity and network operation for 5 years, and any such person who receives criminal punishment shall not be allowed to hold key posts of cybersecurity and network operation for his/her lifetime.

Article 64 For any network operator or provider of network products or services violating the Paragraph 3,Article 22 and Articles 41 through 43 hereof by infringing upon any right in personal information that is legally protected, the competent authority shall order such operator or provider to make rectification and such operator or provider may be subject to one or combination of the following actions, depending on the severity of the circumstance: warning, confiscation of illegal earnings, a fine equivalent to more than 1 but less than 10 times the illegal earnings, or a fine less than 1million yuan and the supervisor directly in charge and other directly liable persons subject to a fine ranging from 10,000 yuan to 100,000 yuan if there is no illegal earnings. In case of severe violation, the competent authority may order suspension of related business, winding up for rectification, shutdown of website, and revocation of business license of such operator or provider.Violation of Article 44 by stealing or otherwise unlawfully obtaining any personal information, or selling or unlawfully providing such information to others but not constituting a crime shall be subject to confiscation of illegal earnings by the public security authority and a concurrent fine equivalent to more than 1 but less than 10 times the illegal earnings or a fine less than 1 million yuan if there is no illegal earnings.

Article 65 An operator of critical information infrastructure violating Article 35 by using products and/or services which have not undergo or have failed in the security review shall be ordered by the competent authority to stop such use and shall be subject to a fine equivalent to more than 1 but less than 10 times the purchase price, and the supervisor directly in charge and other directly liable persons shall be subject to a fine of ranging from 10,000 yuan to 100,000 yuan.

Article 66 An operator of critical information infrastructure violating Article 37 hereof by storing or providing network data out abroad shall be warned and ordered by the competent authority to make rectifications, and shall be subject to confiscation of illegal earnings and a fine ranging from 50,000 yuan to 500,000 yuan, and may be subject to suspension of related business, winding up for rectification, shutdown of website, and revocation of business license, and the supervisor directly in charge and other directly liable persons shall be subject to a fine ranging from 10,000 yuan to 100,000 yuan.

Article 67 In the event that any individual or organization, in violation of Article 46 hereof, establishes a website or online communication group for the purpose of committing unlawful and criminal activities, or utilizes the network to release information involving implementation of such activities, but such violation does not constitute a crime, such individual or organization shall be subject to detention of less than 5 days by the public security authority and a fine ranging from 10,000 yuan to 100,000 yuan. Severe violation in this regard shall be subject to a detention of more than 5 days but less than 15 days and a concurrent fine ranging from 50,000 yuan to 500,000 yuan. The website or online communication group involved in the violation shall be closed.Those units with the conduct mentioned in the preceding paragraph shall be subject to a fine ranging from 100,000 yuan to 500,000 yuan by the public security authority. The supervisor directly in charge and other directly liable persons shall be subject to penalty prescribed in the preceding paragraph.

Article 68 In the event that a network operator, in violation of Article 47 hereof, fails to take such measures as ceasing transmission or removal of such information prohibited by appropriate laws or administrative regulations, or keep record of relevant information, the competent authority shall warn such operator and order it to make rectifications, and shall confiscate its illegal earnings. A fine of ranging from100, 000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or severe violations, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be concurrently imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons.Providers of electronic information transmission and application download services who fail to perform the obligations prescribed in the Paragraph 2, Article 48 hereof shall be subject to penalty prescribed in the preceding paragraph.

Article 69 Network operators violating provisions of the present Law by any of the following acts shall be warned and ordered by the competent authority to make rectifications. A fine of ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or severe violations and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons.1. Failing to, as required by the authority concerned, take such measures as ceasing transmission or removal of such information prohibited by appropriate laws or administrative regulations;

2. Refusing or impeding supervisions and/or inspections conducted by the competent authority pursuant to law; and

3. Refusing to provide technical support and/or assistance to the public security and national security authorities.

Article 70 Release or transmission of the information prohibited by Paragraph 2, Article 12 hereof and applicable laws and administrative regulations shall be subject to penalties pursuant to applicable laws and administrative regulations.

Article 71 Any violation of the present Law shall be recorded in creditability archives and made public pursuant to applicable laws and administrative regulations.

Article 72 The operator of the government network of a state organ who fail to perform its cybersecurity protection obligations prescribed herein shall be ordered by its superior or the authority concerned to make rectifications, and the supervisor directly in charge and other directly liable persons shall be subject to disciplinary actions pursuant to the laws.

Article 73 Where Cyberspace administration or any authority concerned violates Article 30 hereof by using any information accessed in performance of its duty of cybersecurity protection for any other purpose, the supervisor directly in charge and other directly liable persons shall be subject to disciplinary actions pursuant to the laws.Any staff members of Cyberspace administration and any authority concerned who commits neglect of duty, abuse of authority and malpractices for personal gains which do not constitute crimes shall be subject to disciplinary actions pursuant to the laws.

Article 74 In case of violation of the present Law and any harm caused to others, the civil liability shall be borne pursuant to the laws.Any violations of the present Law which constitutes violation of public security regulations shall be subject to public security administrative penalties, and violations constituting crimes shall be subject to investigations on criminal liabilities.

Article 75 In the event that any overseas establishment, organization or individual engages in any activity that endangers critical information infrastructure of the People’s Republic of China by attack, intrusion, interference, or damage, and that such activity causes severe consequence, such establishment, organization or individual shall be investigated for legal liability according to law; and the public security authority and any other authority concerned of the State Council may decide to freeze properties involved and take other necessary sanction actions against such establishment, organization or individual.

Chapter VII Supplementary Provisions

Article 76 For the purpose of the present Law, the following terms shall have the meaning as follows:

1. Network refers to the system comprising computers or other information terminals and equipment that collects, stores, transmits, exchanges and processes information under specific rules and procedures.

2. Cybersecurity refers to the ability to prevent network from attack, intrusion, interference, damage, unauthorized use and accidents through necessary measures, in order to maintain the stable and reliable operation of network and safeguard the integrity, confidentiality and usability of network data.

3. A network operator refers to the owner or manager of a network or the provider of a network service.

4. Network data refer to various electronic data collected, stored, transmitted, processed and generated through network.

5. Personal information refers to various information which is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person, including but not limited to name, date of birth, ID number, personal biological identification information, address and telephone number of the natural person.

Article 77 Operation security of networks that store and process confidential information of the State shall comply with, in addition to the present Law, applicable laws and administrative regulations on confidentiality.

Article 78 Rules for security protection of military networks shall be otherwise developed by the Central Military Commission.

Article 79 The present Law shall become effective as of 1 June 2017.