Provisions on the Security Assessment of Internet-based Information Services with Attribute of Public Opinions or Capable of Social Mobilization

By Marcos Sabio. Last Updated on Sep 10, 2025

Promulgation Authorities: Cyberspace Administration of China, The Ministry of Public Security

Release Date: 2018-11-15

Effective On: 2018-11-30

Chinese Name: 具有舆论属性或社会动员能力的互联网信息服务安全评估规定


Article 1 In order to strengthen the security management of Internet-based information services with attribute of public opinions or capable of social mobilization and the relevant new technologies and new applications, regulate Internet-based information service activities, and safeguard national security, social order and public interests, the present Provisions are developed in accordance with the Cybersecurity Law of the People’s Republic of China, the Administrative Measures on Internet-based Information Services and the Administrative Measures for the Protection of International Networking Security of Computer Information Networks.

Article 2 For the purpose of the present Provisions, the expression “Internet-based information services with attribute of public opinions or capable of social mobilization” shall include the following circumstances:

(1) Providing such information services as BBS, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, online streaming, information sharing and mini programs, etc. or setting up corresponding functions; and

(2) Providing other Internet-based information services that offer channels for expressing public opinions or that are capable of mobilizing the public to carry out specific activities.

Article 3 An Internet-based information service provider shall voluntarily conduct security assessment in accordance with the Provisions and shall be responsible for the assessment results if:

(1) the information services with attribute of public opinions or capable of social mobilization are made available online, or relevant functions are added to the information services;

(2) the use of new technologies and new applications causes major changes in the functional attribute of information services, technical realization methods and basic resource allocations, leading to major changes in the attribute of public opinions or capability of social mobilization;

(3) the significant increase in the scale of its users results in major changes in the attribute of public opinions or capability of social mobilization of information services;

(4) illegal and harmful information has spread, indicating that the existing security measures are insufficient to effectively prevent and control cybersecurity risks; or

(5) there are other circumstances that require a security assessment to be conducted, as notified in writing by the cyberspace administration or the public security organ at the prefecture level or above.

Article 4 An Internet-based information service provider may conduct security assessment by itself or by entrusting a third-party security assessment agency with security assessment.

Article 5 When conducting security assessment, Internet-based information service providers shall comprehensively assess such situations as the legitimacy of information services as well as new applications and new technologies, the effectiveness of implementation of safety measures stipulated by laws, administrative regulations, departmental rules and standards as well as the effectiveness of safety risk prevention and control, with focus on the following contents:

(1) the information about the person-in-charge of security management and information review personnel compatible with the services provided or the establishment of a security management agency;

(2) Users’ authentic identity verification and registration information retention measures;

(3) Retention measures for the log information such as the users’ accounts, operation times, operation types, network source addresses and destination addresses, network source ports and client hardware characteristics, and for the records of information released by users;

(4) Measures for the prevention and disposal of illegal and harmful information in the names, nicknames, profiles, notes and logos of user accounts and communication groups, and the service functions such as information release, forwarding and comments and communication groups as well as the retention measures of relevant records;

(5) Technical measures for the protection of personal information and the prevention of the spread of illegal and harmful information as well as the risks of loss of control of social mobilization functions;

(6) Situations concerning establishing complaint and whistleblowing systems, announcing information such as complaints and reporting methods, and accepting and handling relevant complaints and whistleblowing in a timely manner;

(7) Situations concerning establishing working mechanisms for providing technical and data support and assistance to cyberspace administrations in fulfilling their duties of supervision and management of Internet-based information services; and

(8) Situations concerning the establishment of a working mechanism for providing technical and data support and assistance to public security organs and State security organs in safeguarding State security and investigating and punishing illegal criminal activities.

Article 6 Internet-based information service providers discovering potential safety hazards in the security assessment shall promptly make rectifications until the relevant safety hazards are eliminated. For those that are in compliance with laws, administrative regulations, departmental rules and standards upon security assessment, a security assessment report shall be prepared, with the following contents covered:

(1) Basic information such as functions, service scopes, software and hardware facilities and deployment locations of Internet-based information services and the relevant license and certificate;

(2) Implementation of security management systems and technical measures and the effectiveness of risk prevention and control;

(3) Conclusions of security assessment; and

(4) Other situations that should be explained.

Article 7 Internet-based information service providers shall submit security assessment reports to the local cyberspace administrations or the public security organs at the prefecture level or above through the national Internet security management service platform. For the circumstances prescribed in the first item and the second item of Article 3 hereof, Internet-based information service providers shall submit a security assessment report before the information services, new technologies and new applications are made available online or the relevant functions are added; while for the circumstances as regulated in the third, fourth and fifth items of Article 3 hereof, a security assessment report shall be submitted within 30 working days from the date of occurrence of relevant circumstances.

Article 8 The cyberspace administrations and the public security organs at the prefecture level or above shall review in writing security assessment reports ex officio. If it is found that the contents or items of a security assessment report are missing, or that the security assessment method is obviously improper, the said authorities shall order the Internet-based information service provider concerned to conduct a new assessment within a prescribed time limit.

If it is found that the contents of a security assessment report are unclear, the said authorities may order the Internet-based information service provider concerned to supplement explanations.

Article 9 Cyberspace administrations and public security organs shall, on the basis of the result of the written review of a security assessment report, carry out on-site inspection of the Internet-based information service provider concerned according to their respective duties if they consider necessary. The on-site inspection conducted by cyberspace administrations and public security organs shall be jointly implemented in principle and shall not interfere with the normal business activities of the Internet-based information service provider concerned.

Article 10 For the Internet-based information services that have major safety risks or may affect State security, social order and public interests, the cyberspace administrations and public security organs at the provincial level or above shall organize experts to conduct review and assessment, and may conduct on-site inspections jointly with relevant local departments if necessary.

Article 11 The on-site inspections carried out by cyberspace administrations and public security organs shall be subject to the provisions of relevant laws, administrative regulations and departmental rules.

Article 12 Cyberspace administrations and public security organs shall establish monitoring and management systems, strengthen cyber security risk management and supervise Internet-based information service providers to fulfill their cyber security obligations in accordance with the law. If a provider of Internet-based information services with attribute of public opinions or capable of social mobilization is found to fail to conduct the security assessment in accordance with the Provisions, the cyberspace administration concerned and the public security organ concerned shall notify it to conduct the security assessment in accordance with the Provisions.

Article 13 In the case that the provider of Internet-based information services with attribute of public opinions or capable of social mobilization refuses to carry out the security assessment in accordance with the Provisions, the cyberspace administration or the public security organ concerned shall inform the public of the safety risks of such Internet-based information services through the national Internet security management service platform, and carry out supervision and inspection of such Internet-based information services ex officio. Any illegal acts found out in the inspection shall be dealt with in accordance with the law.

Article 14 Cyberspace administrations shall coordinate the security assessment of the Internet-based information services with attribute of public opinions or capable of social mobilization, and the public security organs shall regularly inform the cyberspace administrations of their security assessment work.

Article 15 Cyberspace administrations, public security organs and their staff members shall keep strictly confidential the State secrets, trade secrets and personal information that they accessed during the performance of their duties, and shall not disclose, sell or illegally provide such information to others.

Article 16 The security assessment of new technologies and new applications for Internet news information services shall be carried out in accordance with the Administrative Provisions for the Security Assessment of New Technologies and New Applications for Internet News Information Services.

Article 17 The Provisions shall come into force as of November 30, 2018.