Explanation of Revisions to the Cybersecurity Law (Draft)

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS --THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.

I. Some Standing Committee members recommended that the content of Article 11 of the draft, regarding the national network security strategy, be moved to the General Provisions section, to clarify its important role. A few Standing Committee members, regions, and departments submitted that State measures to protect network security should be further strengthened so as to better preserve sovereignty in cyberspace and actively respond to domestic and foreign network attacks and destruction; and that content should be added to relevant articles on defending against domestic and foreign threats to network security, protecting the security of critical information infrastructure, punishing online crimes and unlawful activity, preserving order in cyberspace and so forth. The Legal Committee agrees with the above views and recommends making the following revisions to the draft: First, move the content of Draft Article 11 to the General Provisions, and revise it to read: The State formulates and continuously improves a network security strategy, clarifies the fundamental requirements and primary goals of network security, and puts forward network security policies, work tasks, and procedures for key fields (Second Reading Draft Article 4); Second is adding the provision: The State takes measures for monitoring, preventing, and handling network security risks and threats arising both within and without the mainland territory of the People's Republic of China, protects critical information infrastructure against attacks, intrusions, interference and destruction; and punishes unlawful and criminal network activities in accordance with law, preserving cyberspace security and order (Second Reading Draft Article 5).

II. A few Standing Committee members, regions, departments and the public put forward that in order to clean up the network environment and preserve national security and the public interest, conduct using networks should be further regulated, and advocacy of the core socialist values should be emphasized. After researching, the Legal Committee recommends the following revisions to the draft: First, add "promoting dissemination of the core socialist values" to article 4 (Article 6 of the Second Reading Draft). Second is adding that networks must not be used negatively to engage in acts such as "inciting subversion of national sovereignty and the overturn of the socialist system" and "infringing on the reputation, privacy" (paragraph 2 of Article 12 of the Second Reading Draft); and adding provisions to Draft Article 58, saying that publication or dissemination of the content above is to be punished in accordance with relevant law and administrative regulations (Article 67 of the Second Reading Draft).

III. Some Standing Committee members, regions and departments and the public put forward that in order to create a positive environment and order on the networks, network operators' social responsibility should be further strengthened, clarifying the period for which network operators are to keep logs, and their obligation to cooperate with relevant departments in supervision and inspections. After researching, the Legal Committee recommends that the following provisions be added to the draft: First, that network operators must follow laws and administrative regulations, follow social mores and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility (Article 9 of the Second Reading Draft); Second is that network operators must store logs for at least 60 days (paragraph 3 of Article 20 of the Second Reading Draft); and Third is that network operators shall cooperate with relevant departments performing supervision and inspections in accordance with law (paragraph 2 of Article 47 of the Second Reading Draft).

IV. Some Standing Committee members, regions, departments, enterprises and experts put forward that, in order to coordinate the advancement of network security and development, content should be added such as increasing support for promotion of safe and reliable network products, improving systems for network security services, and promoting the use of big data and innovation in network security management methods. After researching, the Legal Committee recommends the following revisions to the draft: First, add "promoting safe and credible network products and services" to article 14 of the Draft (Article 15 of the Second Reading Draft). Second is adding: The State advances the establishment of socialized service systems for network security, encouraging enterprises and institutions to carry out network security certifications, testing, risk assessment and other such services (Article 16 of the Second Reading Draft). Third is adding: The State encourages the development of network data security protections and utilization technologies, advancing the opening of public data resources, and promoting technological innovation, and economic and social development; supports innovative network security management methods and using new network technologies to raise the level of network security protections (Article 17 of the Second Reading Draft). Fourth is adding provisions that the use of big data must process citizens' personal information so that individuals cannot be identified, further clarifying the rules for use of citizens' personal information (paragraph 1 of Article 41 of the Second Reading Draft).

V. Some regions and departments put forward that, in order to strengthen the focus and efficacy of the system for management of online identities, they recommend clarifying that real-name user management is to be used for instant messaging services, and adding content on network identity credibility strategy. After research, the Legal Committee recommends that a provision be added to article 20 of the Draft, that network operators providing users with instant messaging and other such services shall require users to provide their real identity information, and add that the State carries out a network identity credibility strategy to paragraph 2. (Second Reading Draft Article 23)

VI. A few regions, departments, and enterprises put forward that some individuals and organizations casually publish network security information such as system leaks, having a quite large impact on the preservation of network security, which should be regulated. After research, the Legal Committee recommends that a provision be added that: Those carrying out network security certification, testing, risk assessment or other such activities, and publicly publishing network security information such as system leaks, computer viruses, network attacks, or network incursions, shall comply with relevant national provisions. (Second Reading Draft Article 25)

VII. A few places, departments, and enterprises put forward that there was overlap regarding the subjects of management in the Draft's provisions on the critical information infrastructure protection systems and on the tiered network security protection system, and that critical information infrastructure should be given key protection on the foundation of the tiered network security protection system. Some Standing Committee members and departments suggested not enumerating the scope of critical information infrastructure, and having the State Council draft accompanying rules clarifying this. After research, the Legal Committee recommends revising Draft Article 25 to read: The State implements key protection of critical information infrastructure that, if destroyed, losing function or leaking data, might seriously endanger national security, national welfare and the people's livelihood, or the public interest, on the basis of the tiered protection system. The State Council will formulate the specific scope and security protection measures for critical information infrastructure. (Article 29 of the Second Reading Draft)

VIII. Draft Article 31 provides that critical information infrastructure operators shall store citizens' personal information, and other important data gathered and produced during operations, within the mainland territory of China; and where due to business requirements it is truly necessary to store it outside the mainland or provide it outside the mainland, they shall follow provisions to conduct a security assessment. A few departments, enterprises and experts suggested further clarifying that the important data to be stored in the mainland is data collected during the course of business operations in mainland China. Some regions, departments and the public put forward that critical information infrastructure operators' important operations data should be stored in the mainland. After research, the Legal Committee recommends revising the provisions above to read: Citizens' personal information and other important business data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China shall be stored within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State Council to conduct a security assessment. (Article 35 of the Second Reading Draft)

IX. Some enterprises and experts put forward that in protecting critical information infrastructures, network operators should be encouraged to participate in the national critical information infrastructure protection system, promoting network security information sharing between network operators, professional institutes, and relevant government departments, and protecting this information at the same time. After researching, the Legal Committee recommends adding the following provisions: First, the State encourages operators of networks outside the critical information infrastructure to voluntarily participate in the critical information infrastructure protection system (Article 29 of the Second Reading Draft); Second, information obtained by State network information departments and relevant departments during critical information infrastructure protection can only be used as necessary for the protection of network security, and must not be used in other ways (Article 38 of the Second Reading Draft).

X. Some members of the Standing Committee, regions and departments suggested increasing the degree of punishment for conduct endangering network security, and adding punishments such as calling in people for a talk, making records in credit archives, and prohibitions from engaging in certain fields. After researching, the Legal Committee recommends that: First, where networks have a relatively large security risk or the occurrence of a security incident, the relevant departments may call in the legally-designated representative or responsible party for the operator of that network for a talking to in accordance with the scope of authority and procedures provided (Article 54 of the Second Reading Draft); Second, persons who receive public security administrative sanctions or criminal punishments must not take on work in key network security management and network operations positions for their lifetimes (paragraph 3 of Article 61 of the Second Reading Draft); and Third, conduct violating the provisions of this law is recorded in the credit archives and made public in accordance with relevant laws and administrative regulations (Article 68 of the Second Reading Draft).

In addition, some linguistic changes were also made to the draft.
