Explanation on the Cybersecurity Law of the People's Republic of China (Draft)

Explanation on the Cybersecurity Law of the People's Republic of China (Draft)

I. On the Need for This Law and its Drafting Process

At Present, network and information technology are developing at a rapid pace, and have already deeply integrated with all aspects of our country's economy and society, immensely changing and impacting people's social activity and lifestyles; while promoting technological innovation, economic development, cultural prosperity and social improvement, network security issues are also increasingly prominent. First, unlawful activities like network intrusions and network attacks seriously threaten the information infrastructure in important fields such as telecommunications, energy, transportation, and finance as well as military national defense and administrative management; new technologies and applications such as cloud computing, big data and the internet of things face an even more complicated network security environment. Second, illegal activities such as illegally obtaining or leaking, and even selling of citizens' personal information, insulting and defaming others, and violating intellectual property rights, happen occasionally, seriously harming citizens, legal persons, and other organizations' lawful rights and interests. Third is using the networks to broadcast or disseminate unlawful information such as that advocating terrorism and extremism, inciting subversion of state power or the overthrow of the socialist system, as well as pornography; seriously threatening national security and societal public interest. Network security has already become an important issue connected to national security and development, related to the vital interests of the the masses.

Since the 18th National Party Congress, the Party Central Committee with Comrade Xi Jinping as general secretary, with the overall national security outlook as the starting place, has proposed a series of new ideas and viewpoints on network security issues, and made important deployments to strengthen national network security efforts. The decision of the fourth plenary session of the Eighteenth Party Congress requires the perfection of laws and regulations on network security safeguards. The masses pay close attention to network security, and vehemently call for strengthening the governance of cyberspace in accordance with law, regulating the order of Internet information transmission, punishing internet crimes and illegality, and bringing light to cyberspace. Delegates of the National People's Congress also submitted many comments and suggestions, calling for legislation on network security to be put forth. So as to adjust to the new situation and new tasks on national network security work, to put in place the requirements of the Party Central Committee, to respond to the expectations of the people, this session of the National People's Congress placed formulating network security legislation on the legislative agenda and annual legislation plan. Chairman Zhang Dejiang, Vice-Chairman Li Jianguo and other leading comrades of the Standing Committee have given important instruction on the issue of network security legislation several times, asking that "a firm grip be taken on debating the evidence, creating a draft, and putting legislation forward"

On the basis of the the Party Central Committee's requirements and the Standing Committee of the National People's Congress' work arrangements, in the first half of 2014, the Legislative Affairs Commission formed a special team to launch research and drafting efforts on the Cybersecurity Law. 通过召开座谈会、论证会等多种方式听取中央有关部门，银行、证券、电力等重要信息系统运营机构，一些网络设备制造企业、互联网服务企业、网络安全企业，有关信息技术和法律专家的意见，并到北京、浙江、广东等一些地方调研，深入了解网络安全领域存在的突出问题，掌握各方面的立法需求。 在此基础上，先后提出了网络安全立法的基本思路、制度框架和草案初稿，会同中央网信办与工业和信息化部、公安部、国务院法制办等部门多次交换意见，反复研究，提出了网络安全法草案征求意见稿。 经同中央国安办、中央网信办共同商量，再次征求了有关部门的意见，作了进一步完善，形成了网络安全法草案。

II. Several Points on the Guiding Ideology and Understanding of the Legistalation

The guiding ideology of the Cybersecurity law is: adhereing to the overall national security perspective as guidance, comprehensively putting in place the stategy and deployments of the 18th Party Congress's third and fourth plenary sessions; persisting in the directive of active use, scientific development, and administration in accordance with law to ensure security; fully bringing into play the roles of guidance and promotion, addressing the prominent issues faced by our nation in the area of network security, increasing capacity to safeguard network security and grasp the initiative in cyberspace management and rule formulation, truly preserving soverignty and security in cyberspace and the development of interests.

Accordingly, the draft efforts grasped the following points:

First, Persist in Proceeding from the National Conditions. Based on the challenging network security situation faced by our nation and the current status of network legislation, fully summarize the experience of network security efforts in recent years and set up a basic institutional framework for safeguarding network security. Focus on making systemic security arrangements for the network itself, and at the same time make regulatory provisions relevant to information content, and establishing and improving systems embodying Chinese characteristics from aspects such as network equipment and facility security, network operations security, network data security and network information security; and pay attention to adopting the experience of relevant nations, and according principle systems with internation practice, as well as treating domestic and foreign enterprises the same, and not conducting differential treatment.

Second,persist in being problem oriented. This law is the basic law on administration of network security, primarily directed at prominent issues in practice, affirming some mature good practices of recent years as part of the system to provide practical legal assurances for network security efforts. Principle-type provisions are made for a few institutional arrangements that are truly necessary but where practical experience is lacking, and at the same time emphasis is placed on the interface with existing laws and regulations, and a opening is preserved for connecting to accompanying legal measures that need to be drafted.

Third, persist in equally emphasizing national security and development. Preservation of network security must persist in the the directives of active use, scientific development, administration in accordance with law, and assuring security; taking care of the relationship to informatization so that they are coordinated together and go hand in hand. A positive environment is developed and provided through safeguarding security, and even as this law emphasizes standardizing the network security system, attention is paid to protecting the lawful rights and interests of all kinds of network entities; assuring the lawful, orderly and free movement of network information; and promoting innovation in network technology and the sustainable healthy development of informatization.

III. On the Principal content of the Draft

The Draft has a total of 7 Chapters and 68 articles. Principle Content Includes:

(1) On preserving network sovereignty and strategic planning

Network sovereignty is the manifestation and extension of national sovereignty into cyberspace, the principle of network sovereignty is an important principle upheld in our nation's protection of national security and interests, participating in international network governance and cooperation. Therefore, the Draft puts "preserving cyberspace sovereignty and national security" as a legislative purpose, providing" This law applies with respect to the construction, operation, maintenance and usage of the internet, as well as the management of internet supervision within the borders of the People's Republic of China.(Draft article 2). At the same time, in accordance with the principle of placing equal emphasis on security and development, a special chapter is established on the national network security strategy and network security plans for important fields, to make provisions for support measures promoting network security. (Draft Chapter II)

(2) On ensuring the security of network products and services.

Preservation of network security, first requires safeguarding the security network products and services. The draft primarily makes the following provisions: Fist is clarifying the security duties of providers of network product and services, including: not installing malicious applications, promptly informing users of security risks such as flaws and holes, and continuously providing security maintenance services and so forth (Draft Article 18). 二是，总结实践经验，将网络关键设备和网络安全专用产品的安全认证和安全检测制度上升为法律并作了必要的规范（草案第十九条）。 三是，建立关键信息基础设施运营者采购网络产品、服务的安全审查制度，规定：关键信息基础设施的运营者采购网络产品或者服务，可能影响国家安全的，应当通过国家网信部门会同国务院有关部门组织的安全审查（草案第三十条）。

(3) On the protection of network security

Safeguarding network operations security, must carry out responsibility of network operators. 据此，草案将现行的网络安全等级保护制度上升为法律，要求网络运营者按照网络安全等级保护制度的要求，采取相应的管理措施和技术防范等措施，履行相应的网络安全保护义务。 (Draft Article 17)

为了保障关键信息基础设施安全，维护国家安全、经济安全和保障民生，草案设专节对关键信息基础设施的运行安全作了规定，实行重点保护。 范围包括基础信息网络、重要行业和领域的重要信息系统、军事网络、重要政务网络、用户数量众多的商业网络等。 并对关键信息基础设施安全保护办法的制定、负责安全保护工作的部门、运营者的安全保护义务、有关部门的监督和支持等作了规定。 （草案第二十五条至第二十九条、第三十二条、第三十三条）

(4) On the protection of network data security

随着云计算、大数据等技术的发展和应用，网络数据安全对维护国家安全、经济安全，保护公民合法权益，促进数据利用至为重要。 为此，草案作了以下规定：一是，要求网络运营者采取数据分类、重要数据备份和加密等措施，防止网络数据被窃取或者篡改（草案第十七条）。 二是，加强对公民个人信息的保护，防止公民个人信息数据被非法获取、泄露或者非法使用（草案第三十四条至第三十九条）。 三是，要求关键信息基础设施的运营者在境内存储公民个人信息等重要数据；确需在境外存储或者向境外提供的，应当按照规定进行安全评估（草案第三十一条）。

(5) On the Safeguarding network information security

In 2012 the Standing Committee of the NPC issued a set of principle guidelines concerning the standardization of online information transmission activities, as part of the decision overall to strengthen online information protection. The draft of these guidelines insisted on reinforcing the established principles of strengthening the protections for online information, and the importance of perfecting corresponding management systems. 一是，确立决定规定的网络身份管理制度即网络实名制，以保障网络信息的可追溯（草案第二十条）。 二是，明确网络运营者处置违法信息的义务，规定：网络运营者发现法律、行政法规禁止发布或者传输的信息的，应当立即停止传输，采取消除等处置措施，防止信息扩散，保存有关记录，并向有关主管部门报告（草案第四十条）。 三是规定，发送电子信息、提供应用软件不得含有法律、行政法规禁止发布或者传输的信息（草案第四十一条）。 四是规定，为维护国家安全和侦查犯罪的需要，侦查机关依照法律规定，可以要求网络运营者提供必要的支持与协助（草案第二十三条）。 Fifth is to give the relevant authorities the powers to dispose of and to block the dissemination of illegal information (draft Article 43).

(6) On monitoring and early-warning and emergency response

为了加强国家的网络安全监测预警和应急制度建设，提高网络安全保障能力，草案作了以下规定：一是，要求国务院有关部门建立健全网络安全监测预警和信息通报制度，加强网络安全信息收集、分析和情况通报工作（草案第四十四条、第四十五条）。 二是，建立网络安全应急工作机制，制定应急预案（草案第四十六条）。 三是，规定预警信息的发布及网络安全事件应急处置措施（草案第四十七条至第四十九条）。 四是，为维护国家安全和社会公共秩序，处置重大突发社会安全事件，对网络管制作了规定（草案第五十条）。

(7) On the network security supervision and management system

为加强网络安全工作，草案规定：国家网信部门负责统筹协调网络安全工作和相关监督管理工作，并在一些条款中明确规定了其协调和管理职能。 同时规定，国务院工业和信息化、公安等部门按照各自职责负责网络安全保护和监督管理相关工作（草案第六条）。

Additionally, the Draft also has provisions relating to legal liability for violations of that Law, and the meaning of certain language.