Regulations on the Management of Online Data Security (Draft for Solicitation of Comments)

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS –THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS. PAGES WITHOUT IMAGES ARE WORKS IN PROGRESS.


Chapter I: General Provisions

Article 1: These Regulations are drafted on the basis of the Cybersecurity Law of the PRC, the PRC Data Security Law, the Personal Information Protection Law of the PRC, and other laws, so as to regulate data handling activities, protect data security, protect the lawful rights and interests of individuals and organizations in cyberspace, and to preserve national security and the public interest.

Article 2: These Regulations apply to the use of networks to carry out data handling activities as well as to oversight management of data security.

These Regulations apply to activities outside the mainland PRC ["overseas" --ed.] that handle the data of individuals and organizations within the mainland territory of the PRC, in any of the following circumstances:

(1) for the purpose of providing products or services to persons within the territory;

(2) to analyze or assess the conduct of persons or organizations in the territory;

(3) where involved with the handling of important data in the territory;

(4) Other situations provided for by law or administrative regulations.

These Regulations do not apply to the data handling activities of natural persons for personal or family affairs.

Article 3: The state is to make overall plans for development and security, persisting in paying equal attention to the promotion of data development and utilization and to protecting data security, strengthening capacity building for data security and protections, safeguarding the orderly and free flow of data in accordance with law, and promoting the reasonable and effective use of data.

Article 4: The State is to support innovation and cultivation of talent for technologies, products, and services related to the development and use of data, and to data security protections.

The state encourages state organs, industry organizations, enterprises, educational and research bodies, relevant professional bodies, and so forth, to carry out cooperation on the development and use of data and on data security protections, and to carry out publicity, education, and training on data security.

Article 5: The state is to establish a categorical and hierarchical protection system for data. Data is to be categorized as general data, important data, and core data in accordance with the data's impact and importance to national security, the public interest, or the lawful rights and interests of individuals and organizations, and different protective measures are to be employed for different grades of data.

The state is to conduct key protections for personal information and important data, and implement strict protections for core data.

In accordance with state requirements on categorical and hierarchical management, each region and department shall conduct categorical and hierarchical management of the data in that region, department, and corresponding industries or fields.

Article 6: Data handlers are responsible for the security of the data they handle, are to fulfill data security protection obligations, accept oversight from the government and public, and bear social responsibility.

Data handlers shall establish and improve systems for the management of data security and technical protection mechanisms in accordance with related laws, administrative regulations, and mandatory requirements of state standards.

Article 7: The state is to promote the opening and sharing of public data, promoting the development and use of data, and implementing oversight and management of public data in accordance with law.

The state is to establish and complete systems for the management of data transactions, clarifying the standards for the establishment and operation of data transaction establishments, and ensuring the orderly circulation of data in accordance with law.

Chapter II: Ordinary Provisions

Article 8: All individuals and organizations carrying out data handling activities shall obey laws and administrative regulations, and comply with societal mores and ethics, and must not engage in the following activities:

(1) endangering national security, national honor, or national interests; or leaking state secrets and work secrets;

(2) Harming others' reputational rights, privacy rights, copyrights, or other lawful rights and interests and so forth;

(3) Obtaining data through theft or other illegal methods;

(4) illegally selling or illegally providing others with data;

(5) Producing, publishing, reproducing, or transmitting illegal information;

(6) Other conduct prohibited by laws and administrative regulations.

Where any individuals and organizations know or should know that others are engaging in the activities provided for in the preceding paragraph, they must not provide them with services such as technical support, tools, applications, promotional advertising, or payment clearance.

Article 9: Data handlers shall employ necessary measures such as backups, encryption, and access controls to ensure that data is not leaked, stolen, altered, destroyed, lost, or illegally used; respond to data security incidents; guard against illegal and criminal activities targeting or using data; and preserve the integrity, secrecy, and usability of data.

In accordance with requirements for graded cybersecurity protections, data handlers shall strengthen security protections for data handling systems, data transmission networks, data storage environments, and so forth; systems handling important data shall in principle satisfy the requirements of cybersecurity protection level 3 or higher and of critical information infrastructure security protections, and systems handling core data are to make protection more severe in accordance with relevant provisions.

Data handlers shall use encryption to protect important and core data.

Article 10: When data handlers discover that the network products or services that they use or provide have deficiencies or vulnerabilities, or pose risks such as endangering national security or harming the public interest, they shall immediately employ remedial measures.

Article 11: Data handlers shall establish mechanisms for handling data security emergencies, and promptly initiate the emergency response mechanisms when data security incidents occur, employing measures to prevent the harm from expanding and to eliminate security threats. Where security incidents cause harm to individuals or organizations, data handlers shall notify the interested parties within three working days of the security incident and risks, the harmful consequences, remedial measures that have already been employed, and so forth, by telephone, text message, instant messenger, e-mail, or other methods, and where there is no way to give notice, a public announcement may be employed for the notification; but where laws or administrative regulations provide that notice need not be given, follow those provisions. Where crimes are involved in security incidents, data handlers shall report the case to the public security organs in accordance with provisions.

When data security incidents occur, such as leaks, destruction, or loss of important data or the personal information of 100,000 persons or more, the data handlers shall perform the following obligations:

(1) Report the basic information on the incident, including the data volume, types, possible impact, and measures that have already been employed to address it, to the districted-city level internet information departments and relevant competent departments within eight hours of the incident occurring;

(2) Make an investigation and assessment report, including the causes of the incident, the harmful consequences, handling of responsibility, and improvement measures, to the districted-city level internet information departments and relevant competent departments within five working days.

Article 12: Where data handlers provide personal information to third parties, or share, trade, or entrust the handling of important data, they shall obey the following provisions:

(1) Notify individuals of the purpose of providing personal information, the types of information provided, the method and scope of the provision, and the period and location for storage, and acquire their independent consent; except in circumstances where laws and administrative regulations provide it is not necessary to obtain individuals' consent or where anonymization handling has been employed.

(2) Make agreements with the parties receiving data on the purpose, scope, handling methods, data security protection measures, and so forth; and clarify the data security responsibilities and obligations of both parties through means such as contracts, and conduct oversight of the data handling activities by the party receiving the data;

(3) Retain records of individuals' consent, log records of the provision of personal information, and approval records and log records on the sharing, trading, or entrusting the handling of important data, for at least five years.

The party receiving data shall perform the agreed-upon obligations and must not exceed the agreed-upon purposes, range, or handling methods in handling personal information and important data.

Article 13: Data handlers carrying out the following activities shall report for cybersecurity review in accordance with relevant state provisions:

(1) Where the merger, restructuring, or division of internet platform operators that gather and have control of large amounts of data resources related to national security, economic development, or the public interest, impacts or might impact national security;

(2) Where data handlers handling the personal information of 1,000,000 or more persons list on a foreign stock market;

(3) Where data handlers' listing on the Hong Kong stock market impacts or might impact national security;

(4) Other data handling activities that impact or might impact national security.

Large-scale internet platform operators that establish headquarters or operations centers or research and development centers overseas shall report to the state internet information departments and competent departments.

Article 14: Where mergers, restructuring, or division occurs in data handlers, the party receiving data shall continue to perform obligations on the protection of data security, and where important data or the personal information of one million or more persons is involved, they shall report to the competent departments at the districted-city level; where circumstances such as data handlers dissolving or being declared bankrupt occur, they shall report to the competent department at the districted-city level and transfer or delete the data as required, and where it is not clear which department is competent, they shall report to the internet information department at the districted-city level.

Article 15: Data handlers obtaining data from other channels shall perform data security protection obligations in accordance with the provisions of these Regulations.

Article 16: State organs shall follow laws and administrative regulations and the mandatory requirements of state standards to establish and complete data security management systems and implement the responsibility for data security protections to ensure the security of government affairs data.

Article 17: When data handlers employ automated tools to access or collect data, they shall assess the impact on the properties and functions of network services, and must not disrupt the normal functions of network services.

Where automated tools' access to or collection of data violates laws, administrative regulations, or industry discipline covenants, impacting the normal functions of network services or infringing on others' intellectual property rights or other lawful rights and interests, the data handlers shall stop the conduct of accessing or collecting data, and employ corresponding remedial measures.

Article 18: Data handlers shall establish convenient channels for complaints and reports on data security, and promptly accept and address complaints and reports on data security.

Data handlers shall publish the methods for making complaints and reports and the person responsible's information; and publicly disclose each year the number of complaints accepted and received on personal information security, the handling of the complaints, and the average time for handling, and accept societal oversight.

Chapter III: The Protection of Personal Information

Article 19: Data handlers handling personal information shall have a clear and reasonable purpose, and comply with the principles of legality, propriety, and necessity. Where the handling of personal information is based on individuals' consent, the following requirements shall be satisfied:

(1) The personal information handled is necessary for the provision of services or necessary for the performance of obligations prescribed by laws and administrative regulations;

(2) It is limited to the shortest period and lowest frequency necessary to realize the purpose, and employs the means that least impact individual rights and interests;

(3) Services must not be refused, or individuals' normal use of services disrupted, because the individual refuses to provide personal information beyond what is necessary to provide the services.

Article 20: Data handlers handling personal information shall draft rules for handling personal information and strictly obey them. The rules for handling personal information shall be centralized for public display, easy to access, and placed in a conspicuous location, the content is to be clear and specific and easily understood, and they are to systematically and completely explain the circumstances of handling personal information to individuals.

The rules for handling personal information shall include, but are not limited to, the following content:

(1) Clarification of the personal information needed based on products' or services' functions: List the purpose, use, methods, types, frequency or opportunities, storage location, etc. for the handling of personal information, as well as the impact on individuals of rejecting the handling of personal information;

(2) The period for storing personal information or the methods for determining the period for storing personal information and methods for handling it after that period is reached;

(3) The channels and methods for individuals to check, reproduce, delete, restrict handling of, or transfer personal information, as well as for unregistering accounts and withdrawing consent to the handling of personal information;

(4) Through methods that facilitate user access such as centralized displays, explain the names of all QR codes and plugins that collect personal information that are embedded in products and services, as well as the purpose, methods, types, frequency, or opportunities for each QR code's and plugin's collection of personal information, as well as the rules for handling personal information;

(5) The purpose, methods, and types of personal information provided to third parties, information related to the data recipient, and so forth;

(6) Personal information security risks and protective measures;

(7) The channels for making complaints or reports on personal information security issues and paths for resolving them, contact methods for the persons responsible for protecting personal information.

Article 21: Where obtaining individuals' consent for the handling of personal information is required, data handlers shall comply with the following provisions:

(1) Request individuals' consent for the handling of personal information separately in accordance with the differing types of services; consent must not be obtained through the use of blanket clauses;

(2) Independent consent shall be obtained for the handling of sensitive personal information such as on individuals' biometrics, religious faith, special identities, medical health, financial accounts, and location tracking;

(3) In handling the personal information of minors not yet 14 years of age, their guardians' consent shall be obtained;

(4) Consent for the handling of personal information must not be compelled on grounds such as for improving service quality, enhancing user experience, or researching and developing new products;

(5) Individuals' consent must not be obtained through misleading, deceptive, or coercive methods and so forth;

(6) Methods such as bundling different types of services or batch requests for consent must not be used to induce or coerce individuals into giving batch consent for the handling of personal information;

(7) personal information must not be handled exceeding the scope of authorization and consent;

(8) Frequent requests for consent that disrupt the normal use of services must not be made after individuals expressly do not consent.

Where there are changes to the purpose or methods for handling personal information, or to the type of personal information to be handled, the data handlers shall newly obtain the individual's consent and simultaneously revise the rules for handling personal information.

Where there is controversy as to the validity of an individual's acts of consent, data handlers bear the responsibility of presenting evidence.

Article 22: In any of the following circumstances, data handlers shall delete personal information or conduct handling for anonymization within 15 working days:

(1) The purpose of the handling has already been realized or it is no longer necessary for the realization of the purpose of handling;

(2) The period for storage agreed upon with the users or made clear in the rules for handling personal information has been reached;

(3) Services are terminated or individuals de-register accounts;

(4) Where, through the use of automated collection techniques, it is not possible to avoid the collection of unnecessary personal information or personal information for which consent was not given.

Where it is technically difficult to delete personal information, or where it is truly difficult to delete personal information within 15 working days due to the complexity of business operations or other reasons, the data handlers must not carry out handling other than storage and necessary security protection measures, and shall make a reasonable explanation to the individuals.

Where laws or administrative regulations provide otherwise, follow those provisions.

Article 23: Where individuals submit reasonable requests to access, reproduce, correct, supplement, restrict handling of, or delete their personal information, data handlers shall perform the following obligations:

(1) Provide convenient means and paths to support individuals' structured inquiries into the types and volume etc. of their personal information that has been collected, and restrictions must not be carried out on individuals' reasonable requests in terms of time or position;

(2) Provide convenient functions to support individuals' reproduction, correction, supplementing, restricting the handling of, or deletion of their personal information, the revocation of their authorization and consent, or the deregistration of accounts, and unreasonable requirements must not be set up.

(3) Where individuals apply to reproduce, correct, supplement, restrict the handling of, or delete their own personal information, revoke authorization or consent, or deregister accounts, they shall give feedback on the handling within 15 working days.

Where laws or administrative regulations provide otherwise, follow those provisions.

Article 24: For requests to transfer personal information that meet the following requirements, data handlers shall provide transfer services for other data handlers designated by individuals to access or acquire their personal information:

(1) The personal information requested to be transferred is personal information collected based on consent or as needed to conclude or perform a contract;

(2) The personal information requested to be transferred is one's own information or the information of others that the requester has lawfully obtained, and it is not contrary to the other persons' wishes;

(3) The lawful identity of the requester can be verified.

Where data handlers discover that the other data handlers who are receiving personal information have a risk of illegally handling personal information, they shall make a reasonable risk alert about the transfer of personal information.

Where the number of requests to transfer personal information clearly exceeds a reasonable scope, data handlers may collect reasonable fees.

Article 25: Where data handlers use biometrics to conduct identity verification, they shall conduct a risk analysis of its necessity and security, and must not have face, gait, fingerprint, iris, voiceprint, or other biometrics as the sole means of identity verification or compel individuals to consent to the collection of their personal biometric information.

Where laws or administrative regulations provide otherwise, follow those provisions.

Article 26: Data handlers handling the personal information of one million or more persons shall also obey the provisions of Chapter IV of these Regulations on handlers of important data.

Chapter IV: Security of Important Data

Article 27: Each region and each department is to organize the data handlers in that region or department and in relevant industries and fields in identifying important data and core data in accordance with relevant state requirements and standards, and organize the drafting of catalogs of important data and core data in that region or department as well as relevant industries and fields, and report them to the state internet information office.

Article 28: Handlers of important data shall clarify the persons responsible for data security and establish data security management bodies. The data security management bodies are to perform the following duties under the leadership of the persons responsible for data security:

(1) Research and submit recommendations related to major decisions on data security;

(2) Draft implementation plans for data security protections and emergency response plan for data security incidents;

(3) Carry out data security risk monitoring, promptly addressing data security risks and incidents;

(4) Periodically organize and carry out activities such as data security publicity, education, training, risk assessment, and emergency drills;

(5) Accept and address complaints and reports on data security;

(6) Promptly report on the data security situation to the internet information departments, competent departments, and regulatory departments as required.

The persons responsible for data security shall possess professional knowledge of data security and relevant management work experience, are to be members of the decision-making level of the data handler, and have the right to directly report on the data security situation to the internet information departments, competent departments, and regulatory departments.

Article 29: Within 15 working days of identifying their important data, handlers of important data shall file with an internet information department at the districted-city level, and the content of the filing is to include:

(1) The data handler's basic information, information on the data security management body, the names and contact methods for the persons responsible for data security, and so forth;

(2) The purpose, scale, methods, scope, types, storage period, and storage location for handling of data, but not including the content of the data itself;

(3) Other content that the internet information departments, competent departments, and regulatory departments request be filed.

Where there are major changes to the purpose, scope, and type of data handling, or to data security precautions, a new filing shall be made.

Based on the departments' duties and division of labor, the internet information departments, competent departments, and regulatory departments are to share the information from filings.

Article 30: Handlers of important data shall draft data security training plans, and organize and carry out annual data security education and training for all personnel; the length of annual education and training for technical and management personnel related to data security must not be less than 20 hours.

Article 31: Handlers of important data shall prioritize the purchase of network products and services that are secure and reliable.

Article 32: Data handlers that handle important data or that list on foreign stock markets shall carry out an annual data security assessment either themselves or by entrusting a data security service body, and before January 31 each year shall send a data security assessment report for the preceding year to the internet information department at the districted-city level. The content of the data security assessment report is to include:

(1) Situations of handling important data;

(2) Data security risks that were discovered and measures to address them;

(3) The data security management system, security protection measures such as backup copies, encryption, or access restrictions, as well as the implementation of the management system and the effectiveness of the protection measures;

(4) Circumstances of the implementation of state data security laws, administrative regulations, and standards;

(5) Data security incidents that were discovered as well as their handling;

(6) Security assessments for the sharing, trading, entrustment of handling, or overseas provision of important data;

(7) Complaints related to data security and their handling;

(8) Other data security circumstances clarified by the internet information departments, competent departments, and regulatory departments.

Data handlers shall retain risk assessment reports for at least three years.

Based on departmental duties and division of labor, the internet information departments and relevant departments are to share information from reports.

Data handlers carrying out security assessments for the sharing, trading, entrustment of handling, or overseas provision of important data shall emphasize the assessment of the following content:

(1) Whether the sharing, trading, entrusted handling, or provision overseas, as well as the purpose, methods, and scope of the recipients' handling of data, were legal, proper, and necessary;

(2) The risk of data being shared, traded, entrusted for handling, or provided overseas being leaked, destroyed, altered, or abused, as well as risks to national security, economic development, and the public interest;

(3) Background circumstances such as the data recipients' creditworthiness, compliance with laws, cooperative relationships with foreign government bodies, and whether they have been sanctioned by the Chinese government, and whether pledges to take on responsibility and the capacity to fulfil responsibility can effectively ensure data security;

(4) Whether requirements for data security in the contract concluded with the data recipient can effectively bind the data recipients' performance of data security obligations;

(5) Whether the management and technical measures in the course of data handling can prevent risks such as data leaks or destruction.

Where the assessment finds potential harm to national security, economic development, or the public interest, the data handlers must not share, trade, or entrust the handling of the data, or provide the data overseas.

Article 33: Where data handlers share, trade, or entrust the handling of important data, they shall obtain the consent of a competent department at the districted-city level or above, and where it is unclear which department is competent, obtain the consent of the internet information department at the districted-city level or above.

Article 34: State organs and critical information infrastructure operators purchasing cloud computing services shall go through a security assessment organized by the state internet information departments and relevant departments of the State Council.

Chapter V: Cross-Border Data Security Management

Article 35: Where data handlers truly need to provide data overseas due to business requirements, they shall satisfy one of the following requirements:

(1) Passing a security assessment organized by the state internet information departments;

(2) Both the data handlers and the data recipient have passed a personal information protection certification by a professional body identified by the state internet information department;

(3) Contracts concluded with the overseas data recipient parties in accordance with a standard contract drafted by the state internet information departments, agreeing upon the rights and obligations of both parties;

(4) Other conditions provided for by laws, administrative regulations, or provisions of the state internet information department.

The preceding paragraph does not apply where data handlers need to provide parties' personal information overseas in order to conclude or perform a contract to which an individual is one party, or where personal information needs to be provided overseas in order to protect individuals' security in their lives, health, and property.

Article 36: Where data handlers provide personal information overseas, they shall notify the individuals of matters such as the name and contact methods of the overseas data recipient, the purposes and methods of the handling, the types of personal information to be handled, and the methods for individuals to exercise rights in personal information with the overseas data recipient, and obtain the individuals' independent consent.

Where an individual's consent to the export of data has already been obtained at the time of the collection of personal information, and it is exported in accordance with the matters for which consent was obtained, it is not necessary to obtain the individual's independent consent.

Article 37: Where data handlers' provision of data that was collected or produced within the mainland territory of the People's Republic of China overseas belongs to any of the following situations, it shall pass a data export security assessment organized by the state internet information department:

(1) The exported data includes important data;

(2) Where critical information infrastructure operators or data handlers handling the personal information of 1,000,000 or more persons provide personal information overseas;

(3) Other situations provided for by the state internet information departments.

Where laws, administrative regulations, and provisions of the state internet information department provide that it is acceptable to not conduct a security assessment, follow those provisions.

Article 38: Where the international treaties and agreements concluded by or participated in by the PRC have requirements for the provision of personal information overseas and so forth, those provisions may be implemented.

Article 39: Data handlers providing data overseas shall perform the following obligations:

(1) Personal information must not be provided overseas exceeding the purpose, scope, methods, or the types and scale of data, and so forth, indicated in the personal information protection impact assessment report sent to the internet information departments;

(2) Personal information and important data must not be provided overseas exceeding the export purpose, scope, methods, or the types and scale of data, and so forth, indicated at the of the internet information department security assessment;

(3) Employ contracts or other effective methods to oversee that the data recipient uses the data in accordance with the purpose, scope, and methods agreed upon between the parties, performs data security protection obligations, and ensures data security;

(4) Accept and address user complaints involving the export of data;

(5) Where data export causes harm to the lawful rights and interests of individuals and organizations or the public interest, the data handlers shall bear responsibility in accordance with law;

(6) Retain relevant log records and records of approvals for data export for at least 3 years;

(7) When the state internet information department, in conjunction with relevant departments of the State Council, verifies the type and scope of personal information and important data exported, data handlers shall present it in plaintext, readable form;

(8) Where the state internet information department finds that data must not be exported, data handlers shall stop the data export and employ effective measures to safeguard the security of data that has already been exported;

(9) Where further transfers are truly necessary after personal information has been exported, the conditions for further transfer shall first be agreed upon with the individual, and the security protection obligations of the data recipient shall be clarified.

Domestic individuals and organizations must not provide data stored within the PRC to foreign judicial or law enforcement bodies without the permission of the competent organs of the PRC.

Article 40: Data handlers providing personal information and important data overseas shall compile a report on data export security before January 31 of each year, to report to the districted-city level internet information department on the following circumstances of data exports in the preceding year:

(1) The names and contact methods of all data recipients;

(2) The type, volume, and purpose of exported data;

(3) The location where data is stored overseas, the period of data storage, and the scope and methods of use;

(4) User complaints involving the provision of data overseas and their handling;

(5) Data security incidents that were discovered as well as their handling;

(6) Situations of further transfer after the export of data;

(7) Other matters that the state internet information department indicates need to be reported in the provision of data overseas.

Article 41: The state is to establish a cross-border data security gateway to block the transmission of information from outside the mainland territory of the People's Republic of China that is prohibited by laws and administrative regulations from being published or transmitted.

Individuals and organizations must not provide programs, tools, lines, and so forth used to penetrate or bypass the cross-border data security gateway, and must not provide internet access, server hosting, technical support, transmission expansion, payment settlement, application downloads, or other services for the penetration or bypassing of the cross-border data security gateway.

Where domestic users access domestic networks, their traffic must not be routed outside the mainland.

Article 42: Data handlers engaged in cross-border data activities shall establish and complete corresponding technical and management measures in accordance with state requirements for the oversight of cross-border data security.

Chapter VI: The Obligations of Internet Platform Operators

Article 43: Internet platform operators shall establish systems for the disclosure of data-related platform rules, privacy policies, and algorithm policies, and promptly disclose the drafting and decision procedures, to ensure the fairness and equity of platform rules, privacy policies, and algorithms.

The drafting of platform rules and privacy policies, and revisions that have a major impact on users' rights and interests, shall be made public by the internet platform operators for the solicitation of public comments on their official websites and on the internet platforms of industry associations related to the protection of personal information, and the duration of the solicitation of comments must not be less than 30 working days, to ensure that users can easily and fully express their opinions. Internet platform operators shall fully adopt public comments to revise and improve platform rules and privacy policies, publish the circumstances of the adoption of comments in a manner that is easily accessed by users, explain the reasons for non-adoption, and accept societal oversight.

Where large-scale internet platform operators with over one hundred million daily active users draft platform rules and privacy policies, or revise them in a manner that has a major impact on users' rights and interests, they shall go through an assessment by a third-party body designated by the state internet information department and report to the provincial-level internet information department and the department in charge of telecommunications for approval.

Article 44: Internet platform operators shall bear responsibility for the data security management of third party products and services entering their platforms, and use contracts or other means to clarify the third parties' data security responsibilities and obligations, and urge the third parties to strengthen data security management and employ necessary measures for protecting data security.

Where third-party products and services cause harm to users, the users may request that the internet platform operators compensate them first.

The provisions of the preceding two paragraphs apply to third-party products preinstalled on mobile communications terminals.

Article 45: The state encourages internet platform operators that provide instant messaging services to provide a choice between personal communication and non-personal communication in their function designs. Information in personal communications is to be strictly protected in accordance with requirements for protecting personal information, and information in non-personal communications is to be managed in accordance with the relevant provisions on public information.

Article 46: Internet platform operators must not use data, platform rules and so forth to engage in the following activities:

(1) use of platforms to collect or take hold of user data and carrying out acts that harm users' lawful interests, such as differentiated pricing of products and services for users with similar transaction conditions without legitimate reasons;

(2) use of platforms to collect or take hold of businesses' data and carrying out acts harmful to fair competition such as minimum price sales in the promotion of products;

(3) using data to mislead, trick, or coerce users, harming users' right to decide on the handling of their data, and handling user data contrary to users' wishes;

(4) Setting up unreasonable restrictions or obstacles in areas such as platform rules, algorithms, techniques, and traffic allocation, restricting small and medium-sized enterprises on the platform from obtaining industry and market data produced by the platform, obstructing market innovation.

Article 47: Internet platform operators providing application program distribution services shall establish and disclose rules for reviewing and verifying application programs in accordance with relevant laws, administrative regulations, and provisions of the state internet information department, and conduct security reviews and verification of application programs. For application programs that do not comply with laws, administrative regulations, and the mandatory requirements of state standards, they shall employ measures such as refusing to put them on the market, urging corrections, or removing them from the market.

Article 48: Internet platform operators providing the public with instant messaging services shall, in accordance with the provisions of the department in charge of telecommunications under the State Council, provide data portals for other internet platforms' instant messaging services to support data connectivity between users of different instant messaging services, and must not restrict users' access to other internet platforms or transmission of documents to other internet platforms without a legitimate reason.

Article 49: Where internet platform operators use personal information and personalized push algorithms to provide information to users, they shall be responsible for the veracity and accuracy of the information and the legality of the sources, and comply with the following requirements:

(1) When collected personal information is used for personalized pushing, individuals' independent consent shall be obtained;

(2) Set up easily understood, conveniently accessible and operable, one-click options to turn off personalized pushing, allowing users to reject the receipt of targeted push information, and allowing users to reset, change, or adjust the parameters for directed pushing that targets their personal characteristics;

(3) Allow individuals to delete personal information collected by directed information push services, except where laws and administrative regulations provide otherwise or users have made other agreements.

Article 50: The state is to establish a public service infrastructure for online identity verification, providing the public service of individual identity verification in accordance with the principles of government guidance and netizens' voluntariness.

Internet platform operators shall support and prioritize the use of the individual identity verification services provided by the state online identity verification public service infrastructure.

Article 51: Data collected or produced by internet platform operators when providing services to state organs, participating in the establishment, operation, or maintenance of public infrastructure or public service systems, or using public resources to provide services, must not be put to other uses.

Article 52: Relevant departments of the State Council that need to collect or access public data or public information in the control of internet operators in order to perform their legally-prescribed duties shall indicate the scope, type, uses, and basis for the collection or access, and strictly limit it to the scope of performance of their legally-prescribed duties; they must not collect or access public data or public information for uses other than the performance of legally-prescribed duties.

Internet platform operators shall cooperate with relevant departments' collection or access of public data or public information.

Article 53: Large-scale internet platform operators shall retain third-party auditors to conduct an annual audit of the platform's data security situation and the implementation of platform rules and pledges, the personal information protection situation, the development and use of data, and so forth, and disclose the outcome of the audit.

Article 54: Where internet platform operators use artificial intelligence, virtual reality, deep synthesis, and other new technologies to carry out data handling activities, they shall conduct security assessments in accordance with relevant state provisions.

Chapter VII: Oversight and Management

Article 55: The state internet information department is responsible for the overall planning and coordinating of data security and related oversight and management efforts.

The public security organs, state security organs, and so forth are to bear duties for data security regulation within the scope of their respective duties.

Regulatory departments such as for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology are to undertake data security regulatory duties in the corresponding sector.

The competent departments shall clarify the data security bodies and personnel in the corresponding industry or field, and compile and organize the implementation of data security plans and data security incident emergency response plans for that industry or field.

The competent departments shall periodically organize and carry out data security risk assessments for the corresponding industry or field, conducting oversight and inspections for data handlers' performance of data security protection obligations, guiding and urging data handlers to promptly correct any existing security threats.

Article 56: The state is to establish and complete mechanisms for handling data security emergencies and improve emergency response plans and platforms for sharing cybersecurity information, and include data security incidents in the state mechanism for emergency response to cybersecurity incidents, strengthen the sharing of data security information, monitoring and alerts for data security risks and threats, as well as emergency response efforts for data security incidents.

Article 57: Relevant competent and regulatory departments may employ the following measures to conduct oversight inspections for data security:

(1) Request that the relevant personnel of data handlers make explanations of matters for the oversight inspections;

(2) Access or collect files or records related to data security;

(3) Use testing tools or retain professional bodies to conduct technical testing of the operation of data security measures in accordance with the procedures provided;

(4) Verifying the type and scope of data exported;

(5) Other necessary measures as provided by laws, administrative regulations, and rules.

Relevant competent or regulatory departments carrying out data security oversight inspections shall be objective and just, and must not accept fees from the inspected units. Information obtained during data security oversight inspections can only be used as needed to preserve data security, and must not be used for other purposes.

Data handlers shall cooperate with the data security oversight inspections by competent and regulatory departments, including making explanations of organizational operations, technical systems, algorithm principles, data handling procedures, and so forth, make security-related data available for access, provide necessary technical support, and so forth.

Article 58: The state is to establish a data security auditing system. Data handlers shall entrust professional bodies for data security audits to conduct periodic audits of whether their personal information handling activities are in compliance with laws and administrative regulations.

Competent and regulatory departments organizing and carrying out audits of data handling activities on important data are to emphasize data handlers' performance of obligations prescribed by laws and administrative regulations.

Article 59: The state is to support relevant industry organizations drafting specifications for data security activities, strengthening industry self-discipline, guiding members to strengthen data security protections, increasing the level of data security protections, and promoting the healthy development of the industry in accordance with their charters.

The state is to support the establishment of personal information protection industry organizations, carrying out the following activities:

(1) Accept complaints and reports on personal information protections, and conduct investigations and mediation;

(2) Provide information and consultation services to individuals, supporting individuals in initiating litigation in accordance with law for acts harming their rights in personal information;

(3) Expose conduct harming rights in personal information, and carrying out social oversight of personal information protections;

(4) Giving feedback to relevant departments on the personal information protection situation, providing consultation and recommendations;

(5) Initiate litigation in the people's courts in accordance with law for violations of law in handling personal information that harms the rights and interests of a large number of people.

Chapter VIII: Legal Responsibility

Article 60: Where data handlers do not perform the provisions of articles 9, 10, 11, 12, 13, 14, 15, or 18, the relevant competent departments are to order corrections and give warnings, and may give a concurrent fine of between 50,000 and 500,000 RMB, and may give directly responsible managers and other directly responsible personnel a concurrent fine of between 10,000 and 100,000 RMB; where corrections are refused or serious consequences such as data security harms are caused, a fine of between 500,000 and 2,000,000 RMB is to be given, and they may be ordered to stop relevant operations, suspend operations for rectification, and have relevant business permits or licenses canceled, and the directly responsible managers and other directly responsible personnel are to be given a fine of between 50,000 and 200,000 RMB.

Article 61: Where data handlers do not perform data security protection obligations provided for in articles 19, 20, 21, 22, 23, 24, or 25, the relevant departments are to order corrections, give warnings, and confiscate unlawful gains; and applications that illegally handle personal information are to be ordered to have their provision of services suspended or stopped, and where corrections are refused a fine of up to 1,000,000 RMB is to be given; and the directly responsible managers and other directly responsible personnel are to be given a fine of between 10,000 and 100,000 RMB.

Where the circumstances of the illegal activities provided for in the preceding paragraph are serious, the relevant departments are to order corrections, confiscate unlawful gains, and give a concurrent fine of up to 50,000,000 RMB or up to 5% of the preceding year's business income, and may order that operation be suspended, suspend operations for rectification, or report to relevant regulatory departments for the cancellation of business permits or licenses; and a fine of between 100,000 and 1,000,000 RMB is to be given to the directly responsible managers and other directly responsible personnel, and a decision may be made to prohibit their serving as the board member, supervisor, senior management, or person in charge of personal information protection for an enterprise during a set period of time.

Article 62: Where data handlers do not perform the data security protection obligations provided for in articles 28, 29, 30, 31, 32, or 33, the relevant departments are to order corrections and give warnings, and order the suspension or termination of service provision by apps that handle important data in accordance with law; and where corrections are refused, give a fine of up to 2,000,000 RMB, and give directly responsible managers and other directly responsible personnel a fine of between 50,000 and 200,000 RMB.

Where the circumstances of the illegal activities provided for in the preceding paragraph are serious, the relevant departments are to order corrections, confiscate unlawful gains, and give a concurrent fine of between 2,000,000 and 5,000,000 RMB, and may order that operations be suspended, suspend operations for rectification, or report to relevant regulatory departments for the cancellation of business permits or licenses; and a fine of between 200,000 and 1,000,000 RMB is to be given to the directly responsible managers and other directly responsible personnel.

Article 63: Where critical information infrastructure operators violate article 34, the relevant departments are to order corrections and may give fines in accordance with relevant laws and administrative regulations.

Article 64: Where data handlers violate articles 35, 36, 37, the first paragraph of article 39, or article 42, the relevant departments are to order corrections and give warnings, and suspend data exports, and may give a concurrent fine of between 100,000 and 1,000,000 RMB, and may give directly responsible managers and other directly responsible personnel a concurrent fine of between 10,000 and 100,000 RMB; where the circumstances are serious, a fine of between 1,000,000 and 10,000,000 RMB is to be given, and they may be ordered to stop relevant operations, suspend operations for rectification, cancel relevant business permits or licenses, and the directly responsible managers and other directly responsible personnel are to be given a fine of between 100,000 and 1,000,000 RMB.

Article 65: Where the second paragraph of article 39 of these Regulations is violated by providing data to foreign judicial or law enforcement bodies without the approval of the organs in charge, the relevant regulatory departments are to give warnings, may give a concurrent fine of between 100,000 and 1,000,000 RMB, and may give directly responsible managers and other directly responsible personnel a concurrent fine of between 10,000 and 100,000 RMB; where serious consequences result, a fine of between 1,000,000 and 5,000,000 RMB is to be given, and they may be ordered to suspend relevant operations, suspend operations for rectification, or have relevant business permits or licenses canceled, and the directly responsible managers and other directly responsible personnel are to be given a fine of between 50,000 and 500,000 RMB.

Article 66: Where individuals violate article 41, the relevant competent departments are to order corrections, give warnings, and confiscate unlawful gains; where corrections are refused, give a fine of between 1 and 10 times the unlawful gains, and where there are no unlawful gains, give directly responsible managers and other directly responsible persons a fine of between 50,000 and 500,000 RMB; where the circumstances are serious, the relevant competent departments are to order the suspension of operations, suspension for rectification, or cancel relevant business permits or business licenses in accordance with relevant laws and administrative regulations; and where a crime is constituted, give a fine in accordance with relevant laws and administrative regulations.

Article 67: Where internet platform operators violate article 43, 44, 45, 47, or 53, the relevant departments are to order corrections and give warnings; where corrections are refused, give a fine of between 500,000 and 5,000,000 RMB, and fine directly responsible managers and other directly responsible persons between 50,000 and 500,000 RMB; where the circumstances are serious, operations may be ordered suspended or suspended for rectification, websites closed, and business permits and business licenses canceled.

Article 68: Where individuals violate articles 46, 48, or 51, the relevant competent departments are to order corrections and give warnings; where corrections are refused, give a fine of between 1 and 5 percent of annual sales value; where the circumstances are serious, the relevant competent departments are to order the suspension of operations, suspension for rectification, or cancel relevant business permits or business licenses in accordance with relevant laws and administrative regulations; and where a crime is constituted, give a fine in accordance with relevant laws and administrative regulations.

Article 69: Where internet platform operators violate article 49 or 54, the relevant competent departments are to order corrections and give warnings; where corrections are refused, give a fine of between 50,000 and 500,000 RMB, and fine directly responsible managers and other directly responsible personnel between 10,000 and 100,000 RMB; where the circumstances are serious, the relevant competent departments may order operations suspended or suspended for rectification, websites closed, and business permits and business licenses canceled.

Article 70: Where data handlers violate these Regulations causing harm to others, they are to bear civil liability in accordance with law; where it constituted a violation of public security administration, public security administration punishments are to be given in accordance with law; where a crime is constituted, criminal responsibility is to be pursued in accordance with law.

Article 71: Where state organs fail to perform their data security protection obligations under this Law [sic], the organ at the level above or the departments performing data security management duties shall order corrections; and the directly responsible managers and other directly responsible persons are to be sanctioned in accordance with law.

Article 72: Data handling activities carried out outside the [mainland] territory of the P.R.C. that harm the national security of the P.R.C., the public interest, or the lawful rights and interests of citizens and organizations, are to be pursued for legal responsibility in accordance with law.

Chapter IX: Supplementary Provisions

Article 73: The following terms used in these Regulations have the following meanings:

(1) "online data" (data for short) refers to any record of information in electronic form.

(2) "Data handling activities" refers to activities such as the collection, storage, use, processing, transmission, provision, disclosure, or deletion of data.

(3) "Important data" refers to data that once altered, destroyed, leaked, or illegally obtained, or illegally utilized, might endanger national security or the public interests. The following data is included:

1. Government affairs data that has not been disclosed, work secrets, intelligence data, and law enforcement or judicial data;

2. Export control data; data related to core technology, design plans, and production techniques, and so forth involved in export control items; data on scientific and technological accomplishments in fields such as encryption, biology, electronic information, and artificial intelligence that directly impact national security or economic competitiveness;

3. Data on state economic operations, data on important industry operations, statistical data, and so forth, which state laws, administrative regulations, or departmental rules determine require protection or controls on transmission;

4. Data on production and operations safety in key industries and fields such as industry, telecommunications, energy, transport, water, finance, national defense technology industry, customs, and taxation, and supply chain data on critical system components and equipment;

5. National infrastructure data on the population and health, environmental resources, and the environment, such as genetic, geographic, mining, or meteorological data, that reaches a scale and degree of precision indicated by relevant state departments;

6. Data on the construction and operation of national infrastructure and critical information infrastructure, data on the geographic position and security situation of important sensitive areas such as national defense facilities, military administration zones, and defense research and production units;

7. Other data that might impact the nation's political, territorial, military, economic, cultural, social, scientific, ecological, resource, nuclear facility, foreign interest, biological, space, polar, or maritime security.

(4) "Core data" refers to data related to national security, the lifeline of the national economy, important aspects of the people's livelihood, major public interests, and so forth.

(5) “Data handlers“ refers to individuals or organizations that independently make decisions about the goals and methods of data handling in data handling activities.

(6) "Public Data" refers to all types of data collected by state organs and organizations authorized by laws or administrative regulations to have public affairs management duties in the performance of public management duties or provision of public services, as well as all kinds of data involving the public interest that is collected or produced by other organizations in the provision of public services.

(7) "Entrusting handling" refers to data handlers entrusting third parties to carry out data handling activities in accordance with agreed upon purposes and methods.

(8) "Independent consent" refers to data handlers' obtaining individual's consent to each item of personal information when carrying out specific data handling activities, but does not include one-time consent to multiple items of personal information or multiple types of handling activities.

(9) "Internet platform operators" refers to data handlers providing users with internet platform services such as information publishing, social interaction, trade, payments, or audio and video.

(10) "Large-scale platform operators" refers to internet platform operators with more than 50,000,000 users, handling large volumes of personal information and important data, that have a strong capacity to mobilize the public, and dominant market position.

(11) "Cross-border data security gateway" refers to important security infrastructure for blocking access to overseas reactionary websites and harmful information, preventing cyber-attacks from overseas, controlling the transmission of data across borders, and preventing, investigating, and combatting cross-border cyber crimes.

(12) "Public information" refers to information with a public broadcast nature that is collected or produced by data handlers during the course of providing public services. This includes openly published information, information that can be forwarded, information with no clear recipient, and so forth.

Article 74: Enforcement is to be in accordance with the relevant provisions for data handling activities using state secret information, core data, and data on the use of encryption.

Article 75: These regulations take effect on ______.
