Public Security Organs Internet Security Oversight and Inspection Provisions (Draft For Solicitation of Comments)

Source: http://www.mps.gov.cn/n2254536/n4904355/c6090144/content.html

Comment Period:Through 2018/5/4

This is a DRAFT: FINALIZED VERSION OF THIS DOCUMENT AVAILABLE: HERE

Chapter I: General Provisions

Article 1: These Provisions are formulated on the basis of the "People's Republic of China Police Law", the "People's Republic of China Cybersecurity Law" and other relevant laws and administrative regulations, so as to strengthen and regulate efforts to oversee and inspect Internet security, to prevent online violations and crimes, to preserve network security, to and to protect the lawful rights and interests and citizens, legal persons, and other organizations.

Article 2: These Provisions apply to public security organs lawful conduct of security oversight and inspections of Internet service providers' and network-using units' performance of network security responsibilities and obligations as provided for in laws, administrative regulations, and department rules.

Oversight and inspections of Internet online service business premises are to be conducted in accordance with the relevant provisions of the "Regulations on the Management of the Internet Online Service Business Premises".

Article 3: The network security protection departments of people's governments' public security organs at the prefecture level or above are to organize and carry out oversight and inspections of Internet security.

Article 4: Higher level public security organs shall conduct guidance and oversight of lower level public security organs' carrying out of Internet security oversight and inspections.

Article 5: Public security organs carrying out Internet security oversight and inspections shall comply with the relevant state laws, administrative regulations, rules, and provisions, to ensure the lawful rights and interests of citizens, legal persons, and other organizations.

Article 6: Public security organs and their staffs shall strictly keep confidential any personal information and commercial secrets that they learn of in performing their duties, and must not leak, sell, or unlawfully provide it to others.

Article 7: Public security organs shall promptly report any Internet security risks that they discover during Internet oversight and inspections, and that might endanger national security, public safety, or social order, to the competent Internet departments.

Chapter II: Content and Form of Inspections.

Article 8: The public security organs for the locations of Internet service providers' network service business bodies and network-using units' network management bodies, are specifically responsible for Internet security oversight and inspection. Where Internet service providers are individuals, the public security organs for the site of the Internet service providers' habitual residence may be specifically responsible.

Where there is controversy over jurisdiction for Internet security oversight and inspections, the public security organ at the common level above is to designate jurisdiction.

Article 9: Public security organs may carry out the following Internet security oversight and inspections:

(1) Oversight and spot inspections of the performance of legally-prescribed network security responsibility obligations;

(2) Special inspections during major network security protection periods;

(3) Conducting other oversight and inspections as needed.

Article 10: As required by the specific situations of protecting network security and hidden threats to network security, public security organs shall emphasize organizing and carrying out oversight and spot checks on the following Internet service providers and network-using units:

(1) Those that have launched Internet access, data center, content distribution, or domain name services, or changed the type and content of Internet services, for less than one year;

(2) Those that have launched Internet information services, or changed the content of Internet information services, for less than one year;

(3) Those that have established Internet service venues, or network units that have accessed the Internet for less than one year;

(4) Those that have had network security incidents or violations or crimes occur within the last two years, or those that have been given administrative punishments in accordance with law by the public security organs for failure to perform legally prescribed network security responsibilities and obligations.

Article 11: Public security organs shall emphasize inspections of the following conduct, on the basis of the actual status of Internet service providers and network-using units' performance of their legally-prescribed responsibilities and duties.

(1) Whether they handled international networking recording procedures, and reported basic information and altered circumstances of access units and users.

(2) Whether they drafted network security management systems and operating rules, and designated persons responsible for network security;

(3) Where they adopted technological measures to prevent computer viruses, network attacks, network intrusions and so forth;

(4) Whether they adopted technical measures to record and retain user registration information and logs of their going online, and whether the retention time complies with laws and regulations;

(5) Whether they have implemented graded network security protection systems, have followed the requirements of relevant standards and norms, and have employed management and technical measures, to protect the security of networks, information systems, and data resources;

(6) Whether they have taken measures to prohibit the release, or stop the transmission, of illegal information on public information services, and to keep relevant records;

(7) Where they have followed national law and standards to provide technical support and assistance to public security organs' and state security organs; lawful activities preserving national security and investigating crimes;

(8) Whether they performed other network security responsibilities and obligations as provided for by laws and regulations.

Article 12: During periods for major national network security defense tasks, public security organs may organize and carry out special inspections of related Internet service providers and network-using units, focusing on inspection of the following content:

(1) Whether provision of Internet access services, information services, and so forth complies with the requirements of network security;

(2) Whether a work plan was drafted as required for the major network security defense task, specifying the division of labor for network security responsibility, and determining the security management personnel;

(3) Whether network security risk assessments were organized and carried out, and whether risk control and management measures were employed, plugging leaks and hidden threats to network security;

(4) Whether a network security emergency response plan has been formulated, emergency drills have been organized and carried out, and whether emergency response facilities are complete and effective;

(5) Whether other network security precaution measures are employed as required for major Internet security defense tasks.

Article 13: In addition to oversight and inspections of the content listed in article 11 of these provisions, public security organs shall also emphasize inspections of the following content on Internet service providers and network-using units providing the following services:

(1) Whether Internet service providers and network-using units that provide Internet access services have recorded and retained IP addresses and their distribution and usage;

(2) Whether Internet service providers and network-using units that provide Internet data center services have recorded information on users of hosting, dedicated hosting, and virtual space they provided;

(3) Whether Internet service providers and network-using units that provide Internet domain name services have recorded applications or modifications for domain names, and whether measures were taken to stop the resolution of illegal domain names;

(4) Whether Internet service providers and network-using units that provide Internet information services have taken measures to manage information published by users and to eliminate and stop the spread of illegal information that is already published;

(5) Whether Internet service providers and network-using units that provide content delivery services have recorded the correspondence between content delivery networks and content source network links;

(6) Whether Internet service providers and network-using units that provide Internet services have taken network and information security protection measures that comply with public safety industry technical standards.

Chapter III: Inspection procedures

Article 14: Internet security oversight and inspections may be conducted by employing on-site inspections or remote testing methods.

Article 15: Public security organs carrying out Internet security oversight on-site inspections of Internet service providers and network-using units, must not have less than two oversight inspection personnel, and shall present their police identification and a "Notice of Law Enforcement Inspection".

Article 16: The public security organs may carry out remote testing of whether Internet service providers and network-using units have network security leaks and other hidden threats to network security.

Article 17: Public security organs carrying out Internet security oversight and inspections may employ the following measures as needed:

(1) Entering business premises, computer rooms, office space, and other places that need to be entered for oversight and inspection;

(2) Meeting with the responsible party or network security management personnel for the target of the inspection, and requiring them to explain the matters under inspection;

(3) Accessing and collecting information related to network security oversight and inspection;

(4) Checking the operation of technical measures on network security protection;

(5) Using inspection tools to conduct on-site or remote testing.

Article 18: Public security organs using inspection tools to carry out on-site inspections or remote testing shall inform the subject of the inspection or disclose matters for inspection, and must not disrupt or undermine the normal operations of the inspection targets' networks.

Public security organs carrying out on-site inspections or remote testing may retain network security service establishments that are authorized by public security organs at the provincial level or higher to provide technical support. During on-site inspections and remote testing, public security organs shall oversee the network security service establishments implementation of security management and confidentiality responsibilities.

Article 19: Public security organs carrying out on-site inspections shall make inspection records and have them signed by two or more inspection personnel and the responsible party or network security management personnel of the investigations' target. Where the responsible person or network security management personnel for the investigation's target have objections to the investigation record, the shall be allowed to make an explanation; where they refuse to sign, the inspection personnel shall note this on the inspection record.

Public security organs carrying out remote testing shall make and retain inspection records and have them signed by two or more inspection personnel. Where the staff of network security service establishments participate in remote testing, they shall sign the inspection records as well.

Article 20: Where in the course of Internet security oversight and inspections, public security organs discover that Internet service providers or network-using units have hidden risks to network security, but they are clearly minor, they may orally order corrections, and note this in the inspection records; where illegal conduct is discovered, but the circumstances are minor or have not yest cause consequences, they may lawfully give a talking to the responsible party and request they employ measures to eliminate hidden threats and make corrections in a certain period of time.

Article 21: Public security organs shall verify that investigation targets' have made corrections.

Article 22: A file shall be established of materials gathered, and all kinds of materials such as documents that are created, in an inspection. Confidential documents are to be independently archived and managed in accordance with the relevant state provisions.

Article 23: Public security organs shall establish and implement network security oversight and inspection working systems, and conscientiously accept oversight by Internet service providers and network-using units.

Information obtained by public security organs lawfully performing Internet security oversight and inspection duties can only be used as necessary for the protection of network security, and must not be used in other ways.

Chapter IV: Legal Responsibility

Article 24: Where Internet service providers and network-using units exhibit the following illegal conduct, causing harm to network security and other such consequences, or refusing to make corrections, the public security organs may lawfully give administrative punishments in accordance with the distinct situations:

(1) Failure to establish network security management systems and operating procedures, and failing to designate the persons responsible for network security, are to be punished in accordance with the provisions of Article 59, paragraph 1, of the "Cybersecurity Law";

(2) Failure to employ technological measures to prevent computer viruses, network attacks, network intrusions, and so forth, are to be punished in accordance with the provisions of Article 59, paragraph 1, of the "Cybersecurity Law";

(3) Failure to employ measures record and retain user registration information and online log information, are to be punished in accordance with the provisions of Article 59, paragraph 1, of the "Cybersecurity Law";

(4) In the provision of services such as Internet information publication or instant messaging, failure to request that users provide their real identity information, or providing services to those users that do not provide real identity information, is to be punished in accordance with the provisions of Article 61, of the "Cybersecurity Law";

(5) Failure to take lawful measures to prohibit the release, or stop the transmission, of illegal information in public information services, and to keep relevant records, is to be punished in accordance with with the provisions of Article 68 of the "Cybersecurity Law";

(6) Refusal to provide technical support and assistance to public security organs lawfully protecting national security and investigating crimes, is to be punished in accordance with law with article 69, paragraph 3, of the "Cybersecurity Law".

Where Internet service providers and network-using units refuse to provide technical interfaces, decryption, and other technical assistance and support to public security organs lawfully conducting prevention and investigations of terrorist activities, the public security organs are to give punishments in accordance with article 84(1) of the "Counter-terrorism Law".

Article 25: Where, in the course of Internet security oversight and inspections, public security organs discover that Internet service providers or network-using units have stolen, or otherwise illegally acquired, personal information, or illegally sold or provided it to others, but it has not yet constituted a crime, they shall give punishments in accordance with article 64, paragraph 2, of the "Cybersecurity Law".

Article 26: Where in the course of Internet security oversight and inspections, public security organs discover that Internet service providers or network-using units have set up malicious programs during the provision of Internet services, they shall give punishments in accordance with article 60(1), of the "Cybersecurity Law".

Article 27: Where Internet service providers or network-using units refuse or obstruct the public security organs' Internet security oversight and inspections, punishment shall be given in accordance with article 69(2) of the "Cybersecurity Law".

Article 28: Where network security service establishments, or their staffs, that have been retained by public security organs to provide technical support disrupt or undermine the normal operation of investigation targets' networks, they are to be punished in accordance with article 63 of the "Cybersecurity Law"; where they leak, sell, of illegally provide personal information that is acquired in the course of work, they are to be punished in accordance with article 64, paragraph 2, of the "Cybersecurity Law", and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Where establishments and persons provided for in the preceding paragraph infringe the commercial secrets of an investigation's targets, and a crime is constituted, criminal responsibility is to be pursued in accordance with law.

Article 29: Where public security organs and their staffs have derelicted their duties, abused their authority, or twisted the law for personal gain, disciplinary action shall be lawfully taken against directly responsible managers and other directly responsible personnel; and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Where public security organs and their staffs use personal information acquired while performing Internet security oversight and inspection duties for other purposes, the directly responsible persons in charge and other directly responsible personnel are to be given sanctions.

Chapter V: Supplementary Provisions

Article 30: The terms "above" or "inside" as used in these Regulations include the number or level itself.

Article 31: These Provisions are to take effect on XX-XX-XXXX.

Attachment: Model Notice of Public security organs Network Security Law Enforcement Inspections

Notice of Public security organs Network Security Law Enforcement Inspections

XXGongWangAnJian﹝year﹞No. XX

In accordance with the "People's Republic of China Police Law", the "People's Republic of China Cybersecurity Law", the "Computer Information Network International Network Security Protection Management Measures", and other relevant laws and administrative regulations, a law enforcement inspection is now being conducted of your unit, please provide support and cooperation.

Police implementing this inspection: (signature)

Technical support unit personnel: (signature)

Province (district, city), City (prefecture, banner) public security bureau network security squad (AFFIX SEAL)

YEAR/ MONTH/ DAY

Two identical copies of this notice are made, on copy sent to the unit being inspected, and one copy stored in the files of the network security department.