NOTE: This translation was originally published on the China Copyright and Media blog, a project of DigiChina’s Prof. Rogier Creemers of the University of Leiden. It has not been edited, double-checked, or standardized with DigiChina’s original content. Read more.
(Passed on 28 December 2012 at the 30th Committee Meeting of the 11th National People’s Congress Standing Committee”
In order to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, safeguard national security and social order, the following decision is hereby made:
I, The State protects electronic information by which the individual identity of citizens can be distinguished as well as involving citizens’ individual privacy.
No organization or individual may steal or obtain in other illegal manners obtain citizens’ individual electronic information, sell or illegally provide citizens’ individual electronic information to other persons.
II, Network service providers and other enterprise and undertaking work units that collect or use citizens’ individual electronic information during their business activities, shall abide by the principles of legality, legitimacy and necessity, clearly indicate the objective, methods and scope for collection and use of information, and obtain agreement from the person whose data is collected, they may not violate the provisions of laws and regulations, and the agreement between both sides, in collecting or using information.
Network service providers and other enterprise and undertaking work units collecting or using citizens’ individual electronic information shall make public their collection and use rules.
III, Network service providers, other enterprise and undertaking work unit and their staff must strictly preserve the secrecy of citizens’ individual electronic information they collect in their business activities, they may not divulge, distort, or damage it, and may not sell or illegally provide it to other persons.
IV, Network service providers and other enterprise and undertaking work units shall adopt technological measures and other necessary measures to ensure information security and prevent that citizens’ individual electronic information collected during business activities is divulged, damaged or lost. When divulging, damage to or loss of information occurs or may occur, remedial measures shall be adopted immediately.
V, Network service providers shall strengthen management of information disseminated by users, where it occurs that information violated by laws or regulations is published or disseminated, handling measures such as ceasing the dissemination of the said information, deleting it, etc., relevant records are to be preserved, and the relevant controlling departments informed.
VI, Network service providers that handle website access services for users, handle fixed telephone, mobile telephone and other surfing formalities, or provide information publication services to users, shall, when concluding agreements with users or affirming the provision of service, require users to provide real identity information.
VII, No organization or individual may, without having obtained agreement of or a request from the electronic information receiver, or where the electronic information receiver has clearly indicated refusal, send commercial electronic information to fixed telephones, mobile telephones and individual e-mail boxes.
VIII, Where citizens discover that their individual identity has been divulged, individual privacy has been disseminated or other network information infringes their lawful rights and interests, or are harassed by commercial electronic information, they have the power to require the network service provider to delete the relevant information or adopt other necessary measures to cease this.
IX, Any work unit or individual has the power to report or file accusations with the relevant controlling departments against unlawful or criminal acts of stealing citizens’ individual electronic information or gaining it by other illegal means, selling it or providing it illegally to other persons, as well as other unlawful and criminal acts concerning network information; departments receiving reports and accusations shall timely deal with them according to the law. The infringed person may file a lawsuit according to the law.
X, Relevant controlling department shall, within the scope of duties and responsibilities of each, carry out their duties according to the law, adopt technological measures and other necessary measures to guard against, prevent, investigate and prosecute unlawful or criminal acts of stealing citizens’ individual electronic information or gaining it by other illegal means, selling it or providing it illegally to other persons, as well as other unlawful and criminal acts concerning network information. When relevant controlling departments carry out their duties according to the law, network service providers shall grant cooperation and provide technological support.
State organs and their staff shall protect the secrecy of citizens’ individual electronic information that they learn when carrying out their duties, may not divulge, distort or damage it, and may not sell or illegally provide it to other persons.
XI, Acts violating this Decision, are subject to warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel to engage in network service business and other punishments, they are entered into social credit files and published; where acts constitute violations of public order management, public order management punishments are imposed according to the law. Where they constitute a crime, criminal liability is prosecuted according to the law. Where other persons’ civil rights are infringed, civil liability is borne according to the law.
XII, This Decision takes effect on the date of promulgation.
全国人民代表大会常务委员会关于加强网络信息保护的决定
(2012年12月28日第十一届全国人民代表大会常务委员会第三十次会议通过)
为了保护网络信息安全,保障公民、法人和其他组织的合法权益,维护国家安全和社会公共利益,特作如下决定:
一、国家保护能够识别公民个人身份和涉及公民个人隐私的电子信息。
任何组织和个人不得窃取或者以其他非法方式获取公民个人电子信息,不得出售或者非法向他人提供公民个人电子信息。
二、网络服务提供者和其他企业事业单位在业务活动中收集、使用公民个人电子信息,应当遵循合法、正当、必要的原则,明示收集、使用信息的目的、方式和范围,并经被收集者同意,不得违反法律、法规的规定和双方的约定收集、使用信息。
网络服务提供者和其他企业事业单位收集、使用公民个人电子信息,应当公开其收集、使用规则。
三、网络服务提供者和其他企业事业单位及其工作人员对在业务活动中收集的公民个人电子信息必须严格保密,不得泄露、篡改、毁损,不得出售或者非法向他人提供。
四、网络服务提供者和其他企业事业单位应当采取技术措施和其他必要措施,确保信息安全,防止在业务活动中收集的公民个人电子信息泄露、毁损、丢失。在发生或者可能发生信息泄露、毁损、丢失的情况时,应当立即采取补救措施。
五、网络服务提供者应当加强对其用户发布的信息的管理,发现法律、法规禁止发布或者传输的信息的,应当立即停止传输该信息,采取消除等处置措施,保存有关记录,并向有关主管部门报告。
六、网络服务提供者为用户办理网站接入服务,办理固定电话、移动电话等入网手续,或者为用户提供信息发布服务,应当在与用户签订协议或者确认提供服务时,要求用户提供真实身份信息。
七、任何组织和个人未经电子信息接收者同意或者请求,或者电子信息接收者明确表示拒绝的,不得向其固定电话、移动电话或者个人电子邮箱发送商业性电子信息。
八、公民发现泄露个人身份、散布个人隐私等侵害其合法权益的网络信息,或者受到商业性电子信息侵扰的,有权要求网络服务提供者删除有关信息或者采取其他必要措施予以制止。
九、任何组织和个人对窃取或者以其他非法方式获取、出售或者非法向他人提供公民个人电子信息的违法犯罪行为以及其他网络信息违法犯罪行为,有权向有关主管部门举报、控告;接到举报、控告的部门应当依法及时处理。被侵权人可以依法提起诉讼。
十、有关主管部门应当在各自职权范围内依法履行职责,采取技术措施和其他必要措施,防范、制止和查处窃取或者以其他非法方式获取、出售或者非法向他人提供公民个人电子信息的违法犯罪行为以及其他网络信息违法犯罪行为。有关主管部门依法履行职责时,网络服务提供者应当予以配合,提供技术支持。
国家机关及其工作人员对在履行职责中知悉的公民个人电子信息应当予以保密,不得泄露、篡改、毁损,不得出售或者非法向他人提供。
十一、对有违反本决定行为的,依法给予警告、罚款、没收违法所得、吊销许可证或者取消备案、关闭网站、禁止有关责任人员从事网络服务业务等处罚,记入社会信用档案并予以公布;构成违反治安管理行为的,依法给予治安管理处罚。构成犯罪的,依法追究刑事责任。侵害他人民事权益的,依法承担民事责任。
十二、本决定自公布之日起施行。
