NOTE: This translation was originally published on the China Copyright and Media blog, a project of DigiChina’s Prof. Rogier Creemers of the University of Leiden. It has not been edited, double-checked, or standardized with DigiChina’s original content. Read more.
(Opinion-seeking Draft)
Chapter I: General Principles
Article 1: In order to strengthen and standardize Internet security supervision and inspection work by public security bodies, prevent online law-breaking and crime, safeguard cybersecurity, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “People’s Police Law of the People’s Republic of China”, the “Cybersecurity Law of the People’s Republic of China” and other such relevant laws and administrative regulations, these Regulations are formulated.
Article 2: These regulations are applicable to the lawful conduct of security supervision and inspection by public security bodies of Internet service providers’ and network using work units’ performance of cybersecurity responsibilities and duties as stipulated in laws, administrative regulations and departmental rules.
Internet access service business venues supervision and inspection is conducted according to the relevant provisions of the “Management Regulations for Internet Access Service Business Venues”.
Article 3: Internet security supervision and inspection is organized and implemented by district or city-level and higher People’s Government public security bodies’ cybersecurity protection departments.
Article 4: Higher-level public security bodies shall guide and supervise lower-level public security bodies in conducting Internet security supervision and inspection.
Article 5: Public security bodies conducting Internet security supervision and inspection shall abide by relevant State laws, administrative regulations and departmental rules, and protect the lawful rights and interests of citizens, legal persons and other organizations.
Article 6: Public security bodies and their staff shall strictly preserve the secrecy of personal information and commercial secrets they learn during the performance of their Internet security supervision and inspection duties, they shall not divulge, sell or illegally provide it to others.
Article 7: Public security bodies shall timely notify relevant Internet management departments about Internet security risks that may harm national security, public security and social order they discover through Internet security supervision and inspection.
Chapter II: Inspection content and method
Article 8: Internet security supervision and inspection is the concrete responsibility of the public security bodies in the localities of Internet service providers’ network service operations bodies and Internet using work units’ network management bodies. Where an Internet service provider is an individual person, it is permitted that the public security body of the regular place of residence of the Internet service provider takes concrete responsibility.
Where jurisdictional disputes exist concerning Internet supervision and inspection, the joint higher-level public security body will assign jurisdiction.
Article 9: Public security bodies may carry out the following Internet security supervision and inspection measures:
(1) supervision and spot checks concerning performance of statutory cybersecurity responsibilities and duties;
(2) focused inspection during periods of major cybersecurity defence;
(3) other supervision and inspection conducted on the basis of need.
Article 10: Public security bodies shall, on the basis of cybersecurity protection needs and the concrete situation of cybersecurity dangers and risks, focus on carrying out supervision and inspection of the following Internet service providers and network using work units:
(1) those running Internet access, data centres, content distribution, domain name services, or who have changed their Internet service categories or content for less than a year;
(2) those running Internet information services, or have changed their Internet information service content for less than a year;
(3) those setting up surfing service venues, or network connection work units who have had access to the Internet for less than a year;
(4) those where cybersecurity incidents or cases of law-breaking or crime occurred within the previous two years, or who are subject to lawful administrative punishment from a public security bodies for not carrying out statutory cybersecurity responsibilities and duties.
Article 11: Public security bodies shall, on the basis of the actual circumstances of Internet service providers and Internet using work units performing their statutory cybersecurity responsibilities and duties, focus on inspecting the following content:
(1) whether or not they have handled international connection filing formalities, and reported the basic information and changes in circumstances of accessing work units and users;
(2) whether or not they have formulated cybersecurity management structures and operational procedures, and have appointed persons responsible for cybersecurity;
(3) whether or not they have adopted technical measures to prevent computer viruses, cyber attacks, cyber intrusions, etc.;
(4) whether or not they have adopted technical measures to record and preserve user registration information and surfing diary information, and whether or not the period of preservation conforms to provisions in laws and regulations;
(5) whether or not they have implemented the multi-level cybersecurity protection system, adopted management and technical measures according to the requirements of relevant standards and norms, to protect the security of network, information systems and data resources;
(6) whether or not they have adopted measures to prohibit the dissemination and cease the dissemination of unlawful information in public information services, and measures to preserve relevant records;
(7) whether or not they have adopted measures according to State laws and standards to provide technical support and assistance to public security bodies lawfully protecting national security, investigating crime, preventing or investigating terrorist activities;
(8) whether or not they have carried out other cybersecurity responsibilities and duties provided in laws and regulations.
Article 12: During periods of major national cybersecurity protection tasks, public security bodies may organize and launch a special campaign among Internet service providers and network using work units connected with major national cybersecurity protection tasks, and focus on inspecting the following content:
(1) whether the provided Internet access services, information services and surfing services conform to cybersecurity requirements;
(2) whether or not they have formulated work plans as required for major cybersecurity protection tasks, have clarified their division of labour for cybersecurity responsibilities and appointed security management personnel;
(3) whether or not they have organized and launched cybersecurity risk assessment, and adopted corresponding risk management measures to plug cybersecurity leaks and risks;
(4) whether or not they have formulated cybersecurity emergency response plans and organized emergency response exercises, whether relevant emergency response and handling measures were complete and effective;
(5) whether or not they have lawfully adopted other cybersecurity protection measures required for major cybersecurity protection tasks.
Article 13: Concerning Internet service providers and network using work units providing the following services, except for supervising and inspecting the content listed in Article 11 of these Regulations, public security bodies shall also lawfully focus on inspecting the following content:
(1) Internet service providers and network using work units providing Internet access services, whether they have recorded and preserved IP addresses and the distribution and usage situation;
(2) Internet service providers and network using work units providing Internet data centre services, whether or not they have recorded the information of users to whom hosting colocation, hosting rental and virtual space rental services have been provided;
(3) Internet service providers and network using work units providing Internet domain name services, whether or not they have recorded network domain name applications and modifications, and whether they have adopted measures to suspend analysis of unlawful domain names;
(4) Internet service providers and network using work units providing Internet information services, whether they have adopted measures to manage user-distributed information, to delete already published unlawful information and prevent its dissemination;
(5) Internet service providers and network using work units providing Internet content distribution services, whether or not they have recorded the linkage and response situation of content distribution networks and content source networks;
(6) Internet service providers and network using work units providing Internet surfing services, whether they have adopted technical measures to protect cyber and information security in conformity with technical standards for the public security sector.
Chapter III: Inspection procedures
Article 14: Internet security supervision and inspection may be conducted in the form of on-site inspection or remote monitoring.
Article 15: When public security bodies carry out on-site Internet supervision and inspection of Internet service providers and network using work units, there must be no fewer than two supervision and inspection personnel, they shall present their People’s Police credentials and the “Law Enforcement Inspection Notification Letter”.
Article 16: Public security bodies may launch remote monitoring of Internet service providers and network using work units to ascertain whether there are cybersecurity leaks and other such cybersecurity risks and dangers.
Article 17: Public security bodies carrying out Internet security supervision and inspection may, on the basis of requirement, adopt the following measures:
(1) entry into business premises, machine rooms, offices as well as other venues that need to be entered for supervision and inspection purposes;
(2) meeting with responsible persons within the inspection target or relevant cybersecurity management personnel, and requiring them to provide explanations concerning the inspected matters;
(3) consulting and obtaining information connected with cybersecurity supervision and inspection;
(4) reviewing the operational situation of technical cybersecurity protection measures;
(5) using inspection tools to launch on-site or remote monitoring.
Article 18: Public security bodies using inspection tools to launch on-site inspections or remote monitoring shall notify the inspection target or publish the inspected matters, they may not interfere with or destroy the regular operations of the inspection target’s networks.
Public security bodies engaging in on-site inspections or remote monitoring may entrust cybersecurity service bodies authorized by provincial-level or higher public security bodies with providing technical support. During on-site inspections or remote monitoring, public security bodies shall supervise the cybersecurity service body’s implementation of security management and secret-keeping responsibilities.
Article 19: Public security bodies conducting on-site inspection shall produce inspection records, to be signed by two or more inspection personnel and the responsible person or cybersecurity management staff of the inspection target. Where the responsible person or cybersecurity management staff of the inspection target objects to the inspection record, they shall be permitted to make an explanation; where they refuse to sign, the inspection personnel shall indicate this in the inspection records.
Article 20: Where public security bodies, during cybersecurity supervision and inspection, discover that Internet service providers or network using work units carry cybersecurity risks or dangers, but they are relatively minor, they may orally order rectification, and indicate this in the inspection records; where they discover unlawful conduct, but the circumstances are minor or no adverse outcomes have resulted, they may discuss the matter according to the law with the relevant responsible person, and require them to adopt measures to eliminate the risk and rectify the matter within a limited time.
Article 21: Public security bodies shall inspect whether the inspection target ahs carried out rectification.
Article 22: Materials gathered during inspections, all kinds of documents produced and other such matters shall be filed and preserved. Classified files are to be preserved and managed separately according to relevant State provisions.
Article 23: Public security bodies shall establish and implement cybersecurity supervision and inspection work structures, and consciously accept supervision from Internet service providers and network using work units.
Public security bodies may only use information they obtained during the lawful performance of cybersecurity supervision and inspection as needed for the protection of cybersecurity, and may not use it for other purposes.
Chapter IV: Legal liability
Article 24: Where Internet service providers and network using work units commit the following unlawful acts, resulting in harm to cybersecurity and other such consequences or they refuse to rectify the matter, public security bodies may, in view of different circumstances, impose administrative punishment:
(1) where no cybersecurity management system or operating rules have been formulated, or no persons responsible for cybersecurity have been appointed, punishment will be imposed according to Article 59 Paragraph 1 of the “Cybersecurity Law”;
(2) where no technical measures to prevent computer viruses, cyber attacks or cyber intrusions have been adopted, punishment will be imposed according to Article 59 Paragraph 1 of the “Cybersecurity Law”;
(3) where no measures are adopted to record and preserve user registration information and surfing diary information, punishment will be imposed according to Article 59 Paragraph 1 of the “Cybersecurity Law”;
(4) where during the provision of Internet information dissemination services, instant messaging and other such services, users have not been required to provide real identity information, or corresponding services are provided to users who have no provided real identity information, punishment will be imposed according to Article 61 of the “Cybersecurity Law”;
(5) where measures have not been adopted according to the law to prohibit the publication, suspend the dissemination and preserve relevant records of unlawful information in public information services, punishment will be imposed according to Article 68 of the “Cybersecurity Law”.
Where Internet service providers and network using work units refuse to provide technical access, decryption and other such technological support and assistance to public security bodies who are preventing or investigating acts of terror according to the law, the public security body will impose punishment according to Article 48 Paragraph 1 of the “Anti-Terrorism Law”.
Article 28: Where public security bodies in the process of Internet security supervision and inspection discover that Internet service providers or network using work units steal or obtain in another illegal manner, illegally sell or illegally provide to other persons personal information, and it does not yet constitute a crime, punishment will be imposed according to Article 64 Paragraph 2 of the “Cybersecurity Law”.
Article 26: Where public security bodies in the process of Internet security supervision and inspection discover that Internet service providers or network using work units have installed malicious code in their Internet services, punishment will be imposed according to Article 60 Paragraph 1 of the “Cybersecurity Law”.
Article 27: Where Internet service providers and network using work units refuse or obstruct public security bodies’ Internet security supervision and inspection, punishment will be imposed according to Article 69 Paragraph 2 of the “Cybersecurity Law”.
Article 28: Were cybersecurity service bodies and their personnel who have been entrusted by public security bodies with providing technical support, interfere with or destroy the regular functioning of the inspection target’s networks, punishment will be imposed according to Article 63 of the “Cybersecurity Law”; where they leak, sell, or illegally provide personal information they obtain during their work, punishment will be imposed according to Article 64 Paragraph 2 of the “Cybersecurity Law”, where it constitutes a crime, criminal liability will be prosecuted according to the law.
Where bodies and personnel stipulated in the previous Paragraph infringe commercial secrets of the inspection target, constituting a crime, criminal liability will be prosecuted according to the law.
Article 29: Where public security bodies and their work personnel, during Internet security supervision and inspection, commit dereliction of duty, abuse their powers, or improperly pursue private gain, the directly responsible person in charge and other directly responsible persons shall be subject to punishment according to the law; where it constitutes a crime, criminal liability will be prosecuted according to the law.
Where public security bodies and their work personnel use the information they have obtained when lawfully carrying out their Internet security supervision and inspection duties for other purposes, the directly responsible person in charge and other directly responsible persons will be subject to punishment according to the law.
Chapter V: Supplementary provisions
Article 30: “Higher” and “within” as mentioned in these Regulations both include the number or rank itself.
Article 31: These Regulations take effect on (day, month, year).
Attachment: Public security body cybersecurity law enforcement inspection notification letter template
xxx PWAJ No. (xxxx)xx
According to the provisions of relevant laws and administrative regulations, such as the “People’s Police Law of the People’s Republic of China”, the “Cybersecurity Law of the People’s Republic of China”, the “Computer Information Network International Interconnection Security Protection Management Regulations”, etc., a cybersecurity law enforcement inspection will be presently carried out in your work unit, please grant support and coordination.
The police officer carrying out this inspection: (signature)
Staff from technical support work units (signature)
xxx Province (Autonomous Region, Municipality) xxx City (Prefecture, Municipality) Public Security Bureau Cybersecurity Branch (stamp)
Day, month, year
This notice is made in duplicate, one copy is to be handed over to the inspected work unit, one copy is to be kept on file in the cybersecurity department.
公安机关互联网安全监督检查规定
(征求意见稿)
第一章 总则
第一条 为加强和规范公安机关互联网安全监督检查工作,防范网络违法犯罪,维护网络安全,保护公民、法人和其他组织合法权益,根据《中华人民共和国人民警察法》、《中华人民共和国网络安全法》等有关法律、行政法规,制订本规定。
第二条 本规定适用于公安机关依法对互联网服务提供者和联网使用单位履行法律、行政法规和部门规章规定的网络安全责任义务情况进行的安全监督检查。
互联网上网服务营业场所的监督检查,按照《互联网上网服务营业场所管理条例》有关规定实施。
第三条 互联网安全监督检查,由地市级以上人民政府公安机关网络安全保卫部门组织实施。
第四条 上级公安机关应当对下级公安机关开展互联网安全监督检查的情况进行指导和监督。
第五条 公安机关开展互联网安全监督检查,应当遵守国家有关法律、行政法规和规章规定,保障公民、法人和其他组织的合法权益。
第六条 公安机关及其工作人员对依法履行互联网安全监督检查职责中知悉的个人信息和商业秘密,应当严格保密,不得泄露、出售或者非法向他人提供。
第七条 公安机关对互联网安全监督检查中发现的可能危害国家安全、公共安全、社会秩序的互联网安全风险,应当及时通报有关互联网管理部门。
第二章 检查内容和形式
第八条 互联网安全监督检查由互联网服务提供者网络服务运营机构和联网使用单位网络管理机构所在地公安机关具体负责。互联网服务提供者为个人的,可以由互联网服务提供者经常居住地所在地公安机关具体负责。
对互联网安全监督检查的管辖存在争议的,由共同的上级公安机关指定管辖。
第九条 公安机关可以实施以下互联网安全监督检查:
(一)对履行法定网络安全责任义务情况的监督抽查;
(二)在重大网络安全保卫任务期间的专项检查;
(三)根据需要进行的其他监督检查。
第十条 公安机关应当根据网络安全防范需要和网络安全风险隐患的具体情况,重点对下列互联网服务提供者和联网使用单位组织开展监督抽查:
(一)开办互联网接入、数据中心、内容分发、域名服务,或者变更互联网服务种类、内容未满一年的;
(二)开办互联网信息服务,或者变更互联网信息服务内容未满一年的;
(三)开设上网服务场所,或者联网单位接入互联网未满一年的;
(四)两年内曾发生过网络安全事件、违法犯罪案件,或者因未履行法定网络安全责任义务被公安机关依法给予行政处罚的。
第十一条 公安机关应当根据互联网服务提供者和联网使用单位履行法定网络安全责任义务的实际情况,重点检查以下内容:
(一)是否办理国际联网备案手续,并报送接入单位和用户基本信息及变更情况;
(二)是否制定网络安全管理制度和操作规程,确定网络安全负责人;
(三)是否采取防范计算机病毒和网络攻击、网络侵入等技术措施;
(四)是否采取记录并留存用户注册信息和上网日志信息的技术措施,留存时间是否符合法律法规规定;
(五)是否落实网络安全等级保护制度,按照有关标准规范要求,采取管理和技术措施,保护网络、信息系统、数据资源安全;
(六)是否采取在公共信息服务中禁止发布和停止传输违法信息,并保存相关记录的措施;
(七)是否依照国家法律和标准采取为公安机关依法维护国家安全、侦查犯罪、防范调查恐怖活动提供技术支持和协助措施;
(八)是否履行法律法规规定的其他网络安全责任义务。
第十二条 在国家重大网络安全保卫任务期间,公安机关对与国家重大网络安全保卫任务相关的互联网服务提供者和联网使用单位,可以组织开展专项检查,并重点检查以下内容:
(一)提供的互联网接入服务、信息服务和上网服务等是否符合网络安全要求;
(二)是否制定重大网络安全保卫任务所要求的工作方案、明确网络安全责任分工并确定安全管理人员;
(三)是否组织开展网络安全风险评估,并采取相应风险管控措施,堵塞网络安全漏洞隐患;
(四)是否制定网络安全应急处置预案并组织开展应急演练,应急处置相关设施是否完备有效;
(五)是否依法采取了重大网络安全保卫任务所需要的其他网络安全防范措施。
第十三条 对提供下列服务的互联网服务提供者和联网使用单位,公安机关除监督检查本规定第十一条所列内容外,还应当依法重点检查以下内容:
(一)提供互联网接入服务的互联网服务提供者和联网使用单位,是否记录并留存IP地址及分配使用情况;
(二)提供互联网数据中心服务的互联网服务提供者和联网使用单位,是否记录所提供的主机托管、主机租用和虚拟空间租用用户信息;
(三)提供互联网域名服务的互联网服务提供者和联网使用单位,是否记录网络域名申请、变动,是否对违法域名采取了停止解析措施;
(四)提供互联网信息服务的互联网服务提供者和联网使用单位,是否采取了用户发布信息管理、已发布违法信息消除和防止扩散措施;
(五)提供互联网内容分发服务的互联网服务提供者和联网使用单位,是否记录了内容分发网络与内容源网络链接对应情况;
(六)提供互联网上网服务的互联网服务提供者和联网使用单位,是否采取了符合公共安全行业技术标准的网络与信息安全保护技术措施。
第三章 检查程序
第十四条 互联网安全监督检查可以采取现场检查或者远程检测的方式进行。
第十五条 公安机关对互联网服务提供者和联网使用单位开展互联网安全监督现场检查,监督检查人员不得少于二人,并应当出示人民警察证和《执法检查通知书》。
第十六条 公安机关对互联网服务提供者和联网使用单位是否存在网络安全漏洞等网络安全风险隐患,可以开展远程检测。
第十七条 公安机关开展互联网安全监督检查可以根据需要采取以下措施:
(一)进入营业场所、机房、办公场所以及其他监督检查需要进入的场所;
(二)会见被检查对象的负责人或者网络安全管理相关人员,要求对检查事项做出说明;
(三)查阅、调取与网络安全监督检查相关的信息;
(四)查看网络安全保护技术措施运行情况;
(五)利用检查工具开展现场或远程检测。
第十八条 公安机关利用检查工具开展现场检查或远程检测,应当告知被检查对象或者公开检查事项,不得干扰、破坏被检查对象网络的正常运行。
公安机关开展现场检查或远程检测可以委托由省级以上公安机关授权的网络安全服务机构提供技术支持。在现场检查或远程检测中,公安机关应当监督网络安全服务机构落实安全管理与保密责任。
第十九条 公安机关开展现场检查,应当制作检查记录,并由两名以上检查人员和被检查对象负责人或者网络安全管理人员签名。被检查对象负责人或者网络安全管理人员对检查记录有异议的,应当允许其作出说明;拒绝签名的,检查人员应当在检查记录中注明。
公安机关开展远程检测,应当制作并留存检查记录,并由两名以上检查人员在检查记录上签名。网络安全服务机构的工作人员参与远程检测的,应当一并在检查记录上签名。
第二十条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位有网络安全风险隐患,但显著轻微的,可以口头责令整改,并在检查记录上注明;发现有违法行为,但情节轻微或者未造成后果的,可以依法约谈相关负责人要求采取措施消除隐患,限期进行整改。
第二十一条 公安机关应当对被检查对象整改情况进行核查。
第二十二条 检查收集的资料、制作的各类文书等材料,应当立卷存档。涉密文档按照国家有关规定单独存档和管理。
第二十三条 公安机关应当建立并落实网络安全监督检查工作制度,自觉接受互联网服务提供者、联网使用单位的监督。
公安机关在依法履行互联网安全监督检查职责中获取的信息,只能用于维护网络安全的需要,不得用于其他用途。
第四章 法律责任
第二十四条 互联网服务提供者和联网使用单位有下列违法行为,造成危害网络安全等后果或者拒不改正的,公安机关可以根据不同情况依法给予行政处罚:
(一)未制定网络安全管理制度和操作规程,未确定网络安全负责人的,依照《网络安全法》第五十九条第一款的规定予以处罚;
(二)未采取防范计算机病毒和网络攻击、网络侵入等技术措施的,依照《网络安全法》第五十九条第一款的规定予以处罚;
(三)未采取记录并留存用户注册信息和上网日志信息措施的,依照《网络安全法》第五十九条第一款的规定予以处罚;
(四)在提供互联网信息发布、即时通讯等服务中,未要求用户提供真实身份信息,或者对不提供真实身份信息的用户提供相关服务的,依照《网络安全法》第六十一条的规定予以处罚;
(五)未依法采取在公共信息服务中禁止发布和停止传输违法信息及保存相关记录措施的,依照《网络安全法》第六十八条的规定予以处罚;
(六)拒不为公安机关依法维护国家安全、侦查犯罪提供技术支持和协助的,依照《网络安全法》第六十九条第三项的规定予以处罚。
互联网服务提供者和联网使用单位拒不为公安机关依法进行防范、调查恐怖活动提供技术接口和解密等技术支持和协助的,由公安机关依照《反恐怖主义法》第八十四条第一项的规定予以处罚。
第二十五条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位,窃取或者以其他非法方式获取、非法出售或者非法向他人提供个人信息,尚不构成犯罪的,应当依照《网络安全法》第六十四条第二款的规定予以处罚。
第二十六条 公安机关在互联网安全监督检查中,发现互联网服务提供者和联网使用单位在提供的互联网服务中设置恶意程序的,应当依照《网络安全法》第六十条第一项的规定予以处罚。
第二十七条 互联网服务提供者和联网使用单位拒绝、阻碍公安机关互联网安全监督检查的,应当依照《网络安全法》第六十九条第二项的规定予以处罚。
第二十八条 受公安机关委托提供技术支持的网络安全服务机构及其工作人员,在工作中干扰、破坏被检查对象网络正常运行的,依照《网络安全法》第六十三条的规定予以处罚;泄露、出售、非法提供在工作中获悉的个人信息,依照《网络安全法》第六十四条第二款的规定予以处罚,构成犯罪的,依法追究刑事责任。
前款规定的机构及人员侵犯被检查对象的商业秘密,构成犯罪的,依法追究刑事责任。
第二十九条 公安机关及其工作人员在互联网安全监督检查中,玩忽职守、滥用职权、徇私舞弊的,对直接负责的主管人员和其他直接责任人员应当依法给予处分;构成犯罪的,依法追究刑事责任。
公安机关及其工作人员将在依法履行互联网安全监督检查职责中获取的信息用于其他用途的,对直接负责的主管人员和其他直接责任人员依法给予处分。
第五章 附则
第三十条 本规定所称“以上”、“内”皆包括本数或者本级。
第三十一条 本规定自X年X月X日起施行。
附件:公安机关网络安全执法检查通知书式样
公安机关网络安全执法检查通知书
XX公网安检﹝XXXX﹞XX号
:
依照《中华人民共和国人民警察法》、《中华人民共和国网络安全法》、《计算机信息网络国际联网安全保护管理办法》等有关法律、行政法规的规定,现对你单位进行网络安全执法检查,请予以支持配合。
执行本次检查民警:(签字)
技术支持单位人员:(签字)
省(区、市) 市(州、盟)公安局网安支队(盖章)
年 月 日
本通知书一式两份,一份交被检查单位,一份网安部门存卷存档。
