Translation by Rogier Creemers and Hunter Dorwart. Edited by Graham Webster.
Date issued: Nov. 14, 2021
Online Data Security Management Regulations (Draft for Comment)
Chapter I: General Principles
Article 1: In order to standardize online data handling activities, ensure data security, protect the lawful rights and interests of individuals and organizations in cyberspace, maintain national security and the public interest, and on the basis of laws such as the “Cybersecurity Law of the People’s Republic of China,” the “Data Security Law of the People’s Republic of China,” and the “Personal Information Protection Law of the People’s Republic of China,” these Regulations are formulated.
Article 2: These Regulations apply to the use of networks to conduct data handling activities within the [mainland] territory of the People’s Republic of China, as well as to the supervision and management of online data security.
These Regulations apply to activities outside the territory of the People’s Republic of China of handling the data of individuals and organizations within the territory of the People’s Republic of China, where one of the following circumstances is present:
- For the purpose of providing products or services within the territory;
- To analyze or assess the behavior of individuals or organizations within the territory;
- When handling involves important domestic data;
- Other circumstances as provided in laws or administrative regulations.
These Regulations do not apply to natural persons' data handling activities for personal or household affairs.
Article 3: The State comprehensively plans development and security; it persists in equally emphasizing stimulation of data development and use, and ensuring data security; it strengthens the construction of data security protection capabilities, ensures the lawful, orderly, and free flow of data, and stimulates the lawful, reasonable, and efficient use of data.
Article 4: The State supports data development, use, and security protection-related technology, product and service innovation, and talent training.
The State encourages State bodies, sectoral organizations, enterprises, educational and scientific research bodies, related specialized bodies, etc., to conduct data development, use, and security protection cooperation, and conduct data security propaganda, education, and training.
Article 5: The State establishes a categorized and graded protection system for data. According to the influence and degree of importance of data towards national security, the public interest, or the lawful rights and interests of individuals or organizations, data is classified into ordinary data, important data, and core data, and different protection measures are undertaken for different grades of data.
The State conducts focused protection of personal information and important data, and implements strict protection for core data.
All localities and all departments shall, according to the State data categorization and grading requirements, conduct categorized and graded management of data within their localities, their departments, and in related sectors and areas.
Article 6: Data handlers bear responsibility for the security of the handled data; they undertake data security protection duties, accept government and social supervision, and bear social responsibility.
Data handlers shall, according to the provisions of laws and administrative regulations as well as the mandatory requirements of national standards, establish and perfect data security management systems and technical protection mechanisms.
Article 7: The State promotes public data openness and sharing, stimulates data development and use, and implements supervision and management over public data according to the law.
The State establishes and completes data transaction management systems, clarifies data transaction bodies’ establishment and operations standards, standardizes data exchange and transacting activities, and ensures the lawful and orderly flow of data.
Chapter II: General Provisions
Article 8: Any individual or organization engaging in data handling activities shall abide by the law and administrative regulations, respect social morals and ethics, and may not engage in the following activities:
- Harming national security, honor, or interests, or divulging State secrets and work secrets;
- Violating other persons’ right to reputation, privacy rights, intellectual property rights, or other lawful rights and interests;
- Obtaining data through theft or other illegal methods;
- Illegally selling or illegally providing data to other persons;
- Producing, disseminating, reproducing, or transmitting unlawful information;
- Other acts prohibited by laws or administrative regulations.
No individual or organization may, where they know or should know other persons are engaging in activities mentioned in the previous Paragraph, provide them with technical support, tools, software, advertising, payment settlement, or other such services.
Article 9: Data handlers shall adopt the necessary measures, including back-ups, encryption, access control, etc., to ensure that data is not leaked, stolen, distorted, destroyed, lost, or illegally used; to respond to data security incidents; to prevent unlawful and criminal activities targeting and using data; and to safeguard the integrity, confidentiality, and usability of data.
Data handlers shall, according to the requirements of the cybersecurity multi-level protection system, strengthen security protection of data handling systems, data transmission networks, data storage environments, etc. Systems handling important data shall, in principle, satisfy the requirements of the third tier or higher of cybersecurity multi-level protection and critical information infrastructure security protection; systems handling core data will be strictly protected according to relevant regulations.
Data handlers shall use encryption to protect important data and core data.
Article 10: When data handlers discover that leaks or vulnerabilities exist in the online products or services they use or provide, or there are risks threatening national security, endangering the public interest, etc., they shall immediately adopt remedial measures.
Article 11: Data handlers shall establish data security emergency response mechanisms, promptly activate the emergency response mechanism when a data security incident occurs, adopt measures to prevent harm from expanding, and eliminate the security threat. Where security incidents result in harm to individuals or organizations, data handlers shall notify the affected party within three working days about the incident and risk situation, the harmful consequences, remedial measures already adopted, etc., through means such as telephone, text message, instant messaging tools, e-mail, etc. Where it is impossible to contact them, it is permitted to use public announcements for notification. Where laws or administrative regulations permit non-notification, those provisions apply. Where a security incident is suspected to be a crime, data handlers shall file the matter with the public security bodies according to regulations. When a leak, destruction, loss, or other such data security incident occurs involving important data or the personal information of 100,000 individuals or more, data handlers shall also fulfill the following duties:
- Within eight hours of the security incident occurring, reporting the incident’s basic information to the districted city-level cybersecurity and informatization department and the relevant competent department. This includes the data quantities and categories involved, the possible effects, response measures already adopted or planned, etc.;
- Within five working days after the conclusion of incident response, reporting an investigation and assessment report to the districted city-level cybersecurity and informatization department and the relevant competent department, including the incident’s cause, the harmful consequences, responsibility assessment, improvement measures, and other such matters.
Article 12: Where data handlers provide personal information to third parties, or share, trade or entrust the handling of important data, they shall abide by the following provisions:
- Notifying individuals about the purpose, category, method, scope, storage period, and storage location of the provided personal information, and obtaining separate consent from the individual, except in circumstances where, in conformance with the provisions of laws and administrative regulations, it is not necessary to obtain individual consent, or where anonymization processing is undertaken;
- Agreeing the purpose, scope, handling method, data security protection measures, etc., with the data recipient; clarifying the data security responsibilities and duties of both sides in the form of contracts, etc.; and conducting supervision over the data handling activities of the data recipient;
- Preserving, for a period of at least five years, individual consent records and daily records on the provision of personal information, as well as examination and approval records, daily records, etc., on the sharing, trading, or entrusted handling of important data.
Data recipients shall fulfill the agreed duties, and may not handle personal information and important data outside of the agreed purpose, scope, or handling methods.
Article 13: Data handlers conducting the following activities shall report for cybersecurity review according to relevant State provisions:
- Where Internet platform operators collecting or holding large amounts of data resources related to national security, economic development, or the public interest carry out mergers, reorganizations, or separations, affecting or possibly affecting national security;
- Where data handlers handling personal information of more than 1 million individuals list on a market abroad;
- Where data handlers list in Hong Kong, affecting or possibly affecting national security;
- Other data handling activities affecting or possibly affecting national security.
Large-scale Internet platform operators establishing headquarters or operations centers, or research and development centers, abroad, shall report the matter to the national cybersecurity and informatization department and competent department.
Article 14: Where data handlers merge, reorganize, or separate, the data recipient shall continue to fulfill data security protection duties; where this involves important data or the personal information of 1 million or more individuals, they shall report the matter to the districted city-level competent department; where data handlers are dissolved, or are declared bankrupt, they shall report the matter to the districted city-level competent department, and move or delete data according to related requirements; where the competent department is unclear, they shall report the matter to the districted city-level cybersecurity and informatization department.
Article 15: Data handlers obtaining data from other channels shall fulfill data security protection duties according to these Regulations.
Article 16: State bodies shall, according to the provisions of laws and administrative regulations, and the mandatory requirements of national standards, establish and complete data security management systems, implement data security protection responsibilities, and ensure the security of government data.
Article 17: When data handlers adopt automated tools to access or collect data, they shall assess the effect on online services brought about by their nature and functions; they may not interfere with the regular functioning of online services.
Where automated tool access or collection of data violates laws, administrative regulations or sectoral self-discipline conventions, influences the regular functioning of online services, or infringes other persons’ intellectual property rights or other such lawful rights and interests, data handlers shall cease access or collection of data and adopt corresponding remedial measures.
Article 18: Data handlers shall establish convenient data security complaints channels, and promptly collect and deal with data security complaint reports.
Data handlers shall publish contact methods and information about the persons responsible for the receipt of complaints and reports; annually publish and disclose details about the number of personal information security complaints received and accepted, the complaint handling situation, and the average processing time; and accept social supervision.
Chapter III: Personal Information Protection
Article 19: Data handlers handling personal information shall have a clear and reasonable purpose and abide by the principles of legality, propriety, and necessity. Where they handle personal information on the basis of individual consent, they shall satisfy the following requirements:
- The handled personal information is necessary to provide services, or necessary to fulfill duties provided in laws or administrative regulations;
- It is limited to the shortest period and lowest frequency necessary to realize the handling purpose, and adopts methods minimizing effects on individuals’ rights and interests;
- It is prohibited to refuse the provision of services or interfere with an individual’s regular use of services due to that individual’s refusal to provide information other than that necessary for the provision of services.
Article 20: Data handlers handling personal information shall formulate personal information handling rules and strictly abide by them. Personal information handling rules shall be published openly and in one collection, be easy to access and placed in an eye-attracting position, have clear and concrete content, use simple, clear and common language, and systematically and completely explain personal information handling circumstances to individuals.
Personal information handling rules shall include but not be limited to the following content:
- Elucidation of the personal information needed for the function of the product or service; the purpose, application, methods, categories, frequencies or time frames, storage location, etc., of the personal information handled for every functionality in a list form; as well as the influence on the individual of refusing the handling of personal information;
- Personal information storage periods, or the method used to determine personal information storage periods; the handling method after the end of the period of validity;
- Channels and methods for individuals to consult, reproduce, correct, delete, limit the handling of, or transfer personal information, as well as to cancel accounts, and to revoke consent for the handling of personal information;
- Explanation of third-party code collecting personal information inserted in products or services and the names of plug-ins, displayed in a collection or in other such methods convenient for users to access; as well as the purpose, method, categories, frequencies or time frames of third-party code and plug-ins’ collection of personal information, and their personal information handling rules;
- The situation of provision of personal information to third parties, and the purposes, methods, categories, and data recipient-related information, etc.;
- Personal information security risks and protection measures;
- Personal information problem complaints and reporting channels and resolution pathways, contact methods for persons responsible for personal information protection.
Article 21: Where individual consent shall be obtained for handling personal information, data handlers shall abide by the following provisions:
- Consent to handle personal information is to be requested from the individual separately by category of services; broad conditions may not be used to obtain consent;
- Separate individual consent shall be obtained to handle sensitive personal information such as individual biometric characteristics, religious beliefs, specially designated identities, healthcare and medical information, financial accounts, geolocation and tracking, etc.;
- When handling the personal information of minors under the age of 14, consent shall be obtained from their guardian;
- It is prohibited to coerce individuals to consent to the handling of their personal information for reason of improving service quality, improving user experience, researching and developing new products, etc.;
- Individual consent may not be obtained through misleading, fraudulent, or coercive means;
- Individuals may not be misled or coerced into giving consent for batches of personal information through bundling different categories of services, requesting consent in batches, and other such methods;
- Personal information handling may not exceed the scope authorized in the individual consent;
- Consent may not be repeatedly sought after an individual has clearly signalled non-consent, interfering with the regular use of services.
Where a change occurs in the personal information handling purpose, handling method and the handled personal information categories, data handlers shall obtain individual consent again, and simultaneously revise the personal information handling rules.
Where disputes exist in relation to the validity of acts of individual consent, data handlers bear evidentiary responsibility.
Article 22: Where one of the following circumstances is present, data handlers shall delete personal information within 15 working days or apply anonymization processing:
- The personal information handling purpose has been realized, or it is no longer necessary to realize the handling purpose;
- The storage period agreed with the user or determined in the personal information handling rules has been reached;
- Services are terminated or the individual cancels their account;
- Because of the use of automated collection technology, etc., it was impossible to avoid the collection of unnecessary personal information or personal information has been collected without individual consent.
Where it is difficult to delete personal information within 15 working days because deletion of personal information is difficult to realize technically, or because of operational complexities and other such reasons, data handlers may not conduct handling other than storage and the adoption of necessary security protection measures, and shall make a reasonable explanation to the individual.
Where laws and administrative regulations provide otherwise, those provisions are followed.
Article 23: Where individuals submit reasonable requests to consult, reproduce, correct, complete, limit the handling of, or delete their personal information, data handlers shall fulfill the following duties:
- Providing convenient methods and channels to support individuals to consult their collected personal information categories, quantities, etc., in a structured manner; they may not limit individuals’ reasonable requests for reasons such as time, location, etc.;
- Providing convenient functions supporting individuals to reproduce, correct, complete, limit the processing of, or delete their personal information, revoke authorization and consent, as well as cancel accounts; they may furthermore not put in place unreasonable conditions;
- Where they receive an application from an individual to reproduce, correct, complete, limit the handling of, or delete their personal information, revoke authorization and consent, or cancel accounts, they shall handle these within 15 working days and provide feedback.
Where laws and administrative regulations provide otherwise, those provisions are followed.
Article 24: For personal information transfer requests meeting the following conditions, data handlers shall provide transfer services to another data handler assigned by the individual to access and obtain the personal information:
- The personal information for which transfer is requested is personal information collected based on consent or necessary to conclude and fulfill a contract;
- The personal information for which transfer is requested is the information of that person, or the information of another person which the requesting person has lawfully obtained and whose transfer does not violate the will of the other person;
- It is possible to verify the lawful identity of the requesting person.
Where data handlers discover that there is a risk that the other data handler receiving personal information handles personal information illegally, they shall conduct a reasonable risk notification on the personal information transfer request.
Where requests for personal information transfer are frequent, clearly exceeding a reasonable scope, data handlers may obtain reasonable fees.
Article 25: Where data handlers use biometric characteristics to conduct individual identity verification, they shall conduct a risk assessment of its necessity and security; they may not make faces, gaits, fingerprints, irises, voice prints, and other such biometric characteristics into the sole personal identity verification method in order to force individuals to consent to the collection of their personal biometric characteristic information.
Where laws or administrative regulations provide otherwise, those provisions are followed.
Article 26: Where data handlers handle the personal information of more than 1 million persons, they shall also abide by the provisions in Chapter IV of these Regulations concerning important data handlers.
Chapter IV: Security of Important Data
Article 27: All localities and all departments are to, according to relevant State requirements and standards, organize data handlers in their localities and their departments as well as related sectors and areas to identify important data and core data, organize the formulation of important data and core data catalogs for their localities, their departments, and related sectors and areas, and report them to the national cybersecurity and informatization department.
Article 28: Important data handlers shall appoint a person responsible for data security, and establish a data security management body. The data security management body is under the leadership of the person responsible for data security, and fulfills the following duties:
- Researching and proposing data security-related major policy suggestions;
- Formulating and implementing data security protection plans and data security incident emergency response plans;
- Conducting data security risk monitoring, and promptly dealing with data security risks and incidents;
- Regularly organizing and conducting data security propaganda, education and training, risk assessment, emergency response exercises, and other such activities;
- Receiving and dealing with data security complaints and reports;
- Promptly reporting the data security situation to cybersecurity and informatization departments as well as competent and supervising departments according to requirements.
The person responsible for data security shall have specialized data security knowledge and corresponding management work experience, be appointed from the data handler’s policy decision-level members, and have the power to directly report the data security situation to the cybersecurity and informatization departments and competent and supervising departments.
Article 29: Handlers of important data shall file with the districted city-level cybersecurity and informatization department within 15 working days of identifying their important data; the filing content includes:
- The basic information of the data handler, information about the data security management body, the full name and contact method of the person responsible for data security, etc.;
- The purpose, scale, method, scope, categories, storage periods, storage locations, etc., of handled data, not including data content itself;
- Other filing content as provided by the national cybersecurity and informatization department and competent and supervising departments.
Where a major change occurs in the purpose, scope, categories, data security protection measures, etc., of handled data, filing shall be renewed.
On the basis of the departmental division of duties and responsibilities, cybersecurity and informatization departments are to share filing information with relevant departments.
Article 30: Handlers of important data shall formulate data security training plans, annually organize and conduct all-staff data security education and training; the annual education and training time for data security-related technical and management staff may not be less than 20 hours.
Article 31: Handlers of important data shall give preference to purchasing secure and trustworthy network products and services.
Article 32: Data handlers handling important data or listing on stock exchanges abroad shall conduct a data security assessment once every year themselves, or entrust a data security service body to do so, and submit the data security assessment report of the previous year to the districted city-level cybersecurity and informatization department by January 31 every year; the annual data security assessment report’s content includes:
- The situation of handling important data;
- Discovered data security risks and response measures;
- Data security management systems, data back-up, encryption, access control, and other such security protection measures, as well as the management system implementation situation and the efficacy of protective measures;
- The situation of implementing national data security laws, administrative regulations and standards;
- The situation of occurred data security incidents and their handling;
- The security assessment situation of important data sharing, trading, entrusted handling, and provision abroad;
- Data security-related complaints and the handling situation;
- Other data security matters determined by the national cybersecurity and informatization department and competent and supervising departments.
Data handlers shall preserve risk assessment reports for at least three years.
On the basis of departmental divisions of duties and responsibilities, cybersecurity and informatization departments are to share reported information with relevant departments.
Data handlers conducting security assessment for important data sharing, trading, entrusted handling, or provision abroad, shall focus on assessing the following content:
- The data shared, traded, entrusted for handling, or provided abroad, as well as whether the purpose, method, scope, etc., of the data recipient’s data handling are lawful, proper, and necessary;
- The risk that the data shared, traded, entrusted for handling, or provided abroad leaks, or is destroyed, distorted, or abused; as well as the risks brought to national security, economic development, and the public interest;
- The trustworthiness status and legal compliance system of the data recipient, their cooperative relationship with foreign government bodies, whether or not they are sanctioned by the Chinese government, and other such background information, whether or not they are able to effectively protect data security through the responsibility they commit to bear as well as their capability to fulfill their responsibilities, etc.;
- Whether the requirements concerning data security in the related contracts concluded with the data recipient can effectively restrain the data recipient to fulfilling their data security protection duties and responsibilities;
- Whether or not management and technical measures during the data handling process can prevent data leaks, destruction, and other such risks.
Where the assessment establishes that harm to national security, economic development, or the public interest is possible, data handlers may not share data, trade it, entrust its handling, or provide it abroad.
Article 33: Where data handlers share, trade, or entrust the handling of important data, they shall obtain consent from the districted city-level or higher competent department; where the competent department is not clear, they shall obtain consent from the districted city-level or higher cybersecurity and informatization department.
Article 34: Cloud computing services purchased by State bodies and critical information infrastructure operators shall undergo a security assessment organized by the national cybersecurity and informatization department together with relevant State Council departments.
Chapter V: Cross-Border Data Security Management
Article 35: Where data handlers need to provide data outside of the territory of the People’s Republic of China due to operational and other such requirements, they shall meet one of the following conditions:
- Undergoing a data cross-border security assessment organized by the national cybersecurity and informatization department;
- The data handler and data recipient both passing personal information protection certification conducted by a specialized body recognized by the national cybersecurity and informatization department;
- Concluding contracts with the foreign data recipient according to provisions formulated by the national cybersecurity and informatization department concerning standard contracts, defining both sides’ rights and obligations;
- Other conditions provided by law, administrative regulations, or the national cybersecurity and informatization department.
Where a data handler provides personal information of a concerned party abroad as required for concluding or fulfilling a contract where an individual is a concerned party, or personal information is provided abroad as necessary for protecting individuals’ lives or health, or the security of their property, an exception is made.
Article 36: Where data handlers provide personal information outside of the territory of the People’s Republic of China, they shall notify the individual about the name of the foreign data recipient, their contact method, the handling purpose, handling method, personal information categories, as well as methods for individuals to exercise their personal information rights with the foreign data recipient and other such matters, and obtain separate consent from the individual.
Where individuals’ consent has been obtained separately for personal information export at the time of personal information collection, and export takes place according to the matters for which consent has been obtained, it is not necessary to obtain the individual’s separate consent again.
Article 37: Where data handlers provide data collected or produced within the territory of the People’s Republic of China abroad, and the matter falls under the following circumstances, they shall undergo a data cross-border security assessment organized by the national cybersecurity and informatization department:
- The data transferred abroad contains important data;
- Critical information infrastructure operators, or data handlers handling the personal information of 1 million or more persons, providing personal information abroad;
- Other circumstances as provided by the national cybersecurity and informatization department.
Where laws, administrative regulations or the national cybersecurity and informatization department provide it is permitted to not conduct a security assessment, those provisions are followed.
Article 38: Where the People’s Republic of China has concluded or acceded to international treaties or agreements that contain provisions concerning the conditions for providing personal information outside of the territory of the People’s Republic of China, it is permitted to act according to those provisions.
Article 39: Data handlers shall fulfill the following duties when providing data abroad:
- They may not provide personal information abroad outside of the purpose, scope, method, data categories, scale, etc., indicated in the report submitted to the cybersecurity and informatization department concerning personal information protection impact assessment;
- They may not provide personal information or important data abroad in excess of the export purpose, scope, method and data categories, scope, etc., determined at the time of security assessment by the cybersecurity and informatization department;
- Adopt contracts and other such effective measures to supervise data recipients to use data according to the purpose, scope, and method agreed upon by both parties, fulfill data security protection duties, and ensure data security;
- Accepting and handling outbound data transfer-related user complaints;
- Where outbound data transfer generates harm to the lawful rights and interests of individuals or organizations, or the public interest, data handlers shall bear liability according to the law;
- Retaining related daily records and outbound data transfer examination and approval records for a period of three years or more;
- When the national cybersecurity and informatization department, together with relevant State Council departments, examines and verifies the categories and scope of personal information and data provided abroad, data handlers shall provide explanations in clear writing and in readable ways;
- Where cybersecurity and informatization departments determine outbound transfer is not permitted, data handlers shall cease outbound data transfer, and adopt effective measures to supplement the security of data already transferred abroad;
- Where personal information needs to be transferred after outbound transfer, the conditions for re-transfer shall be agreed upon with the individual in advance, and the security protection duties the recipient is to fulfill clarified.
Without the approval of the competent department of the People’s Republic of China, domestic individuals and organizations may not provide data stored within the territory of the People’s Republic of China to foreign judicial and law enforcement bodies.
Article 40: Data handlers providing personal information and important data abroad shall compile an outbound data transfer security report before January 31 of each year, and report the data export situation of the previous year to the districted city-level cybersecurity and informatization department:
- The complete name and contact method of the data recipient;
- The categories, quantities, and purpose of the exported data;
- The storage location, storage period, and scope and methods of use of the data abroad;
- The situation of user complaints involving foreign provision of data and their handling situation;
- Data security incidents that occurred, and the response to them;
- The situation of retransfer after data export;
- Other matters required to be reported by the national cybersecurity and informatization department concerning provision of data abroad.
Article 41: The State establishes a cross-border data security gateway, to interrupt the transmission of information originating from outside the People’s Republic of China, of which laws and administrative regulations prohibit the dissemination or transmission.
No individual or organization may provide software, tools, lines (线路), etc., used to penetrate or circumvent the cross-border data security gateway; they may not provide Internet access, server contracting, technical support, dissemination and marketing, payment settlement, application download, and other such services for the penetration or circumvention of the cross-border data security gateway.
Where domestic users access the domestic network, their traffic may not be routed abroad.
Article 42: Data handlers engaging in cross-border data activities shall, according to the supervision and management requirements for national cross-border data security supervision and management, establish and complete related technical and management measures.
Chapter VI: The Duties of Internet Platform Operators
Article 43: Internet platform operators shall establish data-related platform rules, privacy policies, and algorithmic policy disclosure systems; timely disclose decision procedures and voting procedures; and ensure that platform rules, privacy rules, and algorithms are fair and just.
When formulating platform rules or privacy policies or revising them in a way significantly affecting user rights and interests, Internet platform operators shall openly solicit opinions from society on their official website and the personal information protection–related sectoral association’s Internet platform. The opinion solicitation period may not be less than 30 working days, ensuring that users are able to conveniently and fully express their opinions. Internet platform operators shall fully adopt the public’s opinions, revise and perfect platform rules and privacy policies; and publish the opinion adoption situation in a manner easy for users to access, explaining the reasons for not adopting them, and accepting social supervision.
Where large-scale Internet platform operators with over 100 million daily active users formulate platform rules or privacy policies, or revise them in a manner significantly affecting the rights and interests of users, they shall undergo assessment by a third-party body recognized by the national cybersecurity and informatization department, and report the matter to the provincial-level or higher cybersecurity and informatization department and telecommunications competent department for approval.
Article 44: Internet platform operators shall bear data security management responsibility for third-party products and services connected to their platforms, determine the data security responsibilities and duties of third parties through contracts and other such forms, and supervise third parties to strengthen data security management and adopt the necessary data security protection measures.
Where third-party products and services generate harm to users, the user may require the Internet platform operator to pay compensation first.
The provisions of the previous two Paragraphs apply to the installation of third-party products on mobile telecommunications terminals.
Article 45: The State encourages Internet platform operators providing instant messaging services to provide users with the choice between personal messaging and non-personal messaging in terms of functional design. Personal messaging information is strictly protected according to personal information protection requirements; non-personal messaging information is managed according to provisions related to public information.
Article 46: Internet platform operators may not use data, platform rules, etc., to engage in the following activities:
- Using user data collected and held on the platform to implement product and service price differentiation and other such activities harming users’ lawful rights and interests against users with similar trading conditions without proper reasons;
- Using merchant (经营者) data collected and held on the platform to implement lowest-price sales in product marketing, and other such activities harming fair competition;
- Using data to mislead, defraud, or coerce users, violating users’ right to decide how their data is handled, and handling user data in violation of users’ wishes;
- Setting up unreasonable limits or obstacles in areas such as platform rules, algorithms, technology, flow allocation, etc., restricting on-platform small and mid-size enterprises from fairly obtaining data about activities and markets generated on the platform, and obstructing market innovation.
Article 47: Internet platform operators providing application program distribution services shall, according to the provisions of relevant laws and administrative regulations and the national cybersecurity and informatization department, establish and disclose application program examination and verification norms, and conduct security examination and verification of application software. Where application software does not conform to the provisions of laws and administrative regulations or the mandatory requirements of national standards, measures such as refusal to carry, supervised rectification, and stopping carrying shall be adopted.
Article 48: Where Internet platform operators provide instant messaging services to the public, they shall, according to the provisions of the State Council telecommunications managing department, provide data interfaces for instant messaging services of other Internet platform operators, supporting user data interconnection between different instant messaging services; without proper reason, it is not permitted to restrict users from accessing other Internet platforms as well as transmitting files to other Internet platforms.
Article 49: Where Internet platform operators use personal information and individualized push algorithms to provide information to users, they shall bear responsibility for the veracity and accuracy of the pushed information as well as the legality of the source, and conform to the following requirements:
- When collecting personal information for use in individualized recommendation, they shall obtain separate consent from the individual;
- Installing easy-to-understand and conveniently accessible and operable choices to disable individualized recommendations with one click, allowing users to refuse receipt of directed recommended information, allowing users to reset, revise, and adjust directed recommendation parameters of their individual characteristics;
- Allowing individuals to delete personal information collected or created by directed recommendation information services, except where laws or administrative regulations provide otherwise or it is agreed otherwise with the user.
Article 50: The State establishes public service infrastructure for online identity verification, to provide individual identity verification public services according to the principles of government guidance and voluntary participation by netizens.
Internet platform operators shall support and give preference to using the national online identity verification public service infrastructure-provided personal information verification services.
Article 51: Where Internet platform operators provide services for State bodies, participating in the construction, maintenance, and management of public infrastructure or public service systems, the data collected or created in the process of using public resources to provide services may not be used for other purposes.
Article 52: Relevant State Council departments fulfilling statutory duties that need to obtain or access Internet platform operator-held public data or public information shall clarify the scope, categories, purpose, and basis for obtaining or accessing it, and are strictly limited to working within the scope of fulfilling their statutory duties; they may not use public data or public information they obtain or access for purposes other than fulfilling statutory duties.
Internet platform operators shall cooperate with relevant departments’ obtaining or accessing of public data or public information.
Article 53: Large-scale Internet platform operators shall, through retaining a third party for auditing, annually conduct an audit of the platform data security situation, the situation of platform rules and implementation of self-made commitments, the personal information protection situation, the data exploitation and use situation, etc., and disclose the auditing results.
Article 54: Internet platform operators using artificial intelligence, virtual reality, deep synthesis, and other such new technologies to conduct data handling activities shall conduct a risk assessment according to relevant State provisions.
Chapter VII: Supervision and Management
Article 55: The national cybersecurity and informatization department is responsible for the comprehensive coordination of data security and related supervision and management work.
Public security bodies, national security bodies, etc., bear data security supervision and management duties and responsibilities within the scope of their respective duties and responsibilities.
Industry, telecommunications, transportation, finance, natural resources, healthcare, education, science and technology, and other such competent departments bear data security supervision and management duties and responsibilities within their sectors and their areas.
Competent departments shall determine data security protection work bodies and personnel for their sectors and their areas, and compile and organize the implementation of data security plans and data security incident emergency response plans for their sectors and their areas.
Competent departments shall regularly organize and conduct data security risk assessments for their sectors and their areas, conduct supervision and inspection of the situation of data handlers fulfilling data security protection duties, and guide and supervise data handlers in timely rectifying existing risks and vulnerabilities.
Article 56: The State is to establish and complete data security emergency response handling mechanisms, perfect cybersecurity emergency response plans and cybersecurity information sharing platforms, include data security incidents in national cybersecurity incident emergency response mechanisms, strengthen data security information sharing, data security risk and threat monitoring, and early warning, as well as data security incident emergency handling work.
Article 57: Relevant competent and supervision departments may adopt the following measures to conduct supervision and inspection of data security:
- Requiring data handlers’ relevant personnel to explain supervision and inspection matters;
- Inspecting or obtaining data security-related dossiers and records;
- According to regulatory procedure, using monitoring tools or entrusting specialized bodies to conduct technical monitoring of the operational situation of data security measures;
- Examining data export categories, scopes, etc.;
- Other necessary methods provided in laws, administrative regulations, and rules.
Relevant competent and supervision departments conducting data security supervision and inspection shall be objective and fair; they may not obtain fees from the inspected work unit. Information obtained during the process of data security supervision and inspection can only be used as required to safeguard data security; it may not be used for other purposes.
Data handlers shall cooperate with competent and supervision departments’ data security supervision and inspection, including by giving explanations and clarification regarding organizational operations, technical systems, algorithmic principles, data handling processes, etc.; opening up security-related data for access; providing the necessary technical support; etc.
Article 58: The State establishes a data security audit system. Data handlers shall entrust specialized data security audit bodies with regularly conducting compliance audits of whether their handling of personal information complies with laws and administrative regulations.
Competent and supervision departments are to organize and conduct audits of important data handling activities, focusing on auditing the situation of data handlers’ fulfilling duties provided in laws and administrative regulations, etc.
Article 59: The State supports related sectoral organizations to, according to their Charter, formulate behavioural norms for data security, strengthen sectoral self-discipline, and guide members in strengthening data security protection, raising data security protection levels, and stimulating the healthy development of the sector.
The State supports the establishment of sectoral organizations for personal information protection, conducting the following activities:
- Receiving personal information protection complaints and reports, and engaging in investigation and mediation;
- Providing information and consulting services to individuals, supporting individuals to raise lawsuits against activities harming their personal information rights and interests;
- Exposing activities harming personal information rights and interests, conducting social supervision over personal information protection;
- Reflecting the personal information protection situation to relevant departments, providing consulting and suggestions;
- Raising lawsuits with People's Courts according to the law against acts unlawfully handling personal information or infringing the rights and interests of large numbers of individuals.
Chapter VIII: Legal Liability
Article 60: Data handlers that fail to fulfill the provisions of Articles 9, 10, 11, 12, 13, 14, 15 or 18 shall be issued a warning and ordered to make corrections by the relevant competent department and may be additionally fined between 50,000 and 500,000 RMB. The directly responsible person in charge and other responsible personnel may be fined between 10,000 RMB and 100,000 RMB. Data handlers that refuse to make corrections or cause data security endangerment or other serious consequences shall be fined between 500,000 RMB and 2 million RMB. The relevant competent department may order the suspension of related business activities, cessation of business for rectification, and cancellation of corresponding professional licenses or business permits. The directly responsible person in charge and other directly responsible personnel are to be fined between 50,000 and 200,000 RMB.
Article 61: Data handlers that fail to fulfill data security protection responsibilities under the provisions of Articles 19, 20, 21, 22, 23, 24, and 25 shall be issued warnings, ordered to make corrections, and ordered by relevant departments to suspend or terminate the provision of services of applications that illegally handle personal information. Data handlers that refuse to make corrections shall be additionally fined no more than 1 million RMB. Directly responsible persons in charge and other personnel shall be fined between 10,000 RMB and 100,000 RMB.
Where the circumstances of the unlawful acts mentioned in the preceding Paragraph are grave, the relevant department shall order correction, confiscate illegal income, and impose a fine of a maximum of 50 million RMB or no greater than 5% of the previous year’s business volume (营业额). The relevant department may order the suspension of related business activities, cessation of the business for rectification and/or report to the relevant competent authorities for cancellation of relevant professional licenses or cancellation of business permits. Directly responsible persons in charge and other responsible persons may be fined between 100,000 RMB and 1 million RMB. Relevant departments may also decide to prohibit them from serving as directors, supervisors, senior managers, and/or personal information protection officers for relevant businesses for a certain period of time.
Article 62: Data handlers that fail to fulfil the data security protection responsibilities under the provisions of Articles 28, 29, 30, 31, 32, and 33 shall be issued warnings, ordered to make corrections, and ordered by relevant departments to suspend or terminate the provision of services of systems and applications that illegally handle important data. Data handlers that refuse to make a correction shall be additionally fined a maximum of 2 million RMB. The directly responsible person in charge and other directly responsible personnel shall be fined between 50,000 and 200,000 RMB.
Where the circumstances of the unlawful acts mentioned in the preceding Paragraph are grave, the relevant department shall order correction, confiscate illegal income, and impose a fine between 2 million and 5 million RMB. They may also order the suspension of related business activities, cessation of business for rectification, and/or report to the relevant competent department for cancellation of corresponding professional licenses or cancellation of business permits. Directly responsible persons in charge and other responsible personnel shall be fined between 200,000 and 1 million RMB.
Article 63: Critical information infrastructure operators that violate the provisions of Article 34 shall be ordered by relevant competent departments to make corrections and punished in accordance with relevant laws and administrative regulations.
Article 64: Data handlers who violate Articles 35, 36, 37, Article 39 Item 1, Article 40, or Article 42 shall be issued warnings, and ordered by relevant departments to make corrections and suspend outbound data transfer, and may additionally be fined between 100,000 and 1 million RMB. The directly responsible person in charge and other directly responsible personnel may be fined between 10,000 and 100,000 RMB. Where the circumstances are grave, a fine between 1 million and 10 million RMB may be imposed and the relevant department may order the suspension of related business activities, cessation of business for rectification, and/or cancellation of corresponding professional licenses or cancellation of business permits. The directly responsible person in charge and other directly responsible personnel may be fined between 100,000 and 1 million RMB.
Article 65: Data handlers that violate the provisions of Article 39 Item 2 of these Regulations and provide data to foreign judicial or law enforcement agencies without approval of competent departments shall be given a warning by the relevant competent department and may additionally receive a penalty between 100,000 and 1 million RMB. Directly responsible persons in charge and other directly responsible personnel may be fined between 10,000 and 100,000 RMB. Where the consequences are grave, a fine between 1 million and 5 million RMB may be imposed and the relevant department may order the suspension of related business activities, cessation of business for rectification, and/or cancellation of corresponding professional licenses or cancellation of business permits. Directly responsible persons in charge and other directly responsible personnel may be fined between 50,000 and 500,000 RMB.
Article 66: Individuals and organizations that violate the provisions of Article 41 shall be issued warnings, ordered to make corrections, and have any illegal income confiscated by relevant competent departments. Individuals and organizations that refuse to make corrections shall be fined no less than one time but no more than ten times the amount of illegal income obtained. If no illegal gains are obtained, the directly responsible person in charge and other responsible personnel shall be fined between 50,000 and 500,000 RMB. Where the circumstances are serious, the relevant competent department shall, in accordance with the law, order the suspension of related business activities, cessation of business for rectification, and/or cancellation of corresponding professional licenses or cancellation of business permits. If the violation constitutes a crime, punishment shall be imposed in accordance with laws and administrative measures.
Article 67: Internet platform operators that violate the provisions of Article 43, Article 44, Article 45, Article 47, and Article 53 shall be issued warnings and ordered to make corrections by relevant departments. Operators that refuse to make corrections shall be fined between 500,000 and 5 million RMB. The directly responsible person in charge and other responsible personnel shall be fined between 50,000 and 500,000 RMB. Where the circumstances are grave, relevant departments may order the suspension of related business activities, cessation of business for rectification, and/or cancellation of corresponding professional licenses or cancellation of business permits.
Article 68: Internet platform operators that violate the provisions of Article 46, Article 48, and Article 51 shall be issued warnings and ordered to make corrections by relevant competent departments. Operators that refuse to make corrections shall be fined between 1% and 5% of gross business volume from the previous year. Where the circumstances are grave, the relevant competent department shall in accordance with relevant laws and administrative measures order the suspension of related business activities, cessation of business for rectification, and/or cancellation of corresponding professional licenses or cancellation of business permits. Violations that constitute crimes shall be punished in accordance with the relevant laws and administrative regulations.
Article 69: Internet platform operators that violate the provisions of Article 49 and Article 54 shall be warned and ordered by the relevant competent department to make corrections. Operators that refuse to make corrections shall be fined between 50,000 and 500,000 RMB. The directly responsible person in charge and other responsible personnel shall be fined between 10,000 and 100,000 RMB. Where the circumstances are grave, the relevant competent department may order the suspension of related business activities, cessation of business for rectification, and/or cancellation of corresponding professional licenses or cancellation of business permits.
Article 70: Data handlers that violate these Regulations and cause harm to others shall be civilly liable in accordance with law. Activities that constitute violations of public security management shall be given public security management penalties in accordance with the law. Activities that constitute crimes shall be investigated for criminal responsibility in accordance with the law.
Article 71: If a State organ does not fulfill its data security protection obligations under these Regulations, the higher-level body or department fulfilling data security management responsibilities shall order corrections. The directly responsible person in charge and other responsible personnel shall be punished in accordance with the law.
Article 72: Data handling activities conducted outside of the People’s Republic of China that harm national security, the public interest, or the legitimate rights and interests of individuals and organizations in the People's Republic of China shall be investigated for legal responsibility in accordance with the law.
Chapter IX: Supplementary Provisions
Article 73: The following terms used in these Regulations are defined as follows:
- Network data (“data”) [网络数据、数据] refers to any electronic record of information.
- Data handling activities [数据处理活动] refers to the collection, storage, use, processing, transfer, provision, disclosure, deletion, etc., of data.
- Important data [重要数据] refers to data that can endanger national security or the public interest once tampered with, destroyed, leaked, or illegally obtained or used. It includes the following data:
  - Undisclosed data pertaining to government affairs (政务), work secrets, intelligence data, and law enforcement and justice administration data;
  - Export control data and other data involved in export controlled items such as core technologies, design schematics (设计方案), production processes; and data related to scientific and technological achievements in fields such as cryptography, biology, electronics, and artificial intelligence that directly impact national security and economic competitiveness;
  - National economic operational data, important industry business data, statistical data, etc., designated by national laws, administrative measures, or departmental rules as requiring protection or controlled dissemination;
  - Data related to the safe production and operation of key industries and fields such as industry, telecommunications, energy, transportation, water conservation, finance, national defense technology, customs, taxation; and data related to key systems components and equipment supply chains;
  - Basic national data on population, health, natural resources, and environment such as genetics, geography, minerals, meteorology, etc., reaching the scale or precision provided by relevant national departments;
  - Data relevant to the construction and operation of national infrastructure and critical information infrastructure, as well as its security; and data pertaining to the geographic location and security situations, etc., of important sensitive areas such as national defense facilities, military administration areas, and national defense scientific research and production units;
  - Other data that may affect the security of national politics, territory, military, economy, culture, society, science and technology, ecology, resources, nuclear facilities, foreign interests, biology, space, arctic regions, deep seas, etc.
- Core data [核心数据] refers to data related to national security, the life of the national economy, people’s important livelihoods, important public interests, etc.
- Data handlers [数据处理者] refers to individuals and organizations that independently determine the purposes and methods of handling in data handling activities.
- Public data [公共数据] refers to various types of data collected and produced in the process of fulfilling public management duties or providing public services by organizations having public affairs management duties as authorized by state organs and laws and administrative regulations, as well as various types of data related to the public interest collected and produced by other organizations providing public services.
- Entrusted processing [委托处理] refers to data handling activities that the data handler entrusts a third party to carry out in accordance with an agreed upon purpose and method of handling.
- Separate consent [单独同意] refers to the data handler, when carrying out specific data handling activities, obtaining personal consent for each item of personal information; it does not include obtaining consent one time for multiple items of personal information and multiple kinds of handling activities.
- Internet platform operators [互联网平台运营者] refers to data handlers that provide users with information publishing, social networking, market transactions, payments, audio-visual, etc., Internet platform services.
- Large-scale Internet platform operators [大型互联网平台运营者] refer to Internet platform operators that have more than 50 million users, handle large amounts of personal information and important data, and possess strong social mobilization capabilities or a dominant position in the market.
- Cross-border data security gateway [数据跨境安全网关] refers to important security infrastructure that blocks visits to foreign reactionary websites and harmful information, prevents cyber attacks that come from abroad, manages cross-border network data transmission, and detects, investigates, and combats cross-border cyber crimes.
- Public information [公共信息] refers to information that has characteristics of public dissemination that is collected or generated by data handlers in the process of providing public services. This includes information released publicly, information that can be retransmitted, and information with no clear recipient, etc.
Article 74: Data handling activities involving the use of state secret information, core data, and encrypted data shall be implemented in accordance with relevant national provisions.
Article 75: These Regulations enter into force on [day, month, year].
November 14, 2021, 12:50. Source: 中国网信网 (website of the Cyberspace Administration of China)