laitimes

Cybersecurity Law of the People's Republic of China

Author: The rule of law wild goose pagoda

Chapter V: Monitoring, Early Warning, and Emergency Response

Article 51: The state is to establish systems for network security monitoring, early warning, and information circulation. The state internet information departments shall coordinate relevant departments to strengthen efforts to collect, analyze, and report network security information, and uniformly release network security monitoring and early warning information in accordance with provisions.

Article 52: Departments responsible for critical information infrastructure security protection efforts shall establish and complete systems for network security monitoring, early warning, and information reporting in that industry or field, and report network security monitoring and early warning information in accordance with provisions.

Article 53: The State Internet Information Department is to coordinate with relevant departments to establish and complete network security risk assessment and emergency response work mechanisms, draft emergency response plans for network security incidents, and periodically organize drills.

Departments responsible for critical information infrastructure security protection efforts shall draft emergency response plans for network security incidents in that industry or field, and periodically organize drills.

Emergency response plans for network security incidents shall be graded based on factors such as the degree of harm and scope of impact after the incident, and provide for corresponding emergency response measures.

Article 54: When the risk of a network security incident increases, the relevant departments of people's governments at the provincial level or above shall employ the following measures in accordance with the scope of authority and procedures provided, and on the basis of the characteristics of the network security risk and the harm that might be caused:

(1) Request that relevant departments, bodies, and personnel promptly collect and report relevant information, and strengthen monitoring of network security risks;

(2) Organize relevant departments, institutions, and professionals to analyze and assess information on network security risks, and predict the likelihood of incidents, the scope of impact, and the degree of harm;

(3) Publish early warnings of network security risks to the public, and publish measures to avoid or mitigate harms.

Article 55: When a network security incident occurs, an emergency response plan for the network security incident shall be immediately initiated, an investigation and assessment of the network security incident shall be conducted, and network operators shall be required to employ technical measures and other necessary measures to eliminate potential security risks, prevent the expansion of harm, and promptly release to the public warning information that is relevant to the public.

Article 56: Where, in the course of performing network security oversight and management duties, the relevant departments of people's governments at the provincial level or above discover that there are relatively large security risks in the network or that security incidents have occurred, they may give a talk to the network operator's legally-designated representative or principal responsible person in accordance with the scope of authority and procedures provided. Network operators shall employ measures as required to carry out corrections and eliminate hidden dangers.

Article 57: Where emergencies or production safety accidents occur as a result of network security incidents, they shall be handled in accordance with the provisions of the "Emergency Response Law of the People's Republic of China", the "Production Safety Law of the People's Republic of China" and other relevant laws and administrative regulations.

Article 58: As needed to preserve national security and social public order, or to handle major social security emergencies, temporary measures such as restrictions on network communications may be employed in specific areas upon the decision or approval of the State Council.

Chapter VI: Legal Responsibility

Article 59: Where network operators do not perform the network security protection obligations provided for in articles 21 and 25 of this Law, the relevant competent departments are to order corrections and give warnings;

Where critical information infrastructure operators do not perform the network security protection obligations provided for in articles 33, 34, 36, or 38 of this Law, the relevant competent departments are to order corrections and give warnings;

Article 60: Where the provisions of paragraphs 1 and 2 of article 22 and paragraph 1 of article 48 of this Law are violated by any of the following conduct, the relevant competent departments are to order corrections and give warnings;

(1) Setting up malicious programs;

(2) Failing to immediately take remedial measures for risks such as security defects or vulnerabilities in their products or services, or failing to promptly inform users and report to the relevant competent departments in accordance with provisions;

(3) Terminating the provision of security maintenance for its products and services without authorization.

Article 61: Where network operators violate the provisions of paragraph 1 of article 24 of this Law by failing to require users to provide real identity information, or by providing relevant services to users who do not provide true identity information, the relevant competent departments are to order corrections; Revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 10,000 and 100,000 RMB.

Article 62: Where the provisions of article 26 of this Law are violated by carrying out activities such as network security certification, testing, or risk assessment, or by publishing network security information such as system vulnerabilities, computer viruses, network attacks, or network intrusions to the public, the relevant competent departments are to order corrections and give warnings; Revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 5,000 and 50,000 RMB.

Article 63: Where the provisions of article 27 of this Law are violated by engaging in activities that endanger network security, or by providing programs or tools specifically for use in activities endangering network security, or by providing technical support, advertising, promotion, or payment and settlement assistance for others to engage in activities that endanger network security, but it does not constitute a crime, the public security organs are to confiscate unlawful gains and give a detention of up to 5 days, and may give a concurrent fine of between 50,000 and 500,000 RMB;

Where units exhibit the conduct in the preceding paragraph, the public security organs are to confiscate unlawful gains, give a fine of between 100,000 and 1,000,000 RMB, and punish the directly responsible managers and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

Persons who violate the provisions of article 27 of this Law and receive public security administrative sanctions must not engage in work in key positions in network security management and network operations for five years, and persons who receive criminal punishments must not engage in work in key positions in network security management and network operations for life.

Article 64: Where network operators or providers of network products or services violate the provisions of paragraph 3 of article 22 or articles 41-43 of this Law by infringing on the right to have personal information protected in accordance with law, the relevant competent departments are to order corrections, and may be given warnings, confiscation of unlawful gains, or confiscation based on the circumstances. A fine of between 1 and 10 times the value of unlawful gains is to be given, and where there are no unlawful gains, a fine of up to 1,000,000 RMB is to be given, and a fine of between 10,000 and 100,000 RMB is to be given to the directly responsible managers and other directly responsible personnel;

Where the provisions of article 44 of this Law are violated by stealing or otherwise illegally obtaining, illegally selling, or illegally providing personal information to others, but it does not constitute a crime, the public security organs are to confiscate the unlawful gains and give a concurrent fine of between 1 and 10 times the value of the unlawful gains, and where there are no unlawful gains, give a fine of up to 1,000,000 RMB.

Article 65: Where critical information infrastructure operators violate the provisions of article 35 of this Law by using network products or services that have not undergone security review or have not passed security review, the relevant competent departments are to order them to stop using them and give a fine of between 1 and 10 times the amount of the purchase, and give a fine of between 10,000 and 100,000 RMB to the directly responsible managers and other directly responsible personnel.

Article 66: Where critical information infrastructure operators violate the provisions of article 37 of this Law by storing network data outside the mainland, or providing network data overseas, the relevant competent departments are to order corrections, give warnings, confiscate unlawful gains, and give a fine of between 50,000 and 500,000 RMB, and may order the suspension of relevant operations, suspend operations for rectification, close down websites, revoke relevant business permits, or revoke business licenses;

Article 67: Where the provisions of article 46 of this Law are violated by setting up websites or communication groups used to carry out illegal or criminal activities, or using networks to publish information related to the commission of illegal or criminal activities, but it does not constitute a crime, the public security organs are to detain them for up to 5 days and may concurrently give a fine of between 10,000 and 100,000 RMB, and where the circumstances are more serious, they are to be detained for between 5 and 15 days, and may be concurrently fined between 50,000 and 500,000 RMB. Shut down websites and communication groups used to carry out illegal and criminal activities.

Where units exhibit the conduct in the preceding paragraph, the public security organs are to give a fine of between 100,000 and 500,000 RMB, and punish the directly responsible managers and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

Article 68: Where network operators violate the provisions of article 47 of this Law by failing to stop the transmission of information that laws or administrative regulations prohibit the publication or transmission of, employing measures such as erasing it, or keeping relevant records, the relevant competent departments are to order corrections, give warnings, and confiscate unlawful gains; Revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 10,000 and 100,000 RMB.

Where electronic information sending service providers or application software download service providers do not perform the security management obligations provided for in paragraph 2 of article 48 of this Law, punishment is to be given in accordance with the provisions of the preceding paragraph.

Article 69: Where network operators violate the provisions of this Law by exhibiting any of the following conduct, the relevant competent departments are to order corrections, and where corrections are refused or the circumstances are serious, a fine of between 50,000 and 500,000 RMB is to be given, and the directly responsible managers and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB:

(1) Failing to follow the requirements of relevant departments to employ measures such as stopping the transmission or erasing of information that laws or administrative regulations prohibit the publication or transmission of;

(2) Refusing or obstructing the supervision and inspection carried out by relevant departments in accordance with law;

(3) Refusing to provide technical support and assistance to public security organs or state security organs.

Article 70: Where paragraph 2 of article 12 of this Law and other laws or administrative regulations prohibit the publication or transmission of information, punishment is to be given in accordance with the provisions of relevant laws and administrative regulations.

Article 71: Where there is illegal conduct provided for in this Law, it is to be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations, and it is to be announced.

Article 72: Where state organ government affairs network operators do not perform the network security protection obligations provided for in this Law, the organ at the level above or the relevant organ is to order corrections, and the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

Article 73: Where internet information departments and relevant departments violate the provisions of article 30 of this Law by using information obtained in the performance of network security protection duties for other purposes, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

Where the staff of internet information departments and relevant departments neglect their duties, abuse their authority, or twist the law for personal gain, and it does not constitute a crime, sanctions are to be given in accordance with law.

Article 74: Where the provisions of this Law are violated by causing harm to others, civil liability is to be borne in accordance with law.

Anyone who violates the provisions of this Law and constitutes a violation of the administration of public security shall be given a public security administrative punishment in accordance with law;

Article 75: Where foreign institutions, organizations, or individuals engage in activities that endanger the critical information infrastructure of the People's Republic of China, such as attacking, intruding, interfering, or sabotaging, causing serious consequences, legal responsibility is to be pursued in accordance with law;

Chapter VII: Supplementary Provisions

Article 76: The following terms in this Law have the following meanings:

(1) "Network" refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.

(2) "Network security" refers to the ability, by taking necessary measures, to prevent attacks, intrusions, interference, sabotage, and illegal use of networks, as well as accidents, and the ability to ensure the integrity, confidentiality, and availability of network data.

(3) "Network operators" refers to network owners, managers, and network service providers.

(4) "Network data" refers to all kinds of electronic data collected, stored, transmitted, processed, and generated through networks.

(5) "Personal information" refers to all kinds of information recorded electronically or otherwise that can identify a natural person's personal identity alone or in combination with other information, including but not limited to a natural person's name, date of birth, ID number, personal biometric information, address, telephone number, and so forth.

Article 77: In addition to complying with this Law, operational security protections for networks that store and handle information involving state secrets shall also comply with the provisions of secrecy laws and administrative regulations.

Article 78: Security protections for military networks are to be provided for separately by the Central Military Commission.

Article 79: This Law takes effect on June 1, 2017.

Source: Xinhua News Agency
