Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection

December 28, 2012

(Adopted at the 30th Session of the Standing Committee of the 11th National People's Congress on December 28, 2012)

For the purposes of protecting the network information security, guaranteeing the legitimate rights and interests of citizens, legal persons and other organizations, and maintaining the national security and social public social interests, it is hereby decided as follows:

I. The State protects the electronic information that can identify the personal identity of citizens and that involves privacy of citizens.
No organization or individual may obtain the personal electronic information of citizens by steal or other illegal means, nor sell or illegally provide the personal electronic information of citizens to others.

II. When collecting or using the personal electronic information of citizens in their business activities, the network service providers and other enterprises and public institutions shall follow the principle of lawfulness, properness and necessity, explicitly disclose their purposes, methods and scopes for collection and use of the information, and, upon consent of the information providers, may collect or use information without violation of the provisions of the laws and regulations and the agreement of both parties.
Where the network service providers and other enterprises and public institutions collect and use the personal electronic information of citizens, they shall disclose the rules for such collection and use.

III. The network service providers and other enterprises and public institutions as well as their personnel must keep in strict confidence the personal electronic information of citizens collected in their business activities. They shall not divulge, distort or damage such information, or shall not sell or illegally provide the same to others.

IV. The network service providers and other enterprises and public institutions shall take technical measures and other necessary measures to ensure information security and prevent the divulgence, damage or loss of any personal electronic information of citizens collected in their business activities. In case of occurrence or possible occurrence of such divulgence, damage or loss of information, remedial measures shall be immediately taken.

V. The network service providers shall strengthen the management of the information published by their users, and shall immediately cease transmitting any information forbidden to be published or transmitted by the laws and regulations, take such measures as elimination, preserve relevant records, and report the same to relevant competent departments.

VI. Where the network service providers provide website access service, or handle network access formalities for fixed-line telephones or mobile phones, or provide information publication service for their users, they shall require the users to provide authentic identity information when concluding agreement or confirming provision of such service with the users.

VII. Without consent or request of the electronic information receiver, or upon explicit refusal made by the electronic information receiver, no organization or individual may send commercial electronic information to the fixed-line telephone, mobile phone or personal e-mail of the electronic information receiver.

VIII. Where a citizen finds out any network information infringing his/her legitimate rights and interests such as divulging personal identity or disseminating personal privacy, or is invaded by commercial electronic information, such citizen may request the network service providers to delete relevant information or take other necessary measures to stop the same.

IX. Any organization or individual may make report or accusation with relevant competent departments the illegal or criminal act of stealing, or otherwise illegally obtaining or selling, or illegally providing to others, the personal electronic information of citizens, or any other illegal or criminal act in connection with network information; the authorities receiving such report or accusation shall legally and timely deal with the same. The infringed party may legally bring a lawsuit.

X. The relevant competent departments shall legally perform duties within their respective scope of function and power, take technical measures and other necessary measures, and prevent, stop, investigate and punish the illegal or criminal act of stealing, or otherwise illegally obtaining or selling, or illegally providing to others, the personal electronic information of citizens, or any other illegal or criminal act in connection with network information. When the relevant competent departments legally perform their duties, the network service providers shall provide cooperation and technical support to them.
The State organs and their personnel shall keep in confidential the personal electronic information of citizens they know in the performance of their duties, and may not divulge, distort or damage the same, or sell or illegally provide to others such information.

XI. In case of any act in violation of this Decision, such punishments as giving a warning or fine, confiscating illegal gains, revoking license or canceling filing, closing website, and forbidding relevant responsible persons to engage in network service business shall be imposed legally, which shall be recorded in the social credit archive and be published; where such act violates the security administration regulations, a penalty for administration of public security shall be imposed legally. In case such act constitutes a crime, criminal liability shall be investigated legally. In case of infringement upon the civil rights and interests of others, civil liability shall be borne legally.

XII. This Decision shall come into force on the date of promulgation.