Decision of the National People's Congress on Strengthening Network Information Protection

In order to protect the security of network information, protect the legitimate rights and interests of citizens, legal persons and other organizations, safeguard national security and social public interests, the following decisions have been made:

  • First, the state can identify citizenship and personal privacy of citizens involved in electronic information. No organization or individual may steal or otherwise obtain personal electronic information from any person illegally and shall not sell or illegally provide personal electronic information to any other person.
  • Second, the network service providers and other enterprises and institutions in the business of collecting and using personal electronic information, should follow the legitimate and necessary rules governing collection of information.
  • Third, the network service providers, other enterprises and institutions, and their staff must treat all collected personal information as strictly confidential. It shall not be leaked, tampered with, destroyed, sold or illegally provided to others.
  • Fourth, network service providers and other enterprises and institutions should take technical measures and other necessary measures to ensure information is held securely and to prevent information leakage, damage or loss. Immediate remedial action should be taken in the event of leak, damage or loss.
  • Fifth, the network service provider shall do the utmost to manage the situation in the event of information being issued externally and abide by the laws and regulations prohibiting the publication or transmission of personal information, and shall immediately take steps to stop the transmission of the information.
  • Sixth, the network service provider must provide users with a user agreement for access to services, which should be signed to confirm the provision of services and requiring users to provide real identity information.
  • Seventh, no organization or individual may send commercial electronic information to users’ fixed telephone, mobile phone or personal e-mail without consent or request from the recipient of the electronic information, or if the user expressly rejects it.
  • Eighth, citizens who discover that their personal identity has been exposed, spread or have had their personal privacy violated against their legitimate rights and interests by the provider, or by commercial electronic information intrusion, have the right to require the service provider to delete the information or take other necessary measures to stop the exposure of information.
  • Ninth, any organization or individual who has been the victim of having their personal information obtained, sold or illegally provided to others from state authorities, as well as other cyber-information criminal acts of theft or other illegal means, has the right to report and accuse the relevant parties; the departments concerned should deal with this in a timely manner according to law, and the victims may sue in accordance with the law.
  • Tenth, the relevant competent authorities shall perform their duties in accordance with the law in their respective terms of reference, take technical measures and other necessary measures to prevent, stop and investigate the criminal acts of stealing or illegally obtaining, selling or illegally providing other persons with personal electronic information as well as other network information. When the relevant authorities perform their duties according to law, the network service providers shall cooperate and provide technical support. State organs and their staff shall keep the personal electronic information of citizens in the performance of their duties confidential and it shall not be disclosed, tampered with, destroyed, sold or illegally provided to others.
  • Eleventh, those who violate the acts of this decision shall be given a warning, a fine, have their illegal gains confiscated, their license revoked, website shut down, be prohibited from working or engaging in the network service business etc., and the offence will be recorded in their social credit file. This will constitute a violation of public security management behavior, and will constitute a crime. Those who infringe the civil rights and interests of others shall bear civil liability according to law.