china law
Lehmanlaw

Provisions on the Technical Measures for the Protection of the Security of the Internet 2006

The Provisions on the Technical Measures for the Protection of the Security of the Internet, which were adopted at the Minister’s executive meeting of the Ministry of Public Security on November 23, 2005, are hereby promulgated and shall come into force as of March 1, 2006.

Provisions on the Technical Measures for the Protection of the Security of the Internet

Article 1 The present Provisions are formulated according to the Administrative Measures for the Security Protection of the Computer Information Network Linked to the Internet for the purpose of intensifying and regulating the technical prevention for the sake of Internet security, guaranteeing the network security and information security of the Internet, promoting the sound and orderly development of the Internet and safeguarding the state security, social order and public interests.

Article 2 The term “technical measures for the protection of the Internet security” as mentioned in the present Provisions refers to the technical facilities and methods for guaranteeing the network security and information security of the Internet and preventing any law-breaking activities on the Internet.

Article 3 The providers of the Internet services and entity users of the network shall be responsible for carrying into effect the technical measures for the protection of the Internet security and shall guarantee the normal functioning of the technical measures for the protection of the Internet security.

Article 4 The providers of the Internet services and entity users of the network shall establish a corresponding administration system. The information as registered by users shall not be publicized or divulged without the approval of the users, unless it is otherwise provided for by any law or regulation.
The providers of the Internet services and entity users of the network shall adopt technical measures for the protection of the Internet security according to law and shall not take technical measures to injure the users’ freedom and confidentiality of communication under the pretext of protecting the security of the Internet.

Article 5 The safety supervision department of the public information network of the public security organs shall be responsible for the implementation of the technical measures for the protection of the Internet security and carry out supervision and administration according to law.

Article 6 The technical measures for the protection of the Internet security shall comply with the state standards. In the case of no relevant state standard, the said technical measures shall comply with the technical standards in the sector of public security.

Article 7 The providers of the Internet services and entity users of the network shall carry into effect the following technical measures for the protection of the Internet security:
(1) Technical measures for preventing any matter or act that may injure the network security, e.g., computer viruses, invasion or attacks to or destruction of the network;
(2) Measures for backing up any redundant disaster of key data base or major systematic equipment;
(3) Technical measures for recording and keeping the login-in and exit time of uses, advocate calls, accounts, internet web addresses or domain names and log files of system maintenance; and
(4) Any other technical measures for the protection of the Internet security as prescribed by any law, regulation or rule for implementation.

Article 8 An entity that provides Internet access services shall not only carry into effect the technical measures for the protection of the Internet security as prescribed by Article 7 of the present Provisions but also carry into effect the technical measures for the protection of the Internet security with the following functions:
(1) Recording and keeping the information as registered by users;
(2) Where the Internet access services are provided for users by means of conversion from intranet web addresses to Internet web addresses, being able to record and keep the corresponding relation between the Internet web addresses and intranet web addresses as applied by users; and
(3) Recording and following up the net operation and having the functions of security auditing such as inspecting, testing and recording the particulars concerning network security.

Article 9 An entity that provides Internet information services shall not only carry into effect the technical measures for the protection of the Internet security as prescribed by Article 7 of the present Provisions but also carry into effect the technical measures for the protection of the Internet security with the following functions:
(1) Finding and terminating the transmission of any illegal information in the public information services and keeping relevant records;
(2) Where such services as news, publication and electronic bulletin services are provided, being able to record and keep the information content and publication time;
(3) Where any portal website, news website, or e-commerce website is established, being able to prevent the alteration of any website or web page and, in the case of any alteration, being able to automatically recover the altered website or web page;
(4) Where any electronic bulletin service is provided, having the function of auditing the information as registered by users and information as publicized; and
(5) Where any service of emails or net short messages is provided, being able to prevent or eliminate any email or short message as sent in groups, in which the real indication of an information sender is altered or concealed.

Article 10 The entities that provide Internet data center services and entity users of the network shall not only carry into effect the technical measures for the protection of the Internet security as prescribed by Article 7 of the present Provisions but also carry into effect the technical measures for the protection of the Internet security with the following functions:
(1) Recording and keeping the information as registered by users;
(2) Finding and terminating the transmission of any illegal information in the public information services and keeping relevant records;
(3) Where any entity user of the network provides access services for users by means of conversion from intranet web addresses to Internet web addresses, being able to record and keep the corresponding relation between the Internet web addresses and intranet web addresses as applied by users.

Article 11 An entity that provides the Internet access services shall not only carry into effect the technical measures for the protection of the Internet security as prescribed by Article 7 of the present Provisions but also install and exercise a security administration system for public places where the Internet access services are provided.

Article 12 A provider of Internet services shall apply the network interface that complies with the technical standards in the sector of public security for the implementation of the technical measures for the protection of the Internet security according to the present Provisions.

Article 13 Where the technical measures for record and storage as effectively carried out by the providers of the Internet services and entity users of the network shall have the function of backing up the records for at least 60 days.

Article 14 A provider of the Internet services or an entity user of the network shall not make any of the following acts that may injure the technical measures for the protection of the Internet security:
(1) Unlawfully terminating or partly terminating the execution of any technical facility or means for the protection of the Internet security;
(2) Intentionally destroying any technical facility for the protection of the Internet security;
(3) Unlawfully deleting or altering any execution program or record regarding technical facilities or means for the protection of the Internet security;
(4) Unlawfully altering the purpose or scope of the application of the technical measures for the protection of the Internet security; or
(5) Making any other act of damaging the technical measures for the protection of the Internet security or hindering the normal functioning thereof on purpose.

Article 15 Any entity or individual who violates any provisions of Articles 7 through Article 14 of the present Provisions shall be given a punishment by the organ of public security according to the provisions of Article 21 of the Administrative Measures for the Security Protection of the Computer Information Network Linked to the Internet.

Article 16 The public security organ shall offer guidance to and carry out supervision and examination on the implementation of the technical measures for the protection of the Internet security by the providers of the Internet services and entity users of the network according to law.
Where a public security organ carries out supervision and examination according to law, the relevant providers of the Internet services and entity users of the network shall send their personnel to join the supervision and examination. Where the organ of public security finds any problem in the supervision and examination, it shall give opinions on improvement and notify the relevant providers of the Internet services and entity users of the network to rectify and reform in a timely manner.
Where the public security organ carries out supervision and examination, there shall be two or more supervisors and examiners who shall show their identity certificates of law enforcement according to law.

Article 17 Where any public security organ or any functionary thereof violates the present Provisions by abusing its/his power or practices favoritism for personal gains, the directly liable principal and other directly liable personnel shall be given relevant administrative sanctions according to law. Where a crime is constituted, the violator shall be affixed criminal liabilities.

Article 18 The term “providers of the Internet services” as mentioned in the present Provisions refers to the entities that provide to users Internet access services, Internet data center services, Internet information services, and Internet surfing services.
The term “entity users of the network” as mentioned in the present Provisions refers to the entities that are connected to and use the network to meet the application requirements of the said entity.
The term “entities that provide the Internet data center services” as mentioned in the present Provisions refers to the entities that provide such services as hosting and lease of server and renting of virtual space.

Article 19 The present Provisions shall come into force as of March 1, 2006.