Regulation on Network Data Security Management
Document Number:Order No. 790 of the State Council of the People's Republic of China
Area of Law: Network Security Management
Level of Authority: Administrative Regulations
Issuing Authority: State Council
Date Issued:09-24-2024
Effective Date:01-01-2025
Status: Effective
Topic: Digital Rule of Law
中华人民共和国国务院令
Order of the State Council of the People's Republic of China
(第790号)
(No. 790)
《网络数据安全管理条例》已经2024年8月30日国务院第40次常务会议通过,现予公布,自2025年1月1日起施行。
The Regulation on Network Data Security Management, as adopted at the 40th executive meeting of the State Council on August 30, 2024, is hereby issued, and shall come into force on January 1, 2025.
总理 李强
Premier: Li Qiang
2024年9月24日
September 24, 2024
网络数据安全管理条例
Regulation on Network Data Security Management
第一条 为了规范网络数据处理活动,保障网络数据安全,促进网络数据依法合理有效利用,保护个人、组织的合法权益,维护国家安全和公共利益,根据《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》等法律,制定本条例。
Article 1 This Regulation is developed in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other applicable laws for the purposes of regulating network data processing activities, ensuring the security of network data, promoting the reasonable and effective use of network data in accordance with the law, protecting the lawful rights and interests of individuals and organizations, and safeguarding national security and public interest.
第二条 在中华人民共和国境内开展网络数据处理活动及其安全监督管理,适用本条例。
Article 2 This Regulation shall apply to network data processing activities and the security supervision and administration thereof conducted within the territory of the People's Republic of China.
在中华人民共和国境外处理中华人民共和国境内自然人个人信息的活动,符合《中华人民共和国个人信息保护法》第三条第二款规定情形的,也适用本条例。
在中华人民共和国境外开展网络数据处理活动,损害中华人民共和国国家安全、公共利益或者公民、组织合法权益的,依法追究法律责任。
第三条 网络数据安全管理工作坚持中国共产党的领导,贯彻总体国家安全观,统筹促进网络数据开发利用与保障网络数据安全。
Article 3 In the management of network data security, the leadership of the Communist Party of China shall be adhered to, a holistic approach to national security shall be carried out, and efforts shall be coordinated to promote network data development and utilization and ensure network data security.
第四条 国家鼓励网络数据在各行业、各领域的创新应用,加强网络数据安全防护能力建设,支持网络数据相关技术、产品、服务创新,开展网络数据安全宣传教育和人才培养,促进网络数据开发利用和产业发展。
Article 4 The state encourages the innovative application of network data in all industries and fields, and shall strengthen the building of capacity for ensuring network data security, support the innovation of technologies, products, and services related to network data, carry out publicity, education, and talent training for ensuring network data security, and promote the development and utilization of network data and industrial development.
第五条 国家根据网络数据在经济社会发展中的重要程度,以及一旦遭到篡改、破坏、泄露或者非法获取、非法利用,对国家安全、公共利益或者个人、组织合法权益造成的危害程度,对网络数据实行分类分级保护。
Article 5 The state shall implement classified and graded protection of network data based on the importance of network data in economic and social development and the degree of harm caused to national security, public interest, or the lawful rights and interests of individuals and organizations once network data is tampered with, destroyed, divulged, illegally obtained, or illegally used.
第六条 国家积极参与网络数据安全相关国际规则和标准的制定,促进国际交流与合作。
Article 6 The state shall actively participate in the development of international rules and standards related to network data security to promote international exchange and cooperation.
第七条 国家支持相关行业组织按照章程,制定网络数据安全行为规范,加强行业自律,指导会员加强网络数据安全保护,提高网络数据安全保护水平,促进行业健康发展。
Article 7 The state supports relevant industry organizations in developing codes of conduct for network data security in accordance with their bylaws, strengthening industry self-regulation, directing their members to strengthen network data security protection, improving the level of network data security protection, and promoting the sound development of the industry.
第八条 任何个人、组织不得利用网络数据从事非法活动,不得从事窃取或者以其他非法方式获取网络数据、非法出售或者非法向他人提供网络数据等非法网络数据处理活动。
Article 8 No individual or organization may use network data to engage in illegal activities, steal or obtain network data by other illegal means, illegally sell or illegally provide network data to others, or carry out other illegal network data processing activities.
任何个人、组织不得提供专门用于从事前款非法活动的程序、工具;明知他人从事前款非法活动的,不得为其提供互联网接入、服务器托管、网络存储、通讯传输等技术支持,或者提供广告推广、支付结算等帮助。
第九条 网络数据处理者应当依照法律、行政法规的规定和国家标准的强制性要求,在网络安全等级保护的基础上,加强网络数据安全防护,建立健全网络数据安全管理制度,采取加密、备份、访问控制、安全认证等技术措施和其他必要措施,保护网络数据免遭篡改、破坏、泄露或者非法获取、非法利用,处置网络数据安全事件,防范针对和利用网络数据实施的违法犯罪活动,并对所处理网络数据的安全承担主体责任。
Article 9 A network data processor shall, in accordance with the provisions of applicable laws and administrative regulations and the compulsory requirements of national standards, and on the basis of graded cybersecurity protection, strengthen network data security protection, establish and improve network data security management rules, take technical measures such as encryption, backup, access control, and security authentication, and other necessary measures to protect network data from being tampered with, destroyed, divulged, illegally obtained, or illegally used, handle network data security incidents, prevent illegal and criminal activities against and using network data, and assume primary responsibility for the security of network data processed by it.
第十条 网络数据处理者提供的网络产品、服务应当符合相关国家标准的强制性要求;发现网络产品、服务存在安全缺陷、漏洞等风险时,应当立即采取补救措施,按照规定及时告知用户并向有关主管部门报告;涉及危害国家安全、公共利益的,网络数据处理者还应当在24小时内向有关主管部门报告。
Article 10 Network products and services provided by a network data processor shall comply with the compulsory requirements of relevant national standards. When a network data processor discovers any risk such as security defect and loophole of its network products or services, it shall immediately take remedial measures, inform users in a timely manner, and report the same to the appropriate department in accordance with the applicable provisions. If any damage is caused to national security or public interest, the network data processor shall also report the same to the appropriate department within 24 hours.
第十一条 网络数据处理者应当建立健全网络数据安全事件应急预案,发生网络数据安全事件时,应当立即启动预案,采取措施防止危害扩大,消除安全隐患,并按照规定向有关主管部门报告。
Article 11 A network data processor shall establish and improve its contingency plan for network data security incidents, and when a network data security incident occurs, it shall immediately activate its contingency plan, take measures to prevent the expansion of the harm, eliminate hidden security risks, and report the same to the appropriate department in accordance with the applicable provisions.
第十二条 网络数据处理者向其他网络数据处理者提供、委托处理个人信息和重要数据的,应当通过合同等与网络数据接收方约定处理目的、方式、范围以及安全保护义务等,并对网络数据接收方履行义务的情况进行监督。向其他网络数据处理者提供、委托处理个人信息和重要数据的处理情况记录,应当至少保存3年。
Article 12 Where a network data processor provides, or entrusts the processing of, personal information and important data to any other network data processor, it shall, by reaching a contract or other methods, agree on the purpose, method, and scope of processing as well as security protection obligations, among others, with network data recipients, and oversee the performance of obligations by network data recipients. Records of such data provision or entrusted processing shall be kept for at least three years.
网络数据接收方应当履行网络数据安全保护义务,并按照约定的目的、方式、范围等处理个人信息和重要数据。
两个以上的网络数据处理者共同决定个人信息和重要数据的处理目的和处理方式的,应当约定各自的权利和义务。
第十三条 网络数据处理者开展网络数据处理活动,影响或者可能影响国家安全的,应当按照国家有关规定进行国家安全审查。
Article 13 Where network data processing activities carried out by a network data processor affect or may affect national security, national security review shall be conducted in accordance with the relevant provisions issued by the state.
第十四条 网络数据处理者因合并、分立、解散、破产等原因需要转移网络数据的,网络数据接收方应当继续履行网络数据安全保护义务。
Article 14 Where a network data processor needs to transfer network data due to its business combination, division, dissolution, bankruptcy, or any other reason, the network data recipient shall continue to fulfill its network data security protection obligations.
第十五条 国家机关委托他人建设、运行、维护电子政务系统,存储、加工政务数据,应当按照国家有关规定经过严格的批准程序,明确受托方的网络数据处理权限、保护责任等,监督受托方履行网络数据安全保护义务。
Article 15 In commissioning others to construct, operate, or maintain an e-government system or store or process government data, a state organ shall undergo strict approval procedures in accordance with relevant provisions issued by the state, specify the commissioned party's authority to process network data and protection responsibilities, among others, and oversee the commissioned party's performance of data security protection obligations.
第十六条 网络数据处理者为国家机关、关键信息基础设施运营者提供服务,或者参与其他公共基础设施、公共服务系统建设、运行、维护的,应当依照法律、法规的规定和合同约定履行网络数据安全保护义务,提供安全、稳定、持续的服务。
Article 16 Where a network data processor provides services to state organs or critical information infrastructure operators, or participates in the construction, operation, and maintenance of other public infrastructure or public service systems, it shall fulfill its network data security protection obligations in accordance with the provisions of laws and regulations and as agreed upon in contracts and provide secure, stable, and continuous services.
前款规定的网络数据处理者未经委托方同意,不得访问、获取、留存、使用、泄露或者向他人提供网络数据,不得对网络数据进行关联分析。
第十七条 为国家机关提供服务的信息系统应当参照电子政务系统的管理要求加强网络数据安全管理,保障网络数据安全。
Article 17 For an information system providing services to a state organ, network data security management shall be strengthened to ensure network data security by reference to the requirements for the management of the e-government system.
第十八条 网络数据处理者使用自动化工具访问、收集网络数据,应当评估对网络服务带来的影响,不得非法侵入他人网络,不得干扰网络服务正常运行。
Article 18 A network data processor using automatic tools to access and collect network data shall assess the impact on network services and shall not illegally invade others' networks or interfere with the normal operation of network services.
第十九条 提供生成式人工智能服务的网络数据处理者应当加强对训练数据和训练数据处理活动的安全管理,采取有效措施防范和处置网络数据安全风险。
Article 19 A network data processor providing generative artificial intelligence services shall strengthen the security management of training data and training data processing activities, and take effective measures to prevent and handle network data security risks.
第二十条 面向社会提供产品、服务的网络数据处理者应当接受社会监督,建立便捷的网络数据安全投诉、举报渠道,公布投诉、举报方式等信息,及时受理并处理网络数据安全投诉、举报。
Article 20 A network data processor providing products and services to the public shall accept social supervision, and establish convenient channels for filing complaints and reports on network data security, announce the methods for filing complaints and reports and other information, and promptly accept and handle the complaints and reports on network data security.
Chapter III Personal Information Protection
第二十一条 网络数据处理者在处理个人信息前,通过制定个人信息处理规则的方式依法向个人告知的,个人信息处理规则应当集中公开展示、易于访问并置于醒目位置,内容明确具体、清晰易懂,包括但不限于下列内容:
Article 21 Where a network data processor, before processing personal information, informs an individual in accordance with the law by developing rules for processing personal information, such rules for processing personal information shall be publicly displayed in a centralized manner, easily accessible, and placed in a conspicuous position with explicit, specific, clear, and understandable content, including but not limited to:
(1) the name and contact information of the network data processor;
(二)处理个人信息的目的、方式、种类,处理敏感个人信息的必要性以及对个人权益的影响;
(三)个人信息保存期限和到期后的处理方式,保存期限难以确定的,应当明确保存期限的确定方法;
(四)个人查阅、复制、转移、更正、补充、删除、限制处理个人信息以及注销账号、撤回同意的方法和途径等。
第二十二条 网络数据处理者基于个人同意处理个人信息的,应当遵守下列规定:
Article 22 A network data processor processing personal information based on an individual's consent shall comply with the following provisions:
(一)收集个人信息为提供产品或者服务所必需,不得超范围收集个人信息,不得通过误导、欺诈、胁迫等方式取得个人同意;
(二)处理生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等敏感个人信息的,应当取得个人的单独同意;
(三)处理不满十四周岁未成年人个人信息的,应当取得未成年人的父母或者其他监护人的同意;
(四)不得超出个人同意的个人信息处理目的、方式、种类、保存期限处理个人信息;
(五)不得在个人明确表示不同意处理其个人信息后,频繁征求同意;
(六)个人信息的处理目的、方式、种类发生变更的,应当重新取得个人同意。
法律、行政法规规定处理敏感个人信息应当取得书面同意的,从其规定。
第二十三条 个人请求查阅、复制、更正、补充、删除、限制处理其个人信息,或者个人注销账号、撤回同意的,网络数据处理者应当及时受理,并提供便捷的支持个人行使权利的方法和途径,不得设置不合理条件限制个人的合理请求。
Article 23 Where an individual makes a request for accessing, reproducing, correcting, supplementing, deleting, or restricting the processing of his or her personal information, or if an individual deregisters his or her account or withdraws his or her consent, a network data processor shall promptly accept the request and provide convenient methods and means to support the individual's exercise of rights, and shall not impose unreasonable conditions to restrict the individual's reasonable request.
第二十四条 因使用自动化采集技术等无法避免采集到非必要个人信息或者未依法取得个人同意的个人信息,以及个人注销账号的,网络数据处理者应当删除个人信息或者进行匿名化处理。法律、行政法规规定的保存期限未届满,或者删除、匿名化处理个人信息从技术上难以实现的,网络数据处理者应当停止除存储和采取必要的安全保护措施之外的处理。
Article 24 Where it is impossible to avoid the collection of unnecessary personal information or of an individual's personal information without obtaining the consent of the individual in accordance with the law due to the use of automatic collection technology or any other reason, or an individual deregisters his or her account, the network data processor shall delete or anonymize the personal information. If the preservation period prescribed by any law or administrative regulation has not expired, or it is difficult to delete or anonymize the personal information technically, the network data processor shall cease the processing of personal information other than storing such information and taking necessary security protection measures.
第二十五条 对符合下列条件的个人信息转移请求,网络数据处理者应当为个人指定的其他网络数据处理者访问、获取有关个人信息提供途径:
Article 25 For a request for transferring personal information that meets the following conditions, a network data processor shall provide channels for any other network data processor designated by the individual to access and obtain relevant personal information:
(1) The true identity of the person making the request can be verified.
(二)请求转移的是本人同意提供的或者基于合同收集的个人信息;
(3) The transfer of personal information is technically feasible.
(4) The transfer of personal information does not damage others' lawful rights and interests.
请求转移个人信息次数等明显超出合理范围的,网络数据处理者可以根据转移个人信息的成本收取必要费用。
第二十六条 中华人民共和国境外网络数据处理者处理境内自然人个人信息,依照《中华人民共和国个人信息保护法》第五十三条规定在境内设立专门机构或者指定代表的,应当将有关机构的名称或者代表的姓名、联系方式等报送所在地设区的市级网信部门;网信部门应当及时通报同级有关主管部门。
Article 26 Where a network data processor outside the territory of the People's Republic of China processes the personal information of any natural person within China and establishes a specialized agency or designates a representative within China in accordance with Article 53 of the Personal Information Protection Law of the People's Republic of China, it shall submit such information as the name of the relevant agency or the representative, the contact information, and other information to the local cyberspace administration at the level of a districted city, and the cyberspace administration shall promptly notify the appropriate department at the same level.
第二十七条 网络数据处理者应当定期自行或者委托专业机构对其处理个人信息遵守法律、行政法规的情况进行合规审计。
Article 27 A network data processor shall regularly conduct compliance audits, either on its own or by commissioning a specialized agency, of its processing of personal information in compliance with laws and administrative regulations.
第二十八条 网络数据处理者处理1000万人以上个人信息的,还应当遵守本条例第三十条、第三十二条对处理重要数据的网络数据处理者(以下简称重要数据的处理者)作出的规定。
Article 28 A network data processor processing the personal information of 10 million or more individuals shall also comply with the provisions governing network data processors processing important data (“processors of important data”) as specified in Articles 30 and 32 of this Regulation.
Chapter IV Security of Important Data
第二十九条 国家数据安全工作协调机制统筹协调有关部门制定重要数据目录,加强对重要数据的保护。各地区、各部门应当按照数据分类分级保护制度,确定本地区、本部门以及相关行业、领域的重要数据具体目录,对列入目录的网络数据进行重点保护。
Article 29 The national data security work coordination mechanism shall coordinate relevant departments in developing a catalog of important data to strengthen the protection of important data. Each region or department shall, according to the rules for categorized and hierarchical data protection, determine the specific catalogs of important data in the region or department and in relevant industries and fields, and give priority to the protection of network data listed on the catalogs.
网络数据处理者应当按照国家有关规定识别、申报重要数据。对确认为重要数据的,相关地区、部门应当及时向网络数据处理者告知或者公开发布。网络数据处理者应当履行网络数据安全保护责任。
国家鼓励网络数据处理者使用数据标签标识等技术和产品,提高重要数据安全管理水平。
第三十条 重要数据的处理者应当明确网络数据安全负责人和网络数据安全管理机构。网络数据安全管理机构应当履行下列网络数据安全保护责任:
Article 30 A processor of important data shall specify the person in charge of network data security and the management body for network data security. The management body for network data security shall perform the following responsibilities for network data security protection:
(一)制定实施网络数据安全管理制度、操作规程和网络数据安全事件应急预案;
(二)定期组织开展网络数据安全风险监测、风险评估、应急演练、宣传教育培训等活动,及时处置网络数据安全风险和事件;
(3) accepting and handling complaints and reports on network data security.
网络数据安全负责人应当具备网络数据安全专业知识和相关管理工作经历,由网络数据处理者管理层成员担任,有权直接向有关主管部门报告网络数据安全情况。
掌握有关主管部门规定的特定种类、规模的重要数据的网络数据处理者,应当对网络数据安全负责人和关键岗位的人员进行安全背景审查,加强相关人员培训。审查时,可以申请公安机关、国家安全机关协助。
第三十一条 重要数据的处理者提供、委托处理、共同处理重要数据前,应当进行风险评估,但是属于履行法定职责或者法定义务的除外。
Article 31 A processor of important data shall conduct risk assessment before providing, entrusting others with the processing of, or jointly processing important data with others, except for the performance of statutory duties or statutory obligations.
The risk assessment shall focus on assessing:
(一)提供、委托处理、共同处理网络数据,以及网络数据接收方处理网络数据的目的、方式、范围等是否合法、正当、必要;
(二)提供、委托处理、共同处理的网络数据遭到篡改、破坏、泄露或者非法获取、非法利用的风险,以及对国家安全、公共利益或者个人、组织合法权益带来的风险;
(3) the integrity and compliance of network data recipients and other circumstances;
(四)与网络数据接收方订立或者拟订立的相关合同中关于网络数据安全的要求能否有效约束网络数据接收方履行网络数据安全保护义务;
(五)采取或者拟采取的技术和管理措施等能否有效防范网络数据遭到篡改、破坏、泄露或者非法获取、非法利用等风险;
(6) other assessment content specified by the appropriate department.
第三十二条 重要数据的处理者因合并、分立、解散、破产等可能影响重要数据安全的,应当采取措施保障网络数据安全,并向省级以上有关主管部门报告重要数据处置方案、接收方的名称或者姓名和联系方式等;主管部门不明确的,应当向省级以上数据安全工作协调机制报告。
Article 32 Where the security of important data may be affected due to the business combination, division, dissolution, or bankruptcy, among others, of a processor of important data, the processor shall take measures to ensure network data security and report its important data disposal plan, the name and contact information of the recipient, and other information to the appropriate department at or above the provincial level; and if the appropriate department is not specified, the processor of important data shall report to the data security work coordination mechanism at or above the provincial level.
第三十三条 重要数据的处理者应当每年度对其网络数据处理活动开展风险评估,并向省级以上有关主管部门报送风险评估报告,有关主管部门应当及时通报同级网信部门、公安机关。
Article 33 A processor of important data shall conduct annual risk assessment of its data processing activities, and submit risk assessment reports to the appropriate department at or above the provincial level, which shall promptly notify the cyberspace administration and the public security authority at the same level.
The risk assessment report shall include:
(一)网络数据处理者基本信息、网络数据安全管理机构信息、网络数据安全负责人姓名和联系方式等;
(二)处理重要数据的目的、种类、数量、方式、范围、存储期限、存储地点等,开展网络数据处理活动的情况,不包括网络数据内容本身;
(三)网络数据安全管理制度及实施情况,加密、备份、标签标识、访问控制、安全认证等技术措施和其他必要措施及其有效性;
(四)发现的网络数据安全风险,发生的网络数据安全事件及处置情况;
(5) risk assessment of the provision, entrusted processing, and joint processing of important data;
(6) outbound transfer of network data; and
(7) other information to be reported as specified by the appropriate department.
处理重要数据的大型网络平台服务提供者报送的风险评估报告,除包括前款规定的内容外,还应当充分说明关键业务和供应链网络数据安全等情况。
重要数据的处理者存在可能危害国家安全的重要数据处理活动的,省级以上有关主管部门应当责令其采取整改或者停止处理重要数据等措施。重要数据的处理者应当按照有关要求立即采取措施。
Chapter V Cross-border Security Management of Network Data
第三十四条 国家网信部门统筹协调有关部门建立国家数据出境安全管理专项工作机制,研究制定国家网络数据出境安全管理相关政策,协调处理网络数据出境安全重大事项。
Article 34 The cyberspace administration of the state shall coordinate relevant departments in establishing a special work mechanism for managing the security of outbound data transfer, develop upon research policies related to the security management of the outbound transfer of network data, and coordinate the processing of major matters relating to the outbound transfer of network data.
第三十五条 符合下列条件之一的,网络数据处理者可以向境外提供个人信息:
Article 35 A network data processor may provide personal information to an overseas party if it meets any of the following conditions:
(二)按照国家网信部门的规定经专业机构进行个人信息保护认证;
(三)符合国家网信部门制定的关于个人信息出境标准合同的规定;
(四)为订立、履行个人作为一方当事人的合同,确需向境外提供个人信息;
(五)按照依法制定的劳动规章制度和依法签订的集体合同实施跨境人力资源管理,确需向境外提供员工个人信息;
(七)紧急情况下为保护自然人的生命健康和财产安全,确需向境外提供个人信息;
第三十六条 中华人民共和国缔结或者参加的国际条约、协定对向中华人民共和国境外提供个人信息的条件等有规定的,可以按照其规定执行。
Article 36 Where any international treaty or agreement concluded or acceded to by the People's Republic of China prescribes the conditions for providing personal information to any party outside the territory of the People's Republic of China, among others, such provisions may apply.
第三十七条 网络数据处理者在中华人民共和国境内运营中收集和产生的重要数据确需向境外提供的,应当通过国家网信部门组织的数据出境安全评估。网络数据处理者按照国家有关规定识别、申报重要数据,但未被相关地区、部门告知或者公开发布为重要数据的,不需要将其作为重要数据申报数据出境安全评估。
Article 37 Where it is indeed necessary to provide an overseas party with important data collected and generated by a network data processor during its operation within the territory of the People's Republic of China, it shall be subject to the security assessment of outbound data transfer organized by the cyberspace administration of the state. If a network data processor identifies and declares important data according to the relevant provisions of the state, which has not been informed or announced by the relevant region or department to be important data, it is not required to declare such data as important data for security assessment of outbound data transfer.
第三十八条 通过数据出境安全评估后,网络数据处理者向境外提供个人信息和重要数据的,不得超出评估时明确的数据出境目的、方式、范围和种类、规模等。
Article 38 After passing the security assessment for the outbound transfer of network data, a network data processor shall not provide personal information and important data to an overseas party beyond the purpose, method, scope, type, or scale, among others, of outbound data transfer specified at the time of assessment.
第三十九条 国家采取措施,防范、处置网络数据跨境安全风险和威胁。任何个人、组织不得提供专门用于破坏、避开技术措施的程序、工具等;明知他人从事破坏、避开技术措施等活动的,不得为其提供技术支持或者帮助。
Article 39 The state shall take measures to prevent and address the security risks and threats related to the outbound transfer of network data. No individual or organization may provide programs or tools, among others, specially used to destroy or avoid technical measures and shall not provide a person with technical support or assistance if he or it knows that such a person engages in activities such as destroying or avoiding technical measures.
Chapter VI Obligations of Network Platform Service Providers
第四十条 网络平台服务提供者应当通过平台规则或者合同等明确接入其平台的第三方产品和服务提供者的网络数据安全保护义务,督促第三方产品和服务提供者加强网络数据安全管理。
Article 40 A network platform service provider shall specify the network data security protection obligations of third-party product and service providers that access its platform through platform rules, contracts, or other methods, and urge third-party product and service providers to strengthen their network data security management.
国家鼓励保险公司开发网络数据损害赔偿责任险种,鼓励网络平台服务提供者、预装应用程序的智能终端等设备生产者投保。
第四十一条 提供应用程序分发服务的网络平台服务提供者,应当建立应用程序核验规则并开展网络数据安全相关核验。发现待分发或者已分发的应用程序不符合法律、行政法规的规定或者国家标准的强制性要求的,应当采取警示、不予分发、暂停分发或者终止分发等措施。
Article 41 A network platform service provider providing application distribution services shall establish application verification rules and carry out relevant verification of network data security. If it is found that an application to be distributed or distributed fails to comply with the provisions of laws, administrative regulations, or the compulsory requirements of national standards, measures such as warning, no distribution, and suspension or termination of distribution shall be taken.
第四十二条 网络平台服务提供者通过自动化决策方式向个人进行信息推送的,应当设置易于理解、便于访问和操作的个性化推荐关闭选项,为用户提供拒绝接收推送信息、删除针对其个人特征的用户标签等功能。
Article 42 A network platform service provider pushing information to individuals through automated decision-making shall set up personalized recommendation closing options that are easy to understand, access, and operate, and provide users with such functions as refusing to receive pushed information and deleting user tags targeted at their personal characteristics.
第四十三条 国家推进网络身份认证公共服务建设,按照政府引导、用户自愿原则进行推广应用。
Article 43 The state shall promote the development of public services for online identity authentication and popularize and apply such services under the principles of government guidance and voluntary use by users.
鼓励网络平台服务提供者支持用户使用国家网络身份认证公共服务登记、核验真实身份信息。
第四十四条 大型网络平台服务提供者应当每年度发布个人信息保护社会责任报告,报告内容包括但不限于个人信息保护措施和成效、个人行使权利的申请受理情况、主要由外部成员组成的个人信息保护监督机构履行职责情况等。
Article 44 A large network platform service provider shall issue annual reports on its social responsibility for personal information protection, and the contents of such reports shall include but not be limited to the measures for personal information protection and the effects thereof, the acceptance of applications for the exercise of rights by individuals, and the performance of duties by the supervisory bodies for personal information protection primarily composed of external members.
第四十五条 大型网络平台服务提供者跨境提供网络数据,应当遵守国家数据跨境安全管理要求,健全相关技术和管理措施,防范网络数据跨境安全风险。
Article 45 A large network platform service provider engaging in the cross-border transfer of network data shall comply with the requirements of the state for the security management of cross-border data transfer and improve relevant technical and administrative measures to prevent security risks in the cross-border transfer of network data.
第四十六条 大型网络平台服务提供者不得利用网络数据、算法以及平台规则等从事下列活动:
Article 46 A large network platform service provider shall not engage in the following activities by using network data, algorithms, and platform rules, among others:
(一)通过误导、欺诈、胁迫等方式处理用户在平台上产生的网络数据;
(二)无正当理由限制用户访问、使用其在平台上产生的网络数据;
(4) Other activities prohibited by any law or administrative regulation.
Chapter VII Supervision and Administration
第四十七条 国家网信部门负责统筹协调网络数据安全和相关监督管理工作。
Article 47 The cyberspace administration of the state shall be responsible for coordinating network data security and relevant supervision and administration.
公安机关、国家安全机关依照有关法律、行政法规和本条例的规定,在各自职责范围内承担网络数据安全监督管理职责,依法防范和打击危害网络数据安全的违法犯罪活动。
国家数据管理部门在具体承担数据管理工作中履行相应的网络数据安全职责。
各地区、各部门对本地区、本部门工作中收集和产生的网络数据及网络数据安全负责。
第四十八条 各有关主管部门承担本行业、本领域网络数据安全监督管理职责,应当明确本行业、本领域网络数据安全保护工作机构,统筹制定并组织实施本行业、本领域网络数据安全事件应急预案,定期组织开展本行业、本领域网络数据安全风险评估,对网络数据处理者履行网络数据安全保护义务情况进行监督检查,指导督促网络数据处理者及时对存在的风险隐患进行整改。
Article 48 All appropriate departments shall undertake the duties of supervising and administering network data security in their respective industries and fields, specify the work bodies responsible for ensuring network data security in their respective industries and fields, coordinate the development and organize the implementation of contingency plans for network data security incidents in their respective industries and fields, regularly organize the assessment of network data security risks in their respective industries and fields, supervise and inspect network data processors' fulfillment of network data security protection obligations, and direct and urge network data processors to promptly rectify existing potential risks.
第四十九条 国家网信部门统筹协调有关主管部门及时汇总、研判、共享、发布网络数据安全风险相关信息,加强网络数据安全信息共享、网络数据安全风险和威胁监测预警以及网络数据安全事件应急处置工作。
Article 49 The cyberspace administration of the state shall coordinate appropriate departments in promptly collecting, assessing, sharing, and releasing information relating to network data security risks, and strengthen the sharing of network data security information, the monitoring and early warning of network data security risks and threats, and emergency response to network data security incidents.
第五十条 有关主管部门可以采取下列措施对网络数据安全进行监督检查:
Article 50 The appropriate departments may take the following measures to supervise and inspect network data security:
(一)要求网络数据处理者及其相关人员就监督检查事项作出说明;
(2) consulting and copying the documents and records relating to network data security;
(3) checking the implementation of network data security measures;
(4) checking the equipment and items relating to network data processing activities; and
(5) taking other necessary measures prescribed by laws and administrative regulations.
网络数据处理者应当对有关主管部门依法开展的网络数据安全监督检查予以配合。
第五十一条 有关主管部门开展网络数据安全监督检查,应当客观公正,不得向被检查单位收取费用。
Article 51 The appropriate department shall carry out supervision and inspection of network data security in an objective and impartial manner, and shall not charge any fees from the inspected entity.
有关主管部门在网络数据安全监督检查中不得访问、收集与网络数据安全无关的业务信息,获取的信息只能用于维护网络数据安全的需要,不得用于其他用途。
有关主管部门发现网络数据处理者的网络数据处理活动存在较大安全风险的,可以按照规定的权限和程序要求网络数据处理者暂停相关服务、修改平台规则、完善技术措施等,消除网络数据安全隐患。
第五十二条 有关主管部门在开展网络数据安全监督检查时,应当加强协同配合、信息沟通,合理确定检查频次和检查方式,避免不必要的检查和交叉重复检查。
Article 52 When carrying out supervision and inspection of network data security, the appropriate department shall strengthen coordination and cooperation with each other and information communication, and reasonably determine the frequency and methods of inspection, so as to avoid unnecessary inspections and repeated inspections.
个人信息保护合规审计、重要数据风险评估、重要数据出境安全评估等应当加强衔接,避免重复评估、审计。重要数据风险评估和网络安全等级测评的内容重合的,相关结果可以互相采信。
第五十三条 有关主管部门及其工作人员对在履行职责中知悉的个人隐私、个人信息、商业秘密、保密商务信息等网络数据应当依法予以保密,不得泄露或者非法向他人提供。
Article 53 The appropriate department and its staff members shall legally keep confidential the network data such as personal privacy, personal information, trade secrets, and confidential business information to which they have access in the performance of their duties, and shall not divulge such data or illegally provide such data to others.
第五十四条 境外的组织、个人从事危害中华人民共和国国家安全、公共利益,或者侵害中华人民共和国公民的个人信息权益的网络数据处理活动的,国家网信部门会同有关主管部门可以依法采取相应的必要措施。
Article 54 Where any overseas organization or individual engages in network data processing activities that endanger the national security or public interest of the People's Republic of China or infringe upon the personal information rights and interests of citizens of the People's Republic of China, the cyberspace administration of the state may, in conjunction with the appropriate department, take corresponding necessary measures in accordance with the law.
第五十五条 违反本条例第十二条、第十六条至第二十条、第二十二条、第四十条第一款和第二款、第四十一条、第四十二条规定的,由网信、电信、公安等主管部门依据各自职责责令改正,给予警告,没收违法所得;拒不改正或者情节严重的,处100万元以下罚款,并可以责令暂停相关业务、停业整顿、吊销相关业务许可证或者吊销营业执照,对直接负责的主管人员和其他直接责任人员可以处1万元以上10万元以下罚款。
Article 55 Where anyone violates the provisions of Article 12, Articles 16 through 20, Article 22, paragraphs 1 and 2 of Article 40, Article 41, or Article 42 of this Regulation, the departments of cyberspace affairs, telecommunications, and public security, among others, shall, according to their respective duties, order the violator to take corrective action, give a warning, and confiscate the illegal income of the violator. If the violator refuses to take corrective action or the circumstances are serious, the appropriate department shall impose a fine of not more than one million yuan on the violator, and may order the violator to suspend the relevant business, cease operations for an overhaul, revoke its relevant business permit or business license, and may impose a fine of not less than 10,000 yuan nor more than 100,000 yuan on the directly responsible person in charge and other directly liable persons.
第五十六条 违反本条例第十三条规定的,由网信、电信、公安、国家安全等主管部门依据各自职责责令改正,给予警告,可以并处10万元以上100万元以下罚款,对直接负责的主管人员和其他直接责任人员可以处1万元以上10万元以下罚款;拒不改正或者情节严重的,处100万元以上1000万元以下罚款,并可以责令暂停相关业务、停业整顿、吊销相关业务许可证或者吊销营业执照,对直接负责的主管人员和其他直接责任人员处10万元以上100万元以下罚款。
Article 56 Where anyone violates the provisions of Article 13 of this Regulation, the departments of cyberspace affairs, telecommunications, public security, and national security, among others, shall, according to their respective duties, order the violator to take corrective action, give a warning, and may impose a fine of not less than 100,000 yuan nor more than one million yuan on the violator, and impose a fine of not less than 10,000 yuan nor more than 100,000 yuan on the directly responsible person in charge and other directly liable persons. If the violator refuses to take corrective action or the circumstances are serious, the appropriate department shall impose a fine of not less than one million yuan nor more than 10 million yuan on the violator, and may order the violator to suspend the relevant business, cease operations for an overhaul, revoke its relevant business permit or business license, and may impose a fine of not less than 100,000 yuan nor more than one million yuan on the directly responsible person in charge and other directly liable persons.
第五十七条 违反本条例第二十九条第二款、第三十条第二款和第三款、第三十一条、第三十二条规定的,由网信、电信、公安等主管部门依据各自职责责令改正,给予警告,可以并处5万元以上50万元以下罚款,对直接负责的主管人员和其他直接责任人员可以处1万元以上10万元以下罚款;拒不改正或者造成大量数据泄露等严重后果的,处50万元以上200万元以下罚款,并可以责令暂停相关业务、停业整顿、吊销相关业务许可证或者吊销营业执照,对直接负责的主管人员和其他直接责任人员处5万元以上20万元以下罚款。
Article 57 Where anyone violates the provisions of paragraph 2 of Article 29, paragraphs 2 and 3 of Article 30, Article 31, or Article 32 of this Regulation, the departments of cyberspace affairs, telecommunications, and public security, among others, shall, according to their respective duties, order the violator to take corrective action, give a warning, and may impose a fine of not less than 50,000 yuan nor more than 500,000 yuan on the violator, and impose a fine of not less than 10,000 yuan nor more than 100,000 yuan on the directly responsible person in charge and other directly liable persons. If the violator refuses to take corrective action or causes large-scale data leakage or other serious consequences, the appropriate department shall impose a fine of not less than 500,000 yuan nor more than two million yuan on the violator, and may order the violator to suspend the relevant business, cease operations for an overhaul, revoke its relevant business permit or business license, and may impose a fine of not less than 50,000 yuan nor more than 200,000 yuan on the directly responsible person in charge and other directly liable persons.
第五十八条 违反本条例其他有关规定的,由有关主管部门依照《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》等法律的有关规定追究法律责任。
Article 58 Whoever violates other relevant provisions of this Regulation shall be held legally liable by the appropriate department in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other applicable laws.
第五十九条 网络数据处理者存在主动消除或者减轻违法行为危害后果、违法行为轻微并及时改正且没有造成危害后果或者初次违法且危害后果轻微并及时改正等情形的,依照《中华人民共和国行政处罚法》的规定从轻、减轻或者不予行政处罚。
Article 59 A network data processor who takes the initiative to eliminate or mitigate the harmful consequences of its illegal act, commits any minor illegal act and takes corrective action in a timely manner without causing harmful consequences, or commits any illegal act for the first time with minor harmful consequences and takes corrective action in a timely manner shall be subject to a lighter or mitigated administrative penalty or be exempted from administrative penalty in accordance with the provisions of the Administrative Penalty Law of the People's Republic of China.
第六十条 国家机关不履行本条例规定的网络数据安全保护义务的,由其上级机关或者有关主管部门责令改正;对直接负责的主管人员和其他直接责任人员依法给予处分。
Article 60 Where a state organ fails to fulfill its network data security protection obligations specified in this Regulation, its superior authority or the appropriate department shall order it to take corrective action and take disciplinary actions against the directly responsible person in charge and other directly liable persons in accordance with the law.
第六十一条 违反本条例规定,给他人造成损害的,依法承担民事责任;构成违反治安管理行为的,依法给予治安管理处罚;构成犯罪的,依法追究刑事责任。
Article 61 Whoever violates this Regulation, causing damage to any other person, shall assume civil liability in accordance with the law; and if the violation of public security administration is constituted, the violator shall be subject to a public security administration punishment in accordance with the law; and if the violation constitutes any crime, the offender shall be held criminally liable in accordance with the law.
Chapter IX Supplemental Provisions
Article 62 For the purpose of this Regulation, the following terms shall have the following meanings:
(1) “Network data” means various electronic data processed and generated through networks.
(二)网络数据处理活动,是指网络数据的收集、存储、使用、加工、传输、提供、公开、删除等活动。
(三)网络数据处理者,是指在网络数据处理活动中自主决定处理目的和处理方式的个人、组织。
(四)重要数据,是指特定领域、特定群体、特定区域或者达到一定精度和规模,一旦遭到篡改、破坏、泄露或者非法获取、非法利用,可能直接危害国家安全、经济运行、社会稳定、公共健康和安全的数据。
(五)委托处理,是指网络数据处理者委托个人、组织按照约定的目的和方式开展的网络数据处理活动。
(六)共同处理,是指两个以上的网络数据处理者共同决定网络数据的处理目的和处理方式的网络数据处理活动。
(七)单独同意,是指个人针对其个人信息进行特定处理而专门作出具体、明确的同意。
(八)大型网络平台,是指注册用户5000万以上或者月活跃用户1000万以上,业务类型复杂,网络数据处理活动对国家安全、经济运行、国计民生等具有重要影响的网络平台。
第六十三条 开展核心数据的网络数据处理活动,按照国家有关规定执行。
Article 63 Network data processing activities involving core data shall be carried out in accordance with the relevant provisions issued by the state.
