Nov. 21, 2018
These regulations were issued by the Cyberspace Administration of China (CAC) in its capacity as the primary regulator for online content.
They do not contain new substantive provisions or restrictions on what individuals can put online or on the content or nature of the online services that providers can offer. Rather, they increase the requirements for self-inspection for services with "public opinion properties" or "social mobilization capacity."
Such businesses will, from the end of this month, be required to conduct security self-assessments when they bring new services online, expand the functionality of their existing services, introduce new technologies or applications, experience a significant increase in user base, are used to spread unlawful information, or any other circumstance identified by the cybersecurity authorities.
These measures are a further step in a long line of policies emerging from the CAC since it first came to prominence in 2013 through a high-profile crackdown on the social media landscape. It is clear that one key element of the Chinese government’s definition of cybersecurity is the potential for destabilizing public opinion or public mobilization facilitated through online services.
In pursuing these goals, the CAC's regulatory focus is on outcomes, not processes. That means regulators will be able to evaluate different approaches to solving similar problems across the industry, see what works and what doesn't, and revise their own approach in this light.
This translation is by Rogier Creemers. During the DigiChina editorial process, a translation available at China Law Translate was also consulted. –Ed.
Regulations for the Security Assessment of Internet Information Services Having Public Opinion Properties or Social Mobilization Capacity
Article 1: These Regulations are formulated in order to strengthen security management of Internet information services having public opinion properties or social mobilization capacity, as well as related new technologies and new applications; to standardize Internet information service activities; to safeguard national security, social order, and the public interest; and on the basis of the "Cybersecurity Law of the People's Republic of China," the "Internet Information Service Management Regulations" and the "Computer Information Network International Connection Security Protection and Management Rules."
Article 2: Internet information services having public opinion properties or social mobilization capacity as named in these Regulations, include the following situations:
(1) running forums, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, online streaming, information sharing, mini-apps, and other such information services or corresponding functions;
(2) running other Internet information services providing public opinion expression channels or having the capacity to incite the public to engage in specific activities.
Article 3: Internet information service providers meeting one of the following conditions shall conduct security assessment according to these Regulations of their own accord and take responsibility for the assessment results:
(1) those whose information services with public opinion properties or social mobilization capacity are brought online, or who add corresponding functions to their information services;
(2) those whose use of new technologies and new applications causes the functional properties, technical realization methods, basic resource allocation, etc., of their information services to undergo major change, leading to major changes in their public opinion properties or social mobilization capacity;
(3) those whose user base is markedly increasing, leading to major changes in the public opinion properties or social mobilization capacity of their information services;
(4) those where unlawful or harmful information has been disseminated and spread, indicating it is difficult for existing security measures to effectively prevent and control cybersecurity risks;
(5) other circumstances where district / city-level or higher cybersecurity and informatization departments or public security bodies notify in writing that a security assessment is required.
Article 4: Internet information service providers may carry out security assessments themselves, and may also entrust third-party security assessment bodies to carry them out.
Article 5: Internet information service providers conducting security assessments shall conduct a complete assessment of: the legality of information services, new technologies, and new applications; the efficacy of their implementation of security measures provided in laws, administrative regulations, departmental rules, and standards; the efficacy of their prevention and control of security risks. They shall focus on assessing the following content:
(1) the extent to which they have allotted security management personnel and information verification personnel in line with the services they provide, and have established security management bodies;
(2) measures for user real identity verification and registration information preservation;
(3) preservation measures for logging information concerning users' accounts, times of usage, type of usage, originating and target network addresses, originating network terminals, user terminal hardware characteristics, etc., as well as records of information disseminated by users;
(4) preventative arrangements and relevant record preservation measures for: unlawful and harmful information in the names of user accounts and communication groups, nicknames, brief introductions, comments, and symbols; and for information publishing, re-posting, discussion, as well as communication groups and other such service functions;
(5) technical measures for the protection of personal data as well as the prevention of the dissemination and spread of unlawful and harmful information, and the risk of losing control over social mobilization;
(6) the extent to which: complaints and reporting structures have been established, information on the way to complain or report is published, and relevant complaints and reports are handled promptly;
(7) the extent to which work mechanisms are established to provide technical or data support or assistance to cybersecurity and informatization departments carrying out Internet information service supervision and management duties according to the law;
(8) the extent to which work mechanisms are established to provide technical or data support or assistance to public security bodies or national security bodies safeguarding national security or investigating and prosecuting violations of the law and crime according to the law.
Article 6: Internet information service providers shall, where they discover through security assessment that security vulnerabilities exist, promptly rectify the matter, and eliminate the corresponding security vulnerability.
Those passing security assessment and conforming to laws, administrative regulations, departmental rules, and standards, shall compile a security assessment report. Security assessment reports shall include the following content:
(1) the function, scope of services, hardware and software facilities, location of deployment, and other such basic information concerning the Internet information service, and proof that corresponding licences have been obtained;
(2) the situation of their security management structures and technical measure implementation, as well as risk prevention results;
(3) security assessment conclusions;
(4) other corresponding matters that should be explained.
Article 7: Internet information service providers shall submit the security assessment report to the local district / city-level or higher cybersecurity and informatization department and public security body through the nationwide Internet security management service platform.
Where they meet the circumstances listed in Article 3 Clause 1 or 2 of these Regulations, Internet information service providers shall submit a security assessment report before bringing information services, new technologies, or new applications online, or adding functionality; where they meet the circumstances listed in Article 3 Clause 3, 4, or 5, they shall submit the security assessment report within 30 working days of the occurrence of the corresponding circumstance.
Article 8: District / city-level or higher cybersecurity and informatization departments, and public security bodies, shall conduct a written review of the security assessment report on the basis of their respective duties and responsibilities.
Where they discover deficiencies in the security assessment report content or items, or the security assessment method is manifestly unsuitable, they shall order the Internet information service provider to repeat the assessment within a specific time limit.
Where the security assessment report content is discovered to be unclear, they may order the Internet information service provider to supplement with additional explanation.
Article 9: Cybersecurity and informatization departments and public security bodies shall, in the course of the written review of the security assessment report, where they believe it necessary and on the basis of their respective duties and responsibilities, conduct on-the-spot inspections of Internet information service providers.
Cybersecurity and informatization departments and public security bodies shall, in principle, carry out on-the-spot inspections jointly, and may not interfere with the regular business operations of Internet information service providers.
Article 10: Concerning Internet information services exhibiting relatively major security risks that may influence national security, social order, or the public interest, provincial-level and higher cybersecurity and informatization departments and public security bodies shall organize experts to conduct examination, and may when necessary conduct on-the-spot inspections together with the corresponding local departments.
Article 11: Cybersecurity and informatization departments and public security bodies shall, when conducting on-the-spot inspections, act according to the provisions of relevant laws, administrative regulations and departmental rules.
Article 12: Cybersecurity and informatization departments and public security bodies shall establish supervision and management structures, strengthen cybersecurity risk management, and oversee Internet information service providers' performance of cybersecurity duties according to the law.
Where they discover that Internet information service providers with public opinion properties or social mobilization capacity do not conduct security assessments according to these Regulations, cybersecurity and informatization departments and public security bodies shall notify them to conduct security assessments according to these Regulations.
Article 13: Where cybersecurity and informatization departments and public security bodies discover that Internet information service providers with public opinion properties or social mobilization capacity refuse to conduct security assessment according to these Regulations, they shall make a public notification through the nationwide Internet security management service platform indicating that security risks exist within the Internet information service, and, according to their respective duties and responsibilities, impose supervision and inspection of the Internet information service. Where they discover the existence of unlawful activities, they shall punish these according to the law.
Article 14: Cybersecurity and informatization departments coordinate overall the security assessment work of Internet information services with public opinion properties or social mobilization capacity. Public security bodies shall regularly report the state of their security assessment work to cybersecurity and informatization departments.
Article 15: Cybersecurity and informatization departments, public security bodies, and their personnel shall strictly preserve the secrecy of national secrets, commercial secrets, or personal information they obtain in the course of exercising their duties and responsibilities, and may not leak, sell, or illegally provide them to other persons.
Article 16: Security assessment for new Internet news information service technologies and applications will be conducted according to the "Internet News Information Service New Technology and Application Security Assessment Management Regulations."
Article 17: These Regulations take effect on 30 November 2018.