On 15 September 2018, the Ministry of Public Security published a new regulation entitled "Regulation on supervision and inspection of the internet by public security authorities". The new regulation will come into effect on 1 November 2018.
The regulation is promulgated pursuant to, amongst other laws, China's new Cyber Security Law, and outlines how the public security authorities are expected to enforce certain provisions contained in the law.
A quick snapshot of the new regulation is set out below:
The new regulation sets out how the public security authorities are expected to exercise their powers of inspection and supervision against two main groups of entities with regard to their compliance of network security obligations.
These two groups of entities are:
Although neither "Internet service providers" nor "network users" is defined in the new regulation itself, in a related regulation entitled "Regulation on internet security technical measures", which has been in force since 1 March 2006, these terms together with the reference in the new regulation, are generally understood to include the following entities:
For Internet service providers, they will include providers of the following services:
For network users, they are intended to include entities which for their own business purposes require international interconnection with the internet.
A number of obligations are mentioned in the new regulation.
We highlight below some of these obligations:
There are, in addition, also other specific obligations which the public security authorities are required to supervise, depending on the specific Internet services being provided.
Very briefly, public security authorities can conduct supervision and inspection in person or remotely.
For remote supervision and inspection, there are a number of requirements imposed on the public security authorities:
The new regulation set out in detail the various sanctions which the public security authorities can impose in the event any supervision or inspection reveals any non-compliance. Specific references are made to the law and regulations on which the sanctions are based on.
Since the coming into force of the Cyber Security Law, the public security authorities have been playing an active role in enforcing the law. The present new regulation whilst may be unsettling to some does provide certain guidance (and requirements) on how the public security authorities may exercise their supervision and inspection powers.