On 15 September 2018, the Ministry of Public Security published a new regulation entitled "Regulation on supervision and inspection of the internet by public security authorities". The new regulation will come into effect on 1 November 2018.
The regulation is promulgated pursuant to, amongst other laws, China's new Cyber Security Law, and outlines how the public security authorities are expected to enforce certain provisions contained in the law.
A quick snapshot of the new regulation is set out below:
Which business is this new regulation aimed at?
The new regulation sets out how the public security authorities are expected to exercise their powers of inspection and supervision against two main groups of entities with regard to their compliance with network security obligations.
These two groups of entities are:
- Internet service providers
- Network users
Neither "Internet service providers" nor "network users" is defined in the new regulation itself. However, based on a related regulation entitled "Regulation on internet security technical measures", which has been in force since 1 March 2006, together with the references in the new regulation, these terms are generally understood to include the following entities:
Internet service providers will include providers of the following services:
- Internet access
- Internet data centres (IDC)
- Domain name service
- Content delivery
- Internet information service
- Public Internet access service
Network users are intended to include entities which, for their own business purposes, require international interconnection with the internet.
What compliance obligations are the public security authorities expected to scrutinize?
A number of obligations are mentioned in the new regulation.
We highlight below some of these obligations:
- whether a network security administration system and a set of operation rules have been implemented and whether the personnel responsible for the entities' cyber security have been confirmed;
- whether technical measures have been put in place to record registration details of users and whether records have been kept in accordance with law;
- whether technical measures to prevent any virus or cyber attack or hacking have been implemented;
- whether measures have been put in place to prevent publication and transmission of content which is prohibited by law; and
- whether cyber security obligations corresponding to the classification of its network have been complied with.
There are, in addition, also other specific obligations which the public security authorities are required to supervise, depending on the specific Internet services being provided.
How would public security authorities exercise their supervisory or inspection power?
Very briefly, public security authorities can conduct supervision and inspection in person or remotely.
For remote supervision and inspection, there are a number of requirements imposed on the public security authorities:
- they must provide prior notice to the relevant business;
- the notice must include the time and scope of their supervision and inspection (note, however, that the notice can also be given by general publication); and
- any supervision or inspection should not disrupt the operation of the business.
What sanctions can the public security authorities impose?
The new regulation sets out in detail the various sanctions which the public security authorities can impose in the event any supervision or inspection reveals any non-compliance. Specific references are made to the law and regulations on which the sanctions are based.
Since the coming into force of the Cyber Security Law, the public security authorities have been playing an active role in enforcing the law. The new regulation, whilst it may be unsettling to some, does provide certain guidance (and requirements) on how the public security authorities may exercise their supervision and inspection powers.