The legislative focus of the Cybersecurity Law

The legislative intent of the Cybersecurity Law is to promote "safe and controllable" products and services in China. "Safe and controllable" has three meanings. First, "products are safe and controllable": network service providers are prohibited from illegally controlling and manipulating users' equipment through the network and thereby impairing users' control over their equipment and systems. Second, "data is autonomous and controllable": network service providers are prohibited from taking advantage of the convenience of providing products or services to illegally obtain users' important data, thereby jeopardizing users' right to control their own data. Third, "user choice is controllable": service providers are prohibited from taking advantage of users' dependence on their products and services to restrict users' choice of other products and services, to the detriment of users' network security and interests.

Point 1

The principle of cyberspace sovereignty. The Cybersecurity Law puts forward the concept of cyberspace sovereignty for the first time, enriching the scope of sovereignty enjoyed by our country, and regards cyberspace sovereignty as a natural extension and manifestation of our national sovereignty in cyberspace. Raising the concept of cyberspace to the level of national sovereignty is more conducive to safeguarding China's legitimate cyber rights and interests from infringement by other countries or foreign organizations. All acts of illegal intrusion into, theft from, or destruction of computers and other service equipment in China's cyberspace, or of providing related technology, will be regarded as infringements of China's national sovereignty.

Point 2

Cybersecurity level protection system. The Cybersecurity Law establishes a cybersecurity level protection system that categorizes network security into five levels. The higher the level, the greater the intensity of intervention by the national information security regulator, which supervises and inspects the security protection of information systems accordingly.

Point 3

Real-name authentication system. The Cybersecurity Law stipulates that network service operators, providers and other subjects should adopt a real-name authentication system when signing agreements with users or confirming the provision of services, including, but not limited to, network access, domain name registration, network-entry formalities, and the provision of information dissemination, instant messaging, and other services for users. In practice, the system is fairly flexible and workable: an approach of anonymity at the front end and real names at the back end can be taken. However, real-name authentication must be put in place; if a platform does not implement the real-name system, it can be fined up to 500,000 yuan.

Point 4

Security review system for critical information infrastructure operators' procurement of network products and services. The Cybersecurity Law sets out legal requirements for raising the level of security and controllability of China's critical information infrastructure, and the supporting Measures for Security Review of Network Products and Services (for Trial Implementation) were subsequently introduced (both the Measures and the Cybersecurity Law came into effect on June 1, 2017). The Measures clarify that important network products and services procured for networks and information systems related to national security should be subject to a cybersecurity review of their security and controllability. Procurement of products and services related to national security or the military, and of other products and services that may affect national security, should be subject to national security review.

Point 5

Security certification and testing system. For critical network equipment and network security products, the Cybersecurity Law stipulates that they must comply with the mandatory requirements of relevant national standards, and may be sold or provided only after passing security certification by a qualified organization or security testing that meets the requirements.

Point 6

Mandatory local storage system for important data. This system mainly regulates the legality of critical information infrastructure operators' collection of personal information and important data, stipulating that the data must be stored locally.

Point 7

Overseas data transmission review and assessment system. If locally stored data genuinely needs to be transferred out of the country, the following conditions must be met at the same time: (1) a security assessment has found that the transfer will not jeopardize national security or social public interests; (2) the subject of the personal information has consented. In addition, the system provides for certain cases set out in law, such as making international phone calls, sending international emails, cross-border shopping via the Internet, and other individual-initiated behaviors, which can be regarded as having obtained the consent of the subject of the personal information.

Point 8

Personal information protection system. The Cybersecurity Law makes a considerable breakthrough on the issue of how to better protect personal information. It establishes the principles of legality, legitimacy and necessity for network operators in the collection and use of personal information. In terms of form, it further requires that data be collected and used only with the consent of the person whose data is collected, with the rules of collection and use made public and the purpose, manner and scope of collection and use made clear. In addition, the Cybersecurity Law has stepped up the crackdown on network fraud and other unlawful acts. The provisions on severely cracking down on network fraud in particular strike at the key problem of the rampant leakage of personal information and fully embody the legislative principle of protecting the legitimate rights of citizens.

Point 9

Personal information circulation system. In response to the current social chaos of illegal trading and illegal sharing of personal information, the Cybersecurity Law deals a heavy blow. It stipulates the obligation of network operators not to disclose, tamper with, or destroy the personal information they collect without the consent of the person whose information is collected. However, it excludes personal information that has been processed in such a way that it cannot identify a specific individual and cannot be recovered. This provision eliminates the illegal abuse of personal information without affecting the big data analysis that network operators and managers need for their own business development.

Point 10

Network communication control system. The network communication control system was established to maintain national security and social public order by giving the government the power to intervene administratively, at the expense of some of the right to freedom of communication, in the event of a major incident. This is a common international practice: for example, in the event of a riot, the communication channels of lawless elements can be cut off to avoid further deterioration of the situation, protect the legitimate rights and interests of users and maintain social stability. However, the impact of this kind of control is relatively large, so the Cybersecurity Law strictly stipulates that the implementation of temporary network control requires the decision or approval of the State Council. Generally speaking, network communication control is short-term: once the incident has been dealt with, the government will immediately restore normal communication, in order to bring as little inconvenience to personal communication as possible.