On September 14, 2022, the Cyberspace Administration of China ("CAC") released the Circular on Seeking Public Comments on the Decision to Amend the Cybersecurity Law of the People's Republic of China (Draft for Comment) ("Revised Draft"), with public comments accepted until September 29, 2022.

The Cybersecurity Law ("CSL") was promulgated on November 7, 2016, and came into force on June 1, 2017. It established the framework of China's cybersecurity and data protection regime and formally introduced key mechanisms such as the cybersecurity multi-level protection scheme, critical information infrastructure ("CII") protection and network user information protection. Building on the CSL, China has since put in place the basic systems for cybersecurity, data security and personal information protection, formulated supporting implementation rules on personal information and privacy protection, cross-border data transfer, CII protection, data classification and important data protection, and gradually built a comprehensive institutional system for cybersecurity and data protection.

The CSL has now been in force for more than five years. During this period China's economy has grown rapidly, and the laws and regulations on cybersecurity and data protection issued since the CSL impose relatively high penalties for non-compliance. To bring these laws and regulations into alignment, the Revised Draft focuses on the penalty provisions: it consolidates the penalties for violations of similar compliance obligations into single provisions, imposes more severe penalties, and adds new types of penalties. The revision also strengthens the connection between the CSL and the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, the Provisions on the Governance of Network Information Content Ecology and other relevant laws and regulations, so that they support and are compatible with each other and jointly form the institutional foundation for cybersecurity and data protection in China, thereby better protecting the legitimate rights and interests of individuals and organizations in cyberspace and safeguarding national security and the public interest.

Specifically, the key revisions are as follows:

1. Consolidating penalties for multiple violations of similar compliance obligations in one provision

The Revised Draft consolidates the penalties for multiple violations of similar compliance obligations into one provision. This is mainly reflected in the merger of four penalty provisions of the CSL, Articles 59, 60, 61 and 62, into a single provision covering violations of the obligations to protect network operation security set out in Article 21, Paragraphs 1 and 2 of Article 22, Article 23, Paragraph 1 of Article 24, and Articles 25, 26, 28, 33, 34, 36 and 38, as well as conduct that causes consequences such as endangering network operation security.

The Revised Draft likewise merges the original Articles 63 and 67 (engaging in activities that endanger cybersecurity; providing a program or tool specifically used for such activities; providing technical support, advertising promotion, payment and settlement services or other assistance to another person engaging in such activities; setting up a website or communications group for carrying out illegal or criminal activities; or using the Internet to publish information related to carrying out illegal or criminal activities), and the original Articles 68 and 69 (violating a network information security protection obligation; failing to comply with a requirement by a relevant authority to cease the transmission of, remove or otherwise dispose of information whose publication or transmission is prohibited by laws or administrative regulations; or failing to comply with a requirement by a relevant authority to take measures in response to a relatively major network security risk or a security incident that has occurred).

2. Imposing more severe penalties

The Revised Draft imposes more severe penalties for violations of the CSL. For example, under the current CSL a network operator that fails to perform its cybersecurity protection obligations is warned and ordered to rectify by the competent department; if it refuses to rectify, or serious damage to cybersecurity results, it is fined between CNY 10,000 and CNY 100,000, and the directly responsible executives are fined between CNY 5,000 and CNY 50,000. The Revised Draft raises the maximum fine on a network operator that refuses to rectify, or whose violation is serious, to CNY 1 million, and raises the fine on the directly liable individual in charge or other directly liable individuals to between CNY 10,000 and CNY 100,000.

A more notable revision is that the Revised Draft also provides penalties for "particularly serious circumstances": the relevant authority at or above the provincial level shall order corrections and impose a fine of between CNY 1 million and CNY 50 million, or of up to 5% of the previous year's revenue, and may order suspension of the relevant operations, suspension of business for rectification, website shutdown, or revocation of the relevant business permit or business license; it shall impose a fine of between CNY 100,000 and CNY 1 million on the directly liable individual in charge or other directly liable individuals, and may prohibit those individuals from serving as a director, supervisor or senior executive of a relevant enterprise, or from holding a key position in network security management or network operations, for a certain period. This provision is broadly consistent with the legal liabilities prescribed in Article 66 of the Personal Information Protection Law.

Because of the consolidation described above, the liabilities for "particularly serious circumstances" will also apply to violations of the obligations in Article 21, Paragraphs 1 and 2 of Article 22, Article 23, Paragraph 1 of Article 24, and Articles 25, 26, 28, 33, 34, 36 and 38. These cover, among other things, security safeguards for network products and services, security protection of critical network equipment and specialized cybersecurity products, network real-name authentication, emergency response plans for cybersecurity incidents, cybersecurity certification, inspection and risk assessment, technical support and assistance to the regulatory authorities, and CII protection requirements.

Beyond these cases, the Revised Draft raises the penalties (including the ceiling on fines imposed on entities) to as much as CNY 1 million for engaging in activities that endanger cybersecurity, providing a program or tool specifically used for such activities, providing technical support, advertising promotion, payment and settlement services or other assistance to another person engaging in such activities, setting up a website or communications group for carrying out illegal or criminal activities, or using the Internet to publish information related to carrying out illegal or criminal activities. It likewise raises the penalties to as much as CNY 1 million for violating network information security protection obligations, failing to comply with a requirement by a relevant authority to cease the transmission of, remove or otherwise dispose of information whose publication or transmission is prohibited by laws or administrative regulations, or failing to comply with a requirement by a relevant authority to take measures in response to a relatively major cybersecurity risk or a security incident that has occurred; in particularly serious circumstances, these violations attract a fine of up to CNY 50 million or up to 5% of the previous year's revenue.

In addition, where a CII operator ("CIIO") violates the CSL by using a network product or service that has not undergone, or has failed, a security review, the Revised Draft adds a fine of "up to 5% of the previous year's revenue" as an alternative to the existing "fine of one to ten times the purchase price". This introduces uncertainty into a CIIO's liability for failing to meet this obligation and could result in a higher monetary penalty.

3. Adding new types of penalties

As to the types of penalties, the Revised Draft adds "circulation of a notice of criticism", mirroring the 2021 revision of the Administrative Penalty Law, whose Article 9 added "circulation of a notice of criticism" as a type of administrative penalty alongside "warning". This revision is readily associated with the public notices issued over the past several years by the cyberspace administration, the industry and information technology administration and other authorities concerning the illegal collection and use of personal information by apps; those, however, were merely "notifications" and did not include "criticism". The "circulation of a notice of criticism" added by the Revised Draft is expected to increase the public exposure of network operators that violate their cybersecurity protection obligations, and may be linked to their credit records to strengthen the disciplinary effect.

In addition, the Revised Draft expands the scenarios in which "qualification-based penalties" apply and in which the relevant personnel are barred from key positions, so as to require enterprises and the responsible personnel to act in good faith and conduct business diligently and prudently.

4. Strengthening connection with other laws and regulations

The CSL, as the origin of important systems such as the cybersecurity multi-level protection scheme, CII protection and network user information protection in China, stipulates legal liability for violations of its CII protection and network information protection provisions. However, China's legislative bodies have since enacted specific "special laws", such as the Regulations on the Security Protection of Critical Information Infrastructure, the Provisions on the Governance of Network Information Content Ecology and the Personal Information Protection Law, which contain their own liability provisions for failures in CII protection, network content governance and personal information protection. To avoid conflicts in the application of these laws and regulations, the Revised Draft replaces the specific penalty provisions in the current CSL with wording to the effect that penalties shall be "imposed in accordance with the relevant laws and administrative regulations", highlighting the connection with those "special laws".

For reference, Appendix 1 compares the current CSL with the Revised Draft, and Appendix 2 illustrates the role-based accountability mechanism under the CSL, under which network operators and CII operators must fulfill their respective compliance obligations.

Appendix 1:

No.

Compliance Requirements

Current Effective CSL

Revised Draft
  of the CSL

1

Article 21 The State implements the classified protection  system for cybersecurity. Network operators shall fulfill the following  obligations of security protection according to the requirements of the  classified protection system for cybersecurity to ensure that the network is  free from interference, damage or unauthorized access, and prevent network  data from being divulged, stolen or falsified,

1. Formulate internal  security management systems and operating instructions, determine the persons  responsible for cybersecurity, and implement the responsibility for  cybersecurity protection;

2. Take technological  measures to prevent computer viruses, network attacks, network intrusions and  other actions endangering cybersecurity;

3. Take technological  measures to monitor and record the network operation status and cybersecurity  incidents, and preserve relevant web logs for no less than six months  according to the provisions;

4. Take measures such  as data classification, and back-up and encryption of important data; and

5. Other obligations  stipulated by laws and administrative regulations.

Article 59 Where a network operator fails to fulfill  obligation of cybersecurity protection set out in Articles 21  and 25 hereof, the competent authority shall warn such operator and order it  to make rectifications. A fine ranging from  10,000 yuan to 100,000 yuan shall be imposed on such operator if it  refuses to make rectifications or in case of  consequential severe damage to the network, and a fine ranging from 5,000 to 50,000 yuan shall be  imposed on the supervisor directly in charge.

……

Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or second paragraph of Article 22 ,  Article 23, the first paragraph of Article 24, Article 25, Article 26,  Article 28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to  be made and issue a warning or a circular of  reprimand; and if corrections are refused or  the circumstances are grave, impose a fine of  up to CNY1 million, and may impose suspension of relevant operations,  suspension of business for rectification, website shutdown, revocation of  relevant business permit or revocation of business license, and impose a fine  of CNY10,000 up to CNY 100,000 on any directly liable individual in charge or  other directly liable individual.

If the circumstances of a violation described  in the preceding paragraph are particularly grave,  the relevant authority at or above the provincial  level shall order corrections to be made and impose a fine of CNY 1 million  up to CNY 50 million or up to 5% of the previous year's revenue, and may  impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license; impose a fine of CNY 100,000 up to CNY 1  million on any directly liable individual in charge or other directly liable  individual, and may decide to ban the individual from serving as a director,  supervisor, or executive of a relevant enterprise or engaging in a key  position in network security management or network operations for a certain  period of time.

2

Article  22 Network products and services shall comply  with the compulsory requirements of the relevant national standards.  Providers of network products and services shall not install malwares; when  they discover that their network products or services are subject to risks  such as security defects or bugs, such providers shall take remedial measures  immediately, inform users of the said risks and report the same to the  relevant competent departments in accordance with the provisions.

Providers of network products and services  shall provide security maintenance for their products and services; and shall  not terminate the provision of security maintenance within the stipulated  time limit or the time limit agreed by the parties concerned.

……

Article 60 Where any person conducts any of the following  acts in violation of Paragraph 1 and Paragraph 2 of Article 22,  Paragraph 1 of Article 48 hereof, he shall be ordered to effect rectification  and be warned by the relevant competent departments; where he refuses to  effect rectification or such consequences as  endangering cybersecurity are caused, a  fine of no less than CNY50,000 but no more than CNY500,000 shall be imposed;  as for the persons directly in charge, a fine of no less than CNY10,000 but  no more than CNY100,000 shall be imposed,

1.  Installing malwares;

2.  Failing to take remedial measures immediately against risks, such as security  defects and bugs of their products or services; or failing to promptly inform  users of such risks and reporting the same to the relevant competent  departments in accordance with the relevant provisions; or

3.  Arbitrarily terminating the provision of security maintenance for their  products and services.

Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or second paragraph of  Article 22 , Article 23, the first paragraph of Article 24, Article  25, Article 26, Article 28, Article 33, Article 34, Article 36, or Article 38  or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to  be made and issue a warning or a circular of  reprimand; and if corrections are refused or  the circumstances are grave, impose a fine of  up to CNY1 million, and may impose suspension of relevant operations,  suspension of business for rectification, website shutdown, revocation of  relevant business permit or revocation of business license, and impose  a fine of CNY10,000 up to CNY 100,000 on any directly liable individual in  charge or other directly liable individual.

If the circumstances of a violation described  in the preceding paragraph are particularly grave,  the relevant authority at or above the provincial  level shall order corrections to be made and impose a fine of CNY 1 million  up to CNY 50 million or up to 5% of the previous year's revenue, and may  impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license; impose a fine of CNY 100,000 up to CNY 1  million on any directly liable individual in charge or other directly liable  individual, and may decide to ban the individual from serving as a director,  supervisor, or executive of a relevant enterprise or engaging in a key  position in network security management or network operations for a certain  period of time.

3

Article 23 Critical network equipment and specialized  cybersecurity products shall, pursuant to the compulsory requirements of the  relevant national standards, pass the security certification by qualified  institutions or meet the requirements of security detection before being sold  or provided. The national cyberspace administration authority shall, in  concert with the relevant departments under the State Council, formulate and  release the catalog of critical network equipment and specialized  cybersecurity products, and promote the mutual recognition of security  certification and security detection results, so as to avoid repeated  certifications and detections.


Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or  second paragraph of Article 22 , Article  23, the first paragraph of Article 24, Article 25, Article 26,  Article 28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to be made  and issue a warning or a circular of reprimand; and if corrections are  refused or the circumstances are grave, impose a fine of up to CNY1 million,  and may impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license, and impose a fine of CNY10,000 up to CNY  100,000 on any directly liable individual in charge or other directly liable  individual.

If the circumstances of a violation  described in the preceding paragraph are particularly grave, the relevant  authority at or above the provincial level shall order corrections to be made  and impose a fine of CNY 1 million up to CNY 50 million or up to 5% of the  previous year's revenue, and may impose suspension of relevant operations,  suspension of business for rectification, website shutdown, revocation of  relevant business permit or revocation of business license; impose a fine of  CNY 100,000 up to CNY 1 million on any directly liable individual in charge  or other directly liable individual, and may decide to ban the individual  from serving as a director, supervisor, or executive of a relevant enterprise  or engaging in a key position in network security management or network  operations for a certain period of time.

4

Article 24 When network operators handle network access and  domain registration services for users, handle network access formalities for  fixed-line or mobile phone users, or provide users with information  publication services, instant messaging services and other services, they  shall require users to provide real identity information at the time of  signing agreements with users or confirming the provision of services. Where  users do not provide real identify information, network operators shall not  provide them with relevant services.

……

Article  61 Network operators who in violation of Paragraph 1 of Article 24  hereof, fail to request users to provide  authentic identity information, or provide services for those failing to  provide authentic identity information, shall be ordered to effect  rectification by the relevant competent departments; where they refuse to  effect rectification or if the circumstances are serious, a fine of no less than CNY50,000 but no more than  CNY500,000 shall be imposed, and the relevant competent departments  may order them to suspend operation, stop doing business for internal  rectification, close down the website, or may revoke relevant business  permits or their business licenses; and a fine of no less than CNY10,000 but  no more than CNY100,000 shall be imposed on the persons directly in charge  and other directly responsible persons.

Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or  second paragraph of Article 22 , Article 23, the first paragraph of Article 24, Article 25, Article 26,  Article 28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to  be made and issue a warning or a circular of  reprimand; and if corrections are refused or the circumstances are  grave, impose a fine of up to CNY1 million,  and may impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license, and impose a fine of CNY10,000 up to CNY  100,000 on any directly liable individual in charge or other directly liable  individual.

If the circumstances of a violation described  in the preceding paragraph are particularly grave,  the relevant authority at or above the provincial  level shall order corrections to be made and impose a fine of CNY 1 million  up to CNY 50 million or up to 5% of the previous year's revenue, and may  impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license; impose a fine of CNY 100,000 up to CNY 1  million on any directly liable individual in charge or other directly liable  individual, and may decide to ban the individual from serving as a director,  supervisor, or executive of a relevant enterprise or engaging in a key  position in network security management or network operations for a certain  period of time.

5

Article 25 Network operators shall formulate contingency  plans for cybersecurity incidents, and promptly deal with system bugs,  computer viruses, network attacks and intrusions and other security risks;  when any incident endangering cybersecurity occurs, network operators shall  immediately initiate contingency plans, take corresponding remedial measures,  and report the same to the relevant competent departments in accordance with  the provisions.

Article 59 Network operators, who fail to perform the  obligation of protecting cybersecurity as stipulated by Article 21 or Article  25 of this Law, shall be ordered to effect rectification and be  warned by the relevant competent departments. Where they refuse to effect  rectification, or such consequences as  endangering cybersecurity are caused, a fine of no less than CNY10,000 but no  more than CNY100,000 shall be imposed; as for the persons directly in charge,  a fine of no less than CNY5,000 but no more than CNY50,000 shall be imposed.

……

Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or  second paragraph of Article 22 , Article 23, the first paragraph of Article  24, Article 25, Article 26,  Article 28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to  be made and issue a warning or a circular of  reprimand; and if corrections are refused or  the circumstances are grave, impose a fine of up to CNY1 million, and may  impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license, and impose a fine of CNY10,000 up to CNY  100,000 on any directly liable individual in charge or other directly liable  individual.

If the circumstances of a violation described  in the preceding paragraph are particularly grave,  the relevant authority at or above the provincial level shall order  corrections to be made and impose a fine of CNY 1 million up to CNY 50  million or up to 5% of the previous year's revenue, and may impose suspension  of relevant operations, suspension of business for rectification, website  shutdown, revocation of relevant business permit or revocation of business  license; impose a fine of CNY 100,000 up to CNY 1 million on any directly  liable individual in charge or other directly liable individual, and may  decide to ban the individual from serving as a director, supervisor, or  executive of a relevant enterprise or engaging in a key position in network security  management or network operations for a certain period of time.

6

Article 26 Carrying out such activities as cybersecurity  authentication, detection and risk evaluation, and releasing cybersecurity  information like system bugs, computer viruses, network attacks and  intrusions to society shall comply with the relevant regulations of the  State.

Article 62 Anyone that carries out cybersecurity  authentication, detection, risk evaluation and other activities or released  system bugs, computer viruses, network attacks and intrusions and other  cybersecurity information to the public in violation of Article 26  hereof, shall be ordered by the relevant competent departments to make  rectification; where they refuse to make rectification or if the  circumstances are serious, a fine of between  CNY10,000 and CNY100,000 shall be imposed, and the relevant competent  departments may order them to suspend the relevant operation, suspend  business for internal rectification, close down the website, or may revoke  the relevant business permits or their business licenses; and a fine of between CNY5,000 and CNY50,000 shall be  imposed on any directly liable manager or any other directly liable  person.

Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or  second paragraph of Article 22 , Article 23, the first paragraph of Article  24, Article 25, Article 26,  Article 28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to  be made and issue a warning or a circular of  reprimand; and if corrections are refused or  the circumstances are grave, impose a fine of up to CNY1 million, and may  impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license, and impose a fine of CNY10,000 up to CNY  100,000 on any directly liable individual in charge or other directly liable  individual.

If the circumstances of a violation described  in the preceding paragraph are particularly grave,  the relevant authority at or above the provincial level shall order  corrections to be made and impose a fine of CNY 1 million up to CNY 50  million or up to 5% of the previous year's revenue, and may impose suspension  of relevant operations, suspension of business for rectification, website  shutdown, revocation of relevant business permit or revocation of business  license; impose a fine of CNY 100,000 up to CNY 1 million on any directly  liable individual in charge or other directly liable individual, and may  decide to ban the individual from serving as a director, supervisor, or  executive of a relevant enterprise or engaging in a key position in network  security management or network operations for a certain period of time.

7

Article 28 Network operators shall provide technical support  and assistance to the public security organs and state security organs in  lawfully safeguarding national security and investigating crimes.


Where anyone has violated an obligation to  protect network operation security prescribed in Article 21, the first or  second paragraph of Article 22 , Article 23, the first paragraph of Article  24, Article 25, Article 26, Article  28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network  operation security, the relevant authority shall order corrections to be made  and issue a warning or a circular of reprimand; and if corrections are  refused or the circumstances are grave, impose a fine of up to CNY1 million,  and may impose suspension of relevant operations, suspension of business for  rectification, website shutdown, revocation of relevant business permit or  revocation of business license, and impose a fine of CNY10,000 up to CNY  100,000 on any directly liable individual in charge or other directly liable  individual.

If the circumstances of a violation  described in the preceding paragraph are particularly grave, the relevant  authority at or above the provincial level shall order corrections to be made  and impose a fine of CNY 1 million up to CNY 50 million or up to 5% of the  previous year's revenue, and may impose suspension of relevant operations,  suspension of business for rectification, website shutdown, revocation of  relevant business permit or revocation of business license; impose a fine of  CNY 100,000 up to CNY 1 million on any directly liable individual in charge  or other directly liable individual, and may decide to ban the individual  from serving as a director, supervisor, or executive of a relevant enterprise  or engaging in a key position in network security management or network  operations for a certain period of time.

8

Article  33 To construct the critical information  infrastructure, it shall be ensured that the critical information  infrastructure has properties for supporting the stable and continuous  operation of the business, and that technical security measures are planned,  established and used concurrently.

Article 59

(Second Paragraph) Operators of critical information infrastructure who fail to perform the obligation of cybersecurity protection as stipulated by Article 33, Article 34, Article 36 and Article 38 of this Law shall be ordered to effect rectification and be given a warning. Where they refuse to effect rectification, or such consequences as endangering cybersecurity are caused, a fine of no less than CNY100,000 but no more than CNY1 million shall be imposed; as for the persons directly in charge, a fine of no less than CNY10,000 but no more than CNY100,000 shall be imposed.

Where anyone has violated an obligation to protect network operation security prescribed in Article 21, the first or second paragraph of Article 22, Article 23, the first paragraph of Article 24, Article 25, Article 26, Article 28, Article 33, Article 34, Article 36, or Article 38 or has caused consequences such as endangering network operation security, the relevant authority shall order corrections to be made and issue a warning or a circular of reprimand; and if corrections are refused or the circumstances are grave, impose a fine of up to CNY1 million, and may impose suspension of relevant operations, suspension of business for rectification, website shutdown, revocation of relevant business permit or revocation of business license, and impose a fine of CNY10,000 up to CNY100,000 on any directly liable individual in charge or other directly liable individual.

If the circumstances of a violation described in the preceding paragraph are particularly grave, the relevant authority at or above the provincial level shall order corrections to be made and impose a fine of CNY1 million up to CNY50 million or up to 5% of the previous year's revenue, and may impose suspension of relevant operations, suspension of business for rectification, website shutdown, revocation of relevant business permit or revocation of business license; impose a fine of CNY100,000 up to CNY1 million on any directly liable individual in charge or other directly liable individual, and may decide to ban the individual from serving as a director, supervisor, or executive of a relevant enterprise or engaging in a key position in network security management or network operations for a certain period of time.

9

Article 34 In addition to the provisions of Article 21 herein, critical information infrastructure operators shall also fulfill the following obligations of security protection:

1. Set up independent security management institutions and designate persons responsible for security management, and review the security background of the said responsible persons and personnel in key positions;

2. Periodically conduct cybersecurity education, technical training and skill assessment for practitioners;

3. Make disaster recovery backups of important systems and databases;

4. Formulate contingency plans for cybersecurity incidents, and carry out drills periodically; and

5. Other obligations stipulated by laws and administrative regulations.

10

Article 36 To purchase network products and services, critical information infrastructure operators shall enter into security confidentiality agreements with the providers in accordance with the provisions, in which obligations and responsibilities in terms of security and confidentiality shall be clarified.

11

Article 38 Critical information infrastructure operators shall conduct by themselves, or entrust cybersecurity service institutions to conduct, the detection and assessment of their cybersecurity and any potential risk at least once a year, and submit the detection and assessment situations as well as improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.

12

Article 27 Any individual or organization shall neither engage in activities endangering cybersecurity, including illegally invading others' networks, interfering with the normal functions of others' networks and stealing cyber data, nor provide programs or tools specifically used for activities endangering cybersecurity, such as network intrusions, interference with the normal functions and protective measures of the network, and theft of cyber data; if such individual or organization knows that a person engages in activities jeopardizing cybersecurity, it shall not provide technical support, advertising promotion, payment and settlement services or other types of assistance to such person or organization.

Article 63 Where, in violation of Article 27 hereof, anyone is engaged in activities endangering cybersecurity, provides programs or tools specifically used for conducting activities endangering cybersecurity, or provides technical support, advertising promotion, payment and settlement support or other kinds of assistance to others for conducting activities endangering cybersecurity, if such activities do not constitute a crime, public security organs shall confiscate their illegal gains, enforce detention of up to five days and may, in addition, impose a fine of between CNY50,000 and CNY500,000; and if the circumstances are serious, the period of detention shall be no less than 5 days but no more than 15 days and, in addition, the fine imposed may be no less than CNY100,000 but no more than CNY1,000,000.

Where an entity commits any of the violations stipulated in the preceding paragraph, public security organs shall confiscate its illegal gains, impose a fine of no less than CNY100,000 but no more than CNY1,000,000, and punish the persons directly in charge and the other directly responsible persons in accordance with the provisions of the preceding paragraph.

Any person who violates Article 27 hereof shall be forbidden from practicing cybersecurity management and taking key positions in the field of network operation either within five years if he or she is subject to public security punishment or for life if he or she is subject to criminal punishment.

Where anyone has violated Article 27 or 46 of this Law by engaging in activities that endanger network security, or providing a program or tool specifically used for engaging in activities that endanger network security, or providing technical support, advertising promotion, payment and settlement services, or any other assistance for another to engage in activities that endanger network security, or setting up a website or communications group for implementing illegal or criminal activities, or using the Internet to publish information related to the implementation of illegal or criminal activities, provided that the violation does not constitute a crime, the public security authority shall confiscate the illegal proceeds and impose a detention of up to five days, and may concurrently impose a fine of CNY50,000 up to CNY500,000; or, if the circumstances are relatively grave, shall impose a detention of 5 days up to 15 days, and may concurrently impose a fine of CNY100,000 up to CNY1 million.

If a violation described in the preceding paragraph was committed by an entity, the public security authority shall confiscate the illegal proceeds and impose a fine of CNY100,000 up to CNY1 million against the entity, and impose penalties as stated in the preceding paragraph against any directly liable individual in charge or other directly liable individual.

Individuals who have violated Article 27 of this Law are banned from engaging in a key position in network security management or network operations for five years if they were subjected to public security administration penalties, or are banned from engaging in a key position in network security management or network operations for life if they were subjected to criminal penalties.

13

Article 46 Any individual or entity shall be responsible for their use of the network, but shall neither create a website or set up a group for communications for illegal and criminal activities, such as defrauding, passing on crime methods, or producing or selling prohibited or controlled goods, nor disclose information by taking advantage of the network that is related to such illegal and criminal activities as defrauding and producing or selling prohibited or controlled goods.

Article 67 For network operators who violate Article 46 hereof by creating a website or setting up a communications group for illegal or criminal activities, or disclosing information by making use of the network that relates to any illegal or criminal activity to be committed, if such activities do not constitute a crime, public security organs shall put them into detention for up to five days and may, in addition, impose a fine of no less than CNY10,000 but no more than CNY100,000; and if the circumstances are serious, such operators shall be detained for no less than 5 days but no more than 15 days and may, in addition, be fined no less than CNY50,000 but no more than CNY500,000. Websites and communication groups used for conducting illegal and criminal activities shall be closed down.

Where an entity commits any of the violations stipulated in the preceding paragraph, public security organs shall confiscate its illegal gains, impose a fine of no less than CNY100,000 but no more than CNY500,000, and punish the persons directly in charge and the other directly responsible persons in accordance with the provisions of the preceding paragraph.

Where anyone has violated Article 27 or 46 of this Law by engaging in activities that endanger network security, or providing a program or tool specifically used for engaging in activities that endanger network security, or providing technical support, advertising promotion, payment and settlement services, or any other assistance for another to engage in activities that endanger network security, or setting up a website or communications group for implementing illegal or criminal activities, or using the Internet to publish information related to the implementation of illegal or criminal activities, provided that the violation does not constitute a crime, the public security authority shall confiscate the illegal proceeds and impose a detention of up to five days, and may concurrently impose a fine of CNY50,000 up to CNY500,000; or, if the circumstances are relatively grave, shall impose a detention of 5 days up to 15 days, and may concurrently impose a fine of CNY100,000 up to CNY1 million.

If a violation described in the preceding paragraph was committed by an entity, the public security authority shall confiscate the illegal proceeds and impose a fine of CNY100,000 up to CNY1 million against the entity, and impose penalties as stated in the preceding paragraph against any directly liable individual in charge or other directly liable individual.

……

14

Article 22

……

(Third Paragraph) Where network products and services have the function of collecting users' information, the providers shall clearly notify their users and obtain their consent. In the case of involving users' personal information, the providers shall also comply with the provisions regarding the protection of personal information as stipulated by this Law, relevant laws and administrative regulations.

Article 64 Where, in violation of the third paragraph of Article 22 or Article 41, 42 or 43 of the Law, a network operator or provider of any cyber product or service commits an infringement of any personal information right that is legally protected, the competent authority shall order it to make rectification, and may, depending on the circumstances of the case, impose on it, separately or in combination, a warning, the confiscation of illegal gains, and a fine of between one and ten times the illegal gains, or a fine of up to CNY1 million if there is no illegal gain; impose a fine of between CNY10,000 and CNY100,000 on any directly liable manager or any other directly liable person of the organization; and may, if the circumstances are serious, order it to suspend the relevant business, suspend business for rectification, or close down the website, or revoke its relevant business permit or its business license.

In the case of a theft of or otherwise illegal acquisition, or illegal sale or illegal provision of personal information to another in violation of Article 44 of the Law that does not constitute a criminal offense, the public security authority shall confiscate the violator's illegal gains and impose a fine of between one and ten times the illegal gains, or a fine of up to CNY1 million if there are no illegal gains.

Any network operator, or network product or service provider, who has violated the third paragraph of Article 22 or Article 41 through 44 of this Law by infringing the right to legal protection of personal information shall be punished in accordance with relevant laws or administrative regulations.

15

Article 41 To collect and use personal information, network operators shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules of data collection and use, clearly express the purposes, means and scope of collecting and using the information, and obtain the consent of the persons whose data is gathered.

Network operators shall neither gather personal information unrelated to the services they provide, nor gather or use personal information in violation of the provisions of laws and administrative regulations or the agreements arrived at; and shall dispose of personal information they have saved in accordance with the provisions of laws and administrative regulations and agreements reached with users.

16

Article 42 Network operators shall not disclose, tamper with or corrupt the personal information collected by them, and shall not provide any such personal information to any other person without the consent of the person from whom the information was collected, except where information has been processed to the extent that it cannot identify a specific individual and cannot be restored.

Network operators shall adopt technical measures and other necessary measures to ensure the security of the personal information they have collected and prevent such information from being divulged, damaged or lost. If personal information has been or may be divulged, damaged or lost, it is necessary to take remedial measures immediately, inform users promptly according to the provisions and report the same to the relevant competent departments.

17

Article 43 Where individuals discover that network operators gather or use their personal information in violation of the provisions of laws and administrative regulations or the agreements arrived at, they have the right to request the network operators to delete their personal information; where they find that their personal information gathered or stored by network operators is subject to any mistake, they have the right to request the network operators to make corrections. Network operators shall take measures to delete or correct the said information.

18

Article 44 Any individual or organization may neither acquire personal information by stealing or through other illegal ways, nor illegally sell or provide personal information to others.

19

Article 35 Where critical information infrastructure operators purchase network products and services which may influence national security, they shall go through a security review organized by the national cyberspace administration authority in concert with the relevant departments under the State Council.

Article 65 Where operators of critical information infrastructures, in violation of Article 35 hereof, use network products or services that have neither been examined for security nor passed the security examination, they shall be ordered by the relevant competent departments to stop using such products or services, and a fine of no less than one but no more than ten times the purchase amount shall be imposed; as for the persons directly in charge or other directly responsible persons, a fine of no less than CNY10,000 but no more than CNY100,000 shall be imposed.

Where a critical information infrastructure operator has violated Article 35 of this Law by using a network product or service that has not undergone security review or has failed to pass security review, the relevant authority shall order a cessation of the use and impose a fine of one time up to ten times the purchase price or up to 5% of the previous year's revenue against the operator, and impose a fine of CNY10,000 up to CNY100,000 on any directly liable individual in charge or other directly liable individual.

20

Article 37 Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the People's Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administrative regulations have other provisions, those provisions shall prevail.

Article 66 Where operators of critical information infrastructures, in violation of Article 37 hereof, store network data overseas or provide network data overseas, the relevant competent departments shall order them to effect rectification, give a warning, confiscate illegal gains, and impose a fine of no less than CNY50,000 but no more than CNY500,000; and may order them to suspend relevant business, stop business for rectification, close down the website, or revoke the relevant business permits or their business licenses; as for the persons directly in charge or other directly responsible persons, a fine of no less than CNY10,000 but no more than CNY100,000 shall be imposed.

A critical information infrastructure operator who has violated Article 37 of this Law by storing network data overseas or providing network data to an overseas party shall be punished in accordance with relevant laws or administrative regulations.

21

Article 47 Network operators shall strengthen the management of the information published by their users, and upon discovery of information whose publication or transmission is prohibited by the laws and administrative regulations, shall immediately stop the transmission of such information, take disposal measures such as deletion to prevent the information from spreading, save relevant records, and report the same to the relevant competent departments.

Article 68 Where network operators, in violation of Article 47 hereof, fail to stop transmitting or take disposal measures to remove the information, or to save relevant records regarding information that the relevant departments prohibit from being published or transmitted, they shall be ordered to effect rectification and be given a warning, and their illegal gains shall be confiscated by the relevant competent departments; where the operators refuse to effect rectification or the circumstances are serious, a fine of no less than CNY100,000 but no more than CNY500,000 shall be imposed, and they may be ordered to suspend relevant business, stop business for rectification or close down the website, and the relevant business permits or their business licenses may be revoked; as for the persons directly in charge and other directly responsible persons, a fine of no less than CNY10,000 but no more than CNY100,000 shall be imposed.

Electronic messaging service providers or application software download service providers who fail to fulfill their security management obligations stipulated in Paragraph 2 of Article 48 hereof shall be punished in accordance with the preceding paragraph.

Where anyone has violated a network information security protection obligation prescribed in Article 47, 48, or 49 of this Law, or has failed to comply with a requirement by a relevant authority to cease the transmission of or remove or otherwise dispose of any information that is prohibited from publication or transmission by laws or administrative regulations, or has failed to comply with a requirement by a relevant authority to take measures in response to a relatively big network security risk that exists or a security incident that has occurred, the relevant authority shall order corrections to be made, issue a warning or a circular of reprimand, and confiscate the illegal proceeds; and if corrections are refused or the circumstances are grave, impose a fine of up to CNY1 million, and may impose suspension of relevant operations, suspension of business for rectification, website shutdown, revocation of relevant business permit or revocation of business license, and impose a fine of CNY10,000 up to CNY100,000 on any directly liable individual in charge or other directly liable individual.

If the circumstances are particularly grave, the relevant authority at or above the provincial level shall order corrections to be made, confiscate the illegal proceeds, impose a fine of CNY1 million up to CNY50 million or up to 5% of the previous year's revenue, and may impose suspension of relevant operations, suspension of business for rectification, website shutdown, revocation of relevant business permit or revocation of business license; impose a fine of CNY100,000 up to CNY1 million on any directly liable individual in charge or other directly liable individual, and may decide to ban the individual from serving as a director, supervisor, or executive of a relevant enterprise or engaging in a key position in network security management or network operations for a certain period of time.

22

Article 48 The electronic information sent by and application software provided by any individual or organization shall neither be installed with malware, nor contain any information whose publication or transmission is prohibited by laws and administrative regulations.

Electronic information distribution service providers and application software download service providers shall fulfill their security administration duties; and where the said providers learn that their users have conducted behaviors stipulated in the preceding paragraph, they shall stop the provision of services, take disposal measures such as deletion, keep relevant records and report the same to the relevant competent departments.

23

Article 49 Network operators shall set up complaint and reporting systems for network information security, disclose the ways of complaint and reporting and other information, and promptly accept and handle complaints and reports related to network information security.

Network operators shall cooperate with the supervision and detection implemented by cyberspace administration authorities and the relevant departments according to the law.

Article 69 Network operators who, in violation of the provisions hereof, conduct any of the following acts shall be ordered to effect rectification by the competent departments; where they refuse to effect rectification, or the circumstances are serious, a fine of no less than CNY50,000 but no more than CNY500,000 shall be imposed; as for the persons directly in charge or other directly responsible persons, a fine of no less than CNY10,000 but no more than CNY100,000 shall be imposed:

1. Fail to take disposal measures such as stopping transmission or removing information whose publication or transmission is prohibited by the laws or administrative regulations as required by the relevant departments;

2. Refuse or impede the supervision and detection implemented by the relevant departments according to the law; or

3. Refuse to provide technical support and assistance to public security organs and state security organs.

24

Article 12 The State protects the rights of citizens, legal persons and other organizations to use cyberspace according to the law, promotes the popularity of network access, and raises the level of network services, so as to provide the public with secure and convenient network services and guarantee the orderly and free flow of network information in accordance with the law.

Any individual and organization using the network shall comply with the constitution and the laws, follow the public order and respect social moralities, and shall neither endanger cybersecurity, nor engage in activities by making use of the network that endanger the national security, honor and interests, incite to subvert the State power and overthrow the socialist system, incite to split the country and undermine the national unity, advocate terrorism and extremism, propagate ethnic hatred and discrimination, spread violent and pornographic information, fabricate or disseminate false information to disturb the economic and social order, or infringe on the reputation, privacy, intellectual property and other legitimate rights and interests of others.

Article 70 Releasing or transmitting information whose publication or transmission is prohibited by Paragraph 2 of Article 12 hereof, or by other laws or administrative regulations, shall be punished in accordance with the provisions of the relevant laws and administrative regulations.

Anyone who has published or transmitted information that is prohibited from publication or transmission by the second paragraph of Article 12 of this Law or other laws and administrative regulations shall be punished in accordance with relevant laws or administrative regulations.

Where laws and administrative regulations are silent, the relevant authority shall order corrections to be made, issue a warning or circular of reprimand, and confiscate the illegal proceeds; and if corrections are refused or the circumstances are grave, impose a fine of up to CNY1 million, and may impose suspension of relevant operations, suspension of business for rectification, website shutdown, revocation of relevant business permit or revocation of business license, and impose a fine of CNY10,000 up to CNY100,000 on any directly liable individual in charge or other directly liable individual.

If the circumstances are particularly grave, the relevant authority at or above the provincial level shall order corrections to be made, confiscate the illegal proceeds, impose a fine of CNY1 million up to CNY50 million or up to 5% of the previous year's revenue, and may impose suspension of relevant operations, suspension of business for rectification, website shutdown, revocation of relevant business permit or revocation of business license; impose a fine of CNY100,000 up to CNY1 million on any directly liable individual in charge or other directly liable individual, and may decide to ban the individual from serving as a director, supervisor, or executive of a relevant enterprise or engaging in a key position in network security management or network operations for a certain period of time.

Appendix 2: 

(Thanks to intern Yicheng Zhang for his contribution to this article.)

Annie Xue

annie.xue@genlaw.com

Dr. XUE is a partner supervising the data and antitrust practice of GEN Law Firm. She specializes in regulatory affairs in cybersecurity and data protection, antitrust and anti-unfair competition, anti-commercial bribery, and the Chinese social credit system. Dr. XUE has extensive experience in the said areas and a profound understanding of the complicated issues standing at the intersection of those topics.

Dr. XUE studied competition law at the School of Law of the University of Illinois and obtained a J.S.D. there. Dr. XUE serves as an expert member on the Expert Panel of China Information Industry Association Medical and Health Industry Branch, Compliance Committee of China Chamber of Commerce of Metals, Minerals & Chemicals Importers & Exporters, Fair Competition Review Expert of Shenzhen Administration for Market Regulation, Expert of Hubei Provincial Administration for Market Regulation, and Expert of Liaoning Provincial Administration for Market Regulation. Dr. XUE also participated in many research topics led by law enforcement authorities and academia as a postdoctoral fellow at the Institute of Law of the Chinese Academy of Social Sciences, and actively contributed to the formulation of competition and data regulatory policies. Dr. XUE has authored many articles and reviews related to legal compliance and served as an editor of The China Competition Bulletin hosted by Australia and New Zealand Government College. Dr. XUE participated in preparing the first Chinese translation of the General Data Protection Regulation (GDPR), which was officially published in 2018.

CHEN Yang

chenyang@genlaw.com

CHEN Yang focuses on cybersecurity and data protection, personal information protection and compliance supervision consulting, and has participated in many difficult and complex cases. Yang holds the Chinese lawyer qualification and is a Certified Information Privacy Professional (Europe) and Certified Information Privacy Manager of the International Association of Privacy Professionals (IAPP), with rich experience in the field of data protection.