records and report to the competent departments once the terrorism information is discovered; and (iv) examine customer identities before providing services. Any violation of the
Anti-Terrorism Law may result in severe penalties, including substantial fines.
In November 2016, the Standing Committee
of the National Peoples Congress promulgated the Cyber Security Law, which will become effective on June 1, 2017. In accordance with the Cyber Security Law, network operators must comply with applicable laws and regulations and fulfill
their obligations to safeguard network security in conducting business and providing services. Network service providers must take technical and other necessary measures as required by laws, regulations and mandatory requirements to safeguard the
operation of networks, respond to network security effectively, prevent illegal and criminal activities, and maintain the integrity, confidentiality and usability of network data.
In addition, the State Secrecy Bureau has issued provisions authorizing the blocking of access to any website it deems to be
leaking state secrets or failing to comply with the relevant legislation regarding the protection of state secrets during online information distribution. Specifically, internet companies in China with bulletin boards, chat rooms or similar services
must apply for specific approval prior to operating such services.
Furthermore, the Provisions on Technological Measures
for Internet Security Protection, promulgated by the Ministry of Public Security, require all ICP operators to keep records of certain information about its users (including user registration information,
log-in and log-out time, IP address, content and time of posts by users) for at least 60 days and submit the above information as required by laws and regulations.
The Network Information Protection Decision states that ICP operators must request identity information from users when ICP operators provide information publication services to the users. If ICP operators come across prohibited information, they
must immediately cease the transmission of such information, delete the information, keep relevant records, and report to relevant government authorities.
Baidu Netcom, BaiduPay and some other entities in our group are ICP operators, and are therefore subject to the regulations
relating to information security. They have taken measures to comply with these regulations. They are registered with the relevant government authority in accordance with the mandatory registration requirement. Baidu Netcoms policy is to
remove links to web pages which to its knowledge contain information that would be in violation of PRC laws or regulations. In addition, we monitor our websites to ensure our compliance with the above-mentioned laws and regulations.
Regulations on Internet Privacy
The PRC Constitution states that PRC law protects the freedom and privacy of communications of citizens and prohibits
infringement of these rights. In recent years, PRC government authorities have enacted legislation on internet use to protect personal information from any unauthorized disclosure. The Network Information Protection Decision provides that electronic
information that identifies a citizen or involves privacy of any citizen is protected by law and must not be unlawfully collected or provided to others. ICP operators collecting or using personal electronic information of citizens must specify the
purposes, manners and scopes of information collection and uses, obtain consent of the relevant citizens, and keep the collected personal information confidential. ICP operators are prohibited from disclosing, tampering with, damaging, selling or
illegally providing others with, collected personal information. ICP operators are required to take technical and other measures to prevent the collected personal information from any unauthorized disclosure, damage or loss. The Administrative
Measures on Internet Information Services prohibit an ICP operator from insulting or slandering a third party or infringing upon the lawful rights and interests of a third party. Pursuant to the Internet Electronic Messaging Service Administrative
Measures, ICP operators that provide electronic messaging services must keep users personal information confidential and must not disclose the personal information to any third party without the users consent or unless required by law.
According to the Provisions on Protection of Personal Information of Telecommunication and Internet Users, telecommunication business operators and ICP operators are responsible for the security of the personal information of users they collect or
use in the course of their