Data Security Law of the People's Republic of China

Author: China Gansu Net

(Adopted at the 29th Session of the Standing Committee of the 13th National People's Congress on June 10, 2021)

Contents

Chapter I: General Provisions

Chapter II: Data Security and Development

Chapter III: Data Security Systems

Chapter IV: Data Security Protection Obligations

Chapter V: Security and Openness of Government Data

Chapter VI: Legal Liability

Chapter VII: Supplementary Provisions

Chapter I: General Provisions

Article 1: This Law is formulated so as to standardize data processing activities, ensure data security, promote the development and utilization of data, protect the lawful rights and interests of individuals and organizations, and preserve national sovereignty, security, and development interests.

Article 2: This Law applies to data processing activities and their security supervision within the territory of the People's Republic of China.

Where data processing activities are carried out outside the territory of the People's Republic of China, harming the national security or public interest of the People's Republic of China, or the lawful rights and interests of citizens or organizations, legal responsibility is to be pursued in accordance with law.

Article 3: "Data" as used in this Law refers to any record of information in electronic or other form.

Data processing includes the collection, storage, use, processing, transmission, provision, disclosure, etc. of data.

Data security refers to ensuring, by taking necessary measures, that data is effectively protected and lawfully used, as well as having the ability to ensure a continuous state of security.

Article 4: To maintain data security, the overall national security concept shall be adhered to, a data security governance system shall be established and completed, and data security safeguard capabilities shall be increased.

Article 5: The central leading body for national security is responsible for decision-making and deliberative coordination of national data security efforts, researching, formulating, and guiding the implementation of national data security strategies and relevant major guidelines and policies, making overall plans and coordinating major matters and important work on national data security, and establishing coordination mechanisms for national data security efforts.

Article 6: Each region and department is responsible for the data collected and generated in the work of that region or department and for data security.

The competent departments for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other fields shall undertake the responsibility for data security supervision in their respective industries and fields.

Public security organs, state security organs, and so forth, are to follow the provisions of this Law and relevant laws and administrative regulations to undertake data security oversight duties within the scope of their respective duties.

The State internet information departments are responsible for overall planning and coordination of network data security and related regulatory efforts in accordance with the provisions of this Law and relevant laws and administrative regulations.

Article 7: The State protects the rights and interests of individuals and organizations related to data, encourages the reasonable and effective use of data in accordance with law, ensures the orderly and free flow of data in accordance with law, and promotes the development of the digital economy with data as a key element.

Article 8: Carrying out data processing activities shall comply with laws and regulations, respect social morality and ethics, abide by commercial ethics and professional ethics, be honest and trustworthy, perform data security protection obligations, bear social responsibility, and must not endanger national security or the public interest, and must not harm the lawful rights and interests of individuals or organizations.

Article 9: The State supports carrying out publicity and popularization of data security knowledge, raising the awareness and level of data security protection throughout society, promoting relevant departments, industry organizations, scientific research institutions, enterprises, individuals, and so forth, to jointly participate in data security protection efforts, forming a good environment for the entire society to jointly maintain data security and promote development.

Article 10: Relevant industry organizations are to follow their charters to lawfully formulate data security codes of conduct and group standards, strengthen industry self-discipline, guide members to strengthen data security protections, raise the level of data security protections, and promote the healthy development of the industry.

Article 11: The State actively carries out international exchanges and cooperation in areas such as data security governance and data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of data across borders.

Article 12: Any individual or organization has the right to complain or report to the relevant competent departments about conduct violating the provisions of this Law. Departments receiving complaints or reports shall promptly handle them in accordance with law.

Relevant competent departments shall preserve the confidentiality of relevant information about complainants or whistleblowers, and protect the lawful rights and interests of complainants and whistleblowers.

Chapter II: Data Security and Development

Article 13: The State makes overall plans for development and security, persisting in promoting data security through data development, utilization, and industrial development, and using data security to safeguard data development, utilization, and industrial development.

Article 14: The State implements big data strategies, advances the construction of data infrastructure, and encourages and supports the innovative application of data in all industries and fields.

People's governments at or above the provincial level shall incorporate the development of the digital economy into the national economic and social development plans at the same level, and formulate plans for the development of the digital economy as needed.

Article 15: The State supports the development and use of data to raise the level of intelligence in public services. The provision of intelligent public services shall fully consider the needs of the elderly and the disabled, and avoid causing obstacles to the daily lives of the elderly and the disabled.

Article 16: The State supports data development and utilization and research on data security technologies, encourages technological promotion and commercial innovation in areas such as data development and utilization and data security, and cultivates and develops data development and utilization and data security products and industrial systems.

Article 17: The State advances the establishment of a system of standards for data development and utilization technologies and for data security. The competent administrative department for standardization under the State Council and the relevant departments under the State Council shall, in accordance with their respective duties, organize the formulation and timely revision of standards related to data development and utilization technologies and products and to data security. The State supports the participation of enterprises, social groups, and educational and scientific research institutions in the formulation of standards.

Article 18: The State promotes the development of services such as data security testing, assessment, and certification, and supports professional bodies for data security testing, assessment, and certification in lawfully carrying out service activities.

The State supports relevant departments, industry organizations, enterprises, educational and scientific research institutions, relevant professional institutions, and so forth, in carrying out collaboration in areas such as data security risk assessment, prevention, and disposal.

Article 19: The State is to establish and complete data transaction management systems, standardize data transaction conduct, and cultivate data trading markets.

Article 20: The State supports educational and scientific research institutions and enterprises in carrying out education and training related to data development and utilization technologies and data security, employing a variety of methods to cultivate professionals in data development and utilization technology and data security, and promoting talent exchanges.

Chapter III: Data Security Systems

Article 21: The State is to establish a system for categorical and hierarchical protection of data, carrying out categorical and hierarchical protection of data based on the degree of importance of data in economic and social development, and the degree of harm caused to national security, the public interest, or the lawful rights and interests of individuals or organizations once it has been tampered with, destroyed, leaked, or illegally acquired or used. The national data security work coordination mechanism coordinates relevant departments to formulate important data catalogs and strengthen the protection of important data.

Data related to national security, the lifeline of the national economy, important aspects of people's livelihood, major public interests, and so forth is core data of the State, and a stricter management system is implemented for it.

Each region and department shall, in accordance with the data classification and grading protection system, determine specific catalogs of important data in that region, that department, and relevant industries and fields, and carry out key protection of data included in the catalog.

Article 22: The State is to establish centralized, unified, efficient, and authoritative data security risk assessment, reporting, information sharing, monitoring, and early warning mechanisms. The national data security work coordination mechanism coordinates with relevant departments to strengthen efforts to obtain, analyze, and judge data security risk information and to give early warning on it.

Article 23: The State is to establish data security emergency response mechanisms. In the event of a data security incident, the relevant competent departments shall lawfully initiate an emergency response plan, employ corresponding emergency response measures, prevent the expansion of harm, eliminate potential security hazards, and promptly release to the public warning information relevant to the public.

Article 24: The State is to establish data security review systems, conducting national security reviews of data processing activities that affect or may affect national security.

The decision on security review made in accordance with the law is final.

Article 25: The State implements export controls on data belonging to controlled items related to the preservation of national security and interests and the performance of international obligations in accordance with law.

Article 26: Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in areas such as investment or trade related to data and data development and utilization technologies, the People's Republic of China may take reciprocal measures against that country or region on the basis of actual conditions.

Chapter IV: Data Security Protection Obligations

Article 27: Carrying out data processing activities shall follow the provisions of laws and regulations to establish and complete a full-process data security management system, organize and carry out data security education and training, and employ corresponding technical measures and other necessary measures to ensure data security. The use of the Internet and other information networks to carry out data processing activities shall be based on the graded network security protection system, and the above-mentioned data security protection obligations shall be performed.

Processors of important data shall clarify the person in charge of data security and the management body, and implement data security protection responsibilities.

Article 28: Carrying out data processing activities and researching and developing new data technologies shall be conducive to promoting economic and social development, enhancing people's well-being, and conforming to social morality and ethics.

Article 29: Carrying out data processing activities shall strengthen risk monitoring, and when data security deficiencies, vulnerabilities, or other such risks are discovered, remedial measures shall be immediately employed; when data security incidents occur, disposition measures shall be immediately employed, promptly informing users in accordance with provisions and reporting to the relevant competent departments.

Article 30: Processors of important data shall follow provisions to periodically carry out risk assessments of their data processing activities, and submit risk assessment reports to the relevant competent departments.

The risk assessment report shall include the type and quantity of important data processed, the situation of data processing activities carried out, the data security risks faced and their countermeasures, etc.

Article 31: The provisions of the "Cybersecurity Law of the People's Republic of China" apply to the security management of important data collected and generated by operators of critical information infrastructure in the course of operations within the territory of the People's Republic of China; measures for the security management of important data collected and generated by other data processors in the course of operations within the territory of the People's Republic of China are to be formulated by the State Internet information departments in conjunction with the relevant departments of the State Council.

Article 32: Any organization or individual collecting data shall employ lawful and proper methods, and must not steal or obtain data in other illegal ways.

Where laws or administrative regulations have provisions on the purpose and scope of data collection or use, the data shall be collected and used within the purpose and scope provided for by the laws or administrative regulations.

Article 33: When providing services, institutions engaged in intermediary services for data transactions shall require the data provider to explain the source of the data, review the identities of both parties to the transaction, and retain records of the review and transaction.

Article 34: Where laws or administrative regulations provide that administrative licenses shall be obtained for the provision of services related to data processing, service suppliers shall obtain permits in accordance with law.

Article 35: Public security organs and state security organs collecting data as necessary to preserve national security or investigate crimes in accordance with law shall follow relevant national provisions, go through strict approval formalities, and carry out the collection in accordance with law; relevant organizations and individuals shall cooperate.

Article 36: The competent organs of the People's Republic of China handle requests for the provision of data by foreign judicial or law enforcement agencies in accordance with relevant laws and international treaties or agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent organs of the People's Republic of China, organizations or individuals within the territory of the People's Republic of China must not provide foreign judicial or law enforcement agencies with data stored within the territory of the People's Republic of China.

Chapter V: Security and Openness of Government Data

Article 37: The State vigorously advances the establishment of e-government, increasing the scientific soundness, accuracy, and timeliness of government affairs data, and increasing the ability to use data to serve economic and social development.

Article 38: State organs collecting or using data as necessary to perform their legally-prescribed duties shall follow the requirements and procedures provided for in laws and administrative regulations within the scope of their performance of their legally-prescribed duties;

Article 39: State organs shall follow the provisions of laws and administrative regulations to establish and complete data security management systems, implement data security protection responsibilities, and ensure the security of government affairs data.

Article 40: State organs entrusting others to construct and maintain e-government systems, and to store and process government affairs data, shall go through strict approval procedures, and shall supervise the trustees in performing corresponding data security protection obligations. The entrusted party shall perform its data security protection obligations in accordance with the provisions of laws and regulations and contractual provisions, and must not retain, use, disclose, or provide government affairs data to others without authorization.

Article 41: State organs shall follow the principles of justice, fairness, and convenience for the people, and promptly and accurately disclose government affairs data in accordance with provisions, except where it is not to be disclosed in accordance with law.

Article 42: The State drafts an open catalog of government affairs data, establishing a unified, standardized, interconnected, secure and controllable open platform for government affairs data, and promoting the open use of government affairs data.

Article 43: The provisions of this chapter apply to organizations authorized by laws or regulations to carry out data processing activities for the purpose of performing legally prescribed duties.

Chapter VI: Legal Liability

Article 44: Where relevant competent departments discover that there are relatively large security risks in data processing activities in the course of performing data security oversight duties, they may follow the scope of authority and procedures provided to conduct interviews with relevant organizations and individuals, and require the relevant organizations or individuals to employ measures to carry out rectification and eliminate hidden dangers.

Article 45: Where organizations or individuals carrying out data processing activities fail to perform the data security protection obligations provided for in Articles 27, 29, and 30 of this Law, the relevant competent departments are to order corrections and give warnings, and may also impose a fine of between 50,000 and 500,000 yuan, and may fine the directly responsible managers and other directly responsible personnel between 10,000 and 100,000 yuan; those who refuse to make corrections or cause serious consequences such as the leakage of a large amount of data shall be fined between 500,000 and 2 million yuan, and the departments may also order the suspension of relevant business, suspension of business for rectification, revocation of relevant business licenses, or revocation of business licenses, and impose fines of between 50,000 and 200,000 yuan on the directly responsible supervisors and other directly responsible personnel.

Where the national core data management system is violated and the national sovereignty, security, and development interests are endangered, the relevant competent departments are to impose a fine of between 2 million and 10 million yuan, and on the basis of the circumstances, order the suspension of relevant business, suspension of business for rectification, revocation of relevant business licenses, or revocation of business licenses; where a crime is constituted, criminal responsibility is to be pursued in accordance with law.

Article 46: Whoever, in violation of the provisions of Article 31 of this Law, provides important data abroad shall be ordered by the relevant competent departments to make corrections and given a warning, and may also be fined between 100,000 and 1,000,000 yuan, and the directly responsible managers and other directly responsible personnel may be fined between 10,000 and 100,000,000 yuan; if the circumstances are serious, a fine of between 1,000,000,000,000 and 10,000,000,000 yuan may be imposed; the directly responsible supervisors and other directly responsible personnel shall be fined between 100,000 and 1,000,000 yuan.

Article 47: Where institutions engaged in data transaction intermediary services fail to perform their obligations under Article 33 of this Law, the relevant competent departments are to order corrections, confiscate the illegal gains, and impose a fine of not less than one time but not more than ten times the illegal gains; where there are no illegal gains or where the illegal gains are less than 100,000 yuan, they are to impose a fine of between 100,000 and 1 million yuan, and may order the suspension of relevant business, suspension of business for rectification, revocation of relevant business licenses, or revocation of business licenses; the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 yuan and 100,000 yuan.

Article 48: Where anyone, in violation of Article 35 of this Law, refuses to cooperate with the collection of data, the relevant competent departments are to order corrections, give a warning, and impose a fine of between 50,000 and 500,000 yuan, and a fine of between 10,000 and 100,000 yuan on the directly responsible managers and other directly responsible personnel.

Whoever, in violation of the provisions of Article 36 of this Law, provides data to a foreign judicial or law enforcement agency without the approval of the competent authority shall be given a warning by the relevant competent department and may also be fined not less than 100,000 yuan but not more than 1 million yuan, and the directly responsible supervisor and other directly responsible personnel may be fined between 10,000 and 100,000,000 yuan; where serious consequences are caused, a fine of between 1 million and 5 million yuan may be imposed, and the suspension of relevant business, suspension of business for rectification, revocation of relevant business licenses, or revocation of business licenses may be ordered. The directly responsible supervisors and other directly responsible personnel shall be fined between 50,000 and 500,000 yuan.

Article 49: Where state organs do not perform the data security protection obligations provided for in this Law, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

Article 50: Where state employees performing data security supervision duties neglect their duties, abuse their powers, or engage in favoritism, they are to be given sanctions in accordance with law.

Article 51: Whoever steals or uses other illegal means to obtain data, carries out data processing activities to eliminate or restrict competition, or harms the lawful rights and interests of individuals or organizations, is to be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 52: Whoever violates the provisions of this Law and causes harm to others shall bear civil liability in accordance with law.

Where violations of the provisions of this Law constitute a violation of public security administration, public security administration punishments shall be given in accordance with law; where a crime is constituted, criminal responsibility shall be pursued in accordance with law.

Chapter VII: Supplementary Provisions

Article 53: The provisions of the "Law of the People's Republic of China on Guarding State Secrets" and other laws and administrative regulations apply to carrying out data processing activities involving state secrets.

Carrying out data processing activities in statistical and archival work, and carrying out data processing activities involving personal information, shall also comply with the provisions of relevant laws and administrative regulations.

Article 54: Measures for the security protection of military data are to be formulated separately by the Central Military Commission in accordance with this Law.

Article 55: This Law takes effect on September 1, 2021.