Laws and Regulations: Data Security Law of the People's Republic of China

Author: Internet information Enshi

Data Security Law of the People's Republic of China

(Adopted at the 29th Session of the Standing Committee of the 13th National People's Congress on June 10, 2021)

Table of Contents

Chapter I: General Provisions

Chapter II: Data Security and Development

Chapter III: Data Security Systems

Chapter IV: Data Security Protection Obligations

Chapter V: Security and Openness of Government Affairs Data

Chapter VI: Legal Responsibility

Chapter VII: Supplementary Provisions

Chapter I: General Provisions

Article 1: This Law is drafted so as to regulate data handling activities, ensure data security, promote the development and use of data, protect the lawful rights and interests of individuals and organizations, and preserve national sovereignty, security, and development interests.

Article 2: This Law applies to the carrying out of data handling activities within the mainland territory of the People's Republic of China and their security regulation.

Where data handling activities are carried out outside the territory of the People's Republic of China, harming the national security of the People's Republic of China, the public interest, or the lawful rights and interests of citizens or organizations, legal responsibility is to be pursued in accordance with law.

Article 3: "Data" as used in this Law refers to any electronic or other record of information.

Data processing includes data collection, storage, use, processing, transmission, provision, disclosure, etc.

Data security refers to taking necessary measures to ensure that data is in a state of effective protection and lawful use, as well as having the ability to ensure a state of continuous security.

Article 4: The preservation of data security shall adhere to the overall national security concept, establish and complete data security governance systems, and increase capacity to ensure data security.

Article 5: The central leading institution for national security is responsible for decision-making, deliberation and coordination of national data security efforts, researching, formulating, and guiding the implementation of the national data security strategy and relevant major guidelines and policies, overall planning and coordination of major national data security matters and important work, and establishing coordination mechanisms for national data security efforts.

Article 6: Each region and department is responsible for the data collected and produced in that region's or department's work, and for its security.

Competent departments such as for industry, telecommunications, transportation, finance, natural resources, health, education, and science and technology are to bear responsibility for data security oversight in that industry or field.

Public security organs, state security organs, and so forth are to undertake data security oversight duties within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

In accordance with the provisions of this Law and relevant laws and administrative regulations, the State Internet Information Department is responsible for the overall planning and coordination of network data security and related regulatory efforts.

Article 7: The state protects the rights and interests of individuals and organizations related to data, encourages the reasonable and effective use of data in accordance with law, ensures the orderly and free flow of data in accordance with law, and promotes the development of the digital economy with data as a key element.

Article 8: The carrying out of data handling activities shall comply with laws and regulations, respect social mores and ethics, abide by commercial ethics and professional ethics, be honest and trustworthy, perform data security protection obligations, bear social responsibility, and must not endanger national security or the public interest, and must not harm the lawful rights and interests of individuals or organizations.

Article 9: The state supports the development of publicity and popularization of data security knowledge, increasing the entire society's awareness and level of data security protections, promoting the joint participation of relevant departments, industry organizations, scientific research institutions, enterprises, individuals, and so forth in data security protection efforts, forming a positive environment for the entire society to jointly preserve data security and promote development.

Article 10: In accordance with their charters, relevant industry organizations are to lawfully draft data security conduct norms and group standards, strengthen industry self-discipline, guide members to strengthen data security protections, increase the level of data security protections, and promote the healthy development of the industry.

Article 11: The state is to actively carry out international exchanges and cooperation in areas such as data security governance and data development and utilization, participate in the drafting of international rules and standards related to data security, and promote the secure and free flow of data across borders.

Article 12: All individuals and organizations have the right to make complaints or reports to the relevant competent departments about violations of the provisions of this Law. Departments receiving complaints or reports shall promptly handle them in accordance with law.

The relevant competent departments shall keep confidential the relevant information of the complainant or informant, and protect the lawful rights and interests of the complainant or informant.

Chapter II: Data Security and Development

Article 13: The state is to make overall plans for development and security, persist in promoting data security through the development and use of data and industrial development, and use data security to ensure the development and use of data and industrial development.

Article 14: The state is to implement a big data strategy, advance the establishment of data infrastructure, and encourage and support the innovative use of data in all industries and fields.

People's governments at the provincial level or above shall include the development of the digital economy in their national economic and social development plans, and draft plans for the development of the digital economy as needed.

Article 15: The state supports the development and use of data to increase the level of intelligence in public services. The provision of intelligent public services shall give full consideration to the needs of the elderly and persons with disabilities, and avoid creating obstacles to the daily lives of the elderly and persons with disabilities.

Article 16: The state supports research on data development and utilization and data security technologies, encourages the promotion of technology and commercial innovation in areas such as data development and utilization and data security, and cultivates and develops data development and utilization and data security products and industrial systems.

Article 17: The state is to advance the establishment of a system of technology and data security standards for the development and use of data. On the basis of their respective duties, the State Council's administrative department for standardization and the relevant departments of the State Council are to organize the drafting and timely revision of standards related to data development and utilization technologies, products, and data security. The State supports enterprises, social organizations, and educational and scientific research institutions to participate in the formulation of standards.

Article 18: The state is to promote the development of services such as data security testing, assessment, and certification, and support professional bodies such as for data security testing, assessment, and certification in carrying out service activities in accordance with law.

The state supports relevant departments, industry organizations, enterprises, educational and scientific research institutions, relevant professional bodies, and so forth in carrying out collaboration in areas such as data security risk assessment, prevention, and disposition.

Article 19: The state is to establish and complete data transaction management systems, regulate data transaction conduct, and cultivate data trading markets.

Article 20: The state supports educational and scientific research institutions, enterprises, and so forth in carrying out education and training related to data development and utilization technology and data security, employing multiple methods to cultivate data development and utilization technology and data security professionals, and promoting talent exchanges.

Chapter III: Data Security Systems

Article 21: The state is to establish a categorical and hierarchical protection system for data, carrying out categorical and hierarchical protections for data based on the importance of data in economic and social development, as well as the degree of harm to national security, the public interest, or the lawful rights and interests of individuals and organizations once it has been tampered with, destroyed, leaked, or illegally obtained or used. The national coordination mechanism for data security efforts is to coordinate with relevant departments to draft important data catalogs, strengthening the protection of important data.

Data related to national security, the lifeline of the national economy, important people's livelihoods, and major public interests are core national data, and a stricter management system is implemented.

Each region and department shall follow the data classification and hierarchical protection system to designate a specific catalog of important data for that region, that department, and related industries and fields, and carry out key protections for data entered into the catalog.

Article 22: The state is to establish centralized, unified, efficient, and authoritative mechanisms for data security risk assessment, reporting, information sharing, monitoring, and early warning. The national coordination mechanism for data security efforts is to coordinate relevant departments to strengthen efforts on the acquisition, analysis, assessment, and early warning of data security risk information.

Article 23: The state is to establish data security emergency response mechanisms. Where data security incidents occur, the relevant regulatory departments shall initiate emergency response plans in accordance with law, employ corresponding emergency response measures, prevent the expansion of harm, eliminate potential security risks, and promptly release to the public warning information relevant to the public.

Article 24: The state is to establish a data security review system to conduct national security reviews of data handling activities that impact or might impact national security.

The security review decision made in accordance with the law is final.

Article 25: The state is to lawfully carry out export controls on data that is a controlled item related to the preservation of national security and interests and the performance of international obligations.

Article 26: Where any country or region employs discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in areas such as investment or trade related to data and data development and utilization technology, the People's Republic of China may employ reciprocal measures against that country or region on the basis of actual circumstances.

Chapter IV: Data Security Protection Obligations

Article 27: The carrying out of data handling activities shall follow the provisions of laws and regulations, establish and complete systems for data security management of the entire process, organize and carry out data security education and training, and employ corresponding technical measures and other necessary measures to ensure data security. The use of the internet and other information networks to carry out data handling activities shall perform the data security protection obligations described above on the basis of the tiered network security protection system.

Handlers of important data shall clarify the person responsible for data security and the management body, and implement responsibility for data security protection.

Article 28: Carrying out data handling activities and researching and developing new data technologies shall be conducive to promoting economic and social development, increasing the people's well-being, and conforming to social mores and ethics.

Article 29: Risk monitoring shall be strengthened in carrying out data handling activities, and when risks such as data security flaws or vulnerabilities are discovered, remedial measures shall be immediately employed;

Article 30: Processors of important data shall periodically carry out risk assessments of their data handling activities in accordance with provisions, and submit risk assessment reports to the relevant regulatory departments.

The risk assessment report shall include the type and amount of important data handled, the circumstances of data handling activities, the data security risks faced, and the measures to be taken.

Article 31: The provisions of the "Cybersecurity Law of the People's Republic of China" apply to the security management of the export of important data collected and produced by critical information infrastructure operators in the course of operations within the mainland territory of the People's Republic of China;

Article 32: The collection of data by any organization or individual shall employ lawful and proper methods, and must not steal or otherwise illegally obtain data.

Where laws and administrative regulations have provisions on the purpose and scope of data collection and use, the data shall be collected and used within the purpose and scope provided for by the laws and administrative regulations.

Article 33: Establishments engaged in intermediary services for data transactions providing services shall request that the data provider explain the source of the data, review the identities of both parties to the transaction, and retain records of the review and transaction.

Article 34: Where laws and administrative regulations provide that administrative permits shall be obtained for the provision of services related to data handling, the service providers shall obtain permits in accordance with law.

Article 35: Public security organs and state security organs collecting data as needed to preserve national security or investigate crimes in accordance with law shall follow relevant state provisions and go through strict approval formalities to do so in accordance with law, and relevant organizations and individuals shall cooperate.

Article 36: The competent organs of the People's Republic of China are to handle requests from foreign judicial or law enforcement agencies for the provision of data on the basis of relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent organs of the People's Republic of China, organizations and individuals in mainland China must not provide data stored within the territory of the People's Republic of China to foreign judicial or law enforcement agencies.

Chapter V: Security and Openness of Government Affairs Data

Article 37: The state is to vigorously advance the establishment of e-government, increasing the scientific nature, accuracy, and timeliness of government affairs data, and increasing the ability to use data to serve economic and social development.

Article 38: The collection and use of data by state organs as needed to perform their legally-prescribed duties shall be conducted within the scope of their performance of legally-prescribed duties in accordance with the requirements and procedures provided for by laws and administrative regulations;

Article 39: State organs shall establish and complete data security management systems in accordance with the provisions of laws and administrative regulations, implement responsibility for data security protections, and ensure the security of government affairs data.

Article 40: State organs entrusting others to build and maintain e-government systems, and store or process government affairs data, shall go through strict approval procedures, and shall supervise the entrusted party's performance of corresponding data security protection obligations. The entrusted party shall perform data security protection obligations in accordance with the provisions of laws and regulations and contractual agreements, and must not retain, use, leak, or provide government affairs data to others without authorization.

Article 41: State organs shall follow the principles of justice, fairness, and convenience for the people, and promptly and accurately disclose government affairs data in accordance with provisions, except where disclosure is not to be made in accordance with law.

Article 42: The state is to draft a catalog of open government affairs data, building a uniform, standardized, interconnected, secure, and controllable open platform for government affairs data, and promoting the open use of government affairs data.

Article 43: The provisions of this chapter apply to organizations authorized by laws or regulations to have public affairs management functions to carry out data handling activities in order to perform their legally-prescribed duties.

Chapter VI: Legal Responsibility

Article 44: Where, in the course of performing data security oversight duties, relevant regulatory departments discover that there are relatively large security risks in data handling activities, they may follow the scope of authority and procedures provided to hold a talk with the relevant organizations or individuals, and request that the relevant organizations or individuals employ measures to make corrections and eliminate hidden dangers.

Article 45: Where organizations and individuals carrying out data handling activities do not perform the data security protection obligations provided for in articles 27, 29, or 30, the relevant competent departments are to order corrections, give warnings, and may give a concurrent fine of between 50,000 and 500,000 RMB, and may give a fine of between 10,000 and 100,000 RMB to the directly responsible managers and other directly responsible personnel; Revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 50,000 and 200,000 RMB.

Where the national core data management system is violated, endangering national sovereignty, security, and development interests, the relevant competent departments are to give a fine of between 2,000,000,000 and 10,000,000 RMB, and order a suspension of relevant operations, suspend operations for rectification, revoke relevant business permits, or revoke business licenses based on the circumstances;

Article 46: Where the provisions of article 31 of this Law are violated by providing important data overseas, the relevant competent departments are to order corrections, give warnings, and may give a concurrent fine of between 100,000 and 1,000,000 RMB, and the directly responsible managers and other directly responsible personnel may be fined between 10,000 and 100,000 RMB; Revoke relevant business permits or business licenses, and give directly responsible managers and other directly responsible personnel a fine of between 100,000 and 1,000,000 RMB.

Article 47: Where establishments engaged in data transaction intermediary services fail to perform the obligations provided for in article 33 of this Law, the relevant competent departments are to order corrections, confiscate unlawful gains, and give a fine of between 1 and 10 times the value of unlawful gains, and where there are no unlawful gains or unlawful gains are less than 100,000 RMB, a fine of between 100,000 and 1,000,000 RMB is to be given, and may order the suspension of relevant operations, the suspension of operations for rectification, or the revocation of relevant business permits or business licenses, and give directly responsible managers and other directly responsible personnel a fine of between 10,000 and 100,000 RMB.

Article 48: Where the provisions of article 35 of this Law are violated by refusing to cooperate with the collection of data, the relevant competent departments are to order corrections, give warnings, and give a concurrent fine of between 50,000 and 500,000 RMB, and give the directly responsible managers and other directly responsible personnel a fine of between 10,000 and 100,000 RMB.

Where the provisions of Article 36 of this Law are violated by providing data to foreign judicial or law enforcement agencies without the approval of the competent organs, the relevant competent departments are to give warnings and may give a concurrent fine of between 100,000 and 1,000,000 RMB, and the directly responsible managers and other directly responsible personnel may be fined between 10,000 and 100,000 RMB; Revoke relevant business permits or business licenses, and give the directly responsible managers and other directly responsible personnel a fine of between 50,000 and 500,000 RMB.

Article 49: Where state organs do not perform data security protection obligations as provided for in this Law, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

Article 50: Where state employees performing data security oversight duties neglect their duties, abuse their authority, or twist the law for personal gain, sanctions are to be given in accordance with law.

Article 51: Where data is stolen or otherwise illegally obtained, data handling activities are carried out to eliminate or restrict competition, or the lawful rights and interests of individuals or organizations are harmed, punishment is to be given in accordance with the provisions of relevant laws and administrative regulations.

Article 52: Where the provisions of this Law are violated by causing harm to others, civil liability is to be borne in accordance with law.

Anyone who violates the provisions of this Law and constitutes a violation of the administration of public security shall be given a public security administrative punishment in accordance with law;

Chapter VII: Supplementary Provisions

Article 53: The provisions of the "Law of the People's Republic of China on Guarding State Secrets" and other laws and administrative regulations apply to carrying out data handling activities involving state secrets.

Carrying out data handling activities in statistical and archival work, and carrying out data processing activities involving personal information, shall also comply with the provisions of relevant laws and administrative regulations.

Article 54: Measures for the security protection of military data are to be separately drafted by the Central Military Commission on the basis of this Law.

Article 55: This Law takes effect on September 1, 2021.

Source: Chinese Network, Yangtze River Cloud