Data Security Law of the People's Republic of China
Release Date: 2021-06-10
Effective Date: 2021-09-01
Source: http://www.npc.gov.cn/npc/c2/c30834/202106/t20210610_311888.html
Original Title: 中华人民共和国数据安全法
Chapter I General Principles
Article 1 In order to regulate data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security, and developmental interests, this Law is formulated.
Article 2 This Law applies to data processing activities and their security supervision conducted within the territory of the People's Republic of China.
Data processing activities conducted outside the territory of the People's Republic of China that harm national security, public interest, or the legitimate rights and interests of citizens or organizations shall be subject to legal liability in accordance with the law.
Article 3 The term "data" as used in this Law refers to any record of information in electronic or other forms.
Data processing includes the collection, storage, use, processing, transmission, provision, and disclosure of data.
Data security refers to the necessary measures taken to ensure that data is effectively protected and legally utilized, as well as the capability to maintain a continuous state of security.
Article 4 In maintaining data security, the overall national security concept shall be adhered to, and a sound data security governance system shall be established and improved to enhance data security assurance capabilities.
Article 5 The central national security leadership institution is responsible for decision-making and coordination of national data security work, formulating, guiding, and implementing national data security strategies and major policies, coordinating significant matters and important work related to national data security, and establishing a coordination mechanism for national data security work.
Article 6 Each region and department is responsible for the data collected and generated within its own area of responsibility and for the security of that data.
The competent authorities for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other sectors shall undertake data security supervision responsibilities in their respective industries and fields.
Public security organs and national security organs shall undertake data security supervision responsibilities within their respective jurisdictions according to this Law and relevant laws and administrative regulations.
The national internet information department shall be responsible for coordinating network data security and related supervision work in accordance with this Law and relevant laws and administrative regulations.
Article 7 The state protects the rights and interests of individuals and organizations related to data, encourages the reasonable and effective utilization of data in accordance with the law, ensures the orderly and free flow of data, and promotes the development of a digital economy where data is a key factor.
Article 8 Data processing activities shall comply with laws and regulations, respect social ethics and morals, adhere to commercial ethics and professional ethics, act in good faith, fulfill data security protection obligations, assume social responsibilities, and shall not harm national security or public interest, nor infringe upon the legitimate rights and interests of individuals or organizations.
Article 9 The state supports the promotion of data security knowledge to raise awareness and levels of data security protection across society, encourages participation from relevant departments, industry organizations, research institutions, enterprises, and individuals in data security protection efforts, and fosters a favorable environment for the collective maintenance of data security and development.
Article 10 Relevant industry organizations shall, in accordance with their charters, formulate data security behavior standards and group standards in accordance with the law, strengthen industry self-discipline, guide members to enhance data security protection, and improve data security protection levels to promote healthy industry development.
Article 11 The state actively engages in international exchanges and cooperation in data security governance, data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the secure and free cross-border flow of data.
Article 12 Any individual or organization has the right to lodge complaints or report behaviors that violate the provisions of this Law to the relevant competent authorities. The departments receiving complaints or reports shall handle them in accordance with the law in a timely manner.
Relevant competent authorities shall keep the information of complainants and reporters confidential and protect their legitimate rights and interests.
Chapter II Data Security and Development
Article 13 The state coordinates development and security, promoting data security through data development and utilization and industrial development, and ensuring data development and utilization through data security.
Article 14 The state implements a big data strategy, advances the construction of data infrastructure, and encourages and supports the innovative application of data across various industries and fields.
People's governments at the provincial level and above shall incorporate the development of the digital economy into their national economic and social development plans and formulate development plans for the digital economy as needed.
Article 15 The state supports the development and utilization of data to enhance the intelligence level of public services. In providing intelligent public services, the needs of the elderly and disabled should be fully considered to avoid hindering their daily lives.
Article 16 The state supports research on data development and utilization and data security technologies, encourages the promotion of technologies in the fields of data development and utilization and data security, and cultivates and develops data development and utilization products and industrial systems.
Article 17 The state advances the construction of technical standards for data development and utilization and data security. The standardization administrative department of the State Council and relevant departments shall organize the formulation and timely revision of relevant standards for data development and utilization technologies, products, and data security according to their respective responsibilities. The state supports enterprises, social organizations, and educational and research institutions in participating in standard formulation.
Article 18 The state promotes the development of data security testing, evaluation, and certification services, and supports professional institutions for data security testing, evaluation, and certification in carrying out service activities in accordance with the law.
The state supports relevant departments, industry organizations, enterprises, educational and research institutions, and relevant professional institutions in cooperating in data security risk assessment, prevention, and disposal.
Article 19 The state establishes and improves a data trading management system, regulates data trading behaviors, and fosters a data trading market.
Article 20 The state supports educational and research institutions and enterprises in carrying out education and training related to data development and utilization technologies and data security, adopts various methods to cultivate professionals in data development and utilization technologies and data security, and promotes talent exchange.
Chapter III Data Security System
Article 21 The state establishes a classification and grading protection system for data, based on the importance of data in economic and social development, and the extent of harm caused to national security, public interest, or the legitimate rights and interests of individuals or organizations in the event of tampering, destruction, leakage, illegal acquisition, or illegal use. The national data security work coordination mechanism shall coordinate relevant departments to formulate a catalog of important data and strengthen the protection of important data.
Data related to national security, the lifeblood of the national economy, important aspects of people's livelihood, and major public interests constitutes core national data and shall be subject to a stricter management system.
Regions and departments shall determine the specific catalog of important data for their respective areas, departments, and relevant industries and fields according to the classification and grading protection system for data, and shall focus on protecting the data listed in the catalog.
Article 22 The state establishes a centralized, unified, efficient, and authoritative mechanism for data security risk assessment, reporting, information sharing, monitoring, and early warning. The national data security work coordination mechanism shall coordinate relevant departments to strengthen the acquisition, analysis, assessment, and early warning of data security risk information.
Article 23 The state establishes a data security emergency response mechanism. In the event of a data security incident, the relevant competent authorities shall activate the emergency plan in accordance with the law, take corresponding emergency response measures to prevent the expansion of harm and eliminate security risks, and promptly release warning information relevant to the public.
Article 24 The state establishes a data security review system to conduct national security reviews of data processing activities that affect or may affect national security.
The security review decisions made in accordance with the law are final decisions.
Article 25 The state implements export controls on data that is related to maintaining national security and interests and fulfilling international obligations.
Article 26 If any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in investment, trade, and other aspects related to data and data development and utilization technologies, the People's Republic of China may take reciprocal measures against that country or region based on actual circumstances.
Chapter IV Data Security Protection Obligations
Article 27 Those conducting data processing activities shall, in accordance with the provisions of laws and regulations, establish and improve a comprehensive data security management system, organize data security education and training, and take corresponding technical measures and other necessary measures to ensure data security. Where data processing activities are conducted using the Internet or other information networks, the aforementioned data security protection obligations shall be fulfilled on the basis of the network security level protection system.
Processors of important data shall designate a data security officer and management body, and implement data security protection responsibilities.
Article 28 Data processing activities and research and development of new data technologies shall promote economic and social development, enhance the well-being of the people, and comply with social ethics and morals.
Article 29 Those conducting data processing activities shall strengthen risk monitoring. When data security defects, vulnerabilities, or other risks are discovered, remedial measures shall be taken immediately; when a data security incident occurs, response measures shall be taken immediately, users shall be notified in a timely manner, and a report shall be made to the relevant competent authorities in accordance with regulations.
Article 30 Processors of important data shall regularly conduct risk assessments of their data processing activities in accordance with regulations and submit risk assessment reports to the relevant competent authorities.
Risk assessment reports shall include the types and quantities of important data processed, the circumstances of data processing activities, the data security risks faced, and corresponding countermeasures.
Article 31 The security management of the outbound important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be subject to the provisions of the Cybersecurity Law of the People's Republic of China; the outbound security management measures for important data collected and generated by other data processors during operations within the territory of the People's Republic of China shall be formulated by the national internet information department in conjunction with relevant departments of the State Council.
Article 32 Any organization or individual collecting data shall do so in a lawful and legitimate manner and shall not steal or otherwise illegally obtain data.
Where laws and administrative regulations prescribe the purposes and scope of data collection and use, data shall be collected and used within the purposes and scope prescribed by laws and administrative regulations.
Article 33 Institutions providing intermediary services for data trading shall require data providers to explain the source of the data, verify the identities of both parties to the transaction, and retain audit and transaction records.
Article 34 Where laws and administrative regulations require that the provision of data processing-related services must obtain administrative permission, service providers shall obtain such permission in accordance with the law.
Article 35 Public security organs and national security organs shall, for the purpose of maintaining national security or investigating crimes, retrieve data in accordance with national regulations and through strict approval procedures, and relevant organizations and individuals shall cooperate.
Article 36 The competent authorities of the People's Republic of China shall handle requests from foreign judicial or law enforcement agencies for data provision in accordance with relevant laws and international treaties or agreements concluded or participated in by the People's Republic of China, or based on the principle of equality and mutual benefit. Without the approval of the competent authorities of the People's Republic of China, organizations and individuals within the territory of the People's Republic of China shall not provide data stored within the territory of the People's Republic of China to foreign judicial or law enforcement agencies.
Chapter V Government Data Security and Openness
Article 37 The state vigorously promotes the construction of e-governance, improves the scientific basis, accuracy, and timeliness of government data, and enhances the ability to use data to serve economic and social development.
Article 38 When state organs collect and use data necessary for fulfilling their statutory responsibilities, they shall do so within the scope of their statutory responsibilities and in accordance with the conditions and procedures prescribed by laws and administrative regulations; data such as personal privacy, personal information, commercial secrets, and confidential business information known during the performance of their duties shall be kept confidential in accordance with the law and shall not be disclosed or illegally provided to others.
Article 39 State organs shall establish and improve data security management systems in accordance with laws and administrative regulations, implement data security protection responsibilities, and ensure the security of government data.
Article 40 When state organs entrust others to build and maintain e-governance systems and store and process government data, they shall go through strict approval procedures and supervise the entrusted party to fulfill corresponding data security protection obligations. The entrusted party shall fulfill data security protection obligations in accordance with laws, regulations, and contractual agreements, and shall not retain, use, disclose, or provide government data to others without authorization.
Article 41 State organs shall adhere to the principles of fairness, equity, and convenience, and shall publicly disclose government data in a timely and accurate manner in accordance with regulations, except as otherwise provided by law.
Article 42 The state shall formulate a catalog of open government data, establish a unified, standardized, interconnected, secure, and controllable government data open platform, and promote the open utilization of government data.
Article 43 Organizations authorized by laws and regulations to manage public affairs and engage in data processing activities in order to fulfill statutory responsibilities shall be subject to the provisions of this chapter.
Chapter VI Legal Responsibilities
Article 44 Relevant competent authorities, in the performance of their data security supervision responsibilities, may, when discovering significant security risks in data processing activities, conduct interviews with relevant organizations or individuals according to prescribed authority and procedures, and require relevant organizations or individuals to take corrective measures to eliminate hidden dangers.
Article 45 Organizations and individuals engaged in data processing activities who fail to fulfill the data security protection obligations prescribed in Articles 27, 29, and 30 of this Law shall be ordered by the relevant competent authorities to make corrections and given a warning, and may be fined between fifty thousand and five hundred thousand yuan. Directly responsible personnel and others directly responsible may be fined between ten thousand and one hundred thousand yuan; if they refuse to make corrections or cause significant data leakage or other serious consequences, they may be fined between five hundred thousand and two million yuan, and may be ordered to suspend relevant business or cease operations for rectification, or have relevant business permits or their business license revoked, and directly responsible personnel and others directly responsible may be fined between fifty thousand and two hundred thousand yuan.
Violations of the core national data management system that harm national sovereignty, security, or developmental interests shall be fined between two hundred thousand and ten million yuan by the relevant competent authorities, and, depending on the circumstances, may be ordered to suspend relevant business or cease operations for rectification, or have relevant business permits or their business license revoked; if a crime is constituted, criminal responsibility shall be pursued in accordance with the law.
Article 46 Violations of the provisions of Article 31 of this Law by providing important data to foreign entities shall be ordered by the relevant competent authorities to make corrections and given a warning, and may be fined between one hundred thousand and one million yuan. Directly responsible personnel and others directly responsible may be fined between ten thousand and one hundred thousand yuan; if the circumstances are serious, they may be fined between one hundred thousand and one million yuan, and may be ordered to suspend relevant business or cease operations for rectification, or have relevant business permits or their business license revoked, and directly responsible personnel and others directly responsible may be fined between ten thousand and one hundred thousand yuan.
Article 47 Institutions providing intermediary services for data trading that fail to fulfill the obligations prescribed in Article 33 of this Law shall be ordered by the relevant competent authorities to make corrections, have their illegal gains confiscated, and be fined between one and ten times the illegal gains. If there are no illegal gains or the illegal gains are less than one hundred thousand yuan, they shall be fined between one hundred thousand and one million yuan, and may be ordered to suspend relevant business or cease operations for rectification, or have relevant business permits or their business license revoked; directly responsible personnel and others directly responsible may be fined between ten thousand and one hundred thousand yuan.
Article 48 Violations of the provisions of Article 35 of this Law, refusing to cooperate with data retrieval, shall be ordered by the relevant competent authorities to make corrections, receive warnings, and be fined between fifty thousand and fifty thousand yuan. Directly responsible personnel and others directly responsible may be fined between ten thousand and one hundred thousand yuan.
Violations of the provisions of Article 36 of this Law by providing data to foreign judicial or law enforcement agencies without the approval of the competent authorities shall be given a warning by the relevant competent authorities, and may be fined between one hundred thousand and one million yuan. Directly responsible personnel and others directly responsible may be fined between ten thousand and one hundred thousand yuan; if serious consequences occur, they may be fined between one hundred thousand and five hundred thousand yuan, and may be ordered to suspend relevant business or cease operations for rectification, or have relevant business permits or their business license revoked, and directly responsible personnel and others directly responsible may be fined between fifty thousand and fifty thousand yuan.
Article 49 If state organs fail to fulfill the data security protection obligations prescribed in this Law, directly responsible personnel and others directly responsible shall be punished in accordance with the law.
Article 50 National staff responsible for data security supervision who neglect their duties, abuse their powers, or engage in malpractice shall be punished in accordance with the law.
Article 51 Those who steal or illegally obtain data, engage in data processing activities that exclude or restrict competition, or harm the legitimate rights and interests of individuals or organizations shall be punished in accordance with relevant laws and administrative regulations.
Article 52 Violations of this Law that cause damage to others shall bear civil liability in accordance with the law.
Violations of this Law that constitute violations of public security management shall be punished in accordance with public security management regulations; if a crime is constituted, criminal responsibility shall be pursued in accordance with the law.
Chapter VII Supplementary Provisions
Article 53 Data processing activities involving state secrets shall be subject to the provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations.
Data processing activities in statistics and archival work, as well as those involving personal information, shall also comply with relevant laws and administrative regulations.
Article 54 The methods for protecting military data security shall be separately formulated by the Central Military Commission in accordance with this Law.
Article 55 This Law shall come into effect on September 1, 2021.