Data Security Law of the People’s Republic of China (Draft)

Release Date: 07-03-2020

Source: http://www.npc.gov.cn (PDF)

Original Title: 数据安全法 (草案)

According to the China National People’s Congress website, the 20th meeting of the 13th National People’s Congress Standing Committee reviewed the “Data Security Law (Draft)” (hereinafter referred to as the draft) and released the contents of the draft. The full text of the “Draft” consists of seven chapters and 51 articles.

Table of Contents

Chapter 1 General Provisions

Chapter II Data Security and Development

Chapter III Data Security System

Chapter IV Data Security Protection Obligations

Chapter V Security and Openness of Government Data

Chapter VI Legal Responsibilities

Chapter VII Supplementary Provisions

Chapter 1 General Provisions

Article 1 This law is formulated to ensure data security, promote data development and utilization, protect the legitimate rights and interests of citizens and organizations, and safeguard national sovereignty, security, and development interests.

Article 2 This law applies to data activities within the territory of the People’s Republic of China.

Organizations and individuals outside the People’s Republic of China that carry out data activities that harm the national security, public interests of the People’s Republic of China or the legitimate rights and interests of citizens or organizations shall be investigated for legal responsibility in accordance with the law.

Article 3 “Data” as used in this Law refers to any record of information in electronic or non-electronic form.

Data activities refer to the collection, storage, processing, use, provision, transaction, and disclosure of data.

Data security refers to the ability to ensure that data is effectively protected and legally used by taking necessary measures, and that it remains in a safe state continuously.

Article 4 To maintain data security, it is necessary to adhere to the overall national security concept, establish a sound data security governance system, and improve data security assurance capabilities.

Article 5 The state protects the rights and interests of citizens and organizations related to data, encourages the rational and effective use of data in accordance with the law, guarantees the orderly and free flow of data in accordance with the law, promotes the development of a digital economy with data as a key element, and enhances the well-being of the people.

Article 6 The central national security leadership agency is responsible for the decision-making and overall coordination of data security work, researching, formulating, and guiding the implementation of the national data security strategy and related major policies.

Article 7 All regions and departments are responsible for the data and data security generated, aggregated, and processed in the work of the region and the department.

Industry, telecommunications, natural resources, health, education, national defense technology industry, financial industry and other industry authorities are responsible for data security supervision in this industry and this field.

Public security organs, national security organs, etc., in accordance with the provisions of this Law and relevant laws and administrative regulations, shall undertake data security supervision responsibilities within their respective responsibilities.

The national cybersecurity and informatization department shall, in accordance with the provisions of this law and relevant laws and administrative regulations, be responsible for overall planning and coordination of network data security and related supervision work.

Article 8 To carry out data activities, one must abide by laws and administrative regulations, respect social ethics and ethics, observe business ethics, be honest and trustworthy, perform data security protection obligations, assume social responsibilities, and must not endanger national security and public interests, and must not harm citizens and organizations’ legal rights.

Article 9 The State establishes and completes a data security collaborative governance system, promotes relevant departments, industry organizations, enterprises, and individuals to participate in data security protection work together, and forms a good environment for the whole society to jointly maintain data security and promote development.

Article 10 The state actively carries out international exchanges and cooperation in the field of data, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of data across borders.

Article 11 Any organization or individual has the right to complain to and report to the relevant competent authorities for violations of the provisions of this law. The department that receives the complaint or report shall deal with it in a timely manner in accordance with the law.

Chapter 2 Data Security and Development

Article 12 The state insists on maintaining data security and promoting data development and utilization equally, promoting data security through data development and utilization and industrial development, and ensuring data development and utilization and industrial development through data security.

Article 13 The State implements a big data strategy, promotes the construction of data infrastructure, encourages and supports the innovative application of data in various industries and fields, and promotes the development of the digital economy.

People’s governments at or above the provincial level shall formulate a digital economy development plan and incorporate it into the national economic and social development plan at the corresponding level.

Article 14 The state strengthens basic research on data development and utilization technologies, supports technical promotion and business innovation in the fields of data development and utilization and data security, and fosters and develops data development and utilization and data security products and industrial systems.

Article 15 The state promotes the establishment of data development and utilization technologies and data security standard systems. The standardization administrative department of the State Council and the relevant departments of the State Council, in accordance with their respective responsibilities, organize the formulation and timely revision of relevant standards for data development and utilization technologies, products, and data security. The state supports enterprises, research institutions, institutions of higher learning, and related industry organizations to participate in the formulation of standards.

Article 16 The State promotes the development of services such as data security testing, evaluation, and certification, and supports professional institutions such as data security testing, assessment, and certification to carry out service activities in accordance with the law.

Article 17 The state establishes and completes a data transaction management system, regulates data transaction behavior, and cultivates a data transaction market.

Article 18 The State supports institutions of higher learning, secondary vocational schools, and enterprises to carry out education and training related to data development and utilization technology and data security, and adopts various methods to train data development and utilization technology and data security professionals, and promote talent exchanges.

Chapter III Data Security System

Article 19 The state shall, based on the importance of data in economic and social development, and the degree of harm to national security, public interests, or the legitimate rights and interests of citizens and organizations once it has been tampered with, destroyed, leaked, or illegally obtained or used illegally. Data is protected by classification and classification.

All regions and departments shall, in accordance with relevant national regulations, determine the important data protection catalogs of their respective regions, departments, and industries, and carry out key protection of the data listed in the catalogs.

Article 20 The State establishes a centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring and early warning mechanism, and strengthens the acquisition, analysis, research and judgment, and early warning of data security risk information.

Article 21 The state establishes a data security emergency response mechanism. In the event of a data security incident, the relevant competent authority shall initiate an emergency plan in accordance with the law, take corresponding emergency response measures, eliminate potential safety hazards, prevent the expansion of the hazard, and promptly release warning information related to the public to the public.

Article 22 The State establishes a data security review system to conduct national security reviews of data activities that affect or may affect national security.

The safety review decision made in accordance with the law is the final decision.

Article 23 The state implements export control in accordance with the law on data belonging to controlled items related to the fulfillment of international obligations and the maintenance of national security.

Article 24 Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China in terms of investment and trade related to data and data development and utilization technologies, the People’s Republic of The country or region takes corresponding measures.

Chapter IV Data Security Protection Obligations

Article 25 Data activities shall be carried out in accordance with the provisions of laws, administrative regulations and mandatory requirements of national standards, establish and improve a whole-process data security management system, organize and carry out data security education and training, and adopt corresponding technical measures and other necessary measures. Ensure data security.

The processor of important data shall establish a data security officer and management agency to implement data security protection responsibilities.

Article 26 The development of data activities and the research and development of new data technologies shall be conducive to promoting economic and social development, enhancing the well-being of the people, and conforming to social ethics and ethics.

Article 27 In carrying out data activities, risk monitoring shall be strengthened, and remedial measures shall be taken immediately when risks such as data security deficiencies and loopholes are discovered; when data security incidents occur, users shall be notified in a timely manner and reported to relevant competent authorities in accordance with regulations.

Article 28 The processor of important data shall, in accordance with regulations, conduct regular risk assessments on its data activities and submit risk assessment reports to the relevant competent authorities.

The risk assessment report shall include the types and quantities of important data held by the organization, the collection, storage, processing, and use of the data, the data security risks faced and the countermeasures, etc.

Article 29 Any organization or individual must adopt legal and proper methods to collect data, and must not steal or obtain data in other illegal ways.

Where laws and administrative regulations stipulate the purpose and scope of data collection and use, the data shall be collected and used within the purpose and scope prescribed by the laws and administrative regulations, and shall not exceed the necessary limits.

Article 30 Institutions engaged in data transaction intermediary services shall, when providing transaction intermediary services, require the data provider to explain the source of the data, verify the identities of both parties to the transaction, and keep records of the review and transaction.

Article 31 Operators who specialize in providing online data processing and other services shall obtain business license or record in accordance with the law. The specific measures shall be formulated by the competent department of telecommunications under the State Council in conjunction with relevant departments.

Article 32 Public security organs and national security organs shall, in accordance with relevant national regulations, go through strict approval procedures and proceed in accordance with the law in order to obtain data for the maintenance of national security or criminal investigations in accordance with the law, and relevant organizations and individuals shall cooperate.

Article 33 Where overseas law enforcement agencies request to retrieve data stored in the territory of the People’s Republic of China, relevant organizations and individuals shall report to the relevant competent authority and provide them only after obtaining approval. If the international treaties and agreements concluded or acceded to by the People’s Republic of China have provisions for foreign law enforcement agencies to obtain domestic data, follow those provisions.

Chapter V Security and Openness of Government Data

Article 34 The State vigorously promotes the construction of e-government affairs, improves the scientificity, accuracy, and timeliness of government affairs data, and enhances the ability to use data to serve economic and social development.

Article 35 The collection and use of data by state agencies to perform their statutory duties shall be conducted in accordance with the conditions and procedures prescribed by laws and administrative regulations within the scope of their statutory duties.

Article 36 State agencies shall, in accordance with the provisions of laws and administrative regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data.

Article 37 State agencies entrust others to store and process government affairs data, or provide government affairs data to others, shall go through strict approval procedures, and shall supervise the receiving party to perform corresponding data security protection obligations.

Article 38 State agencies shall follow the principles of justice, fairness, and convenience for the people, and disclose government affairs data in a timely and accurate manner in accordance with regulations. Except for those that are not disclosed in accordance with the law.

Article 39 The state formulates an open catalog of government affairs data, builds a unified, standardized, interconnected, secure and controllable government affairs data open platform, and promotes the open utilization of government affairs data.

Article 40 For organizations with public affairs management functions to carry out data activities in order to perform public affairs management functions, the provisions of this chapter shall apply.

Chapter VI Legal Responsibilities

Article 41 When the relevant competent authority discovers that there are significant security risks in data activities during the performance of its data security supervision duties, it may conduct interviews with relevant organizations and individuals in accordance with the prescribed authority and procedures. Relevant organizations and individuals shall take measures in accordance with the requirements to carry out rectifications and eliminate hidden dangers.

Article 42 Organizations and individuals carrying out data activities fail to perform the data security protection obligations specified in Article 25, Article 27, Article 28, and Article 29 of this Law or fail to take necessary security measures If measures are taken, the relevant competent department shall order corrections and give warnings, and may concurrently impose a fine of 10,000 yuan to 100,000 yuan, and the directly responsible person in charge may impose a fine of 5,000 yuan to 50,000 yuan; refusal to correct or cause a large amount of For serious consequences such as data leakage, a fine of 100,000 yuan up to one million yuan shall be imposed, and the directly responsible person in charge and other directly responsible persons shall be fined 10,000 yuan up to 100,000 yuan.

Article 43 If a data transaction intermediary institution fails to perform its obligations as stipulated in Article 30 of this law and causes data transactions from illegal sources, the relevant competent authority shall order corrections, confiscate the illegal gains, and impose a fine of one to ten times the illegal gains. If there is no illegal income, a fine of more than 100,000 yuan and less than one million yuan shall be imposed, and relevant business licenses or business licenses may be revoked by the relevant competent department; the directly responsible persons in charge and other directly responsible persons shall be imposed a fine of more than 10,000 yuan and more than 100,000 yuan. Fines below 10,000 yuan.

Article 44 Anyone who engages in the business specified in Article 31 of this law without obtaining a license or filing, shall be ordered by the relevant competent department to make corrections or banned, the illegal gains shall be confiscated, and a fine of one to ten times the illegal gains shall be imposed; In case of illegal gains, a fine of 100,000 yuan up to 1 million yuan shall be imposed; the directly responsible person in charge and other directly responsible persons shall be fined 10,000 yuan up to 100,000 yuan.

Article 45 If a state agency fails to fulfill its data security protection obligations under this law, the directly responsible person in charge and other directly responsible persons shall be punished in accordance with the law.

Article 46 National staff who perform data security supervision responsibility for negligence of duty, abuse of power, or malpractice for personal gains, and do not constitute a crime, shall be punished in accordance with the law.

Article 47 Anyone who endangers national security or public interests through data activities, or harms the legitimate rights and interests of citizens or organizations, shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 48 Anyone who violates the provisions of this law and causes damage to others shall bear civil liability in accordance with the law. Anyone who violates the provisions of this law and constitutes a violation of public security management punishment shall be given public security management punishment according to law; if a crime is constituted, criminal responsibility shall be investigated according to law.

Chapter VII Supplementary Provisions

Article 49 For data activities involving state secrets, the provisions of laws and administrative regulations such as the Law of the People’s Republic of China on Keeping State Secrets shall apply.

Data activities involving personal information shall comply with relevant laws and administrative regulations.

Article 50 Measures for the security protection of military data shall be separately formulated by the Central Military Commission.

Article 51 This law shall come into force on year, month and day.

Get started with AppInChina today.

Sign up for a free account on our dashboard or send us a message with your questions. We'll put together a custom plan tailored to your needs.

Feedback

logo

What do you think about this piece?

Great!
Not what I needed