Data Security Law of the People’s Republic of China
Release Date: 2021-06-10
Source: http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml
Original Title: 中华人民共和国数据安全法
Presidential Decree No. 84
The Data Security Law of the People’s Republic of China, adopted at the 29th Session of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on June 10, 2021, is hereby promulgated, effective September 1, 2021.
Xi Jinping
President of the People’s Republic of China
(Adopted at the 29th Session of the Standing Committee of the 13th National People’s Congress on June 10, 2021)
Chapter 1 General Provisions
Article 1 This Law is enacted in order to regulate data processing activities, guarantee data security, promote the development and utilization of data, protect the legitimate rights and interests of individuals and organizations, and safeguard the sovereignty, security and developmental interests of the State.
Article 2 This Law shall apply to data processing activities and security supervision of such activities within the territory of the People’s Republic of China.Where data processing activities outside the territory of the People’s Republic of China damage the national security, public interests or the legitimate rights and interests of citizens and organizations, legal liability shall be investigated according to law.
Article 3 For the purpose of this Law, the term “data” refers to any recording of information by electronic or other means.Data processing includes the collection, storage, use, processing, transmission, availability and disclosure of data, etc.
Data security refers to the adoption of necessary measures to ensure the effective protection and legal use of data, and the capability to guarantee the continuous security of data.
Article 4 To safeguard data security, it is imperative to adhere to the overall national security concept, establish and improve the data security governance system, and improve the data security protection capability.
Article 5 The Central Leadership Body of State Security is responsible for the decision-making, deliberation and coordination of the national data security work, research and formulate and guide the implementation of the national data security strategy and relevant major guidelines and policies, coordinate major matters and important work in respect of national data security, and establish a coordination mechanism for national data security work.
Article 6 All regions and departments are responsible for data collected and generated in their respective work as well as data security.Competent authorities of industry, telecommunications, transport, finance, natural resources, health, education, science and technology, etc. assume the responsibilities of data security regulation for their respective industries or fields.
Public security organs and national security organs, etc. assume the responsibilities of data security regulation within the scope of their respective functions and duties.
The cyberspace administration of the State is responsible for the overall planning and coordination of cyber data security and relevant regulatory work in accordance with the provisions of this Law and relevant laws and administrative regulations.
Article 7 The State protects the rights and interests of individuals and organizations relating to data, encourages the lawful, reasonable and effective use of data, guarantees the orderly and free flow of data in accordance with the law, and promotes the development of the digital economy with data as a key element.
Article 8 Whoever carries out data processing activities shall abide by laws and regulations, show respect for social morality and ethics, observe business ethics and professional ethics, be honest and trustworthy, perform the obligations of data security protection and undertake social responsibilities, and shall not endanger national security or public interests, or damage the legitimate rights and interests of individuals or organizations.
Article 9 The State supports the publicity and popularization of data security knowledge, improves the awareness and level of data security protection of the whole society, and promotes the relevant departments, trade organizations, scientific research institutions, enterprises and individuals to jointly participate in data security protection work, so as to create a good environment for the whole society to jointly safeguard data security and promote development.
Article 10 Relevant trade organizations shall, in accordance with their articles of association, formulate data security codes of conduct and group standards in accordance with the law, strengthen self-regulation in their respective industries, guide their members to strengthen data security protection, improve data security protection level, and promote the healthy development of the industries.
Article 11 The State actively carries out international exchange and cooperation in such fields as data security governance and data development and utilization, participates in the formulation of international rules and standards relating to data security, and promotes the safe and free flow of data across borders.
Article 12 All individuals and organizations shall have the right to complain or report to the relevant competent authorities on any acts in violation of the provisions hereof. The authorities receiving such complaints or reports shall promptly handle them in accordance with the law.The relevant competent authorities shall keep confidential the information on complainants or informants and protect the legitimate rights and interests thereof.
Chapter 2 Data Security and Development
Article 13 The State integrates development and security, promotes data security through data development and utilization and industrial development, and safeguards data development and utilization and industrial development with data security.
Article 14 The State implements the big data strategy, promotes the construction of data infrastructure, and encourages and supports the innovative application of data in various industries and fields.The people’s governments at or above the provincial level shall incorporate the development of digital economy into their plans for national economic and social development at the same level and formulate plans for the development of digital economy as needed.
Article 15 The State supports the development and utilization of data to enhance the intelligence of public services. When providing intelligent public services, the needs of the elderly and the disabled shall be taken into full consideration, so as to avoid causing obstacles to the daily life of the elderly and the disabled.
Article 16 The State supports the research of data development and utilization and data security technologies, encourages the technical promotion and commercial innovation in such fields as data development and utilization and data security, and fosters and develops the product and industrial system for data development and utilization and data security.
Article 17 The State promotes the development of data development and utilization technologies and a system of data security standards. The administrative department of standardization under the State Council and the relevant departments under the State Council shall, ex officio, organize the formulation of and make revisions in due time to the standards relating to data development and utilization technologies, products and data security. The State supports enterprises, social organizations, educational and scientific research institutions, etc. in participation in the formulation of standards.
Article 18 The State promotes the development of data security testing, evaluation, certification, and other services, and supports data security testing, evaluation, certification, and other specialized agencies to carry out service activities in accordance with the law.The State supports the relevant departments, trade organizations, enterprises, educational and scientific research institutions, the relevant specialized agencies, etc. in collaboration in such aspects as data security risk assessment, prevention, disposal, etc.
Article 19 The State establishes a sound data trading management system, regulates data trading practices and fosters a data trading market.
Article 20 The State supports educational and scientific research institutions and enterprises in carrying out education and training relating to data development and utilization technologies and data security, adopts a variety of methods to cultivate professionals in such fields as data development and utilization technologies and data security, and promotes the exchange of professionals.
Chapter 3 Data Security System
Article 21 The State establishes a data classification and hierarchical protection system to protect data by classification and level, depending on the importance of the data in economic and social development, and the damage caused to national security, public interests, or the legitimate rights and interests of individuals and organizations if the data is falsified, damaged, disclosed, illegally obtained or illegally used. The national data security coordination mechanism shall coordinate the relevant departments to formulate catalogs of important data, and strengthen the protection of important data.Data concerning national security, lifelines of the national economy, important people’s livelihood, major public interests, etc. are core data of the State, and shall be subject to a stricter management system.
All regions and departments shall, under the data classification and hierarchical protection system, determine the specific catalogue of important data for their respective regions and departments and for relevant industries and fields, and give priority to the protection of data included in the catalogue.
Article 22 The State establishes a centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring, and early warning mechanism. The national data security coordination mechanism shall coordinate the relevant departments to strengthen the acquisition, analysis, study and judgment, and early warning of data security risk information.
Article 23 The State establishes a data security emergency response mechanism. In the event of a data security incident, the relevant competent authority shall activate the emergency response plan in accordance with the law, take the corresponding emergency response measures, prevent the spread of harm, eliminate potential security risks, and timely publicize the relevant warning information to the public.
Article 24 The State establishes a data security review system, under which data processing activities that affect or may affect national security shall be reviewed for national security.A decision on security review made in accordance with the law shall be final.
Article 25 The State exercises export control over the data which falls under controlled items and is related to the safeguarding of national security and interests and the fulfillment of international obligations in accordance with the law.
Article 26 Where any country or region takes any discriminatory prohibitive or restrictive measure or other similar measure against the People’s Republic of China in respect of investment or trade related to data and data development and utilization technology, the People’s Republic of China may take reciprocal measures against such country or region in light of the actual circumstances.
Chapter 4 Obligations for Data Security Protection
Article 27 Whoever carries out data processing activities shall establish a sound data security management system throughout the whole process, organize data security education and training, and take corresponding technical measures and other necessary measures to ensure data security, in accordance with the provisions of laws and regulations. To carry out data processing activities by making use of the Internet or any other information network, the aforesaid obligations for data security protection shall be performed on the basis of the graded protection system for cyber security.Processors of important data shall specify the person (s) responsible for data security and the management body, and implement the responsibility of data security protection.
Article 28 Carrying out data processing activities and the research and development of new data technologies shall be conducive to promoting the economic and social development, enhancing the well-being of the people, and complying with social morality and ethics.
Article 29 Risk monitoring shall be strengthened when carrying out data processing activities, and remedial measures shall be taken immediately upon discovery of any data security defect or bug; and disposal measures shall be taken immediately upon occurrence of a data security incident, users shall be timely notified in accordance with the relevant provisions and reports shall be made to the relevant competent authority.
Article 30 Processors of important data shall, in accordance with the relevant provisions, carry out risk assessment on their data processing activities on a regular basis and submit a risk assessment report to the relevant competent authority.The risk assessment report shall include the types and quantities of important data processed, information on data processing activities carried out, data security risks faced and countermeasures therefor.
Article 31 The Cyber Security Law of the People’s Republic of China shall apply to the security management for the cross-border transfer of important data collected and produced during operation by key information infrastructure operators within the territory of the People’s Republic of China; and the administrative measures for the security management for the cross-border transfer of important data collected and produced during operation by other data processors within the territory of the People’s Republic of China shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council .
Article 32 Any organization or individual shall collect data by lawful and proper means and shall not acquire data by theft or other illegal means.Where laws and administrative regulations provide for the purposes and scope of data collection and use, the data shall be collected and used for the purposes and within the scope prescribed by such laws and administrative regulations.
Article 33 In the provision of services, an institution engaged in data transaction intermediary services shall require the data provider to explain the data source, examine the identities of both parties to the transaction, and keep the examination and transaction records.
Article 34 Where laws and administrative regulations provide that the provision of services relating to data processing is subject to administrative license, the service provider shall obtain such license in accordance with the law.
Article 35 Where a public security organ or State security organ needs to retrieve data for the purpose of safeguarding national security or investigating crimes in accordance with the law, it shall, in accordance with the relevant provisions of the State, go through strict approval formalities and conduct such retrieval in accordance with the law, and the relevant organizations and individuals shall provide cooperation.
Article 36 The competent authorities of the People’s Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China or on the principle of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for the provision of data. No organization or individual within the territory of the People’s Republic of China may provide foreign judicial or law enforcement authorities with the data stored within the territory of the People’s Republic of China without the approval of the competent authorities of the People’s Republic of China.
Chapter 5 Government Data Security and Openness
Article 37 The State makes great efforts to promote the development of e-government, make government data more scientific, accurate and timely, and improve the ability of using data to serve economic and social development.
Article 38 Where a State organ needs to collect or use data for the purpose of performing its statutory duties, it shall collect or use data within the scope of its statutory duties under the conditions and procedures prescribed by laws and administrative regulations; it shall keep confidential in accordance with the law personal privacy, personal information, trade secrets, confidential business information and other data known in the performance of its duties, and shall not divulge or illegally provide such data to others.
Article 39 State organs shall, in accordance with the provisions of laws and administrative regulations, establish a sound data security management system, implement data security protection responsibilities and ensure the security of government data.
Article 40 Where a State organ entrusts others with the construction and maintenance of the e-government system, or the storage and processing of government data, it shall go through strict approval procedures and it shall supervise the performance of the corresponding data security protection obligations by the entrusted party. The entrusted party shall perform its data security protection obligations in accordance with the provisions of laws and regulations and the contractual agreement, and shall not retain, use, disclose or provide others with government data without authorization.
Article 41 State organs shall, under the principles of impartiality, fairness and convenience for the people, disclose government data in a timely and accurate manner in accordance with the provisions. Data that shall not be disclosed in accordance with the law shall be excluded.
Article 42 The State formulates the catalogue of government data for disclosure, establishes a unified, standardized, interconnected, safe and controllable government data disclosure platform, and promotes the disclosure and utilization of government data.
Article 43 The provisions of this Chapter shall apply to the data processing activities carried out by the organizations with the functions of administering public affairs as authorized by laws and regulations for the purpose of performing their statutory duties.
Chapter 6 Legal Liability
Article 44 Where the relevant competent authority finds in the performance of its duties of data security regulation that there are relatively serious security risks in data processing activities, it may, in accordance with the prescribed authority and procedures, conduct an interview with the relevant organization or individual and require the relevant organization or individual to take measures to make rectifications and eliminate hidden dangers.
Article 45 Where an organization or individual carrying out data processing activities fails to perform the data security protection obligations stipulated by Articles 27, 29 and 30 hereof, it/he will be ordered by the relevant competent authority to make rectifications and given a warning, and may be concurrently fined not less than 50,000 yuan but not more than 500,000 yuan, and the person directly in charge and other directly liable persons may be fined not less than 10,000 yuan but not more than 100,000 yuan; if it/he refuses to make rectifications or causes serious consequences such as massive data leakage, it/he will be fined not less than 500,000 yuan but not more than 2 million yuan, and may be ordered to suspend the relevant business or stop the business for rectification, and the relevant business permit or business license will be revoked.The person directly in charge and other directly liable persons will be fined not less than 50,000 yuan but not more than 200,000 yuan.Where the national core data management system is violated, which endangers the sovereignty, security and development interests of the State, the relevant competent authority will impose a fine of not less than 2 million yuan but not more than 10 million yuan, and may order suspension of the relevant business, stop the business for rectification, and revoke the relevant business permit or business license as the case may be; if a crime is constituted, criminal liability will be investigated in accordance with the law.
Article 46 Whoever, in violation of Article 31 hereof, provides important data overseas, it/he will be ordered by the relevant competent authority to make rectifications and given a warning, and may be concurrently fined not less than 100,000 yuan but not more than 1 million yuan , and the person directly in charge and other directly liable persons may be fined not less than 10,000 yuan but not more than 100,000 yuan; if the circumstances are serious, it/he will be fined not less than 1 million yuan but not more than 10 million yuan, and may be ordered to suspend the relevant business, stop the business for rectification, and its/his relevant business permit or business license will be revoked. The person directly in charge and other directly liable persons will be fined not less than 100,000 yuan but not more than 1 million yuan.
Article 47 Where an institution engaged in the intermediary service of data transactions fails to fulfill the obligations prescribed in Article 33 hereof, it will be ordered by the relevant competent authority to make rectifications, its illegal gains shall be confiscated, and it will be fined not less than one time but not more than ten times the illegal gains; if there are no illegal gains or the illegal gains are less than 100,000 yuan, it will be fined not less than 100,000 yuan but not more than 1 million yuan, and may be ordered to suspend the relevant business, stop the business for rectification, and its relevant business permit or business license will be revoked; and the person directly in charge and other directly liable persons will be fined not less than 10,000 yuan but not more than 100,000 yuan .
Article 48 Whoever, in violation of Article 35 hereof, refuses to cooperate in the data collection will be ordered by the relevant competent authority to make rectifications and given a warning, and may be concurrently fined not less than 50,000 yuan but not more than 500,000 yuan , and the person directly in charge and other directly liable persons will be fined not less than 10,000 yuan but not more than 100,000 yuan.Whoever, in violation of Article 36 hereof, provides data to a foreign judicial or law enforcement agency without the approval of the competent authority will be given a warning by the relevant competent authority, and may be concurrently fined not less than 100,000 yuan but not more than 1 million yuan, and the person directly in charge and other directly liable persons may be fined not less than 10,000 yuan but not more than 100,000 yuan; if serious consequences are caused, a fine of not less than 1 million yuan but not more than 5 million yuan will be imposed, and the organization may be ordered to suspend the relevant business, suspend the operation for rectification, or its relevant business permit or business license will be revoked, and the person directly in charge and other directly liable persons will be fined not less than 50,000 yuan but not more than 500,000 yuan.
Article 49 Where a State organ fails to fulfill its data security protection obligation as stipulated herein, the person directly in charge and other directly liable persons will be punished in accordance with the law.
Article 50 Where a state functionary who performs his/her duties of data security supervision neglects his/her duties, abuses his/her power or engages in malpractice for personal gains, he/she will be punished in accordance with the law.
Article 51 Whoever steals or otherwise illegally obtains data, carries out data processing activities, eliminates or restricts competition, or damages the legitimate rights and interests of any individual or organization, will be punished in accordance with the relevant laws and administrative regulations.
Article 52 Whoever violates the provisions of this Law and causes damage to others shall bear civil liability in accordance with the law.Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment will be imposed in accordance with the law; where a crime is constituted, criminal liability will be pursued in accordance with the law.
Chapter 7 Supplementary Provisions
Article 53 The Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply to the data processing activities involving state secrets.The provisions of the relevant laws and administrative regulations shall also be observed in carrying out data processing activities in statistical and archival work and data processing activities involving personal information.
Article 54 Measures for the security protection of military data shall be separately formulated by the Central Military Commission in accordance with this Law.
Article 55 This Law shall come into force as of September 1, 2021.