People's Republic of China Data Security Law
Publish Time: 2023-03-08
(Adopted at the 29th Meeting of the Standing Committee of the 13th National People's Congress on June 10, 2021)
Contents
Chapter 1 General Provisions
Chapter 2 Data Security and Development
Chapter 3 Data Security System
Chapter 4 Data Security Protection Obligations
Chapter 5 Government Data Security and Openness
Chapter 6 Legal Liabilities
Chapter 7 Supplementary Provisions
Chapter 1 General Provisions
Article 1 This Law is enacted for the purpose of regulating data processing activities, ensuring data security, promoting data development and utilization, protecting the legitimate rights and interests of individuals and organizations, and safeguarding national sovereignty, security, and development interests.
Article 2 This Law shall apply to data processing activities and their security supervision conducted within the People's Republic of China.
Data processing activities conducted outside the People's Republic of China that harm the national security, public interests, or the legitimate rights and interests of citizens and organizations of the People's Republic of China shall be investigated for legal liabilities in accordance with the law.
Article 3 For the purposes of this Law, "data" refers to any record of information in electronic or other forms.
Data processing includes the collection, storage, use, processing, transmission, provision, and public disclosure of data.
Data security refers to the state where data is effectively protected and legally utilized through necessary measures, and the ability to ensure its continued security.
Article 4 In maintaining data security, the overall national security outlook shall be upheld, a sound data security governance system shall be established and improved, and data security protection capabilities shall be enhanced.
Article 5 The Central National Security Leading Group is responsible for decision-making and coordination of national data security work, research and development, guidance and implementation of national data security strategies and relevant major policies, overall coordination of major and important matters and work related to national data security, and establishment of a national data security work coordination mechanism.
Article 6 Various regions and departments are responsible for the data collected and generated in their work and for the security of that data.
Supervisory authorities of industry, telecommunications, transportation, finance, natural resources, health, education, and science and technology undertake data security supervision responsibilities in their respective industries and fields.
Public security organs, national security organs, etc., shall assume data security supervision responsibilities within their respective duties in accordance with this Law and relevant laws and administrative regulations.
The national cyberspace administration department is responsible for the overall coordination and supervision of network data security and related work in accordance with this Law and relevant laws and administrative regulations.
Article 7 The state protects the rights and interests of individuals and organizations related to data, encourages the lawful, reasonable, and effective use of data, ensures the orderly and free flow of data in accordance with the law, and promotes the development of the digital economy with data as a key element.
Article 8 Data processing activities shall comply with laws and regulations, respect social ethics and morality, abide by business ethics and professional ethics, be honest and trustworthy, fulfill data security protection obligations, and assume social responsibilities. They shall not endanger national security or public interests, nor shall they harm the legitimate rights and interests of individuals or organizations.
Article 9 The state supports the popularization of data security knowledge, improves the awareness and level of data security protection throughout society, and promotes the joint participation of relevant departments, industry organizations, research institutions, enterprises, and individuals in data security protection work, creating a good environment for the whole society to jointly maintain data security and promote development.
Article 10 Relevant industry organizations shall, in accordance with their articles of association, formulate data security codes of conduct and group standards in accordance with the law, strengthen industry self-discipline, guide members to strengthen data security protection, improve data security protection levels, and promote the healthy development of the industry.
Article 11 The state actively carries out international exchanges and cooperation in the fields of data security governance and data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of cross-border data.
Article 12 Any individual or organization has the right to complain or report violations of the provisions of this Law to the relevant competent authorities. The departments that receive complaints or reports shall deal with them in a timely manner in accordance with the law.
Relevant competent authorities shall keep confidential the relevant information of complainants or informants and protect their legitimate rights and interests.
Chapter 2 Data Security and Development
Article 13 The state coordinates development and security, adhering to the principle of promoting data security through data development, utilization, and industrial development, and ensuring data development, utilization, and industrial development through data security.
Article 14 The state implements the big data strategy, promotes the construction of data infrastructure, and encourages and supports the innovative application of data in various industries and fields.
People's governments at or above the provincial level shall incorporate the development of the digital economy into their national economic and social development plans and formulate digital economy development plans as needed.
Article 15 The state supports the development and utilization of data to improve the intelligence level of public services. In providing intelligent public services, the needs of the elderly and people with disabilities should be fully considered to avoid obstacles to their daily lives.
Article 16 The state supports research on data development, utilization, and data security technologies, encourages technological promotion and commercial innovation in the fields of data development, utilization, and data security, and cultivates and develops data development, utilization, and data security products and industrial systems.
Article 17 The state promotes the construction of data development and utilization technologies and data security standards systems. The competent standardization administrative department of the State Council and relevant departments of the State Council shall organize the formulation and timely revision of relevant standards for data development and utilization technologies, products, and data security according to their respective responsibilities. The state supports enterprises, social groups, and educational and scientific research institutions to participate in standard setting.
Article 18 The state promotes the development of data security testing, evaluation, and certification services and supports professional institutions engaged in data security testing, evaluation, and certification to conduct services in accordance with the law.
The state supports relevant departments, industry organizations, enterprises, education and research institutions, and relevant professional institutions to cooperate in data security risk assessment, prevention, and disposal.
Article 19 The state shall establish and improve a data transaction management system, regulate data transaction behavior, and cultivate the data transaction market.
Article 20 The state shall support educational, scientific research institutions and enterprises to carry out data development and utilization technologies and data security-related education and training, cultivate data development and utilization technology and data security professionals through various methods, and promote personnel exchanges.
Chapter 3 Data Security System
Article 21 The state shall establish a data classification and grading protection system. According to the importance of data in economic and social development, and the degree of harm caused to national security, public interest, or the legitimate rights and interests of individuals and organizations once it is tampered with, destroyed, leaked, or illegally obtained or used, data shall be subject to classified and graded protection. The national data security work coordination mechanism shall coordinate relevant departments in formulating important data catalogs and strengthen the protection of important data.
Data related to national security, the lifeline of the national economy, important people's livelihood, and major public interests belong to national core data and shall be subject to stricter management systems.
Various regions and departments shall, in accordance with the data classification and grading protection system, determine the specific catalogs of important data in their respective regions, departments, and related industries and fields, and provide key protection for the data included in the catalogs.
Article 22 The state shall establish a centralized, unified, efficient, and authoritative data security risk assessment, reporting, information sharing, and monitoring and early warning mechanism. The national data security work coordination mechanism shall coordinate relevant departments to strengthen the acquisition, analysis, judgment, and early warning of data security risk information.
Article 23 The state shall establish a data security emergency response mechanism. In the event of a data security incident, the relevant competent departments shall initiate emergency plans in accordance with the law, take corresponding emergency response measures, prevent the expansion of harm, eliminate safety hazards, and promptly release warning information related to the public.
Article 24 The state shall establish a data security review system to conduct national security reviews of data processing activities that affect or may affect national security.
The security review decision made in accordance with the law shall be the final decision.
Article 25 The state shall, in accordance with the law, implement export control over data that is subject to control and is related to maintaining national security and interests and fulfilling international obligations.
Article 26 If any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in investment, trade, and other aspects related to data and data development and utilization technologies, the People's Republic of China may take equivalent measures against that country or region based on the actual situation.
Chapter 4 Data Security Protection Obligations
Article 27 Data processing activities shall be carried out in accordance with the provisions of laws and regulations, establish and improve a full-process data security management system, organize data security education and training, and adopt corresponding technical measures and other necessary measures to ensure data security. Data processing activities carried out using the Internet and other information networks shall, on the basis of the network security level protection system, fulfill the above-mentioned data security protection obligations.
The processors of important data shall clearly define the person in charge of data security and the management institution, and implement the responsibility for data security protection.
Article 28 The development of data processing activities and new data technologies should contribute to economic and social development, enhance the well-being of the people, and comply with social morality and ethics.
Article 29 Data processing activities should strengthen risk monitoring. When data security defects, vulnerabilities, and other risks are discovered, remedial measures should be taken immediately; in the event of a data security incident, disposal measures should be taken immediately, and users should be notified and the incident reported to the relevant competent departments in accordance with regulations.
Article 30 Processors of important data shall, in accordance with regulations, conduct regular risk assessments of their data processing activities and submit risk assessment reports to the relevant competent departments.
The risk assessment report shall include the types and quantities of important data processed, the status of data processing activities, data security risks faced, and corresponding measures.
Article 31 The security management of the export of important data collected and generated during operations within the People's Republic of China by operators of critical information infrastructure shall be governed by the provisions of the Cybersecurity Law of the People's Republic of China; the methods for security management of the export of important data collected and generated during operations within the People's Republic of China by other data processors shall be formulated by the national cyberspace administration department together with the relevant departments of the State Council.
Article 32 Any organization or individual collecting data shall adopt legal and legitimate methods and shall not steal or obtain data in other illegal ways.
Where laws and administrative regulations stipulate the purpose and scope of collecting and using data, data shall be collected and used within the purpose and scope stipulated by laws and administrative regulations.
Article 33 Institutions engaged in data transaction intermediary services shall, when providing services, require data providers to explain the source of the data, verify the identities of both parties to the transaction, and retain records of verification and transactions.
Article 34 Where laws and administrative regulations stipulate that administrative permission is required to provide data processing related services, service providers shall obtain permission in accordance with the law.
Article 35 Public security organs and national security organs, when retrieving data for the purpose of maintaining national security or investigating crimes in accordance with the law, shall do so in accordance with relevant national regulations, after strict approval procedures, and in accordance with the law; relevant organizations and individuals shall cooperate.
Article 36 The competent authorities of the People's Republic of China shall handle requests from foreign judicial or law enforcement agencies for the provision of data in accordance with relevant laws and international treaties or agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Organizations and individuals within the country shall not provide data stored within the People's Republic of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People's Republic of China.
Chapter 5 Government Data Security and Openness
Article 37 The state vigorously promotes the construction of e-government, improves the scientificity, accuracy, and timeliness of government data, and enhances the ability to use data to serve economic and social development.
Article 38 State organs collecting and using data for the purpose of performing statutory duties shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by laws and administrative regulations; they shall keep confidential personal privacy, personal information, trade secrets, confidential business information, and other data known in the performance of their duties, and shall not disclose or illegally provide them to others.
Article 39 State organs shall, in accordance with the provisions of laws and administrative regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data.
Article 40 State organs entrusting others with the construction and maintenance of e-government systems, and the storage and processing of government data, must undergo strict approval procedures and supervise the entrusted party's fulfillment of its corresponding data security protection obligations. The entrusted party shall fulfill its data security protection obligations in accordance with the provisions of laws, regulations, and contract agreements, and shall not arbitrarily retain, use, leak, or provide government data to others.
Article 41 State organs shall follow the principles of fairness, impartiality, and convenience for the people, and shall promptly and accurately disclose government data in accordance with regulations, except for those that are not to be disclosed by law.
Article 42 The state shall formulate a directory of open government data, build a unified, standardized, interconnected, and secure and controllable open government data platform, and promote the open use of government data.
Article 43 Organizations authorized by laws and regulations to perform public affairs management functions shall apply the provisions of this Chapter to data processing activities in the performance of their statutory duties.
Chapter 6 Legal Liabilities
Article 44 If, in performing data security supervision duties, the relevant competent authorities find that data processing activities pose significant security risks, they may, in accordance with the prescribed authority and procedures, interview the relevant organizations and individuals and require them to take measures to rectify the situation and eliminate the hidden dangers.
Article 45 Organizations and individuals that engage in data processing activities and fail to fulfill the data security protection obligations stipulated in Articles 27, 29, and 30 of this Law shall be ordered by the relevant competent authorities to rectify the situation, be given a warning, and may be fined not less than 50,000 yuan and not more than 500,000 yuan; the persons directly in charge and other directly responsible personnel may be fined not less than 10,000 yuan and not more than 100,000 yuan; if they refuse to rectify the situation or cause serious consequences such as large-scale data leakage, they shall be fined not less than 500,000 yuan and not more than 2 million yuan, and their relevant business may be suspended, they may be ordered to suspend operations for rectification, or their relevant business permits or business licenses may be revoked, and the persons directly in charge and other directly responsible personnel may be fined not less than 50,000 yuan and not more than 200,000 yuan.
Violations of the national core data management system that endanger national sovereignty, security, and development interests shall be subject to fines of not less than 2 million yuan and not more than 10 million yuan by the relevant competent authorities, and relevant businesses may be suspended, operations may be suspended for rectification, or relevant business permits or business licenses may be revoked according to the circumstances; if a crime is constituted, criminal responsibility shall be investigated according to law.
Article 46 Those who, in violation of the provisions of Article 31 of this Law, provide important data to foreign countries shall be ordered by the relevant competent authorities to rectify the situation, be given a warning, and may be fined not less than 100,000 yuan and not more than 1 million yuan; the persons directly in charge and other directly responsible personnel may be fined not less than 10,000 yuan and not more than 100,000 yuan; in serious cases, a fine of not less than 1 million yuan and not more than 10 million yuan may be imposed, and the relevant business may be suspended, operations may be suspended for rectification, relevant business permits or business licenses may be revoked, and the persons directly in charge and other directly responsible personnel may be fined not less than 100,000 yuan and not more than 1 million yuan.
Article 47 If an institution providing data transaction intermediary services fails to fulfill the obligations stipulated in Article 33 of this Law, the relevant competent authorities shall order it to rectify the situation, confiscate its illegal gains, and impose a fine of not less than one and not more than ten times the illegal gains; if there are no illegal gains or the illegal gains are less than 100,000 yuan, a fine of not less than 100,000 yuan and not more than 1 million yuan shall be imposed, and the relevant business may be suspended, operations may be suspended for rectification, or relevant business permits or business licenses may be revoked; the persons directly in charge and other directly responsible personnel shall be fined not less than 10,000 yuan and not more than 100,000 yuan.
Article 48 Those who, in violation of the provisions of Article 35 of this Law, refuse to cooperate with data retrieval shall be ordered by the relevant competent authorities to rectify the situation, be given a warning, and be fined not less than 50,000 yuan and not more than 500,000 yuan; the persons directly in charge and other directly responsible personnel shall be fined not less than 10,000 yuan and not more than 100,000 yuan.
Those who, in violation of the provisions of Article 36 of this Law, provide data to foreign judicial or law enforcement agencies without the approval of the competent authority shall be given a warning by the relevant competent authorities, and may be fined not less than 100,000 yuan and not more than 1 million yuan, and the persons directly in charge and other directly responsible personnel may be fined not less than 10,000 yuan and not more than 100,000 yuan; if serious consequences are caused, a fine of not less than 1 million yuan and not more than 5 million yuan shall be imposed, and the relevant business may be suspended, operations may be suspended for rectification, relevant business permits or business licenses may be revoked, and the persons directly in charge and other directly responsible personnel may be fined not less than 50,000 yuan and not more than 500,000 yuan.
Article 49 If state organs fail to fulfill the data security protection obligations stipulated in this Law, the persons directly in charge and other directly responsible personnel shall be given disciplinary sanctions according to law.
Article 50 State functionaries performing data security supervision duties who neglect their duties, abuse their power, or engage in malpractice for personal gain shall be given disciplinary sanctions according to law.
Article 51 Those who steal or otherwise illegally obtain data, engage in data processing activities to eliminate or restrict competition, or infringe upon the legitimate rights and interests of individuals or organizations shall be punished in accordance with the relevant laws and administrative regulations.
Article 52 If a violation of this Law causes damage to others, civil liability shall be borne in accordance with the law.
Violations of the provisions of this Law that constitute violations of public security management shall be subject to public security management penalties in accordance with the law; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.
Chapter 7 Supplementary Provisions
Article 53 Data processing activities involving state secrets shall be subject to the provisions of the "People's Republic of China Law on Keeping State Secrets" and other laws and administrative regulations.
Data processing activities in statistical and archival work, and data processing activities involving personal information, shall also comply with relevant laws and administrative regulations.
Article 54 The measures for the protection of military data security shall be formulated separately by the Central Military Commission in accordance with this Law.
Article 55 This Law shall come into effect on September 1, 2021.