On June 10, 2021, the 29th meeting of the Standing Committee of the 13th National People's Congress passed the third review of the "Data Security Law", which will be officially implemented on September 1, 2021. The full text of the "Data Security Law" consists of seven chapters and fifty-five articles, which stipulate data security protection obligations and corresponding legal responsibilities from the perspectives of data security and development, data security systems, data security protection obligations, and government data security and openness.
As the highest-level special law in the field of data security, the "Data Security Law", together with the "Cyber Security Law" that came into effect on June 1, 2017, supplements the legal system for security governance under the framework of the "National Security Law", and provides a more comprehensive legal basis for ensuring national security in all industries and fields.
As far as regulatory agencies are concerned, national security agencies, public security agencies, cybersecurity and informatization agencies, and industry, telecommunications, transportation, and financial authorities have the right to supervise and manage data security within their respective powers. Therefore, the "Data Security Law" continues the "one axis, two wings and multiple levels" regulatory system in place since the "Cyber Security Law" came into effect. The "one axis" refers to the national security agency, and the "two wings" refer to the public security agency and the cybersecurity and informatization sector. The "multiple levels" are reflected, in horizontal industry scope, mainly in the joint participation of the industry, telecommunications, transportation, and financial industry authorities, and, in administrative structure, mainly in the various regions and departments conducting security management of the data collected and generated during their work.
Data Security Law of the People's Republic of China
(Adopted at the 29th meeting of the Standing Committee of the 13th National People's Congress on June 10, 2021)
Table of Contents
Chapter I General Provisions
Chapter II Data Security and Development
Chapter III Data Security System
Chapter IV Data Security Protection Obligations
Chapter V Security and Openness of Government Data
Chapter VI Legal Liability
Chapter VII Supplementary Provisions
Chapter I General Provisions
Article 1 This law is formulated in order to regulate data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests.
Article 2 This law applies to data processing activities and their security supervision within the territory of the People's Republic of China.
Anyone who conducts data processing activities outside the People's Republic of China that harms the national security, public interests, or the legitimate rights and interests of citizens or organizations of the People's Republic of China shall be investigated for legal responsibility according to law.
Article 3 The data mentioned in this law refers to any record of information electronically or in other ways.
Data processing includes the collection, storage, use, processing, transmission, provision, and disclosure of data.
Data security refers to the adoption of necessary measures to ensure that data is in a state of effective protection and legal use, as well as the ability to ensure continuous security.
Article 4 To maintain data security, it is necessary to adhere to the overall national security concept, establish a sound data security governance system, and improve data security assurance capabilities.
Article 5 The central national security leadership agency is responsible for the decision-making and coordination of national data security work, researching, formulating and guiding the implementation of the national data security strategy and related major policies, coordinating major issues and important tasks for national data security, and establishing a national data security work coordination mechanism.
Article 6 All regions and departments shall be responsible for the data and data security collected and generated in the work of their respective regions and departments.
The competent departments of industry, telecommunications, transportation, finance, natural resources, health, education, and science and technology are responsible for data security supervision in their respective industries and fields.
Public security organs, national security organs, etc., in accordance with the provisions of this Law and relevant laws and administrative regulations, shall undertake data security supervision responsibilities within their respective responsibilities.
The national cybersecurity and informatization department is responsible for overall planning and coordination of network data security and related supervision work in accordance with the provisions of this law and relevant laws and administrative regulations.
Article 7 The state protects the rights and interests of individuals and organizations related to data, encourages the rational and effective use of data in accordance with the law, guarantees the free flow of data in an orderly manner in accordance with the law, and promotes the development of a digital economy with data as a key element.
Article 8 Data processing activities shall comply with laws and regulations, respect social morality and ethics, observe business ethics and professional ethics, be honest and trustworthy, perform data security protection obligations, assume social responsibilities, and shall not endanger national security or public interests or harm the legitimate rights and interests of individuals and organizations.
Article 9 The state supports the promotion and popularization of data security knowledge, raises the awareness and level of data security protection of the whole society, and promotes relevant departments, industry organizations, scientific research institutions, enterprises, individuals, etc. to participate in data security protection work, so as to form a good environment in which the whole society jointly maintains data security and promotes development.
Article 10: Relevant industry organizations shall formulate data security codes of conduct and group standards in accordance with the articles of association, strengthen industry self-discipline, guide members to strengthen data security protection, improve data security protection levels, and promote the healthy development of the industry.
Article 11 The State actively carries out international exchanges and cooperation in the fields of data security governance, data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of data across borders.
Article 12 Any individual or organization shall have the right to complain to and report to the relevant competent authorities for violations of the provisions of this law. The department that receives the complaint or report shall deal with it in a timely manner in accordance with the law.
The relevant competent authorities shall keep confidential the relevant information of the complainant and informant, and protect the lawful rights and interests of the complainant or informant.
Chapter II Data Security and Development
Article 13: The State makes overall plans for development and security, insists on using data development and utilization and industrial development to promote data security, and uses data security to ensure data development, utilization and industrial development.
Article 14 The state implements a big data strategy, promotes the construction of data infrastructure, encourages and supports the innovative application of data in various industries and fields.
People's governments at or above the provincial level shall incorporate the development of the digital economy into the national economic and social development plan at the corresponding level, and formulate a digital economy development plan as needed.
Article 15 The state supports the development and utilization of data to improve the intelligence level of public services. In the provision of intelligent public services, the needs of the elderly and the disabled shall be fully considered to avoid obstacles to the daily lives of the elderly and the disabled.
Article 16 The State supports data development and utilization and data security technology research, encourages technical promotion and business innovation in the fields of data development and utilization and data security, and fosters and develops data development and utilization and data security products and industrial systems.
Article 17 The state promotes the development of data development and utilization technologies and the establishment of a data security standard system. The standardization administrative department of the State Council and the relevant departments of the State Council, in accordance with their respective responsibilities, organize the formulation and timely revision of relevant standards for data development and utilization technologies, products, and data security. The state supports enterprises, social organizations and educational and scientific research institutions to participate in the formulation of standards.
Article 18 The state promotes the development of services such as data security testing, evaluation, and certification, and supports professional institutions such as data security testing, assessment, and certification to carry out service activities in accordance with the law.
The state supports relevant departments, industry organizations, enterprises, education and scientific research institutions, and relevant professional institutions to collaborate in data security risk assessment, prevention, and disposal.
Article 19: The state establishes a sound data transaction management system, regulates data transaction behavior, and cultivates a data transaction market.
Article 20 The State supports education, scientific research institutions, and enterprises to carry out education and training related to data development and utilization technology and data security, and adopts various methods to train data development and utilization technology and data security professionals, and promote talent exchanges.
Chapter III Data Security System
Article 21 The state establishes a data classification and hierarchical protection system, under which data is classified and protected by level based on its importance in economic and social development and on the degree of harm that would be caused to national security, public interests, or the legitimate rights and interests of individuals or organizations once it has been tampered with, destroyed, leaked, or illegally acquired or used. The National Data Security Work Coordination Mechanism coordinates relevant departments to formulate important data catalogs and strengthen the protection of important data.
Data related to national security, the lifeline of the national economy, important people's livelihood, and major public interests belong to the country's core data, and a more stringent management system is implemented.
All regions and departments shall, in accordance with the data classification and hierarchical protection system, determine specific catalogs of important data in their respective regions, departments, and related industries and fields, and carry out key protection of the data listed in the catalog.
Article 22 The State establishes a centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring and early warning mechanism. The National Data Security Work Coordination Mechanism coordinates relevant departments to strengthen the acquisition, analysis, research and judgment, and early warning of data security risk information.
Article 23 The state establishes a data security emergency response mechanism. In the event of a data security incident, the relevant competent authority shall initiate an emergency plan in accordance with the law, adopt corresponding emergency response measures to prevent the expansion of the hazard, eliminate potential safety hazards, and promptly release to the public warning information relevant to the public.
Article 24 The State establishes a data security review system to conduct national security reviews on data processing activities that affect or may affect national security.
The safety review decision made in accordance with the law is the final decision.
Article 25: The state implements export control in accordance with the law on data belonging to controlled items related to safeguarding national security and interests and fulfilling international obligations.
Article 26: Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in terms of investment and trade related to data and data development and utilization technologies, the People's Republic of China may, based on actual conditions, take equal measures against that country or region.
Chapter IV Data Security Protection Obligations
Article 27: Data processing activities shall be carried out in accordance with the provisions of laws and regulations, establish and improve the whole-process data security management system, organize and carry out data security education and training, and adopt corresponding technical measures and other necessary measures to ensure data security. The use of the Internet and other information networks to carry out data processing activities shall perform the above-mentioned data security protection obligations on the basis of the network security level protection system.
The processor of important data shall clarify the person in charge of data security and the management agency, and implement the responsibility for data security protection.
Article 28 The development of data processing activities and the research and development of new data technologies shall be conducive to promoting economic and social development, enhancing the well-being of the people, and conforming to social morality and ethics.
Article 29: In carrying out data processing activities, risk monitoring shall be strengthened, and remedial measures shall be taken immediately when risks such as data security deficiencies, loopholes, etc. are discovered; when data security incidents occur, treatment measures shall be taken immediately, and users shall be notified in a timely manner and reports made to the relevant competent authority in accordance with regulations.
Article 30 The processor of important data shall, in accordance with regulations, carry out regular risk assessments of its data processing activities, and submit risk assessment reports to the relevant competent authorities.
The risk assessment report shall include the type and quantity of important data processed, the status of data processing activities, the data security risks faced and the countermeasures, etc.
Article 31 The exit security management of important data collected and generated by operators of critical information infrastructures in the territory of the People's Republic of China shall be governed by the provisions of the Cybersecurity Law of the People's Republic of China; the exit security management measures for important data collected and generated by other data processors in operations within the territory of the People's Republic of China shall be formulated by the State Cyberspace Administration of China in conjunction with relevant departments of the State Council.
Article 32 Any organization or individual shall adopt legal and proper methods to collect data, and shall not steal or obtain data by other illegal methods.
Where laws and administrative regulations stipulate the purpose and scope of data collection and use, the data shall be collected and used within the purpose and scope stipulated by the laws and administrative regulations.
Article 33 Institutions engaged in data transaction intermediary services shall, when providing services, require the data provider to explain the source of the data, verify the identities of both parties to the transaction, and keep records of the review and transaction.
Article 34: Where laws and administrative regulations provide that the provision of data processing-related services shall obtain an administrative license, the service provider shall obtain the license in accordance with the law.
Article 35: Public security organs and national security organs shall, in accordance with relevant state regulations, go through strict approval procedures and proceed in accordance with the law in order to obtain data for maintaining national security or investigating crimes in accordance with the law, and relevant organizations and individuals shall cooperate.
Article 36 The competent authority of the People’s Republic of China shall process requests for data provision by foreign judicial or law enforcement agencies in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authority of the People's Republic of China, domestic organizations and individuals shall not provide data stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies.
Chapter V Security and Openness of Government Data
Article 37 The state vigorously promotes the construction of e-government, improves the scientificity, accuracy, and timeliness of government data, and enhances the ability to use data to serve economic and social development.
Article 38 The collection and use of data by state agencies to perform their statutory duties shall be carried out in accordance with the conditions and procedures prescribed by laws and administrative regulations within the scope of their statutory duties; data such as information, business secrets, and confidential business information shall be kept confidential in accordance with the law, and shall not be leaked or illegally provided to others.
Article 39: State agencies shall establish and improve data security management systems in accordance with the provisions of laws and administrative regulations, implement data security protection responsibilities, and ensure the security of government data.
Article 40: State agencies entrust others to construct and maintain e-government systems, store and process government affairs data, shall go through strict approval procedures, and shall supervise the entrusted party to perform corresponding data security protection obligations. The entrusted party shall perform its data security protection obligations in accordance with the provisions of laws and regulations and contractual agreements, and shall not retain, use, disclose or provide government affairs data to others without authorization.
Article 41: State agencies shall follow the principles of justice, fairness, and convenience for the people, and disclose government affairs data in a timely and accurate manner in accordance with regulations, except for data that is not to be disclosed in accordance with the law.
Article 42 The State formulates an open catalog of government affairs data, builds a unified, standardized, interconnected, secure and controllable government affairs data open platform, and promotes the open utilization of government affairs data.
Article 43: The provisions of this chapter shall apply to organizations authorized by laws and regulations with the function of managing public affairs to carry out data processing activities in order to perform statutory duties.
Chapter VI Legal Liability
Article 44: In performing data security supervision responsibilities, if relevant competent authorities find that data processing activities have significant security risks, they may conduct interviews with relevant organizations and individuals in accordance with the prescribed authority and procedures, and require the relevant organizations and individuals to take measures to rectify and eliminate hidden dangers.
Article 45: Organizations and individuals carrying out data processing activities that fail to perform their data security protection obligations under Article 27, Article 29, and Article 30 of this Law shall be ordered by the relevant competent authority to make corrections and given a warning. A fine of not less than 50,000 yuan but not more than 500,000 yuan may be imposed, and the directly responsible person in charge and other directly responsible personnel may be fined not less than 10,000 yuan but not more than 100,000 yuan; those who refuse to make corrections or cause a large amount of data leakage and other serious consequences shall be fined not less than 500,000 yuan but not more than 2 million yuan, and the suspension of related businesses, suspension of business for rectification, or revocation of related business licenses or the business license may be ordered, and the directly responsible persons in charge and other directly responsible persons shall be fined more than 50,000 yuan but less than 100,000 yuan.
Anyone who violates the national core data management system and endangers national sovereignty, security and development interests shall be fined between RMB 2 million and RMB 10 million by the relevant competent authority and, according to the circumstances, shall be ordered to suspend relevant business or suspend business for rectification, or have relevant business licenses or the business license revoked; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.
Article 46 Anyone who violates the provisions of Article 31 of this Law and provides important data overseas shall be ordered by the relevant competent authority to make corrections, given a warning, and may concurrently be fined 100,000 yuan up to 1 million yuan, and the directly responsible person in charge and other directly responsible persons may be fined 10,000 yuan to 100,000 yuan; if the circumstances are serious, a fine of 1 million yuan or more but less than 10 million yuan may be imposed, and the relevant business may be suspended or closed for rectification, or related business licenses or the business license revoked, and the person directly in charge and other persons directly responsible shall be fined 100,000 yuan up to 1 million yuan.
Article 47: Institutions engaged in data transaction intermediary services that fail to perform the obligations stipulated in Article 33 of this law shall be ordered by the relevant competent authority to make corrections, the illegal gains shall be confiscated, and a fine of one to ten times the illegal gains shall be imposed. If the income or illegal income is less than 100,000 yuan, a fine of 100,000 yuan up to 1 million yuan shall be imposed, and the relevant business may be suspended or closed for rectification, or the related business license or the business license revoked; the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.
Article 48 Anyone who violates Article 35 of this Law and refuses to cooperate with data retrieval shall be ordered by the relevant competent authority to make corrections, given a warning, and imposed a fine of not less than 50,000 yuan but not more than 500,000 yuan, and the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.
Anyone who violates Article 36 of this Law by providing data to foreign judicial or law enforcement agencies without the approval of the competent authority shall be given a warning by the relevant competent authority, and may be fined 100,000 yuan up to 1 million yuan, and the directly responsible persons in charge and other directly responsible persons may be fined 10,000 yuan to 100,000 yuan; if serious consequences are caused, a fine of 1 million yuan to 5 million yuan may be imposed, and the suspension of related businesses, suspension of business for rectification, or revocation of related business permits or the business license may be ordered, and the directly responsible person in charge and other directly responsible persons shall be fined 50,000 yuan up to 500,000 yuan.
Article 49: If a state agency fails to perform its data security protection obligations under this law, the directly responsible person in charge and other directly responsible persons shall be punished in accordance with the law.
Article 50: State personnel performing data security supervision duties who neglect their duties, abuse their powers, or engage in malpractice for personal gain shall be punished in accordance with the law.
Article 51 Whoever steals or obtains data in other illegal ways, carries out data processing activities to eliminate or restrict competition, or harms the lawful rights and interests of individuals or organizations, shall be punished in accordance with relevant laws and administrative regulations.
Article 52 Anyone who violates the provisions of this law and causes damage to others shall bear civil liability in accordance with the law.
Anyone who violates the provisions of this law in a manner that constitutes a violation of public security management shall be given public security management penalties in accordance with the law; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.
Chapter VII Supplementary Provisions
Article 53: To carry out data processing activities involving state secrets, the provisions of laws and administrative regulations such as the Law of the People's Republic of China on Keeping State Secrets shall apply.
To carry out data processing activities in statistics and archival work, and to carry out data processing activities involving personal information, the relevant laws and administrative regulations shall also be complied with.
Article 54: Measures for the security protection of military data shall be separately formulated by the Central Military Commission in accordance with this Law.
Article 55 This law shall come into force on September 1, 2021.