On June 10, 2021, the 29th Meeting of the Standing Committee of the 13th National People’s Congress passed the third draft of the Data Security Law, which will be formally implemented on September 1, 2021. The full text of the Data Security Law comprises seven chapters and 55 articles, covering data security and development, the data security system, data security protection obligations, the security and opening of government data, and the corresponding legal liability.

The Data Security Law, as a special law of the highest rank in the field of data security, complements the legal system of security governance under the framework of the National Security Law together with the Cyber Security Law implemented on June 1, 2017, and more comprehensively guarantees the legal basis for national security in all industries and fields.

As far as regulatory authorities are concerned, national security organs, public security organs, Internet and information departments, as well as the competent authorities for industry, telecommunications, transportation, finance and other sectors have the right to supervise and manage data security within their respective functions and powers. The Data Security Law therefore continues the “one axis, two wings and multi-level” supervision system in place since the Cyber Security Law came into effect. “One axis” refers to the state security organs; the “two wings” refers to the public security organs and the Internet and information departments; “multi-level” is reflected horizontally in the participation of the competent departments for industry, telecommunications, transportation, finance and other sectors, and, in terms of administrative structure, in the work of all regions and departments on data collection and security management.

Data Security Law of the People’s Republic of China

(Adopted at the 29th Meeting of the Standing Committee of the 13th National People’s Congress on June 10, 2021)

Table of Contents

Chapter I General Provisions

Chapter II Data Security and Development

Chapter III Data Security System

Chapter IV Obligations of Data Security Protection

Chapter V Security and Opening of Government Data

Chapter VI Legal Liability

Chapter VII Supplementary Provisions

Chapter I General Provisions

Article 1 This Law is formulated with a view to regulating data processing activities, ensuring data security, promoting data development and utilization, protecting the legitimate rights and interests of individuals and organizations, and safeguarding the sovereignty, security and development interests of the State.

Article 2 This Law is applicable to data processing activities and their security supervision within the territory of the People’s Republic of China.

Anyone who conducts data processing activities outside the territory of the People’s Republic of China and impairs the national security and public interests of the People’s Republic of China or the legitimate rights and interests of a citizen or an organization shall be investigated for legal responsibility according to law.

Article 3 “Data” as used in this Law means any record of information in electronic or other form.

Data processing includes the collection, storage, use, processing, transmission, provision and disclosure of data, etc.

Data security refers to taking necessary measures to ensure that data is in a state of effective protection and legal use, and having the ability to guarantee a continuous state of security.

Article 4 In maintaining data security, the overall concept of national security shall be adhered to, the data security governance system shall be established and improved, and the ability to guarantee data security shall be improved.

Article 5 The leading organ of the central government for national security shall be responsible for decision-making, deliberation and coordination of the work of national data security, study, formulate and guide the implementation of national data security strategies and relevant major principles and policies, plan and coordinate major matters and work of national data security, and establish a coordination mechanism for the work of national data security.

Article 6 All regions and departments shall be responsible for the data collected and generated in the work of their respective regions and departments and for the security of that data.

Competent departments of industry, telecommunications, transportation, finance, natural resources, health, education, science and technology shall assume the responsibilities of data security supervision in their respective industries and fields.

Public security organs and state security organs shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, assume the responsibilities of data security supervision and control within the scope of their respective functions and duties.

The Cyberspace Administration of the People’s Republic of China shall, in accordance with the provisions of this Law, relevant laws and administrative regulations, be responsible for overall planning and coordination of network data security and relevant supervision.

Article 7 The State protects the rights and interests of individuals and organizations related to data, encourages the lawful, reasonable and effective use of data, safeguards the lawful, orderly and free flow of data, and promotes the development of the digital economy with data as the key element.

Article 8 Data processing activities shall be carried out in compliance with laws and regulations, respect social morality and ethics, observe business ethics and professional ethics, be honest and trustworthy, perform data security protection obligations and assume social responsibilities, and shall not endanger national security and public interests, or damage the legitimate rights and interests of individuals and organizations.

Article 9 The State supports the publicity and popularization of data security knowledge, raises the awareness and level of data security protection of the whole society, and urges relevant departments, industrial organizations, scientific research institutions, enterprises and individuals to jointly participate in data security protection work, so as to form a good environment for the whole society to jointly safeguard data security and promote development.

Article 10 Relevant industrial organizations shall, in accordance with the articles of association, formulate data security codes of conduct and group standards according to law, strengthen industry self-discipline, guide members to strengthen data security protection, improve data security protection level, and promote the healthy development of the industry.

Article 11 The State actively carries out international exchanges and cooperation in the fields of data security governance, data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of data across borders.

Article 12 Any individual or organization shall have the right to make a complaint or report to the competent department concerned about any act in violation of the provisions of this Law. The departments that have received complaints and reports shall handle them in time according to law.

The competent authorities concerned shall keep confidential the information of the complainant or informant, and protect the legitimate rights and interests of the complainant or informant.

Chapter II Data Security and Development

Article 13 The State makes overall plans for development and security, and adheres to promoting data security through data development and utilization and industrial development, and guaranteeing data development and utilization and industrial development through data security.

Article 14 The State implements the big data strategy, promotes the construction of data infrastructure, and encourages and supports the innovative application of data in all industries and fields.

People’s governments at or above the provincial level shall incorporate the development of digital economy into their national economic and social development plans and formulate plans for the development of digital economy according to their needs.

Article 15 The State supports the development and utilization of data to enhance the intelligence level of public services. In providing intelligent public services, full consideration should be given to the needs of the elderly and the disabled, and obstacles to their daily lives should be avoided.

Article 16 The State supports research on data development and utilization and data security technology, encourages technical popularization and commercial innovation in the fields of data development and utilization and data security, and fosters and develops products and industrial systems for data development and utilization and data security.

Article 17 The State promotes the construction of a standards system for data development and utilization technology and data security. The standardization administration department under the State Council and other relevant departments under the State Council shall, on the basis of their respective functions and duties, organize the formulation and timely revision of standards related to data development and utilization technology, products and data security. The State supports the participation of enterprises, social organizations, educational and scientific research institutions in the formulation of standards.

Article 18 The State promotes the development of such services as data security testing, assessment and certification, and supports professional institutions for data security testing, assessment and certification in carrying out service activities according to law.

The State supports the cooperation of relevant departments, industry organizations, enterprises, educational and scientific research institutions and relevant professional institutions in data security risk assessment, prevention and disposal.

Article 19 The State establishes and improves a data trading management system, standardizes data trading activities, and fosters a data trading market.

Article 20 The State shall support educational institutions, scientific research institutions and enterprises in carrying out education and training related to data development and utilization technology and data security, cultivate professionals in data development and utilization technology and data security in various ways, and promote personnel exchanges.

Chapter III Data Security System

Article 21 The State shall establish a classified and graded data protection system, and shall protect data by category and grade according to the importance of the data in economic and social development and the degree of harm to national security, public interests, or the legitimate rights and interests of individuals and organizations that would result if the data were tampered with, destroyed, leaked, or illegally obtained or used. The national data security coordination mechanism coordinates with relevant departments to formulate important data catalogs and strengthen the protection of important data.

Data related to national security, the lifeblood of the national economy, important people’s livelihood, and major public interests are core national data, and a stricter management system will be implemented.

All localities and departments shall, in accordance with the data classification and grading protection system, determine the specific catalogues of important data in their localities, departments and related industries and fields, and give priority protection to the data listed in the catalogues.

Article 22 The State establishes centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring and early warning mechanisms. The national data security coordination mechanism coordinates the relevant departments to strengthen the acquisition, analysis and early warning of data security risk information.

Article 23 The State establishes a data security emergency disposal mechanism. In case of a data security incident, the competent department concerned shall initiate the emergency response plan according to law, take corresponding emergency disposal measures, prevent the expansion of hazards, eliminate hidden security dangers, and release to the public, in a timely manner, the warning information relevant to it.

Article 24 The State establishes a data security review system to conduct national security reviews of data processing activities that affect or may affect national security.

The security review decision made in accordance with the law shall be final.

Article 25 The State shall, according to law, exercise export control over the data of controlled items related to safeguarding national security and interests and fulfilling international obligations.

Article 26 Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China in respect of investment or trade related to data and data development and utilization technologies, the People’s Republic of China may, in light of actual conditions, take reciprocal measures against the country or region.

Chapter IV Obligations of Data Security Protection

Article 27 Those carrying out data processing activities shall, in accordance with the provisions of laws and regulations, establish and improve a data security management system for the whole process, organize and carry out data security education and training, and take corresponding technical measures and other necessary measures to guarantee data security. Where data processing activities are carried out through the Internet and other information networks, the above-mentioned data security protection obligations shall be fulfilled on the basis of the hierarchical network security protection system.

Processors of important data shall designate the person in charge of data security and the management organization, and implement the responsibility of data security protection.

Article 28 Data processing activities and research and development of new data technologies shall be conducive to promoting economic and social development, improving the well-being of the people and conforming to social morality and ethics.

Article 29 In carrying out data processing activities, risk monitoring shall be strengthened, and remedial measures shall be taken immediately when data security defects, vulnerabilities and other risks are found; in the event of a data security incident, immediate measures shall be taken to deal with it, and the user shall be informed in time and a report made to the relevant competent authorities in accordance with relevant provisions.

Article 30 Important data processors shall, in accordance with relevant provisions, carry out regular risk assessments of their data processing activities and submit risk assessment reports to the relevant competent authorities.

The risk assessment report shall include the type and quantity of important data to be processed, the situation of carrying out data processing activities, the data security risks faced and the corresponding measures, etc.

Article 31 The provisions of the Cybersecurity Law of the People’s Republic of China shall apply to the outbound security management of important data collected and generated by the operators of critical information infrastructure during their operations within the territory of the People’s Republic of China; measures for the outbound security management of important data collected and generated by other data processors in their operations within the territory of the People’s Republic of China shall be formulated by the Cyberspace Administration of China in conjunction with the relevant departments of the State Council.

Article 32 Any organization or individual shall collect data by legal and legitimate means, and may not steal or obtain data by any other illegal means.

Where laws or administrative rules and regulations have provisions on the purposes and scope of data collection and use, the data shall be collected and used within the purposes and scope prescribed by laws or administrative rules and regulations.

Article 33 When providing services, an agency engaging in intermediary services for data trading shall require the data provider to explain the source of data, verify the identities of both parties to the transaction, and keep records of examination and verification and transaction.

Article 34 Where the provision of data processing related services is required to obtain an administrative license according to laws and administrative regulations, the service provider shall obtain the license according to law.

Article 35 When a public security organ or a State security organ seeks to retrieve data for the purpose of safeguarding State security or investigating crimes according to law, it shall, in accordance with the relevant provisions of the State, go through strict approval procedures and proceed in accordance with the law. The organizations and individuals concerned shall provide cooperation.

Article 36 The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests for the provision of data by foreign judicial or law enforcement agencies. No organization or individual within the territory of the People’s Republic of China may provide data stored in the territory of the People’s Republic of China to a foreign judicial or law enforcement agency without the approval of the competent authorities of the People’s Republic of China.

Chapter V Security and Opening of Government Data

Article 37 The State vigorously promotes the construction of e-government affairs, improves the scientificity, accuracy and timeliness of government affairs data, and enhances the ability of using data to serve economic and social development.

Article 38 State organs shall collect and use data for the purpose of performing their statutory functions and duties in accordance with the conditions and procedures prescribed by laws and administrative rules and regulations within the scope of their statutory functions and duties. The personal privacy, personal information, trade secrets, confidential business information and other data obtained during the performance of duties shall be kept confidential according to law, and shall not be disclosed or illegally provided to others.

Article 39 State organs shall, in accordance with the provisions of laws and administrative regulations, establish and improve the data security management system, implement the responsibility of data security protection, and guarantee the security of government affairs data.

Article 40 Where a state organ entrusts others to build and maintain an e-government system or to store and process government data, it shall go through strict approval procedures, and shall supervise the entrusted party in fulfilling the corresponding obligations of data security protection. The entrusted party shall perform the data security protection obligations in accordance with the provisions of laws and regulations and the contract, and shall not retain, use, disclose or provide government data to others without authorization.

Article 41 State organs shall, in accordance with the principles of justice, fairness and convenience to the people, timely and accurately disclose government data in accordance with relevant regulations, except for data that is not to be disclosed according to law.

Article 42 The State formulates a catalogue of government affairs data opening, builds a unified, standardized, interconnected, secure and controllable government affairs data opening platform, and promotes the open utilization of government affairs data.

Article 43 The provisions of this Chapter shall apply to organizations authorized by laws and regulations to manage public affairs to carry out data processing activities in the performance of their statutory duties.

Chapter VI Legal Liability

Article 44 In the course of performing the functions and duties of data security supervision, the competent departments concerned may, upon finding that there are large security risks in data processing activities, conduct interviews with the organizations or individuals concerned within the prescribed limits of authority and procedures, and require the organizations or individuals concerned to take measures to rectify and eliminate hidden dangers.

Article 45 Any organization or individual engaging in data processing activities that fails to fulfill the data security protection obligations prescribed in Articles 27, 29 and 30 of this Law shall be ordered to make corrections, given a warning and may also be imposed a fine of not less than 50,000 yuan but not more than 500,000 yuan by the competent authorities concerned. The person in charge directly responsible and other persons directly responsible may be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan; where the organization or individual refuses to make corrections or causes serious consequences such as the disclosure of large amounts of data, it shall be subject to a fine of between five hundred thousand yuan and two million yuan, and may be ordered to suspend the relevant business or suspend business for rectification, or have the relevant business license or the business license revoked, and the person in charge directly responsible and other persons directly responsible shall be imposed a fine of between fifty thousand yuan and two hundred thousand yuan.

In case of violation of the national core data management system and endangering the sovereignty, security and development interests of the State, the relevant competent authorities shall impose a fine of not less than 2 million yuan but not more than 10 million yuan, and order the suspension of relevant business, suspension of business for rectification, revocation of relevant business license or revocation of business license according to the circumstances; if the case constitutes a crime, the offender shall be investigated for criminal responsibility according to law.

Article 46 Whoever, in violation of the provisions of Article 31 of this Law, provides important data abroad shall be ordered to make corrections, given a warning and may also be imposed a fine of not less than 100,000 yuan but not more than 1,000 yuan by the competent authorities concerned, and the person in charge directly responsible and other persons directly responsible may be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan; if the circumstances are serious, a fine of not less than one million yuan but not more than 10 million yuan shall be imposed, and an order may be issued to suspend the relevant business or suspend business for rectification, the relevant business license may be revoked or the business license may be revoked, and the person in charge directly responsible and other persons directly responsible shall be imposed a fine of not less than one million yuan but not more than one million yuan.

Article 47 Where an institution providing intermediary services for data transactions fails to fulfill its obligations as stipulated in Article 33 of this Law, the competent department shall order it to make corrections, confiscate its illegal income and impose a fine of between twice and 10 times the illegal income; where there is no illegal income or the illegal income is less than one hundred thousand yuan, a fine of between one hundred thousand yuan and one million yuan shall be imposed; and the competent department may order the suspension of the relevant business or suspension of business for rectification, or revoke the relevant business license or the business license. The person in charge directly responsible and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan.

Article 48 Whoever, in violation of the provisions of Article 35 of this Law, refuses to cooperate with data retrieval shall be ordered to make corrections, given a warning and imposed a fine of not less than 50,000 yuan but not more than 500,000 yuan, and the person in charge directly responsible and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan.

Whoever, in violation of the provisions of Article 36 of this Law, provides data to a foreign judicial or law enforcement agency without the approval of the competent authorities shall be given a warning by the competent department and may concurrently be fined between one hundred thousand yuan and one million yuan, and the person in charge directly responsible and other persons directly responsible may be fined between ten thousand yuan and one hundred thousand yuan; if serious consequences have been caused, a fine of not less than one million yuan but not more than five million yuan may be imposed, and the relevant business license or the business license may be revoked, and the person in charge directly responsible and other persons directly responsible may be imposed a fine of not less than 50,000 yuan but not more than 500,000 yuan.

Article 49 If a State organ fails to fulfill its data security protection obligations as provided for in this Law, the person in charge directly responsible and other personnel directly responsible shall be subject to sanctions according to law.

Article 50 State functionaries performing the functions of data security supervision and control who neglect their duties, abuse their powers, or engage in malpractices for personal gain shall be punished according to law.

Article 51 Whoever steals or obtains data by other illegal means, carries out data-processing activities to eliminate or limit competition, or impairs the lawful rights and interests of individuals or organizations shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 52 Anyone who violates the provisions of this Law and causes damage to another person shall bear civil liability in accordance with law.

Whoever violates the provisions of this Law and commits an act against the administration of public security shall be given administrative penalties for public security according to law; if the case constitutes a crime, the offender shall be investigated for criminal responsibility according to law.

Chapter VII Supplementary Provisions

Article 53 Data processing activities involving state secrets shall be governed by the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations.

In carrying out data processing activities in statistics and archival work and in carrying out data processing activities involving personal information, the provisions of relevant laws and administrative regulations shall also be observed.

Article 54 Measures for the security protection of military data shall be formulated separately by the Central Military Commission in accordance with this Law.

Article 55 This Law shall come into force as of September 1, 2021.