Order of the President of the People's Republic of China
The Data Security Law of the People's Republic of China, adopted at the 29th Meeting of the Standing Committee of the Thirteenth National People's Congress of the People's Republic of China on June 10, 2021, is hereby promulgated, and shall go into effect on September 1, 2021.
President of the People's Republic of China
June 10, 2021
Data Security Law of the People's Republic of China
(Adopted at the 29th Meeting of the Standing Committee of the Thirteenth National People's Congress on June 10, 2021)
Chapter I General Provisions
Chapter II Data Security and Development
Chapter III Data Security Systems
Chapter IV Data Security Protection Obligations
Chapter V Security and Openness of Government Data
Chapter VI Legal Liability
Chapter VII Supplementary Provisions
Article 1 This Law is enacted for the purpose of regulating data processing, ensuring data security, promoting development and utilization of data, protecting the lawful rights and interests of individuals and organizations, and safeguarding the sovereignty, security, and development interests of the state.
Article 2 This Law shall apply to data processing activities and security supervision and regulation of such activities within the territory of the People's Republic of China.
Where data processing outside the territory of People's Republic of China harms the national security, public interests, or the lawful rights and interests of individuals or organizations of the People's Republic of China, legal liability shall be investigated in accordance with the law.
Article 3 For the purpose of this Law, the term "data" refers to any record of information in electronic or any other form.
"Data processing" includes the collection, storage, use, processing, transmission, provision, and disclosure of data, among others.
"Data security" refers to ensuring that data is effectively protected and lawfully used through adopting necessary measures, and to possessing the capacity to guarantee the continuous security of data.
Article 4 In preserving data security, the holistic approach to national security shall be adopted, sound data security governance systems shall be established, and data security and protection capabilities shall be improved.
Article 5 The central leading authority for national security shall be responsible for the decision-making, deliberation and coordination of the national data security work; researching, formulating, and guiding the implementation of the national data security strategy and related major guidelines and policies; coordinating major matters and important work in respect of national data security; and establishing a coordination mechanism for national data security.
Article 6 All localities and departments shall bear responsibility for the management of the data collected or generated in their work as well as for the data security thereof.
The competent departments of industry, telecommunications, transport, finance, natural resources, health, education, technology and other relevant competent departments shall assume the responsibilities of supervising and regulating data security in their respective trades and sectors.
Public security organs and national security organs, etc. shall assume the responsibilities of supervising and regulating data security within the scopes of their respective duties in accordance with the provisions of this Law and other relevant laws and administrative regulations.
The national cyberspace affairs department shall be in charge of the overall planning and coordination of network data security and the related supervision and regulation in accordance with the provisions of this Law and other relevant laws and administrative regulations.
Article 7 The state shall protect the data-related rights and interests of individuals and organizations, encourage the lawful, reasonable, and effective use of data, ensure free flow of data in an orderly manner and in accordance with the law, and promote the development of a digital economy with data as the key factor.
Article 8 Whoever processes data shall observe laws and regulations, respect social morality and ethics, observe business and professional ethics, uphold honesty and trustworthiness, fulfill data security protection obligations, and undertake social responsibilities; and shall not endanger national security and public interests, nor harm the lawful rights and interests of individuals and organizations.
Article 9 The state supports the dissemination and popularization of knowledge of data security to raise public awareness in this regard and ability to protect data security, and promotes the joint participation by relevant departments, industry organizations, research institutions, enterprises, and individuals in data security protection, so as to create a good environment for members of the whole society to jointly protect data, ensure data security and promote development of relevant industries.
Article 10 Relevant industry associations shall, in accordance with their articles of association, formulate the code of conduct and standards to ensure data security according to the law, strengthen self-regulation in their respective industries, guide members to strengthen data security protection, improve their protection level and promote the healthy development of the industries.
Article 11 The state shall actively carry out international exchanges and cooperation in fields such as data security governance and data development and utilization, participate in the formulation of relevant international rules and standards for data security, and promote the safe and free flow of data across borders.
Article 12 Any individual or organization shall have the right to file complaints about or report violations of this Law to the competent departments. The departments receiving such complaints or reports shall deal with them in a timely manner in accordance with the law.
The competent departments shall keep confidential the relevant information of those making such complaints or reports, and protect their lawful rights and interests.
Data Security and Development
Article 13 The state shall make an overall plan to coordinate development and security, to promote data security through data development and utilization and through industrial development on one hand, and on the other hand, to ensure that data security facilitates data development and utilization as well as industrial development.
Article 14 The state shall implement the big data strategy, advance the construction of data infrastructure, and encourage and support the innovative application of data in all industries and fields.
People's governments at or above the provincial level shall incorporate the development of digital economy into their national economic and social development plans, and formulate development plans for the digital economy as needed.
Article 15 The state supports development and utilization of data to render public services smarter. In providing smarter public services, the needs of the elderly and the disabled shall be taken into full account to avoid posing obstacles to their daily lives.
Article 16 The state supports research on development and utilization of data and on data security related technologies, encourages popularization and commercial innovation of technologies in the foregoing fields, and fosters and develops products and industrial systems for development and utilization of data and for data security.
Article 17 The state shall advance the forming of the standards for data development and the standards for data utilization technologies and data security. The department in charge of standardization under the State Council and other relevant departments under the State Council shall, within the scopes of their respective duties and functions, organize the establishment of, and make revisions in due time to the standards for technologies and products for data development and data utilization and the standards for data security. The state shall support enterprises, social groups, and education or research institutions, etc. in their participation in the establishment of such standards.
Article 18 The state encourages the development of services such as data security testing, evaluation, and accreditation, and supports agencies specialized in data security testing, evaluation, accreditation, etc. to provide services according to the law.
The state supports collaboration among relevant departments, industry associations, enterprises, education and research institutions, relevant specialized agencies, etc. in the fields such as data security related risk assessment, prevention, and disposal .
Article 19 The state shall establish sound systems for data trading management, standardize data trading activities, and foster a data trading market.
Article 20 The state supports education and research institutions, enterprises, and other entities in carrying out education and training on technologies for data development and utilization and on data security, cultivates professionals in data development and utilization technologies and in data security by a variety of means, and promotes talent exchanges.
Data Security Systems
Article 21 The state shall establish a categorized and classified system and carry out data protection based on the importance of the data in economic and social development, as well as the extent of harm to national security, public interests, or the lawful rights and interests of individuals or organizations that will be caused once the data are altered, destroyed, leaked, or illegally obtained or used. The coordination mechanism for national data security shall coordinate the relevant departments to formulate a catalog of important data and strengthen protection of important data.
Data concerning national security, lifelines of the national economy, important aspects of people's lives, major public interests, ect., are core data of the state, for which a stricter management system shall be implemented.
All localities and departments shall, in accordance with the categorized and classified data protection system, prepare specific catalogs of important data for their respective regions, departments, and relevant industries and sectors, and give priority to the data listed in the catalogs in terms of data protection.
Article 22 The state shall establish a centralized, unified, highly effective, and authoritative mechanism for assessing, reporting, information sharing, monitoring, and early alert of data security risks. The coordinating mechanism for national data security shall make an overall plan on and coordinate relevant departments in strengthening the work about acquiring, analyzing, researching and evaluating information of data security risks and the work about early alert of such risks.
Article 23 The state shall establish a data security emergency response mechanism. Where a data security incident occurs, the relevant competent departments shall initiate emergency response in accordance with the plan and the law, take corresponding measures to prevent further harm and eliminate security hazards, and send out warnings to the public by publishing information relevant thereto in a timely manner.
Article 24 The state shall establish a review system for data security, conducting national security reviews of data processing that affects or may affect national security.
Security review decisions made in accordance with the law are final decisions.
Article 25 The state shall apply export control in accordance with the law on data that are controlled items and concern national security and interests and the performance of international obligations.
Article 26 Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in respect of investment, trade or any other field related to data and data development and utilization technologies, the People's Republic of China may take countermeasures against that country or region in light of the actual circumstances.