National Data Security Law Provisions

Chapter 1 General Provisions

Article 1 This Law is enacted to regulate data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests.

Article 2 This Law shall apply to data processing activities and security supervision within the territory of the People’s Republic of China.

Anyone who carries out data processing activities outside the territory of the People's Republic of China and harms the national security of the People's Republic of China, public interests, or the legitimate rights and interests of citizens and organizations will be investigated for legal responsibility in accordance with the law.

Article 3 The term “data” as mentioned in this Law refers to any record of information in electronic or other ways.

Data processing includes data collection, storage, use, processing, transmission, provision, disclosure, etc.

Data security refers to taking necessary measures to ensure that data is effectively protected and used legally, as well as having the ability to ensure continued security.

Article 4: To maintain data security, the overall national security concept should be adhered to, the data security governance system should be established and improved, and data security assurance capabilities should be improved.

Article 5 The central national security leadership agency is responsible for the decision-making and coordination of national data security work; researches, formulates, and guides the implementation of national data security strategies and relevant major principles and policies; coordinates major national data security matters and important work; and establishes a national data security work coordination mechanism.

Article 6: All regions and departments are responsible for the data collected and generated in the work of their respective regions and departments, and for the security of that data.

The competent departments of industry, telecommunications, transportation, finance, natural resources, health, education, science and technology are responsible for data security supervision in their own industries and fields.

Public security agencies, national security agencies, etc. shall assume data security supervision responsibilities within the scope of their respective responsibilities in accordance with the provisions of this Law and relevant laws and administrative regulations.

The national cybersecurity and informatization department is responsible for coordinating network data security and related supervision work in accordance with the provisions of this Law and relevant laws and administrative regulations.

Article 7: The state protects the data-related rights and interests of individuals and organizations, encourages the reasonable and effective use of data in accordance with the law, ensures the orderly and free flow of data in accordance with the law, and promotes the development of a digital economy with data as a key element.

Article 8 When carrying out data processing activities, one must abide by laws and regulations, respect social morality and ethics, abide by business ethics and professional ethics, be honest and trustworthy, fulfill data security protection obligations, and assume social responsibilities. One must not endanger national security or public interests, and must not harm the legitimate rights and interests of individuals and organizations.

Article 9: The state supports the promotion and popularization of data security knowledge, improves the awareness and level of data security protection in the whole society, and promotes the equal participation of relevant departments, industry organizations, scientific research institutions, enterprises, and individuals in data security protection work, creating a good environment for the whole society to jointly maintain data security and promote development.

Article 10: Relevant industry organizations shall, in accordance with their charters, formulate data security codes of conduct and group standards in accordance with the law, strengthen industry self-discipline, guide members to strengthen data security protection, improve data security protection levels, and promote the healthy development of the industry.

Article 11: The state actively carries out international exchanges and cooperation in the fields of data security governance, data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of data across borders.

Article 12: Any individual or organization has the right to complain or report violations of this Law to the relevant competent authorities. Departments that receive complaints or reports should handle them promptly and in accordance with the law.

Relevant competent departments should keep confidential the relevant information of complaints and whistleblowers, and protect the legitimate rights and interests of complainants and whistleblowers.

Chapter 2 Data Security and Development

Article 13: The state coordinates development and security, insists on promoting data security through data development and utilization and industrial development, and guarantees data development and utilization through data security and industrial development.

Article 14: The state implements the big data strategy, promotes the construction of data infrastructure, and encourages and supports the innovative application of data in various industries and fields.

People's governments at or above the provincial level should incorporate digital economic development into their national economic and social development plans and formulate digital economic development plans as needed.

Article 15: The state supports the development and utilization of data to improve the intelligence level of public services. When providing intelligent public services, the needs of the elderly and disabled people should be fully considered to avoid obstacles to the daily lives of the elderly and disabled people.

Article 16 The state supports data development and utilization and data security technology research, encourages technology promotion and business innovation in the fields of data development and utilization and data security, and cultivates and develops data development and utilization and data security products and industry systems.

Article 17: The state promotes the construction of data development and utilization technology and data security standard systems. The standardization administrative department of the State Council and relevant departments of the State Council shall, in accordance with their respective responsibilities, organize the formulation and timely revision of standards related to data development and utilization technologies, products and data security. The state supports enterprises, social groups and educational and scientific research institutions to participate in the formulation of standards.

Article 18: The state promotes the development of data security testing, evaluation, certification and other services, and supports data security testing, evaluation, certification and other professional institutions to carry out service activities in accordance with the law.

The state supports relevant departments, industry organizations, enterprises, educational and scientific research institutions, and relevant professional institutions to cooperate in data security risk assessment, prevention, and disposal.

Article 19: The state shall establish and improve a data transaction management system, standardize data transaction behavior, and cultivate a data transaction market.

Article 20: The state supports education, scientific research institutions and enterprises to carry out education and training related to data development and utilization technology and data security, adopts various methods to cultivate data development and utilization technology and data security professionals, and promotes talent exchange.

Chapter 3 Data Security System

Article 21: The state establishes a data classification and hierarchical protection system. Data shall be protected by classification and grade according to its importance in economic and social development, and according to the extent of harm to national security, public interests, or the legitimate rights and interests of individuals and organizations that would be caused once it is tampered with, damaged, leaked, illegally acquired, or illegally used. The national data security coordination mechanism coordinates relevant departments to formulate important data catalogs and strengthen the protection of important data.

Data related to national security, the lifeline of the national economy, important people's livelihood, and major public interests are national core data and are subject to a more stringent management system.

Each region and each department should determine the specific catalog of important data in their region, department and related industries and fields in accordance with the data classification and hierarchical protection system, and carry out key protection for the data listed in the catalog.

Article 22: The state establishes a centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring and early warning mechanism. The national data security work coordination mechanism coordinates relevant departments to strengthen the acquisition, analysis, research and judgment of data security risk information, and early warning work.

Article 23: The state establishes a data security emergency response mechanism. When a data security incident occurs, the relevant competent authorities shall activate emergency plans in accordance with the law, adopt corresponding emergency response measures, prevent the expansion of harm, eliminate safety hazards, and promptly release public-related warning information to the society.

Article 24: The state shall establish a data security review system to conduct national security review of data processing activities that affect or may affect national security.

The security review decision made in accordance with the law is final.

Article 25: The state shall implement export controls in accordance with the law on data belonging to controlled items related to safeguarding national security and interests and fulfilling international obligations.

Article 26 If any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in terms of investment, trade, etc. related to data and data development and utilization technology, the People's Republic of China may take reciprocal measures against that country or region based on the actual situation.

Chapter 4 Data Security Protection Obligations

Article 27: Those who carry out data processing activities must, in accordance with the provisions of laws and regulations, establish and improve a full-process data security management system, organize and carry out data security education and training, and take corresponding technical measures and other necessary measures to ensure data security. Those who use information networks such as the Internet to carry out data processing activities must fulfill the above-mentioned data security protection obligations on the basis of the network security level protection system.

Processors of important data should identify the person in charge of data security and the management organization, and implement data security protection responsibilities.

Article 28: Carrying out data processing activities and research and development of new data technologies should be conducive to promoting economic and social development, enhancing people's well-being, and complying with social morality and ethics.

Article 29 Risk monitoring should be strengthened when carrying out data processing activities. When data security defects, vulnerabilities and other risks are discovered, remedial measures should be taken immediately; when a data security incident occurs, disposal measures should be taken immediately, and, in accordance with provisions, users should be promptly notified and reports made to the relevant authorities.

Article 30: Processors of important data shall conduct regular risk assessments of their data processing activities in accordance with regulations and submit risk assessment reports to the relevant competent authorities.

The risk assessment report should include the types and quantities of important data processed, the status of data processing activities, data security risks faced and their countermeasures, etc.

Article 31: The outbound security management of important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be governed by the provisions of the Cybersecurity Law of the People's Republic of China; the measures for the outbound security management of important data collected and generated by other data processors in their operations within the territory of the People's Republic of China shall be formulated by the national cybersecurity and informatization department in conjunction with relevant departments of the State Council.

Article 32: Any organization or individual must collect data in a legal and proper manner, and shall not steal or obtain data through other illegal means.

If laws and administrative regulations stipulate the purpose and scope of collecting and using data, data should be collected and used within the purpose and scope specified by laws and administrative regulations.

Article 33: When providing services, institutions engaged in data transaction intermediary services shall require the data provider to explain the source of the data, verify the identity of both parties to the transaction, and retain audit and transaction records.

Article 34: If laws and administrative regulations stipulate that the provision of data processing-related services requires an administrative license, the service provider shall obtain the license in accordance with the law.

Article 35 When public security organs and national security organs collect data in accordance with the law to maintain national security or investigate crimes, they must go through strict approval procedures in accordance with relevant national regulations. Relevant organizations and individuals should cooperate.

Article 36 The competent authorities of the People's Republic of China shall handle requests for data from foreign judicial or law enforcement agencies in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities of the People's Republic of China, organizations and individuals within the country may not provide data stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies.

Chapter 5 Government Data Security and Openness

Article 37: The state vigorously promotes the construction of e-government, improves the scientificity, accuracy and timeliness of government data, and improves the ability to use data to serve economic and social development.

Article 38: When state agencies need to collect and use data to perform their statutory duties, they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures stipulated in laws and administrative regulations. Personal privacy, personal information, business secrets, confidential business information and other data learned in the course of performing their duties shall be kept confidential in accordance with the law and shall not be disclosed or illegally provided to others.

Article 39: State agencies shall, in accordance with the provisions of laws and administrative regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data.

Article 40: When state agencies entrust others to build and maintain e-government systems and store and process government data, they must go through strict approval procedures and supervise the entrusted party to perform corresponding data security protection obligations. The entrusted party shall perform data security protection obligations in accordance with laws, regulations and contractual agreements, and shall not retain, use, leak or provide government data to others without authorization.

Article 41: State agencies shall abide by the principles of impartiality, fairness, and convenience for the people, and promptly and accurately disclose government data in accordance with regulations, except for data that is not allowed to be disclosed according to law.

Article 42: The state formulates an open government data catalog, builds a unified, standardized, interconnected, secure and controllable government data open platform, and promotes the open utilization of government data.

Article 43: When organizations authorized by laws and regulations with the function of managing public affairs carry out data processing activities to perform legal duties, the provisions of this chapter shall apply.

Chapter 6 Legal Responsibilities

Article 44 If the relevant competent authorities discover that there are major security risks in data processing activities while performing their data security supervision responsibilities, they may interview relevant organizations and individuals according to their authority and procedures, and require relevant organizations and individuals to take measures to make rectifications and eliminate hidden dangers.

Article 45 If organizations or individuals that carry out data processing activities fail to fulfill the data security protection obligations stipulated in Articles 27, 29, and 30 of this Law, the relevant competent department shall order correction and give a warning, and may also impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; the directly responsible person in charge and other directly responsible personnel may be fined not less than 10,000 yuan but not more than 100,000 yuan. If they refuse to make corrections or cause serious consequences such as a large amount of data leakage, a fine of not less than RMB 500,000 but not more than RMB 2 million will be imposed, and they may be ordered to suspend the relevant business, suspend business for rectification, or have the relevant business licenses or business licenses revoked; the directly responsible person in charge and other directly responsible personnel shall be fined not less than 50,000 yuan but not more than 200,000 yuan.

Anyone who violates the national core data management system and endangers national sovereignty, security and development interests will be fined not less than RMB 2 million but not more than RMB 10 million by the relevant competent authorities and, according to the circumstances, ordered to suspend relevant business, suspend business for rectification, or have relevant business licenses or business licenses revoked; if a crime is constituted, criminal liability shall be pursued in accordance with the law.

Article 46 Anyone who violates the provisions of Article 31 of this Law by providing important data overseas shall be ordered to make corrections by the relevant competent authorities and given a warning, and may also be fined not less than RMB 100,000 but not more than RMB 1 million; the directly responsible person in charge and other directly responsible personnel may be fined not less than 10,000 yuan but not more than 100,000 yuan. If the circumstances are serious, a fine of not less than 1 million yuan but not more than 10 million yuan may be imposed, they may be ordered to suspend the relevant business, suspend business for rectification, or have relevant business licenses or business licenses revoked, and a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the directly responsible person in charge and other directly responsible personnel.

Article 47: If an institution engaged in data transaction intermediary services fails to perform its obligations stipulated in Article 33 of this Law, the relevant competent department shall order it to make corrections, confiscate the illegal gains, and impose a fine of more than double but not more than ten times the illegal gains. If there is no illegal income or the illegal income is less than 100,000 yuan, a fine of not less than 100,000 yuan but not more than 1 million yuan will be imposed. The institution may also be ordered to suspend the relevant business, suspend business for rectification, or have the relevant business license or business license revoked. The directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Article 48 Anyone who violates the provisions of Article 35 of this Law and refuses to cooperate with data collection shall be ordered to make corrections by the relevant competent authorities, given a warning, and fined not less than RMB 50,000 but not more than RMB 500,000; the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Anyone who violates the provisions of Article 36 of this Law and provides data to foreign judicial or law enforcement agencies without the approval of the competent authority shall be given a warning by the relevant competent authority and may also be fined not less than RMB 100,000 but not more than RMB 1 million; the directly responsible person in charge and other directly responsible personnel may be fined not less than 10,000 yuan but not more than 100,000 yuan. If serious consequences are caused, a fine of not less than 1 million yuan but not more than 5 million yuan may be imposed, they may be ordered to suspend the relevant business, suspend business for rectification, or have relevant business licenses or business licenses revoked, and a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the directly responsible person in charge and other directly responsible personnel.

Article 49: If a state agency fails to fulfill its data security protection obligations stipulated in this Law, the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the law.

Article 50: If state personnel who perform data security supervision duties neglect their duties, abuse their power, or practice favoritism for personal gain, they shall be punished in accordance with the law.

Article 51: Anyone who steals or obtains data through other illegal means, conducts data processing activities to exclude or restrict competition, or harms the legitimate rights and interests of individuals or organizations shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 52: Anyone who violates the provisions of this Law and causes damage to others shall bear civil liability in accordance with the law.

Any violation of the provisions of this Law that constitutes a violation of public security management shall be subject to public security management penalties in accordance with the law; if it constitutes a crime, criminal liability shall be pursued in accordance with the law.

Chapter 7 Supplementary Provisions

Article 53: For data processing activities involving state secrets, the provisions of the "Law of the People's Republic of China on the Protection of State Secrets" and other laws and administrative regulations shall apply.

Data processing activities in statistical and archival work, and data processing activities involving personal information, must also comply with the provisions of relevant laws and administrative regulations.

Article 54: Measures for the security protection of military data shall be separately formulated by the Central Military Commission in accordance with this Law.

Article 55 This Law will come into effect on September 1, 2021.