TLDR; Below is the English-translated version of the China DSL (Data Security Law) in China, and it’s effective since September 1, 2021.


Chapter 1 General Provisions

Article 1 This Law is formulated in order to regulate data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests.

Article 2 This Law shall apply to the conduct of data processing activities and their security supervision within the territory of the People’s Republic of China.

Those who carry out data processing activities outside the People’s Republic of China and damage the national security of the People’s Republic of China, public interests or the legitimate rights and interests of citizens and organizations shall be investigated for legal responsibility according to law.

Article 3 The term “data” as mentioned in this Law refers to any record of information in electronic or other ways.

Data processing, including data collection, storage, use, processing, transmission, provision, disclosure, etc.

Data security refers to taking necessary measures to ensure that data is in a state of effective protection and legal use, as well as the ability to ensure continuous security.

Article 4 To maintain data security, the overall national security concept shall be adhered to, a data security governance system shall be established and improved, and data security assurance capabilities shall be improved.

Article 5 The central national security leading agency is responsible for the decision-making, deliberation and coordination of national data security work, researching, formulating, and guiding the implementation of national data security strategies and relevant major policies, making overall plans and coordinating major matters and important work on national data security, and establishing national data security Work coordination mechanism.

Article 6 All regions and departments are responsible for the data and data security collected and generated in the work of their regions and departments.

Competent departments of industry, telecommunications, transportation, finance, natural resources, health, education, science and technology are responsible for data security supervision in their respective industries and fields.

The public security organs, national security organs, etc. shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, undertake data security supervision responsibilities within the scope of their respective duties.

The national cybersecurity and informatization department shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, be responsible for coordinating and coordinating network data security and related supervision.

Article 7 The state protects the rights and interests of individuals and organizations related to data, encourages the rational and effective use of data in accordance with the law, guarantees the orderly and free flow of data in accordance with the law, and promotes the development of a digital economy with data as a key element.

Article 8 When carrying out data processing activities, one should abide by laws and regulations, respect social morality and ethics, abide by business ethics and professional ethics, be honest and trustworthy, perform data security protection obligations, assume social responsibilities, and must not endanger national security, public interests, or damage The legitimate rights and interests of individuals and organizations.

Article 9 The state supports the publicity and popularization of data security knowledge, improves the awareness and level of data security protection in the whole society, and promotes relevant departments, industry organizations, scientific research institutions, enterprises, individuals, etc. to jointly participate in data security protection work, so as to form the whole society to jointly maintain data Safe and conducive environment for development.

Article 10 Relevant industry organizations shall, in accordance with the articles of association, formulate data security code of conduct and group standards, strengthen industry self-discipline, guide members to strengthen data security protection, improve the level of data security protection, and promote the healthy development of the industry.

Article 11 The state actively conducts international exchanges and cooperation in the fields of data security governance, data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes cross-border security and free flow of data.

Article 12 Any individual or organization has the right to file a complaint or report to the relevant competent authority for acts violating the provisions of this Law. The departments that receive complaints and reports shall deal with them in a timely manner in accordance with the law.

The relevant competent departments shall keep the relevant information of the complainant and whistleblower confidential, and protect the legitimate rights and interests of the complainant and whistleblower.


Chapter 2 Data Security and Development

Article 13 The state makes overall plans for development and security, insists on promoting data security through data development and utilization and industrial development, and guarantees data development, utilization and industrial development through data security.

Article 14 The state implements the big data strategy, promotes the construction of data infrastructure, and encourages and supports the innovative application of data in various industries and fields.

The people’s governments at or above the provincial level shall incorporate the development of the digital economy into their national economic and social development plans, and formulate plans for the development of the digital economy as needed.

Article 15 The state supports the development and utilization of data to improve the intelligence level of public services. To provide intelligent public services, the needs of the elderly and the disabled should be fully considered, and obstacles to their daily lives should be avoided.

Article 16 The state supports data development and utilization and data security technology research, encourages technology promotion and commercial innovation in the fields of data development and utilization and data security, and fosters and develops data development and utilization and data security products and industrial systems.

Article 17 The state promotes the construction of data development and utilization technology and data security standard system. The standardization administrative department of the State Council and the relevant departments of the State Council shall, according to their respective duties, organize the formulation and timely revision of relevant standards for data development and utilization technologies, products and data security. The state supports enterprises, social groups, and educational and scientific research institutions to participate in the formulation of standards.

Article 18 The state promotes the development of services such as data security testing, evaluation, and certification, and supports professional institutions such as data security testing, evaluation, and certification to carry out service activities in accordance with the law.

The state supports relevant departments, industry organizations, enterprises, educational and scientific research institutions, and relevant professional institutions to collaborate in data security risk assessment, prevention, and disposal.

Article 19 The state establishes and improves data transaction management systems, regulates data transaction behavior, and fosters data transaction markets.

Article 20 The state supports education, scientific research institutions, and enterprises to carry out education and training related to data development and utilization technology and data security, and adopts various methods to cultivate data development and utilization technology and data security professionals, and promote talent exchanges.


Chapter 3 Data Security System

Article 21 The state establishes a data classification and grading protection system, according to the importance of data in economic and social development, and the impact of data on national security, public interests, or individuals or organizations once it is tampered, destroyed, leaked, or illegally obtained or used. The degree of harm caused by legitimate rights and interests shall be classified and graded for protection of data. The National Data Security Work Coordination Mechanism shall coordinate relevant departments to formulate catalogues of important data and strengthen the protection of important data.

Data related to national security, the lifeline of the national economy, important people’s livelihood, and major public interests belong to the country’s core data, and a stricter management system is implemented.

All regions and departments shall, in accordance with the data classification and grading protection system, determine the specific catalogues of important data in their own regions, departments, and related industries and fields, and focus on protecting the data included in the catalogues.

Article 22 The state establishes a centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring and early warning mechanism. The National Data Security Work Coordination Mechanism shall coordinate relevant departments to strengthen the acquisition, analysis, research and judgment, and early warning of data security risk information.

Article 23: The state establishes a data security emergency response mechanism. In the event of a data security incident, the relevant competent authorities shall activate emergency plans in accordance with the law, take corresponding emergency response measures, prevent the expansion of hazards, eliminate potential security risks, and promptly release warning information related to the public to the public.

Article 24: The state establishes a data security review system, and conducts national security review of data processing activities that affect or may affect national security.

The security review decision made in accordance with the law is final.

Article 25: The state exercises export control on data belonging to controlled items related to safeguarding national security and interests, and fulfilling international obligations.

Article 26 Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China in respect of investment, trade, etc. related to data and data development and utilization technologies, the People’s Republic of China may, according to the actual situation The country or region shall take measures accordingly.

 

Chapter 4 Data Security Protection Obligations

Article 27: Data processing activities shall be carried out in accordance with the provisions of laws and regulations, establish and improve the whole-process data security management system, organize and carry out data security education and training, and take corresponding technical measures and other necessary measures to ensure data security. Using the Internet and other information networks to carry out data processing activities shall perform the above data security protection obligations on the basis of the network security level protection system.

The processor of important data shall clarify the person in charge of data security and the management agency, and implement the responsibility for data security protection.

Article 28: Carrying out data processing activities and researching and developing new technologies for data shall be conducive to promoting economic and social development, enhancing people’s well-being, and conforming to social morality and ethics.

Article 29 When carrying out data processing activities, risk monitoring shall be strengthened, and remedial measures shall be taken immediately when risks such as data security defects and loopholes are found; Competent authority report.

Article 30 Processors of important data shall conduct regular risk assessments of their data processing activities in accordance with regulations, and submit risk assessment reports to relevant competent authorities.

The risk assessment report shall include the type and quantity of important data processed, the situation of data processing activities, the data security risks faced and countermeasures, etc.

 

Article 31 The outbound security management of important data collected and generated by operators of critical information infrastructure during their operations within the territory of the People’s Republic of China shall be governed by the provisions of the Cybersecurity Law of the People’s Republic of China; other data processors are located in the People’s Republic of China Measures for the security management of the exit of important data collected and generated in domestic operations shall be formulated by the national cybersecurity and informatization department in conjunction with the relevant departments of the State Council.

Article 32 Any organization or individual collecting data shall adopt legal and proper methods, and shall not steal or obtain data in other illegal ways.

Where laws and administrative regulations stipulate the purpose and scope of data collection and use, the data shall be collected and used within the purpose and scope stipulated by laws and administrative regulations.

Article 33 Institutions engaged in data transaction intermediary services providing services shall require the data provider to explain the source of the data, review the identities of both parties to the transaction, and keep review and transaction records.

Article 34 Where laws and administrative regulations stipulate that an administrative license shall be obtained for the provision of services related to data processing, the service provider shall obtain a license in accordance with the law.

Article 35: When public security organs and state security organs obtain data for the needs of safeguarding national security or investigating crimes in accordance with the law, they shall go through strict approval procedures in accordance with relevant state regulations, and proceed in accordance with the law, and relevant organizations and individuals shall cooperate.

Article 36: The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, process requests for data provision by foreign judicial or law enforcement agencies. Organizations and individuals within the territory of the People’s Republic of China shall not provide data stored in the territory of the People’s Republic of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People’s Republic of China.


Chapter 5 Government Affairs Data Security and Opening

Article 37 The state vigorously promotes the construction of e-government, improves the scientificity, accuracy, and timeliness of government data, and enhances the ability to use data to serve economic and social development.

Article 38 The collection and use of data by state organs in order to perform their statutory duties shall be carried out within the scope of their statutory duties in accordance with the conditions and procedures prescribed by laws and administrative regulations; Information, trade secrets, confidential business information and other data shall be kept confidential in accordance with the law, and shall not be leaked or illegally provided to others.

Article 39: State organs shall, in accordance with the provisions of laws and administrative regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data.

 

Article 40 State organs entrusting others to build and maintain e-government systems, store and process government data, shall go through strict approval procedures, and shall supervise the entrusted party to perform corresponding data security protection obligations. The entrusted party shall perform data security protection obligations in accordance with the provisions of laws, regulations and contracts, and shall not retain, use, leak or provide government data to others without authorization.

Article 41: State organs shall follow the principles of impartiality, fairness, and convenience for the people, and promptly and accurately disclose government affairs data in accordance with regulations. Except for those not disclosed by law.

Article 42: The state formulates a government data open catalog, builds a unified, standardized, interconnected, safe and controllable government data open platform, and promotes the open use of government data.

Article 43 The provisions of this chapter shall apply to organizations authorized by laws and regulations with functions of managing public affairs to carry out data processing activities in order to perform their statutory duties.


Article 44 In the performance of data security supervision duties, if the relevant competent department finds that there is a relatively large security risk in data processing activities, it may conduct interviews with relevant organizations and individuals in accordance with the prescribed authority and procedures, and require relevant organizations and individuals to take measures. Take corrective measures to eliminate hidden dangers.

Article 45: Organizations or individuals that carry out data processing activities do not perform the data security protection obligations stipulated in Articles 27, 29 and 30 of this Law, the relevant competent departments shall order corrections and give warnings, A fine of not less than 50,000 yuan but not more than 500,000 yuan may be imposed concurrently, and the directly responsible person in charge and other directly responsible persons may be fined not less than 10,000 yuan but not more than 100,000 yuan; if corrections are refused or serious consequences such as large data leakage are caused, the A fine of not less than 500,000 yuan but not more than 2 million yuan may be imposed, and may be ordered to suspend relevant businesses, suspend business for rectification, revoke relevant business licenses, or revoke business licenses; A fine of not more than 100,000 yuan.

Those who violate the national core data management system and endanger national sovereignty, security and development interests shall be fined between RMB 2 million and RMB 10 million by the relevant competent authorities, and shall be ordered to suspend relevant businesses, suspend business for rectification, and revoke relevant business licenses according to the circumstances. Or revoke the business license; if a crime is constituted, criminal responsibility shall be investigated according to law.

Article 46 Anyone who violates the provisions of Article 31 of this Law by providing important data overseas shall be ordered by the relevant competent department to make corrections, given a warning, and may also be fined not less than 100,000 yuan but not more than 1,000,000 yuan. The person in charge and other directly responsible personnel may be fined between 10,000 yuan and 100,000 yuan; if the circumstances are serious, a fine of between 1 million yuan and 10 million yuan may be imposed, and may be ordered to suspend relevant businesses, suspend business for rectification, and revoke relevant business licenses Certificates or revocation of business licenses, the directly responsible person in charge and other directly responsible personnel shall be fined not less than 100,000 yuan but not more than 1,000,000 yuan.

Article 47 If an institution engaged in data transaction intermediary services fails to perform the obligations stipulated in Article 33 of this Law, the relevant competent department shall order it to make corrections, confiscate the illegal income, and impose a fine of not less than one time but not more than ten times the illegal income. If the income or illegal income is less than 100,000 yuan, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and the relevant business shall be suspended for rectification, the relevant business license shall be revoked, or the business license shall be revoked; The person directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 48 Anyone who violates the provisions of Article 35 of this Law and refuses to cooperate with data retrieval shall be ordered to make corrections, given a warning, and imposed a fine of not less than 50,000 yuan but not more than 500,000 yuan. The person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Anyone who violates the provisions of Article 36 of this Law by providing data to foreign judicial or law enforcement agencies without the approval of the competent authority shall be given a warning by the relevant competent authority and may also be fined not less than 100,000 yuan but not more than 1,000,000 yuan. The person in charge and other directly responsible personnel may be fined between 10,000 yuan and 100,000 yuan; if serious consequences are caused, a fine of between 1 million yuan and 5 million yuan, and may be ordered to suspend relevant business, suspend business for rectification, or revoke relevant business If the license or business license is revoked, the directly responsible person in charge and other directly responsible personnel shall be fined not less than 50,000 yuan but not more than 500,000 yuan.

Article 49: Where state organs fail to perform the data security protection obligations stipulated in this Law, the directly responsible person in charge and other directly responsible personnel shall be punished according to law.

Article 50: State functionaries performing data security supervision duties who neglect their duties, abuse their powers, or engage in malpractices for personal gain shall be punished in accordance with the law.

Article 51 Whoever steals or obtains data by other illegal means, conducts data processing activities to exclude or restrict competition, or damage the legitimate rights and interests of individuals or organizations, shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 52 Whoever violates the provisions of this Law and causes damage to others shall bear civil liability according to law.

Those who violate the provisions of this Law and constitute violations of public security administration shall be given public security administration penalties according to law; if a crime is constituted, criminal responsibility shall be investigated according to law.


Chapter 7 Supplementary Provisions

Article 53: Data processing activities involving state secrets shall be governed by the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations.

When carrying out data processing activities in statistical and archival work, and carrying out data processing activities involving personal information, the relevant laws and administrative regulations shall also be complied with.

Article 54 Measures for the security protection of military data shall be formulated separately by the Central Military Commission in accordance with this Law.

Article 55 This Law shall come into force on September 1, 2021.



Closing

The original Data Security Law is written in Chinese; we translated it into English, which is what you read above. This document only serves the purpose of a quick understanding of the Law; use it at your own risk..

If you need further help from our team, contact us today, and our experts will explain to you all the secrets of making your site live in China!


Ready to make your app work in China?

Get Started Questions? Talk to an expert.


Ready to try 21YunBox?

Get Started