Data Security Law of the People's Republic of China

Data Security Law of the People's Republic of China 中华人民共和国数据安全法 Order of the President of the People's Republic of China (No. 84) The Data Security Law of the People's Republic of China, as adopted at the 29th session of the Standing Committee of the Thirteenth National People's Congress of the People's Republic of China on June 10, 2021, is hereby issued, and shall come into force on September 1, 2021. Xi Jinping, President of the People's Republic of China June 10, 2021 Data Security Law of the People's Republic of China (Adopted at the 29th session of the Standing Committee of the Thirteenth National People's Congress on June 10, 2021) Contents Chapter I General Provisions Chapter II Data Security and Development Chapter III Data Security Systems Chapter IV Data Security Protection Obligations Chapter V Security and Public Availability of Government Data Chapter VI Legal Liability Chapter VII Supplemental Provisions Chapter I General Provisions Article 1 This Law is enacted for the purposes of regulating data processing activities, safeguarding data security, promoting data development and utilization, protecting the lawful rights and interests of individuals and organizations, and maintaining national sovereignty, security, and development interests. Article 2 This Law shall apply to data processing activities and the security supervision thereof conducted in the territory of the People's Republic of China. Those that conduct data processing activities outside the territory of the People's Republic of China to the detriment of the national security, public interest, or lawful rights and interests of citizens and organizations of the People's Republic of China shall be held legally liable in accordance with the law. Article 3 For the purposes of this Law, "data" means any record of information in electronic or any other form. "Data processing" includes but is not limited to the collection, storage, use, processing, transmission, provision, and public disclosure of data. "Data security" means that necessary measures are taken to ensure the state of effective protection and lawful utilization of data and have the capability to safeguard the continuing state of security. Article 4 In the maintenance of data security, a holistic approach to national security shall be adhered to, a data security governance system shall be established and improved, and the capability to safeguard data security shall be enhanced. Article 5 The central leading body for national security shall be responsible for coordinating the policymaking and deliberations on national data security work, researching, developing, guiding the implementation of national data security strategies and relevant major guidelines and policies, conducting overall coordination of significant affairs and important tasks concerning national data security, and establishing a national data security work coordination mechanism. Article 6 Each region or department shall be responsible for the data collected and generated in its work and the data security. Industrial sector, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other departments shall undertake the duty to supervise data security in their respective industries and fields. Public security authorities and national security authorities, among others, shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, undertake the duty to supervise data security within their respective purviews. The national cyberspace authority shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, be responsible for conducting overall coordination of cyber data security and related supervision work. Article 7 The state shall protect the data-related rights and interests of individuals and organizations, encourage the lawful, reasonable and effective utilization of data, safeguard the orderly and free flow of data in accordance with the law, and promote the development of a digital economy with data as a key factor. Article 8 When conducting data processing activities, one shall comply with laws and regulations, respect social norms and ethics, observe business and professional ethics, act in good faith, perform data security protection obligations, and undertake social responsibilities, and shall neither compromise national security and public interest nor harm the lawful rights and interests of any organization or individual. Article 9 The state shall support the publicity and dissemination of knowledge on data security, raise the awareness and level of data security protection in the whole society, and push relevant departments, industry organizations, scientific research institutions, enterprises, and individuals, among others, to jointly participate in data security protection work, so as to create a favorable environment for the whole society to jointly maintain data security and promote development. Article 10 A relevant industry organization shall, in accordance with its articles of association, formulate a code of conduct and group standards for data security in accordance with the law, strengthen industry self-regulation, guide members in strengthening data security protection, improve the level of data security protection, and promote the sound development of the industry. Article 11 The state shall proactively engage in international exchanges and cooperation in data security governance, data development and utilization, and other fields, participate in the formulation of international rules and standards related to data security, and promote the secure and free cross-border flow of data. Article 12 Any individual or organization shall have the right to complain and report to an appropriate department on a violation of this Law. The department that receives the complaint or report shall handle it in a timely manner in accordance with the law. The appropriate department shall keep confidential the relevant information on the complainant or reporting person, and protect the lawful rights and interests of the complainant or reporting person. Chapter II Data Security and Development Article 13 The state shall coordinate development and security, and adhere to promoting data security with data development and utilization and industry development and safeguarding data development and utilization and industry development with data security. Article 14 The state shall implement a big data strategy, advance the construction of data infrastructure, and encourage and support the innovative application of data in various industries and fields. The people's government at or above the provincial level shall incorporate the development of a digital economy into the national economic and social development plan at the level, and formulate a general plan on digital economy development as needed. Article 15 The state shall support the development and utilization of data to improve the intelligence level of public services. In the provision of intelligent public services, the needs of the elderly and the disabled shall be fully considered to avoid creating obstacles to their daily life. Article 16 The state shall support the technological research on data security and data development and utilization, encourage technological promotion and commercial innovation in the fields of data development and utilization and data security, among others, and cultivate and develop data development and utilization and data security product and industry systems. Article 17 The state shall advance the construction of the data development and utilization technology and data security standards system. The standardization department of the State Council and the relevant departments of the State Council shall, within their respective purviews, organize ......