Data Security Law of the People’s Republic of China (Mainland China)

Karl Zhang

On June 10, 2021, the Standing Committee of the National People’s Congress adopted the Data Security Law of the People’s Republic of China (the “Data Security Law”), which will go into effect on September 1, 2021, with the following main contents:

I. General provisions

The Data Security Law applies to all data processing activities carried out within the territory of the People’s Republic of China and to the security supervision of those activities.  However, if data processing activities carried out outside the territory of the People’s Republic of China harm the national security, the public interest, or the lawful rights and interests of citizens or organizations of the People’s Republic of China, legal liability shall still be pursued in accordance with law.  Data means any record of information in electronic or other form.  Data processing includes the collection, storage, use, processing, transmission, provision, disclosure, etc., of data.  Data security means taking the necessary measures to ensure that data is effectively protected and lawfully used, and having the ability to keep such data in a continuously secure state.

The state protects the data-related rights and interests of individuals and organizations, encourages the reasonable and effective use of data, safeguards the orderly and free flow of data, and promotes the development of the digital economy with data as a key element.

II. Data security and development

The state coordinates development and security, promotes the construction of data infrastructure, and encourages and supports innovative data applications in all industries and fields.  The state also supports the development and use of data to raise the level of intelligence of public services; supports research into data development, usage and security technologies; promotes the building of data development technology and data security standards systems; promotes data security testing, assessment and certification services; improves the data transaction administration system; and fosters professional talent in data development, usage and security.

III. Data security system 

The state will establish a categorized and tiered data protection system; mechanisms for the assessment, reporting, information sharing, monitoring and early warning of data security risks; and a data security emergency response mechanism.  At the same time, the state will establish a data security review system to conduct national security reviews of data processing activities that affect or may affect national security, and will implement export controls over data that constitutes a controlled item for the purposes of safeguarding national security and interests and fulfilling international obligations.

Where any country or region imposes discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China with respect to investment, trade or other matters relating to data or to data development and usage technologies, the People’s Republic of China may take reciprocal measures against that country or region according to the actual circumstances.

IV. Data security protection obligations

Anyone engaging in data processing activities shall establish a sound data security management system covering the whole data processing workflow so as to ensure data security.  Where data processing activities are carried out over the Internet or other information networks, the above data security protection obligations shall be performed on the basis of the cybersecurity multi-level protection system.  In addition, risk monitoring shall be strengthened so that, when a data security incident occurs, remedial measures are taken immediately and the incident is promptly reported to users and to the relevant competent authorities in accordance with applicable requirements.

The security management of cross-border transfers of important data collected and generated by critical information infrastructure operators within the territory of the People’s Republic of China is governed by the Cybersecurity Law of the People’s Republic of China; the state cyberspace administration, together with the relevant departments of the State Council, shall formulate the rules for the security management of cross-border transfers of important data collected and generated by other data processors within the territory of the People’s Republic of China.  No organization or individual shall provide data stored within the territory of the People’s Republic of China to any foreign judicial or law enforcement agency without the approval of the competent authorities of the People’s Republic of China.

Organizations and individuals shall collect data by lawful and proper means, and shall not steal data or obtain it by other unlawful means.  An institution engaging in data transaction intermediary services is required to require data providers to explain the source of the data, to verify the identities of both parties to the transaction, and to retain records of the verification and of the transaction.

V. Government data security and transparency

State organs that need to collect and use data in order to perform their statutory duties shall do so within the scope and in accordance with the conditions and procedures provided for by laws and administrative regulations.  Any personal privacy, personal information, trade secrets, confidential business information, etc., that they learn in the course of performing such duties shall be kept confidential and shall not be disclosed or unlawfully provided to others.

VI. Legal liability

The Data Security Law provides that organizations and their responsible persons who fail to perform data security protection obligations, violate the national core data management system, unlawfully provide important data to overseas parties, fail to perform data transaction intermediary obligations, or commit other violations of the law may, depending on the circumstances, be punished by fines, suspension of business for rectification, and revocation of the relevant business permits or business licenses.