Translation: China's 'Data Security Law (Draft)'

China's data governance regime grows, with data markets contemplated and government data regulated
Blog Post
July 2, 2020

This translation is part of the DigiChina Project, a joint effort of the Stanford Cyber Policy Center and New America. It was translated collaboratively by Emma Rafaelof, Rogier Creemers, Samm Sacks, Katharin Tai, and Kevin Neville, and edited by DigiChina editor Graham Webster, who drafted the introduction based on insights from Rafaelof and Sacks.

The Chinese government this week released a draft Data Security Law for public comment. The law marks a significant evolution in China’s data protection regime, building on existing structures set up by the Cybersecurity Law and related regulations, and introducing rules around markets for data, government data collection and handling, and classification of different types of data.

Together with the Personal Information Protection Law, which is also expected to emerge in draft form this year, the Data Security Law is set to specify new responsibilities and authorities for government offices and private actors.

Note: DigiChina completed a translation (below) based on a copy of the draft law posted on the National People’s Congress (NPC) website and republished by the Chinese legislation watchers at NPC Observer. The original document has since been deleted from the official government site, according to NPC Observer, so before it is republished it is possible that some details may change, or the timing of the comment period (initially announced to last through July 31, 2020) may be revised. If the Data Security Law (Draft) changes when it is republished by the NPC, DigiChina will update this post. [Update: The draft has been republished with a new comment period conclusion date of August 16, 2020. –Ed., July 3, 2020]

Some of the notable provisions in this draft include:

  • Article 2 states that legal liability would be pursued even if entities outside China “engage in data activities that harm the national security, the public interest, or the lawful interests of citizens or organizations” in China.
  • Article 19 introduces a new system for regulating data based on “different grades and classifications, according to the degree of importance to economic and social development” and to the severity of harm that might come from abuse of the data.
  • Article 19 also charges regional government and sectoral regulators with producing catalogs of what constitutes “important data,” which would distribute responsibility widely as to determining the reach of data security responsibilities and requirements.
  • Article 24 would establish a way to retaliate for measures by foreign governments that target China with discriminatory prohibitions, limitations, etc., around data investment or technology.
  • The law also outlines but does not detail procedures for national security or law enforcement authorities seeking data from private data holders (Article 32), and for providing data in China to law enforcement authorities abroad (Article 33).


[Chinese-language original]

TRANSLATION

Data Security Law of the People’s Republic of China (Draft)

Table of Contents

Chapter I: General Provisions

Chapter II: Data Security and Development

Chapter III: Data Security Systems

Chapter IV: Data Security Protection Responsibilities

Chapter V: Government Data Security and Openness

Chapter VI: Legal Liability

Chapter VII: Supplementary Provisions

Chapter I: General Provisions

Article 1: In order to ensure data security, promote data development and use, protect the lawful rights and interests of citizens and organizations, and safeguard national sovereignty, security, and development interests, this Law is formulated.

Article 2: This Law is applicable to the conduct of data activities within the mainland territory of the People’s Republic of China.

Where organizations or individuals outside of the mainland territory of the People’s Republic of China engage in data activities that harm the national security, the public interest, or the lawful interests of citizens or organizations of the People’s Republic of China, legal liability will be investigated according to the law.

Article 3: “Data,” as mentioned in this Law, refers to any record of information in electronic or non-electronic form.

“Data activities” refers to data collection, storage, processing, use, provision, transaction, publication, and other such activities.

“Data security” refers to the ability to ensure that data is effectively protected and lawfully used through adopting necessary measures, and remains continually in a secure state.

Article 4: In ensuring data security, the overall national security concept shall be upheld, data security governance systems shall be established and completed, and data security protection capabilities increased.

Article 5: The State: protects the data-related rights of citizens and organizations; encourages lawful, reasonable, and effective data use; ensures the lawful and orderly free flow of data; and stimulates the development of the digital economy with data as a key factor, enhancing the people’s welfare.

Article 6: The Central national security leading body is responsible for policy decisions on and comprehensive coordination of data security work, researching, formulating, and guiding the implementation of national data security strategies and related major policies and plans.

Article 7: All localities and all departments bear primary responsibility for the data created, collected, or processed through the work of that locality or department as well as for data security. Supervising bodies are responsible for the supervision of data security in trades or sectors such as: industry; telecommunications; natural resources; hygiene and health; education; national defense science, technology, and industry; finance; etc.

Public security bodies and national security bodies are, according to the provisions of this Law and relevant laws and administrative regulations, responsible for the supervision of data security within their respective scope of duties.

The national cybersecurity and informatization department is, according to the provisions of this Law and relevant laws and administrative regulations, responsible for the comprehensive coordination of online data security and related supervision work.

Article 8: When conducting data activities, laws and administrative regulations must be observed, social public morals and ethics respected, commercial ethics observed, sincerity and trustworthiness upheld, data security protection duties fulfilled, and social responsibilities undertaken. It is prohibited to harm national security or the public interest, and it is prohibited to harm the lawful rights and interests of citizens and organizations.

Article 9: The State establishes and completes a data security coordinated governance system, promotes the joint participation of relevant departments, sectoral organizations, enterprises, and individuals in data security protection work, and creates a beneficial environment in which all of society jointly safeguards data security and promotes development.

Article 10: The State actively engages in international exchange and cooperation in the data area, participates in the formulation of international regulation and standard-setting related to data security, and promotes the secure and free flow of data across borders.

Article 11: Any organization or individual has the right to file a complaint about or report acts violating the provisions of this Law to the relevant competent department. Departments receiving complaints or reports shall handle them promptly and according to the law.

Chapter II: Data Security and Development

Article 12: The State firmly places equal emphasis on safeguarding data security and promoting data development and use, promoting data security through data development and use and through industrial development, and ensuring data development and use and industrial development through data security.

Article 13: The State implements a big data strategy to enhance data infrastructure construction, to encourage and support the innovative application of data in all industries and sectors, and to promote the development of the digital economy.

Provincial-level or higher People’s Governments shall formulate digital economy development plans, and include them in their economic and social development plans.

Article 14: The State strengthens basic research on data development and use technology; supports the dissemination and commercial innovation of technologies in areas such as data development and use, data security, etc.; and fosters and develops products and industrial systems for data development and use, and for data security.

Article 15: The State advances the construction of data development and use technology and data security standards systems. The State Council administrative department for standardization and relevant State Council departments will, according to their respective duties and responsibilities, organize the formulation and timely revision of standards concerning data development and use technologies and products and security-related standards. The State supports enterprises, research institutions, institutions of higher education, related sectoral organizations, etc., to participate in the formulation of standards.

Article 16: The State promotes the development of services such as data security monitoring and assessment, certification, etc., and it supports specialized bodies for data security monitoring and assessment, certification, etc., to develop services according to law.

Article 17: The State establishes and completes data transaction management systems, standardizes data transaction activities, and cultivates a data transaction market.

Article 18: The State supports institutions of higher education, secondary vocational schools, enterprises, etc., to develop education and training in data development and use technologies and data security, to adopt a variety of methods to cultivate talent in data development and use technologies and data security, advancing talent exchange.

Chapter III: Data Security Systems

Article 19: The State shall implement data protection for data at different grades and classifications, according to the degree of importance to economic and social development; and according to the impact on national security, the public interest, or the lawful rights and interests of citizens or organizations if it is falsified, destroyed, leaked or illegally acquired, or illegally used.

Each region and department, according to relevant national provisions, shall determine a regional, departmental, and industrial important data protection catalog, and undertake special protections for that which is listed in the catalog.

Article 20: The State establishes a centralized, efficient, and authoritative mechanism for data security risk assessment, reporting, information sharing, supervision, and early warning, and strengthens work on data security risk information acquisition, analysis, determination, and early warning.

Article 21: The State establishes a data security emergency management mechanism. In the event of a data security incident, the relevant department shall, according to law, activate a contingency plan, adopt appropriate emergency management measures, eliminate security gaps, prevent expansion of harms, and promptly publish to society warning information relevant to the public.

Article 22: The State establishes a data security review system, where data activities that affect or may affect national security undergo national security review. Security review decisions issued according to law are final decisions.

Article 23: The State implements export controls according to law on data belonging to controlled categories to carry out international duties and safeguard national security.

Article 24: For any country or region that adopts discriminatory prohibitions, limitations or other such measures toward the People’s Republic of China with respect to investment or trade related to data, data development and use, or technology, the People’s Republic of China may, according to the actual circumstances, adopt corresponding measures toward that country or region.

Chapter IV: Data Security Protection Responsibilities

Article 25: Those conducting data activities shall, according to the provisions of laws and administrative regulations as well as mandatory requirements in national standards, establish and complete a data security management system across the entire workflow, organize and conduct data security education and training, and adopt corresponding technical measures and other necessary measures to ensure data security.

Those handling important data shall designate personnel responsible for data security and establish management bodies to implement data security protection responsibilities.

Article 26: Those conducting data activities as well as research and development of new data technologies shall benefit the advancement of economic and social development, enhance the people’s welfare, and conform to social morals and ethics.

Article 27: Those conducting data activities shall strengthen risk monitoring, and where they discover data security shortcomings, leaks, and other such dangers, immediately adopt remedial measures; when data security incidents occur, they shall promptly notify users according to regulations and report the matter to the relevant competent department.

Article 28: Those handling important data shall, according to regulations, periodically conduct risk assessments of their data activities, and submit a risk assessment report to the relevant competent department. The risk assessment report shall include: the categories and quantities of important data controlled by said organization; how data is collected, stored, processed and used; the data security risks faced and countermeasures; etc.

Article 29: Any organization or individual collecting data must adopt lawful and proper methods; they may not steal data or obtain it by other illegal means. Where laws and administrative regulations contain provisions on the purpose or scope of data collection or use, data shall be collected and used for the purpose and within the scope prescribed by laws and administrative regulations, and may not exceed the limits of necessity.

Article 30: Bodies engaging in data transaction intermediary services shall, when providing trading intermediary services, require that the data providing party explain the source of the data, examine and verify the identity of both sides, and retain examination, verification, and transaction records.

Article 31: Operators providing specialized online data handling and other such services shall obtain a business license or register according to the law. Specific rules will be formulated by the State Council competent department for telecommunications jointly with relevant departments.

Article 32: Where public security bodies and national security bodies need to consult data in order to lawfully safeguard national security or investigate a crime, they shall, according to relevant State regulations, undergo strict approval procedures and proceed according to the law; relevant organizations and individuals shall grant cooperation.

Article 33: Where foreign law enforcement bodies need to consult data stored within the mainland territory of the People’s Republic of China, relevant organizations and individuals shall report the matter to the relevant competent department, and may only provide it after having obtained permission. Where the People’s Republic of China has concluded or joined an international treaty or agreement with provisions on foreign law enforcement bodies consulting domestic data, those provisions shall be followed.

Chapter V: Government Data Security and Openness

Article 34: The State forcefully advances the construction of e-government, increases the scientific nature, accuracy, and efficacy of government data, and enhances capabilities to use data to serve economic and social development.

Article 35: Where State bodies need to collect or use data to implement their statutory duties, they shall do so within the scope of the statutory duties they implement, and according to the conditions and procedures provided in laws and administrative regulations.

Article 36: State bodies shall, according to the provisions of laws and administrative regulations, establish and complete data security management systems, implement data security protection responsibilities, and ensure government data security.

Article 37: Where State bodies entrust other persons to store or process government data, or provide government data to others, they shall undergo strict approval procedures, and shall supervise the receiving party’s implementation of corresponding data security protection duties.

Article 38: State bodies shall abide by the principles of fairness, impartiality, and convenience for the people and promptly and accurately publish government data according to regulations, except where it should not be published according to the law.

Article 39: The State: formulates government data openness catalogs; builds a uniform and standard, interconnected and interactive, secure and controllable government data openness platform; and promotes the open use of government data.

Article 40: Where organizations with public affairs management functions conduct data activities in order to implement their public affairs management functions, the provisions of this Law apply.

Chapter VI: Legal Liability

Article 41: When relevant departments in the course of carrying out data security supervision duties discover the existence of major security risks in data activities, according to jurisdictional rules and procedures they may engage with relevant organizations and individuals. Relevant organizations and individuals shall, according to requirements, adopt measures, carry out reforms, and eliminate threats.

Article 42: For organizations and individuals conducting data activities that do not comply with the data security duties and provisions under Articles 25, 27, 28, and 29 of this Law, or have not yet implemented required security measures, the relevant departments order corrections, provide warning, and at the same time may also impose a fine of more than 10,000 RMB and less than 100,000 RMB; directly responsible managing personnel are subject to a fine of more than 5,000 RMB and less than 50,000 RMB; those who refuse corrections or create large data leakages or other such serious consequences are subject to a fine of more than 100,000 RMB and less than 1,000,000 RMB; and directly responsible managing personnel and other directly responsible personnel are subject to a fine of more than 10,000 RMB and less than 100,000 RMB.

Article 43: For data transaction intermediary organizations that have not yet carried out the duties under the provisions of Article 30 of this Law, resulting in the transaction of data from illegal sources, the relevant departments order corrections, confiscate any illegal income, and impose a fine of more than the amount of the income and less than 10 times the amount of the income; in the case of no illegal income, authorities impose a fine of more than 100,000 RMB and less than 1,000,000 RMB. Relevant departments may revoke relevant business permits or business operation licenses. Directly responsible managing personnel and other directly responsible personnel are subject to a fine of more than 10,000 RMB and less than 100,000 RMB.

Article 44: Businesses operating without permits or registration under Article 31 of this Law are subject to correction by relevant departments, banning, confiscation of illegal income, imposition of a fine more than the amount of their illegal income and less than 10 times the amount of the illegal income; in the case of no illegal income, they are subject to a fine of more than 100,000 RMB and less than 1,000,000 RMB; directly responsible managing personnel and other directly responsible personnel are subject to a fine of more than 10,000 RMB and less than 100,000 RMB.

Article 45: If State bodies do not carry out the data security protection duties provided for in this Law, directly responsible managing personnel and other directly responsible personnel will be punished according to law.

Article 46: If government employees with the responsibility of overseeing data security neglect their duty, abuse their power, or abuse their position for private gain, yet it does not constitute a crime, they shall be sanctioned in accordance with the law.

Article 47: Using data activities to harm national security or the public interest, or to harm the lawful rights and interests of citizens or organizations, shall be punished according to relevant provisions of law and administrative regulations.

Article 48: Someone who violates the provisions of this law and causes harm to other individuals assumes civil liability according to the law. If someone violates the provisions of this law, constituting a violation of public security subject to administrative penalty, they shall be given public security sanction according to law. If a crime is constituted, they shall be investigated for criminal responsibility.

Chapter VII: Supplementary Provisions

Article 49: For data activities involving state secrets, laws and administrative regulations such as the “Law of the People’s Republic of China on Guarding State Secrets” are applicable. Those undertaking data activities involving personal information shall abide by relevant laws and administrative regulations.

Article 50: Measures for protecting military data are formulated separately by the Central Military Commission.

Article 51: This law takes effect on [month] [day], [year].