Press "Enter" to skip to content

Data Security Management Measures (Draft for Solicitation of Comments)


Chapter I: General Provisions

Chapter II: Data Collection

Chapter III: Data Processing and Use

Chapter IV: Data Security Oversight and Management

Chapter V: Supplementary Provisions

Chapter I: General Provisions

Article 1: These Measures are formulated on the basis of the "Cybersecurity Law of the People's Republic of China" and other laws and regulations, so as to preserve national security and the societal public interest; to protect the lawful rights and interests of citizens, legal persons, and other organizations in cyberspace; and to safeguard the security of personal information and important data.

Article 2: These measures apply to use of networks to carry out activities such as the collection, retention, transmission, processing, and use of data (hereinafter simple 'data activities') in the mainland territory of the People's Republic of China, as well as to data security protections and oversight management. Excluding purely family or individual matters.

Where laws and administrative regulations provide otherwise, those provisions control.

Article 3: The state is to persist in giving equal importance to safeguarding data security and development, encourage research and development of data security protection techniques, actively advance the development and use of data resources, and ensure the orderly and free flow of data in accordance with law.

Article 4: The state is to employ measures to monitor, defend against, and address data security risks and threats originating both inside and out the mainland territory of the People's Republic of China; to protect data from leaks, theft, alteration, destruction, illegal use, and so forth; and to lawfully punish illegal and criminal activities that endanger data security.

Article 5: Under the leadership of the Central Cyberspace Affairs Commission, the State internet information departments are to do overall planning and coordination, guiding and overseeing data security protection work for personal information and important data.

On the basis of their duties, Internet information departments at the local (city) level or above are to guide and oversee data security protection work for personal information and important data within that administrative region

Article 6: Network operators shall follow the provisions of relevant laws and administrative regulations and referencen national network security standards in performing data security protection obligations, establishing systems for data security management responsibility and assesment evaluations, drafting data security plans, implementing technical protections for data security, carrying out data security risk assessments, drafting emergency response plans for network security incidents, promptly handling security incidents, and organizing data security education and training.

Chapter II: Data Collection

Article 7: Network operators collecting personal information through websites, applications, or other products, shall separately draft and disclose rules for the collection. Rules for the collection and use of data may be included in the privacy policy of the website, applications, or other products, and may also be provided to users in other forms.

Article 8: Rules for the collection and use of data shall be clear and specific, simple and straightforward, easily accessible, and shall highlight the following content":

(1) The network operators' basic information;

(2) The names and contact methods for the network operators' principle responsible persons and the persons responsible for data security;

(3) The purpose, types, volume, frequency, methods, and scope of collection and use of personal information;

(4) The location and time period for storage of personal information, as well as the methods for handling it at the end of the time period;

(5) Rules for providing personal information to others, if it is provided to others;

(6) The personal information security protection strategy and related information;

(7) Paths and means for personal information subjects to revoke consent, as well as to make inquiries, corrections, or deletions of personal information;

(8) Channels and means for making complaints or reports;

(9) Other content provided for by laws or administrative regulations.

Article 9: If collection and usage rules are contained in the privacy policy, they shall be relatively concentrated and conspicuously labeled to facilitate reading. Network operators may collect personal information only after users are informed of the collection and usage rules, and clearly consent.

Article 10: Network operators shall strictly follow the collection and usage rules, and the design of functions of websites or applications that collect or use personal information should be consistent with the privacy policy, and adjusted simultaneously with it.

Article 11: Network operators must not compell or mislead personal information subjects into consenting to collection of their personal information through means such as making authorization the default or bundling functions, on the grounds of improving service quality, improving user experience, targeting information delivery, or researching new products.

After personal information subjects consent to collection of personal information that ensures the operation of network products' core operational functions, network operators shall provide the core operational function services to the personal information subjects, and must not refuse to provide the core operational function services because the personal information subjects refuse or revoke consent for the collection of personal information other than that described above.

Article 12: Where collecting the personal information of minors under the age of 14, their guardians' consent shall be acquired.

Article 13: Network operators must not employ discriminatory conduct against personal information subjects on the basis of whether the personal information subject authorized the collection of personal information or the scope of authorization; including differences in service quality and pricing.

Article 14: Network operators have the same responsibility and obligation to protect personal information obtained from other channels and that which they directly collect.

Article 15: Where network operators collect important data or sensitive personal information for business purposes, they should record this with the internet information office for their area. The content of the records is to include the collection and usage rules, and the purpose, scale, methods, scope, types, and time limits for collection and use; but does not include the data content itself.

Article 16: Network operators employing automated methods to visit and collect from websites must not obstruct the websites'normal operation; When this type of conduct seriously impacts website operations, such as where the volume automated visits and collection exceed 1/3 of a website's total daily traffic, and the website requests that the automated visits and collection be stopped, they shall be stopped.

Article 17: Where network operators collect important data or sensitive personal information for business purposes, they shall clarify the persons responsible for data security.

Persons with relevant management work experience and expert knowledge of data security are to serve as the persons responsible for data security, participate in in important decision making related to data activities, and directly report on the work to the principle responsible persons for the network operators.

Article 18: The persons responsible for data security are to perform the following duties:

(1) Organizing the drafting of data protection plans and oversee their implementation;

(2) Organizing and carrying out data security risk assessments, and urging corrections of latent security dangers;

(3) Reporting on data security protections and incident handling as requested by relevant departments and internet information offices;

(4) Accepting and handling user complaints and reports.

Network operators should provide the persons responsible for data security with the necessary resources to ensure their independent performance of their duties.

Chapter III: Data Processing and Use

Article 19: Network operators shall reference relevant state standards to employ measures such as data categorization, backups, and encryption, to strengthen the protection of personal information and important data.

Article 20: Network operators storage of personal information should not exceed the storage period in the collection and usage rules, and shall delete personal information after users deregister accounts, except where it has been processed so that it is not connected with specified individual and cannot be restored (hereinafter 'anonymization processing').

Article 21: When network operators receive requests related to inquiries, changes, or deletion of personal information, or about deregistration of user accounts, they shall provide the inquiries, corrections, deletions, or deregistration within a reasonable time and price range.

Article 22: Network operators must not use personal information in violation of the collection and usage rules. Where due to operational requirements, it is truly necessary to expand the scope of use for personal information, the personal information subjects' consent shall be obtained.

Article 23: Network operators' using user data and algorithms to deliver news information or commercial advertisements (hereinafter simply "targeted delivery') shall conspicuously label them with the words 'targeted' and provide users with functionality to stop receiving information from targeted delivery; and when users select to stop receiving information from targeted delivery, the delivery shall stop and device ID codes and other such user data and personal information that has already been collected shall be deleted.

Network operators carrying out targeted delivery activities should obey laws and administrative regulations; respect social mores, commercial ethics, and good customs; and prohibit conduct such as discrimination and fraud.

Article 24: Network operators using technologies such as big data and artificial intelligence to automatically compose news, blogs, posts, comments, and other such information, should clearly label it as 'composed; and must not automate information composition for the purpose of obtaining benefits or harming the interests of others.

Article 25: Network operators should employ measures to urge and remind users of their responsibility for online conduct and to strengthen self-discipline, and where users transmit information created by others on social media, should automatically note the creator's social media account or an unchanging user identifier.

Article 26: When network operators receive reports and complaints of information published under counterfeited, imitated, or pirated versions of others' names, they shall promptly respond, and once verified immediately stop the transmission and delete it.

Article 27: Before network operators provide personal information to others, they shall assess the security risks it might bring about and obtain the personal information subjects' consent. The following circumstances are excepted:

(1) That which is collected from lawful and open channels, where not clearly against the will of the personal information subjects;

(2) That which is proactively disclosed by the personal information subject;

(3) That which has been processed for anonymization;

(4) That which is required by law enforcement organs lawful performance of their duties;

(5) That which is required for preserving national security, the societal public interest, and personal information subjects' security in their lives.

Article 28: Before network operators publish, share, exchange important data or provide it outside the mainland territory, they shall assess the security risks it might bring about and get the consent of the competent industry oversight departments; where it is unclear which department is competent for industry oversight, they shall get approval from the provincial level internet information office.

Provision of personal information outside the mainland territory is to be implemented in accordance with relevant provisions.

Article 29: Where mainland users visit the mainland internet, their traffic must not be routed outside the mainland.

Article 30: Network operators should make data security requirements and responsibilities clear to third-party applications linked to their platform, and urge and oversee the third party application operators strengthening of data security management. Where data security incidents occur in third-party applications causing harm to users, network operators shall bear partial or full responsibility unless the network operators can prove they had no fault.

Article 31: Where network operators merge, reorganize, or go bankrupt, the party inheriting the data inherits the data security responsibilities and obligations. Where there is no party inheriting the data, the data shall be deleted. Where laws and administrative regulations provide otherwise, those provisions control.

Article 32: Network operators' analysis and use of data resources they hold to publish market predictions, statistical information, personal and enterprise credit, and other such information, must not impact network operators, economic operations, or social stability, and must not harm the lawful rights and interests of others.

Chapter IV: Data Security Oversight and Management

Article 33: Internet information departments discovering in the course of performing their duties that network operators have not adequately implemented data security management responsibilities, should give the network operators' principle responsible persons a talking to and urge corrections, in accordance with the scope of authority and procedures provided.

Article 34: The state encourages network operators to voluntarily go through data security management certification and application security certification, and encourages search engines, app stores, and others to clearly label and give priority to recommending certified applications.

The State network information departments, together with the State Council department for market oversight and regulation, is to guide the State network security review and certification bodies, organizing data security management certification application security certification efforts.

Article 35: Where data security incidents such as leaks, destruction, or loss of personal information occur, or when the risk of a data security incident occurring clearly increases, network operators shall immediately employ remedial measures, promptly inform personal information subjects by phone, text message, email, letter, or other means, and report to the competent departments for industry oversight and internet information departments as requested.

Article 36: Where, in accordance with provisions of laws and administrative regulations, the relevant competent departments of the State Council request that network operators provide data in their grasp as required for the performance of duties such as preserving national security, social management, and economic regulation and controls, the national security shall provide it.

The relevant competent departments of the State Council bear responsibility for protecting the security of data provided by network operators, and must not use it other than for performance of their duties.

Article 37: Where network operators violate the provisions of these Measures, the relevant departments, in accordance with laws and administrative regulations, and in light of the circumstances, are to give punishments such as public exposure, confiscation of illegal income, suspension of related operations, stopping operations for rectification, closing websites, cancelling relevant operational permits, or canceling business licenses; and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Chapter V: Supplementary Provisions

Article 38: The meanings of the following terms used in these Measures:

(1) "Network operators" refers to network owners, managers and network service providers.

(2) "Network data" refers to all kinds of electronic data collected, stored, transmitted, processed, and produced through networks.

(2) "Personal information" refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.

(4) "Personal information subject" refers to the natural persons identified and related to personal information.

(5) "Important Information" refers to data that once released might directly impact national security, economic security, social stability, or public health and safety, such as unpublished government information, or population, genetic and health, geographic, and mineral resource information over a large area. Important Information does not normally include business or internal management information produced by enterprises, personal information, and so forth.

Article 39: Enforcement for data activities that involve information or codes that are state secrets is to be in accordance with relevant state provisions.

Article 40: These Measures take effect on XX/XX/XX.


Click to rate this post!
[Total: 0 Average: 0]

Print this entry

CLT is a crowdsourced, crowdfunded legal translation project that enables English speaking people to better understand Chinese law.

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *