THE FINALIZED VERSION OF THIS LAW HAS BEEN PASSED. THIS IS ONLY A DRAFT.
The 20th meeting of the Standing Committee of the 13th National People's Congress deliberated the "Data Security Law of the People's Republic of China (Draft)". The "Data Security Law of the People's Republic of China (Draft)" is now published on the NPC website, and the public can log in directly at www.npc.gov.cn to submit opinions; opinions may also be sent to the Legal Work Committee of the Standing Committee of the National People's Congress (No. 1, Qianmen West Street, Xicheng District, Beijing, 100805; please indicate "Comments on the draft Data Security Law" on the envelope). Deadline for comments: August 16, 2020.
Article 1: This law is formulated so as to ensure data security, promote the development and exploitation of data, protect citizens' and organizations' lawful rights and interests, and preserve state sovereignty, security, and development interests.
Article 2: This law applies to data activities carried out within the [mainland] territory of the People’s Republic of China.
Organizations and individuals outside the P.R.C. that carry out data security activities harming the national security of the P.R.C., the public interest, or the lawful rights and interests of citizens and organizations, are to be pursued for legal responsibility in accordance with law.
Article 3: "Data" as used in this Law refers to any record of information in electronic or other forms.
"Data activities" refers to acts of collection, storage, processing, use, provision, transaction, or disclosure of data.
"Data Security" refers to the employment of necessary measures to ensure that data is effectively protected and legally used, and to ensure its capacity to remain in a secure state.
Article 4: The preservation of data security shall adhere to an overall state security perspective, and establish and complete a system of data security governance, to increase capacity to ensure data security.
Article 5: The state is to protect citizens' and organizations' rights and interests related to data; is to encourage the reasonable and effective use of data in accordance with law; is to ensure the lawful and orderly free flow of data; and is to promote the lawful development of the digital economy with data as a key element, to increase the people's prosperity.
Article 6: The central leading group on national security is responsible for major decision making and overall coordination on data security, and is to research, draft, and guide the implementation of a national data security strategy and major directives and policies.
Article 7: Each region and department bears primary responsibility for that region or department's efforts on data production, aggregation, and processing, as well as data security.
Regulatory departments such as for industry, telecommunications, natural resources, health, education, national defense technology and industry, and finance are to undertake data security regulatory duties in the corresponding sector.
Public security organs, state security organs, and so forth are to follow the provisions of this Law, relevant laws, and administrative regulations, to undertake data security regulation duties within the scope of their duties.
The State internet information departments are to follow this Law, relevant laws, and administrative regulations to take responsibility for the overall coordination of online data security and relevant regulatory efforts.
Article 8: In carrying out data activities, one must comply with laws and administrative regulations, respect social mores and ethics, comply with business ethics, be honest and trustworthy, perform obligations to protect data security, and bear social responsibility; and must not endanger national security, the public interest, or harm the lawful rights and interests of citizens and organizations.
Article 9: The state is to establish and complete systems for collaborative governance of data security, pushing relevant departments, industry organizations, enterprises, and individuals to jointly participate in efforts to protect data security, and forming a positive environment for the entire society to jointly preserve data security and promote development.
Article 10: The state is to actively carry out international exchanges and cooperation in the data sector, participate in the formulation of international rules and standards related to data security, and promote the safe and free flow of data across borders.
Article 11: Every organization and individual has the right to make complaints or reports about violations of this law to the relevant authorities. Departments receiving complaints or reports shall handle them promptly and in accordance with law.
Article 12: The state is to persist in equally emphasizing data security and the promotion of data use; promoting data security through data use, development, and industry development; and ensuring data use, development, and industry development through data security.
Article 13: The state is to implement a big data strategy, advancing the establishment of data infrastructure, and encouraging and supporting innovative applications of data in each industry and field, to promote the development of the digital economy.
People's governments at provincial-level or higher shall draft digital economy development plans and include them in the people's economic and social development plans for that level.
Article 14: The state is to strengthen basic research into technologies for data use and development, support the spread and commercial innovation in areas such as the use and development of data and data security, to foster and develop data use and development, data security products, and industrial systems for the use and development of data.
Article 15: The state is to advance the establishment of a system of standards for data development and exploitation technologies and data security. Within the scope of their respective duties, the State Council departments in charge of standardization and other relevant State Council departments are to organize the formulation and appropriate revision of standards related to technology and products for the development and use of data and to data security. The state is to support enterprises, research institutions, schools of higher education, and relevant industry organizations to organize and participate in the formulation of standards.
Article 16: The state is to promote the development of services such as data security testing, appraisals, and certification, and support professional institutions carrying out data security testing, appraisals, and certification service activities.
Article 17: The state is to establish and complete systems for data transactions and management, regulating data transaction conduct, and fostering the data transaction market.
Article 18: The State is to support schools of higher education, secondary vocational schools, enterprises, and so forth, in carrying out education and training related to data use and development and data security, employing diverse methods to cultivate professional data use and development and data security talent, and promoting professional exchanges.
Article 19: The state is to implement graded and categorical data protections based on the level of importance of data in economic and social development and the extent of harm that would be caused to national security, the public interest, or the lawful rights and interests of citizens and organizations if the data were altered, destroyed, leaked, or illegally obtained or used.
Each region and each department shall follow relevant state provisions to designate a catalog of important data for protection in the corresponding region, department, or industry, and carry out key protections for data included in the catalog.
Article 20: The state is to establish a uniform, highly effective, and authoritative system for data security risk assessment, reporting, information sharing, monitoring, and early warning, to strengthen the acquisition, analysis, assessment, and early warning of information on data security risks.
Article 21: The state is to establish data security emergency response mechanisms. Where data security incidents occur, the relevant regulatory departments shall initiate the emergency response plan and employ corresponding emergency response measures, eliminate security threats, and prevent the harms from expanding, and promptly publish relevant warning information to the public.
Article 22: The state is to establish systems for data security reviews and conduct national security reviews of data activities that impact or might impact national security.
Security review decisions made in accordance with law are final decisions.
Article 23: The state is to implement export controls in accordance with law for data that are controlled items related to fulfilling international obligations and maintaining national security.
Article 24: Where any nation or region employs discriminatory, restrictive, or other similar measures against the PRC in terms of investment or trade in data and technology for the exploitation and development of data, the P.R.C. may employ corresponding measures against that nation or region based on the actual circumstances.
Article 25: The carrying out of data activities shall be in accordance with laws and administrative regulations and the mandatory requirements of national standards, establishing and completing a data management system for the entire process, organizing education and training on data security, and employing related technical measures and other necessary measures to ensure data security.
Those processing important data shall set up persons responsible for data security and data security management bodies to implement the responsibility for data security protections.
Article 26: The carrying out of data activities and research into new data technologies shall be conducive to promoting economic and social development, further the people's wellbeing, and comply with social mores and ethics.
Article 27: The carrying out of data activities shall strengthen risk monitoring, and where risks such as data security flaws or holes are discovered, remedial measures shall be employed immediately; when data security incidents are discovered, users shall be promptly informed and a report made to the relevant regulatory departments.
Article 28: Those processing important data shall periodically carry out risk assessments of their data activities as provided, and send risk assessment reports to the relevant regulatory departments.
Risk assessment reports shall include the types and amounts of important data in the organization's hands; the circumstances of data storage, processing, and usage; the data risks being confronted and methods for addressing them.
Article 29: Any organization or individual collecting data must employ lawful and appropriate methods and must not steal or obtain data through other illegal methods.
Where laws and administrative regulations have provisions on the purpose or scope of data collection and use, data is to be collected or used within the purpose and scope provided for in those laws and administrative regulations, and must not exceed necessary limits.
Article 30: When institutions engaged in data transaction intermediary services provide those services, they shall require the party providing data to explain the sources of the data, verify the identities of both parties, and store a record of the review and transaction.
Article 31: Businesses specializing in providing services such as online data handling shall lawfully obtain business operation permits or make filings. The specific measures are to be formulated by the State Council's departments for regulating telecommunications in conjunction with relevant departments.
Article 32: Public security organs and state security organs collecting data as necessary to lawfully preserve national security or investigate crimes shall follow relevant state provisions and complete strict approval formalities to do so, and relevant organizations and individuals shall cooperate.
Article 33: Where foreign [non-mainland] law enforcement bodies request to collect data stored in the [mainland] P.R.C., relevant organizations and individuals shall report to the relevant regulatory departments and may provide it only after receiving approval. Where international treaties and agreements concluded or participated in by the People's Republic of China have provisions on foreign law enforcement bodies accessing domestic [mainland] data, follow their provisions.
Article 34: The state is to forcefully advance the establishment of e-governance, increasing the scientific nature, accuracy, and efficacy of government affairs data, and increasing the use of data in service of economic and social development.
Article 35: Where state organs' performance of legally-prescribed duties requires the collection and use of data, it shall be within the scope of the legally-prescribed duties and proceed in accordance with the requirements and procedures of laws and administrative regulations.
Article 36: State organs shall follow laws and administrative regulations to establish and complete data security management systems and implement responsibility for data security protections to ensure the security of government affairs data.
Article 37: Where state organs entrust others to store or process government affairs data or provide others with government affairs data, they shall go through strict approval procedures and shall oversee the receiving party's performance of the corresponding data security protection obligations.
Article 38: State organs shall follow the principles of justice, fairness, and convenience for the people, to promptly and accurately disclose government affairs data as provided, except for that which is not to be disclosed in accordance with law.
Article 39: The state is to draft a catalog of government affairs data to be disclosed, and build a uniform, regulated, interconnected, secure, and controllable platform for disclosure of government affairs data, promoting the use of disclosed government affairs data.
Article 40: The provisions of this chapter apply to organizations that have public affairs management functions in their performance of those functions.
Article 41: Where relevant regulatory departments performing data security oversight and management duties discover that data activities carry larger security risks, they may give the relevant organizations and individuals a talking-to in accordance with the authority and procedures provided. Relevant organizations and individuals shall employ measures as required, making corrections and eliminating latent risks.
Article 42: Where organizations or individuals carrying out data activities do not perform the data security protection obligations provided for in articles 25, 27, 28, and 29, or fail to employ security measures, the relevant regulatory departments are to order that corrections be made, give warnings, and may give a fine of between 10,000 and 100,000 RMB and fine the directly responsible managers between 5,000 and 50,000 RMB; where corrections are refused or serious consequences such as leaks of large amounts of data are caused, a fine of between 100,000 and 1,000,000 RMB is to be given, and the directly responsible managers and other directly responsible persons are to be given a fine of between 10,000 and 100,000 RMB.
Article 43: Where data transaction intermediary establishments fail to perform the obligations provided for in article 30 of this Law leading to transactions in data from illegal sources, the relevant regulatory departments are to order corrections, confiscate unlawful gains, and give a fine of between 1 and 10 times the value of unlawful gains; where there are no unlawful gains, a fine of between 100,000 and 1,000,000 RMB is to be given, and the relevant regulatory departments are to revoke relevant permits or business licenses; and the directly responsible managers and other directly responsible personnel are to be given a fine of between 10,000 and 100,000 RMB.
Article 44: Where one engages in the operations provided for in article 31 of this Law without obtaining permits or making filings, the relevant regulatory departments are to order that corrections be made or shut them down, confiscate unlawful gains, and give a fine of between 1 and 10 times the value of unlawful gains; where there are no unlawful gains, give a fine of between 100,000 and 1,000,000 RMB; and give a fine of between 10,000 and 100,000 RMB to directly responsible managers and other directly responsible personnel.
Article 45: Where state organs do not perform obligations to protect data security as provided for in this Law, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.
Article 46: Where state personnel with responsibility for regulating data security derelict their duties, abuse their authority, or twist the law for personal gain, and it does not constitute a crime, they are to be sanctioned in accordance with law.
Article 47: Where data activities are used to harm national security or the public interest, or to harm the lawful rights and interests of citizens and organizations, punishment is to be given in accordance with relevant laws and administrative regulations.
Article 48: Where violations of this Law's provisions cause harms to others, civil liability is to be borne in accordance with Law.
Where violations of this Law constitute violations of public security administration, public security administration punishments are to be given in accordance with law; where crimes are constituted, criminal responsibility is to be pursued in accordance with law.
Article 49: The "P.R.C. Law on the Protection of State Secrets" and other relevant laws and administrative regulations apply to data activities that involve state secrets.
The carrying out of data activities involving personal information shall comply with relevant laws and administrative regulations.
Article 50: Methods for military data security are to be separately drafted by the Central Military Commission.
Article 51: This Law shall take effect on xx-xx-xxxx.