Article 1 This Law is formulated in order to standardize data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests.
Article 2 This Law shall apply to data processing activities and safety supervision within the territory of People's Republic of China (PRC).
Anyone who conducts data processing activities outside People's Republic of China (PRC) and China and damages the national security, public interests or the legitimate rights and interests of citizens and organizations in People's Republic of China (PRC) and China shall be investigated for legal responsibility according to law.
Article 3 The term "data" as mentioned in this Law refers to information recorded electronically or by other means.
Data processing, including data collection, storage, use, processing, transmission, provision and disclosure.
Data security refers to taking necessary measures to ensure that data is in a state of effective protection and legal utilization, and has the ability to ensure continuous security.
Article 4 To maintain data security, we should adhere to the overall national security concept, establish and improve the data security governance system, and improve the data security guarantee capability.
Article 5 The central national security leading body is responsible for the decision-making and deliberation and coordination of national data security work, studying, formulating and guiding the implementation of national data security strategies and related major principles and policies, coordinating major issues and important work of national data security, and establishing a coordination mechanism for national data security work.
Article 6 All regions and departments shall be responsible for the data collected and generated in the work of their own regions and departments and their data safety.
Departments in charge of industry, telecommunications, transportation, finance, natural resources, health, education, science and technology shall assume the responsibility of data security supervision in this industry and field.
Public security organs and state security organs shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, undertake data security supervision duties within their respective scope of duties.
The national network information department is responsible for coordinating network data security and related supervision in accordance with this law and relevant laws and administrative regulations.
Article 7 The state protects the rights and interests of individuals and organizations related to data, encourages the rational and effective use of data according to law, ensures the orderly and free flow of data according to law, and promotes the development of digital economy with data as the core element.
Article 8 Data processing activities shall abide by laws and regulations, respect social morality and ethics, abide by business ethics and professional ethics, be honest and trustworthy, fulfill data security protection obligations, and assume social responsibilities, and shall not endanger national security and public interests, or damage the legitimate rights and interests of individuals and organizations.
Article 9 The state supports the popularization of data security knowledge, improves the awareness and level of data security protection in the whole society, and encourages relevant departments, industry organizations, scientific research institutions, enterprises and individuals to participate in data security protection, thus forming a good environment for the whole society to maintain data security and promote development.
Article 10 Relevant industry organizations shall, in accordance with their articles of association, formulate codes of conduct and group standards for data security according to law, strengthen industry self-discipline, guide their members to strengthen data security protection, improve the level of data security protection, and promote the healthy development of the industry.
Article 11 The State actively conducts international exchanges and cooperation in the fields of data security governance, data development and utilization, participates in the formulation of international rules and standards related to data security, and promotes the safe and free flow of data across borders.
Article 12 Any individual or organization has the right to complain and report to the relevant competent departments for acts that violate the provisions of this law. The department that receives the complaint or report shall promptly handle it according to law.
The relevant competent departments shall keep confidential the relevant information of complaints and informants, and protect the legitimate rights and interests of complaints and informants.
Chapter II Data Security and Development
Article 13 The State makes overall plans for development and security, insists on promoting data security through data development and utilization and industrial development, and ensures data development and utilization and industrial development through data security.
Article 14 The state implements the big data strategy, promotes the construction of data infrastructure, and encourages and supports the innovative application of data in various industries and fields.
The people's governments at or above the provincial level shall incorporate the development of digital economy into the national economic and social development plan at the corresponding level, and formulate the development plan of digital economy according to the needs.
Article 15 The State supports the development and utilization of data and improves the intelligent level of public services. To provide intelligent public services, we should give full consideration to the needs of the elderly and the disabled and avoid obstacles to their daily lives.
Article 16 The State supports research on data development and utilization and data security technology, encourages technical popularization and commercial innovation in the fields of data development and utilization and data security, and cultivates and develops data development and utilization and data security products and industrial systems.
Article 17 The State promotes the construction of data development and utilization technology and data security standard system. The standardization administrative department of the State Council and the relevant departments of the State Council shall, according to their respective responsibilities, organize the formulation and timely revision of relevant standards for data development and utilization technology, products and data security. The state supports enterprises, social organizations and educational and scientific research institutions to participate in the formulation of standards.
Article 18 The State promotes the development of service industries such as data security detection, evaluation and certification, and supports professional organizations such as data security detection, evaluation and certification to carry out service activities according to law.
The state supports relevant departments, industry organizations, enterprises, educational and scientific research institutions and relevant professional institutions to cooperate in data security risk assessment, prevention and disposal.
Article 19 The State shall establish and improve the data transaction management system, standardize the data transaction behavior and cultivate the data transaction market.
Article 20 The state supports educational and scientific research institutions and enterprises to carry out education and training related to data development and utilization technology and data security, and adopts various ways to train professionals in data development and utilization technology and data security, so as to promote talent exchange.
Chapter III Data Security System
Article 21 The State establishes a data classification and level protection system to protect data according to its importance in economic and social development and its harm to national security, public interests or the legitimate rights and interests of individuals and organizations once it is tampered with, destroyed, leaked or illegally obtained or used. The national data security coordination mechanism coordinates relevant departments to formulate important data catalogues and strengthen the protection of important data.
Data related to national security, the lifeline of the national economy, important people's livelihood and major public interests belong to the national core data, and a stricter management system is implemented.
All regions and departments shall, in accordance with the data classification and classification protection system, determine the specific catalogue of important data in their own regions, departments and related industries and fields, and focus on protecting the data included in the catalogue.
Article 22 The State establishes a centralized, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring and early warning mechanism. The national data security coordination mechanism coordinates relevant departments to strengthen the acquisition, analysis, judgment and early warning of data security risk information.
Article 23 The State shall establish an emergency mechanism for data security. When a data security incident occurs, the relevant competent department shall start the emergency plan according to law, take corresponding emergency measures, prevent the harm from expanding, eliminate potential safety hazards, and timely release early warning information related to the public to the society.
Article 24 The State establishes a data security review system to conduct national security review on data processing activities that affect or may affect national security.
The safety review decision made according to law is final.
Article 25 The State shall, according to law, exercise export control over the data of controlled items related to safeguarding national security and interests and fulfilling international obligations.
Article 26 Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against People's Republic of China (PRC) in terms of investment and trade related to data and data development and utilization technology, People's Republic of China (PRC) may take reciprocal measures against that country or region according to actual conditions.
Chapter IV Obligations of Data Security Protection
Twenty-seventh to carry out data processing activities should be in accordance with the provisions of laws and regulations, establish and improve the whole process of data security management system, organize data security education and training, and take corresponding technical measures and other necessary measures to ensure data security. When using the Internet and other information networks to carry out data processing activities, the above data security protection obligations shall be fulfilled on the basis of the network security level protection system.
The processor of important data should define the person in charge of data security and the management organization, and implement the responsibility of data security protection.
Twenty-eighth to carry out data processing activities and research and development of new data technology, should be conducive to promoting economic and social development, enhance people's well-being, in line with social morality and ethics.
Twenty-ninth to carry out data processing activities should strengthen risk monitoring, and take remedial measures immediately when discovering risks such as data security defects and loopholes; When a data security incident occurs, measures should be taken immediately to inform users in time and report to the relevant competent departments in accordance with regulations.
Thirtieth important data processors shall regularly assess the risk of their data processing activities in accordance with the provisions, and submit the risk assessment report to the relevant competent departments.
The risk assessment report shall include the type and quantity of important data processed, data processing activities, data security risks faced and countermeasures.
Article 31 The provisions of the Cyber Security Law of the People's Republic of China shall apply to the exit security management of important data collected and generated by key information infrastructure operators during their operations in People's Republic of China (PRC). Measures for the exit safety management of important data collected and generated by other data processors during their operation in People's Republic of China (PRC) shall be formulated by the State Network Information Department in conjunction with relevant departments of the State Council.
Article 32 Any organization or individual shall collect data in a lawful and proper way, and shall not steal or obtain data by other illegal means.
Where laws and administrative regulations stipulate the purpose and scope of data collection and use, data shall be collected and used within the purpose and scope stipulated by laws and administrative regulations.
Thirty-third institutions engaged in data transaction intermediary services shall require data providers to explain the source of data, audit the identities of both parties to the transaction, and keep audit and transaction records.
Article 34 Where laws and administrative regulations stipulate that administrative license shall be obtained for providing data processing related services, the service provider shall obtain the license according to law.
Thirty-fifth public security organs and state security organs shall strictly perform the examination and approval procedures in accordance with the relevant provisions of the state for the purpose of safeguarding national security or investigating crimes according to law, and relevant organizations and individuals shall cooperate.
Article 36 The competent authorities of People's Republic of China (PRC) shall handle the requests for data provided by foreign judicial organs or law enforcement organs in accordance with relevant laws and international treaties and agreements concluded or acceded to by People's Republic of China (PRC), or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities in People's Republic of China (PRC), domestic organizations and individuals may not provide foreign judicial or law enforcement agencies with data stored in People's Republic of China (PRC).
Chapter V Security and Openness of Government Affairs Data
Article 37 The state vigorously promotes the construction of e-government, improves the scientificity, accuracy and timeliness of government data, and enhances the ability of using data to serve economic and social development.
Article 38 State organs shall, within the scope of performing their statutory duties, collect and use data for performing their statutory duties in accordance with the conditions and procedures prescribed by laws and administrative regulations; Personal privacy, personal information, business secrets, business secrets and other information learned in the performance of duties shall be kept confidential according to law, and shall not be disclosed or illegally provided to others.
Thirty-ninth state organs shall, in accordance with the provisions of laws and administrative regulations, establish and improve the data security management system, implement the responsibility of data security protection, and ensure the safety of government data.
Article 40 When a state organ entrusts others to build and maintain an e-government system and store and process government data, it shall go through strict examination and approval procedures, and shall supervise the entrusted party to fulfill the corresponding obligations of data security protection. The trustee shall fulfill the obligation of data security protection in accordance with the provisions of laws and regulations and the contract, and shall not retain, use, disclose or provide government data to others without authorization.
Forty-first state organs should follow the principles of justice, fairness and convenience, and disclose government affairs data in a timely and accurate manner in accordance with regulations. Except those that are not disclosed according to law.
Article 42 The State shall formulate the open directory project Project for Government Data, build a unified, standardized, interconnected, safe and controllable open platform for government data, and promote the open utilization of government data.
Article 43 The provisions of this chapter shall apply to the data processing activities of organizations authorized by laws and regulations to manage public affairs in order to perform their statutory duties.
Chapter VI Legal Liability
Article 44 In the process of performing the duties of data security supervision, the relevant competent departments may interview relevant organizations and individuals in accordance with the prescribed authority and procedures, and ask them to take measures to rectify and eliminate the hidden dangers.
Article 45 If an organization or individual carrying out data processing activities fails to fulfill the data security protection obligations stipulated in Articles 27, 29 and 30 of this Law, the relevant competent department shall order it to make corrections, give it a warning, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the directly responsible person in charge and other directly responsible personnel; Those who refuse to correct or cause serious consequences such as a large number of data leaks shall be fined not less than 500,000 yuan but not more than 2 million yuan, and may be ordered to suspend business, suspend business for rectification, revoke relevant business licenses or revoke business licenses, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than 50,000 yuan but not more than 200,000 yuan.
Violation of the national core data management system, endangering national sovereignty, security and development interests, by the relevant competent departments at more than 20000 yuan100000 yuan fine, and according to the situation shall be ordered to suspend related business, suspend business for rectification, revoke the relevant business license or revoke the business license; If a crime is constituted, criminal responsibility shall be investigated according to law.
Article 46 Whoever, in violation of the provisions of Article 31 of this Law, provides important data abroad shall be ordered by the relevant competent department to make corrections and given a warning, and may be fined between 1 00000 yuan and100000 yuan, and the directly responsible person in charge and other directly responsible personnel may be fined between110000 yuan and100000 yuan; If the circumstances are serious, a fine of more than1000000 yuan and less than1000000 yuan may be imposed, and the company may be ordered to suspend business, suspend business for rectification, revoke the relevant business license or revoke its business license, and impose a fine of more than100000 yuan and less than100000 yuan on the directly responsible person in charge and other directly responsible personnel.
Article 47 Where an institution engaged in data transaction intermediary services fails to fulfill its obligations as stipulated in Article 33 of this Law, the relevant competent department shall order it to make corrections, confiscate its illegal income and impose a fine of more than 1 times its illegal income and less than 10 times its illegal income. If there is no illegal income or the illegal income is less than100000 yuan, a fine of more than100000 yuan and less than1000000 yuan may be imposed, and the company may be ordered to suspend business, suspend business for rectification, revoke relevant business licenses or revoke business licenses. The directly responsible person in charge and other directly responsible personnel shall be fined 1 more than 10,000 yuan1less than 0,000 yuan.
Article 48 Whoever, in violation of the provisions of Article 35 of this Law, refuses to cooperate with data retrieval shall be ordered by the relevant competent department to make corrections, given a warning and fined between 50,000 yuan and 500,000 yuan, and the directly responsible person in charge and other directly responsible personnel shall be fined between 10,000 yuan and 100,000 yuan.
Whoever, in violation of the provisions of Article 36 of this Law, provides data to a foreign judicial or law enforcement organ without the approval of the competent authority, shall be given a warning by the relevant competent authority and may be fined 1 0,000 yuan but not more than/kloc-0,000 yuan, and the directly responsible person in charge and other directly responsible persons may be fined/kloc-0,000 yuan and not more than/kloc-0,000 yuan; If serious consequences are caused, a fine of100000 yuan to 5 million yuan shall be imposed, and the company may be ordered to suspend business, suspend business for rectification, revoke relevant business licenses or revoke business licenses, and the directly responsible person in charge and other directly responsible personnel shall be fined 50,000 yuan to 500,000 yuan.
Article 49 If a state organ fails to fulfill its obligation of data security protection as stipulated in this Law, the directly responsible person in charge and other directly responsible personnel shall be punished according to law.
Article 50 Any state functionary who performs the duties of data security supervision who neglects his duty, abuses his power or engages in malpractices for personal gain shall be punished according to law.
Article 51 Whoever steals or obtains data by other illegal means and conducts data processing activities that exclude or restrict competition, thereby harming the legitimate rights and interests of individuals and organizations, shall be punished in accordance with the provisions of relevant laws and administrative regulations.
Article 52 Whoever violates the provisions of this Law and causes damage to others shall bear civil liability according to law.
Anyone who violates the provisions of this law and constitutes a violation of public security administration shall be punished by the public security administration organ according to law; If a crime is constituted, criminal responsibility shall be investigated according to law.
Chapter VII Supplementary Provisions
Article 53 Data processing activities involving state secrets shall be governed by the Law of People's Republic of China (PRC) on Guarding State Secrets and other laws and administrative regulations.
To carry out data processing activities in statistics and archives work and data processing activities involving personal information, we should also abide by the provisions of relevant laws and administrative regulations.
Article 54 Measures for the security protection of military data shall be formulated separately by the Central Military Commission (CMC) in accordance with this Law.
Article 55 This Law shall come into force on September 0, 20265438.