---
title_en: "Data Security Law of the People's Republic of China"
title_zh: "中华人民共和国数据安全法"
abbreviation: "DSL"
hierarchy: "law"
issuing_body: "National People's Congress Standing Committee"
adopted_date: 2021-06-10
effective_date: 2021-09-01
status: "effective"
related_laws: ["pipl", "csl"]
domains: ["data-security", "cross-border"]
url: https://datacompliancechina.com/laws/dsl/
summary: "The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval."
---
**Promulgated by:** National People's Congress Standing Committee.  
**Document No.:** Order of the President No. 84.  
**Adopted at the 29th Session of the Standing Committee of the 13th National People's Congress on June 10, 2021. Effective September 1, 2021.**

---

## Chapter 1 General Provisions

**Article 1.** In order to regulate data handling activities, ensure data security, promote data exploitation and use, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests, this Law is enacted.

**Article 2.** This Law shall apply to data handling activities carried out within the territory of the People's Republic of China and to the security regulation thereof. Where data handling activities are carried out outside the territory of the People's Republic of China, which damage the national security or public interest of the People's Republic of China or the lawful rights and interests of citizens or organizations, legal liability shall be investigated in accordance with the law.

**Article 3.** For the purposes of this Law, the term "data (records)" refers to any record of information made electronically or by other means. Data handling includes the collection, storage, use, processing, transmission, provision and disclosure of data, among others. Data security refers to the state of effective protection and lawful use of data achieved by taking necessary measures, and the capacity to ensure that such a state of continuous security is maintained.

**Article 4.** In maintaining data security, the overall national security concept shall be upheld, a sound data security governance system shall be established and improved, and the capacity for safeguarding data security shall be enhanced.

**Article 5.** The central national security leadership body shall be responsible for decision-making and deliberation and coordination with respect to national data security work, shall study, formulate and guide the implementation of the national data security strategy and relevant major guidelines and policies, shall make overall plans for and coordinate major matters and important tasks of national data security, and shall establish a data security coordination mechanism at the National level.

**Article 6.** Each region and each department shall be responsible for the data (records) collected and generated in the course of its work in its respective region and department, and for the security of such data. Departments in charge of industries and sectors such as industry, telecommunications, transport, finance, natural resources, health, education and science and technology shall undertake data security regulatory responsibilities for their respective industries and sectors. Public security organs, state security organs and others shall, in accordance with this Law and relevant Laws and Administrative Regulations, undertake data security regulatory responsibilities within the scope of their respective duties. The national cyberspace administration shall, in accordance with this Law and relevant Laws and Administrative Regulations, be responsible for overall planning and coordination of network data security and related regulatory work.

**Article 7.** The State shall protect the rights and interests of individuals and organizations related to data (records), encourage the lawful, reasonable and effective exploitation and use of data (records), ensure the lawful, orderly and free flow of data (records), and promote the development of the digital economy in which data (records) are a key factor of production.

**Article 8.** In carrying out data handling activities, Laws and Administrative Regulations shall be observed, social morality and ethics shall be respected, business ethics and professional ethics shall be observed, honesty and good faith shall be maintained, data security protection obligations shall be performed, social responsibilities shall be assumed, and national security and public interest shall not be jeopardized, nor shall the lawful rights and interests of individuals or organizations be harmed.

**Article 9.** The State shall support the dissemination and popularization of knowledge on data security, raise the awareness and level of the whole society in protecting data security, and promote the joint participation of relevant departments, industry organizations, research institutions, enterprises and individuals in data security protection work, so as to form a sound environment in which the whole society jointly maintains data security and promotes development.

**Article 10.** Relevant industry organizations shall, in accordance with their articles of association and in accordance with the law, formulate codes of conduct for data security and group standards, strengthen self-discipline in their industries, guide their members in strengthening data security protection, improve data security protection standards, and promote the sound development of their industries.

**Article 11.** The State shall actively conduct international exchanges and cooperation in the fields of data security governance and data exploitation and use, participate in the formulation of international rules and standards related to data security, and promote the secure and free cross-border flow of data (records).

**Article 12.** Any individual or organization shall have the right to lodge complaints or reports with the relevant competent departments against acts that violate the provisions of this Law. The departments receiving complaints or reports shall handle them in a timely manner in accordance with the law. The relevant competent departments shall keep confidential the relevant information of the complainants and informants and protect their lawful rights and interests.

## Chapter 2 Data Security and Development

**Article 13.** The State shall coordinate development and security, and shall adhere to the promotion of data security through data exploitation and use and industrial development, and the safeguarding of data exploitation and use and industrial development through data security.

**Article 14.** The State shall implement a big data strategy, promote the construction of data infrastructure, and encourage and support innovative applications of data (records) in all industries and fields. People's governments at or above the provincial level shall incorporate the development of the digital economy into the national economic and social development plans at their respective levels, and may, as needed, formulate digital economy development plans.

**Article 15.** The State shall support the exploitation and use of data (records) to improve the level of intelligence of public services. In providing intelligent public services, the needs of the elderly and persons with disabilities shall be fully taken into account, so as to avoid creating obstacles to the daily life of the elderly and persons with disabilities.

**Article 16.** The State shall support research into data exploitation and use and data security technologies, encourage the promotion of technologies and commercial innovation in the fields of data exploitation and use and data security, and cultivate and develop systems of products and industries for data exploitation and use and data security.

**Article 17.** The State shall promote the development of systems of standards for data exploitation and use technologies and for data security. The administrative department of standardization under the State Council and the relevant departments under the State Council shall, according to their respective functions, organize the formulation and timely revision of standards related to data exploitation and use technologies, products and data security. The State shall support enterprises, social organizations and educational and research institutions in participating in standard-setting.

**Article 18.** The State shall promote the development of services such as data security testing and appraisal and certification, and shall support professional institutions engaging in data security testing and appraisal, certification and other such services in carrying out service activities in accordance with the law. The State shall support relevant departments, industry organizations, enterprises, educational and research institutions and relevant professional institutions in carrying out cooperation in data security risk appraisal, prevention and handling.

**Article 19.** The State shall establish and improve a data trading governance scheme, regulate data trading activities, and foster a data trading market.

**Article 20.** The State shall support educational and research institutions and enterprises in conducting education and training related to data exploitation and use technologies and data security, cultivate, through multiple means, professionals in data exploitation and use technologies and data security, and promote the exchange of such professionals.

## Chapter 3 Data Security Regime

**Article 21.** The State shall establish a data tiered protection regime, under which data (records) shall be accorded classified and tiered protection according to the importance of such data (records) to economic and social development and the degree of harm that may be caused to national security or public interest or to the lawful rights and interests of individuals and organizations if such data (records) are tampered with, destroyed, leaked, or illegally obtained or illegally used. The data security coordination mechanism at the National level shall coordinate relevant departments in formulating catalogues of significant data and shall strengthen the protection of significant data. Data (records) related to national security, the lifelines of the national economy, critical livelihoods of the people and major public interest shall fall under national core datasets and shall be subject to a more stringent management regime. Each region and each department shall, in accordance with the data tiered protection regime, determine specific catalogues of significant data for its respective region, department and related industries and sectors, and shall provide key protection for data (records) included in the catalogues.

**Article 22.** The State shall establish a centralized, unified, efficient and authoritative mechanism for data security risk appraisal, reporting, information sharing and monitoring and early warning. The data security coordination mechanism at the National level shall coordinate relevant departments in strengthening efforts to obtain, analyze, assess and provide early warnings of data security risk information.

**Article 23.** The State shall establish a data security contingency system. In the event of a data security incident, the relevant competent departments shall, in accordance with the law, initiate contingency plans, take corresponding emergency response measures, prevent the expansion of harm, eliminate security hazards, and promptly release to the public warning information relevant to the public.

**Article 24.** The State shall establish a data security review framework and conduct national security reviews for data handling activities that affect or might affect national security. Security review decisions lawfully made shall be final decisions.

**Article 25.** The State shall, in accordance with the law, impose export control on data (records) that fall under controlled items and relate to safeguarding national security and interests and performing international obligations.

**Article 26.** Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in respect of investment, trade or other matters related to data (records) and data exploitation and use technologies, the People's Republic of China may, based on actual circumstances, adopt reciprocal measures against such country or region.

## Chapter 4 Obligations for Data Security Protection

**Article 27.** Those carrying out data handling activities shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve a data security management system covering the whole process, organize and carry out data security education and training, and adopt corresponding technical and other necessary measures to ensure data security. Those carrying out data handling activities by using the Internet and other information networks shall perform the above-mentioned data security protection obligations on the basis of the multilevel cybersecurity protection regime. Handlers of significant data shall designate persons in charge of data security and establish a management body, and shall implement data security protection responsibilities.

**Article 28.** Data handling activities and research and development of new data technologies shall be conducive to promoting economic and social development, improving the well-being of the people, and conforming to social morality and ethics.

**Article 29.** In carrying out data handling activities, risk monitoring shall be strengthened. Where risks such as data security defects and vulnerabilities are discovered, remedial measures shall be taken immediately; where a data security incident occurs, handling measures shall be taken immediately, users shall be promptly informed in accordance with the provisions, and reports shall be made to the relevant competent departments.

**Article 30.** Handlers of significant data shall, in accordance with the provisions, periodically carry out risk appraisal of their data handling activities and shall submit risk appraisal reports to the relevant competent departments. Risk appraisal reports shall include such contents as the types and quantities of significant data handled, the circumstances of data handling activities, the data security risks faced, and the measures taken to address such risks.

**Article 31.** The outbound security management of significant data collected and generated in the course of operations within the territory of the People's Republic of China by operators of critical information infrastructure shall be governed by the provisions of the Cybersecurity Law of the People's Republic of China; the measures for outbound security management of significant data collected and generated in the course of operations within the territory of the People's Republic of China by other data handlers shall be formulated by the national cyberspace administration in conjunction with the relevant departments under the State Council.

**Article 32.** Any organization or individual collecting data (records) shall adopt lawful and proper means and shall not steal or obtain data (records) by other illegal means. Where Laws or Administrative Regulations contain provisions on the purposes and scope of the collection and use of data (records), data (records) shall be collected and used within the purposes and scope prescribed by such Laws and Administrative Regulations.

**Article 33.** Institutions engaging in data trading intermediary services, when providing services, shall require data providers to explain the sources of the data (records), shall verify the identities of both parties to the transaction, and shall retain verification and transaction records.

**Article 34.** Where Laws or Administrative Regulations provide that administrative licences shall be obtained for the provision of services related to data handling, service providers shall obtain such licences in accordance with the law.

**Article 35.** Where public security organs or state security organs, for the purpose of lawfully safeguarding national security or investigating crimes, need to obtain data (records), they shall do so in accordance with the relevant provisions of the State, after undergoing strict approval procedures and in accordance with the law, and the relevant organizations and individuals shall cooperate.

**Article 36.** The competent authorities of the People's Republic of China shall, in accordance with relevant Laws and the international treaties and agreements to which the People's Republic of China is a party or in which it participates, or on the basis of the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement authorities for the provision of data (records). Without the approval of the competent authorities of the People's Republic of China, organizations and individuals within the territory shall not provide data (records) stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities.

## Chapter 5 Security and Openness of Government Data

**Article 37.** The State shall vigorously promote the development of e-government, improve the scientificity, accuracy and timeliness of government data (records), and enhance the capacity to use data (records) to serve economic and social development.

**Article 38.** Where State organs, for the purpose of performing their statutory duties, need to collect and use data (records), they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by Laws and Administrative Regulations; data such as personal privacy, personal information, trade secrets and confidential business information learned in the course of performing their duties shall be kept confidential in accordance with the law and shall not be divulged or illegally provided to others.

**Article 39.** State organs shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data (records).

**Article 40.** Where State organs entrust others with the construction and maintenance of e-government systems or the storage and processing of government data (records), they shall undergo strict approval procedures and shall supervise the entrusted parties in performing the corresponding data security protection obligations. The entrusted parties shall, in accordance with the provisions of Laws and Administrative Regulations and the contractual agreements, perform data security protection obligations, and shall not retain, use, divulge or provide government data (records) to others without authorization.

**Article 41.** State organs shall, in accordance with the principles of justice, fairness and convenience for the people, disclose government data (records) in a timely and accurate manner in accordance with the provisions, except where such data (records) are not to be disclosed in accordance with the law.

**Article 42.** The State shall formulate catalogues for the openness of government data (records), establish a unified, standardized, interconnected and secure and controllable platform for the openness of government data (records), and promote the openness and use of government data (records).

**Article 43.** The provisions of this Chapter shall apply to data handling activities carried out by organizations authorized by Laws and Regulations to manage public affairs functions for the purpose of performing their statutory duties.

## Chapter 6 Legal Liability

**Article 44.** Where, in the course of performing data security regulatory responsibilities, the relevant competent departments discover that data handling activities involve relatively high security risks, they may, in accordance with the prescribed powers and procedures, conduct interviews with the relevant organizations and individuals, and may require the relevant organizations and individuals to take measures to make rectifications and eliminate hidden dangers.

**Article 45.** Where organizations or individuals carrying out data handling activities fail to perform the data security protection obligations prescribed in Articles 27, 29 and 30 of this Law, the relevant competent departments shall order them to make corrections, issue a warning, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where they refuse to make corrections or where serious consequences such as the leakage of a large amount of data (records) are caused, a fine of not less than 500,000 yuan but not more than 2,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 200,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. Where the management regime for national core datasets is violated and national sovereignty, security and development interests are jeopardized, the relevant competent departments shall impose a fine of not less than 2,000,000 yuan but not more than 10,000,000 yuan and, depending on the circumstances, may order the suspension of relevant business, suspension of operations for rectification, revocation of relevant business permits or revocation of business licences; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

**Article 46.** Where significant data are provided overseas in violation of the provisions of Article 31 of this Law, the relevant competent departments shall order corrections to be made, issue a warning, and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where the circumstances are serious, a fine of not less than 1,000,000 yuan but not more than 10,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

**Article 47.** Where an institution engaging in data trading intermediary services fails to perform the obligations prescribed in Article 33 of this Law, the relevant competent departments shall order it to make corrections, confiscate its unlawful gains and impose a fine of not less than one time but not more than ten times the amount of the unlawful gains; where there are no unlawful gains or the unlawful gains are less than 100,000 yuan, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and it may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have its business licence revoked; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

**Article 48.** Where the provisions of Article 35 of this Law are violated by refusing to cooperate in the retrieval of data (records), the relevant competent departments shall order corrections to be made, issue a warning, and impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. Where the provisions of Article 36 of this Law are violated by providing data (records) to foreign judicial or law enforcement authorities without the approval of the competent authorities, the relevant competent departments shall issue a warning and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where serious consequences are caused, a fine of not less than 1,000,000 yuan but not more than 5,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

**Article 49.** Where State organs fail to perform the data security protection obligations prescribed by this Law, the persons directly in charge and other directly responsible persons shall be given sanctions in accordance with the law.

**Article 50.** Where State functionaries performing data security regulatory responsibilities commit dereliction of duty, abuse of power or engage in malpractices for personal gain, they shall be given sanctions in accordance with the law.

**Article 51.** Where data (records) are stolen or obtained by other illegal means, or data handling activities are carried out to exclude or restrict competition, or the lawful rights and interests of individuals or organizations are harmed, punishment shall be imposed in accordance with the provisions of relevant Laws and Administrative Regulations.

**Article 52.** Where the provisions of this Law are violated and damage is caused to others, civil liability shall be borne in accordance with the law. Where violations of the provisions of this Law constitute acts violating public security administration, public security administration penalties shall be imposed in accordance with the law; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

## Chapter 7 Supplementary Provisions

**Article 53.** Data handling activities involving State secrets shall be governed by the provisions of the Law of the People's Republic of China on Guarding State Secrets and other Laws and Administrative Regulations. Data handling activities carried out in statistics and archival work, and data handling activities involving personal information, shall also comply with the provisions of relevant Laws and Administrative Regulations.

**Article 54.** The measures for the protection of military data security shall be formulated separately by the Central Military Commission in accordance with this Law.

**Article 55.** This Law shall enter into force as of September 1, 2021.
