---
title_en: "Provisions on the Protection of Trade Secrets"
title_zh: "商业秘密保护规定"
abbreviation: "Trade Secret Protection Provisions"
hierarchy: "rule"
issuing_body: "State Administration for Market Regulation (SAMR)"
adopted_date: 2026-02-24
effective_date: 2026-06-01
status: "effective"
related_laws: ["anti-unfair-competition-law", "dsl"]
domains: ["data-security"]
url: https://datacompliancechina.com/laws/trade-secret-protection-provisions/
summary: "SAMR's rewrite of China's 1995 trade-secret enforcement rules — issued as Order No. 126 under the Anti-Unfair Competition Law — folds algorithms, data, and source code squarely into the definition of a protectable technical-information trade secret, and for the first time recognizes tiered access, data masking, and audit-log retention as adequate confidentiality measures for remote-work and cross-border collaboration setups. It also names electronic intrusion and unauthorized transfer of files to personal cloud drives or external storage as 'improper means' of misappropriation, giving SAMR an administrative-enforcement path for conduct that would otherwise only surface as a data-security incident or a cybercrime case. For overseas counsel, it matters less as a data-protection instrument than as the rule that now lets an aggrieved company route an insider data-exfiltration episode through market-regulation enforcement rather than the police or the courts alone."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/trade-secret-protection-provisions/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Provisions on the Protection of Trade Secrets", https://datacompliancechina.com/laws/trade-secret-protection-provisions/
> *DCC catalogue entry — summary, not full text.*

## Why this law matters for the data field

The **Provisions on the Protection of Trade Secrets (商业秘密保护规定)** are
**SAMR Order No. 126**, adopted 24 February 2026 and effective 1 June 2026.
They replace the **1995 Several Provisions on Prohibiting Infringements of
Trade Secrets** (原国家工商行政管理局令第41号) and sit under the
**Anti-Unfair Competition Law (反不正当竞争法, "AUCL")** — this is
fundamentally an IP / unfair-competition instrument, not a data-protection
law. DCC tracks it because three of its provisions land squarely on data
practice: what counts as a protectable "technical information" trade secret,
what counts as a "reasonable confidentiality measure," and what counts as an
"improper means" of taking one.

## Algorithms, data, and code as trade secrets — Article 5

Article 5 defines a trade secret as commercial information that is **not
publicly known, has commercial value, and is subject to appropriate
confidentiality measures by its rights holder**. Its second paragraph spells
out what counts as **technical information**: structures, raw materials,
formulas, materials, samples, patterns, processes, methods, **data,
algorithms, computer programs and code** (数据、算法、计算机程序、代码).
Putting algorithms, data, and code in the same statutory list as classic
industrial trade secrets (formulas, processes) gives companies an explicit
IP hook for treating a proprietary dataset or model as a trade secret asset,
separate from — and stackable with — data-security classification under the
DSL.

## Confidentiality measures for remote and cross-border work — Article 9

Article 9 lists eight categories of "reasonable confidentiality measures"
that satisfy the statute's protection requirement. Seven track familiar
practice (confidentiality agreements, staff training, restricted physical
access, marking/classifying/encrypting materials, device-access controls,
exit procedures for departing employees, and a catch-all). The new one is
**item (4): technical confidentiality measures for remote-work and
cross-border collaboration scenarios (远程办公、跨境协作等场景) — tiered
access permissions (权限分级), data de-sensitization (数据脱敏), and
retained operation logs (操作日志留痕)**. This is the first time these
specific technical controls have been named in a Chinese trade-secret rule,
and it effectively tells multinational companies and distributed teams what
SAMR will look for as evidence of "adequate" protection when a
misappropriation claim turns on whether the rights holder actually secured
the information.

## Electronic intrusion and cloud exfiltration as "improper means" — Article 10

Article 10 prohibits acquiring a trade secret by theft, bribery, fraud,
coercion, **"electronic intrusion" (电子侵入)**, or other improper means, and
then lists five qualifying scenarios. Two are squarely data-security
conduct: **item (3)** — unauthorized access to the rights holder's digital
office systems, servers, mailboxes, cloud drives, or application accounts,
or use of malicious programs or exploited vulnerabilities to obtain the
secret — and **item (4)** — downloading or transmitting a trade secret,
without authorization, beyond the scope of authorization, or after
authorization has lapsed, **to an email account, cloud drive, or other
network storage or device not controlled by the rights holder**. In effect,
Article 10 supplies an administrative-enforcement analogue to conduct that
would otherwise only be pursued as a data-security incident report or a
cybercrime prosecution: an employee who copies a proprietary dataset to a
personal cloud drive before resigning is now squarely "improper means"
misappropriation that SAMR can investigate and fine, independent of any
criminal referral.

## How it fits with related DCC-tracked laws

The Provisions implement **AUCL Article 26**, which sets the penalty
band (RMB 100,000–1,000,000, rising to RMB 1,000,000–5,000,000 for
aggravated cases) that Article 24 of this rule cross-references directly
— see DCC's entry on the
[Anti-Unfair Competition Law](/laws/anti-unfair-competition-law/). They also
overlap functionally with the **[Data Security Law](/laws/dsl/)**: where the
DSL's classification-and-grading regime (important data, core data) governs
a company's *general* data-security obligations, the Trade Secret Protection
Provisions give a company an *ownership-based* claim over a specific dataset,
algorithm, or codebase, enforceable against a named actor (an employee, a
competitor, a departing contractor) rather than against the world. Companies
building cross-border compliance programs will increasingly want both: DSL-
grade classification for regulatory risk, and trade-secret confidentiality
measures under Article 9 of this rule for enforceable ownership.

## Briefs on this law

DCC briefs that turn on the Trade Secret Protection Provisions are linked
from this page's "Briefs on this law" section (any post whose `laws:`
references this entry).
