Data Security Law was promulgated on 10 June 2021, and entered into force on 1 Sept. 2021.
There are 55 articles in total. The Law aims to regulate data processing activities, ensure data security, promote the development and utilization of data, protect the legitimate rights and interests of individuals and organizations, and safeguard the sovereignty, security and development interests of the State.
The key points are as follows:
This Law shall apply to the data processing activities and the security supervision thereof within the territory of the People’s Republic of China. Anyone engaging in data processing activities outside the territory of the People’s Republic of China that jeopardize the national security, public interests or the legitimate rights and interests of citizens or organizations will be held legally liable in accordance with the law.
The State shall establish a system for categorized and hierarchical data protection, which protects data by category and hierarchy according to the importance of data in economic and social development, and the damage caused to national security, public interests or legitimate rights and interests of individuals and organizations in the event of tampering, destruction, leakage, or illegal access or use of data.
The State shall establish a data security review system to review data processing activities that affect or may affect national security. The State shall implement export control over the data which falls under controlled items and is related to the safeguarding of national security and interests and the fulfillment of international obligations in accordance with the law.
The competent authorities of the People’s Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China, or under the principles of equality and reciprocity, handle requests from foreign judicial or law enforcement authorities for the provision of data. In the absence of the approval of the competent authorities of the People’s Republic of China, no domestic organization or individual may provide foreign judicial or law enforcement authorities with data stored within the territory of the People’s Republic of China.