Data Security Law of the People's Republic of China
(Adopted at the 29th Meeting of the Standing Committee of the Thirteenth National People’s Congress on June 10, 2021)
Chapter I General Provisions
Article 1 This Law is enacted for the purpose of regulating data processing, ensuring data security, promoting development and utilization of data, protecting the lawful rights and interests of individuals and organizations, and safeguarding the sovereignty, security, and development interests of the state.
Article 2 This Law shall apply to data processing activities and security supervision and regulation of such activities within the territory of the People’s Republic of China.
Where data processing outside the territory of the People’s Republic of China harms the national security, public interests, or the lawful rights and interests of individuals or organizations of the People’s Republic of China, legal liability shall be investigated in accordance with the law.
Article 3 For the purpose of this Law, the term “data” refers to any record of information in electronic or any other form.
“Data processing” includes the collection, storage, use, processing, transmission, provision, and disclosure of data, among others.
“Data security” refers to ensuring that data is effectively protected and lawfully used through adopting necessary measures, and to possessing the capacity to guarantee the continuous security of data.
Article 4 In preserving data security, the holistic approach to national security shall be adopted, sound data security governance systems shall be established, and data security and protection capabilities shall be improved.
Article 5 The central leading authority for national security shall be responsible for the decision-making, deliberation and coordination of the national data security work; researching, formulating, and guiding the implementation of the national data security strategy and related major guidelines and policies; coordinating major matters and important work in respect of national data security; and establishing a coordination mechanism for national data security.
Article 6 All localities and departments shall bear responsibility for the management of the data collected or generated in their work as well as for the data security thereof.
The competent departments of industry, telecommunications, transport, finance, natural resources, health, education, technology and other relevant competent departments shall assume the responsibilities of supervising and regulating data security in their respective trades and sectors.
Public security organs and national security organs, etc. shall assume the responsibilities of supervising and regulating data security within the scopes of their respective duties in accordance with the provisions of this Law and other relevant laws and administrative regulations.
The national cyberspace affairs department shall be in charge of the overall planning and coordination of network data security and the related supervision and regulation in accordance with the provisions of this Law and other relevant laws and administrative regulations.
Article 7 The state shall protect the data-related rights and interests of individuals and organizations, encourage the lawful, reasonable, and effective use of data, ensure free flow of data in an orderly manner and in accordance with the law, and promote the development of a digital economy with data as the key factor.
Article 8 Whoever processes data shall observe laws and regulations, respect social morality and ethics, observe business and professional ethics, uphold honesty and trustworthiness, fulfill data security protection obligations, and undertake social responsibilities; and shall not endanger national security and public interests, nor harm the lawful rights and interests of individuals and organizations.
Article 9 The state supports the dissemination and popularization of knowledge of data security to raise public awareness in this regard and ability to protect data security, and promotes the joint participation by relevant departments, industry organizations, research institutions, enterprises, and individuals in data security protection, so as to create a good environment for members of the whole society to jointly protect data, ensure data security and promote development of relevant industries.
Article 10 Relevant industry associations shall, in accordance with their articles of association, formulate the code of conduct and standards to ensure data security according to the law, strengthen self-regulation in their respective industries, guide members to strengthen data security protection, improve their protection level and promote the healthy development of the industries.
Article 11 The state shall actively carry out international exchanges and cooperation in fields such as data security governance and data development and utilization, participate in the formulation of relevant international rules and standards for data security, and promote the safe and free flow of data across borders.
Article 12 Any individual or organization shall have the right to file complaints about or report violations of this Law to the competent departments. The departments receiving such complaints or reports shall deal with them in a timely manner in accordance with the law.
The competent departments shall keep confidential the relevant information of those making such complaints or reports, and protect their lawful rights and interests.
Chapter II Data Security and Development
Article 13 The state shall make an overall plan to coordinate development and security, to promote data security through data development and utilization and through industrial development on one hand, and on the other hand, to ensure that data security facilitates data development and utilization as well as industrial development.
Article 14 The state shall implement the big data strategy, advance the construction of data infrastructure, and encourage and support the innovative application of data in all industries and fields.
People’s governments at or above the provincial level shall incorporate the development of digital economy into their national economic and social development plans, and formulate development plans for the digital economy as needed.
Article 15 The state supports development and utilization of data to render public services smarter. In providing smarter public services, the needs of the elderly and the disabled shall be taken into full account to avoid posing obstacles to their daily lives.
Article 16 The state supports research on development and utilization of data and on data security related technologies, encourages popularization and commercial innovation of technologies in the foregoing fields, and fosters and develops products and industrial systems for development and utilization of data and for data security.
Article 17 The state shall advance the forming of the standards for data development and the standards for data utilization technologies and data security. The department in charge of standardization under the State Council and other relevant departments under the State Council shall, within the scopes of their respective duties and functions, organize the establishment of, and make revisions in due time to, the standards for technologies and products for data development and data utilization and the standards for data security. The state shall support enterprises, social groups, and education or research institutions, etc. in their participation in the establishment of such standards.
Article 18 The state encourages the development of services such as data security testing, evaluation, and accreditation, and supports agencies specialized in data security testing, evaluation, accreditation, etc. to provide services according to the law.
The state supports collaboration among relevant departments, industry associations, enterprises, education and research institutions, relevant specialized agencies, etc. in the fields such as data security related risk assessment, prevention, and disposal.
Article 19 The state shall establish sound systems for data trading management, standardize data trading activities, and foster a data trading market.
Article 20 The state supports education and research institutions, enterprises, and other entities in carrying out education and training on technologies for data development and utilization and on data security, cultivates professionals in data development and utilization technologies and in data security by a variety of means, and promotes talent exchanges.
Chapter III Data Security Systems
Article 21 The state shall establish a categorized and classified system and carry out data protection based on the importance of the data in economic and social development, as well as the extent of harm to national security, public interests, or the lawful rights and interests of individuals or organizations that will be caused once the data are altered, destroyed, leaked, or illegally obtained or used. The coordination mechanism for national data security shall coordinate the relevant departments to formulate a catalog of important data and strengthen protection of important data.
Data concerning national security, lifelines of the national economy, important aspects of people’s lives, major public interests, etc., are core data of the state, for which a stricter management system shall be implemented.
All localities and departments shall, in accordance with the categorized and classified data protection system, prepare specific catalogs of important data for their respective regions, departments, and relevant industries and sectors, and give priority to the data listed in the catalogs in terms of data protection.
Article 22 The state shall establish a centralized, unified, highly effective, and authoritative mechanism for assessing, reporting, information sharing, monitoring, and early alert of data security risks. The coordinating mechanism for national data security shall make an overall plan on and coordinate relevant departments in strengthening the work about acquiring, analyzing, researching and evaluating information of data security risks and the work about early alert of such risks.
Article 23 The state shall establish a data security emergency response mechanism. Where a data security incident occurs, the relevant competent departments shall initiate emergency response in accordance with the plan and the law, take corresponding measures to prevent further harm and eliminate security hazards, and send out warnings to the public by publishing information relevant thereto in a timely manner.
Article 24 The state shall establish a review system for data security, conducting national security reviews of data processing that affects or may affect national security.
Security review decisions made in accordance with the law are final decisions.
Article 25 The state shall apply export control in accordance with the law on data that are controlled items and concern national security and interests and the performance of international obligations.
Article 26 Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People’s Republic of China in respect of investment, trade or any other field related to data and data development and utilization technologies, the People’s Republic of China may take countermeasures against that country or region in light of the actual circumstances.
Chapter IV Data Security Protection Obligations
Article 27 In data processing, the laws and regulations shall be complied with, a sound data security management system throughout the whole process shall be established, data security education and training shall be organized and conducted, and corresponding technical measures and other necessary measures shall be adopted to ensure data security. In data processing by making use of the internet or any other information networks, the abovementioned data security obligations shall be fulfilled on the basis of the classified protection system for cyber security.
Processors of important data shall be clear about their persons responsible for data security and the data security management bodies, and fulfill the responsibilities for data security.
Article 28 Data processing as well as research and development of new data technologies shall be conducive to furthering economic and social development, and improving the well-being of people, and shall conform to social morals and ethics.
Article 29 Closer risk monitoring shall be applied in data processing. Where data security defects, bugs, or other risks are discovered, remedial measures shall be taken immediately. Where a data security incident occurs, measures shall be taken immediately to address it, and users shall be notified and reports made to relevant competent departments in a timely manner in accordance with relevant provisions.
Article 30 Processors of important data shall, in accordance with the relevant provisions, conduct risk assessments of their data processing on a regular basis and submit risk assessment reports to relevant competent departments.
Risk assessment reports shall include the types and amounts of important data processed, information on data processing, data security risks and the response measures for them.
Article 31 The provisions of the Cyber Security Law of the People’s Republic of China shall apply to the outbound security management of the important data collected or produced by critical information infrastructure operators during their operation within the territory of the People’s Republic of China, and the measures for the outbound security management of the important data collected or produced by other data processors during their operation within the territory of the People’s Republic of China shall be formulated by the national cyberspace authority in conjunction with the relevant departments under the State Council.
Article 32 An organization or individual shall collect data by lawful and proper means, and shall not acquire data by theft or in other illegal manners.
Where laws or administrative regulations have provisions on the purposes or scopes of data collection and use, data shall be collected and used for the purposes and within the scopes provided for by those laws and administrative regulations.
Article 33 When providing services, data transaction intermediaries shall require data providers to specify the sources of the data, verify the identities of both parties to the transactions, and retain the verification and transaction records.
Article 34 Where laws or administrative regulations require that administrative permissions be acquired for providing services related to data processing, service providers shall obtain such administrative permissions in accordance with these provisions.
Article 35 Where a public security organ or national security organ needs to obtain data for the sake of national security or for investigating crimes in accordance with the law, strict approval formalities shall be completed in accordance with the relevant provisions of the state and data be obtained in accordance with the law, and the relevant organizations and individuals shall cooperate.
Article 36 The competent authorities of the People’s Republic of China shall handle requests for data made by foreign judicial or law enforcement authorities, in accordance with the relevant laws and international treaties or agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principles of equality and reciprocity. Without the approval of the competent authorities of the People’s Republic of China, organizations or individuals in the People’s Republic of China shall not provide data stored within the territory of the People’s Republic of China to any overseas judicial or law enforcement body.
Chapter V Security and Openness of Government Data
Article 37 The state shall make great efforts to promote the development of e-government, make government database more scientific, accurate, and time-efficient, and improve the ability of using data to serve economic and social development.
Article 38 Where state organs need to collect or use data to perform their statutory duties, they shall collect or use data within the scope as needed for performance of their statutory duties and under the conditions and procedures provided by laws and administrative regulations. They shall, in accordance with the law, preserve the confidentiality of the data accessed in the course of performing their duties, such as personal privacy, personal information, trade secrets, and confidential business information, and shall not divulge such data or illegally provide them to others.
Article 39 State organs shall, in accordance with the provisions of laws and administrative regulations, establish sound data security management systems, fulfill data security protection responsibilities, and ensure the security of government data.
Article 40 Where a state organ entrusts others to construct or maintain e-government systems, or to store or process government data, the state organ shall go through strict approval procedures, and shall supervise the entrusted party in the performance of data security protection obligations. The entrusted party shall perform its data security protection obligations in accordance with the provisions of laws, regulations, and contracts signed, and shall not retain, use, divulge, or provide others with government data without authorization.
Article 41 State organs shall, under the principles of fairness, equality and convenience for the people, disclose government data in a timely and accurate manner in accordance with the provisions, except those which shall not be disclosed in accordance with the law.
Article 42 The state shall formulate the catalog of open government data, build an open, uniform, standardized, interconnected, safe and controllable government data platform, and promote the release and utilization of government data.
Article 43 The provisions of this Chapter shall apply to the data processing carried out by the organizations with the functions of administering public affairs as authorized by laws and regulations for the purpose of performing their statutory duties.
Chapter VI Legal Liability
Article 44 Where competent departments discover the existence of major security risks in data processing when they perform their regulatory duties as regards data security, they may, in accordance with the prescribed limits of authority and procedures, conduct regulatory talks with the relevant organizations and individuals, and require the relevant organizations and individuals to take measures to make rectifications and eliminate the hazards.
Article 45 Where an organization or individual that processes data fails to perform the data security protection obligations provided in Articles 27, 29 and 30 of this Law, the organization or individual shall be ordered to make rectifications and be given a warning, and may be concurrently fined not less than RMB 50,000 yuan but not more than RMB 500,000 yuan by the competent department, and the directly liable persons in charge and other directly liable persons may be fined not less than RMB 10,000 yuan but not more than RMB 100,000 yuan. Where the organization or individual refuses to make rectifications or has caused serious consequences such as a massive data breach, the organization or individual shall be fined not less than RMB 500,000 yuan but not more than RMB 2 million yuan, and may be ordered to suspend the relevant business or suspend operations for rectification, or have relevant business permits or the business license revoked, and the directly liable persons in charge and other directly liable persons shall be fined not less than RMB 50,000 yuan but not more than RMB 200,000 yuan.
Where the organization or individual violates the national core data management rules and endangers national sovereignty, security, or development interests of the state, the competent department shall impose upon the organization or individual a fine of not less than RMB 2 million yuan but not more than RMB 10 million yuan, and may, based on the circumstances, order a suspension of relevant business or a suspension of operations for rectification, or revoke relevant business permits or the business license. Where a crime is constituted, criminal responsibilities shall be investigated in accordance with the law.
Article 46?Whoever, in violation of the provisions of Article 31 of this Law, provides?important data?abroad, shall be ordered to make rectifications and be given a warning by the competent department, and may be concurrently fined not less than?RMB?100,000 yuan but not more than?RMB?1 million yuan, and the?directly liable persons in charge?and other?directly liable persons?may be fined not less than?RMB?10,000 yuan but not more than?RMB?100,000 yuan. Where the circumstances are serious, the violator shall be fined not less than?RMB?1 million but not more than?RMB?10 million yuan, and may also be ordered to suspend the relevant business or suspend operations for rectification, or have relevant business permits or the business license revoked, and the?directly liable persons in charge?and other?directly liable persons?shall be fined not less than?RMB?100,000 yuan but not more than?RMB?1 million yuan.
第四十六條 違反本法第三十一條規(guī)定,向境外提供重要數(shù)據(jù)的,由有關(guān)主管部門責(zé)令改正,給予警告,可以并處十萬(wàn)元以上一百萬(wàn)元以下罰款,對(duì)直接負(fù)責(zé)的主管人員和其他直接責(zé)任人員可以處一萬(wàn)元以上十萬(wàn)元以下罰款;情節(jié)嚴(yán)重的,處一百萬(wàn)元以上一千萬(wàn)元以下罰款,并可以責(zé)令暫停相關(guān)業(yè)務(wù)、停業(yè)整頓、吊銷相關(guān)業(yè)務(wù)許可證或者吊銷營(yíng)業(yè)執(zhí)照,對(duì)直接負(fù)責(zé)的主管人員和其他直接責(zé)任人員處十萬(wàn)元以上一百萬(wàn)元以下罰款。
Article 47?Where a data transaction intermediary fails to perform the obligations prescribed in Article 33 of this Law, it shall be ordered by the competent department to make rectifications, its illegal gains, if any, shall be confiscated, and it shall also be fined not less than?the amount of?but not more than ten times the amount of the illegal gains; if there are no illegal gains or the illegal gains are less than?RMB?100,000 yuan, it shall be fined not less than?RMB?100,000 yuan but not more than?RMB?1 million yuan. It may be concurrently ordered to suspend the relevant business or suspend operations for rectification, or have relevant business permits or the business license revoked. The?directly liable persons in charge?and other?directly liable persons?shall be fined not less than?RMB?10,000 yuan but not more than?RMB?100,000 yuan.
Article 48 Whoever, in violation of Article 35 of this Law, refuses to cooperate when a public organ or national security organ needs to access the data, shall be ordered by the competent department to make rectifications and be given a warning, and shall be concurrently fined not less than RMB 50,000 yuan but not more than RMB 500,000 yuan, and the directly liable persons in charge and other directly liable persons may be fined not less than RMB 10,000 yuan but not more than RMB 100,000 yuan.
Whoever, in violation of Article 36 of this Law, provides data to an overseas judicial or law enforcement body without the approval of the competent authorities, shall be given a warning by the competent department, and may be concurrently fined not less than RMB 100,000 yuan but not more than RMB 1 million yuan, and the directly liable persons in charge and other directly liable persons may be fined not less than RMB 10,000 yuan but not more than RMB 100,000 yuan. If serious consequences are caused, the violator shall be fined not less than RMB 1 million yuan but not more than RMB 5 million yuan, and may be ordered to suspend the relevant business or suspend operations for rectification, or have relevant business permits or the business license revoked. The directly liable persons in charge and other directly liable persons shall be fined not less than RMB 50,000 yuan but not more than RMB 500,000 yuan.
Article 49 Where a state organ fails to perform data security obligations as provided for in this Law, the directly liable persons in charge and other directly liable persons shall be given a sanction in accordance with the law.
Article 50 Any state functionary performing data security related regulation who neglects his duty, abuses power, or engages in malpractice for personal gain shall be given a sanction in accordance with the law.
Article 51 Whoever obtains data through theft or by any other illegal means, or eliminates or restricts competition in data processing, or harms the lawful rights and interests of individuals or organizations, shall be punished in accordance with the provisions of relevant laws and administrative regulations.
Article 52 Whoever, in violation of this Law, causes damages to others shall bear civil liability in accordance with the law.
Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administrative penalty shall be given in accordance with the law. Where a crime is constituted, criminal responsibility shall be investigated in accordance with the law.
Chapter VII Supplementary Provisions
Article 53 The provisions of the Law of the People’s Republic of China on Guarding State Secrets and other relevant laws and administrative regulations shall apply to data processing that involves state secrets.
The provisions of relevant laws and administrative regulations shall also be observed when data are processed in statistical or archival work and in data processing involving personal information.
Article 54 Measures for military data security and protection shall be separately formulated by the Central Military Commission in accordance with this Law.
Article 55 This Law shall come into force as of September 1, 2021.