
Data Security Law

Jun 10, 2021

Data Security Law of the People's Republic of China -- Comprehensive Review

Executive Summary

The Data Security Law (DSL) of the People's Republic of China was adopted on June 10, 2021, at the 29th session of the Standing Committee of the 13th National People's Congress and came into effect on September 1, 2021. It is the foundational legislation in China's data security domain, forming one of three pillars of China's data governance legal framework alongside the Cybersecurity Law (2017) and the Personal Information Protection Law (2021).

The law comprises seven chapters and fifty-five articles, systematically establishing a legal framework for data security protection. It articulates four interrelated legislative purposes: regulating data processing activities, safeguarding data security, promoting data development and utilization, and protecting the lawful rights and interests of individuals and organizations while safeguarding national sovereignty. Notably, the law does not focus exclusively on security restrictions but simultaneously emphasizes data utilization and digital economy development, embodying the legislative philosophy of "balancing development and security."

The law adopts an expansive definition of "data" as "any record of information in electronic or other forms" and defines "data processing" to encompass the full lifecycle of data activities, including collection, storage, use, processing, transmission, provision, and disclosure. This broad definitional scope ensures comprehensive applicability across virtually all data activities in the digital era, establishing regulatory jurisdiction over both electronic and non-electronic data formats.

Key Provisions

Data Security Regulatory System. The law establishes four core institutional mechanisms. First, a classified and graded data protection system (Article 21) that categorizes data based on its importance to economic and social development and the degree of harm from compromise. This provision introduces the concept of "national core data" -- data concerning national security, the lifelines of the national economy, critical public welfare, and major public interests -- subject to the strictest management regime. Second, a centralized, unified, efficient, and authoritative risk assessment, reporting, information sharing, and monitoring/early warning mechanism (Article 22). Third, a data security emergency response mechanism (Article 23) requiring immediate activation of contingency plans. Fourth, a data security review system (Article 24) for data processing activities that affect or may affect national security, with review decisions being final and non-appealable.

Data Security Protection Obligations. The law requires all data processors to establish comprehensive, full-process data security management systems (Article 27). Processors of important data must designate dedicated data security officers and management bodies. Continuous risk monitoring is mandated (Article 29), with immediate remedial action required upon discovery of security defects. Processors of important data must conduct periodic risk assessments and submit reports to competent authorities (Article 30), detailing the types and quantities of important data processed, processing activities conducted, and security risks with countermeasures.

Cross-Border Data Management. The law imposes strict controls on data exports. Important data exports by critical information infrastructure operators are governed by the Cybersecurity Law (Article 31). Without approval from competent Chinese authorities, domestic organizations and individuals are prohibited from providing data stored in China to foreign judicial or law enforcement bodies (Article 36). Where any country or region adopts discriminatory measures against China regarding data-related investment or trade, China may adopt reciprocal countermeasures (Article 26). Article 25 establishes export controls on data that qualifies as a controlled item related to national security and international obligations.

Government Data Security and Openness. A dedicated chapter (Chapter 5, Articles 37-43) governs government data management. It requires state organs to maintain confidentiality of personal privacy, personal information, and trade secrets encountered in duty performance, while simultaneously mandating orderly government data openness through unified, standardized, interconnected, and secure government data open platforms.

Legal Liability. The law establishes a graduated penalty system. General violations carry fines of 50,000 to 500,000 yuan, with severe violations incurring fines of 500,000 to 2 million yuan plus potential business suspension or license revocation. Violations of national core data management systems attract fines of 2 million to 10 million yuan, with criminal liability for constituting crimes. Unauthorized provision of important data overseas carries fines of 100,000 to 10 million yuan. Data intermediary service violations are penalized at one to ten times the illegal gains. Individual liability extends to directly responsible managers and other personnel.

Goals and Timelines

The law took effect on September 1, 2021, marking the formal establishment of China's data security legal framework. As a fundamental, permanently effective statute, it does not set explicit phased timelines. However, its provisions mandate that each region and department determine specific catalogs of important data for their respective areas and sectors under the classified and graded protection system.

The national data security work coordination mechanism is responsible for coordinating relevant departments to formulate the important data catalog. Each industry regulator (covering industry, telecommunications, transportation, finance, natural resources, health, education, and science and technology) bears data security supervision responsibilities within its respective domain and must progressively develop sector-specific data security management rules within the legal framework.

The law effectively sets an ongoing implementation timeline, as the classified and graded protection system, important data catalogs, and sector-specific regulations require continuous development and refinement by numerous government bodies at national, provincial, and local levels.

Implementation Mechanisms

The law constructs a multi-tiered regulatory implementation architecture. At the central level, the Central National Security Leading Body is responsible for supreme decision-making and coordination of national data security work, establishing the national data security work coordination mechanism. The Cyberspace Administration of China (CAC) is responsible for overall coordination of network data security and related regulatory work. At the sectoral level, industry regulators bear data security supervision responsibilities within their respective domains. Public security organs and national security organs undertake regulatory duties within their respective jurisdictions. At the local level, each region is responsible for data collected and generated in its governance activities.

Enforcement tools include: an interview (regulatory conversation) mechanism (Article 44) for addressing significant security risks through required rectification; administrative penalties (Articles 45-48) establishing a graduated spectrum from warnings to license revocation; civil liability for damages (Article 52); and criminal prosecution mechanisms. The law also encourages industry organizations to formulate data security codes of conduct and group standards (Article 10), fostering industry self-regulation. The public complaint and reporting mechanism (Article 12) provides additional civil society oversight.

Industry Impact

The Data Security Law has had profound and far-reaching effects on China's IT industry and digital economy.

Compliance Costs and System Building. Implementation has compelled enterprises to comprehensively establish data security management systems, including appointing data security officers, building data classification and grading systems, conducting regular risk assessments, and developing emergency response plans. For major technology companies and platform enterprises, data compliance teams have expanded significantly and compliance expenditures have increased substantially. This has created both challenges for existing businesses and opportunities for data security service providers.

Cross-Border Data Flows. The law's strict regulations on cross-border data transfers have significantly impacted multinational enterprise operations. Article 36's restrictions on providing data to foreign judicial or law enforcement bodies directly affect compliance architectures of foreign companies operating in China. Combined with the subsequently issued "Measures for Data Export Security Assessment" (effective September 2022), a complete data export regulatory system has formed. Companies including major cloud providers, technology firms, and financial institutions have had to restructure data architectures and establish China-specific data residency solutions.

Data Trading Markets. Article 19's requirement to establish data trading management systems has provided the legal foundation for regulated data market development. The establishment and operation of the Shenzhen Data Exchange, Shanghai Data Exchange, and others rely on this law as their legal basis, creating a nascent but growing ecosystem for legitimate data transactions.

Data Security Industry. The law has catalyzed rapid development of emerging service sectors including data security assessment, certification, and auditing. The market for data security products and solutions has grown rapidly, data security startups have attracted substantial investment, and talent demand in the field has surged dramatically. This has become one of the fastest-growing segments of China's cybersecurity industry.

Platform Economy Regulation. Combined with the Anti-Monopoly Law and Personal Information Protection Law, the DSL provides critical legal tools for strengthening platform economy regulation, driving data security compliance reviews for major internet platforms. The law's broad definition of data processing has ensured that platform companies' core business models fall squarely within its regulatory scope.

International Dimension. The law's extraterritorial provisions (Article 2, Paragraph 2) and countermeasure provisions (Article 26) reflect China's firm stance on data sovereignty, serving as an important legal instrument in China's participation in global data governance. The law establishes a framework that asserts Chinese jurisdiction over data processing activities conducted outside China that harm Chinese national security, public interests, or the rights of Chinese citizens and organizations.

Amendment History

The Data Security Law was adopted on June 10, 2021, at the 29th session of the Standing Committee of the 13th National People's Congress, promulgated under Presidential Order No. 84, and took effect on September 1, 2021. It remains currently effective with no amendments to date.

During the legislative process, the law underwent three readings: the initial draft was reviewed by the NPC Standing Committee in June 2020, the second reading occurred in April 2021, and the third reading resulted in adoption in June 2021. From draft to final passage, the law underwent significant revisions and improvements in areas including the classified and graded data protection system, cross-border data management, and legal liability provisions. The scope of "national core data" and associated penalties were notably strengthened in the final version.

Related Documents

  • Cybersecurity Law of the People's Republic of China (effective June 1, 2017)
  • Personal Information Protection Law of the People's Republic of China (effective November 1, 2021)
  • Law on Guarding State Secrets of the People's Republic of China
  • Regulations on Security Protection of Critical Information Infrastructure (effective September 1, 2021)
  • Measures for Data Export Security Assessment (effective September 1, 2022)
  • Regulations on Network Data Security Management
  • 14th Five-Year Plan for Digital Economy Development (State Council [2021] No. 29)
  • E-Commerce Law of the People's Republic of China
  • EU General Data Protection Regulation (GDPR) -- international comparative reference