Overview & Analysis
The Data Security Law of the People's Republic of China (DS Law) is an essential piece of legislation for data protection in China, aiming to regulate data processing activities, ensure data security, and promote data development and utilization. The law sets out the basic requirements for data processing, including security measures for data collection, storage, use, and transmission, with a particular focus on national security, public interest, and the legal rights and interests of individuals and organizations. It mandates strict review and management for activities involving sensitive data and cross-border data transfers. Companies are required to fulfill their data security obligations, conduct regular risk assessments, and implement necessary protective measures. For non-compliance, the law outlines penalties including significant fines and operational restrictions.
The DS Law is especially important in the context of AI development. AI systems depend on large datasets for model training, optimization, and inference, and those datasets frequently include personal and sensitive information; cross-border data flows are also central to how many AI systems operate. Companies must therefore ensure that data collection, model training, and inference processing all meet the law's data security requirements and undergo the necessary risk assessments, particularly where cross-border transfers or sensitive data are involved. Handled this way, the law lets companies advance AI technologies while maintaining data compliance and preventing data misuse and privacy breaches. Multinational companies need to pay special attention to how compliance measures are implemented so that data is protected both within China and when it crosses borders.
1. Using Personal Information & Sensitive Data in AI Projects
AI systems typically rely on large volumes of personal information and sensitive data — such as biometric data and financial information — for model training and inference. Under the DS Law, companies must adhere to strict data security requirements when processing such data, ensuring that it is not misused or leaked. Companies must conduct risk assessments before processing data to ensure that their activities are lawful and compliant.
2. Conducting Cross-Border Data Transfers in AI Applications
Cross-border data flows are inevitable in AI projects, especially when companies share data globally. According to the law, when transferring personal or sensitive data across borders, companies must ensure that the data is secure, implement appropriate protective measures, and conduct rigorous risk assessments. Cross-border data transfers must comply with China's data security regulations, and companies should follow lawful compliance paths.
3. Providing Cross-Border Data Processing in AI Platform Services
Multinational companies offering AI platform services often need to process and transfer cross-border data. Under the DS Law, service providers must ensure the security of the data, implement multi-layered protection measures, and conduct security assessments to ensure that their cross-border data processing activities do not harm China's national security and public interests.
4. Using AI in Data Security Testing & Certification Services
The application of AI in data security testing, risk assessments, and certification services is also affected by this law. Particularly when handling sensitive or important data, AI companies need to comply with the legal framework for data security, conduct detailed risk assessments, and ensure security certifications are in place as required by law.
5. Data Security in AI Algorithm Processing
AI algorithms often process large amounts of data, which may include sensitive or personal information. According to the DS Law, companies must ensure the security and privacy of the data during algorithm processing, preventing data leakage or misuse. This applies throughout the model lifecycle — from data collection and pre-processing to training, inference, and output generation.
The DS Law provides multinational companies in China with a detailed data security management framework, particularly in scenarios involving cross-border data flows and sensitive data. To ensure compliance, companies should plan ahead and adopt multi-layered risk assessments and management measures.
Incorporate Data Security into the AI Project Design Phase
In the design and development stages of AI projects, managers should build data security management into the plan from the outset, especially where cross-border data flows, sensitive data, or personal information are involved. The most effective approach is to require teams to classify and grade the data in detail, consistent with the law's classification and hierarchical protection system, and to identify which data requires special protection and which can be processed through standard procedures.
Strengthen Compliance Management for Cross-Border Data Flows
Cross-border data flows are an inevitable part of AI projects, especially for multinational companies. Managers should ensure that data transfers comply with Chinese legal requirements and undergo necessary security reviews. Companies should strengthen compliance reviews to ensure that data processing activities are lawful and avoid legal risks arising from data leakage or misuse.
Enhance the Application of Data Security Technical Measures
Managers should drive AI projects to adopt robust technical measures such as data encryption, access control, and identity authentication to ensure data protection throughout the processing cycle. For sensitive data, companies should implement additional security measures such as data anonymization and access restrictions to reduce risks of leakage and misuse.
Conduct Regular Risk Assessments & Compliance Checks
AI projects must undergo regular data security risk assessments, especially in scenarios involving sensitive data and cross-border data flows. Managers should require teams to regularly review the security of data processing activities, identify potential risks, and take corrective actions when necessary. Companies should conduct compliance checks throughout the entire project lifecycle.
Strengthen Compliance Collaboration with Partners
Multinational companies often collaborate with external partners, which involves data sharing and cross-border data transfers. Managers should ensure that all partners understand and comply with Chinese regulations, and sign contracts that meet data protection requirements. In AI platforms and data processing services, ensure that partners implement sufficient security measures to prevent data leakage and misuse.
The DS Law provides a solid data security framework for the healthy development of AI technologies, helping companies ensure compliance when handling cross-border data flows and sensitive data. By planning ahead, implementing risk management measures, and enhancing cross-border data protection, multinational companies can successfully implement AI projects in China while minimizing compliance risks related to data security.
Legislative Text (selected provisions)
Where data processing activities conducted outside the territory of the People's Republic of China harm national security, public interests, or the lawful rights and interests of citizens or organizations of the People's Republic of China, legal liability shall be pursued in accordance with the law.
"Data processing" includes the collection, storage, use, processing, transmission, provision, and disclosure of data.
"Data security" refers to ensuring that data is in a state of effective protection and lawful utilization through necessary measures, and possessing the capability to ensure continuous security.
The competent authorities for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other sectors shall assume supervisory responsibility for data security within their respective industries and fields.
Public security organs and state security organs shall, in accordance with this Law and other relevant laws and regulations, undertake data security supervision within their respective duties.
The national cyberspace administration department shall, in accordance with this Law and relevant laws and regulations, be responsible for overall coordination of network data security and related supervision.
Relevant authorities shall keep the information of complainants confidential and protect their lawful rights and interests.
People's governments at or above the provincial level shall incorporate digital economy development into their national economic and social development plans at the corresponding level and, as needed, formulate digital economy development plans.
Data relating to national security, the national economy and people's livelihood, critical public interests, and similar areas constitutes core national data and shall be subject to stricter management.
Regions and departments shall, in accordance with the classification and hierarchical protection system, define important data directories for their areas and fields and provide focused protection for data included in those directories.
Security review decisions made in accordance with the law are final decisions.
Processors of important data shall designate a person in charge of data security and a management body, and implement data security protection responsibilities.
Risk assessment reports shall include the types and quantities of important data processed, the status of data processing activities, the data security risks faced and corresponding countermeasures, and related matters.
Where laws and administrative regulations specify the purposes and scope of data collection and use, data shall be collected and used within the purposes and scope prescribed by laws and administrative regulations.
Where correction is refused or serious consequences such as large-scale data leakage are caused, a fine of not less than RMB 500,000 but not more than RMB 2,000,000 shall be imposed, and the competent department may also order suspension of relevant business, suspension of business for rectification, revocation of relevant business licenses or revocation of the business license; the persons directly responsible shall be fined not less than RMB 50,000 but not more than RMB 200,000.
Where staff members of State organs engage in the conduct described in Article 36 of this Law without authorization, they shall be given heavier sanctions in accordance with the law.
Where a violation of this Law constitutes a violation of public security administration, public security administrative penalties shall be imposed in accordance with the law; where a crime is constituted, criminal liability shall be pursued in accordance with the law.
Data processing activities in the work of statistics and archives management, and data processing activities involving personal information, shall also comply with the provisions of relevant laws and administrative regulations.
Data Security Law of the People's Republic of China (中华人民共和国数据安全法)
(Adopted at the 29th Session of the Standing Committee of the 13th National People's Congress on June 10, 2021)
Source: China NPC website (中国人大网), June 10, 2021
The State supports relevant departments, industry organizations, enterprises, educational and scientific research institutions, relevant professional bodies, and others in cooperating on data security risk assessment, prevention, and response.
Where staff members of State organs, in violation of this Law, process personal privacy, personal information, trade secrets, confidential business information, or similar data that came to their knowledge in the performance of their duties, and this constitutes a violation, they shall be given sanctions in accordance with the law; where a crime is constituted, criminal liability shall be pursued in accordance with the law.