Original source: http://www.cac.gov.cn/2019-05/28/c_1124546022.htm

TRANSLATION: Data Security Management Measures (Draft for Comment)

Published: May 28, 2019

Chapter I: General Principles 

Article 1: In order to safeguard national security and society's public interest, to protect the lawful rights and interests of citizens, legal persons, and other organizations in cyberspace, to ensure personal information and important data security, and in accordance with Cybersecurity Law of People's Republic of China and other laws and regulations, these measures are formulated.

Article 2: These Measures apply to activities such as data collection, storage, transmission, processing, and use (hereinafter referred to as "Data Activities"), as well as the protection, supervision, and administration of data security, through networks within the People's Republic of China, except in the course of purely household and personal matters.

Where laws and administrative regulations provide other requirements, such requirements apply.

Article 3: The State upholds the equal importance of safeguarding data security and development, encourages the research and development of data security protection techniques, actively promotes the development and use of data resources, and ensures the free flow of data in a lawful and orderly manner.

Article 4: The State adopts measures to monitor, defend against, and deal with data security risks and threats from inside and outside of the territory of the People’s Republic of China, protects data from leaks, theft, alteration, destruction, illegal use, etc., and punishes illegal and criminal activities endangering data security in accordance with the law.

Article 5: Under the leadership of the Central Commission for Cybersecurity and Informatization, national cybersecurity and informatization departments will coordinate, guide, and supervise personal information and important data security protection work.

The cybersecurity and informatization departments of the prefecture (city)-level and above instruct and supervise the data security work of personal information and important data within each jurisdiction and in accordance with their respective duties.

Article 6: Network operators shall, following relevant laws and administrative rules and referring to national cybersecurity standards: perform obligations of safeguarding data security; establish a mechanism for data security management responsibility, evaluation, and assessment; formulate data security plans; implement data security technical protections, develop data security risk assessments; make cybersecurity incident response plans; tackle security incidents promptly; and organize data security education and training.

Chapter II: Data Collection

Article 7: Network operators that collect and use personal information through products such as websites and applications shall separately formulate and make public rules for the collection and use of data. These collection and use rules can be included in the privacy policy of websites, applications, etc., or they can be provided to users in other forms.

Article 8: The collection and use rules shall be clear, specific, simple and easy to understand, and accessible. They shall highlight the following content:

1. Basic information about the network operator;
2. The name and contact information of the network operator’s main person responsible, and the person responsible for data security;
3. The purpose, type, quantity, frequency, method, and scope of the collection and use of personal information;
4. Where the personal information is stored, the duration for which it is stored, and the handling method after the storage period expires;
5. The rules for providing personal information to other parties, if it is provided to others;
6. Relevant information such as the strategy for personal information security protection;
7. Channels and methods for the personal information subject to revoke consent, as well as to access, correct, and delete personal information;
8. Channels and methods for complaints, reporting, etc.;
9. Other content as stipulated by law and administrative regulation.

Article 9: If rules for collection and use are included in the privacy policy, they should be correspondingly assembled and clear, to facilitate reading. Network operators may collect personal information only after the user is informed of the rules for collection and use and explicitly agrees to them.

Article 10: Network operators shall strictly abide by the rules for collection and use, and the function for collecting and using personal information on the website or application should reflect the privacy policy and be updated accordingly.

Article 11: Network operators may not coerce or mislead personal information subjects into agreeing to the collection of their personal information by means of tacit consent, functionality bundling, etc., for reasons of improving service quality, improving user experience, targeting recommendation of information, or developing new products.

After the personal information subject agrees to the collection of their personal information, network operators shall provide them with core business functions and services and may not withhold core business functions or services if the personal information agent refuses to provide or revokes consent for the collection of additional information.

Article 12: Collecting personal information of a minor under the age of 14 requires obtaining the consent of the minor’s guardian.

Article 13: Network operators may not discriminate against personal information subjects on the basis of whether the personal information subject consented to personal information collection or the scope of consent to collect personal information, including by reducing service quality or charging a different price, etc.

Article 14: Network operators that obtain personal information from other sources have the same responsibilities and obligations as the operator that directly collected the personal information.

Article 15: If network operators collect important data or sensitive personal information for business purposes, they shall file the matter with the local cybersecurity and informatization department. The filing should include rules for collection and use, as well as the purpose, scale, method, scope, type, retention period, etc., of data collection and use, but it should not include the content of the data itself.

Article 16: Network operators that use automated methods to access and collect data from websites may not hinder the normal operation of the websites. If such behavior seriously impacts the operation of websites, for instance if traffic from automated access and collection exceeds one third of all web traffic, when websites request a halt to automated access and collection, it should halt.

Article 17: If a network operator collects important data or sensitive personal information for business purposes, it shall designate a person responsible for data security.

Persons responsible for data security must have relevant management work experience and data security expertise, participate in important decisions about data activities, and report directly to the network operator’s responsible person.

Article 18: The person responsible for data security performs the following duties:

1. Organize the formulation of a data protection plan and supervise its implementation;
2. Organize the conduct of a data security risk assessment and supervise the rectification of potential safety hazards;
3. Report data security protection and incident handling developments to relevant departments and the cybersecurity and informatization departments as required;
4. Receive and handle user complaints and reports.

Network operators should provide persons responsible for data security with the necessary resources to ensure that they can perform their duties independently.

Chapter III: Data Processing and Use

Article 19: Network operators should refer to relevant national standards and adopt measures such as data classification, backup, and encryption to strengthen the protection of personal information and important data.

Article 20: The network operator’s storage of personal information should not exceed the retention period in the collection and use rules. After a user cancels their account, the network operator should promptly delete their personal information, unless the information cannot be associated with a specific individual and cannot be recovered after processing (hereinafter referred to as “anonymization processing”).

Article 21: When a network operator receives a request for personal information access, correction, deletion, or cancellation of an account, it shall grant access, correct, delete, or cancel the account within a reasonable time and within reasonable price range.

Article 22: Network operators may not use personal information in violation of the rules for collection and use. If it is necessary to expand the scope of use of personal information due to business operation requirements, they should obtain consent from the personal information subject.

Article 23: Network operators who use user data and algorithms to recommend news information, commercial advertisements, etc., (hereinafter referred to as “targeted recommendation”) should clearly indicate the words “targeted recommendation” in an obvious way and provide users with the function of stopping targeted recommendation information. When the user chooses to stop receiving targeted recommendation information, operators should stop targeted recommendation and delete user data and personal information, such as device IDs, that they have already collected.

Network operators engaging in targeted recommendation activities should comply with laws and administrative regulations; respect social ethics, business ethics, public order, and good customs; and be honest and trustworthy. Discrimination, fraud, and similar activities are strictly prohibited.

Article 24: Network operators who use big data, artificial intelligence, or similar technologies to automatically synthesize news articles, blog posts, forum posts, comments, etc., should clearly indicate the word “synthesized”; they should not automatically synthesize information with the aim of seeking benefits or harming other people’s interests.

Article 25: Network operators should adopt measures to urge and remind users to be responsible in their online behaviour, to strengthen self-discipline. For users who use social networks to forward information written by other people, the original author’s account should be automatically indicated, or an unalterable user identifier included.

Article 26: When a network operator receives a report or complaint related to impersonation, faking, or illegitimately transmitting information in someone else’s name, they should promptly respond; once a report or complaint has been verified, they should immediately stop transmission and perform deletion.

Article 27: Before providing personal information to others, network operators should assess possible security risks and obtain the consent of the personal information subject. The following situations are exempt from this:

1. Collection through lawful public channels that does not clearly violate the personal information subject’s wishes;
2. When the personal information subject has made it public of their own accord;
3. When having undergone anonymization processing;
4. When necessary for law enforcement bodies to perform their duties in accordance with the law;
5. When necessary to safeguard national security, the social public interest, or the safety of the personal information subject’s life.

Article 28: Before publishing, publicly sharing, or conducting a business transaction with important data, or providing it overseas, network operators should assess possible security risks and report to the sectoral controlling supervisory authority for approval; if the relevant sectoral controlling supervisory authority is not clear, they should obtain approval from the province-level cybersecurity and informatization department.

They should act in accordance with relevant regulations when providing personal information to locations outside of China.

Article 29: If a domestic user accesses the domestic internet, their traffic may not be routed outside the country.

Article 30: Network operators should clarify data security requirements and responsibilities for third-party applications accessing their platform and urge and supervise third-party application operators to strengthen their data security management. If a third-party application experiences a data security breach that causes harm to the user, the network operator shall bear partial or full responsibility, unless the network operator can prove that they are not at fault.

Article 31: When a network operator is acquired, is reorganized, or goes bankrupt, the party receiving the data shall receive the responsibilities and obligations for data security. If there is no party receiving the information, the network operator should delete the data. If there are other provisions in laws and administrative regulations, such provisions shall apply.

Article 32: Network operators who conduct analyses using data sources they have obtained, and publish data such as market forecasts, statistical information, and personal and corporate credit information, may not affect national security, the functioning of the economy, and social stability, and they should not harm others’ lawful rights and interests.

Chapter IV: Data Security Supervision and Management

Article 33: If in fulfilling their duties, cybersecurity and informatization departments find that the network operator’s responsibility for the management of data security is not in place, they should supervise rectification in accordance with the prescribed authority and procedures in consultation with the responsible person for the network operator.

Article 34: The state encourages network operators to voluntarily pass data security management and application procedure security certifications, and encourages search engines and application stores to clearly identify and recommend those applications which have passed the certifications.

State cybersecurity and informatization departments, in conjunction with the market supervision and administration departments under the State Council, will guide the national cybersecurity review and certification agencies and organize certifications for data security management and application procedure security.

Article 35: When data security incidents such as leaking, damage, or loss of personal information occur, or when the risk of these data security incidents increases significantly, the network operator should take immediate remedial measures and promptly notify the respective personal information subject via telephone, text message, email, letter, etc., and report to the relevant regulatory authorities and cybersecurity and informatization departments as required.

Article 36: When the relevant departments of the State Council, in order to fulfill the requirements of their responsibilities in safeguarding national security, social management, economic regulation, etc., and in accordance with the provisions of laws and administrative regulations, request network operators provide them with relevant data in their possession, network operators should provide it.

The relevant departments of the State Council shall be responsible for the security protection of the data provided by the network operator, and it may not be used for purposes unrelated to the performance of duties.

Article 37: If a network operator violates the provisions of these measures, the respective departments, in accordance with relevant laws and administrative regulations, shall impose penalties such as public exposure, confiscation of illegal income, suspension of business operations, restructuring of business, closure of websites, and/or revocation of relevant business licenses and permits according to the circumstances. Where it constitutes a crime, criminal liability will be investigated according to law.

Chapter V: Supplementary Articles

Article 38: The meanings of the following terms in these Measures:

1. “Network operator” refers to the owners, managers, and network service providers for the network.
2. “Network data” refers to various electronic data collected, stored, transmitted, processed, and generated through the network.
3. “Personal information” refers to various information recorded by electronic or other means that can identify a natural person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information, address, phone number, etc.
4. “Personal information subject” refers to the natural person identified or associated with the personal information.
5. “Important data” refers to data that, if divulged, may directly affect national security, economic security, social stability, or public health and safety, such as undisclosed government information or large-scale data on the population, genetic health, geography, mineral resources, etc. Important data generally does not include enterprises’ production, operations, and internal management information, personal information, etc.

Article 39: Data activities involving the use of state secret information and encryption shall be carried out in accordance with relevant state regulations.

Article 40: These Measures shall come into force on the [day] of [month], [year].

数据安全管理办法（征求意见稿）

2019年5月28日

第一章 总 则

第一条 为了维护国家安全、社会公共利益，保护公民、法人和其他组织在网络空间的合法权益，保障个人信息和重要数据安全，根据《中华人民共和国网络安全法》等法律法规，制定本办法。

第二条 在中华人民共和国境内利用网络开展数据收集、存储、传输、处理、使用等活动（以下简称数据活动），以及数据安全的保护和监督管理，适用本办法。纯粹家庭和个人事务除外。

法律、行政法规另有规定的，从其规定。

第三条 国家坚持保障数据安全与发展并重，鼓励研发数据安全保护技术，积极推进数据资源开发利用，保障数据依法有序自由流动。

第四条 国家采取措施，监测、防御、处置来源于中华人民共和国境内外的数据安全风险和威胁，保护数据免受泄露、窃取、篡改、毁损、非法使用等，依法惩治危害数据安全的违法犯罪活动。

第五条 在中央网络安全和信息化委员会领导下，国家网信部门统筹协调、指导监督个人信息和重要数据安全保护工作。

地（市）及以上网信部门依据职责指导监督本行政区内个人信息和重要数据安全保护工作。

第六条 网络运营者应当按照有关法律、行政法规的规定，参照国家网络安全标准，履行数据安全保护义务，建立数据安全管理责任和评价考核制度，制定数据安全计划，实施数据安全技术防护，开展数据安全风险评估，制定网络安全事件应急预案，及时处置安全事件，组织数据安全教育、培训。

第二章 数据收集

第七条 网络运营者通过网站、应用程序等产品收集使用个人信息，应当分别制定并公开收集使用规则。收集使用规则可以包含在网站、应用程序等产品的隐私政策中，也可以其他形式提供给用户。

第八条 收集使用规则应当明确具体、简单通俗、易于访问，突出以下内容：

（一）网络运营者基本信息；

（二）网络运营者主要负责人、数据安全责任人的姓名及联系方式；

（三）收集使用个人信息的目的、种类、数量、频度、方式、范围等；

（四）个人信息保存地点、期限及到期后的处理方式；

（五）向他人提供个人信息的规则，如果向他人提供的；

（六）个人信息安全保护策略等相关信息；

（七）个人信息主体撤销同意，以及查询、更正、删除个人信息的途径和方法；

（八）投诉、举报渠道和方法等；

（九）法律、行政法规规定的其他内容。

第九条 如果收集使用规则包含在隐私政策中，应相对集中，明显提示，以方便阅读。另仅当用户知悉收集使用规则并明确同意后，网络运营者方可收集个人信息。

第十条 网络运营者应当严格遵守收集使用规则，网站、应用程序收集或使用个人信息的功能设计应同隐私政策保持一致，同步调整。

第十一条 网络运营者不得以改善服务质量、提升用户体验、定向推送信息、研发新产品等为由，以默认授权、功能捆绑等形式强迫、误导个人信息主体同意其收集个人信息。

个人信息主体同意收集保证网络产品核心业务功能运行的个人信息后，网络运营者应当向个人信息主体提供核心业务功能服务，不得因个人信息主体拒绝或者撤销同意收集上述信息以外的其他信息，而拒绝提供核心业务功能服务。

第十二条 收集14周岁以下未成年人个人信息的，应当征得其监护人同意。

第十三条 网络运营者不得依据个人信息主体是否授权收集个人信息及授权范围，对个人信息主体采取歧视行为，包括服务质量、价格差异等。

第十四条 网络运营者从其他途径获得个人信息，与直接收集个人信息负有同等的保护责任和义务。

第十五条 网络运营者以经营为目的收集重要数据或个人敏感信息的，应向所在地网信部门备案。备案内容包括收集使用规则，收集使用的目的、规模、方式、范围、类型、期限等，不包括数据内容本身。

第十六条 网络运营者采取自动化手段访问收集网站数据，不得妨碍网站正常运行；此类行为严重影响网站运行，如自动化访问收集流量超过网站日均流量三分之一，网站要求停止自动化访问收集时，应当停止。

第十七条 网络运营者以经营为目的收集重要数据或个人敏感信息的，应当明确数据安全责任人。

数据安全责任人由具有相关管理工作经历和数据安全专业知识的人员担任，参与有关数据活动的重要决策，直接向网络运营者的主要负责人报告工作。

第十八条 数据安全责任人履行下列职责：

（一）组织制定数据保护计划并督促落实；

（二）组织开展数据安全风险评估，督促整改安全隐患；

（三）按要求向有关部门和网信部门报告数据安全保护和事件处置情况；

（四）受理并处理用户投诉和举报。

网络运营者应为数据安全责任人提供必要的资源，保障其独立履行职责。

第三章 数据处理使用

第十九条 网络运营者应当参照国家有关标准，采用数据分类、备份、加密等措施加强对个人信息和重要数据保护。

第二十条 网络运营者保存个人信息不应超出收集使用规则中的保存期限，用户注销账号后应当及时删除其个人信息，经过处理无法关联到特定个人且不能复原（以下称匿名化处理）的除外。

第二十一条 网络运营者收到有关个人信息查询、更正、删除以及用户注销账号请求时，应当在合理时间和代价范围内予以查询、更正、删除或注销账号。

第二十二条 网络运营者不得违反收集使用规则使用个人信息。因业务需要，确需扩大个人信息使用范围的，应当征得个人信息主体同意。

第二十三条 网络运营者利用用户数据和算法推送新闻信息、商业广告等（以下简称“定向推送”），应当以明显方式标明“定推”字样，为用户提供停止接收定向推送信息的功能；用户选择停止接收定向推送信息时，应当停止推送，并删除已经收集的设备识别码等用户数据和个人信息。

网络运营者开展定向推送活动应遵守法律、行政法规，尊重社会公德、商业道德、公序良俗，诚实守信，严禁歧视、欺诈等行为。

第二十四条 网络运营者利用大数据、人工智能等技术自动合成新闻、博文、帖子、评论等信息，应以明显方式标明“合成”字样；不得以谋取利益或损害他人利益为目的自动合成信息。

第二十五条 网络运营者应采取措施督促提醒用户对自己的网络行为负责、加强自律，对于用户通过社交网络转发他人制作的信息，应自动标注信息制作者在该社交网络上的账户或不可更改的用户标识。

第二十六条 网络运营者接到相关假冒、仿冒、盗用他人名义发布信息的举报投诉时，应当及时响应，一旦核实立即停止传播并作删除处理。

第二十七条 网络运营者向他人提供个人信息前，应当评估可能带来的安全风险，并征得个人信息主体同意。下列情况除外：

（一）从合法公开渠道收集且不明显违背个人信息主体意愿；

（二）个人信息主体主动公开；

（三）经过匿名化处理；

（四）执法机关依法履行职责所必需；

（五）维护国家安全、社会公共利益、个人信息主体生命安全所必需。

第二十八条 网络运营者发布、共享、交易或向境外提供重要数据前，应当评估可能带来的安全风险，并报经行业主管监管部门同意；行业主管监管部门不明确的，应经省级网信部门批准。

向境外提供个人信息按有关规定执行。

第二十九条 境内用户访问境内互联网的，其流量不得被路由到境外。

第三十条 网络运营者对接入其平台的第三方应用，应明确数据安全要求和责任，督促监督第三方应用运营者加强数据安全管理。第三方应用发生数据安全事件对用户造成损失的，网络运营者应当承担部分或全部责任，除非网络运营者能够证明无过错。

第三十一条 网络运营者兼并、重组、破产的，数据承接方应承接数据安全责任和义务。没有数据承接方的，应当对数据作删除处理。法律、行政法规另有规定的，从其规定。

第三十二条 网络运营者分析利用所掌握的数据资源，发布市场预测、统计信息、个人和企业信用等信息，不得影响国家安全、经济运行、社会稳定，不得损害他人合法权益。

第四章 数据安全监督管理

第三十三条 网信部门在履行职责中，发现网络运营者数据安全管理责任落实不到位，应按照规定的权限和程序约谈网络运营者的主要负责人，督促整改。

第三十四条 国家鼓励网络运营者自愿通过数据安全管理认证和应用程序安全认证，鼓励搜索引擎、应用商店等明确标识并优先推荐通过认证的应用程序。

国家网信部门会同国务院市场监督管理部门，指导国家网络安全审查与认证机构，组织数据安全管理认证和应用程序安全认证工作。

第三十五条 发生个人信息泄露、毁损、丢失等数据安全事件，或者发生数据安全事件风险明显加大时，网络运营者应当立即采取补救措施，及时以电话、短信、邮件或信函等方式告知个人信息主体，并按要求向行业主管监管部门和网信部门报告。

第三十六条 国务院有关主管部门为履行维护国家安全、社会管理、经济调控等职责需要，依照法律、行政法规的规定，要求网络运营者提供掌握的相关数据的，网络运营者应当予以提供。

国务院有关主管部门对网络运营者提供的数据负有安全保护责任，不得用于与履行职责无关的用途。

第三十七条 网络运营者违反本办法规定的，由有关部门依照相关法律、行政法规的规定，根据情节给予公开曝光、没收违法所得、暂停相关业务、停业整顿、关闭网站、吊销相关业务许可证或吊销营业执照等处罚；构成犯罪的，依法追究刑事责任。

第五章 附 则

第三十八条 本办法下列用语的含义：

（一）网络运营者，是指网络的所有者、管理者和网络服务提供者。

（二）网络数据，是指通过网络收集、存储、传输、处理和产生的各种电子数据。

（三）个人信息，是指以电子或者其他方式记录的能够单独或者与其他信息结合识别自然人个人身份的各种信息，包括但不限于自然人的姓名、出生日期、身份证件号码、个人生物识别信息、住址、电话号码等。

（四）个人信息主体，是指个人信息所标识或关联到的自然人。

（五）重要数据，是指一旦泄露可能直接影响国家安全、经济安全、社会稳定、公共健康和安全的数据，如未公开的政府信息，大面积人口、基因健康、地理、矿产资源等。重要数据一般不包括企业生产经营和内部管理信息、个人信息等。

第三十九条 涉及国家秘密信息、密码使用的数据活动，按照国家有关规定执行。

第四十条 本办法自 年 月 日起施行。