Data Security Law of the People's Republic of China

China's Data Security Law (DSL), effective September 1, 2021, establishes a comprehensive framework for data security governance based on a data classification and grading system. The DSL introduces the concept of "important data" — data that, if tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, or public health and safety. Organizations must implement data security management systems commensurate with the classification level of data they process. The DSL requires organizations to conduct data security risk assessments and report significant risks to competent authorities. Cross-border transfer of important data requires a government security assessment. The DSL applies to data processing activities conducted within China and to activities outside China that harm China's national security, public interests, or the lawful rights of Chinese citizens and organizations. Penalties for violations range from RMB 50,000 to RMB 10 million, with criminal liability for serious violations. The DSL works alongside the CSL and PIPL to form China's data governance trilogy.