
DSL

Data Security Law

The Data Security Law took effect 1 September 2021, governing data handling activities broadly rather than only personal information. It establishes a tiered data classification system, with escalating protections for important data and core data tied to national security.

Jurisdiction: 🇨🇳 China
Type: Data security
In effect: 2021
Authority: Cyberspace Administration of China (CAC)

Who it applies to

The law applies to data handling activities and their security within China, and extends extraterritorially to data activities outside China that harm China's national security, public interest, or the lawful rights of Chinese citizens and organizations.

Identity requirements

How it impacts identity systems

Identity area: Impact
Data residency & cross-border transfer: Important data is subject to export restrictions and assessment, and data stored in China cannot be handed to foreign authorities without prior government approval.
Identity governance (IGA): Organizations must classify and grade data, including identity datasets, and govern access in line with its sensitivity tier.
Audit, logging & accountability: Handlers must run risk assessments and maintain a data security management system to demonstrate compliance.
Breach notification: On a data security incident, handlers must take remedial action and promptly notify users and the competent authorities.

Penalties

Penalties include rectification orders, fines of up to 10 million yuan for the most serious violations, suspension or revocation of business permits, and personal fines for responsible individuals.

DSL: frequently asked questions

What does the Data Security Law actually protect?
It governs the security of all data, not just personal information, and applies escalating obligations based on a data classification and grading system.
What is important data under the DSL?
Important data is data that, if leaked or misused, could endanger national security, the public interest, or the rights of individuals and organizations; it triggers heightened protection and transfer restrictions.
Can a company give China-stored data to a foreign court or regulator?
Not without prior approval from the competent Chinese authorities; the DSL prohibits providing data stored in China to foreign judicial or law enforcement bodies absent that approval.

Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.