Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TRADE SECRET PROTECTION PROVISIONS

Provisions on the Protection of Trade Secrets.

商业秘密保护规定

FILED UNDER · Data Security

DCC catalogue entry — summary, not full text.

Why this law matters for the data field

The Provisions on the Protection of Trade Secrets (商业秘密保护规定) are SAMR Order No. 126, adopted 24 February 2026 and effective 1 June 2026. They replace the 1995 Several Provisions on Prohibiting Infringements of Trade Secrets (原国家工商行政管理局令第41号) and sit under the Anti-Unfair Competition Law (反不正当竞争法, “AUCL”) — this is fundamentally an IP / unfair-competition instrument, not a data-protection law. DCC tracks it because three of its provisions land squarely on data practice: what counts as a protectable “technical information” trade secret, what counts as a “reasonable confidentiality measure,” and what counts as an “improper means” of taking one.

Algorithms, data, and code as trade secrets — Article 5

Article 5 defines a trade secret as commercial information that is not publicly known, has commercial value, and is subject to appropriate confidentiality measures by its rights holder. Its second paragraph spells out what counts as technical information: structures, raw materials, formulas, materials, samples, patterns, processes, methods, data, algorithms, computer programs and code (数据、算法、计算机程序、代码). Putting algorithms, data, and code in the same statutory list as classic industrial trade secrets (formulas, processes) gives companies an explicit IP hook for treating a proprietary dataset or model as a trade secret asset, separate from — and stackable with — data-security classification under the DSL.

Confidentiality measures for remote and cross-border work — Article 9

Article 9 lists eight categories of “reasonable confidentiality measures” that satisfy the statute’s protection requirement. Seven track familiar practice (confidentiality agreements, staff training, restricted physical access, marking/classifying/encrypting materials, device-access controls, exit procedures for departing employees, and a catch-all). The new one is item (4): technical confidentiality measures for remote-work and cross-border collaboration scenarios (远程办公、跨境协作等场景) — tiered access permissions (权限分级), data de-sensitization (数据脱敏), and retained operation logs (操作日志留痕). This is the first time these specific technical controls have been named in a Chinese trade-secret rule, and it effectively tells multinational companies and distributed teams what SAMR will look for as evidence of “adequate” protection when a misappropriation claim turns on whether the rights holder actually secured the information.

Electronic intrusion and cloud exfiltration as “improper means” — Article 10

Article 10 prohibits acquiring a trade secret by theft, bribery, fraud, coercion, “electronic intrusion” (电子侵入), or other improper means, and then lists five qualifying scenarios. Two are squarely data-security conduct: item (3) — unauthorized access to the rights holder’s digital office systems, servers, mailboxes, cloud drives, or application accounts, or use of malicious programs or exploited vulnerabilities to obtain the secret — and item (4) — downloading or transmitting a trade secret, without authorization, beyond the scope of authorization, or after authorization has lapsed, to an email account, cloud drive, or other network storage or device not controlled by the rights holder. In effect, Article 10 supplies an administrative-enforcement analogue to conduct that would otherwise only be pursued as a data-security incident report or a cybercrime prosecution: an employee who copies a proprietary dataset to a personal cloud drive before resigning is now squarely “improper means” misappropriation that SAMR can investigate and fine, independent of any criminal referral.

The Provisions implement AUCL Article 26, which sets the penalty band (RMB 100,000–1,000,000, rising to RMB 1,000,000–5,000,000 for aggravated cases) that Article 24 of this rule cross-references directly — see DCC’s entry on the Anti-Unfair Competition Law. They also overlap functionally with the Data Security Law: where the DSL’s classification-and-grading regime (important data, core data) governs a company’s general data-security obligations, the Trade Secret Protection Provisions give a company an ownership-based claim over a specific dataset, algorithm, or codebase, enforceable against a named actor (an employee, a competitor, a departing contractor) rather than against the world. Companies building cross-border compliance programs will increasingly want both: DSL- grade classification for regulatory risk, and trade-secret confidentiality measures under Article 9 of this rule for enforceable ownership.

Briefs on this law

DCC briefs that turn on the Trade Secret Protection Provisions are linked from this page’s “Briefs on this law” section (any post whose laws: references this entry).

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →