The complete file.
Every brief DCC has filed since publication began. 79 total.
- § 01 · CROSS-BORDER
The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide
As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry.
- § 02 · E-COMMERCE-LAW
China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance
On July 4, 2026, the State Administration for Market Regulation and the Ministry of Commerce released the Draft Amendment to the E-Commerce Law for public comment, with comments due August 4, 2026. The draft has 20 articles and, according to the official notice and Xinhua Q&A, moves in five directions: expanding the law's adjustment scope beyond platforms and in-platform operators to other platform-economy participants; strengthening the platform responsibility system with richer, more graduated regulatory tools; building an integrated supervision mechanism for cross-sector platform operations, including consistent online/offline business supervision and stronger department and central-local coordination; targeting prominent illegal conduct in e-commerce; and deepening open cooperation by aligning rules, regulation, management and standards with international practice, supporting industry self-discipline and orderly outbound expansion, and adding countermeasure tools to protect Chinese enterprises. DCC reads the amendment as an attempt to reposition the E-Commerce Law from a transaction/platform statute into a platform-economy governance statute, with operational implications for platform rulemaking, merchant and worker protection, consumer governance, data/network security clauses, competition compliance, and outbound platform expansion.
- § 03 · DATA-PROPERTY-RIGHTS
China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff
On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution.
- § 04 · AI-GOVERNANCE
China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed
China's Interim Measures for AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理暂行办法) — the world's first dedicated rule on 'companion'-style AI — take effect on 15 July 2026. This DCC brief synthesises three Chinese-language readings published in the days before the effective date: 数据合规肖大国's article-by-article practitioner walkthrough, 网安寻路人 (Hong Yanqing)'s multi-part work on how to scope anthropomorphic interaction (including his 'Sentiment Interaction Event / SIE' indicator system), and AI前沿信息笔记's read of the business-model logic the rule is really aimed at. Three throughlines: (1) what changed between the consultation draft and the final text — real fines were added, a 'continuity (持续性)' qualifier now narrows scope, the emergency-contact duty was widened beyond vulnerable groups, and the mandatory 'human takeover' of at-risk conversations was dropped; (2) the scope question the rule leaves under-specified — which services are 'continuous emotional interaction' at all — and the SIE-style indicator approach practitioners are reaching for to answer it; and (3) the paradigm shift the rule marks, from *content-safety* governance (AI as tool) to *relationship* governance (AI as social role), which finally gives regulators a handle on attention-economy and emotional-dependency business models. For overseas counsel shipping companion, emotional-AI or character-AI products into China: this is the operational checklist and the open-question list, two weeks out.
- § 05 · ENFORCEMENT
MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures
On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.
- § 06 · AI-AGENTS
TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations
On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.
- § 07 · PIPL
When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20
A consumer bought insurance through a broker, on a platform company's website, from an insurer — and later found her full policy, personal details included, retrievable by searching her own phone number. The Shanghai judgment behind case (2024)沪01民终410号 had to decide which of the three companies were 'joint handlers' of her personal information under PIPL Article 20, and therefore jointly and severally liable. Writing on 数据何规, Lu Ying and Zhang Bingbin work through the allocation: the platform operating the website was the direct handler; the broker that steered the purchase through a site it presented as its own was a joint handler; the insurer — with an independent, contract-related purpose and no role in downstream processing decisions — was not. The article distills three identification factors (common purpose and conduct; pre-agreed division of roles as joint determination; the appearance presented to the user), separates joint processing from sharing and entrusted processing, and argues that PIPL Article 20(2) is an independent claim basis: a victim can sue all joint handlers for joint and several damages directly. For any broker/platform/underwriter or comparable multi-party data chain, this is the operative test.
- § 08 · CROSS-BORDER
First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing
On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.
- § 01 · ENFORCEMENT
From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window
On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals.
- § 02 · IMPORTANT-DATA
Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'
With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.
- § 03 · DATA-ECONOMY
Li Yang: Why 'Data Rights-Confirmation' Is a Category Error — Dynamic Data Can't Be a Registration Object, and AUCL Article 13 Is the Better Path
DCC's summary of an opinion piece by Li Yang (李扬), professor at China University of Political Science and Law, arguing that the whole project of 'data rights-confirmation' (数据确权) — and the data-IP registration pilots run under it — rests on a category error. In Chinese IP law, 'confirmation' (确权) is the authoritative validation of an already-existing right, and it presupposes three things data lacks: a determinate object, defined rights content, and clear boundaries. Civil Code Art. 127 only defers the question; 'data IP' is a policy concept, not a legal one; and data is co-produced by many parties, so registration proves who submitted data, not who owns it. Li Yang's sharpest move is the dynamic-object problem: registration regimes (real estate, IP, equity) require a persistently stable object, but data's value lives in continuous updating, so the data at registration is never the data in dispute — and blockchain/hash/timestamp '存证' only fix a historical snapshot, never the living data stream, confusing proof-of-existence with object-identification. He concludes that registration's real functions are evidentiary and publicity/transaction-support — not rights-confirmation — and that data governance should move from rights-confirmation to interest-protection, from static-rights thinking to dynamic-competition thinking, protecting commercial-data interests under Article 13 of the Anti-Unfair Competition Law. DCC's read for overseas counsel, against the data-IP registration regime and the Beijing Internet Court's first AUCL Article 13 ruling.
- § 04 · ANTI-UNFAIR-COMPETITION
How the Beijing Internet Court Found a Platform 'Lawfully Held' Its Data Under the New AUCL Article 13 — and Where It Meets the 'Right to Hold Data'
The Beijing Internet Court's 30 April 2026 judgment — the first published application of the data clause (Article 13) of the 2025-revised Anti-Unfair Competition Law, effective 15 October 2025 — turns on one threshold question: did the plaintiff platform 'lawfully hold' (合法持有) the scraped career data? DCC walks through exactly how the court got to 'yes', step by step: the data originated as personal information collected with user consent under the platform's Service Agreement and Privacy Policy (no unlawful processing on record); the operator's build-and-run investment aggregated scattered records into a dataset with standalone economic value; and that dataset is the foundational input for the platform's matching business and competitive advantage. From those three findings the court derives its operative definition — data lawfully collected/stored/used, formed through substantial investment, and capable of generating business benefit or competitive advantage — and holds that the defendant's crawler-and-resale scheme, circumventing login and access controls, was unfair competition (¥200,000 + ¥30,000-plus in costs). The brief then takes up the doctrinal question: does Article 13's 'lawfully held data' correspond to the 'right to hold data' (数据持有权) in the Data 20 Articles' three-rights framework? The answer is a functional yes — the court is enforcing the holding right's purely defensive content, exactly as Hong Yanqing's analysis predicted AUCL Article 13 would — but not a doctrinal one: it builds a competition-tort interest on investment and lawful sourcing, deliberately sidestepping any claim that data is a typed property right. DCC's case brief for overseas counsel, drawn against the earlier AUCL Article 2 general-clause data cases.
- § 05 · GBT-35273
From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard
On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.
- § 06 · RISK-ASSESSMENT
From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law
On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.
- § 07 · PUBLIC-DATA
Guangdong Prices the Public-Data Operator Like a Utility: Inside the Province's Authorized-Operation Price-Management Measures
On 12 May 2026 the Guangdong DRC and the Guangdong Administration of Government Services and Data issued the Guangdong Province Public Data Resource Authorized-Operation Price Management Measures — one of the first provincial implementations of the national NDRC/NDA price-formation notice (发改价格〔2025〕65号). The 20-article rule prices the 'public-data operation service fee' (公共数据运营服务费) with a regulated-utility toolkit: government-guided pricing, a maximum permitted revenue equal to operating cost + permitted profit + tax, and a permitted profit rate capped at the prior-year 10-year treasury yield plus no more than 6 percentage points. DCC reads the full text (carried by 数据行者X) against the Guangdong DRC's official interpretation (carried by 砖济咨询) to draw out what overseas counsel needs: this is cost-of-service, rate-of-return regulation imported into the data-element market, with periodic resets every three years, a ±10% annual adjustment band, mandatory cost separation, and a carve-out keeping public-governance and public-welfare data 'conditionally free.'
- § 08 · ENFORCEMENT
Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases
In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.
- § 09 · ENFORCEMENT
CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation
On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.
- § 10 · DATA-PROPERTY-RIGHTS
Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control
Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control.
- § 11 · AI-GOVERNANCE
China's First AI-Ghostwritten 'Seeding Post' Case — a Duty of Care for Generative-AI Providers
China's first unfair-competition case over AI batch-ghostwritten 'seeding posts' (种草笔记 — the staged, first-person product-recommendation notes that drive discovery commerce on Xiaohongshu/RED). On appeal, the Hangzhou Intermediate People's Court ((2025) Zhe 01 Min Zhong No. 3998) held that the operators of an 'AI writing' tool ('AI写作鹅') that let users one-click-generate fake first-person Xiaohongshu notes — fabricating personal experiences and feelings — committed unfair competition under Article 2 (the general clause) of the Anti-Unfair Competition Law. The court built an explicit four-factor duty-of-care test for generative-AI providers (is it generative AI; does it target a specific scenario/another's product as its 'application layer'; is it directional and inducing; is it a paid, for-profit service), citing Articles 4(3), 5(1) and 22 of the Generative AI Services Interim Measures. Because the tool was named after Xiaohongshu, marketed to mass-produce on-brand 'seeding' copy, charged a membership fee, and shipped with no notice or reminder against the foreseeable misuse, the providers were at fault. The appeal court affirmed liability but cut damages from RMB 200,000 to RMB 100,000 on an 'inclusive and prudent' (包容审慎) view of AI, and reversed joint liability for the third defendant that merely hosted the download. DCC OCR'd the full judgment from the source images; this is our case brief for overseas counsel.
- § 12 · DATA-PROPERTY-RIGHTS
Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty
Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it.
- § 13 · DATA-PROPERTY-RIGHTS
When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control
Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy.
- § 14 · DATA-ECONOMY
China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline
According to reporting by Caixin (财新) and 财联社 circulated on 3–5 June 2026, the Shanghai and Shenzhen stock exchanges issued window guidance bringing the entire data-asset ABS (数据资产ABS) business chain to a stop — new filings turned away, approved-but-unissued deals told to pause, even issuance-approved deals told to delay. This halts a category that exploded from roughly 11 issuances raising ~¥4.6bn in 2025 to 21 issuances and ¥15.4bn in the first five months of 2026, with a declared pipeline approaching ¥200bn. The stated trigger is mission drift: pure-data-asset deals are under 2% of the market, while local-government financing vehicles (城投/LGFV) used the loose, fast 'data-asset' label to repackage existing non-standard debt as standardised bonds — data as window-dressing, with no real data cash flow behind it. DCC reads the event, the structural reasons, the three審查 gates the exchanges are expected to harden, and what it means for anyone underwriting, rating, or investing in China data-asset financing.
- § 15 · DATA-ECONOMY
What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not
The name misleads. A Chinese 'data-asset ABS' (数据资产证券化) is labelled as such when data-pledged collateral exceeds 50% of the asset pool — but the underlying assets that actually generate the repayment cash flow are conventional financial claims: supply-chain receivables, trust-loan beneficiary rights, or finance-lease claims. Data is the collateral, the credit-enhancement, or the pricing-and-monitoring tool — not the cash-flow source. This brief, the second in DCC's data-asset-ABS series, unpacks the mechanism overseas counsel need to price the risk: the four live deal structures (trust-loan, receivables, finance-lease, data-empowerment); the difference between accounting recognition (入表) and legal right-confirmation (确权); and the four legal infirmities that make these deals fragile — unsettled data property rights, the true-sale problem created by data's non-exclusivity, the limits of bankruptcy isolation when asset value depends on the originator's continued operation, and the PIPL/DSL eligibility gates. It reads the flagship deals (平安-如皋, 华鑫-鑫欣, 青岛, 杭州高新金投) for what each actually did.
- § 16 · DATA-ECONOMY
From Collateral to Cash Flow: The 'Secondary Licensing' Model That Would Make Data-Asset ABS Real
If today's data-asset ABS is '1.0' — data as collateral behind a conventional debt claim — then '2.0' is the version where the data's own cash flow (licensing fees, data-service subscriptions) directly repays the securities, upgrading data from credit-enhancement tool to genuine underlying asset. This third brief in DCC's data-asset-ABS series examines the structure most likely to get there: the 'secondary licensing' (二次许可) model borrowed from intellectual-property ABS, in which a holder exclusively licenses data to an originator for an upfront lump sum, then takes a reverse exclusive licence back and pays periodic fees that become the ABS cash flow — ownership never moving. It maps the obstacles (data's non-exclusivity defeats 'exclusive licence' and 'exclusive possession'; PIPL/DSL cap what can be licensed; valuation is immature), the finance-lease-of-data variant, and the early policy encouragement (Anhui's March 2026 measures endorsing reverse-licensing). The irony the June 2026 halt exposed: regulators want real data cash flow — which is exactly what 2.0 promises but cannot yet deliver at scale.
- § 17 · DATA-PROPERTY-RIGHTS
Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little
Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.
- § 18 · AI-GOVERNANCE
China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One
The Hangzhou Internet Court has decided China's first 'AI hallucination' (AI幻觉) tort case — written into the Supreme People's Court's 2026 work report to the NPC. A user asking a chatbot about college applications was told, across seven rounds, that a non-existent campus existed; when finally shown the official website, the model 'apologised' and 'promised' to pay ¥100,000, even generating a fake lawsuit template telling him to sue. He did. The court dismissed every claim and, in doing so, laid down the first judicial articulation of China's generative-AI liability framework: (1) an AI model is not a civil subject, so its 'promise' is no declaration of intent — and is not attributable to the provider either; (2) generative AI is a service, not a product, so fault liability under Civil Code Article 1165 applies, not product liability's no-fault rule under Article 1202; (3) there is no result-based duty to guarantee accuracy for ordinary inaccurate output — only a process duty of care (conspicuous AI-content labelling plus industry-standard accuracy measures), which the provider had discharged; and (4) no proven damage, no causation. For any company deploying GenAI to the Chinese public, this is the operating liability surface and the evidentiary playbook.
- § 19 · HEALTH-DATA
China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures
On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.
- § 20 · AI-GOVERNANCE
Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short)
A Chinese AI-law reading of Neumann, Sargeant and Singh's FAccT 2026 paper Prompt Governance? — and what it means for how China, the EU, and the US treat 'system prompts' as a regulatory object. Li Wenlong (科技利维坦) walks through the four-layer 'prompt stack' (system instructions → system guidelines → developer instructions → user prompts), five properties practitioners need to understand (layered, hidden, natural-language, malleable, loosely coupled to behaviour), and the comparative regulatory landscape: the EU GPAI Code of Practice requires signatories to disclose system prompts to regulators in model reports; the Trump EO 14319 / OMB M-26-04 stops at model / system / data cards and leaves system-prompt disclosure voluntary; the UK's AI Cybersecurity Code says effectively nothing. China's current GenAI safety regime (TC260-003 plus the GenAI Interim Measures) is output-evaluation-based — filing and pre-launch scoring, with no architectural hook into system prompts. Li predicts a Brussels Effect: system-prompt disclosure to regulators will become a global compliance baseline, analogous to the DPIA in data law. For overseas counsel: this is what is coming, what to start archiving now, and why 'what you write' in a system prompt is not 'what the model executes.'
- § 01 · DATA-PLEDGE-FINANCING
Data Pledge Financing in China: What Is Actually Being Pledged, and Where the Law Gets Stuck
As Chinese banks and data exchanges experiment with data pledge financing (数据质押融资), a threshold question remains unresolved: what, legally, is being pledged? Chen Yiqian of Shenzhen Data Exchange walks through the two available routes under the Civil Code — chattel pledge (动产质权) and rights pledge (权利质权) — and the three operational problems that make chattel pledge difficult and the two doctrinal barriers that make rights pledge harder still. The analysis converges on a practical conclusion: chattel pledge via a third-party data custodian is the most workable path today, while data property rights and data intellectual-property rights both remain insufficiently legalised to support a reliable pledge. For overseas counsel advising on China data-asset financing, the gap between policy ambition and legal infrastructure is the central risk to price. Connects to the broader data property-rights registration project and the unresolved question of how data enters corporate balance sheets.
- § 02 · CRITICAL-INFORMATION-INFRASTRUCTURE
Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules
China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.
- § 03 · JUDICIAL
Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected
A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'
- § 04 · ANONYMIZATION
Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime
Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.
- § 05 · DATA-PROPERTY-RIGHTS
The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework
Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.
- § 06 · DATA-ASSET
When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets
Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet.
- § 07 · ANONYMIZATION
From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative
The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.
- § 08 · AI-GOVERNANCE
Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy
Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.
- § 09 · PERSONAL-INFORMATION
Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It
Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.
- § 10 · DATA-ECONOMY
Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'
Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.
- § 11 · DATA-PROPERTY-RIGHTS
Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights
Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.
- § 12 · ENFORCEMENT
Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine
In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.
- § 13 · AI-AGENTS
Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规
China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.
- § 14 · AI-AGENTS
Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework
Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.
- § 15 · AI-GOVERNANCE
Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI
Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.
- § 16 · ENFORCEMENT
MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse
MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.
- § 17 · DATA-PROPERTY-RIGHTS
NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself
The National Data Administration's official 政策解读 (policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules.
- § 18 · DATA-PROPERTY-RIGHTS
Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical
NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.
- § 19 · DATA-PROPERTY-RIGHTS
Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights
NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.
- § 20 · PUBLIC-DATA
Public Data Under Franchise and Concession Operations: Who Owns It and Can It Be Traded?
Infrastructure and public-utility operators in China — gas networks, urban parking, water systems, and similar franchise/concession (特许经营) businesses — generate data that falls within the statutory definition of 'public data.' That classification creates compliance questions that standard enterprise-data analysis does not answer: does a franchise agreement confer the right to process and sell that data, and under what conditions? Two Shenzhen Data Exchange compliance officers work through the asset-ownership and revenue-attribution routes for establishing data-use authority, flag the asset-transfer risk that attaches to API and dataset licensing, and explain why franchise-generated public data should not be silently assimilated into the authorised-operation (授权运营) model now being piloted across Chinese cities. The operational takeaway: amend legacy concession agreements to address data rights explicitly, and build the data-rights clause into every new franchise contract before signing.
- § 21 · DATA-PROPERTY-RIGHTS
Inside the Reviewer's Mind — A Compliance Guide to Data Property-Rights Registration at Shenzhen Data Exchange
China's data property-rights registration (数据产权登记) regime has no single national rulebook yet, which makes the reviewer's checklist at the registrar level the operational baseline for any applicant. This brief summarises a practitioner guide by two compliance managers at Shenzhen Data Exchange (深圳数据交易所), explaining what registration reviewers actually scrutinise: whether the subject-matter falls within the platform's accepted scope; whether the applicant can substantiate entitlement to one or more of the three data-property rights (持有权 / 使用权 / 经营权); and whether the submitted materials are internally consistent and complete. The guide also clarifies common misconceptions about the 'three rights' structure — including why 'data ownership' is not a legally recognised concept and why holding-right does not automatically confer use-right or operating-right. For overseas counsel advising clients on data-asset registration, this is the clearest available account of how the first-mover registrar reads applications.
- § 22 · PUBLIC-DATA
Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack
China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.
- § 23 · PUBLIC-DATA
Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model
China's public-data authorized-operation regime (公共数据授权运营) is the primary route for enterprises to commercialise government-held data. A DEXC+ analysis by Yang Haoran maps the full compliance arc: what qualifies as public data, how it must be processed within a sandboxed platform, and what a data product needs to clear before it can be listed on an exchange. Drawing on the National Data Administration's draft Authorized-Operation Implementation Specifications and Shenzhen Data Exchange's own 3×4 dynamic-compliance framework — covering subject compliance, subject-matter compliance, and circulation compliance across legal, security, integrity, and rights dimensions — the brief gives overseas counsel a structured view of the obligations that attach at each stage of the public-data supply chain, from first authorisation to on-exchange listing.
- § 24 · DATA-TRADING
Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange
When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient.
- § 25 · SENSITIVE-PERSONAL-INFORMATION
Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice
GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond.
- § 26 · PIA
The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products
China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product.
- § 27 · DERIVATIVE-DATA
Derivative Data Products and Public Data Opening — Legal Challenges and Compliance Points
As China opens public-sector datasets for commercial exploitation, companies building derivative data products (衍生数据产品) face a layered compliance problem: the definition of 'derivative data' in the National Data Administration's 2025 glossary is deliberately high-threshold (substantial transformation, significant value uplift); provincial rules on automated collection, source-labelling, and sensitive-data assessment are inconsistent; and a three-way collision between the open-data rules, third-party platform terms, and the 2025 Anti-Unfair Competition Law amendments has no clean resolution. Wang Yi and Yu Hao (both DEXCO-certified partners at Global Law Office Shenzhen) map the definitional landscape, five categories of operational red lines, and four protective strategies — including the new data-specific provision in the revised Anti-Unfair Competition Law — for practitioners building or advising on derivative-data businesses.
- § 28 · DATA-PROPERTY-RIGHTS
From Copyright to Data Property: The Three-Layer Compliance Test for Registering Employee-Created Data in China
China's data property-rights registration regime treats copyright and data property (数据产权) as separate legal categories — a distinction that catches many applicants off guard when employee-created works are involved. This brief summarises a practitioner analysis by two Shenzhen Data Exchange compliance officers, who explain the three-layer 'penetrating review' (穿透审核) logic that registrars actually apply: lawful acquisition (合法获取), factual control (事实持有), and defined scope of use (使用范围). For overseas counsel advising clients that hold data generated by employees — including code, engineering drawings, maps, and other special categories of work-made-for-hire under China's Copyright Law — the key operational takeaway is that a copyright certificate alone is insufficient. Registration of all three data property rights (holding right, use right, operating right) requires distinct evidence chains for each, and the employment contract is the starting document, not the copyright certificate.
- § 29 · IMPORTANT-DATA
'Important Data' Is a Category, Not a Tier
Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.
- § 01 · FOREIGN-INVESTMENT-SECURITY-REVIEW
Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export
Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.
- § 02 · TOKENS
Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative
In March 2026, the National Data Administration released the *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)*, which explores a 'token (词元) based value system' and 'token trading as a new transaction mode' for high-quality data sets. The Chinese AI policy community immediately heralded the move as 'revolutionizing data trading.' Wang Qinglan pours cold water: token is a measuring unit, not a magic transformer. AI tokens are not crypto tokens. The bottleneck in China's data-element market isn't measurement — it's supply, rights clarity, compliance cost, and data silos.
- § 03 · CRIMINAL-LIABILITY
When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold
Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.
- § 04 · FACIAL-RECOGNITION
When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework
Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.
- § 01 · AI-GOVERNANCE
Where China's Draft AI Anthropomorphic-Interaction Measures Need Work — A Scholar's Reform Map
Li Wenlong (科技利维坦) walks through the directions in which he would amend China's draft Interim Measures for the Administration of AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理办法) — the country's first dedicated rule on 'companion'-style AI. His critique is structural, not cosmetic: the core definition of '拟人化 (anthropomorphisation)' is too broad because it anchors on human-like expression rather than the real harm (relational dependency); the invented concept of '交互数据 (interaction data)' should be deleted and folded back into PIPL rather than blanket-prohibited; Chapter 2 mixes three incompatible duty types and should be split; the '1M registered / 100k MAU' security-assessment trigger is borrowed from other regimes and does not track real risk; and the training-data duties are horizontal obligations misplaced in a vertical rule. For overseas counsel building companion-AI or emotional-AI products for the China market: this is a map of where the draft is likely to move, and which duties fall on deployers versus base-model providers.
- § 01 · AI-GOVERNANCE
AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click
Li Wenlong (科技利维坦) takes the Doubao phone assistant — an AI that 'reads your screen' and acts across apps — and asks whether the consent/authorisation mechanism that traditional data law leans on can survive the agent era. His four challenges: the app-bounded 'private' environment dissolves as data and permissions move across apps (with Nissenbaum's Contextual Integrity as the only real conceptual anchor, and far from operational); agents that *act* (not just retrieve) push informed consent past the point of failure already reached by personalised ads; purpose limitation collapses because an agent chooses its own path, means and decisions from a low-information instruction, edging into automated decision-making; and ultra vires agency shifts liability from user to platform, with China's 'hallucination case' and the Air Canada case as the only thin precedents. For overseas counsel building or advising on agentic AI in China: a map of why 'authorisation' is becoming a problem of agency, system control, liability allocation and autonomy — not a checkbox — and why transparency is now a prerequisite, not a feature.
- § 02 · CSL
China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed
On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.
- § 03 · CROSS-BORDER
Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense
When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.
- § 01 · DATA-PROPERTY-RIGHTS
Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category
Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts.
- § 02 · PERSONAL-INFORMATION
PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer
The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.
- § 03 · AI-GOVERNANCE
Reverse Interoperability: Li Wenlong's Frame for the Doubao On-Device Agent Fight
ByteDance's Doubao phone assistant — preinstalled at the device layer to operate other apps on a user's behalf — was met with pop-up blocks from WeChat and others citing security and risk-control. Li Wenlong (科技利维坦) argues the dispute is, at bottom, a question of how China's competition-law toolkit (反不正当竞争法 / 反垄断法) absorbs the idea of interoperability — and specifically what he calls 'reverse interoperability (反向互操作性)'. The classic interoperability problem is a platform refusing to open up, with antitrust used as a market remedy to force access. Doubao inverts it: interoperability is fully achieved at the device level, and the legal question becomes whether the law should restrict 'over-interoperation.' Li maps interoperability's journey from the Microsoft case through GDPR data portability and the DMA to the agent era, distinguishes the Doubao fight from the decade-old 3Q War, and predicts on-device-agent governance will look less like classic antitrust and more like the ex-ante, conditional-use compliance model emerging for AI training data. For overseas counsel: a structural read on the platform-access war that on-device AI agents are about to intensify.
- § 04 · PERSONAL-INFORMATION
Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes
Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.
- § 01 · CROSS-BORDER
Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet
Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.
- § 01 · FACIAL-RECOGNITION
Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers
The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.
- § 02 · IMPORTANT-DATA
How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan
Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.
- § 01 · DATA-FUNDAMENTALS
What Is Data, Really? — A Plain-Language Primer on Rules and Compliance
What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow.
- § 02 · DATA-GOVERNANCE
Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation
Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice.
- § 03 · CROSS-BORDER
FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data
Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.
- § 01 · DATA-PROPERTY-RIGHTS
What Does Data Registration Actually Confirm? — A Doctrinal Reading
Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel.
- § 01 · DATA-EXCHANGES
On-Exchange vs. Off-Exchange Data Trading — A Uniquely Chinese Market Structure
Why does China have data exchanges? Wang Qinglan's piece opens with an observation overseas readers will recognize: 'When you tell foreigners about China's on-exchange data trading market, you get blank stares — because exchange-organized data trading is uniquely Chinese.' The analogy she offers — Shenzhen Data Exchange is to data what the Shenzhen Stock Exchange is to securities — unlocks the architecture. Five tiers of trading venues by public-risk level. Three waves of Chinese data-exchange evolution. And the operational meaning of why on-exchange and off-exchange trading coexist.
- § 01 · DATA-ECONOMY
What Is Actually Traded on China's Data Exchanges — A Bakery Metaphor
Per the Shenzhen Provisional Measures for Data Trading Administration, four categories of object can be traded on a Chinese data exchange: data products, data services, data tools, and other regulator-approved objects. Wang Qinglan walks through what each means in plain language with a bakery metaphor — wheat (raw data) becomes flour (data resources) becomes cakes (data products); a baker is a data service; the oven is a data tool. The piece is useful precisely because it answers a question overseas teams rarely think to ask: what are the data exchanges actually selling?
- § 01 · PUBLIC-DATA
Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.
A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.