Promulgated by: National Development and Reform Commission (NDRC) and National Data Administration (NDA).
Document No.: Fa Gai Shu Ju Gui [2025] No. 27 (发改数据规〔2025〕27号).
Issued January 8, 2025. Effective March 1, 2025. Five-year validity period.
DCC translation. No official English translation exists. Translated against DCC’s bilingual glossary for terminology consistency with PIPL, DSL, CSL, and related rules.
Chapter I General Provisions
Article 1. These Specifications are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations, and pursuant to the Opinions of the CPC Central Committee and the State Council on Building a More Complete Market-Based Allocation Mechanism for Factors of Production, the Opinions of the CPC Central Committee and the State Council on Building a Fundamental Data System to Better Leverage the Role of Data as a Factor of Production, and the Opinions of the General Office of the CPC Central Committee and the General Office of the State Council on Accelerating the Development and Utilization of Public Data Resources, in order to advance the development and utilization of public data resources, standardize the authorized operation of public data resources, promote the cultivation of an integrated data market, and unlock the value of data as a factor of production.
Article 2. These Specifications apply to public data resource authorized operation activities carried out within the territory of the People’s Republic of China.
Article 3. “Authorized operation” (授权运营) refers to the activity of authorizing qualified operating institutions, in accordance with laws, regulations, and relevant requirements, to govern and develop public data resources held by local people’s governments at and above the county level or by national sectoral competent authorities, and to provide data products and technical services fairly to the market.
“Implementing institutions” refers to entities, determined by local people’s governments at and above the county level or by national sectoral competent authorities in conjunction with the authorization model, that are specifically responsible for organizing the conduct of authorized operation activities.
“Operating institutions” refers to legal-person organizations that have obtained authorization through standardized procedures and that develop and operate public data resources within the scope of authorization.
Article 4. Authorized operation of public data resources shall follow the principles of legality and compliance, fairness and impartiality, public-interest priority, reasonable returns, and security and controllability.
Chapter II Basic Requirements
Article 5. Local people’s governments at and above the county level, and national sectoral competent authorities, may include lawfully held public data resources within the scope of authorized operation, provided that the requirements of the data classification and grading protection system are implemented and that national security, the public interest, trade secrets, personal privacy, and personal information rights and interests are not harmed.
Where public data of other regions or departments — obtained through government data sharing — is to be used for authorized operation, the consent of the unit that provided the shared data shall be obtained.
Article 6. In conducting authorized operation activities, administrative power or market-dominant position shall not be abused to exclude or restrict competition, and data, algorithms, technology, or capital advantages shall not be used to engage in monopolistic conduct.
Operating institutions shall conduct business within the scope of authorization in accordance with laws and regulations, and shall not directly or indirectly participate in the further development of public data products and services already delivered within their authorized scope. Other operating entities are encouraged to further develop the public data products and services delivered by operating institutions, integrate multi-source data, enhance the value of data products and services, and contribute to a flourishing data-industry ecosystem.
Article 7. The National Data Administration is responsible for the overall coordination and administration of national public data resource authorized operation work; it shall dynamically monitor the national authorized-operation situation and strengthen policy and operational guidance.
Provincial-level data administration authorities shall play a comprehensive coordinating role, strengthen the integration of data resources, enhance data service capacity, fully leverage the scale-of-application effect of public data resources, and conduct supervision and administration of authorized operation work within their region.
Data administration bodies of national sectoral competent authorities are responsible for advancing the authorized operation work of public data resources in their department and for guiding the sector to strengthen administration of sectoral data resources within the scope of authorized operation.
Chapter III Plan Preparation
Article 8. Data administration authorities of local people’s governments at and above the county level, and data administration bodies of national sectoral competent authorities, shall take the lead in organizing or guiding the various implementing institutions in their region or department to prepare implementation plans for the authorized operation of public data resources. Implementation plans shall balance economic and social benefits and ensure feasibility of execution.
Article 9. Implementation plans shall include the following content:
(I) The name of the authorized operation;
(II) Argumentation of the necessity and feasibility of the authorized operation;
(III) Selection criteria for operating institutions, including capacity in funding, management, technology, service, and security;
(IV) The authorization model — overall authorization, field-by-field authorization, or scenario-based authorization, etc.;
(V) The scope of authorized-operation data resources, the data resource catalogue, data update frequency, and data-quality conditions;
(VI) The authorized-operation period, construction content, technical safeguards, implementation schedule, evaluation standards, exit mechanism, asset administration, etc.;
(VII) The list of proposed public data products and services, which shall include two major categories — supporting public governance and public welfare, and supporting industry development and sectoral development — as well as the expected form of products and services;
(VIII) The cost and revenue accounting mechanism within the operating institution’s authorized scope, and the revenue distribution mechanism;
(IX) Data security, personal information protection measures, and emergency-response measures;
(X) Rights and obligations of the implementing institution, operating institution, and other relevant participants;
(XI) Supervision, administration, and performance-evaluation requirements for the authorized operation;
(XII) Other matters that should be clarified.
Article 10. Feasibility argumentation shall include, but not be limited to, full lifecycle management services for authorized-operation data, social demand, market scale, expected effectiveness, and risk control.
Article 11. Implementation plans for authorized operation of public data resources shall be deliberated and approved in accordance with the “three majors and one large” (三重一大) decision-making mechanism requirements before implementation.
Data administration authorities of local people’s governments at and above the county level shall be responsible for, or shall assist in, submitting the implementation plan of their region to the people’s government at the same level for deliberation. Data administration bodies of national sectoral competent authorities shall be responsible for, or shall assist in, submitting the implementation plan of their department to the ministerial executive meeting for deliberation.
Implementation plans that have been deliberated and approved shall not, in principle, be arbitrarily changed; where major changes are genuinely required, they shall be re-submitted for deliberation and approval through the original process.
Provincial-level data administration authorities and data administration bodies of national sectoral competent authorities shall properly conduct filing administration for the implementation plans of their region or department.
Chapter IV Agreement Execution
Article 12. Implementing institutions shall, in accordance with the deliberated and approved implementation plan, select operating institutions through fair-competition methods such as public bidding, invited bidding, or negotiation, as required by laws and regulations. The content of the bidding, procurement, and negotiation documents relating to the authorized-operation agreement shall fully solicit the opinions of relevant parties.
Operating institutions shall possess the management and technical service capacity required for data resource processing and operation, shall have sound business and credit standing, and shall comply with the State’s data security protection requirements.
Article 13. The implementing institution shall, independently or together with the relevant business-competent department at the same level, enter into a public data resource authorized-operation agreement with the lawfully selected operating institution after deliberation and approval by the implementing institution’s “three majors and one large” decision-making mechanism. Provincial-level data administration authorities and data administration bodies of national sectoral competent authorities shall properly conduct filing administration for the various authorized-operation agreements in their region or department, and strengthen dynamic monitoring of agreement performance.
Article 14. The content of the public data resource authorized-operation agreement shall include:
(I) The scope and data resource catalogue of the authorized-operation public data resources;
(II) The operating period, which shall not exceed five years in principle;
(III) The list of proposed public data products and services, and the technical standards, security review requirements, and business-compliance review requirements applicable to them;
(IV) The technical support platform for the public data resource authorized-operation work;
(V) Asset ownership, including ownership of software and hardware equipment and of public data products and services;
(VI) Information-disclosure requirements regarding the authorized-operation work, and the requirement that the operating institution shall not directly or indirectly participate in further development;
(VII) Accounting requirements for cost and revenue within the operating institution’s authorized scope, and the revenue distribution mechanism;
(VIII) Data security and personal information protection requirements, and risk monitoring and emergency-response measures;
(IX) Operating-effectiveness evaluation, and renewal or exit mechanism;
(X) Liability for breach of contract;
(XI) Dispute resolution methods;
(XII) Conditions for modification and termination of the agreement;
(XIII) Other matters requiring clarification.
Chapter V Operation and Implementation
Article 15. Implementing institutions shall establish a sound, safe, and controllable development and utilization environment, make full use of existing information system resources, encourage integrated construction, support the application of safe and trusted circulation technologies such as privacy computing, and ensure that the development and utilization of data resources is manageable, controllable, and traceable.
Article 16. Implementing institutions and operating institutions shall, respectively, register the public data resources, and the public data products and services, within the scope of authorized operation in accordance with the public data resource registration administration requirements.
Article 17. Prices of public data products and services shall be implemented in accordance with the State’s relevant pricing policies.
Article 18. Implementing institutions shall publicly disclose the situation of authorized operation as required, regularly disclose to society the authorized subjects, content, scope, and term, and accept social supervision.
Article 19. Operating institutions shall publicly disclose the list of public data products and services, regularly disclose to society the use of public data resources, and accept social supervision.
Article 20. Authorized operation shall protect the lawful rights and interests of all participating parties. Implementing institutions and operating institutions are encouraged to support the data governance and service capacity construction of all regions and departments through technology, products and services, revenue, and other means, in a lawful and compliant manner.
Chapter VI Operation Administration
Article 21. Implementing institutions shall establish a sound administration system, strengthen data governance, enhance data quality, implement the requirements of the data classification and grading protection system, strengthen technical support and data security administration, strictly control the direct entry into the market of unpublished original public data resources, and strengthen internal control and audit of operating institutions with respect to authorized-operation activities.
Operating institutions shall fulfill their primary responsibility for data security, strengthen internal control administration, technical administration, and personnel administration, shall not use public data resources beyond the scope of authorization, and shall strictly prevent data-security risks in the processing, operation, and service stages.
Implementing institutions and operating institutions shall, through administrative and technical measures, strengthen the identification and control of risks arising from data association and aggregation, in order to safeguard data security.
Article 22. Operating institutions shall strengthen internal administration of costs, revenue, and expenses related to public data products and services; financial revenue and expenditure related to public data products and services shall be administered in accordance with existing financial-administration systems and subject to supervision in accordance with the law.
Article 23. In conducting public data resource authorized operation, the responsible action of cadres shall be encouraged and protected; an atmosphere of encouraging and tolerating innovation shall be fostered; at the same time, the abuse of data for private gain shall be resolutely prevented.
In conducting authorized operation, safety risks arising from improper handling of the data-asset and data-asset-capitalization process shall be effectively identified and controlled, and financial risks shall be earnestly prevented and resolved.
Chapter VII Supplementary Provisions
Article 24. Data administration authorities of local people’s governments at and above the county level, and data administration bodies of national sectoral competent authorities, may formulate implementation rules in accordance with these Specifications, in light of their actual circumstances.
For authorized operations conducted before these Specifications take effect, the operations shall be progressively brought into conformity with these Specifications. Authorized operation activities newly conducted after these Specifications take effect shall be carried out in accordance with these Specifications.
Article 25. Authorized operation of public data resources held by central Party-and-mass organs and by local Party committees at and above the county level shall be carried out with reference to these Specifications.
The development and utilization of public data resources held by public utility enterprises in sectors such as water supply, gas supply, heating, electricity, and public transportation may be authorized for use with reference to the relevant procedural requirements of these Specifications, in order to safeguard the public interest and the lawful data rights and interests of enterprises, and to accept supervision by the government and society.
Article 26. The National Data Administration is responsible for the interpretation of these Specifications.
Article 27. These Specifications shall come into force on March 1, 2025, with a validity period of 5 years, and shall be revised and adjusted in due course as the situation warrants.