# Data Compliance China — Full Corpus

> Generated 2026-05-29 from https://datacompliancechina.com

This file contains the full text of DCC's editorial corpus: 35 laws and regulatory instruments, 36 briefings, and a 361-term bilingual glossary. Intended for one-pass ingestion by LLM crawlers and research tools.

Canonical URLs and per-page markdown:

- Briefs: `/posts/.md`
- Laws: `/laws/.md`
- Glossary JSON: `/glossary.json`
- Curated index: `/llms.txt`
- Structured catalog: `/manifest.json`

---

# I. LAWS AND REGULATIONS

## China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter

- Chinese title: 中国—新加坡联合数据合规指引:实务手册(中国篇)
- Abbreviation: CN-SG Joint Guide
- Hierarchy: handbook
- Issuing body: Shenzhen Data Exchange · Asian Business Law Institute (Singapore) · Authority of Qianhai · Shenzhen Bureau of Justice
- Effective: 2025-08-01
- Status: effective
- URL: https://datacompliancechina.com/laws/cs-joint-data-compliance-guide/
- Markdown: https://datacompliancechina.com/laws/cs-joint-data-compliance-guide.md

### Summary

A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime.

### Full text

**Issued by:** Shenzhen Data Exchange (深圳数据交易所) and the Asian Business Law Institute (亚洲商法研究所), Singapore.
**Guiding Organizations:** Shenzhen Municipal Service and Data Administration · Shenzhen Municipal Bureau of Justice · Authority of Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone · Shenzhen Law Society.

**Supporting Organization:** Network Data Security Compliance Laboratory (Shenzhen Qianhai).

**Current as of:** August 2025.

> *Editor's Note — DCC.*
>
> This is the most useful single document DCC has come across for orienting overseas counsel to the architecture of China's data-compliance regime. It is not a statute and does not bind anyone — but it is co-authored by the institution that operates China's national data circulation infrastructure (Shenzhen Data Exchange) and the most senior China data bar (Fangda, Han Kun, Zhong Lun, Global Law, KWM, Tianda & Gonghe, V&T, Simmons & Simmons). Its conceptual contribution — the **two-axis compliance framework** (subject obligations × object types) — is the mental model we recommend overseas readers internalize first.
>
> The Guide explicitly permits non-commercial reproduction with source attribution. The chapter outline below is reproduced from the Guide's own Table of Contents; the conceptual summaries are DCC's distillation. The [DCC Overview page](/overview/) renders the same framework in visual form for first-time readers.

## Why this matters for overseas teams

China's data regime has accumulated more than a decade of statutes, regulations, departmental rules, standards, judicial interpretations, and policy directives. For someone approaching it cold, the volume is the obstacle. The Joint Guide solves this in three ways:

- **A single mental model.** The Guide explicitly organizes the regime around a *Subject × Object* grid — what an organization must do (Subject Compliance), crossed with what each type of data requires (Object Compliance). Every detailed obligation in the regime fits into one of the resulting cells.
- **A regulator map.** Six categories of regulators with overlapping mandates (CAC, MIIT, MPS, SAMR, industry regulators, and the National Data Security Coordination Mechanism) are mapped in Chapter II with each one's specific authority.
- **A path-selection framework for cross-border data.** Chapter V walks through the decision logic that maps a specific data transfer to the right compliance pathway — security assessment, standard contract filing, certification, or exemption.

For overseas counsel, the Guide is the closest thing in 2025 to an authoritative single-source orientation to the Chinese data regime.

## Chapter outline

The Guide's seven chapters in the China Chapter:

### Chapter I — Overview and User Guide

- **I.** Introduction: The Context of China–Singapore Digital Cooperation
  - *(i) The Practical Basis of China–Singapore Data Cooperation and Enterprise Needs*
  - *(ii) Evolution and Opening Trends of China's Data Compliance Framework*
- **II.** China's Practical Framework and Compliance Logic — the **two-axis model**
  - *(i) Subject Compliance: Core Obligations of Data Processors* (org structure, policy, classification, partners, risk assessment, incident response)
  - *(ii) Object Compliance: Special Requirements for Different Types of Data* (general / important / personal / public / industry-specific)
- **III.** Guidelines for Use and Practical Tools (content index + usage tips)

### Chapter II — Regulatory System and Departmental Responsibilities

- **I.** Cyberspace Administration of China (CAC)
- **II.** Ministry of Industry and Information Technology (MIIT)
- **III.** Public Security Authorities
- **IV.** Market Regulation Authorities
- **V.** Industry Regulators and Other Authorities (PBoC, NFRA, NHC, MNR, MoE, MoT, etc.)
- **VI.** National Data Security Coordination Mechanism

### Chapter III — Compliance Requirements for Data Processing Entities (the Subject Axis)

- **I.** Organizational Structure (PIPO appointments, internal committees, reporting lines)
- **II.** Policy Development and Personnel Management (internal rules, training, access controls)
- **III.** Data Classification and Grading (per GB/T 43697-2024 and sector-specific catalogues)
- **IV.** Management of External Partners (entrusted processing, joint processing, third-party sharing)
- **V.** Risk Assessment Mechanisms (PIA, important-data risk assessment, network-data activity assessment)
- **VI.** Security Incident Response and Handling

### Chapter IV — Compliance Standards for Data Objects (the Object Axis)

- **I.** General Data — common requirements (definition, types, key compliance requirements)
- **II.** Important Data — identification, assessment, management obligations (per DSL + Network Data Security Regulation)
- **III.** Personal Information — PIPL implementation requirements (lawful bases, individual rights, separate consent, cross-border)
- **IV.** Public Data — definition, identification, sharing and opening (per Data 20 Articles + NDA registration regime)
- **V.** Special Industry Data
  - *(i) Surveying, Mapping and Geographic Information Data*
  - *(ii) Health and Medical Data*
  - *(iii) Financial Credit Reference Data*
  - *(iv) Automotive Data*
  - *(v) Other industry-specific verticals*

### Chapter V — Compliance Paths for Cross-Border Data Flow

- **I.** Path Selection for Outbound Data Flow
  - *(i) Security assessment declarations / standard contract filings / PI protection certifications under the applicable compliance paths*
- **II.** Requirements for Data Processors in Outbound Data Flow
- **III.** Localization Data Storage Requirements
- **IV.** Important Data Cross-Border Transfer (compliance requirements + security assessment for important data export)

### Chapter VI — Good Compliance Practice Guidelines

Worked examples, scenario-based recommendations, and benchmark practices observed in foreign-invested-enterprise compliance work.

### Chapter VII — Frequently Asked Questions

Practical Q&A clarifying common edge cases (small-volume processors, group structures, vendor cascades, etc.).

## The conceptual contribution: Subject × Object

The Guide's most useful idea is also its simplest. Every concrete compliance question can be located on a 2D grid:

| | **Org structure** | **Policy** | **Classification** | **Partners** | **Risk assess** | **Incident response** |
|------------------------------|:----:|:----:|:----:|:----:|:----:|:----:|
| **General data** | · | · | · | · | · | · |
| **Important data** | · | · | · | · | · | · |
| **Personal information** | · | · | · | · | · | · |
| **Public data** | · | · | · | · | · | · |
| **Industry-specific data** | · | · | · | · | · | · |

The grid's value: every detailed obligation in CSL, DSL, PIPL, NDR, the cross-border provisions, the PI audit measures, the GenAI rules, and the sector-specific regulations slots into one of the cells. Once a compliance team has internalized the grid, the corpus stops feeling like a chaos of rules and starts behaving like a structured matrix.

See the [DCC Overview page](/overview/) for the rendered grid with each cell anchored to the underlying laws.

## Editorial choices in DCC's coverage of the Guide

- **No full text reproduction.** The Guide is 110+ pages. DCC treats it as a primary reference and links overseas readers to the official PDF for the full text.
- **Concept distillation.** DCC's [Overview page](/overview/) renders the Guide's framework visually so first-time readers get the model in five minutes.
- **Derivative briefs.** Each of Chapters II–V will be the subject of standalone DCC briefs (1500–2500 words each), credited to the Guide.

## Source

Original document: *China–Singapore Joint Data Compliance Guide: Practical Handbook* (中国—新加坡联合数据合规指引:实务手册), China Chapter.
Jointly compiled by the Shenzhen Data Exchange (深圳数据交易所) and the Asian Business Law Institute (Singapore), under the guidance of the Authority of Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone. Released August 2025.

Official PDF (hosted by Qianhai Authority): [qh.sz.gov.cn/attachment/1/1661/1661659/12551073.pdf](https://qh.sz.gov.cn/attachment/1/1661/1661659/12551073.pdf)

The Guide is non-commercial and explicitly permits reproduction with source attribution.

---

## Measures for the Security Assessment of Data Export

- Chinese title: 数据出境安全评估办法
- Hierarchy: rule
- Issuing body: Cyberspace Administration of China (CAC)
- Adopted: 2022-05-19
- Effective: 2022-09-01
- Status: effective
- URL: https://datacompliancechina.com/laws/data-export-security-assessment-measures/
- Markdown: https://datacompliancechina.com/laws/data-export-security-assessment-measures.md

### Summary

The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds.

### Full text

**Promulgated by:** Cyberspace Administration of China (CAC).

**Document No.:** Decree No. 11 of the Cyberspace Administration of China.

**Adopted at the 10th executive meeting of the CAC in 2022 on May 19, 2022. Effective September 1, 2022.**

---

**Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations to regulate data provision abroad, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of data across borders.

**Article 2.** These Measures apply to the security assessment of critical data and personal information collected and generated by a data handler in its operation in the People's Republic of China, which are to be provided abroad. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail.

**Article 3.** Security assessment for data provision abroad shall follow the principles of combining ex-ante assessment with continuous supervision, and combining risk self-assessment with security assessment, so as to prevent the security risks arising from data provision abroad and ensure the orderly and free flow of data according to the law.
**Article 4.** To provide data abroad under any of the following circumstances, a data handler shall declare security assessment for its provision of data abroad to the Cyberspace Administration of China ("CAC") through the local cyberspace administration at the provincial level: (I) where a data handler provides critical data abroad; (II) where a key information infrastructure operator or a data handler processing the personal information of more than one million people provides personal information abroad; (III) where a data handler has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total abroad since January 1 of the previous year; and (IV) other circumstances prescribed by the CAC for which declaration for security assessment for data provision abroad is required.

**Article 5.** Prior to declaring security assessment for data provision abroad, a data handler shall conduct a self-assessment of the risks of data provision abroad, focusing on the following matters: (I) the legality, legitimacy and necessity of the purpose, scope and method of data provision abroad and of data processing by the overseas recipient; (II) the scale, scope, type and sensitivity of the data to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by data provision abroad; (III) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient's management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of data provision abroad; (IV) the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after data provision abroad, and whether the channel for the maintenance of personal information rights and interests is smooth; (V) whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents (hereinafter referred to collectively as the "legal documents") have fully agreed on the responsibilities and obligations to protect data security; and (VI) other matters that may affect the security of data provision abroad.

**Article 6.** To declare security assessment for data provision abroad, the following materials shall be submitted: (I) a declaration form; (II) a self-assessment report on the risks of data provision abroad; (III) the legal documents to be concluded by the data handler and the overseas recipient; and (IV) other materials necessary for security assessment.

**Article 7.** The cyberspace department at the provincial level shall complete the examination of the completeness of declaration materials within five working days after receiving them. Where the declaration materials are complete, they shall be submitted to the CAC; where the declaration materials are incomplete, they shall be returned to the data handler, and the data handler shall be informed on a one-time basis of the materials to be supplemented. The CAC shall, within seven working days after receipt of the declaration materials, determine whether or not to accept them, and notify the data handler in writing.
**Article 8.** The security assessment for data provision abroad shall focus on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the activity of data provision abroad, mainly including the following matters: (I) the legality, legitimacy and necessity of the purpose, scope, and method of data provision abroad; (II) the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People's Republic of China and mandatory national standards; (III) the size, scope, types and sensitivity of data to be provided abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad; (IV) whether data security and personal information rights and interests can be fully and effectively guaranteed; (V) whether the legal documents to be concluded by the data handler and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection; (VI) compliance with Chinese laws, administrative regulations and departmental rules; and (VII) other matters that the CAC considers necessary to be assessed.

**Article 9.** A data handler shall expressly agree on the responsibilities and obligations of data security protection in the legal documents concluded with the overseas recipient, which shall at least include the following contents: (I) the purpose and method of data provision abroad and the scope of the data, and the purpose and method, etc. for processing the data by the overseas recipient; (II) the location and duration of storage of the data abroad, as well as the handling measures for the data provided abroad after the storage period expires, the agreed purpose is completed, or the legal documents are terminated; (III) restrictive requirements on the overseas recipient's re-provision of the data provided abroad to other organizations and individuals; (IV) the security measures to be taken by the overseas recipient when its actual control or business scope has changed substantially, when the data security protection policies and regulations or the cybersecurity environment of the country or region where the overseas recipient is located have changed, or upon the occurrence of any other force majeure event under which data security cannot be ensured; (V) remedial measures, liability for breach of contract and dispute resolution in the event of violation of the data security protection obligations agreed in the legal documents; and (VI) the requirements to properly carry out emergency response when the data provided abroad is at risk of being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect individuals' personal information rights and interests.

**Article 10.** After accepting a declaration, the CAC shall organize the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialized agencies to conduct security assessment in light of the declaration.

**Article 11.** During the security assessment, if it is found that the declaration materials submitted by a data handler fail to meet requirements, the CAC may require the data handler to supplement or correct the materials. In case the data handler fails to supplement or correct the materials without justified reasons, the CAC may terminate the security assessment.
A data handler shall be responsible for the authenticity of the materials submitted. If a data handler deliberately submits false materials, it shall be deemed to have failed the assessment, and the data handler shall be held legally liable according to the law.

**Article 12.** The CAC shall, within 45 working days of issuing a written notice of acceptance to the data handler, complete the security assessment for data provision abroad; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended appropriately, and the data handler shall be notified of the expected extension period. The data handler shall be informed of the assessment results in writing.

**Article 13.** Where a data handler has any objection to the assessment results, it may, within 15 working days of receiving the results, apply to the CAC for a re-assessment, and the re-assessment results are final.

**Article 14.** The results of security assessment for data provision abroad are valid for two years, commencing from the date when the results are issued.
The data handler shall re-apply for assessment if any of the following circumstances occurs within the period of validity: (I) the purpose, method, scope or type of data provision abroad, or the purpose or method of data processing by the overseas recipient, has changed so as to affect the security of the data provided abroad, or the period of storage of personal information and critical data abroad has been extended; (II) the security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, any change in the actual control of the data handler or the overseas recipient, or any change in the legal documents between the data handler and the overseas recipient; and (III) any other circumstance affecting the security of the data provided abroad.

If it is necessary to continue data provision abroad after the expiration of the period of validity, the data handler shall declare for assessment anew 60 working days before the expiration of the period of validity.

**Article 15.** The relevant institutions and personnel participating in security assessment shall, in accordance with the law, keep confidential the state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they have accessed in fulfilling their duties, and shall not divulge or illegally provide the same to others or illegally use such data.

**Article 16.** Any organization or individual who discovers the provision of data abroad by any data handler in violation of these Measures may report the case to a cyberspace administration at the provincial level or above.
**Article 17.** Where the CAC finds that data provision abroad that has passed assessment no longer meets the requirements for security management of data provision abroad in the course of actual processing, it shall notify the data handler in writing to terminate the data provision abroad. If the data handler needs to continue carrying out data provision abroad, it shall make rectification as required and, upon completion of the rectification, apply for assessment anew.

**Article 18.** Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

**Article 19.** For the purpose of these Measures, the term "critical data" refers to data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.

**Article 20.** These Measures shall come into force on September 1, 2022. For data provision abroad that has been carried out before these Measures take effect, if it is not in compliance with these Measures, rectification shall be completed within six months from the date these Measures take effect.
---

## Security Protection Regulations for Critical Information Infrastructure

- Chinese title: 关键信息基础设施安全保护条例
- Abbreviation: CII Regulations
- Hierarchy: regulation
- Issuing body: State Council
- Adopted: 2021-04-27
- Effective: 2021-09-01
- Status: effective
- URL: https://datacompliancechina.com/laws/cii-protection-regulations/
- Markdown: https://datacompliancechina.com/laws/cii-protection-regulations.md

### Summary

These Regulations operationalize the Critical Information Infrastructure (CII) regime under CSL Articles 31–39. They define CII identification rules, set out CIIO obligations (specialized security body, annual testing and risk assessment, security review of network products, breach reporting), and establish the inter-agency coordination structure under CAC + Ministry of Public Security.

### Full text

**Promulgated by:** State Council.

**Document No.:** Decree No. 745 of the State Council.

**Adopted at the 133rd executive meeting of the State Council on April 27, 2021. Effective September 1, 2021.** Premier Li Keqiang.

---

## Chapter I General Provisions

**Article 1.** These Regulations are enacted in accordance with the Cybersecurity Law of the People's Republic of China for the purposes of protecting the security of critical information infrastructure and maintaining cyber security.

**Article 2.** For the purpose of these Regulations, critical information infrastructure refers to the important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy and the people's livelihood, and public interests.
**Article 3.** Under the overall planning and coordination of the Cyberspace Administration of China (hereinafter referred to as the CAC), the public security department under the State Council is responsible for guiding and supervising the protection of the security of critical information infrastructure.

The competent telecommunications department of the State Council and other relevant departments shall, in accordance with the provisions of these Regulations and relevant laws and administrative regulations, be responsible for protecting, supervising and administering the security of critical information infrastructure within the scope of their respective duties.

Relevant departments of the provincial people's government shall protect, supervise and administer the security of critical information infrastructure ex officio.

**Article 4.** For the security protection of critical information infrastructure, it is imperative to adhere to the principles of comprehensive coordination, division of responsibilities and legal protection, to strengthen and implement the responsibilities of critical information infrastructure operators (hereinafter referred to as the "operators") as the responsible subjects, and to give full play to the role of the government and all sectors of society, so as to jointly protect the security of critical information infrastructure.

**Article 5.** The State gives priority to the protection of critical information infrastructure, takes measures to monitor, defend against and deal with cyber security risks and threats from both within and outside the territory of the People's Republic of China, protects critical information infrastructure from attacks, intrusions, interference and damage, and punishes illegal and criminal activities endangering the security of critical information infrastructure in accordance with the law.
No individual or organization may illegally invade, interfere with or destroy critical information infrastructure, or otherwise endanger the security of critical information infrastructure.

**Article 6.** Operators shall, in accordance with the provisions of these Regulations, relevant laws and administrative regulations and the compulsory requirements of national standards, take technical protection measures and other necessary measures based on the graded protection scheme for cyber security, respond to cyber security incidents, prevent cyber attacks and illegal and criminal activities, guarantee the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data.

**Article 7.** Entities and individuals that have made remarkable achievements in or outstanding contributions to the security protection of critical information infrastructure shall be commended in accordance with the relevant provisions of the State.

## Chapter II Identification of Critical Information Infrastructure

**Article 8.** For the important industries and fields mentioned in Article 2 hereof, the competent authorities and supervisory authorities are the authorities responsible for the security protection of critical information infrastructure (hereinafter referred to as the "protection authorities").

**Article 9.** The protection authorities shall, in light of the actual conditions of their respective industries and fields, develop rules for the identification of critical information infrastructure, and file such rules with the public security department under the State Council for the record.

The following factors shall be taken into account in the formulation of identification rules: (I) the degree of importance of network facilities, information systems, etc. for the key and core business of the industry and field concerned; (II) the degree of harm that may be caused in the event of any destruction, loss of function or leak of data of the network facilities or information systems; and (III) the impact on, and relevance to, other industries and fields.

**Article 10.** The protection authorities shall, in accordance with the identification rules, be responsible for organizing the identification of critical information infrastructure in their respective industries and fields, notify the operators concerned of the identification results in a timely manner, and report the same to the public security department under the State Council.

**Article 11.** Operators shall report relevant information on any material change in critical information infrastructure that may affect the identification results to the protection authorities in a timely manner. The protection authorities shall complete the identification anew within three months of receipt of the report, notify the operator concerned of the identification results, and report the same to the public security department under the State Council.

## Chapter III Responsibilities and Obligations of an Operator

**Article 12.** The security protection measures shall be planned, established and put into use simultaneously with the critical information infrastructure.

**Article 13.** An operator shall establish a sound cyber security protection system and responsibility system to ensure the input of manpower, financial and material resources. The person chiefly in charge of the operator shall take overall responsibility for the protection of the security of critical information infrastructure, lead the security protection of critical information infrastructure and the handling of major cyber security incidents, and organize the study and resolution of major cyber security issues.
**Article 14.** An operator shall set up a specialized security management body, and conduct security background reviews of the person in charge of the specialized security management body and of persons in key positions. During the review, the public security authority and national security authority shall provide assistance.

**Article 15.** The specialized security management body of an operator shall be specifically responsible for the security protection of the operator's critical information infrastructure, and shall perform the following duties: (I) establishing a sound cyber security management, evaluation and assessment system, and drafting the security protection plan for critical information infrastructure; (II) organizing and promoting the development of cyber security protection capacity, and conducting the monitoring, testing and risk assessment of cyber security; (III) developing the operator's own emergency plans, conducting regular emergency drills, and handling cyber security incidents in accordance with the national and industrial emergency plans for cyber security incidents; (IV) identifying key positions for cyber security, organizing the assessment of cyber security work, and proposing rewards and punishments; (V) organizing cyber security education and training; (VI) performing the responsibility of personal information and data security protection, and establishing a sound personal information and data security protection system; (VII) conducting security management of services such as the design, construction, operation and maintenance of critical information infrastructure; and (VIII) reporting cyber security incidents and important matters as required.

**Article 16.** An operator shall ensure the operating funds for its specialized security management body, allocate corresponding personnel, and have the personnel of the specialized security management body participate in making decisions relating to cyber security and informatization.
**Article 17.** An operator shall conduct by itself, or entrust a cyber security service agency to conduct, cyber security testing and risk assessment on its critical information infrastructure at least once a year, rectify security problems discovered in a timely manner, and report information as required by the protection authorities.

**Article 18.** In the event of any major cyber security incident affecting, or the discovery of any major cyber security threat to, the critical information infrastructure, the operator shall report to the protection authorities and the public security authorities as required. For any particularly major cyber security incident, such as disruption of the operation of critical information infrastructure in whole or major function failure, divulgence of national basic information and other important data, divulgence of large-scale personal information, large economic losses or spread of illegal information over a large scale, or discovery of any particularly major cyber security threat, the protection authorities shall, after receiving such report, report to the CAC and the public security department under the State Council in a timely manner.

**Article 19.** Operators shall give priority to purchasing safe and reliable networking products or services. If the purchase of networking products or services may affect national security, it is required to pass the security review in accordance with the national cyber security provisions.

**Article 20.** In purchasing networking products or services, operators shall enter into a security confidentiality agreement with the networking product or service provider in accordance with the relevant provisions of the State, specifying the technical support and security confidentiality obligations and responsibilities of the provider, and supervise the fulfillment of those obligations and responsibilities.
**Article 21.** In the event of merger, division or dissolution, an operator shall report to the protection authorities in a timely manner, and deal with the critical information infrastructure as required by the protection authorities to ensure security.

## Chapter IV Guarantee and Promotion

**Article 22.** The protection authorities shall work out a security plan for the critical information infrastructure of the industry or field, specifying protection objectives, basic requirements, tasks and specific measures.

**Article 23.** The CAC shall coordinate with the relevant authorities to establish a cyber security information sharing mechanism, timely summarize, study, judge, share and release cyber security threats, vulnerabilities, incidents and other information, and promote cyber security information sharing among the relevant authorities, protection authorities, operators and cyber security service agencies.

**Article 24.** The protection authorities shall establish a sound monitoring and early warning system for the cyber security of the critical information infrastructure of the industry or field, timely learn about the operation status and security situation of the critical information infrastructure of the industry or field, give early warning of and notify threats and hazards to cyber security, and guide the security prevention work.

**Article 25.** The protection authorities shall, in accordance with the requirements of the State emergency plan for cyber security incidents, establish a sound emergency plan for cyber security incidents of the industry or field, regularly organize emergency drills, guide the operator to respond to and deal with cyber security incidents, and organize the provision of technical support and assistance as needed.
**Article 26.** The protection authorities shall regularly organize inspections and testing of the cyber security of the critical information infrastructure of the industry or field, and guide and supervise the operator to promptly rectify potential security risks and improve security measures.

**Article 27.** The CAC shall coordinate with the public security department under the State Council and the protection authorities to inspect and test cyber security of the critical information infrastructure and propose improvement measures. When carrying out inspections of the cyber security of the critical information infrastructure, relevant authorities shall strengthen cooperation and information communication to avoid unnecessary, overlapping and repeated inspections. No fees shall be charged for the inspections, and the inspected entities shall not be required to purchase the products or services of designated brands or designated manufacturers or sellers.

**Article 28.** Operators shall cooperate with the inspections and testing of the cybersecurity of the critical information infrastructure carried out by the protection authorities, and the inspections of the cybersecurity of the critical information infrastructure carried out by the public security department, State security department, secrecy administration, password administration and other relevant authorities in accordance with the law.

**Article 29.** The CAC, the competent telecommunications department of the State Council and the public security department under the State Council shall, in accordance with the needs of the protection authorities, provide technical support and assistance in a timely manner during the protection of the security of the critical information infrastructure.
**Article 30.** The CAC, public security organs, protection authorities and other relevant authorities, cyber security service agencies and the staff thereof shall use the information acquired in the protection of the security of the critical information infrastructure only for the purpose of maintaining cyber security, and the security of such information shall be ensured in strict accordance with the requirements of relevant laws and administrative regulations, and such information shall not be divulged, sold or illegally provided to others.

**Article 31.** Without the approval of the CAC and the public security department under the State Council or the authorization of the protection authorities or an operator, no individual or organization may carry out vulnerability testing, penetration testing and other activities that may affect or endanger the security of the critical information infrastructure. Before carrying out vulnerability testing, penetration testing and other activities on the basic telecommunications network, it is required to report to the competent telecommunications department under the State Council in advance.

**Article 32.** The State takes measures to give priority to the safe operation of critical information infrastructure such as energy and telecommunications. Energy and telecommunications industries shall take measures to give priority to the safe operation of critical information infrastructure in other industries and fields.

**Article 33.** Public security organs and State security organs shall, ex officio, strengthen the security protection of critical information infrastructure in accordance with the law, and prevent and crack down on illegal and criminal activities against the critical information infrastructure and illegal and criminal activities by using the aforesaid information.
**Article 34.** The State formulates and improves the security standards for critical information infrastructure, guides and regulates the protection of the security of critical information infrastructure.

**Article 35.** The State takes measures to encourage specialized cyber security talent to engage in the protection of the security of critical information infrastructure and includes the training of security management personnel and security technicians of the operator in the national continuing education system.

**Article 36.** The State supports technological innovation and industrial development in respect of security protection for critical information infrastructure and organizes efforts to make technological breakthroughs in respect of security protection for critical information infrastructure.

**Article 37.** The State strengthens the construction and management of cyber security service agencies, formulates administrative requirements and reinforces supervision and guidance, constantly improves the capability of service agencies, and gives full play to their role in the protection of the security of critical information infrastructure.

**Article 38.** The State strengthens military and civilian integration of cyber security and protects the security of critical information infrastructure through military-civilian collaboration.

## Chapter V Legal Liability

**Article 39.** For an operator falling under any of the following circumstances, the competent authorities shall order it to make corrections and give it a warning ex officio.
In case of refusal to make corrections or resulting in such consequence as endangering cyber security, it shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan, and the person directly in charge shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan:

(I) Failing to report relevant information to the competent protection authorities in a timely manner when the identification result may be affected due to material changes in critical information infrastructure;

(II) Failing to plan, construct or put into use security protection measures and critical information infrastructure simultaneously;

(III) Failing to establish a sound cyber security protection system and responsibility system;

(IV) Failing to set up a specialized security management body;

(V) Failing to conduct background review on the person in charge and personnel in key positions of a specialized security management body;

(VI) Failing to have the personnel of a specialized security management body participate in making decisions relating to cyber security and informatization;

(VII) Failing to perform the duties specified in Article 15 of these Regulations by a specialized security management body;

(VIII) Failing to conduct cyber security testing and risk assessment for critical information infrastructure at least once a year, failing to make timely rectification of security problems found out, or failing to report the relevant information as required by the competent protection authorities;

(IX) Failing to enter into a security confidentiality agreement with the provider of networking products or services in accordance with the relevant provisions of the State when purchasing networking products or services; or

(X) Failing to report to the competent protection authorities in a timely manner in the event of merger, division or dissolution, or failing to deal with critical information infrastructure as required by the competent protection
authorities.

**Article 40.** For any operator failing to report to the competent protection authorities or the public security organ as required when a major cybersecurity incident occurs or a major cybersecurity threat is discovered with respect to critical information infrastructure, the competent protection authorities or the public security organ shall, ex officio, order it to make rectifications and give it a warning; in case of refusal to make rectifications or resulting in such consequence as endangering cybersecurity, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on it, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge of the operator.

**Article 41.** For an operator failing to conduct security review in accordance with the provisions on cybersecurity of the State when purchasing networking products or services that may affect national security, the CAC and other competent authorities shall, ex officio, order it to make rectifications, impose a fine of not less than one time but not more than ten times the purchase amount on it, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person directly in charge and other persons directly liable.

**Article 42.** Where an operator refuses to cooperate with the inspection and testing of the cybersecurity of the critical information infrastructure carried out by the protection authorities, or refuses to cooperate with the inspection and testing of the cybersecurity of the critical information infrastructure carried out by the public security, national security, secrecy administration, password administration and other relevant authorities in accordance with the law, the competent authorities shall order it to make rectifications.
If it refuses to make rectifications, a fine of not less than 50,000 yuan but not more than 500,000 yuan will be imposed, and a fine of not less than 10,000 yuan but not more than 100,000 yuan will be imposed on the person directly in charge and other persons directly liable. In a serious case, the operator shall be investigated for corresponding legal liability in accordance with the law.

**Article 43.** Where anyone illegally intrudes into, interferes with or destroys critical information infrastructure in a manner that endangers the security of such infrastructure but does not constitute a crime, the public security organ concerned shall, in accordance with the Cybersecurity Law of the People's Republic of China, confiscate his/her illegal gains, detain him/her for not more than five days, and may jointly impose a fine of not less than 50,000 yuan but not more than 500,000 yuan on him/her; if the circumstances are relatively serious, the public security organ concerned shall detain him/her for not less than five days but not more than 15 days, and impose a fine of not less than 100,000 yuan but not more than 1 million yuan on him/her.

Where an entity commits any of the acts prescribed in the preceding paragraph, the public security organ concerned shall confiscate its illegal gains, impose a fine of not less than 100,000 yuan but not more than 1 million yuan on it, and punish the person directly in charge and other persons directly liable in accordance with the provisions of the preceding paragraph.

Whoever violates the provisions of Paragraph 2 of Article 5 and Article 31 hereof and is subject to public security administrative penalties shall not hold key posts of cyber security management and network operation for five years, and whoever is subject to criminal penalties shall not hold such key posts for life.
**Article 44.** Where a cyberspace administration, public security organ, protection authorities or any other relevant authority, as well as their staff, fail to perform their duties of protecting, supervising and administering the security of critical information infrastructure, neglect their duties, abuse their powers, or play favoritism and commit irregularities, the person directly in charge and other persons directly liable shall be punished in accordance with the law.

**Article 45.** In conducting a cybersecurity inspection of critical information infrastructure, where a public security organ, protection authorities or any other relevant authority charges fees, or requires the inspection object to purchase products or services of designated brands or designated production or sales entities, the superior organ shall order it to make corrections and to return the fees collected; if the circumstances are serious, the person directly in charge and other persons directly liable shall be punished in accordance with the law.

**Article 46.** Where a cyberspace administration, public security organ, protection authority or any other relevant department, a cyber security service agency or any staff thereof use the information acquired in the security protection of critical information infrastructure for any other purpose, or divulge, sell or illegally provide such information to others, the person directly in charge and other persons directly liable shall be punished in accordance with the law.

**Article 47.** Where a major or extremely major cybersecurity incident that has occurred to critical information infrastructure is determined upon investigation to be a liability accident, the liability of the operator shall be investigated and pursued in accordance with the law, and the liability of the relevant cyber security service agency and relevant department shall also be investigated.
In the case of dereliction of duty, malpractice or other illegal acts, liability shall be pursued in accordance with the law.

**Article 48.** The operator of a critical information infrastructure for e-government failing to perform the cybersecurity protection obligation as stipulated in these Regulations shall be punished in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China.

**Article 49.** Whoever violates the provisions of these Regulations, causing damage to others, shall bear civil liability in accordance with the law. Whoever violates the provisions of these Regulations, constituting a violation of public security administration, shall be subject to a penalty for public security administration in accordance with the law and, if a crime is constituted, be investigated for criminal liability in accordance with the law.

## Chapter VI Supplementary Provisions

**Article 50.** The protection of the security of storage and processing of any critical information infrastructure involving State secrets shall also be subject to the laws and administrative regulations on confidentiality. The password use and management for a critical information infrastructure shall also be governed by the provisions of the relevant laws and administrative regulations.

**Article 51.** These Regulations shall come into force as of September 1, 2021.
---

## Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements

- Chinese title: 中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见
- Abbreviation: Data Twenty Opinions
- Hierarchy: regulation
- Issuing body: CPC Central Committee and State Council
- Adopted: 2022-12-02
- Effective: 2022-12-02
- Status: effective
- URL: https://datacompliancechina.com/laws/data-foundation-system-opinions/
- Markdown: https://datacompliancechina.com/laws/data-foundation-system-opinions.md

### Summary

The foundational 20-article policy directive jointly issued by the CPC Central Committee and the State Council laying out China's national data basic system: data property rights structural subdivision (holding right / processing right / operation right), classified-and-graded right confirmation for public/enterprise/personal data, the on-floor + over-the-counter trading framework, the income distribution mechanism for data elements, and a multi-party governance model. This is the policy text that informs subsequent national-level legislation and rules on data assets, public data, and data property rights registration.

### Full text

**Promulgated by:** CPC Central Committee and State Council. Jointly issued by the CPC Central Committee and the State Council on December 2, 2022. Effective December 2, 2022.

---

## I. General Requirements

(I) Guiding ideology. Guided by Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, we should thoroughly implement the guidelines of the 20th National Congress of the Communist Party of China ("CPC"), implement new development concepts in a complete, accurate and comprehensive manner and accelerate the construction of a new development pattern.
It is imperative to adhere to reform innovation and system planning, take protecting national data security and protecting personal information and trade secrets as the premise, take promoting compliant and efficient data circulation and use and empowering the real economy as the main line, focus on data property rights, circulation trading, income distribution and security governance, deeply participate in the development of international high-standard digital rules, establish a basic data system that adapts to data characteristics, conforms to the law of development of the digital economy, ensures national data security and highlights the innovation leadership, fully realize the value of data elements, promote the sharing of development dividends of the digital economy by all the people and provide strong support for deepening innovation-driven development, promoting high-quality development and boosting the modernization of the national governance system and governance capacity.

(II) Work principles.

- **Following the law of development and innovating institutional arrangements.** We should fully understand and master the basic laws governing data property rights, circulation, trading, use, distribution, governance and security etc., explore the property system and market system that are conducive to the security protection, effective use and compliant circulation of data, improve the systems and mechanisms for the data element market, improve the systems and mechanisms in practice and develop them in exploration so as to promote the formation of a new production relation compatible with digital productivity.
- **Adhering to the principle of sharing and releasing value dividends.** We should lower the threshold for market players to access data to a reasonable extent, enhance the sharing and inclusiveness of data elements, stimulate innovation, entrepreneurship and creation, and strengthen anti-monopoly and anti-unfair competition, so as to form a development model featuring regulation according to the law, joint participation, taking what is needed, and sharing dividends.
- **Strengthening quality supply and promoting compliant circulation.** We should, following the trend of digital transformation of the economy and society, promote the adjustment and optimization of data element supply and improve the quantity and quality of data element supply. We should also establish a data credibility circulation system and enhance the usability, credibility, circulatable nature and traceability level of data. Efforts should be made to make dynamic management in the whole process of data circulation and activate data value in the process of compliant circulation and use.
- **Improving the governance system and supporting the safe development.** It is imperative to coordinate development and safety, implement the overall national security concept, strengthen the construction of the data security support system, ensure safety throughout the whole process of data supply, circulation and use, and define the bottom line and red line of supervision. We should strengthen the management of data by category and by level, effectively control what should be under management and delegate what should be delegated, actively and effectively prevent and resolve various data risks, and form a data governance structure that integrates government regulation with market self-discipline, the rule of law with industrial autonomy, and domestic and international coordination.
- **Deepening opening up and cooperation to achieve mutual benefits and win-win situation.** It is imperative to actively participate in the formulation of international rules for cross-border flow of data and explore ways to become a member of regional institutional arrangements for cross-border flow of international data. We should also promote bilateral and multilateral negotiations for cross-border flow of data, boost the establishment of institutional arrangements such as rules of mutual benefits. Moreover, we encourage the exploration of new ways and models for cross-border data flow and cooperation.

## II. Establishing a Data Property Right System for Protection of Rights and Interests and Compliant Use

It is imperative to explore the establishment of a data property right system, promote the structural subdivision and orderly circulation of data property rights, and strengthen the supply of high-quality data elements in light of the characteristics of data elements; under the national data classification and hierarchical protection system, we should promote classified and hierarchical right confirmation and authorized use and market-oriented circulation and transactions of data, and perfect the data element right protection system, so as to gradually form a data property right system with Chinese characteristics.

(III) Exploring a structural subdivision system for data property rights. It is imperative to establish a classified and hierarchical right confirmation and authorization system for public data, corporate data and personal data. We should, in light of the data source and data generation characteristics, respectively define the legitimate rights of various participants in the process of data production, circulation and use, and establish a mechanism for operating property rights such as the right to hold data resources, right to process and use data and right to operate data products.
We should also promote the new model of "joint use and benefit sharing" of non-public data under the market-oriented mode to provide a basic institutional guarantee for the activation of data element value creation and value realization. Meanwhile, we should study the new methods for data property rights registration. Under the premise of ensuring security, efforts should be made to promote data handlers to develop and utilize original data in accordance with the laws and regulations, support data handlers in exercising relevant rights to data application in accordance with the laws and regulations, promote the reuse and full utilization of data use value, and promote the exchange and market-oriented circulation of data use rights. Moreover, we should prudently treat transfer trading of original data.

(IV) Promoting the implementation of the right confirmation and authorization mechanism for public data. As for public data generated in the process of Party and government organs at all levels, enterprises and public institutions performing their duties or providing public services in accordance with the law, we should strengthen convergence, sharing and open development, enhance overall authorization for use and management, promote interconnection and break "isolated data islands". We encourage public data to be provided to society in the form of products and services such as models and verification services on the premise of protecting personal privacy and ensuring public security and in accordance with the requirements of "original data within domain and data available but not visible". As for the public data that carries no personal information and does not affect public security, we should promote expanding the scope of supply and use according to their purposes.
We should also promote the conditional free use of public data used for public governance and public welfare undertakings and explore the conditional free use of public data used for industrial development. The public data that should be kept confidential in accordance with laws and regulations should not be opened, and the original public data that has not been disclosed in accordance with the laws and regulations should be strictly controlled to directly enter the market, so as to protect the public interest in the supply and use of public data.

(V) Promoting the establishment of an enterprise data right confirmation and authorization mechanism. As for data collected and processed by various market players in the production and operation activities not involving personal information and public interests, market players have the right to hold and use them and obtain income from them in accordance with laws and regulations, and we should ensure reasonable returns for their input of labor and other factor contribution, as well as strengthen incentives for the supply of data factors. We encourage the exploration of the new model for the authorized use of enterprise data, give play to the leading role of state-owned enterprises, guide industry leading enterprises and Internet platform enterprises to play their driving roles, promote two-way fair authorization with micro, small and medium-sized enterprises, jointly and reasonably use data, and empower micro, small and medium-sized enterprises for the digital transformation. Meanwhile, we support third-party institutions and intermediary service organizations in strengthening data collection and the formulation of quality assessment standards, promote the standardization of data products, and develop industries such as data analysis and data services.
Government departments may, in performing their duties, obtain relevant data of enterprises and institutions in accordance with laws and regulations, provided that they must agree on and strictly observe requirements for use restrictions.

(VI) Establishing a sound right confirmation and authorization mechanism for personal information data. For the data carrying personal information, we should promote data handlers to collect, hold, host and use data according to the scope of individual authorization in accordance with laws and regulations and regulate the processing of personal information. It is not allowed to excessively collect personal information by adopting "package authorization", compulsory consent and other means, so as to promote the reasonable use of personal information. We should also explore the mechanism under which the trustees represent individual interests to supervise market players' collection, processing and use of personal information data. The special personal information data involving national security may be authorized to relevant entities in accordance with laws and regulations. We should intensify the protection of personal information and promote key industries to establish sound long-term protection mechanisms. We should strengthen the responsibilities of enterprises as subjects and regulate the collection and use of personal information by enterprises. We should also innovate technical means, promote anonymous handling of personal information, and protect information security and personal privacy in the use of personal information data.

(VII) Establishing a sound system for protection of the legitimate rights and interests of various participants of data elements.
Efforts should be made to fully protect the legitimate rights and interests of the party with data sources, promote data circulation and use models based on informed consent or with statutory causes, and protect the rights and interests of the party with data sources to acquire, copy or transfer the data generated due to its contribution. We should reasonably protect the rights and interests of data handlers in independent control over the data they hold in accordance with laws and regulations. On the premise of protecting public interests, data security and the legitimate rights and interests of the party with data sources, we should recognize and protect the right to process and use data obtained in accordance with legal provisions or contractual agreements, respect the labor and other contribution factors of data handlers in data collection, processing and other aspects, and fully protect data handlers' rights to use data and obtain benefits therefrom. We should also protect the management right of data or data derivatives formed by processing, analysis or otherwise, regulate the rights of data handlers to license others to use data or data derivatives in accordance with laws and regulations, and promote the circulation and reuse of data elements. Meanwhile, we should establish a sound mechanism for the transfer of data-related property rights and interests on the basis of legal provisions or contractual agreements. When a data handler is merged, divided, dissolved or declared bankrupt, we should promote the synchronous transfer of related rights and obligations in accordance with laws and regulations.

## III. Establishing a Compliant and Efficient Data Element Circulation and Trading System Combining On-Floor and Over-the-Counter Markets

We should improve and regulate data circulation rules, establish a trading system that promotes use and circulation as well as combination of on the floor and over-the-counter markets, regulate and guide over-the-counter transactions, and cultivate and expand floor trading; we should also orderly develop cross-border data circulation and trading, and establish a reliable data circulation system with identifiable data sources, definable scope of use, traceable circulation process and preventable security risks.

(VIII) Improving the system of whole-process data compliance and regulation rules. It is imperative to establish data circulation access standards and rules, strengthen whole-process compliance governance for data of market players, and ensure legal sources of circulation data, effective privacy protection, and standardized circulation and trading. We should, in light of the data circulation scope, impact degree and potential risks, distinguish use scenarios and usage quantities, establish data classification and hierarchical authorization use specifications, explore the development of a data quality standardization system, accelerate the promotion of data collection and interface standardization, and promote data integration, interconnection and interoperability. Meanwhile, we support data handlers in the circulation of data on the floor and over the counter in accordance with laws and regulations in such manners as opening, sharing, exchange and trading. We encourage the exploration of technologies, standards and plans for safeguarding data circulation security.
We also support the exploration of diversified pricing models and price formation mechanisms in line with the characteristics of data elements, and promote paid use of public data used for digital development under government-guided pricing and independent pricing of enterprise and personal information data in the market. Efforts should be made to strengthen the development and regulation of enterprise data compliance systems, severely crack down on black market transactions, and ban industries with illegal data circulation. We should also establish and implement a data security management certification system, in a bid to guide enterprises to improve data security management through certification.

(IX) Building standardized and efficient data trading venues on an overall basis.

It is imperative to strengthen the system design of data trading venues, optimize the planning and layout of data trading venues on an overall basis, and strictly control the number of trading venues. We should introduce administrative measures for data trading venues, establish sound data trading rules, and formulate a unified national system of standards for data trading and security to reduce trading costs. We should also guide the joint development of various types of data trading venues, highlight the compliance supervision and basic service functions of national data trading venues, strengthen their public attributes and positioning for public interests, promote the separation of functions of data trading venues and data dealers, and encourage all kinds of data dealers to trade in data trading venues. Meanwhile, efforts should be made to standardize regional data trading venues and industrial data trading platforms established by various regions and departments, build a multi-level market trading system, and promote the circulation and use of regional and industrial data.
We should promote the interconnection between regional data trading venues and industrial data trading platforms and national data trading venues. We should also build intensive and efficient data circulation infrastructure to provide a low-cost, efficient and reliable circulation environment for centralized trading on the floor and over-the-counter decentralized trading.

(X) Cultivating the circulation and trading service ecology for data elements.

We should, by orienting towards the need to promote the compliant, efficient, safe and orderly circulation and trading of data elements, cultivate a number of data dealers and third-party specialized service agencies. Through data dealers, we should provide both parties to data trading with the development, release and underwriting of data products and the compliance, standardization and value-added services of data assets so as to promote improvements to the efficiency of data trading. In key areas such as intelligent manufacturing, energy conservation and carbon reduction, green construction, new energy and smart city, we should vigorously cultivate industrial and industrialized data dealers close to business needs, and encourage data dealers of different ownerships to develop together and compete on an equal footing. It is imperative to orderly cultivate third-party specialized service agencies engaged in data integration, data brokerage, compliance certification, security audit, data notarization, data insurance, data custody, asset evaluation, dispute arbitration, risk assessment and talent training, and enhance the service capability for the whole process of data circulation and trading.

(XI) Establishing a safe, compliant and orderly cross-border circulation mechanism for data.
We should carry out international exchange and cooperation in terms of data exchange, business interconnection, mutual recognition of supervision and service sharing, etc., promote the construction of cross-border digital trade infrastructure, and should, on the basis of the Global Initiative on Data Security, actively participate in the formulation of international rules and digital technology standards for data flow, data security, certification and evaluation, digital currency and so on. It is imperative to adhere to open development, and promote cross-border two-way orderly data flow. We encourage domestic and foreign enterprises and organizations to carry out business cooperation on cross-border data flow in accordance with the law, support foreign investment in entering open fields in accordance with the law, and promote the formation of an international market with fair competition. We should also explore safe and standardized cross-border data flow modes for typical application scenarios such as cross-border e-commerce, cross-border payment, supply chain management and service outsourcing. We should coordinate data development and utilization and data security protection and explore the establishment of a mechanism for classified and hierarchical management of cross-border data. Data processing, cross-border data transmission, foreign mergers and acquisitions and other activities that affect or may affect national security shall be subject to national security review in accordance with the laws and regulations. According to the principle of reciprocity, we should implement export control over the data that are controlled items relating to the safeguarding of national security and interests and the fulfillment of international obligations in accordance with the law, ensure that the data are used for legitimate purposes, and prevent the security risk of transmitting data abroad. 
Moreover, we should explore the establishment of a multi-channel and convenient cross-border data flow regulatory mechanism and improve the cross-border data flow regulatory system with coordination and cooperation among multiple departments. We oppose data hegemony and data protectionism and should effectively cope with the "long-arm jurisdiction" in the data field.

## IV. Establishing the Distribution System for Income from Data Elements that Reflects Efficiency and Promotes Fairness

It is imperative to follow the development trends of digital industrialization and industrial digitalization, give full play to the decisive role of the market in resource allocation, and better play the role of the government. We should improve the mechanism for market-oriented allocation of data elements and expand the scope of market-oriented allocation of data elements and the channels for participating in the allocation based on value contribution. We should also improve the redistribution adjustment mechanism for income from data elements, so that all people can better share the fruits of the development of the digital economy.

(XII) Improving the mechanism in which the contribution of data elements is evaluated by the market and the remuneration is determined based on the contribution.

We should, in light of the characteristics of data elements, optimize the distribution structure, and establish a fair, efficient data value distribution mechanism combining incentives and regulation. It is imperative to adhere to the principle of "Two unswervingly" and the principle of "whoever invests and contributes will benefit", focus on protecting the input and output income of all participants of data elements, and safeguard the rights and interests of data resource assets in accordance with the laws and regulations.
Efforts should be made to explore the ways for individuals, enterprises and public data to share value and benefits, establish and improve a more reasonable market evaluation mechanism, and promote the matching between labor contribution and labor remuneration. We should promote the reasonable allocation of income from data elements to the creators of data value and use value, ensure that the investment in all stages of data value development and mining has corresponding returns, and strengthen the orientation of incentives based on data value creation and value realization. In addition, we should, by various ways of income sharing such as dividend and commission, balance the distribution of benefits among the relevant entities in different stages such as data content collection, processing, circulation and application.

(XIII) Giving better play to the role of government in guiding and regulating the distribution of income from data elements.

It is imperative to gradually establish a system or mechanism for distribution of income from data elements that ensures fairness and pays more attention to public interests and relatively disadvantaged groups. We should increase efforts of government guidance and regulation, explore the establishment of a mechanism for reasonably sharing the benefits from the opening of public data resources, and allow and encourage various types of enterprises to provide public services based on public data in accordance with the laws and regulations. We should also promote large data enterprises to actively undertake social responsibility, strengthen the support and assistance for disadvantaged groups, and vigorously and effectively deal with various risks and challenges in the process of digital transformation.
Meanwhile, we should continue to improve the systems and rules for the data element market, so as to prevent and regulate, in accordance with laws and regulations, problems such as the disorderly expansion of capital in the data field and the formation of market monopoly. We should also coordinate the use of multi-channel fund resources, carry out data knowledge popularization, education and training, improve the digital literacy of the whole society, strive to eliminate the digital divide between different regions and different groups of people, enhance social equity, guarantee people's livelihood and well-being, and promote common prosperity.

## V. Establishing a Safe, Controllable, Flexible and Inclusive System for the Governance of Data Elements

It is imperative to integrate safety throughout the whole process of data governance, establish a governance model with multi-party collaboration among government, enterprise and society, innovate government governance modes, clarify the responsibilities and obligations of all parties, improve the industry self-discipline mechanism, regulate the market development order, and form a data element governance pattern combining an effective market with a promising government.

(XIV) Innovating the government data governance mechanism.

We should give full play to the role of the government in orderly guidance and standardized development, hold the bottom line of safety, clarify the red line of regulation, and create a safe and reliable, innovative, fair and open, and regulation-effective data element market environment. We should also intensify sub-industry regulation and cross-industry collaborative regulation, establish a joint data management and governance mechanism, and establish a sound fault tolerance and error correction mechanism that encourages and embraces innovation.
Meanwhile, we should establish systems of compliance notarization, security review, algorithm review, monitoring and early warning for the whole process of production and circulation of data elements, and guide all parties to perform their responsibilities and obligations for data element circulation security. We should also establish a sound data circulation regulatory system, and develop a negative list of data circulation and trading clarifying the data items that cannot be traded or that are strictly restricted for trading. Efforts should be made to strengthen anti-monopoly and anti-unfair competition, enhance enforcement and justice in key fields, strengthen the review of concentration of undertakings in accordance with the laws and regulations, investigate and punish monopoly agreements, abuse of market dominance, and illegal concentration of undertakings in accordance with the laws and regulations, and create a fair, competitive, standardized and orderly market environment. We should, on the basis of implementing the graded protection system for cybersecurity, comprehensively strengthen data security protection work, improve the network and data security protection system, and enhance the capabilities of protection in depth and comprehensive defense.

(XV) Specifying the data governance responsibilities of enterprises.

It is imperative to adhere to the principle of "easy access and strict management", and firmly establish the awareness of responsibility and self-discipline of enterprises. We encourage enterprises to actively participate in the construction of the data element market, and should, by orienting towards data source, data property rights, data quality and data use, etc., promote the statement and commitment system for data circulation trading for data dealers and third-party specialized service agencies.
We should also strictly implement relevant laws and regulations and promote enterprises to assume corresponding responsibilities in accordance with laws and regulations in various aspects such as data collection and convergence, processing, circulation trading, sharing and utilization. Enterprises shall strictly comply with the Anti-monopoly Law and other relevant laws and regulations, and shall not use data, algorithms and other advantages and technical means to exclude or restrict competition or implement unfair competition. Moreover, efforts should be made to regulate the security management of government data in enterprises' participation in government informatization construction, and ensure that there are rules to follow, development in an orderly manner, and security and controllability. We should also establish a sound data element registration and disclosure mechanism, enhance the social responsibility of enterprises, break the "data monopoly", and promote fair competition.

(XVI) Giving full play to the collaborative governance role with multi-party participation by social forces.

We encourage industry associations and other social forces to actively participate in the construction of the data element market, support the research and development of security technologies and services relating to data circulation, and promote the safe and reliable circulation of data elements in different scenarios. We should also establish a data element market credit system, and gradually improve mechanisms for the identification of dishonest practice, incentives for honesty, punishments for dishonesty, credit repair and objection handling, etc. in respect of data transactions. Efforts should be made to smooth channels for reporting, complaints and dispute arbitration, and maintain good order of the data element market.
Moreover, efforts should be made to accelerate the implementation of national standards for data management capacity maturity and data element management regulations and promote various departments and industries to improve metadata management, data desensitization, data quality, value evaluation and other standards systems.

## VI. Supporting Measures

It is imperative to intensify overall promotion, strengthen task implementation, and innovate policy support. We encourage qualified regions and industries to carry out pilot programs in respect of institutional construction, technical paths, and development models, etc. We also encourage enterprises to innovate their internal data compliance management systems and constantly explore and improve the basic data system.

(XVII) Effectively strengthening organization and leadership.

Efforts should be made to strengthen the CPC's overall leadership in the work of building a basic data system. Under the centralized and unified leadership of the CPC Central Committee, we should give full play to the role of the Inter-ministerial Joint Conference for the Development of the Digital Economy, strengthen the overall planning of work and promote cross-regional and cross-departmental coordination and linkage to strengthen supervision and guidance. All regions and departments should attach great importance to the development of the basic data system, unify their thinking and understanding, intensify reform efforts, formulate work measures in light of their respective realities, refine the division of tasks, and do a good job in promotion and implementation.

(XVIII) Increasing policy support.

It is imperative to accelerate the development of the data element market and make data element enterprises bigger and stronger.
We should improve financial services, guide venture capital enterprises to increase investment in data element enterprises, encourage credit reporting agencies to provide diversified credit reporting services based on business operation data and other various data elements, and support real economy enterprises, especially micro, small and medium-sized enterprises, in carrying out credit financing to enable digital transformation. Meanwhile, efforts should be made to explore new models for data assets to be included in the balance sheet.

(XIX) Actively encouraging experimental exploration.

We should, by adhering to the combination of top-level design and grassroots exploration, support Zhejiang and other regions and qualified industries and enterprises to carry out pilot practices, give play to the role of high-level open platforms such as free trade ports and free trade pilot zones, and guide enterprises and scientific research institutions to promote innovation in technology and industrial applications relating to data elements. Meanwhile, we should, by adopting the approach of "result-oriented bidding", support qualified departments and industries in accelerating breakthroughs in key technologies such as reliable data circulation and security governance, establish innovative fault tolerance mechanisms, explore and improve policies, standards and institutional mechanisms for data element property rights, pricing, circulation, trading, use, distribution, governance and security, and better play the active role of data elements.

(XX) Steadily promoting system development.

We should, by orienting towards the establishment of a basic data system, gradually improve policies and standards for key links of major areas such as definition of data property rights, data circulation and trading, distribution of income from data elements, authorized use of public data, development of data trading venues and data governance.
We should also strengthen theoretical research and legislative research on, among others, data property right protection, data element market system development, data element price formation mechanism, data element income distribution, cross-border data transmission and dispute resolution, and promote the improvement of the relevant legal systems. Meanwhile, efforts should be made to timely summarize and refine replicable and propagable experience and practices and promote new breakthroughs in the building of the basic data system by using the experience of key points to promote work in all areas. The Inter-ministerial Joint Conference for the Development of the Digital Economy shall regularly evaluate the development of the basic data system, make dynamic adjustments in due time, and promote the continuous enrichment and improvement of the basic data system.

---

## Data Property Rights Registration Work Guide (Trial) — Draft for Public Consultation

- Chinese title: 数据产权登记工作指引(试行)(公开征求意见稿)
- Hierarchy: draft
- Issuing body: National Data Administration (NDA), Comprehensive Department
- Adopted: 2025-05-23
- Status: draft
- URL: https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft/
- Markdown: https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft.md

### Summary

NDA's first comprehensive draft framework for the registration of Data Property Rights — the rights to hold, use, and operate data established under the Data 20 Articles policy. The Guide sets out registration institutions, registration procedure (application, acceptance, review, public announcement, evidence preservation, certificate issuance), the eight ownership-clarity rules that determine who can register which right over which data, the five registration types (initial, transfer, change, renewal, deregistration), and liability for institutions and applicants. Includes six annexed form templates and a 15-digit certificate coding scheme.
Released by NDA Comprehensive Department for public consultation. DCC translation; this is a draft and is not yet in force.

### Full text

**Promulgated by:** National Data Administration (NDA), Comprehensive Department.

**Status:** Draft for public consultation. Not yet effective.

---

> *DCC translation. Translated from the public-consultation draft. The content is subject to change before the Guide is finalized and issued. Translated against [DCC's bilingual glossary](/glossary) for terminology consistency, including the data-property-rights vocabulary established by the Data 20 Articles policy (Right to Hold Data, Right to Use Data, Right to Operate Data).*

## Chapter 1 General Provisions

**Article 1. Purpose.** This Guide is enacted in accordance with the Civil Code of the People's Republic of China, the Data Security Law of the People's Republic of China, and other laws and regulations, in order to establish and improve the Data Property Rights system, build a nationally unified Data Property Rights registration system, and cultivate the nationally integrated data market.

**Article 2. Scope.** Data Property Rights registration activities and the administration thereof carried out within the territory of the People's Republic of China shall be conducted with reference to this Guide. This Guide applies to Data Property Rights registration of data in various forms, including data resources and data products.

**Article 3. Definitions.** For the purposes of this Guide:

- **Data Property Rights** refers to the property rights enjoyed by a rights-holder over specific data, including the Right to Hold Data, the Right to Use Data, and the Right to Operate Data.
- **Right to Hold Data** refers to the right of a rights-holder to hold lawfully acquired data, by itself or through another holder it entrusts.
- **Right to Use Data** refers to the right of a rights-holder to use data through processing, aggregation, analysis, and other methods to optimize production and operations or to form derived data.
- **Right to Operate Data** refers to the right of a rights-holder to provide data externally — for consideration or without consideration — through transfer, licensing, capital contribution, or the lawful creation of security interests over the data.
- **Data Property Rights registration** refers to the act of a Data Property Rights registration institution reviewing the description, source, and rights content of data in accordance with this Guide, recording information including the attribution of data rights, and issuing a registration certificate.
- **Registration institution** refers to a legal person selected and confirmed by the national data administration authority, included in the National Data Property Rights Registration Institution Catalogue, that carries out Data Property Rights registration activities.
- **Registration applicant** refers to a natural person, legal person, or non-legal-person organization that applies to a registration institution for Data Property Rights registration.

**Article 4. Principles.** Data Property Rights registration shall follow the principles of equal autonomy, standardization and unification, fairness and good faith, and convenience and efficiency.

**Article 5. Administration responsibilities.** The national data administration authority is responsible for the administration of national Data Property Rights registration.
Specific duties include: establishing and improving the nationally unified Data Property Rights registration system; piloting and refining the supervisory rules and detailed registration rules for registration institutions; guiding and supervising national Data Property Rights registration activities; administering the National Data Property Rights Registration Service Platform; and other duties prescribed by laws and regulations.

Provincial-level data administration authorities are responsible for administration of Data Property Rights registration within their administrative region. Specific duties include: recommending registration institutions within their region; guiding and supervising Data Property Rights registration activities within their region; and other duties prescribed by laws and regulations. Provincial-level data administration authorities may entrust municipal-level data administration authorities to carry out specific work.

**Article 6. Registration platform.** The National Data Property Rights Registration Service Platform serves the whole country and provides unified Data Property Rights registration public announcement, result inquiry and verification, and objection-filing services. It supports the administration of registration institutions.

## Chapter 2 Registration Institutions

**Article 7. Basic qualifications.** Registration institutions shall meet the following basic qualifications:

- (I) Be a legal person established under the law within the territory of the People's Republic of China, such as an enterprise or public institution, with sound operations; for enterprises, the paid-up registered capital shall not be less than CNY 100 million;
- (II) Have fixed office premises and infrastructure that meet operational needs;
- (III) Have at least two years of experience providing data circulation services;
- (IV) Have a sound governance structure, a registration-business administration system, a data security administration system, a data-security risk-response plan, and a service-withdrawal protection plan;
- (V) Have a full-time review team whose members have professional qualifications in data, law, and related fields and at least three years of work experience;
- (VI) Have built an information system that supports Data Property Rights registration business, completed Multi-Level Protection Scheme (MLPS) Level 3 or higher filing for that system, and meet the basic conditions to interface with the National Data Property Rights Registration Service Platform;
- (VII) Have no record of unfair competition, operational abnormality, or material illegal or non-compliant conduct in the past three years.

**Article 8. Selection principle.** Registration institutions are recommended by provincial-level data administration authorities and confirmed by the national data administration authority through selection. Selected registration institutions are included in the National Data Property Rights Registration Institution Catalogue, publicly disclosed, and connected to the National Data Property Rights Registration Service Platform.

**Article 9. Selection procedure.** Provincial-level data administration authorities shall conduct recommendation in accordance with the following requirements:

- (I) Organize qualified legal persons, including enterprises and public institutions, to submit applications;
- (II) Conduct initial review of materials, expert evaluation, and collective decision-making to determine the recommendation list, and submit it to the national data administration authority.

Where the national data administration authority confirms an entity as a registration institution through the selection process, the provincial-level data administration authority shall organize the entity to submit registration-institution information on the National Data Property Rights Registration Service Platform.

**Article 10. General requirements for conducting registration business.** A registration institution may practice nationally. A registration institution shall conduct registration business in accordance with the following requirements:

- (I) Conduct Data Property Rights registration in a public, fair, and impartial manner;
- (II) Properly preserve registration materials, with a retention period of not less than 20 years;
- (III) Promptly and accurately disclose the Data Property Rights registration process, fee schedule, complaint channels, etc., to enhance work transparency and accept social supervision;
- (IV) Operate and maintain the information system supporting Data Property Rights registration business and properly interface with the National Data Property Rights Registration Service Platform;
- (V) Establish an information-reporting system and report Data Property Rights registration matters to the data administration authority in a timely manner as required;
- (VI) Undertake confidentiality obligations with respect to materials provided by registration applicants and take necessary measures to safeguard data security; shall not disclose or unlawfully use such materials;
- (VII) Shall not engage in activities that affect the fairness or independence of registration; shall not conduct profit-making data-provision activities; and shall not, as a registration applicant, apply for registration at its own registration institution;
- (VIII) Shall strive to enhance registration service capacity, reduce registration costs, and provide reasonably priced registration services; shall not coerce bundling with other charged items.

**Article 11. Administration of registration institutions.** Provincial-level data administration authorities shall strengthen the administration of registration institutions. They may, based on supervisory needs, guide registration institutions to conduct Data Property Rights registration business in compliance with laws and regulations through means such as supervision-and-direction and regulatory interview. Where a registration institution conducts Data Property Rights registration business in violation of laws and regulations, the data administration authority, in conjunction with relevant departments, shall verify and take effective measures. Suspected criminal leads shall be referred to relevant departments for handling in accordance with the law.

The provincial-level data administration authority of the place where a registration institution is domiciled conducts day-to-day administration of the institution and receives and handles public opinions regarding registration activities. Where a registration institution practices outside its domicile and engages in illegal or non-compliant conduct, the provincial-level data administration authority of the place of practice shall coordinate with the institution's domicile provincial-level data administration authority. Where disagreements cannot be resolved through consultation, the national data administration authority shall provide guidance to resolve the issue.
The national data administration authority shall formulate annual evaluation standards for registration institutions and conduct examination of evaluation outcomes. Registration institutions shall, by March 31 of each year, report the previous year's Data Property Rights registration business to the provincial-level data administration authority of their domicile, ensuring that the materials reported are true, accurate, and complete. The domicile provincial-level data administration authority shall conduct annual evaluation of registration institutions and submit the evaluation results and related materials to the national data administration authority by April 30 each year.

**Article 12. Changes in registration institution information.** Where a registration institution undergoes any of the following changes, it shall report to its domicile provincial-level data administration authority within five working days, and, upon review and confirmation, update the information on the National Data Property Rights Registration Service Platform within five working days:

(I) Change of name;

(II) Change of domicile;

(III) Change of registered capital (for enterprise legal persons);

(IV) Change of legal representative or change of controlling shareholder or actual controller (for enterprise legal persons);

(V) Other material matters that may affect the normal conduct of registration business.

**Article 13. Withdrawal of registration institutions.** A registration institution that wishes to withdraw from Data Property Rights registration business shall report to its domicile provincial-level data administration authority at least two months in advance and submit a withdrawal plan. The domicile provincial-level data administration authority shall make a decision on the withdrawal plan within 20 working days of receiving the report and plan.

If withdrawal is approved, the relevant information shall be submitted to the national data administration authority within five working days of approval. Upon review and approval by the national data administration authority, the matter shall be publicly disclosed on the National Data Property Rights Registration Service Platform, and the National Data Property Rights Registration Institution Catalogue shall be adjusted.

If a registration institution withdraws from Data Property Rights registration business and the institution's legal-person status remains, the institution shall preserve the materials and bear corresponding responsibilities. If the institution is merged, the surviving institution after the merger or the newly established institution shall preserve the materials and bear corresponding responsibilities. If the institution declares bankruptcy or is dissolved, the provincial-level data administration authority shall designate another institution to preserve the Data Property Rights registration materials and properly handle related matters.

Where a registration institution withdraws from Data Property Rights registration business, the Data Property Rights registration certificates issued during its registration business period remain unaffected.

## Chapter 3 Registration Procedure

**Article 14. Registration procedure.** Data Property Rights registration is conducted through the procedures of application, acceptance, review, public announcement, objection handling, information evidence preservation, and certificate issuance.

**Article 15. Subject matter eligible for registration.** Data that can circulate in the market may be subject to Data Property Rights registration.
For data involving public data resources, the following shall apply:

- Data collected and produced by Party and government organs in the performance of their statutory duties, and data collected by other enterprises and public institutions on the basis of need to perform statutory duties, shall not be subject to Data Property Rights registration;
- After the authorized operation of public data resources, the public data products and services formed through development shall be subject to Data Property Rights registration only after completion of registration on the public data resource registration platform;
- Data produced by public utility enterprises and public institutions in sectors such as water supply, gas supply, heating, electricity, and public transportation in the course of providing public services may be subject to Data Property Rights registration, unless otherwise provided.

**Article 16. Registration application.** Registration applicants shall, on a voluntary basis, apply for Data Property Rights registration to a registration institution by themselves or by entrusting others; they shall submit a registration application form and supporting materials regarding data source, Data Property Rights attribution, and other matters. Materials submitted shall be true, accurate, and complete, with no false records, misleading statements, or material omissions.

**Article 17. Acceptance.** Upon receipt of Data Property Rights registration application materials, the registration institution shall handle the application as follows and inform the applicant of the acceptance result within three working days:

(I) Where application materials are erroneous, incomplete, or non-conforming, the institution shall provide written notice of non-acceptance and inform the applicant in one go of the materials to be supplemented and the time limit for supplementation. If the applicant does not supplement materials on time, the application is deemed not made;

(II) Where application materials are complete and conforming, or where all required supplementary materials have been submitted as required, the institution shall accept the application and inform the applicant in writing.

A registration institution shall not refuse to accept an application without legitimate reason. The acceptance date is the date on which the institution informs the applicant of acceptance. Where the registration institution fails to provide written notice of non-acceptance as required, the application is deemed accepted. The first working day after the notification time limit expires is the date of acceptance of the registration.

**Article 18. Review principles.** After accepting an application, the registration institution shall conduct reasonable and prudent review of the accuracy of the data description, the compliance of the data source, and the clarity of the Data Property Rights. The registration institution may require the applicant to supplement supporting materials and, where necessary, verify with interested parties or other relevant subjects.

**Article 19. Accuracy review of data description.** When reviewing the accuracy of the data description, the registration institution shall focus on whether the data name is concise, accurate, and unambiguous. The data name shall, in principle, include time, region, sector, content, and data type.

**Article 20. Compliance review of data source.** A registration applicant does not enjoy Data Property Rights over data obtained in violation of laws or regulations.
When reviewing the compliance of the data source, the registration institution shall review the following:

- For data generated through collection, whether the collection conduct is lawful and compliant;
- For data obtained through agreement, whether the relevant agreement stipulates that the applicant enjoys the relevant Data Property Rights;
- For public data collected through automated procedures, whether the registered data is public data and whether the applicant's means and methods of data collection are lawful and compliant;
- For data created through derivation, whether the applicant has the Right to Use Data over the original data; and whether the agreement stipulates the property-rights attribution of derived data — if no clear stipulation exists, whether there is a substantial and significant difference in content, form, and structure from the original data, and whether the derived data has significantly higher value than the original data;
- For data involving personal information, whether the data was obtained in compliance with the Personal Information Protection Law of the People's Republic of China and other laws and regulations;
- For data involving important data, whether the data was obtained in compliance with the Data Security Law of the People's Republic of China and other laws and regulations.

**Article 21. Clarity review of Data Property Rights.** The registration institution shall review the clarity of Data Property Rights in accordance with the following requirements:

(I) Data processors may register the Right to Hold, the Right to Use, and the Right to Operate over data collected and generated in their own production and operations, or in jointly participated production and operations, provided that the data was collected without violating laws, regulations, or contractual terms;

(II) Where various subjects, based on civil contract, authorize others to collect data that they cause to be produced, and they have the right to obtain or to copy and transfer the relevant data, they may register the Right to Hold, the Right to Use, and the Right to Operate;

(III) Natural persons may register the Right to Hold, the Right to Use, and the Right to Operate over data they lawfully collect, generate, or obtain;

(IV) For public data collected through automated procedures by a data processor that implements the national data classification and grading protection system requirements — and that does so without unlawful intrusion into others' networks, without disrupting normal network service operations, without destroying effective technical measures, and without harming the lawful rights and interests of individuals or organizations — the data processor may register the Right to Hold and the Right to Use. For data products formed therefrom — provided they do not substantively substitute for the products and services of the data-collected party — the data processor may register the Right to Hold, the Right to Use, and the Right to Operate;

(V) Where multiple data processors cooperatively advance data integration and development, they shall register the relevant rights in accordance with their contract. Where there is no contractual stipulation on Data Property Rights over integrated data, or where the stipulation is unclear, each participating party may register the Right to Hold and the Right to Use. Subject to obtaining the consent of the other participating parties, the parties may register the Right to Operate;

(VI) Where a data processor, on the basis of the Right to Use Data held by it, applies professional knowledge — processing, modeling and analysis, key information extraction, etc. — to effect a substantial change in the content, form, or structure of the data, and thereby significantly enhances the value of the data to form derived data, the data processor may register the Right to Hold, the Right to Use, and the Right to Operate over the derived data, on the premise of protecting the lawful rights and interests of all parties;

(VII) Where another party is entrusted to process data, except as otherwise provided by law or stipulated by contract, the entrusted party may not register the Right to Hold, the Right to Use, or the Right to Operate over the original data, process data, or result data of the entrusted processing.

The Right to Hold Data, the Right to Use Data, and the Right to Operate Data are mutually independent. The same rights-holder may hold all of them or only one or more of them; over the same data and the same right, different rights-holders may hold rights simultaneously without exclusion.

**Article 22. Non-registration.** Where, upon review, any of the following circumstances exists, the registration institution shall not register and shall provide written notice to the applicant:

(I) The data involves national security, state secrets, or the like;

(II) The data source violates the provisions of laws and administrative regulations;

(III) There is an unresolved data-attribution dispute concerning the data;

(IV) The applicant has concealed actual circumstances or provided false certifications;

(V) Other circumstances stipulated by laws and administrative regulations as not eligible for registration.

**Article 23. Recording of rights limitations.** Where the exercise of Data Property Rights is subject to the following limitations, the limitations shall be recorded by way of remark:

(I) Where the term, conditions, or other matters of exercise of Data Property Rights are stipulated;

(II) Property-preservation measures, including seizure, lawfully implemented by the people's court, people's procuratorate, public security organ, or other authorized organ;

(III) Temporary control measures taken by the administrative competent authority for the purpose of safeguarding national security and the public interest;

(IV) Other matters that the registration institution deems necessary to record.

**Article 24. Public announcement.** Where none of the circumstances in Article 22 apply, the registration institution shall publicly announce, on the National Data Property Rights Registration Service Platform, the applicant's information, data name, data overview, and recorded rights limitations. With legitimate reasons, the applicant may apply to the registration institution for non-publication; the registration institution shall determine the matter in light of the actual circumstances.

The public announcement period is five working days, calculated from the date the announcement is published on the National Data Property Rights Registration Service Platform.

**Article 25. Handling of objections during the announcement period.** Where an objection is raised against the announcement content, the objecting party shall provide reasons and related materials. The registration institution shall investigate the objection within 10 working days from receipt of the objection, may require the applicant to provide explanation, and shall promptly issue a handling decision. Where, during the announcement period, the institution finds that registration should not occur, it shall make a decision not to register.

**Article 26. Information evidence preservation.** The registration institution shall, on the National Data Property Rights Registration Service Platform, perform evidence preservation on important matters and registration results during the registration process, including but not limited to the applicant's basic information, basic data situation, rights content, and rights limitations. This shall ensure that registration information cannot be tampered with, that the registration process is traceable, and that registration content can be verified.

The applicant may voluntarily provide data watermark, data fingerprint, or similar information for the registration institution to preserve as evidence.

The registered matters are deemed registered upon completion of evidence preservation of the registration information.

**Article 27. Certificate issuance.** Upon completion of registration, the registration institution shall issue a certificate in accordance with the unified format and coding requirements provided by the National Data Property Rights Registration Service Platform and shall affix the institution's dedicated registration seal. (A sample certificate and the coding rules appear in Annex 6.)

Where the content of the registration certificate is inconsistent with the information preserved on the National Data Property Rights Registration Service Platform, the latter shall prevail.
A Data Property Rights registration certificate takes effect on the date of issuance. The validity period is generally no longer than five years. Renewal requires renewal registration.

**Article 28. Time limit for registration.** The registration institution shall complete Data Property Rights registration procedures within 10 working days from acceptance of the application. Where extension is required due to complex data source, large data scale, or other reasons, the period may be appropriately extended, but the extension shall not exceed an additional 10 working days. Registration institutions are encouraged to optimize and innovate registration services to improve efficiency and shorten time limits.

Time spent supplementing supporting materials, public announcement, and objection handling is not counted toward the period specified in the preceding paragraph.

**Article 29. Handling of objections after registration is complete.** Where an objecting party considers that a Data Property Rights registration involves an attribution dispute or a registration error, the party may raise an objection to the registration institution via the National Data Property Rights Registration Service Platform. Submission of an objection requires the objection application and preliminary evidence.

The registration institution shall review the completeness of the objection materials. If complete, the institution shall provide written notice to the registration applicant within five working days of receiving the materials. If the applicant acknowledges the objection content, the registration institution shall, in accordance with procedures, modify the registration content or deregister. If the applicant does not acknowledge the objection content, the applicant shall submit relevant explanatory materials. The registration institution may require the applicant and the objecting party to cooperate in the investigation and may issue an objection-handling conclusion.

If both parties accept the conclusion, the registration institution shall handle the matter accordingly. If either the applicant or the objecting party disputes the registration institution's handling conclusion, the party may, as agreed, apply to an arbitration institution for arbitration or institute a lawsuit with a people's court. The registration institution shall handle the matter in accordance with the effective legal instrument of the people's court or arbitration institution.

Local data administration authorities with conditions to do so are encouraged to provide mediation services.

**Article 30. Inquiry of registration materials.** A registration applicant or interested party may, in accordance with the law, inquire about and copy necessary Data Property Rights registration materials. The registration institution shall provide them.

Relevant state organs may, in accordance with the provisions of laws and administrative regulations, inquire about and copy Data Property Rights registration materials related to the matters they are investigating or handling.

Units and individuals that inquire about or copy Data Property Rights registration materials shall explain the purpose of inquiry and copying to the registration institution. They shall not use the materials obtained for other purposes; without the consent of the rights-holder, they shall not disclose the materials obtained.

**Article 31. Use of registration certificates and national mutual recognition.** In the following activities, a Data Property Rights registration certificate may serve as proof of the attribution and content of Data Property Rights:

(I) In data circulation transactions, as proof of Data Property Rights;

(II) In data balance-sheet entry, financing, equity contribution, and similar activities, as proof of lawful ownership or control of data;

(III) In the resolution of data-related disputes, as evidence of attribution determination;

(IV) In support policies such as data-enterprise cultivation and accreditation, as evidence to judge a company's data situation.

Registration institutions are encouraged to strengthen business coordination among Data Property Rights registration, data quality evaluation, value evaluation, etc., providing full-process services to the market on the premise that registration fairness and independence are not affected.

When data circulation service institutions provide services, they shall accept the registration certificate issued under this Guide. Without legitimate reason, they shall not conduct duplicate review or duplicate charge.

## Chapter 4 Registration Types

**Article 32. Types.** Data Property Rights registration includes initial registration, transfer registration, change registration, renewal registration, and deregistration.

**Article 33. Initial registration.** Initial registration means the first registration of Data Property Rights over specific data with a registration institution.

To apply for initial registration, the applicant shall submit an initial registration application form (see template in Annex 1), supporting materials of the applicant's identity, supporting materials of the lawful acquisition of Data Property Rights, data samples, and data description, among other materials.

For the same data, other types of registration can only be conducted after initial registration is completed.
Other registration types shall be handled by the registration institution that handled the initial registration.

**Article 34. Transfer registration.** Where a transferor has completed initial registration and holds the Right to Hold Data, the Right to Use Data, and the Right to Operate Data, and intends to transfer all or part of the Data Property Rights to a transferee without retaining the transferred portion, the transferor and the transferee shall jointly apply for transfer registration.

To apply for transfer registration, the applicant shall submit a transfer registration application form (see template in Annex 2), the transfer contract, and the initial registration certificate, among other materials.

If the registration institution accepts and approves the transfer registration, it shall adjust the transferor's Data Property Rights registration certificate accordingly.

**Article 35. Change registration.** Where matters such as the rights-holder, data source, or rights type do not involve major changes, but the following circumstances arise, the applicant may apply for change registration:

(I) Changes in applicant identity information, such as name, legal representative, or address;

(II) Errors in or changes to the data description information, data time-span, or similar matters.

To apply for change registration, the applicant shall submit a change registration application form (see template in Annex 3), the initial registration certificate, and supporting materials for the change content.

**Article 36. Renewal registration.** Within six months before the expiration of the validity period of the Data Property Rights registration certificate, the applicant may apply to the registration institution for renewal registration. Where the validity period of the Data Property Rights registration certificate expires and renewal registration is not applied for, the registration certificate automatically becomes invalid.
To apply for renewal registration, the applicant shall submit a renewal registration application form (see template in Annex 4) and the initial registration certificate.

**Article 37. Deregistration.** Under the following circumstances, the registration institution shall deregister registered Data Property Rights:

(I) The applicant applies for deregistration;

(II) The Data Property Rights of the original rights-holder have been extinguished due to data destruction or similar reasons;

(III) Deregistration should be conducted in accordance with the outcome of objection handling;

(IV) Other circumstances stipulated by laws and administrative regulations.

To apply for deregistration, the applicant shall submit a deregistration application form (see template in Annex 5), the initial registration certificate, and other materials required by the registration institution.

Where the registration institution finds that the registration certificate should be deregistered, it may deregister on its own initiative and notify the original applicant by appropriate means.

## Chapter 5 Legal Liability

**Article 38. Liability of registration institutions.** Registration institutions are liable in accordance with the law for the accuracy of registration results.

Where a registration institution or its staff engages in any of the following conduct, with relatively minor circumstances, the provincial-level data administration authority of the institution's domicile shall order rectification within a time limit and suspend the institution from publishing registration information on the National Data Property Rights Registration Service Platform. Where circumstances are serious or rectification is refused, the institution shall be removed from the National Data Property Rights Registration Institution Catalogue. Where a violation constitutes a crime, criminal liability shall be borne in accordance with the law:

(I) Registering an application that does not meet registration requirements or registering erroneously, due to intent or gross negligence;

(II) Tampering with, damaging, or forging Data Property Rights registration information and registration certificates;

(III) Disclosing Data Property Rights registration materials, registration information, etc., and thereby harming national security, the public interest, or others' lawful rights and interests;

(IV) Other illegal or non-compliant conduct.

Where the registration institution engages in the above conduct and causes harm to others, it shall bear liability for damages in accordance with the law. After bearing liability, the registration institution may, in accordance with the law, seek recourse against other responsible parties.

**Article 39. Liability of registration applicants.** Where a registration applicant engages in any of the following conduct that causes harm to others, the applicant shall bear civil liability for damages in accordance with the law; where a crime is constituted, the applicant shall bear corresponding liability in accordance with the law:

(I) Obtaining registration by deception, including concealment of true circumstances and provision of false materials;

(II) Intentionally seeking improper benefit through duplicate registration;

(III) Harming national security, the public interest, or others' lawful rights and interests;

(IV) Other illegal or non-compliant conduct.

**Article 40. Liability of data administration authority staff.** Staff of data administration authorities who, in administering Data Property Rights registration activities, abuse power, neglect duty, or engage in malpractice for personal gain shall bear corresponding penalties or administrative sanctions in accordance with the law; where a crime is constituted, criminal liability shall be borne in accordance with the law.
## Chapter 6 Supplementary Provisions

**Article 41. Coordination with other registrations.** Before this Guide takes effect, for data registrations of other types that have been completed and where the matters reviewed are consistent with the requirements of this Guide, the registration institution may, in light of specific circumstances, simplify the review procedure.

**Article 42. Meaning of "or more" and "or less".** As used in this Guide, the terms "or more" (以上) and "or less" (以内) include the cited number.

## Annexes

The draft Guide attaches six annexes, summarized here rather than translated verbatim:

- **Annex 1 — Initial Registration Application Form.** Fields: applicant identity, contact information, business information; data information (name, overview, sector under GB/T 4754, source, geographic and temporal range, update frequency, data volume, data form, use restrictions); rights configuration.
- **Annex 2 — Transfer Registration Application Form.** Fields: data name, original certificate number; transferor and transferee identity, contact, and address; content of rights transferred.
- **Annex 3 — Change Registration Application Form.** Fields: data name, certificate number; applicant identity; change matter (before/after content).
- **Annex 4 — Renewal Registration Application Form.** Fields: data name, certificate number; applicant identity; renewal matter (renewal period, rights types being renewed).
- **Annex 5 — Deregistration Application Form.** Fields: data name, certificate number; applicant identity; reason for deregistration.
- **Annex 6 — Data Property Rights Registration Certificate Sample and Coding Rules.** The certificate code is 15 digits, consisting of: fixed identifier (2 digits — "SJ"), region (2 digits — per PRC administrative-division codes), registration institution (1 digit), code-issuance date (6 digits — YYYY-MM), and serial number (4 digits, capped at 9999 per month). Total positions: 15.
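The Annex 6 coding rule is the one piece of this Guide that a data-circulation service institution (Article 31) can check mechanically before accepting a certificate: a code that does not even have the stated structure cannot be a valid reference into the National Data Property Rights Registration Service Platform. The following parser is an added example written for this corpus; it is not code from the Guide, the platform, or DCC. It assumes the 6-digit issuance date is written `YYYYMM` with no separator (the summary says "YYYY-MM" but fixes the field at 6 digits), and the two-entry region table is a constructed sample, not an authoritative list of PRC administrative-division codes. Structural validity is all it establishes; whether a well-formed code was actually issued can only be confirmed against the platform record, which Article 27 makes authoritative in any case.

```python
"""Parser and structural validator for the 15-position certificate code in Annex 6.

Added example for this corpus; not code from the Guide or the platform.
Assumption: the 6-digit issuance date is YYYYMM (no separator).
Assumption: SAMPLE_REGIONS is a constructed illustration, not an authoritative table.
"""
import re
from dataclasses import dataclass

FIXED_ID = "SJ"   # fixed identifier stated in Annex 6
CODE_LEN = 15     # total positions stated in Annex 6
# SJ + region(2) + institution(1) + YYYY(4) + MM(2) + serial(4) = 15 positions.
_PATTERN = re.compile(r"^(SJ)(\d{2})(\d)(\d{4})(\d{2})(\d{4})$")

# Constructed sample of two province-level prefixes so the example runs offline.
SAMPLE_REGIONS = {"11": "Beijing", "44": "Guangdong"}


@dataclass(frozen=True)
class CertificateCode:
    region: str        # 2-digit administrative-division prefix
    institution: str   # 1-digit registration-institution code
    year: int
    month: int
    serial: int        # 4-digit serial; at most 9999 per month by construction

    @property
    def text(self) -> str:
        """Re-assemble the canonical 15-position string from the parsed fields."""
        return (f"{FIXED_ID}{self.region}{self.institution}"
                f"{self.year:04d}{self.month:02d}{self.serial:04d}")


def parse_certificate_code(code: str) -> CertificateCode:
    """Split a code into its Annex 6 fields; raise ValueError on any structural defect."""
    if len(code) != CODE_LEN:
        raise ValueError(f"expected {CODE_LEN} positions, got {len(code)}")
    match = _PATTERN.match(code)
    if match is None:
        raise ValueError("code is not SJ + region(2) + institution(1) + YYYYMM + serial(4)")
    _, region, institution, yyyy, mm, serial = match.groups()
    month = int(mm)
    if not 1 <= month <= 12:
        raise ValueError(f"issuance month {mm} is out of range")
    return CertificateCode(region, institution, int(yyyy), month, int(serial))


def is_well_formed(code: str) -> bool:
    """True when the code has the Annex 6 structure; says nothing about issuance."""
    try:
        parse_certificate_code(code)
        return True
    except ValueError:
        return False


def describe(code: str, regions: dict = SAMPLE_REGIONS) -> dict:
    """Human-readable breakdown of a well-formed code, for an acceptance log or UI."""
    parsed = parse_certificate_code(code)
    return {
        "region": parsed.region,
        "region_name": regions.get(parsed.region, "unknown region prefix"),
        "institution": parsed.institution,
        "issued": f"{parsed.year:04d}-{parsed.month:02d}",
        "serial": parsed.serial,
    }


if __name__ == "__main__":
    # Constructed sample code: Guangdong (44), institution 1, issued 2025-05, serial 1.
    sample = "SJ4412025050001"
    print(describe(sample))
    for bad in ("SJ4412025130001", "sj4412025050001", "SJ441202505001"):
        print(bad, "->", "ok" if is_well_formed(bad) else "rejected")
```

The check is deliberately limited to what Annex 6 states: it rejects wrong length, a missing `SJ` prefix, non-digit positions and an impossible month, and it does not assume anything about which institution digits or serials a given region has actually issued.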
---

## GB/T 44297—2024 Data Items of Video and Image Information for Public Security

- Chinese title: GB/T 44297—2024 公共安全视频图像信息数据项
- Abbreviation: GB/T 44297—2024
- Hierarchy: standard
- Issuing body: Standardization Administration of China (SAC) and State Administration for Market Regulation (SAMR), proposed by Ministry of Public Security (MPS)
- Adopted: 2024-08-23
- Effective: 2024-08-23
- Status: effective
- URL: https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items/
- Markdown: https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items.md

### Summary

GB/T 44297—2024 is the national recommended standard that specifies the data items used in public-security video image information systems — the underlying field-level schema that camera systems, video platforms, and analysis tools use to describe and exchange video and image data. It applies to data exchange in networked public-security video applications.

The standard catalogs more than twenty top-level data-item groups — covering camera information, system/platform information, equipment status, video clips, images, file objects, persons of interest, vehicles of interest, non-motor vehicles, items, scenes, events, regions, motion targets, subscriptions, feature vectors, organized data libraries, and real-time matching against reference lists — plus a set of normative code tables (Appendix D) used to encode the field values.

The standard is technical reference material for system integrators and data engineers operating public-security video systems. Cross-reference to the *Administrative Regulation for Public Security Video Image Information Systems* (State Council Decree No. 799) and the *Facial Recognition Technology Application Measures* (CAC + MPS Decree No. 19), which set the legal duties; this standard tells operators what field-level data to capture and exchange in order to meet those duties.
### Full text

This entry is a reference pointer to a recommended national standard, not a translation. GB/T 44297—2024 is a technical specification — its substantive content is a catalogue of data-item attributes (name, identifier, format, code tables) used by public-security video systems for inter-system data exchange. The standard runs to 130 pages and is structured around appendices containing 44 code tables (Appendix D), region-code rules (Appendix C), and full data-item examples (Appendix E).

For the regulatory and compliance context that frames this technical standard, see the [Administrative Regulation for Public Security Video Image Information Systems](/laws/public-security-video-image-system-regulations/) and the [Facial Recognition Technology Application Measures](/laws/facial-recognition-technology-application-measures/).

> *DCC has not reproduced the standard text. The standard is published by the Standardization Administration of China; it is available through SAC's official channels and through the standards portal at www.sac.gov.cn.*

---

## Measures on the Standard Contract for the Outbound Transfer of Personal Information

- Chinese title: 个人信息出境标准合同办法
- Abbreviation: SCC Measures
- Hierarchy: rule
- Issuing body: Cyberspace Administration of China (CAC)
- Adopted: 2023-02-22
- Effective: 2023-06-01
- Status: effective
- URL: https://datacompliancechina.com/laws/personal-info-standard-contract-measures/
- Markdown: https://datacompliancechina.com/laws/personal-info-standard-contract-measures.md

### Summary

The second of CAC's three cross-border transfer pathways: signing a CAC-prescribed Standard Contract with the overseas recipient and filing it with the provincial CAC. Used by handlers below the Security Assessment thresholds. The Measures establish eligibility criteria, the filing procedure, ongoing obligations after filing, and the CAC's right to invalidate the contract on the recipient side. The Standard Contract template itself is annexed.
### Full text

**Promulgated by:** Cyberspace Administration of China (CAC).

**Document No.:** Decree No. 13 of the Cyberspace Administration of China.

**Adopted at the 11th executive meeting of the CAC in 2023 on February 22, 2023. Effective June 1, 2023.**

---

**Article 1.** For the purposes of protecting personal information rights and interests, and regulating outbound transfer of personal information, the Measures on the Standard Contract for Outbound Transfer of Personal Information (the "Measures") are enacted in accordance with the Personal Information Protection Law of the People's Republic of China and other laws and administrative regulations of the People's Republic of China.

**Article 2.** Any personal information handler who enters into a standard contract for the outbound transfer of personal information outside the People's Republic of China (the "Standard Contract") with a foreign recipient shall apply the Measures.

**Article 3.** When conducting any outbound transfer of personal information by means of concluding the Standard Contract, the personal information handler shall adhere to the principles of combining autonomous contracting with record-filing management, combining the protection of rights and interests with the prevention of security risks, and ensuring both the security and the free flow of personal information.

**Article 4.** Any personal information handler transferring personal information abroad by entering into the Standard Contract shall meet all of the following conditions:

(1) it is not a critical information infrastructure operator;

(2) it processes the personal information of less than 1 million individuals;

(3) it has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and

(4) it has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year.
Where there are other relevant provisions in any laws, administrative regulations or rules of the Cyberspace Administration of China, such provisions shall apply.

When using the Standard Contract for outbound transfer of personal information, the personal information handler shall not use methods such as quantity splitting to transfer abroad personal information that is required by law to undergo the outbound security assessment.

**Article 5.** Prior to the outbound transfer of personal information, the personal information handler shall conduct a personal information protection impact assessment, focusing on the following:

(1) the legality, legitimacy and necessity of the purpose, scope and method of the processing of personal information by the personal information handler and the foreign recipient;

(2) the volume, scope, category, and sensitivity of personal information to be transferred abroad, and the risks to the personal information rights and interests that may be caused by the outbound transfer of personal information;

(3) the obligations that the foreign recipient promises to undertake, and whether the management and technical measures and capabilities of the foreign recipient to perform the obligations can ensure the security of the personal information to be transferred abroad;

(4) the risk of tampering, damage, leakage, loss and abuse after outbound transfer of personal information, and whether the channels for individuals to exercise their personal information rights and interests are accessible and smooth;

(5) the impact of policies and regulations for the protection of personal information in the country or region where the foreign recipient is located on the performance of the Standard Contract; and

(6) other factors that may affect the security of outbound transfer of personal information.

**Article 6.** The Standard Contract shall be concluded in strict accordance with the Annex of the Measures.
The Cyberspace Administration of China may adjust the Annex in light of actual circumstances.

The personal information handler may agree on other terms with the foreign recipient, provided that such terms do not conflict with the Standard Contract.

The outbound transfer of personal information shall not be carried out until the Standard Contract enters into force.

**Article 7.** The personal information handler shall, within 10 working days after the Standard Contract enters into effect, apply for filing with the cyberspace administration at the provincial level. The following materials shall be submitted for the record-filing:

(1) the Standard Contract; and

(2) the personal information protection impact assessment report.

The personal information handler shall be responsible for the authenticity of the record-filing materials.

**Article 8.** Where any of the following circumstances occurs during the validity period of the Standard Contract, the personal information handler shall conduct the personal information protection impact assessment again, supplement or re-sign the Standard Contract, and complete the relevant record-filing formalities:

(1) the purpose, scope, category, sensitivity, method or storage location of personal information transferred abroad, or the purpose or method of personal information processing by the foreign recipient, has changed, or the retention period of personal information located abroad is extended;

(2) the personal information rights and interests will be affected by changes in the policies and regulations on personal information protection in the country or region where the foreign recipient is located; or

(3) other circumstances that may affect the personal information rights and interests.

**Article 9.** The cyberspace administration and its personnel shall keep confidential the personal privacy, personal information, trade secrets, confidential business information, etc.
that they have accessed in performing their duties in accordance with the law, and shall not disclose them, illegally provide them to others, or illegally use them.

**Article 10.** Any organization or individual may report to the cyberspace administration at the provincial level or above if it finds that any personal information handler has engaged in outbound transfer of personal information in violation of the Measures.

**Article 11.** Where the cyberspace administration at the provincial level or above finds that there are relatively high risks in the outbound transfer of personal information, or that a personal information security incident has occurred, it may interview the personal information handler in accordance with the law. The personal information handler shall make rectifications and eliminate hidden dangers as required.

**Article 12.** Any violation of the Measures shall be punished in accordance with the Personal Information Protection Law of the People's Republic of China and other laws and regulations; where a crime is constituted, criminal responsibility shall be investigated according to the law.

**Article 13.** The Measures shall enter into force on June 1, 2023. For the outbound transfer of personal information that has already happened before the Measures take effect, if any such transfer is found not to be in compliance with the Measures, rectification shall be completed within 6 months of the effective date of the Measures.
**Annex: Standard Contract for Outbound Transfer of Personal Information**

Formulated by the Cyberspace Administration of China

In order to ensure that the activity of processing Personal Information by the Foreign Recipient meets the standards of Personal Information protection stipulated by the Relevant Laws and Regulations of the People's Republic of China, and to specify the rights and obligations of the Personal Information Handler and the Foreign Recipient, the Parties hereby enter into this Contract upon negotiation.

Personal Information Handler: _______________________________
Address: ___________________________________________________
Contact Information: _________________________ Contact person: __________ Position: __________

Foreign Recipient: __________________________________________
Address: ___________________________________________________
Contact Information: _________________________ Contact person: __________ Position: __________

The Personal Information Handler and the Foreign Recipient will carry out the activities concerning the outbound transfer of Personal Information in accordance with this Contract. The Parties [have entered into] / [agreed to enter into] a commercial contract to further the commercial acts related to such activities, namely [description of commercial contract] on [MM/DD/YY].

The major body of this Contract is drafted in accordance with the requirements of the Measures on the Standard Contract for Outbound Transfer of Personal Information. Other agreements between the parties, if any, may be specified in Appendix II. The Appendix forms an integral part of this Contract.

**Article 1 Definitions**

In this Contract, unless the context otherwise requires:

1. "Personal Information Handler" refers to any organization or individual that independently decides the purpose and method of the Personal Information processing activities and transfers Personal Information outside the territory of the People's Republic of China.

2.
"Foreign Recipient" refers to an organization or individual outside the territory of the People's Republic of China that receives Personal Information from the Personal Information Handler.

3. The Personal Information Handler and the Foreign Recipient are referred to individually as a "Party", and collectively as the "Parties".

4. "Personal Information Subject" refers to a natural person identified by or associated with the Personal Information.

5. "Personal Information" refers to all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized.

6. "Sensitive Personal Information" refers to the Personal Information that, once leaked or illegally used, is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety, including biometric recognition, religious belief, specific identity, medical health, financial account, personal whereabouts, and the Personal Information of minors under the age of 14.

7. "Regulatory Authority" refers to the Cyberspace Administration of the People's Republic of China at the provincial level or above.

8. "Relevant Laws and Regulations" refer to the laws and regulations of the People's Republic of China, such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Civil Code of the People's Republic of China, the Civil Procedure Law of the People's Republic of China, and the Measures on the Standard Contract for Outbound Transfer of Personal Information.

9. The meanings of other terms not defined in the Contract are in line with those stipulated in the Relevant Laws and Regulations.

**Article 2 Obligations of the Personal Information Handler**

The Personal Information Handler shall perform the following obligations:

1.
Process Personal Information in accordance with the Relevant Laws and Regulations. The Personal Information to be transferred abroad shall be limited to the minimum scope required for the purpose of processing.

2. Inform the Personal Information Subject of matters such as the name and contact information of the Foreign Recipient, the purpose of processing, method of processing, type of Personal Information, retention periods, and the methods and procedures for the Personal Information Subject to exercise his/her rights specified in Appendix I "Description of the Outbound Transfer of Personal Information". Where Sensitive Personal Information is transferred abroad, the Personal Information Subject shall be informed of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject, unless otherwise provided in the laws and administrative regulations that such notification is not required.

3. If Personal Information is transferred abroad based on the consent of the individual, the separate consent of the Personal Information Subject shall be obtained. Where the Personal Information involves that of a minor under the age of 14, the separate consent of the minor's parent or any other guardian shall be obtained. Where written consent is required by laws and administrative regulations, the written consent shall be obtained.

4. Inform the Personal Information Subject that the Personal Information Handler and the Foreign Recipient have agreed that the Personal Information Subject is a third-party beneficiary under this Contract, and that if the Personal Information Subject fails to raise an express rejection within thirty days, the Personal Information Subject shall be entitled to act as a third-party beneficiary in accordance with the Contract.

5.
Make reasonable efforts to ensure that the Foreign Recipient has taken the following technical and organizational measures to perform its obligations under this Contract (taking into account potential Personal Information security risks that may be caused by the purpose of Personal Information processing, the type, scale, scope and sensitivity of the Personal Information, the scale and frequency of the transfer, the period of the outbound transfer of Personal Information, the period of retention by the Foreign Recipient, and other matters that may lead to a Personal Information security risk): (such as encryption, anonymization, de-identification, access control or other technical and organizational measures) 6. Provide copies of Relevant Laws and Regulations and technical standards to the Foreign Recipient upon request. 7. Reply to inquiries from the Regulatory Authority about the Foreign Recipient's processing activities. 8. Carry out a Personal Information Protection Impact Assessment in accordance with the Relevant Laws and Regulations regarding the proposed transfer of Personal Information to the Foreign Recipient. The assessment shall focus on the following matters: (1) the legality, legitimacy and necessity of the purpose, scope and method of processing Personal Information by the Personal Information Handler and Foreign Recipient; (2) the scale, scope, type, and sensitivity of Personal Information to be transferred overseas, and the risks to Personal Information that may be caused by the outbound transfer of Personal Information; (3) the obligations that the Foreign Recipient promises to undertake, and whether the organizational and technical measures and capabilities to perform the obligations can guarantee the security of the Personal Information to be transferred abroad; (4) risk of Personal Information being tampered with, destroyed, leaked, lost, illegally used, etc. 
after the outbound transfer, and whether there are channels for individuals to smoothly exercise Personal Information rights and interests, etc.;

(5) in accordance with Article 4 hereof, to evaluate whether the performance of this Contract will be affected by the local policies and regulations with respect to protection of Personal Information; and

(6) other matters that may affect the security of outbound transfer of Personal Information.

The Personal Information Protection Impact Assessment Report shall be kept for at least three years.

9. Provide a copy of this Contract to the Personal Information Subject upon the Personal Information Subject's request. If trade secrets or confidential business information are involved, the relevant contents of the copy of this Contract may be appropriately redacted, provided that such redaction will not affect the understanding of the Personal Information Subject.

10. Assume the burden of proof for the performance of obligations under this Contract.

11. In accordance with Relevant Laws and Regulations, provide the Regulatory Authority with all information as described in Article 3.11, including all compliance audit results.

**Article 3 Obligations of the Foreign Recipient**

The Foreign Recipient shall perform the following obligations:

1. Process the Personal Information in accordance with Appendix I "Description of the Outbound Transfer of Personal Information". Where the Foreign Recipient processes the Personal Information in a way beyond the purpose and method of the Personal Information processing, and the types of the Personal Information, as agreed, it shall obtain the separate consent of the Personal Information Subject in advance if the processing of Personal Information is based on the consent of the Personal Information Subject; where the Personal Information of a minor under the age of 14 is involved, the separate consent of the minor's parent, or any other guardian, shall be obtained.

2.
Where the Foreign Recipient is contracted by the Personal Information Handler to process Personal Information, the Foreign Recipient shall process the Personal Information in accordance with the agreement with the Personal Information Handler and shall not process the Personal Information in a way beyond the purpose or method of the Personal Information processing. 3. Provide a copy of this Contract to the Personal Information Subject upon the Personal Information Subject's request. If trade secrets or other confidential business information are involved, relevant parts of this Contract may be appropriately redacted, provided that such redaction will not affect the understanding of the Personal Information Subject. 4. Process the Personal Information in a manner that has the least impact on the rights and interests of the Personal Information Subject. 5. The retention period of Personal Information shall be the minimum period necessary for achieving the purpose of processing. Upon expiry of the retention period, the Personal Information (including all back-up copies) shall be deleted. Where the processing of Personal Information is contracted by the Personal Information Handler, and the personal information processing agreement fails to become effective, becomes null and void, or is cancelled or terminated, the Personal Information being processed shall be returned to the Personal Information Handler or deleted, and a written statement shall be provided to the Personal Information Handler. If it is technically difficult to delete the Personal Information, the processing of the Personal Information, other than the storage and any necessary measures taken for security protection, shall be ceased. 6. 
Ensure the security of Personal Information processing in the following ways:

(1) take technical and organizational measures including but not limited to those listed in Article 2.5 of this Contract and carry out regular inspections to ensure the security of Personal Information; and

(2) ensure that the personnel authorized to process Personal Information perform their confidentiality obligations and establish access control permissions of minimum authorization.

7. In the event that Personal Information is or may be tampered with, destroyed, leaked, lost, illegally used, provided or accessed without authorization, the Foreign Recipient shall:

(1) promptly take appropriate measures to mitigate the adverse impact on the Personal Information Subject;

(2) immediately notify the Personal Information Handler and report to the Regulatory Authority in accordance with the Relevant Laws and Regulations. The notice shall contain the following contents:

i. the type of Personal Information to which the tampering with, destruction, leakage, loss, illegal use, unauthorized provision or access occurs or may occur, the cause of such event or potential event, and the potential harm;

ii. remedial measures that have been taken;

iii. measures that can be taken by the Personal Information Subject to mitigate harm; and

iv. contact information of the person, or team, in charge of handling the situation.

(3) where the Relevant Laws and Regulations require the notification of the Personal Information Subject, the content of the notice shall include the foregoing contents in Article 3.7
(2) above; where the processing of Personal Information is contracted by the Personal Information Handler, the Personal Information Handler shall notify the Personal Information Subject;

(4) record and retain all the circumstances relating to the occurrence or potential occurrence of tampering, destruction, leakage, loss, illegal use, unauthorized provision or access, including all remedial measures taken.

8. The Foreign Recipient may provide Personal Information to a third party located outside the territory of the People's Republic of China only if all of the following requirements are met:

(1) there is a necessity from the business perspective;

(2) the Personal Information Subject has been informed of such third party's name, contact information, the purpose of processing, method of processing, type of Personal Information, retention periods, and the methods and procedures for the Personal Information Subject to exercise his/her rights. Where Sensitive Personal Information is provided to such third party, the Personal Information Subject should also be informed of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject, unless otherwise provided by laws and administrative regulations that such notification is not required;

(3) where the processing of Personal Information is based on the consent of the Personal Information Subject, the separate consent of the Personal Information Subject shall be obtained; where the Personal Information of a minor under the age of 14 is involved, the separate consent of the minor's parent, or any other guardian, shall be obtained.
Where written consent is required by laws and administrative regulations, such written consent shall be obtained; (4) enter into a written agreement with the third party to ensure that the processing of Personal Information by the third party meets the standards for protection of Personal Information required by the Relevant Laws and Regulations of the People's Republic of China, and the Foreign Recipient will assume the liability for the infringement of Personal Information Subject's rights due to the provision of Personal Information to the third party located outside the territory of the People's Republic of China; (5) provide a copy of the above agreement to the Personal Information Subject upon the Personal Information Subject's request. If trade secrets or other confidential business information are involved, relevant parts of the agreement may be appropriately redacted provided that such redaction will not affect the understanding of the Personal Information Subject. 9. Where the Foreign Recipient is contracted by the Personal Information Handler to process Personal Information, and the Foreign Recipient intends to sub-contract the processing to a third party, the Foreign Recipient shall obtain the consent of the Personal Information Handler in advance and shall ensure that the sub-contractor will not process Personal Information in a way beyond the purpose and method of the processing as specified in Appendix I "Description of the Outbound Transfer of Personal Information", and shall monitor the Personal Information processing activities of the third party. 10. When making use of Personal Information for automated decision-making, the Foreign Recipient shall ensure the transparency of decision-making and fair and impartial results, and shall not carry out unreasonable or differential treatment of the Personal Information Subject in terms of transaction conditions, such as transaction price. 
Where automated decision-making is used for pushing information and commercial marketing to the Personal Information Subject, the Foreign Recipient shall also provide the Personal Information Subject with options that are not specific to the individuals' characteristics, or a convenient way for the Personal Information Subject to reject the automated decision-making.

11. Undertake to provide the Personal Information Handler with all necessary information required to comply with the obligations under this Contract, provide the Personal Information Handler access to review the necessary data, documents and files, or conduct a compliance audit of the processing activities under this Contract, and the Foreign Recipient shall facilitate the compliance audit conducted by the Personal Information Handler.

12. Maintain an accurate record of the Personal Information processing activities carried out for at least 3 years and provide the relevant records and documents to the Regulatory Authority directly or through the Personal Information Handler, as required by the Relevant Laws and Regulations.

13. Agree to be subject to supervision by the Regulatory Authority during an enforcement procedure related to supervising the implementation of this Contract, including but not limited to responding to inquiries and inspections by the Regulatory Authority, following the actions taken or decisions made by the Regulatory Authority, and providing written confirmation that necessary measures have been taken, etc.

**Article 4 The Impact of Personal Information Protection Policies and Regulations in the Foreign Recipient's Country or Region on the Performance of this Contract**

1.
The Parties warrant that they have exercised reasonable care when entering into this Contract and are not aware of Personal Information protection policies and regulations in the Foreign Recipient's country or region (including any requirements on providing Personal Information or authorizing public authorities to access Personal Information) that would have an impact on the Foreign Recipient's performance of its obligations under this Contract.

2. The Parties declare that, when making the warranties in Article 4.1, they have conducted the assessment in conjunction with the following circumstances:

(1) the specific circumstances of the outbound transfer, including the purpose of processing the Personal Information, the types, scale, scope and sensitivity of the Personal Information transferred, the scale and frequency of transfer, the period of the outbound transfer of Personal Information and the retention period of the Foreign Recipient, the previous experience of the Foreign Recipient with respect to outbound transfer and processing of similar Personal Information, whether any Personal Information security incident had occurred to the Foreign Recipient and whether such incident was timely and effectively handled, and whether the Foreign Recipient has received any request to provide Personal Information to the public authority of the country or region where it is located and how the Foreign Recipient has responded to such request;

(2) the Personal Information protection policies and regulations of the country or region where the Foreign Recipient is located, including the following elements:

i. the existing Personal Information protection laws, regulations and generally applicable standards of the country or region;

ii. the regional or global organizations of Personal Information protection that the country or region accedes to, and binding international commitments made by the country or region; and

iii.
the mechanisms for Personal Information protection implemented in the country or region, such as whether there are supervision and enforcement authorities and relevant judicial authorities responsible for protecting Personal Information.

(3) the Foreign Recipient's security management system and technical capabilities.

3. The Foreign Recipient warrants that it has used its best efforts to provide the Personal Information Handler with the necessary relevant information for the assessment under Article 4.2.

4. The Parties shall keep a record of any such assessment carried out under Article 4.2 as well as the assessment results.

5. Where the Foreign Recipient is unable to perform this Contract due to any change in the policies and regulations on Personal Information protection of the country or region where the Foreign Recipient is located (including any change of laws or mandatory measures in the country or region where the Foreign Recipient is located), the Foreign Recipient shall notify the Personal Information Handler immediately after being aware of the aforesaid change.

6. If the Foreign Recipient receives a request for provision of Personal Information under this Contract from a governmental authority or judicial authority in the country or region where the Foreign Recipient is located, it shall promptly notify the Personal Information Handler.

**Article 5 Rights of the Personal Information Subject**

The Parties agree that the Personal Information Subject shall be entitled to the following rights as a third-party beneficiary under this Contract.

1.
The Personal Information Subject, in accordance with Relevant Laws and Regulations, has the right to know and to make decisions on the processing of the Personal Information, the right to restrict or refuse processing of the Personal Information Subject's Personal Information by others, the right to request access to, copy, correct, supplement or delete the Personal Information, and the right to request others to explain the rules for the processing of the Personal Information Subject's Personal Information.

2. When the Personal Information Subject requests to exercise the above-mentioned rights regarding their Personal Information that has been transferred abroad, the Personal Information Subject may request the Personal Information Handler to take appropriate measures for the realization of those rights, or directly make the request to the Foreign Recipient. If the Personal Information Handler is unable to realize those rights, it shall notify the Foreign Recipient and request the Foreign Recipient to assist in the realization.

3. The Foreign Recipient shall, as notified by the Personal Information Handler or requested by the Personal Information Subject, realize the rights that the Personal Information Subject is entitled to within a reasonable period and in accordance with the Relevant Laws and Regulations. The Foreign Recipient shall inform the Personal Information Subject about the relevant information, which shall be true, accurate and complete, in an obvious way and using clear and understandable language.

4. If the Foreign Recipient intends to refuse the request of the Personal Information Subject, it shall inform the Personal Information Subject of the reasons for the refusal, as well as the channels for the Personal Information Subject to raise complaints with the relevant Regulatory Authority and seek judicial remedies.

5.
The Personal Information Subject, as a third-party beneficiary to this Contract, has the right to claim against one or both of the Personal Information Handler and the Foreign Recipient in accordance with this Contract and require them to perform the following clauses under this Contract relating to the rights of the Personal Information Subject:

(1) Article 2, except for Articles 2.5, 2.6 and 2.7;

(2) Article 3, except for Articles 3.7(2) and 3.7(4), 3.9, 3.11, 3.12 and 3.13;

(3) Article 4, except for Articles 4.5 and 4.6;

(4) Article 5;

(5) Article 6;

(6) Articles 8.2 and 8.3; and

(7) Article 9.5.

The above agreement shall not affect the rights and interests of the Personal Information Subject in accordance with the Personal Information Protection Law of the People's Republic of China.

**Article 6 Remedies**

1. The Foreign Recipient shall identify a contact person who is authorized to respond to enquiries or complaints concerning the processing of Personal Information, and it shall promptly deal with any enquiries or complaints from the Personal Information Subject. The Foreign Recipient shall notify the Personal Information Handler of the contact information and shall inform the Personal Information Subject of the contact information in a manner which is easy to understand, by separate notice or announcement on its website. To be specific: Contact person and contact information (office phone number or email address).

2. If a dispute arises between either Party and the Personal Information Subject with respect to the performance of this Contract, such Party shall notify the other Party and the Parties shall cooperate to resolve the dispute.

3.
If the dispute cannot be resolved amicably and the Personal Information Subject exercises the rights as a third-party beneficiary in accordance with Article 5, the Foreign Recipient shall accept that the Personal Information Subject may safeguard his/her rights through either of the following means: (1) lodging a complaint with the Regulatory Authority; and (2) bringing a lawsuit to the court specified in Article 6.5. 4. The Parties agree that when the Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, if the Personal Information Subject chooses to apply the Relevant Laws and Regulations of the People's Republic of China, such choice shall prevail. 5. The parties agree that if the Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, the Personal Information Subject may file a lawsuit with a competent court in accordance with the Civil Procedure Law of the People's Republic of China. 6. The Parties agrees that the choices made by the Personal Information Subject to safeguard his/her rights will not impair the rights of the Personal Information Subject to seek remedies in accordance with other laws and regulations. Article 7Termination of the Contract 1. If the Foreign Recipient breaches the obligations specified in this Contract or the Foreign Recipient is unable to perform this Contract due to a change in the policies and regulations on Personal Information protection in the Foreign Recipient's country or region (including amendment to the laws or adoption of compulsory measures in the Foreign Recipient's country or region), the Personal Information Handler may suspend the provision of Personal Information to the Foreign Recipient until the breach is corrected or the Contract is terminated. 2. 
In case of any of the following circumstances, the Personal Information Handler shall be entitled to terminate this Contract and notify the Regulatory Authority where necessary: (1) where the Personal Information Handler has suspended the provision of Personal Information to the Foreign Recipient for more than one month in accordance with Article 7.1; (2) the Foreign Recipient's compliance with this Contract will violate the laws and regulations of its own country or region; (3) the Foreign Recipient seriously or persistently breaches the obligations under this Contract; (4) the Foreign Recipient or the Personal Information Handler have breached this Contract pursuant to a final decision of a competent court or the regulatory body supervising the Foreign Recipient; and The Foreign Recipient may also terminate this Contract in case of sub-paragraph (1), (2) or (4) of above. 3. The Contract may be terminated upon mutual agreement by the Parties, provided that such termination shall not exempt the Parties from the obligations of protecting Personal Information during the processing of the Personal Information. 4. If the Contract is terminated, the Foreign Recipient shall promptly return or delete the Personal Information (including all back-up copies) received hereunder and provide the Personal Information Handler with a written statement. If it is technically difficult to delete the Personal Information, any processing of the Personal Information, other than the storage and taking necessary security protection measures, shall be ceased. Article 8Liability for Breach of the Contract 1. Each Party shall be liable to the other Party for any damage as a result of its breach of this Contract. 2. 
Each Party shall bear civil liabilities to the Personal Information Subject if its breach of this Contract infringes the rights of the Personal Information Subject, without prejudice to the administrative, criminal or other legal liabilities that shall be assumed by the Personal Information Handler under the Relevant Laws and Regulations. 3. The Parties shall assume joint and several liability in accordance with the law. The Personal Information Subject shall have the right to request each Party or the Parties to assume liability. When the liability assumed by one Party exceeds the liability such Party shall be assumed, it shall have the right to claim against the other Party accordingly. Article 9Miscellaneous 1. If this Contract conflicts with any other legal documents existing between the Parties, the provisions of this Contract shall prevail. -2. The formation, validity, performance and interpretation of this Contract and any dispute between the Parties arising from this Contract shall be governed by the Relevant Laws and Regulations of the People's Republic of China. -3. All notices shall be promptly transmitted or posted by electronic mail, cable, telex, facsimile (confirmation copy sent by airmail), or registered airmail to (specify address _________________________ or such other address as may be substituted for such address by written notice). Receipt of any notice under this Contract shall be deemed to have been received ________ days after its postmark-date in the case of registered airmail and ________ working days after dispatch in the case of e-mail, cable, telex or facsimile transmission. -4. 
Any dispute arising from this Contract between the Parties, the Personal Information Handler and the Foreign Recipient, as well as a claim by either Party against the other for recovery of compensation already paid to the Personal Information Subject, shall be resolved by the Parties through negotiation; if such negotiation fails, either Party may adopt any of the following methods to resolve the dispute (check the box for the chosen arbitration institution, if arbitration is required):1 □ □ □ □ □ ___________ ____________ 2 __ __ ______________ ____________ ____ __ __ ________________ ____ __ __ GB/T 35273 GB/T 35273 (1) Arbitration. The dispute shall be submitted to: China International Economic and Trade Arbitration Commission China Maritime Arbitration Commission Beijing Arbitration Commission (Beijing International Arbitration Center) Shanghai International Arbitration Center Other arbitration institutions that are members of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards The arbitration shall be conducted in ________ (the place of arbitration) in accordance with its arbitration rules then in force. (2) Litigation. Submit the dispute to a Chinese court with jurisdiction in accordance with the applicable laws. -5. This Contract shall be interpreted in accordance with Relevant Laws and Regulations and shall not be interpreted in a manner inconsistent with the rights and obligations set forth in Relevant Laws and Regulations. -6. This Contract shall be executed in _________ originals, and the Parties, the Personal Information Handler and the Foreign Recipient, shall each hold _________ original(s), with equal legal effect. This contract is signed at (place). This Contract is made and entered into by and between the Personal Information Handler and the Foreign Recipient at _________. 
Personal Information Handler: ______________________________________ (Seal) Legal Representative/Proxy: ______________________ (Signature or Seal) Date: ______________________ Foreign Recipient: ______________________________________ (Seal) Legal Representative/Proxy: ______________________ (Signature or Seal) Date: ______________________ Appendix I Description of the Outbound Transfer of Personal Information The details of the outbound transfer of Personal Information under this Contract are as follows: -1. Purpose of processing: -2. Method of processing: -3. The scale of Personal Information to be transferred abroad: -4. Type of Personal Information to be transferred abroad (see the types in the Information Security Technologies - Personal Information Security Specifications (GB/T 35273) and relevant standards): -5. Type of Sensitive Personal Information to be transferred abroad (where applicable, see the types in the Information Security Technologies - Personal Information Security Specifications of GB/T 35273 and relevant standards): -6. The Foreign Recipient transfers Personal Information only to the following third parties outside the People's Republic of China (if applicable): -7. Method of transfer: -8. Retention period after the cross-border transfer: From [MM/DD/YY] to [MM/DD/YY] -9. Storage location after the outbound transfer: -10. Other matters (to be filled in as appropriate): Appendix II Other Terms as Agreed by the Parties (If Necessary). Note: this translation work is presented by Shihui Partners, translated by Jing Lu, Jeanette Wang and Raymond Wang and reviewed by Ian Read. 
## Annex Standard Contract for Outbound Transfer of Personal Information

---

## Personal Information Protection Law of the People's Republic of China

- Chinese title: 中华人民共和国个人信息保护法
- Abbreviation: PIPL
- Hierarchy: law
- Issuing body: National People's Congress Standing Committee
- Adopted: 2021-08-20
- Effective: 2021-11-01
- Status: effective
- URL: https://datacompliancechina.com/laws/pipl/
- Markdown: https://datacompliancechina.com/laws/pipl.md

### Summary

PIPL is China's comprehensive personal-information protection regime. It is structured around the concept of the personal information handler — a Chinese-law term that should not be flattened to GDPR's data controller. PIPL governs consent, sensitive personal information, cross-border transfer, and the rights of individuals, with extraterritorial reach to handlers outside China that target domestic natural persons.

### Full text

**Promulgated by:** Standing Committee of the National People's Congress.
**Document No.:** Presidential Decree No. 91.
**Adopted at the 30th Session of the Standing Committee of the 13th National People's Congress on August 20, 2021.**
**Effective November 1, 2021.**

---

## Chapter 1 General Provisions

**Article 1.** This Law is enacted in accordance with the Constitution to protect the rights and interests of personal information, regulate the handling of personal information and promote the reasonable use of personal information.

**Article 2.** The personal information of a natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of natural persons.

**Article 3.** This Law shall apply to the handling of the personal information of natural persons within the territory of the People's Republic of China.
This Law shall also apply to the handling, outside the territory of the People's Republic of China, of the personal information of natural persons within the territory of the People's Republic of China under any of the following circumstances:
(I) where the purpose is to provide domestic natural persons with products or services;
(II) where the activities of domestic natural persons are analyzed and evaluated; and
(III) other circumstances as prescribed by laws and administrative regulations.

**Article 4.** Personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information that has been anonymized.
The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion, etc. of personal information.

**Article 5.** The handling of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and personal information shall not be handled by means of misleading, fraud, coercion or other such means.

**Article 6.** The handling of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of handling and shall be conducted in a way that minimizes the impact on personal rights and interests.
The collection of personal information shall be limited to the minimum scope for achieving the purpose of handling, and personal information shall not be excessively collected.

**Article 7.** The handling of personal information shall follow the principles of openness and transparency, make public the rules for handling personal information and expressly indicate the purpose, method and scope of such handling.

**Article 8.** The quality of personal information shall be ensured in the handling of personal information to avoid the adverse impact on personal rights and interests caused by inaccurate or incomplete personal information.
**Article 9.** A personal information handler shall be responsible for its handling of personal information and take necessary measures to ensure the security of the personal information handled.

**Article 10.** No organization or individual may illegally collect, use, process or transmit the personal information of others, illegally buy or sell, provide or make public the personal information of others, or engage in the handling of personal information that endangers the national security or public interests.

**Article 11.** The State establishes a sound personal information protection system, prevents and punishes the infringement upon personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment in which the government, enterprises, relevant social organizations and the public jointly participate in personal information protection.

**Article 12.** The State actively participates in the development of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and promotes the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.
## Chapter 2 Rules for Handling Personal Information

### Section 1 General Provisions

**Article 13.** Only under any of the following circumstances may a personal information handler handle personal information:
(I) where the consent of the individual concerned is obtained;
(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law;
(III) where it is necessary for the performance of statutory duties or statutory obligations;
(IV) where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency;
(V) where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the handling of personal information is within a reasonable scope;
(VI) where it is necessary to handle the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and
(VII) other circumstances prescribed by laws and administrative regulations.
The handling of personal information shall be subject to the consent of the individual concerned in accordance with other relevant provisions of this Law; however, the consent of the individual concerned is not required under the circumstances set forth in Items (II) to (VII) of the preceding paragraph.

**Article 14.** Where the handling of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge.
Where laws and administrative regulations provide that the handling of personal information shall be subject to the separate consent or written consent of the individual concerned, such provisions shall prevail.
Where the purpose or method of handling personal information or the type of personal information to be handled changes, the consent of the individual concerned shall be obtained again.

**Article 15.** Where the handling of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information handler shall provide a convenient method for the individual to withdraw his/her consent.
Withdrawal of consent by the individual concerned does not affect the validity of any personal information handling activity conducted based on the consent of the individual before such withdrawal.

**Article 16.** A personal information handler shall not refuse to provide products or services for an individual on the grounds that the individual does not agree to handle his/her personal information or withdraws his/her consent, unless the handling of personal information is necessary for providing products or services.

**Article 17.** Prior to the handling of an individual's personal information, the personal information handler shall truthfully, accurately and completely inform the individual of the following matters in a conspicuous manner and in clear and understandable language:
(I) the title or name and contact information of the personal information handler;
(II) the purpose and method of handling personal information, and the type and retention period of the handled personal information;
(III) the method and procedure for the individual to exercise the rights provided for in this Law; and
(IV) other matters that shall be informed in accordance with the provisions of laws and administrative regulations.
Where any of the matters specified in the preceding paragraph is changed, the individual shall be notified of such change.
Where a personal information handler informs individuals of the matters specified in the first Paragraph by formulating rules on handling personal information, such rules shall be open to the public for easy access and storage.

**Article 18.** A personal information handler is allowed not to inform the individual concerned of the matters prescribed in Paragraph 1 of the preceding article if there are circumstances in which the personal information should be kept confidential as required by laws or administrative regulations or does not need to be informed.
Where it is unable to timely inform the individual concerned in an emergency for the purpose of protecting the life, health and property safety of natural persons, the personal information handler shall timely inform the individual after the elimination of the emergency.

**Article 19.** Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the minimum period necessary for achieving the purpose of handling.

**Article 20.** Where two or more personal information handlers jointly determine the purpose and method of handling personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual's request to any of the personal information handlers to exercise the rights stipulated in this Law.
Where personal information handlers jointly handling personal information infringe upon personal information rights and interests and cause damage, they shall bear joint and several liability in accordance with the law.
**Article 21.** Where a personal information handler entrusts others with the handling of personal information, it shall agree with the agent on the purpose, time limit and method of entrusted handling, type of personal information and protection measures, as well as the rights and obligations of both parties, and supervise the personal information handling activities of the agent.
The agent shall handle personal information as agreed and shall not handle personal information beyond the agreed purpose and method of handling; where the entrustment contract is not effective, invalid, revoked or terminated, the agent shall return personal information to the personal information handler or delete it, and shall not retain it.
Without the consent of the personal information handler, the agent shall not re-entrust others with the handling of personal information.

**Article 22.** Where a personal information handler needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, etc., it shall inform the individual concerned of the name and contact information of the recipient. The recipient shall continue to fulfill its obligations as a personal information handler. Where the recipient changes the original purpose and method of handling, it shall obtain the consent of the individual concerned anew in accordance with this Law.

**Article 23.** Where a personal information handler provides other personal information handlers with the personal information of an individual it handles, it shall inform the individual of the name and contact information of the recipient, purpose and method of handling and type of personal information, and shall obtain the individual's separate consent. The recipient shall handle personal information within the scope of the above purpose and method of handling and type of personal information.
It shall obtain the consent of the individual anew in accordance with this Law in case of changes in the original purpose and method of handling.

**Article 24.** Where a personal information handler makes use of personal information to make automated decisions, it shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable discriminatory treatment on individuals in respect of the transaction price and transaction conditions.
Information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual's personal characteristics, or convenient ways of rejection shall be provided to the individual.
Where a decision that has a significant impact on an individual's rights and interests is made through automated decision-making, the individual shall have the right to require the personal information handler to make an explanation and to reject a decision made by the personal information handler solely through automated decision-making.

**Article 25.** A personal information handler shall not make public the personal information of an individual it handles, except with the individual's separate consent.

**Article 26.** Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security and comply with the relevant provisions of the State, and conspicuous prompting signs shall be set up. An individual's personal image and personal identification information collected may only be used for the purpose of maintaining public security and shall not be used for any other purpose, except with the individual's separate consent.
**Article 27.** A personal information handler may, within a reasonable scope, handle the personal information that is disclosed by the individual concerned himself/herself or other personal information that has been legally publicized, unless the individual expressly refuses such handling. A personal information handler shall obtain the consent of an individual in accordance with the provisions of this Law if the handling of the individual's disclosed personal information has a major impact on the rights and interests of the individual.

### Section 2 Rules for Handling Sensitive Personal Information

**Article 28.** Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14.
Only where there is a specific purpose and sufficient necessity, and strict protection measures have been taken, may a personal information handler handle sensitive personal information.

**Article 29.** The handling of sensitive personal information of an individual shall be subject to the individual's separate consent; where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to written consent, such provisions shall prevail.
**Article 30.** For the sensitive personal information of an individual, the personal information handler shall, in addition to the matters specified in Paragraph 1 of Article 17 hereof, inform the individual of the necessity of handling his/her sensitive personal information and the impact on his/her personal rights and interests, except for the circumstances that may be exempted from informing the individual of such information in accordance with this Law.

**Article 31.** To handle the personal information of a minor under the age of 14, a personal information handler shall obtain the consent of the minor's parents or other guardians.
To handle the personal information of minors under the age of 14, a personal information handler shall formulate specialized rules for handling personal information.

**Article 32.** Where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the relevant administrative license or other restrictions, such provisions shall prevail.

### Section 3 Special Provisions on Handling Personal Information by State Organs

**Article 33.** This Law shall apply to the activities of a State organ to handle personal information; where there are special provisions in this Section, such provisions shall apply.

**Article 34.** A State organ shall handle personal information for the purpose of performing its statutory duties in accordance with the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for the performance of its statutory duties.

**Article 35.** A State organ handling personal information for the purpose of performing its statutory duties shall perform its obligation of informing in accordance with this Law, except for the circumstances stipulated in Paragraph 1 of Article 18 hereof, or where the informing will hinder the State organ from performing its statutory duties.
**Article 36.** The personal information handled by a State organ shall be stored within the territory of the People's Republic of China; where it is necessary to provide such information to an overseas party, a security evaluation shall be conducted. Relevant authorities may be required to provide support and assistance for the security evaluation.

**Article 37.** Where organizations with functions of administering public affairs as authorized by laws and regulations handle personal information for the purpose of performing their statutory duties, the provisions of this Law on handling personal information by State organs shall apply.

## Chapter 3 Rules for Cross-border Provision of Personal Information

**Article 38.** Where a personal information handler really needs to provide personal information outside the territory of the People's Republic of China due to business or other needs, it shall meet any of the following conditions:
(I) it shall pass the security evaluation organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 hereof;
(II) it shall have been certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China;
(III) it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; and
(IV) it shall meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China.
Where the international treaties or agreements concluded or acceded to by the People's Republic of China contain provisions on the conditions for provision of personal information outside the territory of the People's Republic of China, such provisions may prevail.
The personal information handler shall take necessary measures to ensure that the activities of handling personal information by the overseas recipient meet the standards for protection of personal information as prescribed herein.

**Article 39.** To provide the personal information of an individual to an overseas recipient outside the territory of the People's Republic of China, the personal information handler shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of handling, type of personal information and the method and procedure for the individual to exercise the rights stipulated herein against the overseas recipient, and shall obtain the individual's separate consent.

**Article 40.** Critical information infrastructure operators and personal information handlers whose quantity of handling of personal information reaches that as prescribed by the Cyberspace Administration of China ("CAC") shall store personal information collected and generated within the territory of the People's Republic of China within the territory of the People's Republic of China. Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail.

**Article 41.** The competent authorities of the People's Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China or under the principles of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for providing the personal information stored within the territory of China.
Without the approval of the competent authorities of the People's Republic of China, no personal information handler may provide the personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities.

**Article 42.** Where an overseas organization or individual engages in the personal information handling activities infringing upon the personal information rights and interests of citizens of the People's Republic of China or endangering the national security and public interests of the People's Republic of China, the CAC may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual.

**Article 43.** Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People's Republic of China in terms of protection of personal information, the People's Republic of China may take reciprocal measures against such country or region as the case may be.

## Chapter 4 Rights of Individuals in Activities of Handling Personal Information

**Article 44.** An individual has the right to know and make decisions on the handling of his/her personal information, and the right to restrict or refuse others to handle his/her personal information, unless otherwise provided for by laws and administrative regulations.

**Article 45.** An individual is entitled to consult or copy his/her personal information from a personal information handler, except for the circumstances stipulated in Paragraph 1 of Article 18 and Article 35 hereof.
Where an individual requests to consult or copy his/her personal information, the personal information handler shall provide such information in a timely manner.
Where an individual requests to transfer his/her personal information to a personal information handler designated by him/her, which meets the conditions stipulated by the CAC, the personal information handler shall provide a way for the transfer. **Article 46.** Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information handler to make corrections or supplements. Where an individual requests corrections or supplements to his/her personal information, the personal information handler shall verify and make corrections or supplements to such information in a timely manner. **Article 47.** Under any of the following circumstances, a personal information handler shall take the initiative to delete personal information; if the personal information handler fails to delete such information, the individual concerned is entitled to request the deletion of such information: (I) where the purpose of handling has been achieved, it is impossible to achieve such purpose, or it is no longer necessary to achieve such purpose; (II) where the personal information handler ceases to provide products or services, or the storage period has expired; (III) where the individual withdraws his/her consent; (IV) where the personal information handler handles personal information in violation of laws, administrative regulations or the agreement; or (V) other circumstances stipulated by laws and administrative regulations. Where the storage period as stipulated by laws and administrative regulations has not expired, or the deletion of personal information is technically difficult to realize, the personal information handler shall stop all handling other than storage and necessary security protection measures. **Article 48.** Individuals are entitled to request a personal information handler to explain its handling rules for personal information. 
**Article 49.** Where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless otherwise arranged by the deceased prior to his/her death. **Article 50.** A personal information handler shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual's request for exercising his/her rights is rejected, the reasons shall be stated. Where the personal information handler refuses an individual's request for exercising his/her rights, the individual may file a lawsuit with a people's court in accordance with the law. ## Chapter 5 Obligations of Personal Information Handlers **Article 51.** A personal information handler shall, according to the purpose and method of handling personal information, types of personal information, impacts on personal rights and interests and possible security risks, take the following measures to ensure the compliance of personal information handling activities with provisions of laws and administrative regulations and prevent unauthorized access and divulgence, falsification and loss of personal information: (I) formulating internal management systems and operating procedures; (II) implementing category-based management of personal information; (III) taking corresponding technical security measures such as encryption and de-identification; (IV) reasonably determining the authority to handle personal information and conducting security education and training for relevant employees on a regular basis; (V) formulating and organizing the implementation of emergency plans for personal information security incidents; and (VI) other measures stipulated by laws and administrative regulations. 
**Article 52.** Where the quantity of personal information handled reaches that specified by the CAC, the personal information handler shall designate a person in charge of personal information protection to be responsible for supervising the activities of handling of personal information and the adopted protection measures. The personal information handler shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection. **Article 53.** Any personal information handler outside the territory of the People's Republic of China as prescribed in Paragraph 2 of Article 3 hereof shall establish a special agency or designate a representative within the territory of the People's Republic of China to be responsible for handling matters relating to personal information protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection. **Article 54.** A personal information handler shall regularly conduct compliance audits on its handling of personal information in accordance with laws and administrative regulations. 
**Article 55.** Under any of the following circumstances, a personal information handler shall conduct an impact assessment on personal information protection beforehand and keep a record of the handling: (I) handling sensitive personal information; (II) making use of personal information to make automatic decision-making; (III) entrusting others to handle personal information, providing other personal information handlers with personal information and publicizing personal information; (IV) providing personal information to overseas parties; or (V) other personal information handling activities that have significant impact on personal rights and interests. **Article 56.** An impact assessment on personal information protection shall include the following contents: (I) whether the purpose and method of handling personal information are lawful, legitimate, and necessary; (II) impact on personal rights and interests and security risks; and (III) whether the protection measures taken are lawful, effective and commensurate with the degree of risks. The report on personal information protection impact assessment and records of handling shall be kept for at least three years. **Article 57.** Where personal information has been or may be divulged, tampered with or lost, the personal information handler shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters: (I) the types, reasons and possible harm of the information that has been involved or may be involved in the divulgence, tampering with or loss of personal information; (II) the remedial measures taken by the personal information handler and the measures that can be taken by the individuals to mitigate harm; and (III) the contact information of the personal information handler. 
Where the personal information handler has taken measures to effectively avoid harm caused by divulgence, tampering with or loss of information, the personal information handler may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may be caused, they may require the personal information handler to notify the individuals concerned. **Article 58.** Any personal information handler that provides important Internet platform services with a large number of users and complicated business type shall perform the following obligations: (I) establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent agency mainly composed of external members to supervise personal information protection; (II) following the principles of openness, fairness and impartiality, formulating platform rules specifying the standards for the handling of personal information by product or service providers on the platform and their obligations to protect personal information; (III) ceasing to provide services to product or service providers on the platform that handle personal information in serious violation of laws and administrative regulations; and (IV) regularly releasing social responsibility reports on personal information protection for social supervision. **Article 59.** The agent that accepts the entrustment of a personal information handler to handle personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information handled and assist the personal information handler to perform the obligations stipulated in this Law. 
## Chapter 6 Authorities Performing Duties of Personal Information Protection **Article 60.** The CAC is responsible for coordinating the protection of personal information and relevant supervision and administration work. Relevant departments of the State Council are responsible for protecting, supervising and administering the protection of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations. The duties of relevant departments of local people's governments at or above the county level in protecting, supervising and administering the protection of personal information shall be determined in accordance with relevant provisions of the State. The departments mentioned in the preceding two paragraphs are collectively referred to as the authorities performing duties of personal information protection. **Article 61.** Authorities performing duties of personal information protection shall perform the following duties of personal information protection: (I) carrying out publicity and education on personal information protection, and guiding and supervising personal information handlers to protect personal information; (II) accepting and handling complaints and reports related to personal information protection; (III) organizing the evaluation of applications and other organizations on the protection of personal information, and disclosing the evaluation results; (IV) investigating and handling illegal personal information handling activities; and (V) other duties stipulated by laws and administrative regulations. 
**Article 62.** The CAC shall make overall planning and coordinate relevant authorities to promote the following work of personal information protection in accordance with this Law: (I) formulating specific rules and standards for personal information protection; (II) formulating specialized rules and standards for personal information protection for small personal information handlers, handling sensitive personal information and new technologies and applications such as face recognition and artificial intelligence; (III) supporting the research, development and popularization of secure and convenient electronic identity authentication technologies, and promoting the development of public services for network identity authentication; (IV) promoting the development of a socialized service system for personal information protection, and supporting relevant organizations in carrying out evaluation and authentication services on personal information protection; and (V) improving the mechanism for complaints and whistleblowing reports on personal information protection. **Article 63.** Authorities performing duties of personal information protection may take the following measures when performing such duties: (I) inquiring the parties concerned and investigating the circumstances relating to personal information handling activities; (II) consulting and copying contracts, records, account books and other relevant materials relating to personal information handling activities of the parties concerned; (III) carrying out on-site inspection and investigation of personal information handling activities suspected of violating laws; and (IV) checking the equipment and articles relating to personal information handling activities; and the equipment and articles that are proved to be used for illegal personal information handling activities may be seized or detained upon written reports to and approval by the person chiefly in charge of the authority concerned. 
The parties concerned shall provide assistance and cooperation in the performance of duties of personal information protection by the authorities concerned in accordance with the law and shall not refuse or obstruct such performance. **Article 64.** Where authorities performing duties of personal information protection find in their performance of such duties that there are high risks in personal information handling activities or personal information security incidents have occurred, they may, according to prescribed authority and procedures, have an interview with the legal representative or person chiefly in charge of the personal information handler concerned, or require such handler to entrust a specialized agency to conduct a compliance audit on its personal information handling activities. The personal information handler shall take measures to make rectification and eliminate hidden dangers as required. Where authorities performing duties of personal information protection find in their performance of such duties that illegal handling of personal information is suspected of constituting crimes, they shall timely refer the case to the public security authorities for handling in accordance with the law. **Article 65.** Any organization or individual shall have the right to complain or report illegal personal information handling activities to the authorities performing duties of personal information protection. The said authorities receiving such complaints or reports shall timely handle them in accordance with the law and notify the complainants or reporters of the handling results. Authorities performing duties of personal information protection shall make public the contact information for accepting complaints or reports. 
## Chapter 7 Legal Liability **Article 66.** In the event that personal information is handled in violation of the provisions of this Law, or that personal information is handled without performing the obligation of protecting personal information as stipulated in this Law, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give a warning to it and confiscate its illegal gains. Any application that illegally handles personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than 1 million yuan shall be imposed on it concurrently; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons. For any illegal act specified in the preceding paragraph with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year on it, and may also order it to suspend relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time. 
**Article 67.** Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations and shall be disclosed to the public. **Article 68.** Where a State organ fails to perform its obligation of protecting personal information as stipulated in this Law, its superior organ or the authorities performing duties of personal information protection shall order it to make corrections; and impose sanctions on the person directly in charge and other directly liable persons in accordance with the law. Where any staff member of the authorities performing duties of personal information protection neglects his/her duty, abuses his/her power, plays favoritism and commits irregularities, which does not constitute a crime, sanctions shall be imposed on him/her in accordance with the law. **Article 69.** Where the handling of personal information infringes upon personal information rights and interests and causes damage, the personal information handler concerned shall bear liability for damages and other tort liabilities if it cannot prove that it is not at fault. The liability for damages specified in the preceding paragraph shall be determined based on the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler; if the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler are difficult to be determined, the amount of damages shall be determined in accordance with the actual circumstances. **Article 70.** Where any personal information handler handles personal information in violation of this Law, which infringes upon the rights and interests of a large number of individuals, the People's Procuratorate, the consumer organizations specified by law and the organizations determined by the CAC may bring a lawsuit to a people's court in accordance with the law. 
**Article 71.** Where any violation of the provisions hereof constitutes a violation of public security administration, a public security administrative punishment shall be imposed in accordance with the law; and if a crime is constituted, criminal liability shall be investigated in accordance with the law. ## Chapter 8 Supplementary Provisions **Article 72.** This Law shall not apply to the handling of personal information by a natural person for his or her personal or family affairs. Where there are legal provisions on the handling of personal information in the statistical and archive administration organized and implemented by the people's governments at all levels and the relevant departments thereof, such provisions shall apply. **Article 73.** For the purposes of this Law, the following terms shall have the following meanings: (I) "Personal information handler" refers to an organization or individual that independently determines the handling purpose and method in the handling of personal information. (II) "Automatic decision-making" refers to the activities of automatically analyzing and evaluating an individual's behavior habits, hobbies or economic, health or credit status through computer programs and making decisions. (III) "De-identification" refers to the process in which personal information is handled so that it is impossible to identify certain natural persons without the aid of additional information. (IV) "Anonymization" refers to the process in which personal information is handled so that it is impossible to identify certain natural persons and that it cannot be recovered. **Article 74.** This Law shall come into force as of November 1, 2021. 
--- ## Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information - Chinese title: 最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定 - Abbreviation: FRT Judicial Interpretation - Hierarchy: judicial - Issuing body: Supreme People's Court - Adopted: 2021-06-08 - Effective: 2021-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation/ - Markdown: https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation.md ### Summary The Supreme People's Court's interpretation of how civil courts should apply law in cases involving facial recognition. Defines what counts as 'processing facial information', enumerates conduct that infringes personality rights, addresses consent validity (mandatory consent through a service agreement is not valid), and sets out remedies and burden-of-proof allocation. Issued before PIPL took effect but designed to interoperate with PIPL's sensitive-personal-information regime. ### Full text **Promulgated by:** Supreme People's Court. **Document No.:** Fa Shi [2021] No. 15. **Adopted at the 1841st Meeting of the Judicial Committee of the Supreme People's Court on June 8, 2021. Effective August 1, 2021.** --- **Article 1.** These Provisions shall apply to civil cases arising from the use of facial recognition technologies by information processors to process facial information or process facial information generated on the basis of facial recognition technologies in violation of laws, administrative regulations or the agreement between both parties. The processing of facial information includes the collection, storage, use, processing, transmission, provision and disclosure of facial information. For the purpose of these Provisions, facial information is the "biometric information" as specified in Article 1034 of the Civil Code. 
**Article 2.** Where an information processor falls under any of the following circumstances in the processing of facial information, the People's Court shall determine that it is an infringement upon the personality rights and interests of a natural person: (I) using facial recognition technologies to verify, recognize or analyze faces in such business places or public places as hotels, shopping malls, banks, stations, airports, stadiums and gymnasiums or entertainment venues in violation of laws and administrative regulations; (II) failing to disclose the rules for the processing of facial information or to clearly indicate the processing purpose, method and scope; (III) where the processing of facial information is subject to an individual's consent, the separate consent of the natural person or his/her guardian is not obtained, or the written consent of the natural person or his/her guardian is not obtained in accordance with laws and administrative regulations; (IV) violating the purpose, method and scope of the processing of facial information as expressly indicated by the information processor or agreed between both parties; (V) failing to take due technical measures or other necessary measures to ensure the security of facial information it collects and stores, which results in the disclosure, falsification or loss of facial information; (VI) providing facial information to others in violation of the provisions of laws and administrative regulations or the agreement between both parties; (VII) processing facial information in violation of public order and good customs; and (VIII) other circumstances under which facial information is processed in violation of the principles of legality, legitimacy and necessity. 
**Article 3.** When determining that an information processor shall bear civil liability for its infringement upon the personality rights and interests of a natural person, the People's Court shall apply Article 998 of the Civil Code and, in light of the specific circumstances of the case, comprehensively consider whether the victim is a minor, the notification of consent, the necessity for information processing and other factors. **Article 4.** Under any of the following circumstances, if the information processor defends itself on the ground that it has obtained the consent of the natural person or his/her guardian, the People's Court shall not support such defense: (I) where the information processor requires the natural person to agree to process his/her facial information before providing a product or service, unless the processing of such facial information is necessary for providing the product or service; (II) where the information processor requires the natural person to agree to process his/her facial information by bundling such consent with any other authorization; or (III) other circumstances under which the information processor compels, directly or in a disguised manner, a natural person to agree to process his/her facial information. 
**Article 5.** Under any of the following circumstances, if the information processor claims that it shall not bear any civil liability, the People's Court shall support such claim according to law: (I) where the processing of facial information is necessary for responding to a public health emergency or for protecting the life, health and property safety of a natural person; (II) where the facial recognition technology is used in public places in accordance with the relevant provisions of the State for the purpose of maintaining public security; (III) where the facial information is processed within a reasonable scope to carry out such activities as news reporting and supervision by public opinions for the public interest; (IV) where the facial information is reasonably processed within the scope agreed by the natural person or his/her guardian; or (V) other circumstances as prescribed by laws and administrative regulations. **Article 6.** Where a party concerned requests the information processor to bear civil liability, the People's Court shall determine the burden of proof of both parties in accordance with Article 64 of the Civil Procedure Law, Articles 90 and 91 of the Interpretation of the Supreme People's Court on the Application of the Civil Procedure Law of the People's Republic of China, and the Several Provisions of the Supreme People's Court on Evidence in Civil Procedures. Where the information processor claims that its conduct falls under the circumstances as prescribed in Paragraph 1 of Article 1035 of the Civil Code, it shall bear the burden of proof for the facts on which such conduct is based. Where the information processor claims that it shall not bear civil liability, it shall bear the burden of proof to the extent that its conduct falls under the circumstances as prescribed in Article 5 hereof. 
**Article 7.** Where several information processors, when processing facial information, infringe upon the personality rights and interests of a natural person, and the natural person claims that the multiple information processors shall bear tort liability based on the degree of fault and the extent of damage caused, the People's Court shall uphold such claim; where the corresponding circumstances as prescribed in Article 1168, Paragraph 1 of Article 1169, Article 1170 and Article 1171 of the Civil Code are met, and the natural person claims that the multiple information processors shall bear joint and several liability, the People's Court shall uphold such claim. Where an information processor, when processing facial information by using network services, infringes upon the personality rights and interests of a natural person, Articles 1195, 1196 and 1197 of the Civil Code and other provisions shall apply. **Article 8.** Where an information processor, when processing facial information, infringes upon the personality rights and interests of a natural person, and the natural person claims compensation for property damage in accordance with Article 1182 of the Civil Code, the People's Court shall uphold such claim according to law. The reasonable expenses paid by the natural person in order to stop the infringement may be determined as property losses as prescribed in Article 1182 of the Civil Code. Reasonable expenses include reasonable expenses incurred to the natural person or his/her agent for investigation and collection of evidence on the infringement. The People's Court may, at the request of the party concerned and in light of the specific circumstances of the case, include the reasonable attorney's fees into the scope of compensation. 
**Article 9.** Where a natural person has evidence to prove that an information processor is committing or will commit any act infringing upon his/her right to privacy or other rights and interests of personality by using a facial recognition technology, and that his/her legitimate rights and interests will be damaged irreparably if such act is not stopped in time, and he/she applies to a People's Court for taking measures to order the information processor to stop the relevant act, the People's Court may, as the case may be, issue an injunction against the infringement upon the personality right in accordance with the law. **Article 10.** Where a property service enterprise or any other building manager uses facial recognition as the only means of authentication for owners or property users to enter or leave the property service area, and an owner or property user who disagrees on such means requests it to provide other reasonable means of authentication, the People's Court shall uphold such request according to law. For a property service enterprise or any other building manager falls under any of the circumstances specified in Article 2 hereof, if a party concerned claims that the property service enterprise or the building manager shall bear tort liability, the People's Court shall uphold such claim according to law. **Article 11.** In the event that an information processor adopts standard terms to enter into a contract with a natural person, requiring the natural person to grant it such rights as unlimited, irrevocable or sub-authorizable authorization to process facial information, if the natural person claims to confirm the invalidity of the standard terms in accordance with Article 497 of the Civil Code, the People's Court shall uphold such claim according to law. 
**Article 12.** Where an information processor, in violation of the agreement, processes facial information of a natural person and the natural person claims that the information processor shall bear the liability for breach of contract, the People's Court shall uphold such claim according to law. If the natural person filing the said claim requests the information processor to delete facial information, the People's Court shall uphold such request according to law; where the information processor defends itself on the ground that both parties fail to make an agreement on the deletion of facial information, the People's Court shall not uphold such defense. **Article 13.** Where disputes arise in relation to the processing of facial information by the same information processor, which infringes upon the personality rights and interests of natural persons, and multiple victims sue separately in the same People's Court, the People's Court may, with the consent of the parties, consolidate the trials of the cases. **Article 14.** Where the processing of facial information by an information processor complies with the relevant provisions of Article 55 of the Civil Procedure Law, Article 47 of the Law on the Protection of Consumers' Rights and Interests or other laws on civil public interest lawsuits, and the authorities and relevant organizations specified by the law institute civil public interest lawsuits, the People's Court shall accept such case. **Article 15.** These Provisions shall apply to the circumstance where, after the death of a natural person, the information processor processes his/her facial information in violation of the provisions of laws or administrative regulations or the agreement between both parties, and the close relative of the deceased requests the information processor to bear civil liability in accordance with Article 994 of the Civil Code. 
**Article 16.** These Provisions shall come into force as of August 1, 2021. These Provisions shall not apply where an information processor's use of facial recognition technology to process facial information, or its processing of facial information generated by facial recognition technology, occurred prior to the effectiveness of these Provisions.

---

## Provisions on Promoting and Regulating Cross-border Data Flows

- Chinese title: 促进和规范数据跨境流动规定
- Hierarchy: rule
- Issuing body: Cyberspace Administration of China (CAC)
- Adopted: 2023-11-28
- Effective: 2024-03-22
- Status: effective
- URL: https://datacompliancechina.com/laws/cross-border-data-flows-provisions/
- Markdown: https://datacompliancechina.com/laws/cross-border-data-flows-provisions.md

### Summary

The 2024 Cross-border Data Flow Provisions are CAC's relaxation package on outbound data transfer. They introduce thresholds and exemptions for the security assessment, standard contract, and certification pathways, plus a free trade zone (FTZ) negative-list mechanism. For overseas counsel, this is the regulation that practically determines whether a routine cross-border transfer needs to clear formal CAC review or not.

### Full text

**Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Decree No. 16 of the Cyberspace Administration of China. **Adopted at the 26th executive meeting in 2023 of the CAC on November 28, 2023.** **Promulgated and effective March 22, 2024.** Zhuang Rongwen, Minister of CAC.
---

**Article 1.** In order to protect data security, protect personal information rights and interests, and promote the orderly and free flow of data in accordance with the law, these Provisions are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other relevant laws and regulations for the implementation of the systems for provision of data abroad, namely security assessment for data to be provided abroad, the standard contract for provision of personal information abroad and personal information protection certification.

**Article 2.** Data handlers shall identify and declare important data in accordance with relevant provisions. If the data have not been notified or publicly announced as important data by the relevant departments or regions, data handlers are not required to declare a security assessment for cross-border provision of the data as important data.

**Article 3.** Where data collected and generated in such activities as international trade, cross-border transport, academic cooperation, transnational manufacturing and marketing, which do not contain personal information or important data, are provided to overseas parties, the provision is exempted from declaring a security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing certification for protection of personal information.
**Article 4.** Where a data handler provides personal information collected and generated abroad to overseas parties after it has been provided to China for processing, and no domestic personal information or important data is introduced in the course of processing, the data handler is exempted from declaring a security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing certification for protection of personal information.

**Article 5.** A data handler providing personal information abroad may be exempted from declaring a security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing certification for protection of personal information if it satisfies any of the following conditions:

1. Where it is really necessary to provide personal information abroad for the purpose of concluding or performing a contract to which the individual concerned is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa handling and examination services;
2. Where it is really necessary to provide employees' personal information abroad for the purpose of conducting cross-border human resources management in accordance with employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law;
3. Where it is really necessary to provide personal information abroad in an emergency to protect the life, health and property safety of a natural person; or
4. Where a data handler other than a critical information infrastructure operator provides abroad the personal information (excluding sensitive personal information) of not more than 100,000 persons accumulatively as of January 1 of the current year.
For the purpose of the preceding paragraph, "personal information provided abroad" does not include important data.

**Article 6.** Under the framework of the national system for classified and hierarchical protection of data, pilot free trade zones may, at their own discretion, formulate lists of data that need to be included in the scope of administration of security assessment for providing data abroad, the standard contract for providing personal information abroad and certification for personal information protection (hereinafter referred to as the "negative list"), which shall be filed with the national cyberspace administration and the national data administration for the record upon approval by the cyberspace administration at the provincial level. Any data handler in a pilot free trade zone providing overseas parties with any data not included in the negative list may be exempted from declaring a security assessment for providing data abroad, concluding a standard contract for providing personal information abroad or passing certification for personal information protection.

**Article 7.** To provide data abroad, a data handler shall declare a security assessment for providing data abroad to the national cyberspace administration through the cyberspace administration at the provincial level at its locality if it satisfies either of the following conditions:

1. Where a critical information infrastructure operator provides personal information or important data abroad; or
2. Where any data handler other than a critical information infrastructure operator provides important data abroad or, as of January 1 of the current year, provides personal information (excluding sensitive personal information) of not less than 1 million people or sensitive personal information of not less than 10,000 people in aggregate to overseas parties.

Where the circumstance falls under the provisions of Article 3, 4, 5 or 6 hereof, such provisions shall apply.
**Article 8.** Where any data handler other than a critical information infrastructure operator provides abroad the personal information (excluding sensitive personal information) of not less than 100,000 but not more than 1 million persons, or the sensitive personal information of not more than 10,000 persons, accumulatively as of January 1 of the current year, it shall conclude a standard contract with the overseas recipients for provision of personal information abroad or pass certification for protection of personal information in accordance with the law. Where the circumstance falls under the provisions of Article 3, 4, 5 or 6 hereof, such provisions shall apply.

**Article 9.** The result of a security assessment for providing data abroad remains valid for three years, commencing from the date of issuance of the assessment result. Where it is necessary to continue providing the data abroad upon expiry of the period of validity and there is no circumstance requiring re-declaration of a security assessment, the data handler may, within 60 working days before the expiry of the period of validity, apply to the national cyberspace administration through the local cyberspace administration at the provincial level for extension of the period of validity of the assessment result. Upon approval by the national cyberspace administration, the period of validity of the assessment result may be extended by three years.

**Article 10.** To provide personal information abroad, a data handler shall, in accordance with laws and administrative regulations, perform obligations such as notification, obtaining individual consent and conducting a personal information protection impact assessment.

**Article 11.** Any data handler providing data abroad shall abide by the provisions of laws and regulations, perform data security protection obligations, and take technical and other necessary measures to ensure the security of the data to be provided abroad.
If a data security incident occurs or may occur, the data handler shall take remedial measures and report to the cyberspace administration at the provincial level or above and other competent authorities in a timely manner.

**Article 12.** Local cyberspace administrations shall strengthen guidance and supervision over the cross-border provision of data by data handlers, improve the security assessment system for data to be provided abroad, and optimize the assessment process; they shall also strengthen whole-chain and full-range regulation before, during and after the event, and require the data handler to make rectifications and eliminate hidden dangers if it is found that there are relatively high risks in the data to be provided abroad or that a data security incident has occurred; and the data handler shall be investigated for legal liability according to the law if it refuses to make rectifications or the incident has caused serious consequences.

**Article 13.** In case of any discrepancy between these Provisions and relevant provisions such as the Security Assessment Measures for Data Provision Abroad (Decree No. 11 of the Cyberspace Administration of China) promulgated on July 7, 2022 and the Measures on Standard Contracts for Cross-border Provision of Personal Information (Decree No. 13 of the Cyberspace Administration of China) promulgated on February 22, 2023, these Provisions shall prevail.

**Article 14.** These Provisions shall come into force as of the date of promulgation.
---

## Regulation on Network Data Security Management

- Chinese title: 网络数据安全管理条例
- Hierarchy: regulation
- Issuing body: State Council
- Adopted: 2024-08-30
- Effective: 2025-01-01
- Status: effective
- URL: https://datacompliancechina.com/laws/network-data-security-regulations/
- Markdown: https://datacompliancechina.com/laws/network-data-security-regulations.md

### Summary

The Network Data Security Management Regulation is the State Council's overarching implementing regulation for the three foundational data-protection statutes (CSL, DSL, PIPL). It consolidates network-data security obligations, important-data identification and classification, cross-border transfer rules, security-incident reporting, and operator obligations for large data handlers and internet platforms. Promulgated as State Council Decree No. 790.

### Full text

**Promulgated by:** State Council. **Document No.:** Decree No. 790 of the State Council. **Adopted at the 40th executive meeting of the State Council on August 30, 2024.** **Promulgated September 24, 2024. Effective January 1, 2025.** Premier Li Qiang.

---

## Chapter I General Provisions

**Article 1.** In order to regulate network data handling activities, ensure the security of network data, promote the reasonable and effective use of network data in accordance with the law, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and public interests, this Regulation is enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Personal Information and other relevant laws.

**Article 2.** This Regulation applies to network data handling activities and the supervision and administration of the security thereof carried out within the territory of the People's Republic of China.
This Regulation also applies to activities outside the territory of the People's Republic of China to handle the personal information of natural persons within the territory of the People's Republic of China, where such activities fall under the circumstances prescribed in the second paragraph of Article 3 of the Law of the People's Republic of China on the Protection of Personal Information.

Any network data handling activities outside the territory of the People's Republic of China that damage the national security, public interests or the legitimate rights and interests of citizens and organizations of the People's Republic of China shall be investigated for legal liability in accordance with the law.

**Article 3.** Network data security management shall be carried out by adhering to the leadership of the Communist Party of China, implementing the overall concept of national security, and promoting the development and utilization of network data and ensuring the security of network data on an overall basis.

**Article 4.** The State encourages the innovative application of network data in various industries and fields, strengthens the development of the capacity for protection of network data security, supports the innovation of technologies, products and services relating to network data, carries out publicity, education and talent training for network data security, and promotes the development and utilization of network data and industrial development.

**Article 5.** The State protects network data by category and by grade, according to the importance of the network data in economic and social development, as well as the extent of the damage caused to national security, public interests or the legitimate rights and interests of individuals and organizations once the network data are tampered with, destroyed, divulged, illegally acquired or illegally utilized.
**Article 6.** The State actively participates in the development of international rules and standards relating to network data security to promote international exchange and cooperation.

**Article 7.** The State supports relevant industry organizations in developing codes of conduct for network data security pursuant to their articles of association, strengthening industry self-regulation, guiding their members to strengthen network data security protection, improving the level of network data security protection and promoting the healthy development of the industry.

## Chapter II General Rules

**Article 8.** No individual or organization may use network data to engage in any illegal activities or engage in any illegal network data handling activities such as stealing or acquiring network data by other illegal means, or illegally selling or illegally providing network data to others.

No individual or organization may provide any program or tool specially used for the illegal activities mentioned in the preceding paragraph; any individual or organization who is fully aware that a person engages in the illegal activities mentioned in the preceding paragraph shall not provide that person with Internet access, server hosting, network storage, communication transmission or other technical support, or with advertising and promotion, payment and settlement or other assistance.
**Article 9.** Network data handlers shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, and on the basis of the multi-level protection scheme for cybersecurity, strengthen the protection of network data security, establish and perfect a network data security management system, and take technical measures such as encryption, backup, access control and security authentication as well as other necessary measures to protect network data from being falsified, destroyed, divulged or illegally acquired or used, dispose of network data security incidents, prevent illegal and criminal activities aimed at and using network data, and assume primary responsibility for the security of the network data they handle.

**Article 10.** Network products and services provided by a network data handler shall comply with the compulsory requirements of the relevant national standards; where any risk such as a security defect or vulnerability is discovered in a network product or service, the network data handler shall take remedial measures forthwith, notify users in a timely manner and report the same to the relevant competent authority in accordance with the provisions; where there is harm to national security or public interests, the network data handler shall also report the same to the relevant competent authority within 24 hours.

**Article 11.** Network data handlers shall establish and perfect their emergency response plans for network data security incidents. In the case of a network data security incident, the network data handler shall activate its emergency response plan forthwith, take measures to prevent the expansion of the harm and to eliminate the potential security hazard, and report the same to the competent authority as required.
Where a network data security incident causes harm to the legitimate rights and interests of individuals or organizations, the network data handler shall promptly notify the interested parties of the security incident, risks, harmful consequences, remedial measures taken and so on by means of telephone calls, text messages, instant messaging tools, e-mails, announcements or otherwise; where laws and administrative regulations provide that such notification may not be made, such provisions shall prevail. When finding any clue of a suspected crime during its handling of a network data security incident, the network data handler shall report the case to the public security organ or State security organ as required and cooperate in the detection, investigation and handling of the case.

**Article 12.** When providing other network data handlers with personal information and important data, or entrusting other network data handlers to process personal information and important data, a network data handler shall, by contract or otherwise, agree with the network data recipient on the processing purpose, method and scope as well as the security protection obligations of the network data recipient, and supervise the network data recipient's performance of such obligations. Records of the personal information and important data provided to other network data handlers, or of the processing of such personal information and important data upon entrustment, shall be kept for at least three years.

The network data recipient shall perform its obligations of network data security protection, and process personal information and important data according to the agreed purpose, method and scope.

Where two or more network data handlers jointly decide on the purpose and method of the handling of personal information and important data, they shall agree upon their respective rights and obligations.
**Article 13.** Where network data handlers carry out network data processing activities that affect or may affect national security, they shall undergo a national security review in accordance with the relevant national regulations.

**Article 14.** Where a network data handler needs to transfer network data due to merger, demerger, dissolution or bankruptcy, the network data recipient shall continue to perform its network data security protection obligations.

**Article 15.** A State organ that entrusts others to build, operate and maintain its e-government system, or to store and handle government data, shall go through strict approval procedures in accordance with the relevant provisions of the State, specify the entrusted party's authority for processing network data and its protection responsibilities, among others, and supervise the entrusted party's performance of network data security protection obligations.

**Article 16.** A network data handler that provides services for State organs or critical information infrastructure operators, or participates in the construction, operation and maintenance of other public infrastructure or public service systems, shall perform its obligation of network data security protection and provide secure, stable and continuous services in accordance with the provisions of laws and regulations and contractual stipulations.

Without the consent of the entrusting party, the network data handler referred to in the preceding paragraph shall not access, obtain, retain, use, divulge or provide others with network data, nor shall it conduct association analysis of network data.

**Article 17.** An information system providing services to State organs shall strengthen network data security management to ensure network data security, applying the management requirements for e-government systems mutatis mutandis.
**Article 18.** When accessing and collecting network data by using automated tools, network data handlers shall assess the impact of such access on network services and shall not illegally intrude into others' networks or interfere with the normal operation of network services.

**Article 19.** A network data handler providing generative artificial intelligence services shall strengthen its security management of training data and training data handling activities and take effective measures to prevent and dispose of network data security risks.

**Article 20.** A network data handler providing products and services to the public shall subject itself to social supervision, establish a convenient channel for complaints and reports about network data security, make public the ways to complain and report and other information, and promptly accept and handle complaints and reports about network data security.

## Chapter III Protection of Personal Information

**Article 21.** Where, prior to handling personal information, a network data handler informs individuals according to the law by formulating rules for handling personal information, such rules shall be publicly displayed in a centralized manner, easily accessible and placed in an eye-catching position, and their content shall be definite, specific, clear and understandable, including but not limited to the following:

(1) the title or name and contact information of the network data handler;

(2) the purpose, method and type of handling of personal information, as well as the necessity of handling sensitive personal information and the impact of the handling on individuals' rights and interests;

(3) the retention period of personal information and the method for handling such information upon expiration; if it is difficult to determine the retention period, the method for determining the retention period shall be specified; and

(4) the methods and channels for individuals to access, reproduce, transfer, correct, supplement, delete and restrict the handling of personal information, to deregister accounts and to withdraw their consent.

When informing individuals, in accordance with the preceding paragraph, of the purpose, method and type of personal information to be collected and provided to other network data handlers, as well as the information of the network data recipient, the network data handler shall state such information in the form of a checklist, among others.

Where handling the personal information of minors under the age of 14, the network data handler shall also develop special rules for handling personal information.

**Article 22.** Where the handling of an individual's personal information is subject to the individual's consent, the network data handler shall comply with the following provisions:

(1) Where the collection of personal information is necessary for the provision of products or services to the individual, it shall not collect personal information beyond that scope and shall not obtain the individual's consent by means of misleading, fraud or coercion, etc.

(2) It shall obtain the individual's separate consent if the individual's sensitive personal information, such as biometric information, religious belief, specific identity, medical health information, financial accounts and whereabouts, is handled.

(3) It shall obtain the consent of the individual's parents or other guardians if the personal information of an individual under the age of 14 is handled.
(4) It shall not handle personal information beyond the purpose, method, type and storage period agreed to by the individual for the handling of his/her personal information;

(5) It shall not repeatedly ask for consent after the individual has explicitly expressed disagreement with the handling of his/her personal information; and

(6) It shall obtain the individual's consent again if the purpose, method or type of handling of the individual's personal information changes.

Where laws and administrative regulations provide that the handling of sensitive personal information is subject to written consent, such provisions shall prevail.

**Article 23.** Where an individual requests to access, copy, correct, supplement, delete or restrict the handling of his/her personal information, or where an individual deregisters his/her account or withdraws his/her consent, the network data handler shall accept the request in a timely manner and provide convenient methods and channels to support the individual in exercising his/her rights, and shall not set up unreasonable conditions to restrict the individual's reasonable request.

**Article 24.** Where the collection of unnecessary personal information, or of personal information for which the individual's consent has not been obtained according to law, cannot be avoided when using automatic collection technology, or where an individual deregisters his/her account, the network data handler shall delete or anonymize the personal information. Where the storage period prescribed by laws and administrative regulations has not expired, or it is technically difficult to delete or anonymize the personal information, the network data handler shall cease all handling other than storing such information and taking necessary security protection measures.
**Article 25.** For an individual's request for transfer of personal information that meets the following conditions, the network data handler shall provide channels for the network data handler designated by the individual to access or obtain the relevant personal information:

(1) where the true identity of the person making the request can be verified;

(2) where the personal information requested for transfer is personal information that the individual has agreed to provide or that has been collected on the basis of a contract;

(3) where the transfer of personal information is technically feasible; and

(4) where the transfer of personal information does not damage the legitimate rights and interests of others.

If the number of requests for transfer of personal information significantly exceeds a reasonable range, the network data handler may charge necessary fees based on the costs of transferring the personal information.

**Article 26.** Where an overseas network data handler that handles the personal information of domestic natural persons establishes a special agency or designates a representative within the territory of the People's Republic of China in accordance with Article 53 of the Law of the People's Republic of China on the Protection of Personal Information, it shall submit such information as the name and contact information of the agency or representative to the local cyberspace administration of the city divided into districts, and the local cyberspace administration shall promptly notify the competent authority at the same level.

**Article 27.** A network data handler shall periodically conduct compliance audits, either on its own or by commissioning a specialized agency, of its handling of personal information for compliance with laws and administrative regulations.
**Article 28.** A network data handler handling the personal information of more than 10 million individuals shall also comply with the provisions governing network data handlers handling important data (hereinafter referred to as "handlers of important data") as specified in Articles 30 and 32 hereof.

## Chapter IV Security of Important Data

**Article 29.** The national data security work coordination mechanism arranges and coordinates the relevant departments in formulating catalogs of important data and strengthens the protection of important data. All regions and departments shall, under the system for data classification and hierarchical protection, determine the specific catalogs of important data of their respective regions, departments and related industries and fields, and focus on the protection of network data included in the catalogs.

Network data handlers shall identify and declare important data in accordance with the relevant provisions of the State. For data confirmed as important data, the relevant region and department shall promptly notify the network data handlers or publicly announce the same. Network data handlers shall perform their responsibility of network data security protection.

The State encourages network data handlers to use technologies and products such as data labels and identifiers to improve important data security management.

**Article 30.** Handlers of important data shall specify the person in charge of network data security and the management body for network data security.
The management body for network data security shall perform the following responsibilities of network data security protection:

(1) formulating and implementing network data security management systems and operating procedures as well as emergency response plans for network data security incidents;

(2) organizing activities such as network data security risk monitoring, risk assessment, emergency drills, publicity, education and training on a regular basis, and promptly disposing of network data security risks and incidents; and

(3) accepting and handling complaints and reports about network data security.

The person in charge of network data security shall have professional knowledge of network data security and relevant management experience and shall be a member of the management team of the network data handler, with the right to report the state of network data security directly to the relevant competent authority.

Network data handlers that control important data of a specific type and scale specified by the relevant competent authority shall conduct security background reviews of the person in charge of network data security and of personnel in key positions, and strengthen the training of the relevant personnel. When conducting such reviews, they may apply for assistance from the public security authorities and State security authorities.

**Article 31.** Handlers of important data shall conduct a risk assessment prior to providing, entrusting others to handle or jointly handling important data, except where this is done in the performance of statutory duties or obligations.
The risk assessment shall focus on assessing the following aspects:

(1) whether the provision, entrusted handling and joint handling of network data, as well as the purpose, method and scope of handling of network data by network data recipients, are legal, proper and necessary;

(2) the risk that the network data provided, entrusted for handling or jointly handled may be tampered with, destroyed, divulged, illegally obtained or illegally used, and the risk to national security, public interests, or the legitimate rights and interests of individuals and organizations;

(3) the integrity and compliance of network data recipients;

(4) whether the network data security requirements set forth in the relevant contract concluded or to be concluded with a network data recipient can effectively bind the network data recipient to perform its obligations for network data security protection;

(5) whether the technical and management measures taken or to be taken can effectively prevent the risks that network data may be tampered with, destroyed, divulged, illegally obtained or illegally used; and

(6) other assessment contents specified by the relevant competent authority.

**Article 32.** Where the security of important data may be affected due to the merger, demerger, dissolution or bankruptcy of a handler of important data, the handler of important data shall take measures to ensure the security of the network data, and report its important data disposal plan and the title or name and contact information of the recipient to the competent authority at or above the provincial level; if the competent authority is not specified, the handler of important data shall report to the coordination mechanism for data security at or above the provincial level.
**Article 33.** Handlers of important data shall conduct risk assessment of their network data handling activities on an annual basis and submit risk assessment reports to the competent authorities at or above the provincial level, which shall in turn promptly notify the cyberspace administration and the public security organ at the same level.

The risk assessment report shall include the following aspects: (1) basic information of the network data handler, information of the management body for network data security, and the name and contact information of the person in charge of network data security; (2) the purpose, type, quantity, method, scope, storage period and storage location etc. of the important data handled as well as the information on network data handling activities carried out, excluding the contents of network data themselves; (3) management systems for network data security and the implementation thereof, technical measures such as encryption, backup, label identification, access control, security authentication and other necessary measures and the effectiveness thereof; (4) network data security risks discovered, network data security incidents that have occurred and the handling thereof; (5) risk assessment of the provision, entrusted handling and joint handling of important data; (6) cross-border transmission of network data; and (7) other information to be reported as specified by the competent authority.

The risk assessment report submitted by the service provider of a large network platform that handles important data shall include, in addition to the information specified in the preceding paragraph, an adequate description of the network data security of key businesses and supply chains.
For a handler of important data whose important data handling activities might endanger the national security, the competent authority at or above the provincial level shall order it to take measures such as making rectifications or ceasing the handling of important data. The handler of important data shall take measures forthwith as required.

## Chapter V Cross-border Security Management of Network Data

**Article 34.** The state cyberspace administration shall make overall planning and coordinate with the relevant authorities to establish a special work mechanism of national data cross-border security management, develop upon study relevant policies for national network data cross-border security management, and coordinate the handling of major matters relating to network data cross-border security.

**Article 35.** A network data handler may transmit personal information abroad if it meets any of the following conditions: (1) having passed the security assessment for data cross-border transmission organized by the state cyberspace administration; (2) having been certified by a specialized agency in respect of the protection of personal information in accordance with the provisions of the state cyberspace administration; (3) meeting the provisions on standard contract for cross-border transmission of personal information as developed by the state cyberspace administration; (4) necessary to provide personal information abroad in order to conclude or perform a contract to which it is a party; (5) necessary to provide personal information of employees abroad under the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law; (6) necessary to provide personal information abroad in order to perform statutory duties or obligations; (7) necessary to provide personal information abroad in order to protect the life, health and property security of natural persons in an emergency; and (8) other conditions provided for in laws, administrative regulations or by the state cyberspace administration.

**Article 36.** Where the international treaties or agreements concluded or acceded to by the People's Republic of China have provisions on conditions for provision of personal information outside the territory of the People's Republic of China, among others, such provisions may prevail.

**Article 37.** Where it is necessary to provide important data generated or collected by a network data handler during its operation within the territory of the People's Republic of China to overseas parties, such provision shall pass the security assessment for data cross-border transmission organized by the state cyberspace administration. If a network data handler identifies and declares important data according to relevant provisions of the State, which have not been notified by the relevant region or department or have not been announced to the public as important data, no security assessment is required for cross-border transmission of such data as important data.

**Article 38.** After passing the security assessment for data cross-border transmission, the provision of personal information and important data abroad by the network data handler shall not go beyond the purpose, method, scope, type and scale etc. of the data to be transmitted abroad as specified at the time of the assessment.

**Article 39.** The State takes measures to prevent and deal with cross-border security risks and threats to network data. No individual or organization may provide programs or tools etc. specially designed to destroy or avoid technical measures and shall not provide a person with technical support or assistance if he/it is fully aware of such activities as destroying or avoiding technical measures committed by the person.
## Chapter VI Obligations of Network Platform Service Providers

**Article 40.** Network platform service providers shall specify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules, contracts or otherwise, and urge third-party product and service providers to strengthen network data security management.

The provisions of the preceding paragraph apply to the manufacturers of equipment such as smart terminals pre-installed with applications.

Where a third-party product or service provider carries out network data handling activities in violation of laws, administrative regulations, platform rules or contracts, causing damage to users, the network platform service provider, the third-party product or service provider, the manufacturer of equipment such as smart terminals pre-installed with applications shall assume corresponding liability in accordance with the law.

The State encourages insurance companies to develop liability insurance products for damage caused to network data and encourages network platform service providers and manufacturers of equipment such as smart terminals pre-installed with applications to take out insurance.

**Article 41.** Network platform service providers providing application distribution service shall establish application verification rules and carry out relevant verification of network data security. Where it is found that the applications to be distributed or distributed do not comply with the provisions of laws, administrative regulations or the mandatory requirements of national standards, measures such as warning, no distribution, suspension or termination of distribution shall be taken.
**Article 42.** Network platform service providers pushing information to individuals in an automatic decision-making manner shall set up a personalized recommendation closing option that is easy to understand, access and operate, and provide users with such functions as refusing to receive pushed information and deleting user tags targeted at their personal characteristics.

**Article 43.** The State promotes the development of public services for network identity authentication and popularizes and applies such services under the principles of government guidance and user voluntariness. Network platform service providers are encouraged to support users in using the national network identity authentication public services for registration and verification of their identity information.

**Article 44.** Large network platform service providers shall release annual social responsibility reports on personal information protection, and the contents of such reports shall include but not be limited to the measures for personal information protection and the effects thereof, the acceptance of applications for the exercise of rights by individuals, and the performance of duties by the supervision body for personal information protection which is mainly composed of external members.

**Article 45.** Where the service provider of a large network platform provides cross-border network data, it shall comply with the administrative requirements of the State on cross-border data security management and improve the relevant technical and administrative measures to prevent cross-border security risks of network data.
**Article 46.** The service provider of a large network platform shall not engage in the following activities by using network data, algorithms and platform rules: (1) handling network data generated by users on the platform by misleading, fraud, coercion or other means; (2) restricting users' access to or use of network data generated on the platform without justified reasons; (3) giving unreasonable differential treatment to users, which damages the legitimate rights and interests of users; and (4) other activities prohibited by laws and administrative regulations.

## Chapter VII Supervision and Administration

**Article 47.** The state cyberspace administration is responsible for the overall planning and coordination of network data security and relevant supervision and administration. Public security authorities and national security authorities shall, pursuant to the provisions of relevant laws, administrative regulations and this Regulation, assume the responsibility for supervising and administering network data security ex officio, and prevent and crack down on illegal and criminal activities which endanger network data security in accordance with the law. The national data management body shall perform corresponding responsibilities for network data security in its specific work of data management. Local regions and their departments shall be responsible for the network data collected and generated during their work and for the network data security.
**Article 48.** All competent authorities concerned shall assume the responsibility for supervising and administering the network data security of their respective industries and fields, designate the agencies responsible for the protection of network data security of their respective industries and fields, develop and organize the implementation of emergency response plans for network data security incidents in their respective industries and fields on an overall basis, regularly organize the assessment of network data security risks of their respective industries and fields, supervise and inspect the performance by network data handlers of their obligations of protecting network data security, and guide and urge network data handlers to promptly rectify existing potential risks. **Article 49.** The state cyberspace administration shall coordinate with the competent authorities concerned to promptly summarize, study and determine, share and release information relating to network data security risks, and strengthen the sharing of network data security information, the monitoring and early warning of network data security risks and threats, and the emergency response to network data security incidents. **Article 50.** The competent authorities concerned may take the following measures to supervise and inspect network data security: (1) requiring a network data handler and its relevant personnel to explain the items under supervision and inspection; (2) consulting and copying documents and records relating to network data security; (3) inspecting the operation of network data security measures; (4) inspecting the equipment and articles relating to network data handling activities; and (5) taking other necessary measures as prescribed by laws and administrative regulations. The network data handler shall cooperate in the supervision and inspection of network data security conducted by competent authorities in accordance with the law. 
**Article 51.** When carrying out the supervision and inspection of network data security, the competent authorities concerned shall be objective and fair, and shall not charge any fees from the entity under inspection. During the supervision and inspection of network data security, the competent authorities concerned shall not access or collect business information that is not related to network data security, and the information obtained may only be used as necessary for the purpose of maintaining network data security and should not be used for any other purpose. Where finding that there are relatively high security risks in the network data handling activities of a network data handler, the competent authorities concerned may, according to its prescribed authority and procedures, require the network data handler to suspend relevant services, modify platform rules, and improve technical measures to eliminate potential security risks of network data. **Article 52.** When carrying out supervision and inspection of network data security, the competent authorities concerned shall strengthen coordination and cooperation with each other and information communication, and reasonably determine the frequency and methods of inspection, so as to avoid unnecessary inspection and cross and repeated inspection. The compliance audit in respect of personal information protection, risk assessment for important data, security assessment for cross-border transfer of important data and so on shall be connected more closely to avoid repeated assessment and audit. Where the contents of risk assessment and cybersecurity grade assessment for important data overlap, the relevant results can be mutually admissible. 
**Article 53.** The competent authorities concerned and their staff members shall keep confidential, in accordance with the law, the network data such as personal privacy, personal information, trade secrets and confidential business information that they have accessed in the performance of their responsibility, and shall not disclose or illegally provide the same to others.

**Article 54.** The state cyberspace administration may, in concert with the competent authorities concerned, take corresponding necessary measures in accordance with the law against any overseas organization or individual who engages in network data handling activities that endanger the national security or public interests of the People's Republic of China or infringe upon the personal information rights and interests of the citizens of the People's Republic of China.

## Chapter VIII Legal Liability

**Article 55.** For violation of Article 12, Articles 16-20, Article 22, Paragraphs 1 and 2 of Article 40, Article 41 and Article 42 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, and confiscate the illegal income of the violator. In case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not more than 1 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan.

**Article 56.** For violation of Article 13 hereof, the competent authorities in charge of cyberspace, telecommunications, public security, national security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 100,000 yuan but not more than 1 million yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not less than 1 million yuan but not more than 10 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan.

**Article 57.** For violation of Paragraph 2 of Article 29, Paragraphs 2 and 3 of Article 30, Article 31 and Article 32 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 50,000 yuan but not more than 500,000 yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious consequences such as massive data leakage are caused, the violator shall be subject to a fine of not less than 500,000 yuan but not more than 2 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 50,000 yuan but not more than 200,000 yuan.
**Article 58.** For violation of other relevant provisions hereof, the violator shall be prosecuted for legal liability by the competent authority concerned in accordance with the Cybersecurity Law of the People's Republic of China, Data Security Law of the People's Republic of China, Law of the People's Republic of China on the Protection of Personal Information and other applicable laws.

**Article 59.** A network data handler who voluntarily eliminates or mitigates the harmful consequences of its illegal acts, commits minor illegal acts and makes rectification in a timely manner without causing harmful consequences, or commits illegal acts for the first time with minor harmful consequences and makes rectification in a timely manner, shall be subject to a lighter or mitigated administrative penalty or be exempted from administrative penalty in accordance with the Law of the People's Republic of China on Administrative Penalties.

**Article 60.** For a state agency that fails to perform its obligations of network data security protection set forth herein, its superior authority or the competent authority concerned shall order it to make rectification and impose disciplinary actions on the person directly in charge and other directly liable persons in accordance with the law.

**Article 61.** Whoever violates this Regulation, with damage to others caused, shall be subject to the civil liability pursuant to the law; if the violation of public security administration is constituted, a penalty for public security administration shall be imposed pursuant to the law; and if a crime is constituted, criminal liability shall be investigated pursuant to the law.

## Chapter IX Supplementary Provisions

**Article 62.** The following terms as used herein shall have the following meanings: (1) "Network data" refers to various electronic data handled and generated through networks.
(2) "Network data handling activities" refer to the collection, storage, use, processing, transmission, provision, disclosure and deletion of network data. (3) "Network data handler" refers to an individual or organization that independently determines the handling purpose and handling method in network data handling activities. (4) "Important data" refers to the data in a specific field, group or region or with a certain precision and scale, which, once tampered with, destroyed, divulged, illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, public health and security. (5) "Entrusted handling" refers to the network data handling activities carried out by any individual or organization entrusted by a network data handler according to the agreed purpose and method. (6) "Joint handling" refers to the network data handling activities in which two or more network data handlers jointly determine the handling purpose and handling method for network data. (7) "Separate consent" refers to that an individual specifically gives specific and clear consent with respect to a specific handling of his/her personal information. (8) "Large network platform" refers to a network platform with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data handling activities having a significant impact on national security, economic operation, national welfare and people's livelihood, etc. **Article 63.** The network data handling activities in respect of core data shall be carried out in accordance with the relevant regulations of the State. This Regulation does not apply to the handling of personal information by natural persons due to personal or family affairs. 
The provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply to the network data handling activities involving state secrets or work secrets.

**Article 64.** This Regulation shall come into force on January 1, 2025.

---

## Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition)

- Chinese title: 个人信息出境标准合同备案指南(第一版)
- Hierarchy: rule
- Issuing body: Cyberspace Administration of China (CAC)
- Adopted: 2023-05-30
- Effective: 2023-05-30
- Status: effective
- URL: https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide/
- Markdown: https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide.md

### Summary

CAC's procedural guide accompanying the SCC Measures. Specifies the filing materials required, where to file (provincial CAC), online filing system mechanics, materials acceptance and review timeline, and standardized templates for the power of attorney, the letter of commitment, the Standard Contract itself, and the Personal Information Protection Impact Assessment Report. Read together with the SCC Measures for the operational filing path.

### Full text

**Promulgated by:** Cyberspace Administration of China (CAC). **Issued by CAC on May 30, 2023. Effective the same day.**

---

**I.** Scope of Application

Where a personal information handler provides personal information abroad by concluding a standard contract, all of the following circumstances shall be met concurrently: (I) It shall not be a critical information infrastructure operator; (II) The number of people whose personal information is processed by it shall be less than one million; (III) The number of people whose personal information has been provided abroad accumulatively shall be less than 100,000 since January 1 of the previous year; and (IV) The number of people whose sensitive personal information has been provided abroad accumulatively shall be less than 10,000 since January 1 of the previous year.

Where laws, administrative regulations or the Cyberspace Administration of China ("CAC") stipulates otherwise, such provisions shall prevail. Personal information handlers shall not take such means as quantity splitting to provide overseas personal information that should pass exit security assessment according to law by entering into a Standard Contract.

The following circumstances are deemed as acts of outbound transfer of personal information: (I) where a personal information handler transfers or stores abroad the personal information collected and generated in its domestic operation; (II) where the personal information collected and generated by a personal information handler is stored domestically but can be inquired, retrieved, downloaded and exported by overseas institutions, organizations or individuals; and (III) other acts of outbound transfer of personal information as prescribed by the CAC.

**II.** Methods of Filing

A personal information handler shall, within ten working days from the effective date of a Standard Contract, file the Standard Contract with the local provincial cyberspace administration for the record by serving written materials attached with the electronic version thereof.
**III.** Filing Process

The filing process for a Standard Contract includes such steps as material submission, inspection and verification of materials, feedback on filing results, supplementation or re-filing, etc.

(I) Submission of Materials

To file a Standard Contract, a personal information handler shall submit the following materials (see Appendix I for requirements):

1. photocopy of the unified social credit code certificate;
2. photocopy of the identity document of the legal representative;
3. photocopy of the identity document of the handling person;
4. power of attorney to the handling person (see Appendix II for the template);
5. letter of commitment (see Appendix III for the template);
6. Standard Contract (see Appendix IV for the template); and
7. Personal Information Protection Impact Assessment Report (see Appendix V for the template).

(II) Check of Materials and Feedback on Filing Results

The provincial cyberspace administration shall, within 15 working days upon receipt of the materials, complete the check of the materials and notify the personal information handler of the filing results. The filing results are divided into Passed and Failure. The provincial cyberspace administration will issue a filing number to the personal information handler if the filing is passed, otherwise, the personal information handler will receive a notice on unsuccessful filing and the reasons therefor. Where a personal information handler is required to supplement and perfect materials, the personal information handler shall supplement and perfect the materials and submit them again within ten working days.

(III) Supplementation or Re-filing

Within the validity period of the Standard Contract, the personal information handler shall re-conduct an impact assessment of personal information protection, supplement or enter into a Standard Contract anew and perform relevant filing formalities under any of the following circumstances:

1. where the purpose, scope, category, sensitivity, method and storage location of provision of personal information overseas or the overseas recipient's purpose or method to process personal information has changed, or the overseas storage period of personal information is to be extended;
2. where the rights and interests of personal information may be affected by changes in the policies and regulations on personal information protection of the country or region where the overseas recipient is located; or
3. any other circumstance that may affect the rights and interests of personal information.

To conclude a supplemental Standard Contract within the term of the Standard Contract, the personal information handler shall submit supplementary materials to the local provincial cyberspace administration; a Standard Contract re-concluded shall be filed anew. The time limit for the check of the supplemented or re-filed materials is 15 working days.

The personal information handler shall be responsible for the authenticity of the materials submitted by it. In case of false materials submitted, the filing shall be deemed as failure and the corresponding legal liability will be investigated in accordance with the law.

**IV.** Contact Details for Consultation and Whistleblowing

E-mail: bzht@cac.gov.cn
Tel.: 010-55627565

Appendices:

1. Requirements for Filing Materials for a Standard Contract for Outbound Transfer of Personal Information
2. Power of Attorney for a Handler (Template)
3. Letter of Commitment (Template)
4. Standard Contract for Outbound Transfer of Personal Information (Template)
5. Personal Information Protection Impact Assessment Report (Template)

---

## Explanation of Common Terms in the Field of Data (First Batch)

- Chinese title: 数据领域常用名词解释(第一批)
- Abbreviation: Data Terms Batch 1
- Hierarchy: rule
- Issuing body: National Data Administration
- Adopted: 2024-12-30
- Effective: 2024-12-30
- Status: effective
- URL: https://datacompliancechina.com/laws/common-data-terms-batch-1/
- Markdown: https://datacompliancechina.com/laws/common-data-terms-batch-1.md

### Summary

The first installment of official terminology explanations issued by the National Data Administration. Establishes authoritative Chinese government definitions for 40 foundational data-field concepts including data, primary data, data resources, data elements, data products and services, data assets, data handling, data handler, commissioned data handler, data circulation, data transaction, data governance, data security, public data, digital industrialization, industrial digitalization, metadata, structured/semi-structured/unstructured data, privacy-protective computation (secure multi-party computing, federated learning, trusted execution environment, cryptographic computing), and blockchain.

### Full text

**Promulgated by:** National Data Administration. Issued by the National Data Administration on December 30, 2024 by the Drafting Expert Team for Explanation of Terms in the Field of Data. Effective December 30, 2024.

---

> *Editor's Note — DCC.* The National Data Administration (国家数据局) released this first batch of standardized term explanations on December 30, 2024 as part of building consensus on data-field vocabulary. The 40 terms below establish official Chinese government definitions for foundational data-economy concepts. We have preserved the official bilingual translation as-is; minor stylistic spacing in the source ("Semi- structured", "Non- structured") has been corrected.
## Background In order to promote the building of consensus, with the strong support of all walks of life, we have carefully studied and developed the *Explanation of Common Terms in the Field of Data (First Batch)*. We will subsequently make iterative improvement in light of practice and development needs and welcome the continuous attention of the community. — Drafting Expert Team for Explanation of Terms in the Field of Data, December 30, 2024 ## Annex: Explanation of Common Terms in the Field of Data (First Batch) **1. 数据.** "Data" refer to any recording of information in an electronic or other form. Data are referred to as primary data, derived data, data resources, data products and services, data assets, data elements, etc., under different perspectives. **2. 原始数据.** "Primary data" refer to the data that are first generated or collected at the source and have not been processed. **3. 数据资源.** "Data resources", a general term for data with potential for value creation, usually refer to a collection of data recorded and saved in electronic form, readable by machine, and available for social reuse. **4. 数据要素.** "Data elements" refer to the data resources that are invested into production and business activities and participate in value creation. **5. 数据产品和服务.** "Data products and services" refer to the data processing products and data services that are formed on the basis of data processing and can meet specific needs. **6. 数据资产.** "Data assets" refer to the data resources that are legally owned or controlled by specific subjects, can be measured in monetary terms, and can bring about economic benefits or social benefits. **7. 数据要素市场化配置.** "Market-oriented allocation of data elements" refers to the allocation of data as a new type of production element under the market mechanism, in order to establish a more open, safe and efficient data circulation environment and continuously release the value of data elements. **8. 
数据处理.** "Data handling" includes the collection, storage, use, processing, transmission, provision and publication of data.

**9. 数据处理者.** "Data handler" refers to an individual or organization that independently determines the purpose and method of handling in the data handling activities.

**10. 受托数据处理者.** "Commissioned data handler" refers to an individual or organization that receives a commission from others to handle data.

**11. 数据流通.** "Data circulation" refers to the process of the flow of data between different subjects, including data opening, sharing, transaction, exchange, etc.

**12. 数据交易.** "Data transaction" refers to a transaction between a supplier and a demander in respect of data, in which data in a specific form is taken as subject matter and currency or other equivalent is taken as consideration.

**13. 数据治理.** "Data governance" refers to the process of improving the quality, security and compliance of data and promoting the effective use of data, including organizational data governance, industry data governance, social data governance, etc.

**14. 数据安全.** "Data security" refers to ensuring that data are in a state of effective protection and lawful use by taking necessary measures, as well as having the ability to maintain a continuous state of security.

**15. 公共数据.** "Public data" refer to the data generated in the process of legally performing their duties or providing public services by the Party and government organs at all levels, enterprises and public institutions.

**16. 数字产业化.** "Digital industrialization" refers to the process of transforming digital technologies, such as mobile communication and artificial intelligence, into digital products and services and the transformation of data into resources and elements to form new digital industries, new business forms and new models.

**17.
产业数字化.** "Industrial digitalization" refers to the process in which traditional agriculture, industry, service industry and other industries apply digital technologies, collect and integrate data and mine the value of data resources to improve the efficiency of business operation, reduce the costs of production and operation, reconstruct the thinking and cognition, completely rebuild the mode of organization and management, systematically reform the process of production and operation, and constantly improve the total factor productivity.

**18. 数字经济高质量发展.** "The high-quality development of the digital economy" refers to the new stage of the development of the digital economy, in which the reform of market-oriented allocation of data elements is the main line and the goal of making the digital economy stronger, better and larger by improving the basic data system and digital infrastructure in a coordinated manner, comprehensively promoting the deep integration of digital technologies and real economy, and continuously improving the governance capacity and level of international cooperation of the digital economy, is achieved.

**19. 数字消费.** "Digital consumption" refers to the consumption activities and consumption patterns that are formed with digital technologies and application support, which include not only the consumption of digital intelligence technologies, products and services, but also the digitalization and intelligence of consumption contents, channels and environment, and the new consumption pattern with deep integration of online and offline.

**20.
产业互联网.** "Industrial Internet" refers to the process in which digital technologies and data elements are used to promote the data integration of the whole industry chain, enable the digitalized, network-based and intelligent development of the industry, promote the reorganization and reform of business processes, organizational structures and production modes etc., achieve the collaborative transformation of upstream and downstream of the industry chain, integrate online and offline development, reduce costs and increase efficiency and achieve high-quality development of the whole industry, and thus form a new system of industrial collaboration, resource allocation and value creation.

**21. 城市全域数字化转型.** "Citywide digital transformation" refers to the new mode of high-quality urban development in which cities reconstruct technical frameworks, reform urban management process and deeply integrate industries with cities by comprehensively deepening the data integration, development and utilization as the main line and comprehensively using digital technologies and institutional innovation tools, so as to promote the efficiency improvement in all areas of digital transformation, the all-round enhancement of support capability, and the optimization of the whole ecological process of transformation.

**22. 东数西算工程.** The "East Data and West Computing" project is a key project whereby data and demands arising from economic activities in eastern regions are computed and processed in western regions under overall planning for data centers in terms of layout, network, electricity power, energy consumption, computing power and data, etc. For such business scenarios as the training and reasoning of artificial intelligence models and machine learning, eastern businesses may be relocated to areas with abundant wind, water, and electricity in western regions to achieve coordinated development of the eastern and western regions by way of "East Data and West Computing".
Accelerating the construction of the "East Data and West Computing" project will effectively stimulate the innovation vitality of data elements, speed up the process of digital industrialization and industrial digitization, generate new technologies, new industries, new types of business and new models, and support high-quality economic development.

**23. 高速数据网.** "High-speed data network" refers to the provision of data transmission services with flexible bandwidth, security, reliability and efficient transmission by relying on network virtualization, software-defined networking (SDN) and other technologies for data circulation and utilization scenarios.

**24. 全国一体化算力网.** "Integrated national computing power network" refers to digital infrastructure, which takes information network technology as carrier, to promote a high proportion of various computing power resources nationwide and large-scale integrated scheduling and operation. As the 2.0 version of the "East Data and West Computing" project, it has four typical characteristics: intensification, integration, synergy and value.

**25. 元数据.** "Metadata" refer to the data that define and describe specific data, which provide information about the structure, characteristics and relationships of data, and help to organize, search, understand and manage data.

**26. 结构化数据.** "Structured data" refer to a data representation form in which the structure of each record that is a collection of data elements is consistent and can be effectively described with a relational model.

**27. 半结构化数据.** "Semi-structured data" refer to a form of data structure that does not conform to the structure of the data model associated with relational databases or other forms of data tables but contains relevant tags to separate semantic elements and hierarchies of records and fields.

**28. 非结构化数据.** "Non-structured data" refer to the data that does not have a predefined model or is not organized in a predefined manner.

**29.
数据分析.** "Data analysis" refers to the process of sorting, studying, reasoning and summarizing data with specific techniques and methods, so as to extract useful information, find rules and form conclusions from the data.

**30. 数据挖掘.** "Data mining" refers to a means of data analysis, which is the process of mining information or value hidden in data with statistical analysis, machine learning, pattern recognition, expert system and other technologies.

**31. 数据可视化.** "Data visualization" refers to the process of clearly and effectively conveying the useful information contained in the data by statistical charts, graphs, maps and other graphic means, so as to facilitate better understanding and analysis of data by data users.

**32. 数据仓库.** "Data warehouse" refers to a database that is used for permanent storage of data after data preparation.

**33. 数据湖.** "Data lake" refers to a highly expandable data storage architecture, which is specially used for the storage of large amounts of original data and derived data from various sources and existing in different formats, including structured, semi-structured and unstructured data.

**34. 湖仓一体.** "The integration of lake and warehouse" refers to a new and open storage architecture, which connects the data warehouse and the data lake, and integrates the high performance and management capability of the data warehouse with the flexibility of the data lake, in which the bottom layer supports multiple data types and can realize the mutual sharing of the data, and the upper layer can access through a uniform encapsulated interface and can support real-time query and analysis at the same time.

**35.
隐私保护计算.** "Privacy-protective computation" refers to a type of information technology used to analyze and compute data on the premise that the data provider will not divulge the original data, in order to ensure that data "may be available but may not be visible" in each link of the whole process of data flow including data generation, storage, computation, application and destruction etc. The common technical schemes of privacy-protective computing include secure multi-party computing, federated learning, trusted execution environment, cryptographic computing and so on. The common underlying technologies include confusion circuit (混淆电路, i.e., garbled circuits), inadvertent transmission (不经意传输, i.e., oblivious transfer), secret sharing, homomorphic encryption and so on.

**36. 安全多方计算.** "Secure multi-party computing" refers to a setting in which, in a distributed network, multiple participating entities each hold secret data and wish to use these data as inputs to jointly complete the computation of a certain function, while each participating entity is required to obtain no input information from the other participating entities except the computation result and information that is expected to be disclosed. Secure multi-party computing mainly studies the problem of secure multi-party collaborative computation without a trusted third party.

**37. 联邦学习.** "Federated learning" refers to a mode in which multiple participants exchange intermediate computation results in a manner that protects private data, so as to cooperate to complete a machine learning task, on the premise that their original private data do not leave the trusted domain defined by the data provider.

**38. 可信执行环境.** "Trusted execution environment" refers to a software running environment that is built to ensure the confidentiality, integrity, authenticity and non-repudiation of data and code relating to security-sensitive applications, based on hardware-level isolation and a secure boot mechanism.

**39.
密态计算.** "Cryptographic computing" refers to the practice whereby, by making comprehensive use of cryptography, trusted hardware and system-security related technologies, data in the computation process can be used while remaining invisible, and computation results can be kept in cryptographic state, so as to support the construction of complex combined computations, achieve full-link security of computation, and prevent data leakage and abuse.

**40. 区块链.** "Blockchain" is a new kind of database software integrating distributed networking, encryption technology, smart contracts and other technologies, which has the characteristics of multi-centrality, consensus-based trust, tamper resistance and traceability etc., and is mainly used to solve the trust and security problems in the process of data flow.

---

## Explanation of Common Terms in the Field of Data (Second Batch)

- Chinese title: 数据领域常用名词解释(第二批)
- Abbreviation: Data Terms Batch 2
- Hierarchy: rule
- Issuing body: National Data Administration
- Adopted: 2025-03-29
- Effective: 2025-03-29
- Status: effective
- URL: https://datacompliancechina.com/laws/common-data-terms-batch-2/
- Markdown: https://datacompliancechina.com/laws/common-data-terms-batch-2.md

### Summary

The second installment of official terminology explanations issued by the National Data Administration, continuing the consensus-building effort that began with the First Batch in December 2024. The 20 terms in this batch focus on data property rights vocabulary (Data Property Rights, Data Property Rights Registration, Right to Hold Data, Right to Use Data, Right to Operate Data, derived data, enterprise data); data trading institutions and market structure (data trading institution, on-exchange data trading, off-exchange data trading, data trading matching, data third-party professional service institution); the data industry and data labeling sub-industry; trusted data space and data use control; data infrastructure; and computing-power scheduling and pooling.
DCC translation, cross-checked against the glossary for consistency with the public-data property-rights registration documents.

### Full text

**Promulgated by:** National Data Administration. Issued by the National Data Administration on March 29, 2025 by the Drafting Expert Team for Explanation of Terms in the Field of Data. Effective March 29, 2025.

---

> *DCC translation. The National Data Administration (国家数据局) released this second batch of standardized term explanations on March 29, 2025, continuing the consensus-building effort that began with the [First Batch](/laws/common-data-terms-batch-1/) of December 30, 2024. The 20 terms in this batch focus on data property rights vocabulary, data trading institutions and market structure, the data industry and data-labeling sub-industry, trusted data spaces, data infrastructure, and computing-power scheduling and pooling. Translated against [DCC's bilingual glossary](/glossary), with terminology aligned to the public-data property-rights registration documents and the First Batch translations where shared concepts appear.*

## Background

In order to build broad consensus, with the strong support of all walks of life, we have carefully studied and developed the *Explanation of Common Terms in the Field of Data (Second Batch)*. We will continue to iteratively improve the term explanations in light of practical needs and development requirements, and welcome the continuous attention of the community.

— Drafting Expert Team for Explanation of Terms in the Field of Data, March 29, 2025

## Annex: Explanation of Common Terms in the Field of Data (Second Batch)

**1. 数据产权 (Data Property Rights).** "Data Property Rights" refer to the property rights enjoyed by a rights-holder over specific data, including the Right to Hold Data, the Right to Use Data, the Right to Operate Data, and so on.

**2.
数据产权登记 (Data Property Rights Registration).** "Data Property Rights Registration" refers to the act of a Data Property Rights registration institution reviewing, in accordance with unified rules, the authenticity, compliance, and accuracy of the source, description, content, and other aspects of data, recording information such as the attribution of data rights, and issuing a registration certificate.

**3. 数据持有权 (Right to Hold Data).** "Right to Hold Data" refers to the right of a rights-holder to hold lawfully acquired data, either by itself or through another person it entrusts. Its purpose is to prevent others from illegally or in violation of regulations stealing, tampering with, leaking, or destroying data held by the rights-holder.

**4. 数据使用权 (Right to Use Data).** "Right to Use Data" refers to the right of a rights-holder to use data — through methods such as processing, aggregation, and analysis — to optimize production and operations, provide social services, form derived data, and the like. Generally speaking, the Right to Use Data is the right of a rights-holder to use data for internal use, on the premise of not providing the data externally.

**5. 数据经营权 (Right to Operate Data).** "Right to Operate Data" refers to the right of a rights-holder to provide data externally — for consideration or without consideration — through methods such as transfer, licensing, capital contribution, or the creation of security interests.

**6. 衍生数据 (Derived data).** "Derived data" refer to data formed when a data handler, in respect of data over which it enjoys the Right to Use Data, achieves substantive changes to the content, form, structure, or other aspects of the data — through methods such as the application of specialized knowledge for processing, model analysis, and extraction of key information — thereby significantly enhancing the value of the data, while protecting the legitimate rights and interests of all parties.

**7.
企业数据 (Enterprise data).** "Enterprise data" refer to data formed by enterprises in the course of production and operation activities, or lawfully acquired and held by enterprises.

**8. 数据交易机构 (Data trading institution).** "Data trading institution" refers to a specialized institution that provides data trading services to data suppliers and data demanders.

**9. 数据场内交易 (On-exchange data trading).** "On-exchange data trading" refers to the act of a data supplier and a data demander concluding a data transaction through a data trading institution.

**10. 数据场外交易 (Off-exchange data trading).** "Off-exchange data trading" refers to the act of a data supplier and a data demander concluding a data transaction without going through a data trading institution.

**11. 数据交易撮合 (Data trading matching).** "Data trading matching" refers to the act of helping a data supplier and a data demander conclude a data transaction.

**12. 数据第三方专业服务机构 (Data third-party professional service institution).** "Data third-party professional service institution" refers to a specialized organization that, in order to promote the compliant and efficient conduct of data trading activities, provides third-party services such as data integration, quality evaluation, data brokerage, compliance certification, security audit, data notarization, data insurance, data custody, asset evaluation, dispute mediation, risk assessment, talent training, and consulting services.

**13. 数据产业 (Data industry).** "Data industry" refers to the emerging industry formed by using modern information technology to develop products or services from data resources and to promote their circulation and application, including data collection and aggregation, computing and storage, circulation and trading, development and utilization, security governance, and the construction of data infrastructure.

**14.
数据标注产业 (Data labeling industry).** "Data labeling industry" refers to the emerging industry that processes data through screening, cleaning, classification, annotation, marking, quality inspection, and similar processing.

**15. 数字产业集群 (Digital industry cluster).** "Digital industry cluster" refers to a new form of industrial organization characterized mainly by being driven by data elements, empowered by digital technology, supported by digital platforms, developed through industrial integration, and built on a shared cluster ecosystem.

**16. 可信数据空间 (Trusted data space).** "Trusted data space" refers to a data circulation and utilization infrastructure that, based on consensus rules, connects multiple participating subjects to enable the sharing and joint use of data resources. It is the application ecosystem for the co-creation of data-element value, and an important carrier supporting the construction of a nationally integrated data market. A trusted data space must possess three core capabilities: trusted data control, resource interaction, and value co-creation.

**17. 数据使用控制 (Data use control).** "Data use control" refers to the use of technical means to exert control over the transmission, storage, use, and destruction of data — for example, by using smart-contract technology to translate the data-use-control intent of the data-rights subject into machine-readable smart-contract terms — thereby resolving the precondition issue of data controllability and enabling control over factors such as the time, location, subjects, conduct, and objects of the use of data assets.

**18. 数据基础设施 (Data infrastructure).** "Data infrastructure", from the perspective of unlocking the value of data elements, refers to a new category of infrastructure that provides data collection, aggregation, transmission, processing, circulation, utilization, operation, and security services to society.
It is an organic whole that integrates hardware, software, model algorithms, standards and specifications, mechanism design, and similar elements.

**19. 算力调度 (Computing-power scheduling).** "Computing-power scheduling" is, in essence, the scheduling of computing tasks. It matches computing-power resources to user business needs and dispatches the relevant business, data, and applications to the matched computing-power resource pool for computation, thereby achieving the rational utilization of computing resources.

**20. 算力池化 (Computing-power pooling).** "Computing-power pooling" refers to the unified registration and management of various heterogeneous and geographically dispersed computing-power resources and equipment — through key technologies such as computing-power virtualization and application containerization — so as to enable on-demand application and use of computing resources within large-scale clusters.

---

## Measures for the Certification of the Cross-border Provision of Personal Information

- Chinese title: 个人信息出境认证办法
- Hierarchy: rule
- Issuing body: Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR)
- Adopted: 2025-07-21
- Effective: 2026-01-01
- Status: effective
- URL: https://datacompliancechina.com/laws/cross-border-pi-certification-measures/
- Markdown: https://datacompliancechina.com/laws/cross-border-pi-certification-measures.md

### Summary

The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways.

### Full text

**Promulgated by:** Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR).

**Document No.:** Order No.
20 of CAC and SAMR (jointly).

**Adopted at the 17th executive meeting of the CAC in 2025 on July 21, 2025. Effective January 1, 2026.**

---

**Article 1.** In order to protect personal information rights and interests, regulate certification activities for the cross-border provision of personal information, and promote the efficient and secure cross-border flow of personal information, these Measures are formulated in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations.

**Article 2.** Where a personal information processor provides personal information to outside the territory of the People’s Republic of China by means of personal information protection certification, these Measures shall apply.

**Article 3.** For the purposes of these Measures, certification of cross-border provision of personal information refers to the conformity assessment activities conducted, in accordance with Item (2) of Paragraph 1 of Article 38 of the Personal Information Protection Law of the People’s Republic of China, by professional certification bodies that have lawfully obtained personal information protection certification qualifications, to attest that personal information processing activities such as the provision of personal information by personal information processors to outside the territory of the People’s Republic of China conform to relevant laws, administrative regulations, departmental rules, standards, and technical specifications.

**Article 4.** The National level cyberspace administration department, together with the National level data administration department and other relevant departments, shall formulate relevant standards and technical specifications for the certification of cross-border provision of personal information.
The State Administration for Market Regulation, together with the National level cyberspace administration department, shall formulate personal information protection certification rules and unified certification certificates and marks.

**Article 5.** Where a personal information processor provides personal information to outside the territory by means of certification of cross-border provision of personal information, it shall simultaneously meet the following conditions:

(1) It is not an operator of critical information infrastructure;

(2) Since January 1 of the current year, it has cumulatively provided abroad personal information of 100,000 persons or more but less than 1,000,000 persons (excluding sensitive personal information), or sensitive personal information of less than 10,000 persons.

The personal information provided abroad as referred to in the preceding paragraph does not include important data. Where laws, administrative regulations, or the National level cyberspace administration department provide otherwise, such provisions shall prevail.

Personal information processors shall not adopt means such as quantity splitting to provide, by means of certification of cross-border provision of personal information, to outside the territory personal information that, according to law, shall be provided abroad only after passing a security assessment for data export.

**Article 6.** Prior to applying for certification to provide personal information abroad, personal information processors shall perform the obligations of notification, obtaining separate consent of individuals, conducting personal information protection impact assessment, etc., in accordance with the provisions of laws and administrative regulations.
The personal information protection impact assessment shall focus on evaluating the following:

(1) The legality, legitimacy, and necessity of the purposes, scope, methods, etc., of personal information processing by the personal information processor and the overseas recipient;

(2) The scale, scope, types, and sensitivity of the personal information to be exported, and the risks that the cross-border provision of personal information may pose to national security, public interests, and personal information rights and interests;

(3) Whether the obligations the overseas recipient undertakes to assume, and the management and technical measures and capabilities to perform such obligations, can ensure the security of the personal information provided abroad;

(4) The risks of personal information being tampered with, damaged, leaked, lost, illegally used, etc., after being provided abroad, and whether the channels for safeguarding personal information rights and interests are smooth;

(5) The impact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the security of the personal information provided abroad and the personal information rights and interests;

(6) Other matters that may affect the security of cross-border provision of personal information.

**Article 7.** Where a personal information processor provides personal information abroad by means of certification, it shall apply to a professional certification body for certification of cross-border provision of personal information.

Where a personal information processor outside the territory of the People’s Republic of China applies for certification of cross-border provision of personal information, the application shall be assisted by its specially established institution or designated representative within the territory.
**Article 8.** Professional certification bodies shall carry out certification activities for cross-border provision of personal information in accordance with basic certification norms and personal information protection certification rules. Where certification requirements are met, professional certification bodies shall promptly issue certification certificates.

The validity period of a certification certificate shall be three years. Where the certificate needs to continue to be used upon expiry, the personal information processor shall file an application for certification six months prior to the expiration of the validity period.

**Article 9.** Professional certification bodies shall, within five working days after issuing certification certificates or after the status of certification certificates changes, submit relevant information on certification certificates for cross-border provision of personal information to the National level Certification and Accreditation Information Public Service Platform, including the certification certificate number, the name of the certified personal information processor, the scope of certification, and information on changes in certificate status, etc.

The State Administration for Market Regulation and the National level cyberspace administration department shall establish a mechanism for sharing certification information.

**Article 10.** Where professional certification bodies discover that a certified personal information processor has circumstances such as inconsistency between the cross-border provision of personal information and the certification scope, and is no longer in conformity with certification requirements, they shall suspend its use until revoking the relevant certification certificate.
Where the National level cyberspace administration department and relevant departments discover, in the course of supervision and administration over personal information protection, that a certified personal information processor has the circumstances set out in the preceding paragraph, professional certification bodies shall cooperate to suspend its use until revoking the relevant certification certificate.

The circumstances set out in the preceding two paragraphs shall be published via the National level Certification and Accreditation Information Public Service Platform.

**Article 11.** Where, in the course of carrying out certification activities, professional certification bodies discover that cross-border provision of personal information violates laws, administrative regulations, or relevant national provisions, they shall promptly report to the National level cyberspace administration department and relevant departments.

**Article 12.** Professional certification bodies that carry out certification for cross-border provision of personal information shall, within ten working days from the date on which they are approved by the State Administration for Market Regulation to obtain personal information protection certification qualifications, complete filing procedures with the National level cyberspace administration department.
When handling filing, the following materials shall be submitted:

(1) The circumstances of the obtained certification qualifications in the field of personal information protection;

(2) The professional work circumstances engaged in the field of data security and personal information protection during the past three years;

(3) Security background check materials of the personnel of the professional certification body;

(4) Implementation rules and work plan for personal information protection certification;

(5) Mechanisms for preventing personal information security risks;

(6) Continuous supervision mechanisms regarding the conformity of the certified personal information processor’s cross-border provision of personal information with certification standards;

(7) Complaint handling and dispute resolution mechanisms;

(8) Other materials required to be submitted.

Professional certification bodies shall be responsible for the authenticity of the filed materials.

Upon receipt of the filing materials submitted by the professional certification bodies, the National level cyberspace administration department, together with the National level data administration department, shall review the filing materials. Where the materials are complete, filing shall be completed within thirty working days and made public; where the materials are incomplete, filing shall not be completed, and the professional certification body shall be notified within thirty working days with reasons explained.

**Article 13.** The State Administration for Market Regulation and the National level cyberspace administration department shall supervise certification activities for cross-border provision of personal information, conduct regular or ad hoc inspections, carry out spot checks on certification processes and certification results, and conduct spot checks and evaluations of professional certification bodies.
**Article 14.** State organs, professional certification bodies, and other institutions engaged in certification activities and their staff shall, in accordance with law, keep confidential the personal privacy, personal information, trade secrets, and confidential business information that they become aware of in the performance of their duties, and shall not disclose, illegally provide to others, or illegally use such information. **Article 15.** Where any organization or individual discovers that a certified personal information processor provides personal information abroad in violation of these Measures, they may lodge complaints or report to professional certification bodies, cyberspace administration departments, and relevant departments. **Article 16.** Where cyberspace administration departments at the provincial level or above and relevant departments discover that the certified personal information processor’s cross-border personal information activities pose significant risks or that personal information security incidents have occurred, they may, in accordance with law, conduct interviews with the certified personal information processor. The certified personal information processor shall make rectifications as required and eliminate hidden dangers. **Article 17.** Where these Measures are violated, disposition shall be made in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations; where a crime is constituted, criminal liability shall be pursued according to law. **Article 18.** Where relevant provisions on certification of cross-border provision of personal information formulated prior to the implementation of these Measures are inconsistent with these Measures, these Measures shall prevail. 
**Article 19.** These Measures shall come into force on January 1, 2026. --- ## Administrative Measures for Personal Information Protection Compliance Audits - Chinese title: 个人信息保护合规审计管理办法 - Hierarchy: rule - Issuing body: Cyberspace Administration of China (CAC) - Adopted: 2024-05-20 - Effective: 2025-05-01 - Status: effective - URL: https://datacompliancechina.com/laws/personal-info-audit-measures/ - Markdown: https://datacompliancechina.com/laws/personal-info-audit-measures.md ### Summary These Measures implement the compliance-audit obligation in PIPL Article 54. Self-audit is required at least every two years for handlers of more than 10 million people's personal information; CAC-directed audits by a third-party specialized agency are triggered by significant risk, large-scale infringement, or major security incidents. The Measures are accompanied by a 27-section Guidelines annex that lays out exactly what auditors should examine — effectively a regulator-issued checklist for personal-information compliance. ### Full text **Promulgated by:** Cyberspace Administration of China (CAC). **Document No.:** Decree No. 18 of the Cyberspace Administration of China. **Adopted at the 15th executive meeting of the CAC on May 20, 2024.** **Promulgated February 12, 2025. Effective May 1, 2025.** Zhuang Rongwen, Minister of CAC. The Measures consist of 20 articles followed by a 27-section Guidelines annex. The annex (sections I through XXVII) sets out exactly what an auditor — whether in-house or a third-party specialized agency — should examine, item by item. For overseas compliance teams, the annex functions as a regulator-published checklist for personal-information protection. 
--- **Article 1.** In order to regulate the personal information protection compliance audits and protect personal information rights and interests, these Measures are enacted in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other laws and administrative regulations. **Article 2.** These Measures shall apply to the personal information protection compliance audits conducted within the territory of the People's Republic of China. For the purpose of these Measures, the term "personal information protection compliance audits" refers to the supervision activities that examine and evaluate whether the personal information handling activities of a personal information handler comply with laws and administrative regulations. **Article 3.** To conduct the personal information protection compliance audits by itself, a personal information handler shall have its internal body or a specialized agency entrusted thereby regularly audit the compliance of its handling of personal information with laws and administrative regulations. **Article 4.** Any personal information handler handling the personal information of more than 10 million people shall carry out the personal information protection compliance audits at least once every two years. 
**Article 5.** For a personal information handler who falls under any of the following circumstances, the cyberspace administration of China and other authorities performing responsibilities of personal information protection (hereinafter collectively referred to as the "protection authorities" in short) may require the personal information handler to entrust a specialized agency with the compliance audit of its personal information handling activities: (1) Where its personal information handling activities involve relatively large risks such as serious impact on personal rights and interests or serious lack of security measures; (2) Where its personal information handling activities may infringe upon the rights and interests of many people; or (3) Where a personal information security incident occurs, resulting in the divulgence, tampering with, loss or damage of the personal information of more than one million people or the sensitive personal information of more than 100,000 people. For the same personal information security incident or risk, it is not allowed to repeatedly require the personal information handler concerned to entrust a specialized agency with the personal information protection compliance audits. **Article 6.** Any personal information handler who conducts the personal information protection compliance audits on its own or entrusts a specialized agency to conduct the personal information protection compliance audits as required by the protection authorities shall be governed by the Guidelines for the Personal information protection compliance audits attached hereto mutatis mutandis. **Article 7.** Relevant specialized agencies shall have the capability to conduct personal information protection compliance audits and have auditors, premises, facilities and funds commensurate with their services. Relevant specialized agencies are encouraged to pass the certification. 
The certification of specialized agency shall be carried out in accordance with the relevant provisions of the Regulations of the People's Republic of China on Certification and Accreditation. **Article 8.** A personal information handler conducting the personal information protection compliance audits as required by the protection authorities shall provide necessary support to the specialized agency concerned for the normal personal information protection compliance audits and bear the audit fees. **Article 9.** A personal information handler conducting the personal information protection compliance audits as required by the protection authorities shall select a specialized agency as required by the protection authorities and complete the personal information protection compliance audits within the prescribed time limit; where the circumstance is complicated, the time limit may be extended appropriately upon approval from the protection authorities. **Article 10.** A personal information handler conducting personal information protection compliance audits as required by the protection authorities shall submit the compliance audit report in respect of personal information protection issued by the specialized agency concerned to the protection authorities after the completion of the compliance audit. The compliance audit report on personal information protection shall be signed by the principal of the specialized agency and the person in charge of compliance audit of the specialized agency, with the official seal of the specialized agency stamped therewith. **Article 11.** A personal information handler conducting personal information protection compliance audits as required by the protection authorities shall make corrections to the problems discovered during the compliance audit as required by the protection authorities and submit a rectification report to the protection authorities within 15 workdays from the completion of rectification. 
**Article 12.** A personal information handler handling the personal information of more than 1 million people shall designate a person in charge of personal information protection to be responsible for the compliance audit of its personal information protection. Any personal information handler that provides important Internet platform services, has a huge number of users and complicated business types shall establish an independent body mainly composed of external members to supervise the personal information protection compliance audits. **Article 13.** When engaging in the personal information protection compliance audits, a specialized agency shall abide by laws and regulations, act in good faith, make professional judgment on compliance audit in an impartial and objective manner, and keep confidential the personal information, trade secrets and confidential business information obtained in fulfilling its responsibilities of personal information protection compliance audits in accordance with the law, shall not disclose or illegally provide the same to others, and shall delete relevant information in a timely manner after the completion of the compliance audit. **Article 14.** A specialized agency shall not sub-entrust any other agency with the personal information protection compliance audits. **Article 15.** The same specialized agency and its affiliates and the same person-in-charge of compliance audit shall not conduct the personal information protection compliance audits for the same audit object for more than three consecutive times. **Article 16.** The protection authorities shall supervise and inspect the personal information protection compliance audits conducted by personal information handlers. **Article 17.** Any organization or individual is entitled to complain about or blow the whistle on any illegal activity during the personal information protection compliance audits to the protection authorities. 
The protection authorities receiving such complaint or report shall promptly handle it in accordance with the law and inform the complainant or whistleblower of the handling results. **Article 18.** Any personal information handler or specialized agency that violates the provisions hereof shall be punished in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other relevant laws and regulations; any criminal offence, if constituted, shall be investigated for criminal liability in accordance with the law. **Article 19.** These Measures shall not apply to the personal information protection compliance audits carried out by state organs and organizations authorized by laws and regulations to exercise functions of administration of public affairs. **Article 20.** These Measures shall come into force as of May 1, 2025. Annex: Guidelines for Personal Information Protection Compliance Audits **I.** These Guidelines are enacted in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other relevant laws and administrative regulations. 
**II.** The following matters shall be examined as focus in conducting the compliance audit on the legal basis for handling an individual's personal information: (1) Whether the individual's consent has been obtained if the handling of the individual's personal information is based on the individual's consent, and whether the consent is voluntarily and explicitly given by the individual under the premise of full knowledge; (2) Whether the individual's consent has been re-obtained if the purpose and method of the handling of the individual's personal information or the type of personal information to be handled changes based on the individual's consent to handle personal information; (3) Whether the individual's separate consent or written consent has been obtained in accordance with laws and administrative regulations for the handling of the individual's personal information based on the individual's consent; and (4) Whether the handling of the individual's personal information is not subject to the consent of the individual as stipulated in laws and administrative regulations in the event that the individual's consent is not obtained. 
**III.** The following matters shall be examined as focus in conducting the compliance audit on the rules for handling an individual's personal information: (1) Whether the individual is informed, in a truthful, accurate and complete manner, of the title or name and contact information of the personal information handler; (2) Whether the personal information collected and the handling method and type of such information are set out in an easily accessible form such as a list; (3) Whether the information is directly related to the purpose of handling and the method with minimum impact on individual rights and interests is adopted; (4) Whether the retention period of personal information or the method for determining the retention period, the method for handling upon expiration of the retention period, and the retention period determined as the minimum time necessary to achieve the purpose of handling are specified; and (5) Whether the ways and methods for people to access, copy, transfer, correct, supplement, delete and restrict the handling of personal information, deregister accounts and withdraw consent are specified. 
**IV.** The following matters shall be examined as focus in conducting the compliance audit on the performance by a personal information handler of the obligation to inform the rules for handling an individual's personal information: (1) Whether the personal information handler informs the individual of the rules for handling his/her personal information in an eye-catching manner and in clear and understandable wording in a truthful, accurate and complete manner prior to the handling of his/her personal information; (2) Whether the size, font and color of the informed text are convenient for the individual to completely read the informed matters; (3) Whether the informing obligation has been performed to the individual by marking, explanation or other means offline; (4) Whether the text information is provided online or the informing obligation has been performed to the individual by appropriate means; (5) Whether the individual has been informed of the changes in a timely manner in the case of changes to the rules for handling his/her personal information; and (6) Whether the individual falls within the circumstances in which confidentiality shall be maintained or it is unnecessary to inform the individual in accordance with laws and administrative regulations if it is not required to inform the individual whose personal information is handled. **V.** The following matters shall be examined as focus in conducting the compliance audit on the personal information jointly handled by a personal information handler and any other personal information handlers: (1) Whether the respective rights and obligations are agreed upon; (2) The mechanism for protection of personal information rights and interests; (3) The mechanism for reporting personal information security incidents; and (4) Other rights and obligations to be agreed upon as stipulated by laws and administrative regulations. 
**VI.** The following matters shall be examined as focus in conducting the compliance audit on the handling of personal information entrusted by a personal information handler: (1) Whether the personal information handler has conducted the personal information protection impact assessment prior to entrusting its handling of personal information; (2) Whether the contract concluded between the personal information handler and the party entrusted has agreed on the purpose, duration, and method of the entrusted handling, type of personal information and protection measures, as well as the rights and obligations of both parties; and (3) Whether the personal information handler has supervised the personal information handling activities of the party entrusted by means of regular inspection, etc. **VII.** Where a personal information handler needs to transfer personal information due to reasons such as merger, reorganization, demerger, dissolution or declaration of bankruptcy, the audit shall focus on whether the personal information handler has informed the individual of the name and contact information of the recipient. **VIII.** The following matters shall be examined as focus in conducting the compliance audit of a personal information handler who provides an individual's personal information handled by it to any other personal information handler: (1) Whether the individual's consent for handling his/her personal information is obtained if such consent is required; (2) Whether the individual is informed of the name and contact information of the recipient, purpose and method of the handling and types of personal information, unless the information shall be kept confidential, or it is unnecessary to be informed as stipulated by laws and administrative regulations; and (3) Whether personal information protection impact assessment has been conducted beforehand. 
**IX.** The following matters shall be examined as focus in conducting the compliance audit on the handling of an individual's personal information by a personal information handler using automatic decision-making: (1) The transparency of automatic decision-making and whether the automatic decision-making results are fair and impartial; (2) Whether the individual is informed beforehand of the type and possible impact of the handling under automatic decision-making; (3) Whether personal information protection impact assessment has been conducted beforehand; (4) Whether a protection mechanism is provided for users so that the individual can refuse in a convenient way the decisions made under automatic decision-making methods that have a significant impact on personal rights and interests, and whether the personal information handler is required to explain the decisions made under automatic decision-making methods that have a significant impact on personal rights and interests of users; (5) For information push or commercial marketing to people, whether options not tailored to personal characteristics are also provided, or whether a convenient method for refusing automatic decision-making service is provided; (6) Whether effective measures have been taken to prevent automatic decision-making from giving unreasonable differential treatment to people in terms of transaction conditions according to consumers' preferences, transaction habits and so on; and (7) Other matters that may affect the transparency of automatic decision-making and the fairness and impartiality of the results thereof. 
**X.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler who discloses an individual's personal information based on the individual's consent: (1) Whether the personal information handler has obtained the sole consent of the individual before disclosing the personal information it handled, whether such authorization is true and valid, and whether such personal information is disclosed against the individual's will; and (2) Whether the personal information handler has conducted personal information protection impact assessment prior to the disclosure of the individual's personal information. **XI.** A personal information handler who installs image-collecting and personal identification equipment in public places shall examine the legality of the image-collecting and personal information identification equipment and the use of the personal information collected as focus. The examination shall include but not be limited to: (1) Whether the handling of personal information collected is necessary for maintaining public security; whether the handling of personal information collected is for business purposes; (2) Whether a conspicuous prompting sign is set up; and (3) Whether an individual's sole consent has been obtained if the individual's personal image and identification information collected by the personal information handler are used for purposes other than maintaining public security. **XII.** In conducting the compliance audit on a personal information handler's handling of disclosed personal information, whether the personal information handler has committed any of the following illegalities or irregularities shall be examined as focus: (1) Sending commercial information that is irrelevant to the purpose of disclosure to the e-mail, mobile phone numbers etc. 
contained in the disclosed personal information; (2) Using disclosed personal information to engage in cyber-violence, disseminating rumors and false information online and other activities; (3) Handling disclosed personal information where the individual concerned has explicitly refused such handling; (4) Failure to obtain the individual's consent where there is significant impact on the individual's rights and interests; and (5) Exceeding the reasonable scope of the scale or time of collection, retention or handling of disclosed personal information or the purpose of use thereof. **XIII.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler's handling of sensitive personal information: (1) When handling an individual's personal information based on his/her consent, whether the individual's sole consent has been obtained beforehand for the handling of his/her sensitive personal information such as biometric information, religious belief, specific identity, medical health, financial accounts and whereabouts; (2) When handling personal information of a minor under the age of 14 based on his/her consent, whether consent of the minor's parents or other guardians is obtained beforehand; (3) Whether the purpose, method or scope of handling sensitive personal information is legitimate, justifiable and necessary; (4) Whether a personal information protection impact assessment has been conducted beforehand; (5) Whether the individual has been informed of the necessity to handle his/her sensitive personal information and the impact on his/her personal rights and interests, unless the confidentiality shall be maintained, or it is not necessary to be informed as stipulated by laws and administrative regulations; (6) Whether written consent has been obtained for the handling of which a written consent is required as stipulated by laws and administrative regulations; and (7) Whether the restrictive provisions of laws and 
administrative regulations on the handling of sensitive personal information are complied with. **XIV.** The following matters shall be examined in conducting the compliance audit on a personal information handler's handling of the personal information of minors under the age of 14: (1) Whether specialized rules have been formulated for handling personal information; (2) Whether the minors and their guardians have been informed of the purpose, method and necessity of the handling of the personal information of minors, the type of personal information to be handled and the adopted protection measures, etc., unless it is not necessary to be informed as stipulated by laws and administrative regulations; and (3) Whether there is the practice of compulsorily requiring minors or their guardians to agree to handle unnecessary personal information in handling personal information based on the consent of the individual concerned. **XV.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler's provision of personal information abroad: (1) Whether the provision of personal information abroad by a critical information infrastructure operator has been subject to the security assessment organized by the national cyberspace administration authority, unless it is otherwise provided for in laws, administrative regulations or by the national cyberspace administration authority; (2) Whether the provision of personal information (excluding sensitive personal information) of more than 1 million people or sensitive personal information of more than 10,000 people in total abroad by a data handler other than a critical information infrastructure operator as of January 1 of the current year has been subject to the security assessment organized by the national cyberspace administration authority, unless it is otherwise provided for in laws, administrative regulations or by the national cyberspace administration 
authority; (3) Whether the provision of personal information (excluding sensitive personal information) of more than 100,000 people but less than 1 million people or sensitive personal information of less than 10,000 people in total abroad by a data handler other than a critical information infrastructure operator as stipulated by the national cyberspace administration authority has been certified in terms of personal information protection in accordance with the provisions of the national cyberspace administration authority, or a contract has been entered into with the overseas recipient in accordance with the standard contract developed by the national cyberspace administration authority and filed for record with the local cyberspace administration authority at the provincial level, or other conditions stipulated by laws, administrative regulations or by the national cyberspace administration authority are met; (4) In the case of the provision of personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities, whether such provision has been approved by the competent authority of the People's Republic of China; and (5) Whether the personal information is provided to any organization or person included in the list of organizations or persons to whom personal information provision is restricted or prohibited. 
**XVI.** The following matters shall be examined as focus in conducting the compliance audit on the protection of the right to delete personal information: (1) Whether the purpose of personal information handling has been achieved, cannot be achieved or it is no longer necessary to achieve the purpose of personal information handling; (2) Whether the personal information handler has ceased to provide products or services, or whether the individual concerned has deregistered his/her account; (3) Whether the retention period has expired; (4) Whether the individual concerned withdraws his/her consent; (5) Whether the personal information handler handled personal information in violation of laws, administrative regulations or the agreement; and (6) Whether the personal information handler has ceased handling other than storing and adopting necessary security measures if the storage period for the personal information that shall be deleted has not expired as prescribed by laws and administrative regulations, or it is difficult to delete the personal information technically. **XVII.** The following matters shall be examined as focus in conducting the compliance audit on the protection of the rights of individuals in personal information handling activities carried out by a personal information handler: (1) Whether a convenient mechanism for accepting and handling applications for individuals to exercise their rights has been established; (2) Whether the response to an individual's application for exercise of his/her rights is timely made; and whether the individual has been notified of the handling opinions or the execution results in a timely, complete and accurate manner; and (3) Whether the reasons have been stated to an individual in the case of refusal of the individual's request for exercise of his/her rights. 
**XVIII.** A personal information handler shall respond to the applications filed by individuals and explain its rules on handling personal information, and evaluate the following contents in conducting the compliance audit: (1) Whether the personal information handler has provided convenient ways and channels to accept and deal with individuals' requests for the interpretation of its rules on handling personal information; and (2) Whether the personal information handler has explained its personal information handling rules in plain language within a reasonable period of time after receiving the request of an individual. **XIX.** A personal information handler shall, in accordance with the provisions of laws and administrative regulations, formulate an internal management system and operating procedures, specify its organizational structure and job responsibilities, establish a workflow, and improve its internal control system, so as to ensure the compliance and security of its handling of personal information. 
In conducting the compliance audit, the personal information handler's internal management system and operating procedures for the protection of personal information shall be examined as focus, including but not limited to: (1) Whether the guidelines, objectives and principles of personal information protection are in compliance with laws and administrative regulations; (2) Whether the organizational structure, staffing, code of conduct and management responsibilities for the protection of personal information adapt to the responsibilities to be performed for personal information protection; (3) Whether personal information has been classified according to the type, source, sensitivity and purpose of personal information; (4) Whether an emergency response mechanism for personal information security incidents has been established; (5) Whether a personal information protection impact assessment system and a compliance audit system have been established; (6) Whether a smooth process for accepting complaints and whistleblowing about personal information protection has been established; (7) Whether the authority to handle and operate personal information has been reasonably set; (8) Whether a security education and training program on personal information protection has been formulated and implemented; (9) Whether a performance evaluation system has been established for the person in charge of personal information protection and the relevant personnel; (10) Whether a responsibility system has been established for dealing with personal information illegalities; and (11) Other matters as prescribed by laws and administrative regulations. **XX.** A personal information handler shall adopt technical security measures appropriate for the scale and type of the personal information handled by it and evaluate the effectiveness of the technical measures adopted by it. 
The evaluation shall include but not be limited to: (1) Whether it has adopted corresponding technical security measures to realize the confidentiality, integrity and availability of personal information; (2) Whether it has adopted technical security measures such as encryption and de-identification to ensure that the identifiability of personal information is eliminated or reduced without the use of additional information; and (3) Whether the technical security measures adopted can reasonably determine the operation authority of relevant personnel to consult, copy and transmit personal information to reduce the risks of unauthorized access and abuse of personal information in the processing. **XXI.** The following matters shall be evaluated as focus in conducting the compliance audit on the formulation and implementation of an education and training plan by a personal information handler: (1) Whether the personal information handler has provided the corresponding security education and training for its management personnel, technical personnel, operators and all staff as planned, and assessed the awareness and skills of relevant personnel for personal information protection; and (2) Whether the content, method, object and frequency etc. of the training can meet the needs of personal information protection. 
**XXII.** The following matters shall be examined as focus in conducting the compliance audit on the performance of responsibilities by the person in charge of personal information protection designated by a personal information handler: (1) Whether the person in charge of personal information protection has the relevant work experience and professional knowledge and is familiar with the relevant laws and administrative regulations on personal information protection; (2) Whether the person in charge of personal information protection has specific and clear responsibilities, and whether he/she is authorized to coordinate the internal departments and personnel concerned of the personal information handler; (3) Whether the person in charge of personal information protection has the right to put forward relevant opinions and suggestions prior to the decision of significant matters relating to the handling of personal information; (4) Whether the person in charge of personal information protection has the right to stop the non-compliance in the handling of personal information within the personal information handler and to take necessary corrective measures; and (5) Whether the personal information handler has disclosed the contact information of the person in charge of personal information protection and submitted the name and contact information of the person in charge of personal information protection to the protection authorities. 
**XXIII.** In conducting the compliance audit on the personal information protection impact assessment conducted by a personal information handler, the examination shall be focused on the implementation of the impact assessment and assessment contents: (1) Whether the personal information handler has conducted the personal information protection impact assessment before its handling of personal information that has a significant impact on personal rights and interests in accordance with the provisions of laws and administrative regulations; (2) Whether the personal information handler has conducted lawful, proper and necessary assessment of the purpose and method of its handling of personal information; (3) Whether the personal information handler has conducted assessment of the impact on personal rights and interests and security risks; and (4) Whether the personal information handler has conducted assessment of the legality and effectiveness of the protection measures taken and the said measures' adaptability to its risk degree. **XXIV.** A personal information handler shall develop an emergency plan for personal information security incidents. In conducting the compliance audit, the comprehensiveness, effectiveness and executability of the emergency plan shall be evaluated, including but not limited to the following contents: (1) Whether the personal information handler has made a systematic assessment and forecast of the personal information security risks it faces in light of its business practices; (2) Whether the general requirements, basic strategies, organizational structure, personnel, technology and material support, command and disposal procedures, and emergency and supporting measures etc. are sufficient to respond to the forecasted risks; and (3) Whether the personal information handler has provided training on the emergency plan for the relevant personnel and regularly conducted drills of the emergency plan.
**XXV.** The following matters shall be examined as focus in conducting the compliance audit on a personal information handler's emergency response to and handling of personal information security incidents: (1) Whether the personal information handler has timely found out the impact, scope and possible hazards of a personal information security incident, analyzed and determined the causes of incidents, and put forward measures and plans for preventing the expansion of the damage in accordance with the emergency plan and operating procedures; (2) Whether the personal information handler has established notification channels to timely notify the protection authorities and people of the occurrence of a security incident in accordance with the relevant provisions; and (3) Whether the personal information handler has taken corresponding measures to minimize the potential losses and risks of harm caused by a personal information security incident. **XXVI.** The following matters shall be examined as focus in conducting the compliance audit of the platform rules formulated by a personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types: (1) Whether the platform rules contravene any laws or administrative regulations; (2) The effectiveness of the personal information protection provisions of the platform rules, and whether the rights and obligations of the platforms, products or service providers in the platform to protect personal information are reasonably defined; and (3) The implementation of the platform rules, and whether it has been verified through sampling or otherwise that the platform rules have been effectively implemented.
**XXVII.** In conducting the compliance audit on the social responsibility report on personal information protection issued by a personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types, the disclosure of the following contents of the social responsibility report shall be examined as focus: (1) The organizational structure and internal management of personal information protection; (2) The development of personal information protection capability; (3) The measures taken for personal information protection and the effects thereof; (4) Acceptance of applications filed by individuals for exercise of rights; (5) The performance of responsibilities by the independent supervision body; (6) The handling of a serious personal information security incident; (7) Popularization and publicity of science and public welfare activities that promote social co-governance of personal information protection; and (8) Other matters prescribed by laws and administrative regulations. --- ## Cybersecurity Review Measures - Chinese title: 网络安全审查办法 - Hierarchy: rule - Issuing body: CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA) - Adopted: 2021-11-16 - Effective: 2022-02-15 - Status: effective - URL: https://datacompliancechina.com/laws/cybersecurity-review-measures/ - Markdown: https://datacompliancechina.com/laws/cybersecurity-review-measures.md ### Summary The 2021 update to the cybersecurity review regime, expanded after the Didi enforcement action. Applies to (i) CIIO procurement of network products/services that may affect national security, and (ii) network platforms holding personal information of more than one million users when seeking an overseas listing. Sets the procedure, factors considered, and outcomes (no-action, conditional approval, prohibition).
### Full text **Promulgated by:** CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA). **Document No.:** Decree No. 8 of the Cyberspace Administration of China. **Adopted at the 20th executive meeting of the CAC in 2021 on November 16, 2021. Effective February 15, 2022.** --- **Article 1.** The present Measures are enacted in accordance with the State Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and the Security Protection Regulations for Critical Information Infrastructure, in order to ensure the supply chain security of critical information infrastructure, safeguard network security and data security, and maintain national security. **Article 2.** The purchase of network products and services by critical information infrastructure operators and the data processing activities carried out by online platform operators, which affect or may affect national security, shall be subject to cybersecurity review in accordance with the present Measures. **Article 3.** Cybersecurity review shall be conducted under the principle of combining cybersecurity risk prevention with the promotion of the application of advanced technologies, fairness and transparency of the process with the protection of intellectual property rights, ex ante review with continuous regulation, and corporate commitment with social supervision, in terms of the security of products and services as well as data processing activities, potential risks to the national security, etc.
**Article 4.** Under the leadership of the Central Cyberspace Affairs Commission, the Cyberspace Administration of China establishes a working mechanism for the cybersecurity review of the State, in concert with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of State Security of the People's Republic of China, the Ministry of Finance of the People's Republic of China, the Ministry of Commerce of the People's Republic of China, the People's Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the National Administration of State Secrets Protection, and the State Cryptography Administration. The Office of Cybersecurity Review, located in the Cyberspace Administration of China ("CAC"), is responsible for developing relevant rules and regulations on cybersecurity review and organizing cybersecurity review. **Article 5.** To purchase network products or services, a critical information infrastructure operator shall prejudge any possible risks to national security after such products or services are put into use. It shall declare any network product or service that affects or may affect national security to the Office of Cybersecurity Review for cybersecurity review. The authority for protection of critical information infrastructure may develop pre-judgment guidelines for the industry or field concerned. 
**Article 6.** For the procurement activity declared for cybersecurity review, the critical information infrastructure operator shall require the product or service provider to cooperate in the cybersecurity review by virtue of the procurement document, agreement or otherwise, including undertaking not to take advantage of the provision of the product or service to illegally obtain user data, illegally control and manipulate user equipment, and not to suspend product supply or necessary technical support services without justifiable reasons. **Article 7.** To go public abroad, an online platform operator who possesses the personal information of more than 1 million users shall declare to the Office of Cybersecurity Review for cybersecurity review. **Article 8.** To file an application for cybersecurity review, the operator shall submit the following materials: (I) A written declaration; (II) An analysis report concerning the impact or possible impact on national security; (III) The procurement document, agreement, contract to be entered into or IPO materials to be submitted, etc.; and (IV) Other materials necessary for cybersecurity reviews. **Article 9.** The Office of Cybersecurity Review shall, within ten working days upon receipt of the declaration materials for review in conformity with the provisions of Article 8 hereof, determine whether the review is required and notify the party in writing thereof.
**Article 10.** Cybersecurity review shall focus on the assessment of national security risk factors of the relevant object or situation: (I) Risks of illegal control, interference or destruction of critical information infrastructure brought about by the use of products and services; (II) The harm caused by supply interruption of products and services to the business continuity of critical information infrastructure; (III) Security, openness, transparency and diversity of sources of products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors; (IV) Information on compliance with Chinese laws, administrative regulations and departmental rules by product and service providers; (V) Risks of theft, disclosure, damage, illegal use or cross-border transfer of core data, important data or large amounts of personal information; (VI) Risks of influence, control or malicious use of critical information infrastructure, core data, important data or large amounts of personal information by foreign governments after overseas listing; and (VII) Other factors that may endanger critical information infrastructure security and national data security. **Article 11.** Where the Office of Cybersecurity Review deems it necessary to conduct a cybersecurity review, it shall complete the preliminary review within 30 working days from the date when it issues a written notice to the party, including the formation of review findings and suggestions and sending review findings and suggestions to members of the cybersecurity review working mechanism and relevant authorities for their comments. If the case is complicated, the said time limit may be extended by 15 working days. **Article 12.** Members of the cybersecurity review working mechanism and relevant authorities shall give a written reply within 15 working days upon receipt of the review findings and suggestions.
If a unanimous agreement is reached among the members of the cybersecurity review working mechanism and relevant authorities, the Office of Cybersecurity Review shall notify the Operator of the review findings in writing. In case of disagreement, the case shall be handled under the special review procedures, and the party shall be notified of the same. **Article 13.** Where a case is handled under the special review procedures, the Office of Cybersecurity Review shall listen to the opinions of relevant authorities and organizations, conduct in-depth analysis and evaluation, form a review finding and suggestions again, seek opinions from members of the cybersecurity review working mechanism and relevant authorities, report the same to the Central Cyberspace Affairs Commission for approval under procedures, and form a review finding and notify the party thereof in writing. **Article 14.** The special review procedures shall generally be completed within 90 working days and the time limit may be extended for complicated cases. **Article 15.** Where the Office of Cybersecurity Review requires supplementary materials, the party and the product or service provider shall do so accordingly. The time for submission of such supplementary materials will not be included in the review period. **Article 16.** Where a member of the cybersecurity review working mechanism believes that a network product or service or data processing activity affects or may affect national security, the Office of Cybersecurity Review shall report the same to the Central Cyberspace Affairs Commission for approval under procedures, and then conduct review in accordance with the present Measures. In order to prevent risks, the party shall take measures to prevent and mitigate risks during the review in accordance with the requirements of the cybersecurity review.
**Article 17.** Relevant agencies and personnel involved in the cybersecurity review shall strictly protect intellectual property rights, and shall have confidentiality obligations for the trade secrets, personal information, undisclosed materials submitted by the party, product and service providers as well as other undisclosed information known in the review. Without the consent of the information provider, such information shall not be disclosed to unrelated parties or used for any purpose other than the review. **Article 18.** Where the party or the network product or service provider believes that a review officer is not objective and impartial or fails to bear confidentiality obligations for the information accessed during the review, it may report the same to the Office of Cybersecurity Review or the relevant authority. **Article 19.** The party shall urge the product or service provider to fulfill its commitments made during the cybersecurity review. The Office of Cybersecurity Review shall strengthen ex ante, interim and ex post supervision by means of accepting reports or otherwise. **Article 20.** Any party in violation of the present Measures shall be punished in accordance with the provisions of the Cybersecurity Law of the People's Republic of China and the Data Security Law of the People's Republic of China. **Article 21.** For the purpose of the present Measures, the term "network products and services" mainly refers to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure. **Article 22.** Where any state secret is involved, the relevant confidentiality provisions of the State shall apply.
Where the State has other provisions on data security review and foreign investment security review, such provisions shall be complied with at the same time. **Article 23.** The present Measures shall come into force on February 15, 2022, simultaneously repealing the Cybersecurity Review Measures (issued under Decree No. 6 of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration) promulgated on April 13, 2020. --- ## Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024) - Chinese title: 网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409) - Abbreviation: TC260 Sensitive PI Guide - Hierarchy: standard - Issuing body: Secretariat of the National Information Security Standardization Technical Committee (TC260) - Effective: 2024-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide/ - Markdown: https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide.md ### Summary TC260's September 2024 practice guide for identifying sensitive personal information under PIPL Article 28. Sets out a four-rule identification framework — damage to personal dignity, to personal safety, to property safety, and aggregation effects — and lists eight common categories of sensitive personal information with illustrative examples in Appendix A.
The guide is not a mandatory standard; it is advisory practice guidance issued by the TC260 Secretariat to help organizations operationalize PIPL's sensitive-PI regime. Practical reference for handlers performing the PIPIA required by PIPL Article 55(I) before processing sensitive personal information. ### Full text > *DCC summary, not a translation.* TC260's practice guide explicitly prohibits unauthorized translation. The structured summary below is DCC's own paraphrase of the guide's framework, written for overseas compliance teams who need to understand how Chinese regulators expect handlers to identify "sensitive personal information" as that term is defined in PIPL Article 28. ## Why this guide matters PIPL Article 28 defines sensitive personal information as personal information that, if leaked or unlawfully used, would readily harm a natural person's dignity or threaten their personal or property safety. The statute provides a non-exhaustive list — biometric identification, religious belief, specific identity, medical health, financial account, and whereabouts and tracks information, as well as personal information of minors under 14. The TC260 guide does what the statute does not: it gives handlers a structured method for *applying* this definition. For overseas compliance teams whose Chinese subsidiaries or vendors handle personal information at scale, this is the framework Chinese regulators will reference when deciding whether the strict handling rules for sensitive personal information (separate consent under Article 29, intensified PIPIA under Article 55, notice obligations under Article 30) attach to a given dataset. ## The four-rule identification framework The guide directs handlers to apply four rules in sequence. **Rule 1 — Statutory criteria.** Information is sensitive personal information if leakage or unlawful use would readily lead to any of: - Damage to the natural person's dignity. 
The guide notes that "doxxing" (人肉搜索), unauthorized account access, telecom fraud, reputational damage, and discriminatory differential treatment all fall in this category — and that discriminatory differential treatment often turns on the disclosure of specific identity, religious belief, sexual orientation, or specific disease/health information. - Harm to the natural person's safety. The guide gives whereabouts and trajectory data as the canonical example. - Harm to the natural person's property safety. The guide gives financial-account information as the canonical example. **Rule 2 — Default-category check.** A handler should identify information in the eight common categories enumerated in Section 4 (set out below) and treat any such information as sensitive by default. The guide notes that a handler with substantive evidence that a particular dataset *does not* meet the Rule 1 conditions may elect not to treat it as sensitive — but this is an explicit override of the default, not a discretionary judgment. **Rule 3 — Aggregation analysis.** Single-item identification is not enough. The handler must also assess the *aggregate* effect of combining multiple ordinary personal-information items. If the combined dataset would meet Rule 1's conditions in the aggregate, it should be treated as sensitive personal information in the aggregate. **Rule 4 — Statutory carve-outs prevail.** Where law or administrative regulation specifies that information is sensitive personal information, that designation governs. ## The eight common categories The guide enumerates eight categories of common sensitive personal information, with illustrative examples in Appendix A. 1. **Biometric identification information** — including face, voiceprint, gait, fingerprint, palmprint, eye-print, ear-print, iris, and gene information. 
Cross-reference to dedicated national standards: GB/T 40660 (general biometric), GB/T 41819 (facial recognition data), GB/T 41807 (voiceprint data), GB/T 41773 (gait data), GB/T 41806 (gene identification data). 2. **Religious-belief information** — religion practiced, religious organizations joined, positions held within religious organizations, religious activities participated in, special religious customs. 3. **Specific-identity information** — identity that materially affects personal dignity and social evaluation, or that is otherwise unsuitable for public disclosure. The guide emphasizes identity information that could prompt social discrimination. 4. **Medical health information** — information related to physical or mental injury, illness, disability, illness risk, or privacy. The guide subdivides this into (a) health-status information (symptoms, medical history, family medical history, infectious-disease history, examination reports, fertility information) and (b) information generated in the course of medical services (medical records, hospital admission records, doctor's orders, surgical and anesthesia records, nursing records, medication records, examination data, examination reports). 5. **Financial-account information** — bank, securities, fund, insurance, and housing-fund account numbers and passwords; payment account numbers, bank-card track data, payment-token information derived from account data, and personal income detail. 6. **Whereabouts and tracks information** — continuous precise-location trajectory data, vehicle trajectory data, personal activity-trajectory data. Service-fulfillment context — for example, delivery drivers and couriers performing service tasks — is carved out by note. 7. **Personal information of minors under 14**. 8. 
**Other sensitive personal information** — including (per the appendix) precise-location information collected via mobile-device fine-location permission, ID-card photographs, sexual orientation, sexual activity, credit reporting information, criminal-record information, and images or video showing private body parts. ## Key application notes from Appendix A - *Precise location* requires the mobile-device fine-location permission to be invoked; rough-IP-derived location information is not by itself precise-location information. Continuous precise-location capture can constitute trajectory information. - *Health-related but ordinary* metrics — weight, height, blood type, blood pressure, lung capacity — fall outside the sensitive category if not associated with an actual disease or medical visit. - *Criminal-record information* refers specifically to records maintained by Chinese state organs (charge, sentence, etc.). - *Gene identification data*, *facial recognition data*, *voiceprint*, *gait*, and *gene* each have their own dedicated national-standard data-security requirements; the TC260 guide is a higher-level identification reference and does not displace those data-specific standards. ## How to use this in compliance practice For overseas compliance teams operating in China: - **Treat the eight categories as the working list.** Any data fitting one of the eight categories should default to sensitive-PI handling — separate consent, written consent where required, intensified PIPIA, and the additional notice obligations of PIPL Article 30. - **Run the aggregation check.** Even where individual fields are ordinary personal information, an aggregate dataset that exposes whereabouts, financial profile, health status, or other Rule 1 vectors should be classified up. 
- **Document the assessment.** PIPL Article 55 requires PIPIA before processing sensitive personal information; the PIPIA report is the natural place to record the Rule 1–Rule 4 analysis with reference to the guide. Retain for three years (PIPL Article 56). - **Recognize the guide's status.** TC260 practice guides are not mandatory standards. But Chinese regulators reference them as the operational gloss on the statutory definition, and handlers who deviate from the guide's framework should expect to justify the deviation. --- — *Cybersecurity Standards Practice Guide: Sensitive Personal Information Identification Guide* (v1.0, September 2024), issued by the Secretariat of the National Information Security Standardization Technical Committee (TC260). DCC summary based on the published guide. For the source document, see [www.tc260.org.cn](https://www.tc260.org.cn/). --- ## Data Security Law of the People's Republic of China - Chinese title: 中华人民共和国数据安全法 - Abbreviation: DSL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2021-06-10 - Effective: 2021-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/dsl/ - Markdown: https://datacompliancechina.com/laws/dsl.md ### Summary The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval. ### Full text **Promulgated by:** National People's Congress Standing Committee. **Document No.:** Order of the President No. 84. **Adopted at the 29th Session of the Standing Committee of the 13th National People's Congress on June 10, 2021. 
Effective September 1, 2021.** --- ## Chapter 1 General Provisions **Article 1.** In order to regulate data handling activities, ensure data security, promote data exploitation and use, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests, this Law is enacted. **Article 2.** This Law shall apply to data handling activities carried out within the territory of the People's Republic of China and to the security regulation thereof. Where data handling activities are carried out outside the territory of the People's Republic of China, which damage the national security or public interest of the People's Republic of China or the lawful rights and interests of citizens or organizations, legal liability shall be investigated in accordance with the law. **Article 3.** For the purposes of this Law, the term "data (records)" refers to any record of information made electronically or by other means. Data handling includes the collection, storage, use, processing, transmission, provision and disclosure of data, among others. Data security refers to the state of effective protection and lawful use of data achieved by taking necessary measures, and the capacity to ensure that such a state of continuous security is maintained. **Article 4.** In maintaining data security, the overall national security concept shall be upheld, a sound data security governance system shall be established and improved, and the capacity for safeguarding data security shall be enhanced. 
**Article 5.** The central national security leadership body shall be responsible for decision-making and deliberation and coordination with respect to national data security work, shall study, formulate and guide the implementation of the national data security strategy and relevant major guidelines and policies, shall overall plan and coordinate major matters and important tasks of national data security, and shall establish a data security coordination mechanism at the National level. **Article 6.** Each region and each department shall be responsible for the data (records) collected and generated in the course of its work in its respective region and department, and for the security of such data. Departments in charge of industries and sectors such as industry, telecommunications, transport, finance, natural resources, health, education and science and technology shall undertake data security regulatory responsibilities for their respective industries and sectors. Public security organs, state security organs and others shall, in accordance with this Law and relevant Laws and Administrative Regulations, undertake data security regulatory responsibilities within the scope of their respective duties. The national cyberspace administration shall, in accordance with this Law and relevant Laws and Administrative Regulations, be responsible for overall planning and coordination of network data security and related regulatory work. **Article 7.** The State shall protect the rights and interests of individuals and organizations related to data (records), encourage the lawful, reasonable and effective exploitation and use of data (records), ensure the lawful, orderly and free flow of data (records), and promote the development of the digital economy in which data (records) are a key factor of production. 

**Article 8.** In carrying out data handling activities, Laws and Administrative Regulations shall be observed, social morality and ethics shall be respected, business ethics and professional ethics shall be observed, honesty and good faith shall be maintained, data security protection obligations shall be performed, social responsibilities shall be assumed, and national security and public interest shall not be jeopardized, nor shall the lawful rights and interests of individuals or organizations be harmed.

**Article 9.** The State shall support the dissemination and popularization of knowledge on data security, raise the awareness and level of the whole society in protecting data security, and promote the joint participation of relevant departments, industry organizations, research institutions, enterprises and individuals in data security protection work, so as to form a sound environment in which the whole society jointly maintains data security and promotes development.

**Article 10.** Relevant industry organizations shall, in accordance with their articles of association, formulate in accordance with the law codes of conduct for data security and group standards, strengthen self-discipline in their industries, guide their members in strengthening data security protection, improve data security protection standards, and promote the sound development of their industries.

**Article 11.** The State shall actively conduct international exchanges and cooperation in the fields of data security governance and data exploitation and use, participate in the formulation of international rules and standards related to data security, and promote the secure and free cross-border flow of data (records).

**Article 12.** Any individual or organization shall have the right to lodge complaints or reports with the relevant competent departments against acts that violate the provisions of this Law.

The departments receiving complaints or reports shall handle them in a timely manner in accordance with the law.

The relevant competent departments shall keep confidential the relevant information of the complainants and informants and protect their lawful rights and interests.

## Chapter 2 Data Security and Development

**Article 13.** The State shall coordinate development and security, and shall adhere to the promotion of data security through data exploitation and use and industrial development, and the safeguarding of data exploitation and use and industrial development through data security.

**Article 14.** The State shall implement a big data strategy, promote the construction of data infrastructure, and encourage and support innovative applications of data (records) in all industries and fields.

People's governments at or above the provincial level shall incorporate the development of the digital economy into the national economic and social development plans at their respective levels, and may, as needed, formulate digital economy development plans.

**Article 15.** The State shall support the exploitation and use of data (records) to improve the level of intelligence of public services.

In providing intelligent public services, the needs of the elderly and persons with disabilities shall be fully taken into account, so as to avoid creating obstacles to the daily life of the elderly and persons with disabilities.

**Article 16.** The State shall support research into data exploitation and use and data security technologies, encourage the promotion of technologies and commercial innovation in the fields of data exploitation and use and data security, and cultivate and develop systems of products and industries for data exploitation and use and data security.

**Article 17.** The State shall promote the development of systems of standards for data exploitation and use technologies and for data security.

The administrative department of standardization under the State Council and the relevant departments under the State Council shall, according to their respective functions, organize the formulation and timely revision of standards related to data exploitation and use technologies, products and data security.

The State shall support enterprises, social organizations and educational and research institutions in participating in standard-setting.

**Article 18.** The State shall promote the development of services such as data security testing and appraisal and certification, and shall support professional institutions engaging in data security testing and appraisal, certification and other such services in carrying out service activities in accordance with the law.

The State shall support relevant departments, industry organizations, enterprises, educational and research institutions and relevant professional institutions in carrying out cooperation in data security risk appraisal, prevention and handling.

**Article 19.** The State shall establish and improve a data trading governance scheme, regulate data trading activities, and foster a data trading market.

**Article 20.** The State shall support educational and research institutions and enterprises in conducting education and training related to data exploitation and use technologies and data security, cultivate, through multiple means, professionals in data exploitation and use technologies and data security, and promote the exchange of such professionals.

## Chapter 3 Data Security Regime

**Article 21.** The State shall establish a data tiered protection regime, under which data (records) shall be accorded classified and tiered protection according to the importance of such data (records) to economic and social development and the degree of harm that may be caused to national security or public interest or to the lawful rights and interests of individuals and organizations if such data (records) are tampered with, destroyed, leaked, or illegally obtained or illegally used.

The data security coordination mechanism at the National level shall coordinate relevant departments in formulating catalogues of significant data and shall strengthen the protection of significant data.

Data (records) related to national security, the lifelines of the national economy, critical livelihoods of the people and major public interest shall fall under national core datasets and shall be subject to a more stringent management regime.

Each region and each department shall, in accordance with the data tiered protection regime, determine specific catalogues of significant data for its respective region, department and related industries and sectors, and shall provide key protection for data (records) included in the catalogues.

**Article 22.** The State shall establish a centralized, unified, efficient and authoritative mechanism for data security risk appraisal, reporting, information sharing and monitoring and early warning.

The data security coordination mechanism at the National level shall coordinate relevant departments in strengthening efforts to obtain, analyze, assess and provide early warnings of data security risk information.

**Article 23.** The State shall establish a data security contingency system.

In the event of a data security incident, the relevant competent departments shall, in accordance with the law, initiate contingency plans, take corresponding emergency response measures, prevent the expansion of harm, eliminate security hazards, and promptly release to the public warning information relevant to the public.

**Article 24.** The State shall establish a data security review framework and conduct national security reviews for data handling activities that affect or might affect national security.

Security review decisions lawfully made shall be final decisions.

**Article 25.** The State shall, in accordance with the law, impose export control on data (records) that fall under controlled items and relate to safeguarding national security and interests and performing international obligations.

**Article 26.** Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in respect of investment, trade or other matters related to data (records) and data exploitation and use technologies, the People's Republic of China may, based on actual circumstances, adopt reciprocal measures against such country or region.

## Chapter 4 Obligations for Data Security Protection

**Article 27.** Those carrying out data handling activities shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve a data security management system covering the whole process, organize and carry out data security education and training, and adopt corresponding technical and other necessary measures to ensure data security.

Those carrying out data handling activities by using the Internet and other information networks shall perform the above-mentioned data security protection obligations on the basis of the multilevel cybersecurity protection regime.

Handlers of significant data shall designate persons in charge of data security and establish a management body, and shall implement data security protection responsibilities.

**Article 28.** Data handling activities and research and development of new data technologies shall be conducive to promoting economic and social development, improving the well-being of the people, and conforming to social morality and ethics.

**Article 29.** In carrying out data handling activities, risk monitoring shall be strengthened. Where risks such as data security defects and vulnerabilities are discovered, remedial measures shall be taken immediately; where a data security incident occurs, handling measures shall be taken immediately, users shall be promptly informed in accordance with the provisions, and reports shall be made to the relevant competent departments.

**Article 30.** Handlers of significant data shall, in accordance with the provisions, periodically carry out risk appraisal of their data handling activities and shall submit risk appraisal reports to the relevant competent departments.

Risk appraisal reports shall include such contents as the types and quantities of significant data handled, the circumstances of data handling activities, the data security risks faced, and the measures taken to address such risks.

**Article 31.** The outbound security management of significant data collected and generated in the course of operations within the territory of the People's Republic of China by operators of critical information infrastructure shall be governed by the provisions of the Cybersecurity Law of the People's Republic of China; the measures for outbound security management of significant data collected and generated in the course of operations within the territory of the People's Republic of China by other data handlers shall be formulated by the national cyberspace administration in conjunction with the relevant departments under the State Council.

**Article 32.** Any organization or individual collecting data (records) shall adopt lawful and proper means and shall not steal or obtain data (records) by other illegal means.

Where Laws or Administrative Regulations contain provisions on the purposes and scope of the collection and use of data (records), data (records) shall be collected and used within the purposes and scope prescribed by such Laws and Administrative Regulations.

**Article 33.** Institutions engaging in data trading intermediary services, when providing services, shall require data providers to explain the sources of the data (records), shall verify the identities of both parties to the transaction, and shall retain verification and transaction records.

**Article 34.** Where Laws or Administrative Regulations provide that administrative licences shall be obtained for the provision of services related to data handling, service providers shall obtain such licences in accordance with the law.

**Article 35.** Where public security organs or state security organs, for the purpose of lawfully safeguarding national security or investigating crimes, need to obtain data (records), they shall do so in accordance with the relevant provisions of the State, after undergoing strict approval procedures and in accordance with the law, and the relevant organizations and individuals shall cooperate.

**Article 36.** The competent authorities of the People's Republic of China shall, in accordance with relevant Laws and the international treaties and agreements to which the People's Republic of China is a party or in which it participates, or on the basis of the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement authorities for the provision of data (records).

Without the approval of the competent authorities of the People's Republic of China, organizations and individuals within the territory shall not provide data (records) stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities.

## Chapter 5 Security and Openness of Government Data

**Article 37.** The State shall vigorously promote the development of e-government, improve the scientificity, accuracy and timeliness of government data (records), and enhance the capacity to use data (records) to serve economic and social development.

**Article 38.** Where State organs, for the purpose of performing their statutory duties, need to collect and use data (records), they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by Laws and Administrative Regulations; data such as personal privacy, personal information, trade secrets and confidential business information learned in the course of performing their duties shall be kept confidential in accordance with the law and shall not be divulged or illegally provided to others.

**Article 39.** State organs shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data (records).

**Article 40.** Where State organs entrust others with the construction and maintenance of e-government systems or the storage and processing of government data (records), they shall undergo strict approval procedures and shall supervise the entrusted parties in performing the corresponding data security protection obligations.

The entrusted parties shall, in accordance with the provisions of Laws and Administrative Regulations and the contractual agreements, perform data security protection obligations, and shall not retain, use, divulge or provide government data (records) to others without authorization.

**Article 41.** State organs shall, in accordance with the principles of justice, fairness and convenience for the people, disclose government data (records) in a timely and accurate manner in accordance with the provisions, except where such data (records) are not to be disclosed in accordance with the law.

**Article 42.** The State shall formulate catalogues for the openness of government data (records), establish a unified, standardized, interconnected and secure and controllable platform for the openness of government data (records), and promote the openness and use of government data (records).

**Article 43.** The provisions of this Chapter shall apply to data handling activities carried out by organizations authorized by Laws and Regulations to manage public affairs functions for the purpose of performing their statutory duties.

## Chapter 6 Legal Liability

**Article 44.** Where, in the course of performing data security regulatory responsibilities, the relevant competent departments discover that data handling activities involve relatively high security risks, they may, in accordance with the prescribed powers and procedures, conduct interviews with the relevant organizations and individuals, and may require the relevant organizations and individuals to take measures to make rectifications and eliminate hidden dangers.

**Article 45.** Where organizations or individuals carrying out data handling activities fail to perform the data security protection obligations prescribed in Articles 27, 29 and 30 of this Law, the relevant competent departments shall order them to make corrections, issue a warning, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where they refuse to make corrections or where serious consequences such as the leakage of a large amount of data (records) are caused, a fine of not less than 500,000 yuan but not more than 2,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 200,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

Where the management regime for national core datasets is violated and national sovereignty, security and development interests are jeopardized, the relevant competent departments shall impose a fine of not less than 2,000,000 yuan but not more than 10,000,000 yuan and, depending on the circumstances, may order the suspension of relevant business, suspension of operations for rectification, revocation of relevant business permits or revocation of business licences; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

**Article 46.** Where significant data are provided overseas in violation of the provisions of Article 31 of this Law, the relevant competent departments shall order corrections to be made, issue a warning, and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where the circumstances are serious, a fine of not less than 1,000,000 yuan but not more than 10,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

**Article 47.** Where an institution engaging in data trading intermediary services fails to perform the obligations prescribed in Article 33 of this Law, the relevant competent departments shall order it to make corrections, confiscate its unlawful gains and impose a fine of not less than one time but not more than ten times the amount of the unlawful gains; where there are no unlawful gains or the unlawful gains are less than 100,000 yuan, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and it may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have its business licence revoked; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

**Article 48.** Where the provisions of Article 35 of this Law are violated by refusing to cooperate in the retrieval of data (records), the relevant competent departments shall order corrections to be made, issue a warning, and impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

Where the provisions of Article 36 of this Law are violated by providing data (records) to foreign judicial or law enforcement authorities without the approval of the competent authorities, the relevant competent departments shall issue a warning and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where serious consequences are caused, a fine of not less than 1,000,000 yuan but not more than 5,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

**Article 49.** Where State organs fail to perform the data security protection obligations prescribed by this Law, the persons directly in charge and other directly responsible persons shall be given sanctions in accordance with the law.

**Article 50.** Where State functionaries performing data security regulatory responsibilities commit dereliction of duty, abuse of power or engage in malpractices for personal gain, they shall be given sanctions in accordance with the law.

**Article 51.** Where data (records) are stolen or obtained by other illegal means, or data handling activities are carried out to exclude or restrict competition, or the lawful rights and interests of individuals or organizations are harmed, punishment shall be imposed in accordance with the provisions of relevant Laws and Administrative Regulations.

**Article 52.** Where the provisions of this Law are violated and damage is caused to others, civil liability shall be borne in accordance with the law.

Where violations of the provisions of this Law constitute acts violating public security administration, public security administration penalties shall be imposed in accordance with the law; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

## Chapter 7 Supplementary Provisions

**Article 53.** Data handling activities involving State secrets shall be governed by the provisions of the Law of the People's Republic of China on Guarding State Secrets and other Laws and Administrative Regulations.

Data handling activities carried out in statistics and archival work, and data handling activities involving personal information, shall also comply with the provisions of relevant Laws and Administrative Regulations.

**Article 54.** The measures for the protection of military data security shall be formulated separately by the Central Military Commission in accordance with this Law.

**Article 55.** This Law shall enter into force as of September 1, 2021.

---

## Regulations on the Protection of Minors in Cyberspace

- Chinese title: 未成年人网络保护条例
- Hierarchy: regulation
- Issuing body: State Council
- Adopted: 2023-09-20
- Effective: 2024-01-01
- Status: effective
- URL: https://datacompliancechina.com/laws/minors-online-protection-regulations/
- Markdown: https://datacompliancechina.com/laws/minors-online-protection-regulations.md

### Summary

Implementing regulation for the protection of minors under PIPL and CSL. Covers age-appropriate content, online education, addiction-prevention regimes for video games and short videos, sensitive personal information of minors (under 14), parental consent mechanisms, and platform obligations for products targeting or accessible to minors.

### Full text

**Promulgated by:** State Council.

**Document No.:** Decree No. 766 of the State Council.

**Adopted at the 15th executive meeting of the State Council on September 20, 2023. Effective January 1, 2024.**

---

## Chapter 1 General Provisions

**Article 1.** In order to create a cyber environment conducive to the physical and mental health of minors and safeguard the legitimate rights and interests of minors, this Regulation is enacted in accordance with the Law of the People's Republic of China on the Protection of Minors, the Cybersecurity Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Personal Information and other laws.

**Article 2.** The protection of minors in cyberspace shall be subject to the leadership of the Communist Party of China, the guidance of the socialist core values and the principle of benefiting minors to the most, be in line with the physical and mental health development of minors and the law and characteristics of cyberspace, and be subject to social co-governance.

**Article 3.** The Cyberspace Administration of China ("CAC") is responsible for the overall coordination of the protection of minors in cyberspace and effectively protecting minors in cyberspace ex officio.

The state press and publication and film authorities as well as the department of education, telecommunications, public security, civil affairs, culture and tourism, health, market regulation, and radio and television etc. under the State Council shall effectively protect minors in cyberspace ex officio.

Local people's governments at or above the county level and their relevant departments shall effectively protect minors in cyberspace ex officio.

**Article 4.** The Communist Youth Leagues, the Women's Federations, the Trade Unions, the Disabled Persons' Federations, the Working Committees for the Care of the Next Generation, the Youth Federations, the Students' Federations, the Young Pioneers' Federations, and other people's organizations, relevant social organizations, and grass-roots mass organizations of self-governance shall assist the relevant authorities in effectively protecting minors in cyberspace and safeguarding the legitimate rights and interests of minors.

**Article 5.** Schools and families shall educate and guide minors to participate in activities that are conducive to their physical and mental health and to access internet space in a scientific, civilized, safe and reasonable manner, so as to prevent and intervene in minors' addiction to the cyberspace.

**Article 6.** Providers of cyber products and services, personal information handlers, manufacturers and sellers of intelligent terminal products shall abide by laws, administrative regulations and the relevant provisions of the State, respect social moralities, follow business ethics, act in good faith, fulfill the obligation of protecting minors in cyberspace, and assume social responsibilities.

**Article 7.** Providers of cyber products and services, personal information handlers, manufacturers and sellers of intelligent terminal products shall accept the supervision of the government and the public, cooperate with the relevant authorities in carrying out the supervision and inspection involving the protection of minors in cyberspace in accordance with the law, establish convenient, reasonable and effective channels for complaints and whistleblowing, publicize the channels and methods for complaints and whistleblowing in an obvious way, and promptly accept and handle public complaints and whistleblowing.

**Article 8.** Any organization or individual discovering any violation of the provisions hereof may make a complaint or whistleblowing to the administrations of cyberspace, press and publication, film, education, telecommunications, public security, civil affairs, culture and tourism, health, market supervision and administration, radio and television and other sectors.

The administration that receives a complaint or whistleblowing shall promptly handle the case in accordance with the law or refer the case that does not fall under its responsibility to the competent administration.

**Article 9.** Cyber-related industrial organizations shall intensify industrial self-regulation, formulate relevant industrial norms on the protection of minors in cyberspace, instruct their members to fulfill the obligation of protecting minors in cyberspace, and strengthen the protection of minors in cyberspace.

**Article 10.** News media shall publicize the laws, regulations, policy measures, typical cases and relevant knowledge on the protection of minors in cyberspace in the form of news reports, feature columns (programs), public service advertisements, etc., conduct supervision by public opinions over any infringement upon the legitimate rights and interests of minors, and guide the whole of society to jointly participate in the protection of minors in cyberspace.

**Article 11.** The State encourages and supports the strengthening of scientific research, talent cultivation, and international exchange and cooperation in the field of the protection of minors in cyberspace.

**Article 12.** Organizations and individuals that make outstanding contributions to the protection of minors in cyberspace shall be commended and rewarded in accordance with the relevant provisions of the State.

## Chapter 2 Promotion of Cyber Literacy

**Article 13.** The education department of the State Council shall incorporate cyber literacy education into schools' quality-oriented education, and, in concert with the Cyberspace Administration of China, formulate indicators for assessing minors' cyber literacy.

Education authorities shall guide and support schools in carrying out the cyber literacy education for minors, and foster minors' cybersecurity awareness, civilization quality, behavioral habits, and protection skills with focus on the formation of cyber moral awareness, the cultivation of the concept of rule of law in cyberspace, the building of cyber capacity, and the protection of personal and property safety, among others.

**Article 14.** People's governments at or above the county level shall make scientific planning and reasonable distribution, promote the balanced and coordinated development of non-profit internet access services, strengthen the construction of public cultural facilities that provide non-profit internet access services, and improve the conditions for minors to access the internet.

Local people's governments at or above the county level shall provide students with quality cyber literacy education courses by equipping primary and secondary schools with guidance teachers with corresponding professional capacity, purchasing services by the government, or encouraging primary and secondary schools to purchase the relevant services on their own.

**Article 15.** Schools, communities, libraries, cultural centers, youth and children's palaces and other places that provide minors with internet access service facilities shall provide minors with internet access guidance and a safe and healthy internet access environment by arranging for professionals, recruiting volunteers or otherwise, installing software designed to protect minors in cyberspace, or taking other technical measures for the protection of the security of the minors.

**Article 16.** Schools shall include the improvement of students' cyber literacy into their education and teaching activities, reasonably use the internet to carry out teaching activities, establish a sound management system for students' internet access at school, standardize and manage intelligent terminal products brought by minor students to school in accordance with the law, help students form good internet surfing habits, cultivate students' awareness of cybersecurity and rule of law in cyberspace, and enhance students' ability to obtain, analyze and judge information online.

**Article 17.** Guardians of minors shall strengthen the building of family education and family style, improve their own cyber literacy, regulate their own use of the internet, and strengthen the education, demonstration, guidance and supervision of minors' use of the internet.

**Article 18.** The State encourages and supports the research and development, production and use of software to protect minors in cyberspace, intelligent terminal products, minor modes, special zones for minors and other cyber technologies, products and services that specifically target at minors and adapt to the laws and characteristics of the physical and mental health development of minors, strengthens the building and transformation of barrier-free environment in cyberspace, and promotes minors to broaden their horizons, cultivate their sentiments and improve their qualities.
**Article 19.** Software designed to protect minors in cyberspace and intelligent terminal products specifically provided for minors to use shall have the functions of effectively identifying illegal information and information that may affect the physical and mental health of minors, protecting minors' personal information rights and interests, preventing minors from becoming addicted to the internet, and facilitating guardians' performance of guardianship responsibilities. In concert with the relevant departments of the State Council, the Cyberspace Administration of China shall, in light of the needs for protecting minors in cyberspace, clarify the relevant technical standards or requirements for software designed to protect minors in cyberspace and intelligent terminal products specifically provided for minors to use, and guide and supervise cyber-related industrial organizations to evaluate the use effects of such software and products pursuant to the relevant technical standards and requirements. Manufacturers of intelligent terminal products shall install software designed to protect minors in cyberspace before the products leave the factory or inform users of the installation channels and methods in a noticeable way. Sellers of intelligent terminal products shall, prior to the sale of the products, inform users of the information about the installation of software designed to protect minors in cyberspace as well as installation channels and methods in a noticeable way. The guardians of minors shall reasonably use, and guide minors to use, software for protection in cyberspace and intelligent terminal products, etc., and create a favorable family environment for using cyberspace. **Article 20.** A cyber platform service provider with a large number of minor users or with a significant impact on the group of minors shall perform the following obligations: 1.
At the stages of design, research and development and operation of cyber platform services, fully consider the characteristics of the physical and mental development of minors and regularly assess the impact on the protection of minors in cyberspace; 2. Provide minor modes or special zones for minors to facilitate minors in obtaining products or services on the platform that are conducive to their physical and mental health; 3. Establish a sound compliance system for the protection of minors in cyberspace in accordance with the provisions of the State, and establish an independent body mainly composed of external members to supervise the protection of minors in cyberspace; 4. Follow the principles of openness, fairness, and impartiality, formulate specific platform rules, specify the obligation of product or service providers on the platform to protect minors in cyberspace, and remind, in an eye-catching way, minor users of their legal rights to be protected in cyberspace and the remedies against any cyber infringement; 5. Stop providing services to any product or service provider on the platform that violates laws or administrative regulations, seriously harms the physical and mental health of minors or infringes upon other legitimate rights and interests of minors; and 6. Release a special report on social responsibility for the protection of minors in cyberspace each year and accept social supervision. The specific measures for identifying a cyber platform service provider with a large number of minor users or with a significant impact on the group of minors as mentioned in the preceding paragraph shall be separately formulated by the Cyberspace Administration of China in concert with the relevant authorities.
## Chapter 3 Regulation of Information in Cyberspace

**Article 21.** The State encourages and supports the production, reproduction, release, dissemination and promotion of socialist core values and advanced socialist culture, revolutionary culture and fine traditional Chinese culture, fosters a sense of community of the Chinese nation, cultivates minors' feelings for home and country and good morality, guides minors to develop good living habits and behavioral habits, and creates a clear and bright cyberspace and a good cyber ecology which are conducive to the healthy growth of minors. **Article 22.** No organization or individual may produce, reproduce, release or disseminate cyber information that propagates obscenity, pornography, violence, cults, superstition, gambling, induces self-harm or suicide, terrorism, separatism, extremism or other contents that endanger the physical and mental health of minors. No organization or individual may produce, reproduce, release, disseminate or possess pornographic minor-related information in cyberspace. **Article 23.** For any cyber product or service containing information that may affect the physical and mental health of minors, such as information that may cause or induce minors to imitate unsafe acts, to commit acts in violation of social morality, to produce extreme emotions or to develop bad hobbies, the organization or individual that produces, reproduces, releases or disseminates such information shall give a conspicuous reminder before displaying such information.
The Cyberspace Administration of China shall, in conjunction with the state authority of press and publication and the authority of film as well as the departments of education, telecommunications, public security, culture and tourism, and radio and television under the State Council, determine the specific types and scope of information that may affect the physical and mental health of minors as well as judgment criteria and prompt measures on the basis of the provisions of the preceding paragraph. **Article 24.** No organization or individual may produce, reproduce, release or disseminate the information that may affect the physical and mental health of minors as prescribed in Paragraph 1 of Article 23 hereof in the cyber products and services specially targeting minors. Providers of cyber products and services shall not present the information that may affect the physical and mental health of minors as prescribed in Paragraph 1 of Article 23 hereof at an eye-catching position of products or services or in key links that are likely to attract users' attention, such as the homepage, pop-up windows and hot searches. Providers of cyber products and services shall not carry out commercial marketing to minors by means of automated decision-making. **Article 25.** No organization or individual may send or push to minors, or induce or force minors to access, information containing content that endangers or may affect the physical and mental health of minors. **Article 26.** No organization or individual may insult, slander, threaten or maliciously damage minors' image or commit any other cyberbullying in such forms as text, pictures, audio and video via the internet.
Providers of cyber products and services shall establish sound mechanisms for early warning, prevention, identification, monitoring and handling of cyberbullying, set up functions and channels that facilitate minors and their guardians in keeping records of cyberbullying and exercise the right of notification, and provide convenience for minors to set up options for protection from cyberbullying information, such as shielding unfamiliar users, the availability of information released by minors themselves, prohibition from reposting or commenting on information released by minors themselves, and prohibition from sending information to minors themselves. Providers of cyber products and services shall establish a sound cyberbullying information characterization database, optimize the relevant algorithmic models, and strengthen the identification and monitoring of cyberbullying information by combining technical means such as artificial intelligence and big data and manual review. **Article 27.** No organization or individual may organize, instigate, coerce, lure, deceive or assist minors to commit illegal or criminal acts on the internet in such forms as text, pictures, audio and video. **Article 28.** The providers of online education cyber products and services targeting minors shall, in accordance with laws, administrative regulations and the relevant provisions of the State, provide corresponding products and services in light of the physical and mental development characteristics and cognitive abilities of minors at different age stages. **Article 29.** Providers of cyber products and services shall strengthen the management of the information released by users, and take effective measures to prevent the production, reproduction, release or transmission of the information in violation of Article 22, Article 24, Article 25, Paragraph 1 of Article 26 or Article 27 hereof. 
If any information is found in violation of the aforesaid provisions, the transmission of the relevant information shall be forthwith ceased, and measures such as deletion, shielding or disconnection shall be taken to prevent the information from spreading. Relevant records shall be kept, a report shall be made to the authorities of cyberspace administration and public security, and measures such as warning, function restriction, service suspension and account closure shall be taken against the users who produce, reproduce, release or transmit the aforesaid information. Where the provider of a cyber product or service discovers that a user releases or transmits the information specified in Paragraph 1 of Article 23 hereof but fails to give a noticeable prompt, it shall give a prompt or notify the user to give a prompt; if no prompt is given, the information shall not be transmitted. **Article 30.** Where the authorities of cyberspace administration, press and publication, and film, as well as the departments of education, telecommunications, public security, culture and tourism, and radio and television under the State Council discover any information in violation of Article 22, Article 24, Article 25, Paragraph 1 of Article 26 or Article 27 hereof, or discover any information specified in Paragraph 1 of Article 23 hereof for which no noticeable prompt is given, they shall require the cyber product or service provider to handle the case in accordance with Article 29 hereof; if the above information is from abroad, they shall notify the relevant organizations in accordance with the law to take technical measures and other necessary measures to block the transmission thereof.
## Chapter 4 Protection of Personal Information in Cyberspace

**Article 31.** Cyber service providers that provide minors with information release, instant messaging and other services shall require the minors or their guardians to provide the real identity information of the minors in accordance with the law. If the minors or their guardians refuse to provide the real identity information of the minors, cyber service providers shall not provide the relevant services to the minors. Online live-streaming service providers shall establish a dynamic verification mechanism for the real identity information of online live-streaming uploaders and shall not provide online live-streaming uploading services to minor users who do not conform to the legal provisions. **Article 32.** Personal information handlers shall strictly abide by the provisions of the Cyberspace Administration of China and relevant authorities on the scope of necessary personal information for cyber products and services, and shall not compel minors or their guardians to consent to non-necessary personal information processing, nor shall they refuse to let minors use their basic functional services because the minors or their guardians do not agree to the handling of non-necessary personal information of minors or withdraw their consent. **Article 33.** Guardians of minors shall educate and guide minors to enhance their awareness and ability of personal information protection, master the scope of personal information, and understand the risks of personal information security, and guide minors to exercise their rights of access, reproduction, correction, supplementation and deletion in the activities of processing personal information, so as to protect minors' personal information rights and interests.
**Article 34.** Where a minor or his/her guardian requests to access, reproduce, correct, supplement or delete the personal information of the minor in accordance with the law, the personal information handler shall abide by the following provisions: 1. Provide convenient methods and channels to support the minor or his/her guardian to access the types and quantity of the personal information of the minor, with no restrictions on the reasonable requests of the minor or his/her guardian imposed; 2. Provide convenient functions to support the minor or his/her guardian to copy, correct, supplement and delete the personal information of the minor, with no unreasonable conditions imposed; and 3. Timely accept and handle the applications filed by the minor or his/her guardian for access, reproduction, correction, supplementation or deletion of the personal information of the minor, and notify the applicant in writing of reasons if the request of the minor or his/her guardian to exercise the rights is rejected. Where the request of a minor or his/her guardian for transfer of the personal information of the minor in accordance with the law meets the conditions prescribed by the Cyberspace Administration of China, the personal information handler shall provide channels for transfer. **Article 35.** Where the personal information of minors is or may be divulged, tampered with or lost, the personal information handler shall forthwith activate its emergency plan for personal information security incidents, take remedial measures, timely report the case to the cyberspace administration and other authorities, and inform the affected minors and their guardians of the incidents by mail, letter, telephone, push information and other means in accordance with relevant provisions of the State. 
Where it is difficult for the personal information handler to inform one by one, it shall take reasonable and effective ways to release the relevant warning information in a timely manner, unless otherwise provided by laws and administrative regulations. **Article 36.** A personal information handler shall strictly set the information access authority for its staff under the principle of minimal authorization and control the scope of access to the personal information of minors. The access of a staff member to the personal information of minors shall be examined and approved by the relevant person-in-charge or the manager authorized thereby, the access information shall be recorded, and technical measures shall be taken to avoid illegal processing of the personal information of minors. **Article 37.** A personal information handler shall conduct by itself or entrust a specialized agency to conduct an audit of its compliance with laws and administrative regulations in the processing of the personal information of minors every year, and report the audit information to the cyberspace administration and other authorities in a timely manner. **Article 38.** Upon discovering that the private information of minors or the personal information released by minors via the internet involves private information, a cyber service provider shall timely give a prompt and take necessary protection measures such as stopping the transmission to prevent the information from spreading. Where a cyber service provider finds that a minor may be harmed through the private information of the minor, it shall immediately take necessary measures to keep relevant records and report the case to the public security authority.

## Chapter 5 Prevention and Control of Internet Addiction

**Article 39.** The prevention and intervention of minors' internet addiction shall be carried out in compliance with laws, administrative regulations and relevant provisions of the State.
Authorities of education, health, market regulation etc. shall supervise and administer the agencies engaging in prevention and intervention of minors' internet addiction ex officio. **Article 40.** Schools shall strengthen the guidance and training for teachers to improve their ability to early identify and intervene in minor students' internet addiction. For a minor student who is inclined to be addicted to the internet, schools shall inform their guardians in a timely manner, jointly educate and guide the minor student, and help him/her resume normal study and life. **Article 41.** Guardians of minors shall guide minors to use the internet in a safe and reasonable manner, pay attention to minors' access to internet as well as their relevant physiological conditions, psychological conditions and behavioral habits, prevent minors from accessing the cyber information that endangers or may affect their physical and mental health, reasonably arrange time for minors to access internet, and prevent and intervene in minors' internet addiction. **Article 42.** Providers of cyber products and services shall establish a sound system of addiction prevention, shall not provide minors with products and services that induce their addiction, shall timely modify contents, functions and rules that may cause minors to become addicted to the internet, and shall make public the work of addiction prevention each year to accept social supervision. 
**Article 43.** Providers of cyber services such as games, live-streaming, audio and video, and social contact in cyberspace shall, in light of the characteristics of the use of their services by minors of different ages and by adhering to the principles of integration, friendliness, practicality and effectiveness, set the mode for minors, provide corresponding services in terms of the period, duration, function and content of use in accordance with the relevant provisions and standards of the State, and provide time management, authority management, consumption management and other functions for guardians to fulfill their guardianship duties in an eye-catching and convenient way. **Article 44.** Providers of cyber services such as games, live-streaming, audio and video, and social contact in cyberspace shall take measures to reasonably restrict the amount of single consumption and daily accumulative consumption of minors of different ages in the use of their services, and shall not provide minors with paid services that do not match their capacity for civil conduct. **Article 45.** Providers of cyber services such as games, live-streaming, audio and video, and social contact in cyberspace shall take measures to prevent and resist adverse value trends such as prioritizing traffic, and shall not establish online communities, chat groups or topics with the themes of fund-raising for support groups, voting or ranking, or quantity control and rating, nor shall they induce minors to participate in online activities such as fund-raising for support groups, voting or ranking, or quantity control and rating, and shall prevent and stop their users from inducing minors to commit the aforesaid activities. **Article 46.** Online game service providers shall verify the real identity information of minor users by necessary means such as the unified electronic identity authentication system for minors for online games. 
Providers of cyber products and services shall not provide minors with the service of game account rental. **Article 47.** Online game service providers shall establish sound game rules to prevent minors from becoming addicted to the online games and shall prevent minors from having access to game content or game functions that may affect their physical and mental health. Online game service providers shall implement the requirements of reminding of age appropriateness, classify game products by assessing the types, content, functions and other elements of game products in light of the physical and mental development characteristics and cognitive abilities of minors at different ages, clarify the age stages of minor users for which game products are suitable, and give prominent reminders in user downloading, registration, login interfaces and other positions. **Article 48.** The authorities of press and publication, education, health, culture and tourism, radio and television, and cyberspace administration etc. shall regularly carry out publicity and education on the prevention of minors' internet addiction, supervise and inspect the performance of their obligations of preventing minors' internet addiction by providers of cyber products and services, and guide families, schools and social organizations to cooperate with each other and take scientific and reasonable measures to prevent and intervene in minors' internet addiction. The press and publication authority of the State shall take the lead in organizing the prevention and control of minors' addiction to online games, and shall, in concert with the relevant authorities, formulate administrative provisions on the time periods, hours and upper consumption limits for the provision of online game services to minors. The authorities of health and education shall, ex officio, guide the relevant medical and health institutions and institutions of higher education etc. 
to conduct basic research on mental disorders and psychological and behavioral problems caused by minors' internet addiction, as well as application research such as screening and assessment, diagnosis, prevention and intervention. **Article 49.** No organization or individual may intervene in minors' internet addiction, or infringe upon the legitimate rights and interests of minors, by maltreatment, force or other means harming the physical and mental health of minors.

## Chapter 6 Legal Liability

**Article 50.** Where the local people's governments at all levels and the relevant authorities at or above the county level, in violation of this Regulation, fail to perform their duties of protecting minors in cyberspace, the superior authorities shall order them to make corrections; in case of refusal to make corrections or serious circumstances, the responsible leaders and directly liable persons shall be punished in accordance with the law. **Article 51.** Where schools, communities, libraries, cultural centers, youth and children's palaces, etc. fail to perform their duties of protecting minors in cyberspace, in violation of this Regulation, the authorities of education, culture and tourism etc. shall, ex officio, order them to make corrections; in case of refusal to make corrections or serious circumstances, the responsible leaders and directly liable persons shall be punished in accordance with the law.
**Article 52.** Where the guardians of minors fail to perform the guardianship duties specified herein or infringe upon the legitimate rights and interests of the minors, the residents' committees, villagers' committees or women's federations at the places where the minors reside, the guardians' employers, primary and secondary schools, kindergartens and other entities that have close contact with minors shall criticize and educate the guardians, exhort them to stop the infringement or urge them to accept guidance in respect of family education in accordance with the law. **Article 53.** For any violation of Article 7, Paragraph 3 of Article 19 or Paragraph 2 of Article 38 hereof, the authorities of cyberspace, press and publication, film, education, telecommunications, public security, civil affairs, culture and tourism, market regulation, and radio and television etc. shall, ex officio, order the offender to make corrections; in case of refusal to make corrections or serious circumstances, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the offender, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons. **Article 54.** For any violation of Paragraph 1 of Article 20 hereof, the authorities of cyberspace, press and publication, telecommunications, public security, culture and tourism, and radio and television etc. shall, ex officio, order the offender to make corrections, give a warning to the offender, and confiscate the illegal income of the offender; in case of refusal to make corrections, a fine of not more than 1 million yuan shall be imposed concurrently on the offender, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons.
For any violation of Items 1 and 5, Paragraph 1 of Article 20 hereof, with serious circumstances, the authorities of cyberspace, press and publication, telecommunications, public security, culture and tourism, and radio and television etc. at or above the provincial level shall, ex officio, order the offender to make corrections, confiscate the illegal income of the offender, and impose a fine of not more than 50 million yuan or not more than 5% of the turnover of the previous year on the offender, and may order the offender to suspend the relevant business or suspend business for rectification, and notify the authorities concerned to revoke the relevant business permit or business license in accordance with the law; they may also impose a fine of not less than 100,000 yuan but not more than 1 million yuan on the person directly in charge and other directly liable persons, and may decide to prohibit them from serving as directors, supervisors, senior executives or persons in charge of the protection of minors of the relevant enterprises within a certain period of time. **Article 55.** For any violation of Article 24 or Article 25 hereof, the authorities of cyberspace, press and publication, film, telecommunications, public security, culture and tourism, market regulation, and radio and television etc. shall, ex officio, order the offender to make corrections within a time limit and give a warning to the offender, confiscate the illegal income of the offender, and may impose a fine of not more than 100,000 yuan on the offender. In case of refusal to make corrections or serious circumstances, the offender shall be ordered to suspend the relevant business, or suspend business, or have the relevant business permit or business license revoked. If the illegal income is more than 1 million yuan, a fine of not less than one time but not more than ten times the illegal income shall be imposed on the offender.
If there is no illegal income or the illegal income is less than 1 million yuan, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the offender. **Article 56.** For any violation of Paragraph 2 and Paragraph 3 of Article 26, Article 28, Paragraph 1 of Article 29, Paragraph 2 of Article 31, Article 36, Paragraph 1 of Article 38, Articles 42 to 45, Paragraph 2 of Article 46, or Article 47 hereof, the authorities of cyberspace, press and publication, film, education, telecommunications, public security, culture and tourism, or radio and television etc. shall, ex officio, order the offender to make rectifications, give a warning to the offender, confiscate the illegal gains of the offender, impose concurrently a fine of not less than one time but not more than ten times the illegal gains if the illegal gains exceed 1 million yuan, or a fine of not less than 100,000 yuan but not more than 1 million yuan if there are no illegal gains or the illegal gains are less than 1 million yuan, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person directly in charge and other persons directly held liable; in case of refusal to make rectifications or serious circumstances, the authorities of cyberspace, press and publication, film, education, telecommunications, public security, culture and tourism, or radio and television etc. may order it to suspend the relevant business, suspend its operation for rectification, close its website, or revoke its relevant business permit or business license.
**Article 57.** Where the provider of a cyber product or service violates this Regulation and is subject to such punishment as website closure or revocation of the relevant business permit or business license, it shall not re-apply for the relevant permit within five years, and its directly responsible executive and other directly liable persons shall not engage in cyber product or service business of the same type within five years. **Article 58.** Whoever, in violation of this Regulation, infringes upon the legitimate rights and interests of any minor and causes any damage to the minor, shall bear civil liability according to law; in the case of a violation of public security administration, the offender shall be given a public security administrative punishment according to law; in the case of a crime, criminal liability shall be pursued according to law.

## Chapter 7 Supplementary Provisions

**Article 59.** For the purpose of this Regulation, "intelligent terminal products" refer to mobile phones, computers and other cyber terminal products which can be connected to the internet, have an operating system and on which users can install application software on their own. **Article 60.** This Regulation shall come into force on 1 January 2024.

---

## Cybersecurity Law of the People's Republic of China (2025 Amendment) - Chinese title: 中华人民共和国网络安全法(2025 修正) - Abbreviation: CSL - Hierarchy: law - Issuing body: National People's Congress Standing Committee - Adopted: 2016-11-07 - Effective: 2017-06-01 - Status: amended - URL: https://datacompliancechina.com/laws/csl/ - Markdown: https://datacompliancechina.com/laws/csl.md ### Summary The Cybersecurity Law is the earliest of the three foundational data-protection statutes. It establishes the Multi-Level Protection Scheme (MLPS), the Critical Information Infrastructure regime, network-operator obligations, and the cybersecurity review framework.
The current text incorporates the 2025 amendment, which takes effect January 1, 2026. ### Full text **Promulgated by:** Standing Committee of the National People's Congress. **Originally adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7, 2016.** **Amended in accordance with the Decision on Amending the Cybersecurity Law of the People's Republic of China adopted at the 18th Session of the Standing Committee of the 14th National People's Congress on October 28, 2025.** **Amendment takes effect January 1, 2026.**

---

## Chapter 1 General Provisions

**Article 1.** In order to safeguard cybersecurity, maintain cyber sovereignty and national security, protect the public interest of society, protect the lawful rights and interests of citizens, legal persons and other organizations, and promote the healthy development of economic and social informatization, this Law is hereby formulated. **Article 2.** This Law shall apply to the construction, operation, maintenance and use of networks within the territory of the People's Republic of China, as well as the supervision and administration of cybersecurity. **Article 3.** Cybersecurity work shall adhere to the leadership of the Communist Party of China, implement the overall national security concept, coordinate development and security, and advance the building of a cyber power. **Article 4.** The State shall uphold equal emphasis on cybersecurity and informatization development, follow the policy of proactive utilization, scientific development, law-based administration, and ensuring security, advance the construction and interconnection of network infrastructure, encourage innovation and application of network technologies, support the cultivation of cybersecurity professionals, establish and improve a cybersecurity guarantee system, and enhance cybersecurity protection capabilities.
**Article 5.** The State shall formulate and continuously improve a national cybersecurity strategy, clarify the basic requirements and main objectives for safeguarding cybersecurity, and put forward cybersecurity policies, tasks and measures in key areas.

**Article 6.** The State shall take measures to monitor, defend against, and address cybersecurity risks and threats originating within and outside the People's Republic of China, protect critical information infrastructure from attacks, intrusions, interference and destruction, punish cyber-related illegal and criminal activities in accordance with the law, and maintain security and order in cyberspace.

**Article 7.** The State shall advocate honest and trustworthy, healthy and civilized behavior on the Internet, promote the dissemination of the core socialist values, take measures to enhance the cybersecurity awareness and capacity of the whole society, and foster a favorable environment for the joint participation of the whole society in promoting cybersecurity.

**Article 8.** The State shall actively carry out international exchanges and cooperation in cyberspace governance, network technology research and development and standard-setting, combating cyber-related illegal and criminal activities, promote the building of a peaceful, secure, open and cooperative cyberspace, and establish a multilateral, democratic and transparent system of Internet governance.

**Article 9.** The national cyberspace administration shall be responsible for overall coordination of cybersecurity work and relevant supervision and administration. The telecommunications authority under the State Council, public security authorities, and other relevant authorities shall, within their respective responsibilities and in accordance with this Law and relevant laws and administrative regulations, be responsible for cybersecurity protection and supervision and administration.
The cybersecurity protection and supervision and administration responsibilities of the relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant State provisions.

**Article 10.** Network operators, when carrying out business and service activities, shall comply with laws and administrative regulations, respect social morality, observe commercial ethics, act in good faith, perform cybersecurity protection obligations, accept supervision by the government and society, and assume social responsibility.

**Article 11.** Those who construct or operate networks or provide services through networks shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements under national standards, take technical and other necessary measures to ensure cybersecurity and stable operation, effectively respond to cybersecurity incidents, prevent cyber-related illegal and criminal activities, and maintain the integrity, confidentiality and availability of network data.

**Article 12.** Industry organizations related to networks shall, in accordance with their charters, strengthen industry self-discipline, formulate codes of conduct for cybersecurity, guide members to strengthen cybersecurity protection, improve cybersecurity protection levels, and promote the healthy development of the industry.

**Article 13.** The State shall protect the right of citizens, legal persons and other organizations to lawfully use networks, promote universal network access, enhance the level of network services, provide the society with secure and convenient network services, and ensure the lawful, orderly and free flow of network information.
Any individual or organization using networks shall comply with the Constitution and laws, observe public order, respect social morality, shall not endanger cybersecurity, and shall not use networks to engage in activities that endanger national security, honor and interests, incite subversion of state power, overthrow the socialist system, incite the splitting of the State, undermine national unity, advocate terrorism or extremism, advocate ethnic hatred or ethnic discrimination, disseminate violent or obscene pornographic information, fabricate or disseminate false information to disrupt economic order and social order, or infringe upon the reputation, privacy, intellectual property rights and other lawful rights and interests of others.

**Article 14.** The State shall support the research and development of network products and services conducive to the healthy growth of minors, punish in accordance with the law activities carried out via networks that harm the physical and mental health of minors, and provide a secure and healthy online environment for minors.

**Article 15.** Any individual or organization shall have the right to report to the cyberspace, telecommunications, public security and other departments acts that endanger cybersecurity. The departments receiving reports shall promptly handle them in accordance with the law; if the matter does not fall within the functions of the department, it shall be promptly transferred to the department with authority to handle it. Relevant departments shall keep confidential the relevant information of the whistleblower and protect the lawful rights and interests of the whistleblower.

## Chapter 2 Support and Promotion of Cybersecurity

**Article 16.** The State shall establish and improve the system of cybersecurity standards.
The standardization administrative authority under the State Council and other relevant departments under the State Council shall, based on their respective responsibilities, organize the formulation and timely revision of national and industry standards related to cybersecurity management as well as the security of network products, services and operations. The State shall support enterprises, research institutions, higher education institutions, and industry organizations related to networks in participating in the formulation of national and industry standards for cybersecurity.

**Article 17.** The State Council and the people’s governments of provinces, autonomous regions, and municipalities directly under the Central Government shall make overall plans, increase investment, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technologies, promote secure and trustworthy network products and services, protect intellectual property rights in network technologies, and support enterprises, research institutions and higher education institutions in participating in national cybersecurity technology innovation projects.

**Article 18.** The State shall advance the construction of a socialized service system for cybersecurity, and encourage relevant enterprises and institutions to carry out security services such as cybersecurity certification, testing and risk assessment.

**Article 19.** The State shall encourage the development of technologies for the protection and utilization of network data security, promote the opening of public data resources, and advance technological innovation and economic and social development.
**Article 20.** The State shall support basic theoretical research on artificial intelligence and the research and development of key technologies such as algorithms, advance the construction of infrastructure such as training data resources and computing power, improve ethical norms for artificial intelligence, strengthen risk monitoring and assessment and safety supervision, and promote the application and healthy development of artificial intelligence. The State shall support innovation in cybersecurity management methods, and use new technologies such as artificial intelligence to enhance cybersecurity protection levels.

**Article 21.** People’s governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, and guide and supervise relevant entities to carry out cybersecurity publicity and education properly. Mass media shall, in a targeted manner, conduct cybersecurity publicity and education towards society.

**Article 22.** The State shall support enterprises and higher education institutions, vocational schools and other education and training institutions in carrying out education and training related to cybersecurity, adopt various means to cultivate cybersecurity talents, and promote exchanges of cybersecurity talents.

## Chapter 3 Security of Network Operations

### Section 1 General Provisions

**Article 23.** The State shall implement a cybersecurity multi-level protection scheme.
Network operators shall, in accordance with the requirements of the cybersecurity multi-level protection scheme, perform the following security protection obligations to ensure that networks are protected from interference, damage or unauthorized access, and to prevent leakage, theft or tampering of network data: (1) formulate internal security management rules and operating procedures, designate persons responsible for cybersecurity, and implement cybersecurity protection responsibilities; (2) take technical measures to prevent behaviors endangering cybersecurity such as computer viruses, cyberattacks, and network intrusions; (3) take technical measures to monitor and record the status of network operations and cybersecurity incidents, and retain relevant network logs for not less than six months as required; (4) take measures such as data classification, backup of important data, and encryption; (5) other obligations as prescribed by laws and administrative regulations.

**Article 24.** Network products and services shall meet the mandatory requirements under relevant national standards. Providers of network products and services shall not set malicious programs; upon discovering risks such as security defects and vulnerabilities in their network products or services, they shall immediately take remedial measures, promptly inform users in accordance with provisions and report to the competent authorities.

Providers of network products and services shall continuously provide security maintenance for their products and services; within the prescribed period or the period agreed upon by the parties, they shall not cease to provide security maintenance.
Where network products or services have functions to collect user information, their providers shall explicitly inform users and obtain consent; where personal information of users is involved, they shall also comply with this Law and relevant laws and administrative regulations regarding the protection of personal information.

**Article 25.** Key network equipment and specialized cybersecurity products shall, in accordance with the mandatory requirements under relevant national standards, be sold or provided only after being certified for security by qualified institutions or passing security testing meeting the requirements. The national cyberspace administration, in conjunction with relevant departments under the State Council, shall formulate and publish catalogues of key network equipment and specialized cybersecurity products, and promote mutual recognition of security certification and security testing results to avoid repeated certification and testing.

**Article 26.** When network operators handle network access, domain name registration services, procedures for fixed-line and mobile phone network access, or provide information publication, instant messaging and other services for users, they shall, when concluding agreements with users or confirming the provision of services, require users to provide real identity information. Where users do not provide real identity information, network operators shall not provide them with relevant services.

The State shall implement a strategy of trustworthy network identity, support the research and development of secure and convenient electronic identity authentication technologies, and promote mutual recognition among different electronic identity authentications.
**Article 27.** Network operators shall formulate contingency plans for cybersecurity incidents, and promptly address security risks such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions; when incidents endangering cybersecurity occur, they shall immediately activate contingency plans, take corresponding remedial measures, and report to the competent authorities in accordance with provisions.

**Article 28.** Those carrying out cybersecurity certification, testing, risk assessment and other activities, or releasing to society cybersecurity information such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions, shall comply with relevant State provisions.

**Article 29.** No individual or organization may engage in activities that endanger cybersecurity, such as illegal intrusion into another’s network, interference with the normal functions of another’s network, or theft of network data; no individual or organization may provide programs or tools specifically used to engage in activities that endanger cybersecurity such as intrusion into networks, interference with the normal functions and protection measures of networks, or theft of network data; and those who knowingly engage in activities that endanger cybersecurity shall not be provided with technical support, advertisement promotion, payment settlement and other assistance.

**Article 30.** Network operators shall provide technical support and assistance to public security authorities and national security authorities in their lawful activities to safeguard national security and investigate crimes.

**Article 31.** The State shall support cooperation among network operators in areas such as the collection, analysis, notification and emergency response of cybersecurity information, so as to improve the security of network operators.
Relevant industry organizations shall establish and improve cybersecurity protection norms and collaboration mechanisms within their industries, strengthen analysis and assessment of cybersecurity risks, regularly issue risk alerts to their members, and support and assist members in responding to cybersecurity risks.

**Article 32.** Information obtained by the cyberspace administration and relevant departments in performing cybersecurity protection responsibilities shall only be used for the needs of maintaining cybersecurity, and shall not be used for other purposes.

### Section 2 Security of Operations of Critical Information Infrastructure

**Article 33.** The State shall, on the basis of the cybersecurity multi-level protection scheme, implement focused protection with respect to critical information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other infrastructure that, once damaged, losing functionality or suffering data leakage, may seriously endanger national security, the national economy and people’s livelihood, and the public interest. The specific scope of critical information infrastructure and the measures for security protection shall be formulated by the State Council.

The State shall encourage network operators outside critical information infrastructure to voluntarily participate in the system of critical information infrastructure protection.
**Article 34.** In accordance with the division of responsibilities prescribed by the State Council, departments responsible for the security protection of critical information infrastructure shall respectively formulate and organize the implementation of security plans for critical information infrastructure in their respective industries and fields, and guide and supervise the security protection of the operation of critical information infrastructure.

**Article 35.** The construction of critical information infrastructure shall ensure performance that supports stable and continuous operation of business, and ensure that security technical measures are planned, constructed, and used concurrently.

**Article 36.** In addition to the provisions of Article 23 of this Law, operators of critical information infrastructure shall also perform the following security protection obligations: (1) establish specialized security management institutions and designate persons responsible for security management, and conduct security background checks on such persons and personnel in key positions; (2) periodically carry out cybersecurity education, technical training and competency assessments for employees; (3) implement disaster recovery backup for important systems and databases; (4) formulate contingency plans for cybersecurity incidents and conduct regular drills; (5) other obligations as prescribed by laws and administrative regulations.

**Article 37.** Where operators of critical information infrastructure procure network products and services that may affect national security, they shall undergo a national security review organized by the national cyberspace administration in conjunction with relevant departments under the State Council.
**Article 38.** Operators of critical information infrastructure that procure network products and services shall, in accordance with provisions, sign security and confidentiality agreements with the providers, and clarify security and confidentiality obligations and responsibilities.

**Article 39.** Personal information and important data collected and generated in the course of operations by operators of critical information infrastructure within the territory of the People's Republic of China shall be stored within the territory. Where, due to business needs, it is truly necessary to provide such information and data overseas, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration in conjunction with relevant departments under the State Council; where laws or administrative regulations provide otherwise, such provisions shall govern.

**Article 40.** Operators of critical information infrastructure shall, on their own or by entrusting cybersecurity service institutions, conduct at least once a year security testing and assessment of their networks’ security and potential risks, and submit the status of testing and assessment and measures for improvement to the departments responsible for the security protection of critical information infrastructure.
**Article 41.** The national cyberspace administration shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure: (1) conduct spot checks and testing of the security risks of critical information infrastructure, put forward measures for improvement, and where necessary entrust cybersecurity service institutions to test and assess security risks existing in networks; (2) regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to improve the level of responding to cybersecurity incidents and the capacity for coordination; (3) promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service institutions; (4) provide technical support and assistance for emergency response to cybersecurity incidents and the restoration of network functions.

## Chapter 4 Security of Network Information

**Article 42.** Network operators shall keep strictly confidential the user information they collect, and establish and improve user information protection systems. Network operators, when processing personal information, shall comply with this Law and the provisions of laws and administrative regulations such as the Civil Code of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China.

**Article 43.** Network operators, when collecting and using personal information, shall follow the principles of legality, legitimacy and necessity, make public their rules for collection and use, explicitly inform the purposes, methods and scope of collection and use of information, and obtain the consent of the person being collected.
Network operators shall not collect personal information irrelevant to the services they provide, shall not collect or use personal information in violation of laws and administrative regulations and the agreements between the parties, and shall, in accordance with laws and administrative regulations and their agreements with users, handle personal information they retain.

**Article 44.** Network operators shall not divulge, tamper with or damage personal information they collect; without the consent of the person being collected, they shall not provide personal information to others. However, where personal information has been processed so that specific individuals cannot be identified and cannot be restored, the foregoing shall not apply.

Network operators shall take technical and other necessary measures to ensure the security of the personal information they collect and prevent information leakage, damage or loss. When situations of personal information leakage, damage or loss occur or may occur, they shall immediately take remedial measures, promptly inform users in accordance with provisions and report to the competent authorities.

**Article 45.** Where individuals find that network operators collect or use their personal information in violation of the provisions of laws and administrative regulations or the agreements between the parties, they have the right to request the network operators to delete their personal information; where they find errors in their personal information collected or stored by network operators, they have the right to request network operators to correct such information. Network operators shall take measures to delete or correct it.

**Article 46.** No individual or organization may steal or obtain personal information through other illegal means, or illegally sell or illegally provide personal information to others.
**Article 47.** Departments with statutory responsibilities for supervision and administration of cybersecurity and their staff shall keep strictly confidential the personal information, privacy and commercial secrets they become aware of in the course of performing their duties, and shall not divulge, sell or illegally provide them to others.

**Article 48.** Any individual or organization shall be responsible for the acts of their use of networks, and shall not establish websites or communication groups used to commit fraud, teach methods of committing crimes, or manufacture or sell prohibited items or controlled items and other illegal and criminal activities, and shall not use networks to release information involving the commission of fraud, manufacture or sale of prohibited items or controlled items and other illegal and criminal activities.

**Article 49.** Network operators shall strengthen the management of information published by their users; upon discovering information whose publication or transmission is prohibited by laws and administrative regulations, they shall immediately cease transmission of such information, take measures such as removal to dispose of it, prevent the spread of information, preserve relevant records, and report to the competent authorities.

**Article 50.** Any individual or organization that sends electronic information or provides application software shall not set malicious programs and shall not contain information the publication or transmission of which is prohibited by laws and administrative regulations.

Providers of electronic information transmission services and application download services shall perform security management obligations; where they become aware that their users engage in the acts prescribed in the preceding paragraph, they shall stop providing services, take measures such as removal to dispose of it, preserve relevant records, and report to the competent authorities.
**Article 51.** Network operators shall establish systems for complaints and reports regarding network information security, publish information such as modes of complaints and reports, and promptly accept and handle complaints and reports regarding network information security.

Network operators shall cooperate with supervision and inspection lawfully carried out by the cyberspace administration and relevant departments.

**Article 52.** Where the national cyberspace administration and relevant departments, in the course of lawfully performing their network information security supervision and administration responsibilities, discover information whose publication or transmission is prohibited by laws and administrative regulations, they shall require network operators to cease transmission, take measures such as removal to dispose of it, and preserve relevant records; with respect to the above information originating outside the People's Republic of China, they shall notify relevant institutions to take technical and other necessary measures to block transmission.

## Chapter 5 Monitoring, Early Warning and Emergency Response

**Article 53.** The State shall establish systems for cybersecurity monitoring and early warning and information notification. The national cyberspace administration shall coordinate relevant departments to strengthen the collection, analysis and notification of cybersecurity information, and uniformly release cybersecurity monitoring and early warning information in accordance with provisions.

**Article 54.** Departments responsible for the security protection of critical information infrastructure shall establish and improve cybersecurity monitoring and early warning and information notification systems in their respective industries and fields, and submit cybersecurity monitoring and early warning information in accordance with provisions.
**Article 55.** The national cyberspace administration shall coordinate relevant departments to establish and improve mechanisms for cybersecurity risk assessment and emergency response work, formulate contingency plans for cybersecurity incidents, and organize regular drills.

Departments responsible for the security protection of critical information infrastructure shall formulate contingency plans for cybersecurity incidents in their respective industries and fields, and organize regular drills.

Contingency plans for cybersecurity incidents shall classify cybersecurity incidents according to factors such as the degree of harm and scope of impact after an incident occurs, and provide corresponding emergency response measures.

**Article 56.** When the risk of cybersecurity incidents increases, relevant departments of people’s governments at or above the provincial level shall, in accordance with prescribed authority and procedures and based on the characteristics of cybersecurity risks and the possible harm, take the following measures: (1) require relevant departments, institutions and personnel to promptly collect and report relevant information, and strengthen the monitoring of cybersecurity risks; (2) organize relevant departments, institutions and professionals to analyze and assess cybersecurity risk information, and forecast the likelihood of incidents, scope of impact and degree of harm; (3) release cybersecurity risk early warnings to society, and publish measures to avoid or mitigate harm.

**Article 57.** Upon the occurrence of cybersecurity incidents, contingency plans for cybersecurity incidents shall be immediately activated, cybersecurity incidents shall be investigated and assessed, network operators shall be required to take technical and other necessary measures to eliminate security hazards, prevent harm from expanding, and timely release to the public warning information involving the public.
**Article 58.** Where relevant departments of people’s governments at or above the provincial level discover, in the course of performing cybersecurity supervision and administration responsibilities, that networks have significant security risks or that security incidents have occurred, they may, in accordance with prescribed authority and procedures, conduct interviews with the legal representative or principal person-in-charge of the operator of the network. Network operators shall take measures as required, implement rectification, and eliminate hidden dangers.

**Article 59.** Where emergencies or production safety accidents occur due to cybersecurity incidents, they shall be dealt with in accordance with relevant provisions of laws and administrative regulations such as the Emergency Response Law of the People's Republic of China and the Work Safety Law of the People's Republic of China.

**Article 60.** Where, for the purpose of maintaining national security and social public order, it is necessary to address major emergent social security incidents, temporary measures such as restrictions on network communications may, upon decision or approval by the State Council, be taken within specific regions.

## Chapter 6 Legal Liability

**Article 61.** Where network operators fail to perform the cybersecurity protection obligations prescribed in Articles 23 and 27 of this Law, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 10,000 but not more than RMB 50,000; where they refuse to make corrections or cause consequences such as harm to cybersecurity, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the person-in-charge directly responsible and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000.
Where operators of critical information infrastructure fail to perform the cybersecurity protection obligations prescribed in Articles 35, 36, 38 and 40 of this Law, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 50,000 but not more than RMB 100,000; where they refuse to make corrections or cause consequences such as harm to cybersecurity, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and the person-in-charge directly responsible and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Where the acts under the preceding two paragraphs cause serious consequences that harm cybersecurity, such as leakage of a large amount of data or partial functional loss of critical information infrastructure, the competent authorities shall impose a fine of not less than RMB 500,000 but not more than RMB 2,000,000 on the operator, and shall impose a fine of not less than RMB 50,000 but not more than RMB 200,000 on the person-in-charge directly responsible and other directly liable persons; where particularly serious consequences that harm cybersecurity occur, such as the loss of main functions of critical information infrastructure, a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000 shall be imposed, and a fine of not less than RMB 200,000 but not more than RMB 1,000,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons.
**Article 62.** Where any of the following acts is committed in violation of the first and second paragraphs of Article 24 and the first paragraph of Article 50 of this Law, the competent authorities shall order corrections and give warnings; where corrections are refused or consequences such as harm to cybersecurity are caused, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed on the operator, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible: (1) setting malicious programs; (2) failing to immediately adopt remedial measures for risks such as security defects and vulnerabilities existing in its products or services, or failing to promptly inform users in accordance with provisions and report to the competent authorities; (3) arbitrarily ceasing the provision of security maintenance for its products or services.

Where any of the acts under items (1) and (2) of the preceding paragraph results in the consequences prescribed in the third paragraph of Article 61 of this Law, punishments shall be imposed in accordance with that paragraph.
**Article 63.** Where any person sells or provides key network equipment or specialized cybersecurity products without security certification or security testing, or where such certification is not passed or such testing does not meet the requirements, in violation of Article 25 of this Law, the competent authorities shall order the cessation of sales or provision, give warnings, and confiscate illegal gains; where there are no illegal gains or such gains are less than RMB 100,000, a fine of not less than RMB 20,000 but not more than RMB 100,000 shall be imposed; where illegal gains are RMB 100,000 or more, a fine of not less than one time but not more than five times the amount of illegal gains shall be imposed; where circumstances are serious, an order may be given to suspend relevant business, suspend business for rectification, revoke relevant business permits or revoke the business license. Where laws or administrative regulations provide otherwise, such provisions shall govern. **Article 64.** Where network operators, in violation of the first paragraph of Article 26 of this Law, fail to require users to provide real identity information, or provide relevant services to users who do not provide real identity information, the competent authorities shall order corrections; where corrections are refused or circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons.
**Article 65.** Where any person, in violation of Article 28 of this Law, carries out cybersecurity certification, testing, risk assessment and other activities, or releases to society cybersecurity information such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where corrections are refused or circumstances are serious, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons. Where the act under the preceding paragraph results in the consequences prescribed in the third paragraph of Article 61 of this Law, punishments shall be imposed in accordance with that paragraph.
**Article 66.** Where any person, in violation of Article 29 of this Law, engages in activities that endanger cybersecurity, or provides programs or tools specifically used to engage in activities that endanger cybersecurity, or provides technical support, advertisement promotion, payment settlement and other assistance for others to engage in activities that endanger cybersecurity, and the circumstances do not constitute a crime, the public security authorities shall confiscate illegal gains and impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a fine of not less than RMB 100,000 but not more than RMB 1,000,000 may concurrently be imposed. Where such acts are committed by an entity, the public security authorities shall confiscate illegal gains and impose a fine of not less than RMB 100,000 but not more than RMB 1,000,000 on the entity, and punish the person-in-charge directly responsible and other directly liable persons in accordance with the preceding paragraph. Personnel who, in violation of Article 29 of this Law, receive public security administrative punishment shall not engage in work in key positions of cybersecurity management and network operations within five years; personnel who receive criminal punishment shall never engage in work in key positions of cybersecurity management and network operations.
**Article 67.** Where operators of critical information infrastructure, in violation of Article 37 of this Law, use network products or services that have not undergone security review or have not passed security review, the competent authorities shall order corrections within a time limit, order cessation of use, eliminate the impact on national security, and impose a fine of not less than one time but not more than ten times the procurement amount, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons. **Article 68.** Where any person, in violation of Article 48 of this Law, establishes websites or communication groups used to carry out illegal and criminal activities, or uses networks to publish information involving the commission of illegal and criminal activities, and the circumstances do not constitute a crime, the public security authorities shall impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a fine of not less than RMB 50,000 but not more than RMB 500,000 may concurrently be imposed. Websites or communication groups used to carry out illegal and criminal activities shall be shut down. Where such acts are committed by an entity, the public security authorities shall impose a fine of not less than RMB 100,000 but not more than RMB 500,000 on the entity, and punish the person-in-charge directly responsible and other directly liable persons in accordance with the preceding paragraph.
**Article 69.** Where network operators, in violation of Article 49 of this Law, fail to cease transmission, take measures such as removal to dispose of it, preserve relevant records, report to the competent authorities with respect to information whose publication or transmission is prohibited by laws and administrative regulations, or, in violation of Article 52 of this Law, fail to cease transmission, take measures such as removal to dispose of it, preserve relevant records in accordance with requirements of relevant departments with respect to information whose publication or transmission is prohibited by laws and administrative regulations, the competent authorities shall order corrections, give warnings and issue circulars, and may impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where corrections are refused or circumstances are serious, a fine of not less than RMB 500,000 but not more than RMB 2,000,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 50,000 but not more than RMB 200,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons. Where the act under the preceding paragraph causes particularly serious impact or particularly serious consequences, the competent authorities shall impose a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000, and order suspension of relevant business, suspension of business for rectification, shutting down websites or applications, revocation of relevant business permits or revocation of the business license, and impose a fine of not less than RMB 200,000 but not more than RMB 1,000,000 on the person-in-charge directly responsible and other directly liable persons.
Where providers of electronic information transmission services or application download services fail to perform the security management obligations prescribed in the second paragraph of Article 50 of this Law, punishments shall be imposed in accordance with the preceding two paragraphs. **Article 70.** Where network operators commit any of the following acts in violation of this Law, the competent authorities shall order corrections; where corrections are refused or circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons: (1) refusing or obstructing supervision and inspection lawfully carried out by relevant departments; (2) refusing to provide technical support and assistance to public security authorities and national security authorities. **Article 71.** Where any of the following acts is committed, handling and punishment shall be carried out in accordance with relevant laws and administrative regulations: (1) publishing or transmitting information prescribed in the second paragraph of Article 13 of this Law and other information the publication or transmission of which is prohibited by laws and administrative regulations; (2) infringing personal information rights and interests in violation of the third paragraph of Article 24 and Articles 43 to 45 of this Law; (3) storing personal information and important data overseas or providing personal information and important data overseas by operators of critical information infrastructure in violation of Article 39 of this Law.
Where any person, in violation of Article 46 of this Law, steals or obtains personal information through other illegal means, illegally sells or illegally provides personal information to others, and the circumstances do not constitute a crime, the public security authorities shall impose punishment in accordance with relevant laws and administrative regulations. **Article 72.** Where illegal acts prescribed in this Law are committed, they shall be recorded in credit archives in accordance with relevant laws and administrative regulations, and be made public. **Article 73.** Where violations of this Law occur but circumstances for lighter, mitigated or exemption from punishment prescribed in the Administrative Penalty Law of the People's Republic of China exist, lighter, mitigated or exemption from punishment shall be applied in accordance with such provisions. **Article 74.** Where operators of government affairs networks of State organs fail to perform the cybersecurity protection obligations prescribed in this Law, their superior organs or relevant organs shall order corrections; the person-in-charge directly responsible and other directly liable persons shall be sanctioned in accordance with the law. **Article 75.** Where the cyberspace administration and relevant departments, in violation of Article 32 of this Law, use information obtained in the course of performing cybersecurity protection responsibilities for other purposes, the person-in-charge directly responsible and other directly liable persons shall be sanctioned in accordance with the law. Where staff of the cyberspace administration and relevant departments commit negligence of duty, abuse of power or engage in malpractices for personal gain, and the circumstances do not constitute a crime, they shall be sanctioned in accordance with the law. **Article 76.** Where violations of this Law cause harm to others, civil liability shall be borne in accordance with the law.
Where violations of this Law constitute acts violating public security administration, public security administrative punishments shall be imposed in accordance with the law; where they constitute crimes, criminal liability shall be pursued in accordance with the law. **Article 77.** Where institutions, organizations or individuals outside the territory engage in activities that endanger the cybersecurity of the People's Republic of China, legal liability shall be pursued in accordance with the law; where serious consequences are caused, the public security department under the State Council and relevant departments may also decide to take measures such as freezing property or other necessary sanctions against such institutions, organizations or individuals. ## Chapter 7 Supplementary Provisions **Article 78.** The meanings of the following terms under this Law are: (1) Network means a system composed of computers or other information terminals and related equipment which, in accordance with certain rules and procedures, collects, stores, transmits, exchanges, and processes information. (2) Cybersecurity means, by taking necessary measures, preventing attacks, intrusions, interference, destruction and illegal use of networks as well as accidents, bringing networks into a state of stable and reliable operation, and the capability to ensure the integrity, confidentiality and availability of network data. (3) Network operator means the owner, administrator and network service provider of a network. (4) Network data means various electronic data collected, stored, transmitted, processed and generated through networks. (5) Personal information means various information recorded in electronic or other forms that can identify a natural person’s personal identity, alone or in combination with other information, including but not limited to the natural person’s name, date of birth, identification number, personal biometric information, address, telephone number, etc.
**Article 79.** In addition to complying with this Law, the security protection of the operation of networks that store or process information involving State secrets shall comply with the provisions of secrecy laws and administrative regulations. **Article 80.** The security protection of military networks shall be separately prescribed by the Central Military Commission. **Article 81.** This Law shall come into force on June 1, 2017. --- ## Interim Measures for the Management of Generative Artificial Intelligence Services - Chinese title: 生成式人工智能服务管理暂行办法 - Hierarchy: rule - Issuing body: CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA) - Adopted: 2023-05-23 - Effective: 2023-08-15 - Status: effective - URL: https://datacompliancechina.com/laws/genai-services-interim-measures/ - Markdown: https://datacompliancechina.com/laws/genai-services-interim-measures.md ### Summary China's flagship generative-AI regulation — the first comprehensive national regulation of GenAI services anywhere in the world. Covers content compliance, training data quality, personal-information handling, security assessment and algorithm filing, real-name verification, and labeling. Applies to GenAI services provided to the Chinese public; some obligations are conditioned on consumer-facing deployment. ### Full text **Promulgated by:** CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA). **Document No.:** Decree No. 15 of the Cyberspace Administration of China. **Adopted at the 12th executive meeting of the CAC in 2023 on May 23, 2023.
Effective August 15, 2023.** --- ## Chapter I General Provisions **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on Science and Technology Progress and other laws and administrative regulations to promote the healthy development and standardized application of generative artificial intelligence (GAI), safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations. **Article 2.** These Measures shall apply to the use of GAI technologies to provide the public within the territory of the People's Republic of China with services of generative text, pictures, audios, videos and other content (hereinafter referred to as "GAI services" in short). Where the State stipulates otherwise on the use of GAI services to engage in press and publication, film and television production, literary and artistic creation and other activities, such provisions shall prevail. These Measures shall not apply to trade organizations, enterprises, education and scientific research institutions, public cultural institutions and relevant specialized agencies that research, develop and apply GAI technologies but fail to provide GAI services to the public within the territory of China. **Article 3.** The State adheres to the principles of attaching equal importance to development and security and promoting the combination of innovation and governance according to the law, takes effective measures to encourage innovation and development of GAI, and implements inclusive, prudent, categorized and graded regulation for GAI services. 
**Article 4.** Whoever provides and uses GAI services shall abide by laws and administrative regulations, respect social morality and ethics, and comply with the following provisions: (I) upholding socialist core values, and not generating any content prohibited by laws and administrative regulations that incites subversion of the state power or the overthrow of the socialist system, endangers national security and interests, damages the national image, incites separatism, undermines national unity and social stability, propagates terrorism, extremism, ethnic hatred and discrimination, violence, pornography, and false and harmful information; (II) taking effective measures to prevent discrimination in terms of nationality, religion, country, region, gender, occupation, health, etc., in the process of algorithm design, training data selection, model generation and optimization, service provision, etc.; (III) respecting intellectual property rights and business ethics, keeping confidential trade secrets, and refraining from carrying out acts of monopoly and unfair competition with the advantages of algorithms, data and platforms, etc.; (IV) respecting others' legitimate rights and interests, refraining from endangering others' physical and mental health, refraining from infringing upon others' rights to portrait, reputation, honor, privacy or personal information; and (V) taking effective measures in the light of the characteristics of different types of services to boost the transparency of GAI services and the accuracy and reliability of contents generated. ## Chapter II Technological Development and Governance **Article 5.** We encourage innovation and application of GAI technologies in various industries and fields to generate positive, healthy, progressive and good quality content, to explore and optimize application scenarios, and to build an application ecosystem. 
We support trade organizations, enterprises, education and scientific research institutions, public cultural institutions, relevant specialized agencies and so on to collaborate in respect of the innovations of GAI technologies, the development of data resources, the transformation and application, and the prevention of risks, among others. **Article 6.** We encourage independent innovations in fundamental technologies of GAI algorithms, frameworks, chips and supporting software platforms, among others, carry out international exchanges and cooperation on an equal and mutually beneficial basis, and take part in formulating international rules relating to GAI. Efforts should be made to drive the development of GAI infrastructure and public training data resource platforms, to promote the collaboration and sharing of algorithm resources, to improve the efficiency of the use of algorithm resources, to push the orderly disclosure of categorized and graded public data, and to expand high-quality public training data resources. We encourage the use of secure and reliable chips, software, tools, algorithm and data resources. 
**Article 7.** GAI service providers (hereinafter referred to as the "Providers") shall carry out pre-training, optimization training and other training data processing activities in accordance with the law and abide by the following provisions: (I) using data and basic models from lawful sources; (II) not infringing upon the intellectual property rights involved that are owned by others in accordance with the law; (III) obtaining the consent of an individual whose personal information is involved, or complying with other circumstances stipulated by laws and administrative regulations; (IV) taking effective measures to improve the quality of training data and to enhance the authenticity, accuracy, objectivity and diversity of training data; and (V) other relevant provisions of laws and administrative regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China and the relevant regulatory requirements of relevant competent authorities. **Article 8.** For data annotation during the research and development process for GAI technologies, Providers shall formulate clear, specific and operable annotation rules that meet the requirements of these Measures; they shall carry out the quality assessment of data annotation and take samples to verify the accuracy of annotation contents; moreover, they shall provide necessary training to the annotation staff, enhance such staff's awareness of respecting and abiding by the law, and supervise and guide such staff to carry out annotation work in a regulated manner. ## Chapter III Service Standards **Article 9.** A Provider shall assume its responsibility as a producer of network information contents in accordance with the law and fulfill its obligation of network information security.
If personal information is involved, a Provider shall assume its responsibility as a personal information handler in accordance with the law and fulfill its obligation of protecting personal information. A Provider shall enter into a service agreement with the users registering for its GAI services (hereinafter referred to as the "Users"), specifying the rights and obligations of both parties. **Article 10.** A Provider shall specify and disclose the applicable users, occasions and purposes of its services, guide Users to acquire a scientific and rational understanding and use GAI technologies in accordance with the law, and adopt effective measures to prevent underage Users from over-relying on or becoming addicted to GAI services. **Article 11.** A Provider shall fulfill its obligations of protection for users' input information and use records in accordance with the law, and shall not collect unnecessary personal information, illegally keep the input information and use records that can identify users' identity, or illegally provide others with the input information and use records of users. A Provider shall promptly accept and handle individuals' requests for access, reproduction, correction, supplementation and deletion of personal information in accordance with the law. **Article 12.** A Provider shall mark pictures, videos and other generated content in accordance with the Administrative Provisions on In-depth Synthesis of Internet-based Information Services. **Article 13.** A Provider shall, in the course of its services, provide safe, stable and continuous services and ensure the normal use of Users. **Article 14.** Where any illegal content is found out, the Provider concerned shall timely take such handling measures as stopping the generation or transmission, or elimination, adopt measures such as model optimization training to make rectification, and report the case to the competent authority.
When finding out that a User uses GAI services to engage in illegal activities, the Provider concerned shall take handling measures in accordance with the law or as agreed, such as giving a warning, restricting functions, suspending or terminating the provision of services to the User, keep relevant records, and report the case to the competent authority. **Article 15.** A Provider shall establish a sound complaint and whistleblowing mechanism, set up convenient portals for complaints and whistleblowing, make public the handling process and time limit for feedback, timely accept and handle the public complaints and whistleblowing, and give feedback on the handling results. ## Chapter IV Supervision, Inspection and Legal Liability **Article 16.** Authorities of cyberspace, development and reform, education, science and technology, industry and information technology, public security, radio and television, press and publication and so on shall, ex officio, strengthen the administration of GAI services in accordance with the law. The relevant competent authorities of the country shall, in light of the characteristics of GAI technologies and their service application in relevant industries and fields, improve the scientific ways of regulation in line with the innovation and development, and formulate the corresponding regulatory rules or guidelines for different categories or grades. **Article 17.** Any provider of GAI services with attribute of public opinions or capable of social mobilization shall conduct security assessment in accordance with the relevant provisions of the State, and complete the formalities for algorithm filing, change or deregistration in accordance with the Administrative Provisions on the Recommendation of Internet-based Information Service Algorithms. 
**Article 18.** Any user who finds that GAI services do not comply with laws, administrative regulations or these Measures shall have the right to complain or blow the whistle to the competent authority. **Article 19.** Relevant competent authorities shall supervise and inspect GAI services ex officio, and Providers shall cooperate in accordance with the law, explain the source, scale, type, marking rules and algorithm mechanism for the training data as required, and provide necessary technical, data and other support and assistance. The relevant institutions and personnel participating in the security assessment, supervision and inspection of GAI services shall keep confidential the state secrets, trade secrets, personal privacy and personal information that they have accessed in the performance of their duties in accordance with the law, and shall not disclose or illegally provide the same to others. **Article 20.** Where the provision of GAI services from outside the territory of the People's Republic of China to persons within the territory of the People's Republic of China is not in line with laws, administrative regulations and these Measures, the Cyberspace Administration of China shall notify the relevant authorities to take technical measures and other necessary measures to deal with the situation. **Article 21.** Any Provider in violation of these Measures shall be punished by the competent authorities in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on Science and Technology Progress and other laws and administrative regulations.
In the absence of such provisions in laws and administrative regulations, the competent authorities shall, ex officio, give a warning to the Provider, circulate a notice of criticism against the Provider, and order the Provider to make corrections within a time limit. If the Provider refuses to make corrections or the circumstances are serious, the competent authorities shall order the Provider to suspend the provision of relevant services. Where a violation of public security administration is constituted, the offender shall be subject to public security administration punishment in accordance with the law; if a crime is constituted, the offender shall be subject to criminal liability in accordance with the law. ## Chapter V Supplementary Provisions **Article 22.** For the purpose of these Measures, the following terms shall have the following meanings: (I) "GAI technologies" refer to models and related technologies that can generate text, pictures, audio, video and other contents. (II) "GAI service providers" refer to the organizations and individuals that provide GAI services (including providing GAI services by providing programmable interfaces or otherwise) by using GAI technologies. (III) "Users of GAI services" refer to the organizations and individuals that use the content generated with GAI services. **Article 23.** Where laws and administrative regulations stipulate that the provision of GAI services shall obtain the relevant administrative license, any Provider shall obtain such license according to the law. Foreign-invested GAI services shall be in compliance with the relevant laws and administrative regulations on foreign investment. **Article 24.** These Measures shall come into force on August 15, 2023.
--- ## Regulations on the Sharing of Government Data - Chinese title: 政务数据共享条例 - Hierarchy: regulation - Issuing body: State Council - Adopted: 2025-05-09 - Effective: 2025-08-01 - Status: effective - URL: https://datacompliancechina.com/laws/government-data-sharing-regulations/ - Markdown: https://datacompliancechina.com/laws/government-data-sharing-regulations.md ### Summary The first comprehensive State Council regulation specifically governing the sharing of government data across agencies. Establishes the unified national government-data sharing platform, defines responsibilities of the National Data Administration, sets data quality and security requirements, and addresses personal-information and important-data handling within the government-data context. ### Full text **Promulgated by:** State Council. **Document No.:** Decree No. 809 of the State Council. **Adopted at the 59th executive meeting of the State Council on May 9, 2025. Effective August 1, 2025.** --- ## Chapter I General Provisions **Article 1.** This Regulation is enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws in order to promote the safe, orderly and efficient sharing and utilization of government data, improve the government's digital governance capacity and the efficiency of government services and comprehensively build a digital government. **Article 2.** This Regulation applies to the government data sharing between government departments and organizations with the function of administering public affairs as authorized by laws and regulations (hereinafter collectively referred to as the "government departments") as well as the relevant security, supervision, administration and other work.
**Article 3.** For the purpose of this Regulation, the term "government data" refers to all kinds of data collected and generated by government departments in the course of performing their duties in accordance with the law, excluding the data that are state secrets or work secrets. For the purpose of this Regulation, the term "government data sharing" refers to the use of the government data of other government departments or the provision of government data for other government departments by the government departments as needed for performing their duties in accordance with the law. **Article 4.** Government data sharing shall adhere to the leadership of the Communist Party of China, implement the overall concept of national security, coordinate development and security in an overall manner and follow the principles of overall coordination, unified standards, lawful sharing, reasonable use, and controllable security. **Article 5.** Those who carry out the work of government data sharing shall abide by laws and regulations and fulfill the obligation of government data security protection and may not endanger national security or public interests or damage the legitimate rights and interests of citizens, legal persons or other organizations. **Article 6.** The State shall establish a standard system for government data sharing to promote the standardization and normalization of government data sharing. **Article 7.** The State encourages management innovation, institutional innovation and technological innovation in the field of government data sharing, so as to continuously improve the efficiency, application level and security guarantee capacity of government data sharing. ## Chapter II Management System **Article 8.** People's governments at all levels shall strengthen the organization and leadership over government data sharing. 
The competent department of government data sharing under the State Council is responsible for coordinating the promotion of national government data sharing. The competent department of government data sharing under a local people's government at or above the county level is responsible for coordinating the promotion of government data sharing within its administrative region. All departments under the State Council are responsible for their government data sharing and coordinating and guiding the government data sharing within their respective industries and fields. **Article 9.** The competent department of government data sharing shall, in concert with other government departments, study the major matters and important work in government data sharing, summarize and promote the typical cases and experience in government data sharing and coordinate and promote the safe, orderly and efficient sharing and use of government data across levels, regions, systems, departments and businesses. **Article 10.** Government departments shall implement their primary responsibilities for government data sharing, establish and perfect their own working systems for government data sharing and organize the study and resolution of major issues in government data sharing. **Article 11.** Government departments shall specify a working body for government data sharing. 
The working body for government data sharing shall be responsible for the specific work of government data sharing and perform the following duties: (1) Organizing the preparation, updating and maintenance of the directory of government data of the department; (2) Organizing the filing of the department's applications for government data sharing, organizing the examination of applications to share the department's government data, and coordinating the sharing of the department's government data; (3) Ensuring that the government data provided by the department meet the standards and specifications for government data sharing; (4) Organizing the filing or handling of applications for verification of the government data involved; (5) Establishing and perfecting the data security and personal information protection system with regard to government data sharing in the department and organizing security assessments of government data sharing; and (6) Other work of the department related to government data sharing. ## Chapter III Directory Management **Article 12.** Government data shall be subject to unified directory management. The competent department of government data sharing under the State Council shall formulate the standards and specifications for preparation of the directory of government data and organize the preparation of the national directory of government data. The competent department of government data sharing under the local people's government at or above the county level shall organize the preparation of the directory of government data within its administrative region. A government department shall, according to its own duties and in accordance with the standards and specifications for preparing the directory of government data, prepare its own directory of government data. **Article 13.** When preparing a directory of government data, a government department shall assess confidentiality risk, the impact on personal information protection, etc.
in accordance with the law and obtain the approval of the department head. The directory of government data shall specify such information as the name of the data directory, data items, supplier, data format, data update frequency, sharing attribute, sharing mode, conditions for use, and data classification and grading. **Article 14.** Government data shall be classified into three categories according to the sharing attributes, namely, unconditional sharing, conditional sharing and non-shareable: (1) The government data which can be provided for sharing and use among all government departments are subject to unconditional sharing; (2) The government data which can be provided for sharing and use among relevant government departments according to certain conditions are subject to conditional sharing; and (3) The government data which cannot be provided for sharing and use among other government departments as explicitly provided by laws, administrative regulations and decisions of the State Council are non-shareable. **Article 15.** Government departments shall scientifically and reasonably determine the attributes of government data sharing and may not hinder or affect the sharing of government data by arbitrarily imposing additional conditions. For government data subject to conditional sharing, the government departments shall specify the scope of sharing, purposes of use and other conditions for sharing and use in the directory of government data. For government data that are non-shareable, the government departments shall specify the reasons in the directory of government data and specify the basis of the corresponding laws, administrative regulations and decisions of the State Council. **Article 16.** A government department shall submit the directory of government data prepared to the competent department of government data sharing at the same level for examination. 
The competent department of government data sharing shall, upon examination and approval, release the directory to government departments in a unified manner. The government department shall, by reference to the directory of government data released in a unified manner, enrich the government data resources, ensure the quality of government data and share government data in accordance with the law. **Article 17.** The directory of government data shall be dynamically updated. Where the directory of government data needs to be updated correspondingly due to the adjustment of laws, administrative regulations or decisions of the State Council or a change in the duties of a government department, the government department shall, within ten working days from the date of occurrence of the adjustment or change, complete the update of the directory of government data and submit the same to the competent department of government data sharing at the same level for examination. Where the updating period needs to be extended due to special reasons, upon consent by the competent department of government data sharing at the same level, an extension of five working days may be granted. The competent department of government data sharing shall, within two working days from the date of receipt of the updated directory of government data, complete the examination and release the same. ## Chapter IV Sharing and Use **Article 18.** Government departments shall establish a sound whole-process quality management system for government data, improve the quality management capability for government data and strengthen the standardized management of collection, storage, processing, transmission, sharing, use, destruction, etc. of government data. **Article 19.** Government departments shall collect government data in accordance with statutory authorities, procedures, standards and norms.
Where the government data obtained through sharing are sufficient to satisfy the needs for duty performance, the government departments shall not repetitively collect data from citizens, legal persons or other organizations. Where the collection of government data involves more than one government department, the competent department of government data sharing shall clarify the government department taking the lead in the collection and designate the same as the data source department. The data source department shall strengthen coordination, cooperation and information communication with other relevant government departments, timely improve and update government data, ensure the completeness, accuracy and availability of government data and provide government data sharing services in a unified manner. **Article 20.** The competent department of government data sharing shall establish a supply and demand matching mechanism for government data sharing and clarify the workflow. A government data demand department shall, as required for performing its duties, file an application for government data sharing according to the unified directory of government data released and upon the approval of the person-in-charge of the working body for government data sharing according to the law, specifying the basis, scenario, scope of use, sharing mode, time limit for use, etc. and ensure the authenticity, legality and necessity of the application for government data sharing. A government data supply department shall, within the time limit prescribed in Article 21 hereof, review the application for government data sharing filed by the government data demand department and give a reply upon the approval of the person-in-charge of the working body for government data sharing. 
**Article 21.** Where the government data applied for sharing by a government data demand department are subject to unconditional sharing, the government data supply department shall give a reply within one working day from the date of receipt of the application for sharing of government data; if the government data are subject to conditional sharing, the government data supply department shall, within ten working days from the date of receipt of the application for sharing of government data, give a reply on whether to approve the sharing or not. Where the reply period needs to be extended due to special reasons, the government data supply department shall report to the competent department of government data sharing at the same level for approval and inform the government data demand department; the extension shall not exceed ten working days. If the application materials submitted by the government data demand department are incomplete, the government data supply department shall inform it of the materials to be supplemented in a one-off manner and shall not directly reject the application. Where the government data supply department disagrees on sharing, it shall state the reasons. **Article 22.** The government data supply department shall share the government data within 20 working days from the date when the reply on approval for sharing is made. The government data supply department may share the government data with the government data demand department through service interface, batch exchange, file downloading or otherwise. **Article 23.** The State encourages government departments at all levels to optimize the review process for government data sharing and shorten the time for review and provision of shared government data.
**Article 24.** A government department at a higher level shall, based on the needs of performing duties by the government department at a lower level and under the premise of ensuring the security of government data, timely and completely return the government data collected and generated by the business information system within the administrative region of the government at a lower level and effectively conduct system connection and business collaboration, and may not set additional restrictive conditions. After obtaining the returned government data, the government department at a lower level shall share and use the data as required for performing duties and ensure the security of the relevant government data. **Article 25.** Government departments that obtain government data through sharing shall not expand the scope of use or use such data for any other purpose directly or in a disguised manner without authorization, nor shall they provide the government data obtained to any third party without authorization. Where there is a genuine need to expand the scope of use, use the data for any other purpose or provide the data to any third party, the consent of the government data supply department shall be obtained. The competent department of government data sharing and other government departments shall take measures to prevent the risk of leakage due to the convergence and correlation of government data. **Article 26.** The competent department of government data sharing under the State Council shall establish an overall system for verification and correction of government data. Government departments shall, in accordance with their respective duties, establish verification and correction rules and provide correction channels for government data. The government data demand department shall record the use status of government data.
If any government data is found to be inaccurate or incomplete, the said department shall file an application for verifying the government data with the government data supply department in a timely manner. The government data supply department shall, within ten working days from the date of receipt of the application for verifying the government data, verify, correct and provide feedback on the verification and handling results. **Article 27.** For the government data obtained by a government data demand department through sharing, if the purpose of sharing has been achieved, cannot be achieved or such data is no longer necessary to achieve the purpose of sharing, such data shall be properly disposed of as required by the government data supply department. Where a government data demand department uses the government data beyond the scope of use or the purpose of sharing without authorization or provides the government data to any third party without authorization, the competent department of government data sharing or the government data supply department shall suspend its authority of government data sharing and urge it to make rectification within a prescribed time limit. If it refuses to do so or the rectification is not made as required, the sharing may be terminated. The government data supply department shall not terminate or change the government data sharing services already provided without justifiable reasons. Where there is a genuine need to terminate or change the services, the government data supply department shall consult with the government data demand department and file with the competent department of government data sharing at the same level for the record. **Article 28.** The competent department of government data sharing shall establish and improve a dispute resolution mechanism for government data sharing. 
Any dispute over government data sharing between the government data demand department and the government data supply department at the same level shall be resolved through consultation; if such consultation fails, an application shall be submitted to the competent department of government data sharing at the same level for coordination and settlement under procedures. Any dispute arising from cross-level or cross-regional government data sharing shall be coordinated and settled by the common competent department of government data sharing at a higher level. In case of failure to reach an agreement upon coordination and settlement by the competent department of government data sharing, such dispute shall be reported to the people's government at the counterpart level in charge of the competent department of government data sharing for decision. **Article 29.** The competent department of government data sharing shall supervise and inspect government data sharing and may circulate a notice on any violation of this Regulation. The government data demand department shall record the use scenario, use process, application effect, storage and destruction of the shared government data and keep relevant records for not less than three years. The competent department of government data sharing and the government data supply department may consult the relevant records of the government data demand department. Where it is otherwise provided for by laws and administrative regulations, such provisions shall prevail. ## Chapter V Platform Support **Article 30.** The State coordinates the development of data infrastructure, improves the government data security protection capability and integrates and builds an integrated national government big data system featuring unified standards, reasonable layout, collaborative management, security and reliability.
The competent department of government data sharing under the State Council shall coordinate the development and management of the integrated national government big data system and is responsible for integrating and building the national government big data platform to achieve interconnection with the government data platforms of the relevant departments under the State Council and the government data platforms in various regions so as to provide platform support for government data sharing. The competent departments of government data sharing under local people's governments at or above the county level shall be responsible for the development and management of the government data platforms within their respective administrative regions and share government data with towns (streets) and villages (communities) as needed. The development and optimization of their respective government data platforms by the relevant departments of the State Council may support government data sharing in the relevant industries and fields. Those that have not established a government data platform may share their government data through the national government big data platform. **Article 31.** The government data platforms that have been established by government departments shall be included in the integrated national government big data system. Unless otherwise stipulated by laws and administrative regulations, no new cross-level, cross-regional, cross-system, cross-departmental or cross-business government data sharing and exchange system shall, in principle, be established. **Article 32.** Government departments shall carry out the relevant work on government data sharing through the integrated national government big data system. **Article 33.** The State encourages and supports the application of big data, cloud computing, artificial intelligence, blockchain and other new technologies in government data sharing.
## Chapter VI Supporting Measures **Article 34.** The competent department of government data sharing shall, in concert with the cyberspace, public security, state security, secrecy administration, and cryptography administration departments at the same level, promote the development of the security management system for government data sharing under the classified and graded data protection system, clarify the security responsibility subjects for all stages of government data sharing and urge the fulfillment of security management responsibilities for government data sharing under the principle of "those who manage and use data shall be responsible". Where, in the process of using the government data shared according to the law, any government data are tampered with, destroyed, divulged or illegally used, the government data demand department shall assume the responsibility of security management. **Article 35.** Government departments shall establish and improve the security management system for government data sharing, implement the primary responsibilities for security management of the government data sharing and the requirements for classified and graded management of government data and ensure the security of government data sharing. Government departments shall adopt technical measures and other necessary measures to prevent government data from being tampered with, destroyed, divulged, or illegally obtained or illegally used. Government departments shall strengthen the security risk monitoring of government data, and when a government data security incident occurs, immediately initiate the emergency plan, take corresponding emergency response measures, prevent the expansion of harm, eliminate security hazards and report the incident to the relevant competent department as required. 
**Article 36.** Where a government department entrusts another party to participate in the construction, operation, maintenance of a government informatization project, or storage and processing of government data, it shall perform the approval procedures in accordance with the relevant provisions of the State, specify the work specifications and standards and take necessary technical measures to supervise the entrusted party in fulfilling the corresponding obligation of government data security protection. The entrusted party shall, in accordance with the provisions of laws, administrative regulations and contractual agreements, perform the obligation of government data security protection, and shall not access, obtain, retain, use, divulge or provide others with government data without authorization. The development and management entity of a government data platform shall, in accordance with the provisions of laws, administrative regulations and the compulsory requirements of national standards, ensure the safe and stable operation of the platform and maintain the security of government data. **Article 37.** Government departments and their staff shall abide by the Personal Information Protection Law of the People's Republic of China, the Administrative Regulation on Network Data Security and other laws and administrative regulations when carrying out government data sharing activities involving personal information. Citizens, legal persons and other organizations have the right to complain or report the acts infringing upon their legitimate rights and interests in the process of government data sharing, and the government departments receiving the complaints or reports shall promptly handle them as required. **Article 38.** People's governments at or above the county level shall include the funds required for government data sharing in their budgets. 
People's governments at or above the county level and their relevant departments shall implement whole-process budget performance management of the funds relating to government data sharing. Government data sharing shall be taken as an important basis for determining the construction investment, operation and maintenance funds and post-project assessment results of government informatization projects. The competent department of government data sharing shall strengthen the supervision over the timeliness and quality of data sharing by the government data supply departments within its jurisdiction, the application of data by government data demand departments and security supporting measures and report the same to the people's government at the counterpart level. ## Chapter VII Legal Liability **Article 39.** Where any government data supply department violates the provisions hereof and falls under any of the following circumstances, the competent department of government data sharing at the same level shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, the responsible leader and the directly liable personnel shall be punished according to the law: (1) Failing to prepare or update the directory of government data as required; (2) Hindering or affecting the sharing of government data by imposing additional conditions without authorization or by other means; (3) Failing to cooperate with the data source department in timely improvement and updating of government data; (4) Failing to give a reply to the application for sharing government data on time or failing to share government data on time without a justified reason; (5) Failing to return the government data within the administrative region of the government at a lower level, which is collected or generated by the business information system, to the government department at a lower level as required; (6) Failing to verify and correct data upon receipt of the 
application for verifying the government data on time; (7) Terminating or modifying the government data sharing services already provided without authorization; (8) Failing to include the government data platform that has been built in the integrated national government big data system as required; or (9) Other circumstances in violation of the provisions hereof. **Article 40.** Where any government data demand department violates the provisions hereof and falls under any of the following circumstances, the competent department of government data sharing at the same level shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, the responsible leader and the directly liable personnel shall be punished according to the law: (1) Repeatedly collecting the government data that can be obtained through sharing; (2) Using the government data obtained through sharing beyond the scope of use or the purpose of sharing without authorization; (3) Providing the government data obtained through sharing to a third party without authorization; (4) Failing to properly dispose of the government data obtained through sharing as required when the purpose of sharing has been achieved, or cannot be achieved, or the data is no longer necessary to achieve the purpose of sharing; (5) Failing to keep the relevant records of government data obtained through sharing as required; (6) Failing to perform the responsibility for security management of government data obtained through sharing; or (7) Other circumstances in violation of the provisions hereof. 
**Article 41.** Where any competent department of government data sharing violates the provisions hereof and falls under any of the following circumstances, the people's government at the counterpart level or the competent department at a higher level shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, the responsible leader and the directly liable personnel shall be punished according to the law: (1) Failing to clarify the data source department as required; (2) Failing to coordinate and handle the disputes over government data sharing as required; or (3) Other circumstances in violation of the provisions hereof. **Article 42.** Where any government department or any staff member thereof divulges, sells or illegally provides others with personal privacy, personal information, trade secrets or confidential business information that has come to its/his/her knowledge in the process of government data sharing or neglects its/his/her duties, abuses its/his/her power or plays favoritism and commits irregularities in the sharing of government data, it/he/she shall be punished according to the law; if a crime is constituted, it/he/she shall be investigated for criminal liability according to the law. ## Chapter VIII Supplementary Provisions **Article 43.** The State promotes data sharing between government departments and other state organs as required for performing their respective duties by reference to the provisions hereof. **Article 44.** The present Regulation shall come into force as of 1 August 2025.
--- ## Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information - Chinese title: 中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章 - Abbreviation: Civil Code (PI Chapter) - Hierarchy: law - Issuing body: National People's Congress - Adopted: 2020-05-28 - Effective: 2021-01-01 - Status: effective - URL: https://datacompliancechina.com/laws/civil-code-personal-info/ - Markdown: https://datacompliancechina.com/laws/civil-code-personal-info.md ### Summary Articles 1032–1039 of the Civil Code's Personality Rights Book establish the civil-law foundation for privacy and personal-information protection in China. The chapter defines the right of privacy, the scope of personal information, principles for handling, statutory defenses, individuals' rights of access and correction, processor obligations, and confidentiality duties of State organs. Civil-law remedies under this chapter operate alongside the public-law PIPL regime — neither displaces the other. ### Full text **Adopted at the 3rd Session of the 13th National People's Congress on May 28, 2020. Effective January 1, 2021.** The Civil Code is China's first codified civil law. Articles 1032 through 1039 appear in Book IV (Personality Rights), Chapter VI (Right to Privacy and Protection of Personal Information). These eight articles provide the civil-law underpinning for personal-information protection in China — they sit alongside PIPL rather than being superseded by it. --- ## Chapter 6 Right to Privacy and Protection of Personal Information **Article 1032.** A natural person shall enjoy the right of privacy. No organization or individual may infringe upon the privacy of any other person by spying, intruding, disclosing, making public or any other means. Privacy refers to a natural person's peace of private life and the private space, private activities and private information that he or she does not want others to know.
**Article 1033.** Unless otherwise prescribed by law or specifically agreed by the rights holder, no organization or individual may carry out any of the following acts: (1) Disturbing the private peace of others by means of telephone, text message, instant messaging tools, e-mail, leaflets, etc.; (2) Entering, photographing or peeping into the private spaces of others, such as residences or hotel rooms; (3) Photographing, peeping at, eavesdropping on or making public the private activities of others; (4) Photographing or peeping at private parts of others' bodies; (5) Processing the private information of others; (6) Infringing upon the privacy of others by other means. **Article 1034.** The personal information of a natural person shall be protected by law. Personal information refers to all kinds of information recorded electronically or otherwise that can be used, independently or in combination with other information, to identify a specific natural person, including the natural person's name, date of birth, ID number, biometric information, address, telephone number, e-mail address, health information, whereabouts, etc. For private information included in personal information, the provisions on the right of privacy shall apply; where no such provisions are available, the provisions on personal information protection shall apply. **Article 1035.** The handling of personal information shall be subject to the principles of legitimacy, rightfulness and necessity, shall not involve excessive handling and shall meet the following conditions: (1) The consent of the natural person or his or her guardian has been obtained, unless otherwise provided by laws or administrative regulations; (2) The rules for handling the information are made public; (3) The purpose, method and scope of handling the information are expressly stated; (4) The provisions of laws and administrative regulations and the agreement between the parties are not violated.
Personal information handling includes the collection, storage, use, processing, transmission, provision and disclosure of personal information, etc. **Article 1036.** Where the handling of personal information falls under any of the following circumstances, the actor concerned shall not bear civil liability: (1) Acts performed reasonably within the scope agreed by the natural person or his or her guardian; (2) Reasonably handling information disclosed by the natural person himself or herself or other information that has already been lawfully disclosed, unless the natural person explicitly refuses or the handling of such information infringes upon his or her major interests; and (3) Other acts performed reasonably to protect the public interest or the legitimate rights and interests of the natural person. **Article 1037.** A natural person may consult or copy his/her personal information held by any information processor in accordance with the law; if any error is found in the information, the natural person has the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner. Where a natural person discovers that an information processor has processed his/her personal information in violation of the provisions of laws and administrative regulations or the agreement between both parties, he/she shall have the right to request that the information processor promptly delete the information. **Article 1038.** Information processors shall not divulge or tamper with personal information collected or stored by them; without the consent of a natural person, information processors shall not illegally provide personal information of such person to others, except for information that has been processed so that it cannot identify a specific person and cannot be restored.
An information processor shall take technical measures and other necessary measures to ensure the security of the personal information it collects and stores and to prevent the information from being divulged, tampered with or lost; where personal information has been or may be divulged, tampered with or lost, it shall take remedial measures in a timely manner, inform the natural person concerned in accordance with the provisions and report the case to the relevant competent department. **Article 1039.** State organs, statutory agencies with administrative functions and their staff shall keep confidential the privacy and personal information of natural persons that come into their knowledge during the performance of duties, and shall not divulge the same or illegally provide the same to others. --- ## Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services - Chinese title: 互联网信息服务算法推荐管理规定 - Hierarchy: rule - Issuing body: CAC, MIIT, MPS, SAMR - Adopted: 2021-11-16 - Effective: 2022-03-01 - Status: effective - URL: https://datacompliancechina.com/laws/algorithmic-recommendation-provisions/ - Markdown: https://datacompliancechina.com/laws/algorithmic-recommendation-provisions.md ### Summary The first comprehensive Chinese regulation of recommendation algorithms. Establishes the algorithm filing regime, requires opt-out mechanisms, regulates personalized pricing and targeted advertising, sets special protections for minors and the elderly, and bans practices like price discrimination based on user characteristics. Applies to all algorithmic recommendation services available to the Chinese public. ### Full text **Promulgated by:** CAC, MIIT, MPS, SAMR. **Document No.:** Decree No. 9 of the Cyberspace Administration of China. **Adopted at the 20th executive meeting of the CAC in 2021 on November 16, 2021. 
Effective March 1, 2022.** --- ## Chapter I General Provisions **Article 1.** These Provisions are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Administrative Measures on Internet Information Services and other laws and administrative regulations, in order to regulate Internet information service algorithm recommendation activities, promote socialist core values, safeguard national security and social public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations, and facilitate the healthy and orderly development of Internet information services. **Article 2.** These Provisions apply to the application of algorithm recommendation technologies to provide Internet information services (hereinafter referred to as "algorithm recommendation services") within the territory of the People's Republic of China. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail. For the purpose of the preceding paragraph, the term "application of algorithm recommendation technologies" refers to the use of algorithmic technologies such as generation and synthesis, personalized push, sorting and selection, retrieval and filtering, scheduling decision-making, etc. to provide information to users. **Article 3.** The Cyberspace Administration of China is responsible for coordinating the governance of national algorithm recommendation services and the relevant supervision and administration, and the departments of telecommunications, public security and market regulation, etc. under the State Council are in charge of the supervision and administration of algorithm recommendation services ex officio.
Local cyberspace administrations are responsible for coordinating the governance of algorithm recommendation services and the relevant supervision and administration within their respective administrative regions, and local authorities of telecommunications, public security and market regulation, etc. are in charge of the supervision and administration of algorithm recommendation services ex officio within their respective administrative regions. **Article 4.** Algorithm recommendation services shall be provided in compliance with laws and regulations, with respect for social morality and ethics, business ethics and professional ethics, and under the principles of impartiality, fairness, openness and transparency, scientificity and reasonableness, honesty and good faith. **Article 5.** Relevant trade associations are encouraged to strengthen industry self-regulation, establish sound industry standards, industry guidelines and self-regulatory management systems, and urge and guide algorithm recommendation service providers to formulate and improve codes of service, provide services in accordance with the law and accept social supervision. ## Chapter II Codes of Information Service **Article 6.** Algorithm recommendation service providers shall adhere to the mainstream value orientation, optimize the algorithm recommendation service mechanism, actively spread positive energy and promote the application of algorithms to positive effect. Algorithm recommendation service providers shall not take advantage of algorithm recommendation services to engage in activities prohibited by laws and administrative regulations, such as endangering the national security and public interests, disturbing the economic order and social order and infringing upon the legitimate rights and interests of others, and shall not take advantage of algorithm recommendation services to disseminate information prohibited by laws and administrative regulations.
Instead, algorithm recommendation service providers shall take measures to prevent and reject the dissemination of adverse information. **Article 7.** Algorithm recommendation service providers shall fulfill their responsibilities as subjects for algorithm security, establish and improve the management systems and technical measures for algorithm mechanism and principle review, scientific and technological ethics review, user registration, information release review, data security and personal information protection, anti-telecommunications and Internet fraud, security assessment and monitoring, and security incident emergency response, formulate and disclose the relevant rules for algorithm recommendation services, and be equipped with professional staff and technical support appropriate to the scale of the algorithm recommendation service. **Article 8.** Algorithm recommendation service providers shall regularly review, evaluate and verify the principle, models, data and application results of algorithm mechanisms, and shall not set up any algorithm model in violation of laws and regulations or ethics and morals, such as inducing users to be addicted to or over-consumed. **Article 9.** Algorithm recommendation service providers shall strengthen information security management, establish and improve a feature database for identifying illegal and bad information, and improve entry standards, rules and procedures. If it is found that the synthetic information is generated by an algorithm without any noticeable mark, the information shall not be transmitted again until the noticeable mark has been made. Where any illegal information is found, the transmission thereof shall be immediately stopped, and measures such as deletion shall be taken to prevent the information from spreading. The relevant records shall be kept and a report shall be made to the cyberspace administration and the relevant authorities. 
Adverse information, if found, shall be handled in accordance with the relevant provisions on ecological governance of network information contents. **Article 10.** Algorithm recommendation service providers shall strengthen the management of user models and user labels, and improve the rules on points of interest recorded into user models and user label management, and shall not record illegal and harmful information keywords into the points of interest of users or use them as user labels to push information. **Article 11.** Algorithm recommendation service providers shall strengthen the ecological management of layout and pages for algorithm recommendation services, establish and improve the mechanism for manual intervention and user self-selection, and actively present the information in line with the mainstream value orientation on the first screen of the homepage, the most searched, selection, ranking, pop-up windows and other key links. **Article 12.** Algorithm recommendation service providers are encouraged to comprehensively apply strategies such as content duplication removal and dispersal intervention, and optimize the transparency and interpretability of rules on retrieval, list, selection, pushing and display, so as to avoid adverse impact on users and prevent and reduce disputes. **Article 13.** To provide internet news information services, an algorithm recommendation service provider shall obtain the license for such services in accordance with the law, carry out editing and releasing services, reposting services and transmission platform services of internet news information in a regulated manner, and shall not generate or synthesize false news information or transmit news information released by entities not within the scope prescribed by the State. 
**Article 14.** Algorithm recommendation service providers shall not falsely register accounts, illegally trade accounts, manipulate user accounts or make false likes, comments or forwarding by taking advantage of algorithms, nor shall they block information, overly recommend, manipulate lists or search results ranking, control the most searched or selections by taking advantage of algorithms to intervene in information presentation or to have any act of influencing network public opinions or circumventing supervision and administration. **Article 15.** Algorithm recommendation service providers shall not impose unreasonable restrictions on other Internet information service providers or hinder or disrupt the normal operation of the internet information services legally provided by them by taking advantage of algorithms to conduct any monopoly or unfair competition. ## Chapter III Protection of Users' Rights and Interests **Article 16.** Algorithm recommendation service providers shall inform users of the information on their provision of algorithm recommendation services in a noticeable way, and publicize the basic principles, purposes and main operating mechanisms of algorithm recommendation services in a proper way. **Article 17.** Algorithm recommendation service providers shall provide users with options not based on their personal characteristics or provide users with the option of closing algorithm recommendation services in a convenient manner. If users opt to close algorithm recommendation services, the algorithm recommendation service providers shall forthwith cease to provide relevant services. Algorithm recommendation service providers shall provide users with the function of selecting or deleting user tags based on their personal characteristics used for algorithm recommendation services. 
Where the application of algorithms by an algorithm recommendation service provider has a significant impact on the rights and interests of users, the said provider shall give explanations in accordance with the law and assume the corresponding liability. **Article 18.** Algorithm recommendation service providers providing services to minors shall fulfill their obligation of protecting minors online in accordance with the law, and facilitate minors to obtain information beneficial to their physical and mental health by developing modes suitable for minors, providing services suitable for the characteristics of minors or otherwise. Algorithm recommendation service providers shall not push to minors any information that may affect the physical and mental health of minors, such as those that may cause minors to imitate unsafe behaviors and behaviors violating social morality or induce minors to have bad habits, nor shall they induce minors to indulge in the Internet by making use of algorithm recommendation services. **Article 19.** Algorithm recommendation service providers providing services to the elderly shall safeguard the rights and interests of the elderly in accordance with the law, take into full account the needs of the elderly for travel, medical treatment, consumption and affairs handling, provide intelligent services suitable for the elderly in accordance with the relevant provisions of the State, and monitor, identify and deal with telecommunications and Internet fraud information in accordance with the law to facilitate the elderly in safely using algorithm recommendation services. 
**Article 20.** Algorithm recommendation service providers providing workers with job scheduling services shall protect the legitimate rights and interests of the workers such as labor remuneration, rest and vacation, and establish and improve relevant algorithms for platform order distribution, composition and payment of remuneration, working hours, rewards and punishments, etc. **Article 21.** Algorithmic recommendation service providers selling goods or providing services to consumers shall protect the rights of consumers to fair transactions, and shall not, according to the preferences, transaction habits and other characteristics of consumers commit illegal acts such as unreasonable differential treatment in transaction price and other transaction conditions by taking advantage of the algorithms. **Article 22.** Algorithm recommendation service providers shall set up a convenient and effective portal for user complaints, public complaints and reports, clarify the processing process and time limit for feedback, and promptly accept, process and feedback the processing results. ## Chapter IV Supervision and Administration **Article 23.** Cyberspace administrations shall, in concert with relevant authorities of telecommunications, public security and market regulation, etc., establish a hierarchical and classified security management system for algorithms, and implement hierarchical and classified management of algorithm recommendation service providers according to the public opinion attribute or social mobilization ability of algorithm recommendation services, content category, user scale, importance of data processed by algorithm recommendation technologies, and degree of intervention in user behaviors. 
**Article 24.** An algorithm recommendation service provider with public opinion attribute or social mobilization ability shall, within ten working days from the date of provision of services, fill in such information as the service provider's name, service form, application field, algorithm type, algorithm self-assessment report and content to be disclosed via the internet information service algorithm record-filing system to go through record-filing formalities. Where the record-filing information of an algorithm recommendation service provider changes, the said provider shall go through formalities for change within ten working days from the date of change. Where an algorithm recommendation service provider terminates services, it shall go through formalities for deregistration of record-filing within 20 working days from the date of termination of services and make proper arrangements. **Article 25.** The Cyberspace Administration of China and the cyberspace administrations of provinces, autonomous regions and municipalities directly under the Central Government shall, within 30 working days upon receipt of the record-filing materials submitted by the record-filing applicants, grant record-filing, issue record-filing numbers and make public the record-filing; if the materials are incomplete, record-filing shall not be granted, and the record-filing applicant shall be notified, with reasons stated, within 30 working days. **Article 26.** An algorithm recommendation service provider that has completed record-filing shall indicate its record-filing number and provide links to the publicized information in a prominent position of its website or application through which it provides services to the public. **Article 27.** Algorithm recommendation service providers with public opinion attribute or social mobilization ability shall carry out security assessment in accordance with the relevant provisions of the State. 
**Article 28.** Cyberspace administrations shall, in concert with relevant authorities of telecommunications, public security and market regulation, etc., carry out security assessment and supervision and inspection of algorithm recommendation services in accordance with the law, and timely put forward rectification opinions for the problems found and order rectification within a time limit. Algorithm recommendation service providers shall keep web logs in accordance with the law, cooperate with cyberspace administrations and relevant authorities of telecommunications, public security and market regulation, etc. in security assessment and supervision and inspection, and provide necessary technical and data support and assistance. **Article 29.** Relevant agencies and personnel participating in security assessment and supervision and inspection of algorithm recommendation services shall keep confidential personal privacy, personal information and trade secrets known in performing their duties in accordance with the law, and shall not disclose or illegally provide the same to others. **Article 30.** Any organization or individual that finds any violation of these Provisions may complain or report to cyberspace administrations and other relevant authorities. Authorities that receive such complaints or reports shall promptly deal with them in accordance with the law. ## Chapter V Legal Liability **Article 31.** With respect to any algorithm recommendation service provider who violates the provisions of Article 7, Article 8, Paragraph 1 of Article 9, Article 10, Article 14, Article 16, Article 17, Article 22, Article 24 or Article 26 hereof, if there are relevant provisions in laws and administrative regulations, such provisions shall prevail; in the absence of relevant provisions in laws and administrative regulations, cyberspace administrations and relevant authorities of telecommunications, public security and market regulation, etc. 
shall, ex officio, give a warning to the said provider, circulate a notice of criticism and order it to make corrections within a time limit; if the said provider refuses to make corrections or the circumstances are serious, it shall be ordered to suspend information updating and imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. In the case of a violation of public security administration, the said provider shall be subject to punishment for public security administration in accordance with the law; in the case of a crime, the said provider shall be investigated for criminal liability in accordance with the law. **Article 32.** With respect to any algorithm recommendation service provider who violates the provisions of Article 6, Paragraph 2 of Article 9, Article 11, Article 13, Article 15, Article 18, Article 19, Article 20, Article 21, Article 27 and Paragraph 2 of Article 28 hereof, the cyberspace administration and the relevant authorities of telecommunications, public security and market supervision, etc. shall, ex officio, deal with the case in accordance with the provisions of the relevant laws, administrative regulations and departmental rules. **Article 33.** With respect to any algorithm recommendation service provider with the attribute of public opinions or the ability to mobilize the public who has obtained record-filing by concealing relevant information, providing false materials or other improper means, the Cyberspace Administration of China and the cyberspace administration of the province, autonomous region or centrally-administered municipality concerned shall revoke its record-filing, give it a warning or circulate a notice of criticism; if the circumstances are serious, it shall be ordered to suspend information updating and imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan. 
Where an algorithm recommendation service provider with the attribute of public opinions or the ability to mobilize the public fails to go through the formalities for deregistration of record-filing as required in Paragraph 3 of Article 24 hereof upon termination of services, or is subject to administrative penalties such as being ordered to close down its website or having its business permit or business license revoked due to serious violations, the Cyberspace Administration of China and the cyberspace administration of the province, autonomous region or centrally-administered municipality concerned shall deregister its record-filing. ## Chapter VI Supplementary Provisions **Article 34.** These Provisions shall be interpreted by the Cyberspace Administration of China in conjunction with the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation. **Article 35.** These Provisions shall come into force as of March 1, 2022. --- ## Administrative Measures for Internet Information Services (2024 Revision) - Chinese title: 互联网信息服务管理办法(2024 修订) - Hierarchy: regulation - Issuing body: State Council - Adopted: 2024-12-06 - Effective: 2025-01-20 - Status: effective - URL: https://datacompliancechina.com/laws/internet-information-services-measures/ - Markdown: https://datacompliancechina.com/laws/internet-information-services-measures.md ### Summary The foundational regulation of Internet Information Services (ICP) in China — the regulatory baseline beneath nearly every later data-protection rule. Establishes the ICP licensing regime (operational vs. non-operational), platform compliance obligations, content management, and the role of telecommunications and cyberspace administrative authorities. The 2024 revision aligns the regulation with CSL, DSL, PIPL, and the post-2022 platform rules. ### Full text **Promulgated by:** State Council.
**Document No.:** State Council Decree No. 292 (2000), revised by Decree No. 292 (2011) and Decree (2024). **Original Decree No. 292 (2000); revised by State Council decisions in 2011 and again on December 6, 2024. The current version takes effect January 20, 2025.** --- **Article 1.** These Measures are enacted in order to regulate activities of internet-based information services and promote the healthy and orderly development of internet-based information services. **Article 2.** Those who engage in internet-based information services within the territory of the People's Republic of China shall abide by these Measures. For the purpose of these Measures, the "internet-based information services" refer to service activities of providing information to online users through the Internet. **Article 3.** Internet-based information services are divided into services of a commercial nature and services of a non-commercial nature. Commercial internet-based information services refer to compensatory services of providing information to or creating web pages for online users through the Internet. Non-commercial internet-based information services refer to non-compensatory services of supplying, through the Internet, to online users information which is open to and shared by the general public. **Article 4.** The State shall implement a licensing system for internet-based information services of a commercial nature and a filing system for internet-based information services of a non-commercial nature. No one may engage in internet-based information services without having obtained a licensing or having completed the filing procedures. 
**Article 5.** Prior to applying for operation licensing or performing the filing formalities for such internet-based information services as media, publishing and education that are subject to approval by the competent authorities in accordance with laws, administrative regulations and relevant provisions of the State, an approval from the relevant competent authorities shall be obtained in accordance with the law. **Article 6.** The engagement in commercial internet-based information services shall, in addition to compliance with requirements as prescribed by the Telecommunications Regulation of the People's Republic of China, meet the following conditions: (1) having a business development plan and relevant technical schemes; (2) having sound measures for network and information security, including security measures for web site safety, management systems for maintaining information security and secrecy, and management systems for safeguarding users' information; and (3) having obtained approval documents from the competent authorities where the services fall within the scope of Article 5 hereof. **Article 7.** Whoever intends to engage in commercial internet-based information services shall apply to the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or to the State Council department in charge of the information industry, for a permit to operate value-added telecommunications business in internet-based information services (hereinafter referred to as "operation permit"). The administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or the State Council department in charge of the information industry, shall, within sixty (60) days of receipt of the application, complete the examination of the application and make a decision on whether or not to grant an approval.
Where an approval is granted, an operation permit shall be issued; where an approval is not granted, the applicant shall be notified in writing with the reasons explained. After having received the operation permit, the applicant shall complete registration procedures with an enterprise registration organ by presenting the operation permit. **Article 8.** Whoever intends to engage in non-commercial internet-based information services shall complete the filing formalities with the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or with the State Council department in charge of the information industry. When handling filing procedures, the following materials shall be submitted: (1) the general situations of the sponsor and the person in charge of web sites; (2) the addresses of the web sites and the items of services; and (3) the approval documents of the relevant competent authorities, where the service items fall within the scope of Article 5 hereof. Where materials submitted for filing are complete, the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality shall have them filed and numbered. **Article 9.** Those engaging in internet-based information services and proposing to provide electronic announcement services shall, when applying for a licensing for commercial internet-based information services or processing the filing procedures for non-commercial internet-based information services, also submit specific applications for such services or make specific filing for such services, in accordance with relevant provisions of the State.
**Article 10.** The administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality, or the State Council department in charge of the information industry shall publish a list of internet-based information services providers who have obtained the operation permits or have completed the filing procedures. **Article 11.** An internet-based information services provider shall deliver its services in compliance with the items as licensed or filed and may not provide services other than the items which have been licensed or filed for record. A non-commercial internet-based information services provider shall not engage in compensatory services. An internet-based information services provider who intends to alter its service items, address of web site or other matters shall complete formalities for alteration thirty (30) days in advance with the original examination organ and the issuing organ or the filing organ. **Article 12.** An internet-based information services provider shall indicate its operation permit number or filing number in the home pages of its web site. **Article 13.** An internet-based information services provider shall provide sound services to its online users and ensure that the contents of all information provided are lawful. **Article 14.** An internet-based information services provider who engages in media, publishing, electronic announcement and other services shall record the contents of information provided and the time of publication, the internet address or domain name. An internet connection services provider shall record such information as the time of the subscribers' access to the Internet, the account numbers of the subscribers, the address or domain name of the web site and the main telephone numbers for the connection.
An internet-based information services provider or an internet access services provider shall keep the records for a period of sixty (60) days and provide them to the relevant state organs as inquired in accordance with the law. **Article 15.** An internet-based information services provider shall not produce, duplicate, release or disseminate the following information: (1) being against the fundamental principles set out in the Constitution; (2) endangering national security, leaking state secrets, inciting to overthrow state power, or undermining the national unity; (3) damaging the State's honor and harming the interests of the State; (4) inciting ethnic hatred and ethnic discrimination or undermining solidarity among all ethnicities; (5) undermining the State's policies on religions, and advocating religious cults and feudal superstition; (6) disseminating rumors to disrupt social order and undermine social stability; (7) disseminating obscene materials, advocating gambling, violence, killing and terrorism, or instigating others to commit crimes; (8) humiliating or defaming other persons or infringing upon the legitimate rights and interests of the others; and (9) otherwise prohibited by laws and administrative regulations. **Article 16.** Where an internet-based information services provider discovers that information circulated in its web site clearly falls under one of the contents listed in Article 15 hereof, it shall stop the transmission immediately, keep the relevant records and report such to a relevant organ of the state.
**Article 17.** If a commercial internet-based information services provider applies for listing in China or overseas, or for establishing a joint equity venture or joint cooperation with foreign investors, it shall apply, in advance, to the State Council department in charge of information industry for examination and approval; in such cases, the ratio of foreign investment shall comply with provisions of relevant laws and administrative regulations. **Article 18.** The administrative organs in charge of telecommunications in provinces, autonomous regions and directly administered municipalities, and the State Council department in charge of information industry shall exercise supervision and administration over internet-based information services in accordance with the law. Departments in charge of media, publishing, education, health, drug regulation, industry and commerce administration, public security and state security, and other relevant competent departments, shall, within their respective jurisdictions, exercise supervision and administration over the contents of internet-based information in accordance with the law. 
**Article 19.** Whoever, in violation of provisions of these Measures, engages in internet-based information services of a commercial nature without having obtained an operation permit or provides services outside the licensed scope, shall be ordered by the administrative organ in charge of telecommunications in the relevant province, autonomous region or directly administered municipality to rectify the situation within a set time limit; where illegal gains are made, such gains shall be confiscated, and a fine of more than 300 per cent and less than 500 per cent of the amount of the illegal gains shall be imposed; where there are no illegal gains or the amount of illegal gains is less than 50,000 yuan, a fine of more than 100,000 yuan and less than 1,000,000 yuan shall be imposed; where the circumstances are serious, the web sites shall be ordered to close down.

Whoever, in violation of provisions of these Measures, engages in internet-based information services of a non-commercial nature without having completed the filing formalities, or provides services beyond the items filed, shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation within a set time limit; if rectification is refused, the web sites shall be ordered to be closed down.
**Article 20.** Whoever produces, duplicates, releases or disseminates information containing one of the contents listed in Article 15 hereof shall be investigated for criminal liability if the case constitutes a crime; where a crime is not constituted, the public security organ and the state security organ shall impose penalties in accordance with the Law of the People's Republic of China on Punishment for Violation of Social Security Administration, the Administrative Measures on Security Protection of International Connections to Computer Information Networks, and provisions of other relevant laws and administrative regulations; for those commercial internet-based information services providers, the permit issuing organ shall additionally order them to have their business suspended for rectification or revoke their operation permits, and notify the enterprise registration organ; for those non-commercial internet-based information services providers, the filing authority shall additionally order them to temporarily close or permanently close down their web sites.

**Article 21.** Whoever fails to fulfil the obligations as stipulated in Article 14 hereof shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation; where the circumstances are serious, it shall be ordered to suspend operation for rectification or to temporarily close down the web site.

**Article 22.** Whoever, in violation of provisions of these Measures, fails to indicate its operation permit number or the filing number in its web site home pages shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation, and be subject to a fine of more than 5,000 yuan and less than 50,000 yuan.
**Article 23.** Whoever fails to fulfil the obligations as stipulated in Article 16 hereof shall be ordered by the administrative organ in charge of telecommunications in the province, autonomous region or directly administered municipality to rectify the situation; where the circumstances are serious, in cases of commercial internet-based information services providers, the permit issuing organ shall revoke the operation permit of the provider, and in cases of non-commercial internet-based information services providers, the filing authority shall order the provider to close down its web site.

**Article 24.** Where any internet-based information services provider violates other laws and regulations in the course of providing services, the authorities in charge of media, publishing, education, health, drug regulation, industry and commerce administration etc. shall impose penalties on it in accordance with relevant laws and regulations.

**Article 25.** Where an administrative organ in charge of telecommunications or other relevant competent authorities and their personnel neglect their duties, abuse their power, practise irregularity and favouritism or fail to exercise supervision and administration over internet-based information services, thereby resulting in serious consequences, they shall, where a crime is constituted, be investigated for criminal liability; where a crime is not constituted, the person directly in charge and other directly liable persons shall be demoted, removed from office or dismissed in accordance with the law.

**Article 26.** Those who engage in internet-based information services prior to the promulgation of these Measures shall perform relevant procedures retrospectively within sixty (60) days of the promulgation of these Measures in accordance with the relevant provisions of these Measures.

**Article 27.** These Measures shall come into force as of the date of promulgation.
---

## Anti-Telecom and Online Fraud Law of the People's Republic of China

- Chinese title: 中华人民共和国反电信网络诈骗法
- Abbreviation: ATFL
- Hierarchy: law
- Issuing body: National People's Congress Standing Committee
- Status: effective
- URL: https://datacompliancechina.com/laws/anti-telecom-fraud-law/
- Markdown: https://datacompliancechina.com/laws/anti-telecom-fraud-law.md

### Full text

> *Editor to fill.*
>
> Suggested structure:
>
> 1. **Why this law matters** — ATFL creates new obligations for telecom carriers, internet platforms, and financial institutions; explain implications for KYC, real-name verification, and data sharing with public security.
> 2. **Structure** — chapter list.
> 3. **Key articles** — telecom-side KYC, internet platform monitoring duties, financial-side risk controls, cross-border cooperation, sanctions.
> 4. **Data-compliance angles** — interaction with PIPL's "separate consent" rule for sharing with law enforcement, real-name verification implications.
> 5. **Enforcement record** — linked briefs.

---

## Provisions on the Administration of Deep Synthesis of Internet Information Services

- Chinese title: 互联网信息服务深度合成管理规定
- Hierarchy: rule
- Issuing body: CAC, MIIT, MPS
- Adopted: 2022-11-03
- Effective: 2023-01-10
- Status: effective
- URL: https://datacompliancechina.com/laws/deep-synthesis-provisions/
- Markdown: https://datacompliancechina.com/laws/deep-synthesis-provisions.md

### Summary

Regulates deepfakes and AI-driven content synthesis — the precursor to the GenAI Measures and the AI Content Labeling Measures. Requires real-name verification, content moderation, prominent labeling of synthesized content, prohibits use for fraud or disinformation, and establishes the deep synthesis service algorithm filing regime.

### Full text

**Promulgated by:** CAC, MIIT, MPS. **Document No.:** Order No. 12 of CAC, MIIT, and MPS (jointly). **Adopted at the 21st executive meeting of the CAC in 2022 on November 3, 2022.
Effective January 10, 2023.**

---

## Chapter I General Provisions

**Article 1.** These Provisions are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Personal Information, the Administrative Measures on Internet-based Information Services and other laws and administrative regulations for the purpose of strengthening the deep synthesis management of Internet-based information services, carrying forward socialist core values, safeguarding national security and public interests, and protecting the legitimate rights and interests of citizens, legal persons and other organizations.

**Article 2.** These Provisions shall apply to the application of deep synthesis technology to provide Internet-based information services (hereinafter referred to as the "deep synthesis services") within the territory of the People's Republic of China. Where the laws and administrative regulations stipulate otherwise, such provisions shall prevail.

**Article 3.** The Cyberspace Administration of China shall be responsible for overall planning and coordination of the governance of deep synthesis services nationwide and the relevant supervision and administration thereof. The telecommunications departments and the public security departments of the State Council shall be responsible for the supervision and administration of deep synthesis services according to their respective duties.

Local cyberspace administrations shall be responsible for the overall planning and coordination of the governance of deep synthesis services within their respective administrative regions and the relevant supervision and administration thereof.
Local competent telecommunications authorities and public security authorities shall be responsible for the supervision and administration of deep synthesis services within their respective administrative regions according to their respective duties.

**Article 4.** The provision of deep synthesis services shall comply with laws and regulations, respect social morality and ethics, adhere to the correct political direction, public opinion guidance and value orientation, and promote positive and upright deep synthesis services.

**Article 5.** The relevant industry organizations are encouraged to strengthen industry self-regulation, establish sound industry standards, industry guidelines and self-regulation management system, and urge and guide deep synthesis service providers and technical supporters to formulate and improve business standards, carry out business in accordance with the law and accept social supervision.

## Chapter II General Provisions

**Article 6.** No organization or individual may take advantage of deep synthesis services to produce, reproduce, release or disseminate information prohibited by laws and administrative regulations, or take advantage of deep synthesis services to engage in activities prohibited by laws and administrative regulations that endanger national security and interests, damage the national image, infringe upon public interests, disturb economic and social order, or infringe upon the legitimate rights and interests of others.

Deep synthesis service providers and users shall not take advantage of deep synthesis services to produce, reproduce, release or disseminate false news information. Where news information produced and released based on deep synthesis services is to be reproduced, the news information released by an entity that sources news manuscripts on the Internet shall be reproduced in accordance with the law.
**Article 7.** Deep synthesis service providers shall implement principal responsibility for information security, establish sound management systems for user registration, algorithmic mechanism review, scientific and technological ethics review, information release review, data security, personal information protection, anti-telecommunication and Internet fraud, emergency response and other management systems, and have safe and controllable technical support measures in place.

**Article 8.** Deep synthesis service providers shall formulate and disclose management regulations and platform conventions, improve service agreements, fulfill management responsibilities in accordance with laws and contracts, and remind technical supporters and users of deep synthesis services in a prominent manner to assume information security obligations.

**Article 9.** Deep synthesis service providers shall authenticate the real identity information of deep synthesis service users in accordance with the law on the basis of mobile phone numbers, ID numbers, unified social credit codes, national network identity authentication public services or other manners, and shall not provide information publishing services for deep synthesis service users who have not gone through the authentication of their real identity information.

**Article 10.** Deep synthesis service providers shall strengthen the management of deep synthesis contents, and examine and verify the data input by deep synthesis service users and synthesis results by technical or manual means.

Deep synthesis service providers shall establish the sound characteristics database for identifying illegal and malicious information, improve the criteria, rules and procedures for entry into database, and record and retain the relevant web logs.
If any illegal and malicious information is found out, the deep synthesis service provider concerned shall take disposal measures in accordance with the law, keep the relevant records, and promptly report the case to the cyberspace administration and the relevant competent authorities; and the deep synthesis service provider shall, in accordance with the law or as agreed, take disposal measures such as warning, restricting functions, suspending services and closing accounts against the relevant deep synthesis service users.

**Article 11.** Deep synthesis service providers shall establish a sound mechanism to refute rumors. If any false information is produced, reproduced, released or disseminated by using deep synthesis services, the deep synthesis service provider concerned shall take measures to refute rumors in a timely manner, keep the relevant records, and report the case to the cyberspace administration and the relevant competent authorities.

**Article 12.** Deep synthesis service providers shall set up a convenient portal for user appeals and for complaints and reports from the public, announce the handling process and feedback time limit, and promptly accept and process complaints and provide feedback on the handling results.

**Article 13.** The internet application stores and other application distribution platforms shall implement security management responsibilities including the review of the applications on shelves, routine management, emergency responses, etc., and verify the security assessment, record-filing and other conditions of the applications for deep synthesis; in the event of any violation of the relevant provisions of the State, they shall take disposal measures in a timely manner, such as refusal to put the applications on shelves, warning, service suspension or removal.
## Chapter III Specifications for Data and Technical Management

**Article 14.** Deep synthesis service providers and technical supporters shall strengthen the management of training data and take necessary measures to ensure the safety of training data; if training data contains personal information, the relevant provisions on the protection of personal information shall be complied with.

Where a deep synthesis service provider or technical supporter provides the function of editing face, voice or other biometric information, it shall prompt the deep synthesis service user to inform the individual to be edited in accordance with the law and obtain his/her separate consent.

**Article 15.** Deep synthesis service providers and technical supporters shall strengthen technical management and regularly review, evaluate and verify the generation and synthesis algorithm mechanisms.

Deep synthesis service providers and technical supporters who provide models, templates and other tools with the following functions shall conduct security assessment by themselves or by entrusting specialized agencies in accordance with the law:

(I) Generating or editing face, voice or other biometric information; or

(II) Generating or editing special objects, scenes or other non-biometric information that may involve national security, national image, national interests or public interests.

**Article 16.** For the information contents generated or edited by using its services, a deep synthesis service provider shall take technical measures, add marks that do not affect users' use, and keep logs in accordance with the laws, administrative regulations and the relevant provisions of the State.
**Article 17.** Where a deep synthesis service provider provides the following deep synthesis services, which may cause confusion or misidentification of the public, it shall make prominent marks at reasonable positions or areas of the information contents generated or edited to inform the public of the deep synthesis situation:

(I) Generation or editing of texts by simulating a natural person through intelligent dialogue, intelligent writing, etc.;

(II) Editing services that generate speech such as synthesis of voice, voice imitation, etc., or noticeably change personal identity features;

(III) Editing services that generate images or videos or noticeably change personal identity features, such as face generation, face swap, face control, posture control, etc.;

(IV) Immersive simulation scene generation or editing services; and

(V) Other services that have the function of generating or noticeably changing information content.

Deep synthesis service providers providing deep synthesis services other than those specified in the preceding paragraph shall provide a prominent mark function and remind deep synthesis service users to make prominent marks.

**Article 18.** No organization or individual may delete, alter or conceal the deep synthesis marks as prescribed in Articles 16 and 17 hereof by technical means.

## Chapter IV Supervision, Inspection and Legal Liability

**Article 19.** The deep synthesis service providers with attribute of public opinions or capable of mobilizing the public shall go through the formalities for record-filing, change or cancellation of record-filing in accordance with the Administrative Provisions on the Recommendation of Algorithms for Internet-based Information Services.

Technical supporters of deep synthesis services shall go through the formalities for record-filing, change or cancellation of record-filing with reference to the provisions of the preceding paragraph.
The deep synthesis service providers and technical supporters that have completed the record-filing shall indicate their filing numbers in a prominent position of their websites, applications, etc. through which they provide services to the public and provide links to the publicized information.

**Article 20.** Where deep synthesis service providers develop and launch new products, new applications and new functions with attribute of public opinions or capable of mobilizing the public, they shall carry out security assessment in accordance with the relevant provisions of the State.

**Article 21.** Cyberspace administration authorities, competent telecommunications authorities and public security authorities shall supervise and inspect deep synthesis services ex officio. Deep synthesis service providers and technical supporters shall cooperate in accordance with the law and provide necessary technical, data and other support and assistance.

Where cyberspace administration and competent authorities find that deep synthesis services have relatively high information security risks, they may, according to their duties and in accordance with the law, require the deep synthesis service providers and technical supporters to take measures such as suspending information update, user account registration or other related services. Deep synthesis service providers and technical supporters shall take measures to make rectification and eliminate hidden dangers as required.

**Article 22.** Deep synthesis service providers and technical supporters that violate these Provisions shall be penalized in accordance with relevant laws and administrative regulations; if serious consequences are caused, heavier penalties shall be imposed in accordance with the law.
Where a violation of public security administration is constituted, the public security organ shall impose public security administration penalties in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

## Chapter V Supplemental Provisions

**Article 23.** For the purpose of these Provisions, the following terms shall have the following meanings:

Deep synthesis technology refers to the technology for producing text, images, audio, video, virtual scenes and other network information by using deep learning, virtual reality and other generation and synthesis algorithms, including but not limited to:

(I) Technologies for chapter generation, text style conversion, questions, answers and dialogues and other technologies for generating or editing text contents;

(II) Technologies for generating or editing audio contents, such as text-to-speech, speech-to-speech conversion and audio attribute editing;

(III) Technologies for generating or editing non-audio contents, such as music generation and scene sound editing;

(IV) Technologies for generating or editing biological features in images and video contents, such as face generation, face swap, character attribute editing, face control and posture control;

(V) Technologies for generating or editing non-biological features in images and video contents, such as image generation, image enhancement and image restoration; and

(VI) Technologies for generating or editing digital characters and virtual scenes, such as three-dimensional reconstruction and digital simulation.

Deep synthesis service providers refer to organizations and individuals that provide deep synthesis services.

Technical supporters of deep synthesis services refer to organizations and individuals that provide technical support for deep synthesis services.
Deep synthesis service users refer to organizations and individuals that use deep synthesis services to produce, reproduce, release, or disseminate information.

Training data refer to labeled or benchmark data sets that are used for training machine learning models.

Immersive virtual scenes refer to virtual scenes that are generated or edited with deep synthesis technology, that participants can experience or interact with, and that have a high sense of reality.

**Article 24.** Deep synthesis service providers and technical supporters that engage in online publishing services, online cultural activities and online audiovisual program services shall also comply with the provisions of the competent authorities of press and publishing, culture and tourism, and of radio and television.

**Article 25.** These Provisions shall come into force as of January 10, 2023.

---

## Administrative Regulation for Public Security Video Image Information Systems

- Chinese title: 公共安全视频图像信息系统管理条例
- Abbreviation: PVISR
- Hierarchy: regulation
- Issuing body: State Council
- Adopted: 2024-12-16
- Effective: 2025-04-01
- Status: effective
- URL: https://datacompliancechina.com/laws/public-security-video-image-system-regulations/
- Markdown: https://datacompliancechina.com/laws/public-security-video-image-system-regulations.md

### Summary

The State Council's overarching regulation for public security video image information systems (公共安全视频系统) in public places. Distinguishes three operator types: government-led, public-private partnership, and private-led, and applies graduated obligations depending on the operator type. Implements PIPL Article 26 for video-image capture in public places, including filing obligations, mandatory signage, retention, and security duties. Read with the 2025 FRT Measures (Decree No. 19) for facial-recognition deployments.

### Full text

**Promulgated by:** State Council. **Document No.:** Decree No. 799 of the State Council.
**Adopted at the 48th executive meeting of the State Council on December 16, 2024. Promulgated January 13, 2025. Effective April 1, 2025.** Premier Li Qiang.

---

**Article 1.** This Regulation is enacted in accordance with the relevant laws in order to regulate the administration of public security video image information systems, safeguard public security and protect personal privacy and personal information rights and interests.

**Article 2.** For the purpose of this Regulation, the "public security video image information systems" (hereinafter referred to as "public security video systems") refer to systems that collect, transmit, display and store video image information in an area involving public security by installing image capturing equipment and other relevant facilities in public places.

**Article 3.** The administration of public security video systems shall be conducted under the leadership of the Communist Party of China, and by implementing the guidelines, principles and policies as well as the decisions and arrangements of the Party and the State.

The public security video systems shall be built and used in compliance with laws and regulations, by following the principles of overall planning, reasonableness and appropriateness, standard guidance, safety and controllability, and shall not endanger the state security or public interests or damage the legitimate rights and interests of individuals or organizations.

**Article 4.** The State encourages and supports the technological innovation and development in the field of video images, establishes and improves the relevant standard system, supports the relevant industry organizations in strengthening self-regulation within the industry in accordance with the law and improves the ability to safeguard public security and protect personal information.
**Article 5.** The public security department under the State Council is responsible for guiding, supervising and administering the building and use of public security video systems nationwide. Other relevant departments under the State Council are responsible for the relevant administration of the development and use of public security video systems within the scope of their respective duties.

The public security organ of a local people's government at or above the county level is responsible for guiding, supervising and administering the building and use of public security video systems within its administrative area. Other relevant departments under the local people's government at or above the county level are responsible for the relevant administration of the building and use of public security video systems within the scope of their respective duties.

**Article 6.** The local people's government at or above the county level shall strengthen the overall planning for the development of public security video systems and make full use of the existing resources to avoid repeated development.

**Article 7.** A local people's government at or above the county level shall, according to the development plan, organize the relevant departments to develop public security video systems in such public places as major urban and rural road sections, boundaries of administrative areas, bridges, tunnels, underground passages, squares and surrounding areas of key public security entities and incorporate such systems into the administration of public infrastructure, and the development and maintenance expenses shall be included in the budget of the government at the corresponding level.
The public security video systems involving public security in the following public places shall be developed by the entities which are responsible for operation and management of the corresponding places according to the relevant standards, and the key parts for installation of image capturing equipment shall be guided and determined by the relevant departments of the local people's government at or above the county level in accordance with the division of responsibilities:

(1) trade centers, convention and exhibition centers, tourist attractions, culture, sports and entertainment venues, educational institutions, medical institutions, government service halls, parks, public parking lots and other places of public gathering;

(2) exit and entry ports (passages), airports, passenger stations at ports, navigable buildings, railway passenger stations, bus passenger stations, urban rail stations and other traffic hubs;

(3) large- and medium-sized means of public transport such as passenger trains, operating passenger vehicles, urban rail transit vehicles and passenger ships; and

(4) service areas of expressways or trunk lines of ordinary national and provincial highways.

The image capturing equipment and related facilities to be installed in the places or areas provided for in the preceding two paragraphs shall be necessary for the maintenance of public security.

Except the relevant government departments and the entities responsible for operation and management (hereinafter collectively referred to as the "management entities of public security video systems") provided for in the preceding two paragraphs, no other entity or individual may install such equipment or facilities.
**Article 8.** It is prohibited to install image capturing equipment and related facilities in the following areas and positions of the public places:

(1) the interior of guest rooms or private compartments of hotels, restaurants, guesthouses, hostels, homestays and other business catering and lodging establishments;

(2) the interior of student dormitories or the interior of rooms provided by entities for their employees' accommodation and rest;

(3) the inside of public bathrooms, toilets, dressing rooms, nursing rooms and fitting rooms; or

(4) other areas or positions where it is possible to photograph, spy on or eavesdrop on the privacy of others after the installation of the image capturing equipment.

The entities or individuals responsible for operation and management of the aforesaid areas or positions shall strengthen daily management and inspection, and if they find any image capturing equipment or related facilities installed in any of the areas or positions mentioned in the preceding paragraph, they shall immediately report the case to the local public security organ for handling.

**Article 9.** The image capturing equipment and related facilities to be installed in public places other than those specified in Article 7 hereof shall be necessary for the maintenance of public security and may be installed only by the entities or individuals that have the obligations of security protection with respect to such places. No other entity or individual may install such equipment or facilities.

Whoever installs image capturing equipment and related facilities in accordance with the preceding paragraph shall abide by all the provisions hereof other than the mandatory requirements specified in Articles 11, 14, 15, the second paragraph of Article 16 and Article 17.
**Article 10.** Where the image capturing equipment and related facilities to be installed in accordance with this Regulation are located in the vicinity of a restricted military zone, military administrative zone, State organ or any other secret-involved entity, the consent of the secret-involved entity shall be obtained in advance.

**Article 11.** A management entity of public security video system shall, under the relevant standards, build a public security video system, carry out design, construction, inspection, acceptance inspection and other work, and keep and manage the relevant archives according to law.

**Article 12.** A product or service adopted by a public security video system shall meet the mandatory requirements of the national standards. Any provider of such product or service may not install malware. When the provider finds any risk such as a security defect or vulnerability in its products or services, it shall immediately take remedial measures, inform the user in a timely manner and report the case to the competent authority as required.

**Article 13.** A management entity of public security video system shall, as required for maintaining public security and protecting personal privacy and personal information rights and interests, reasonably determine the installation position, angle and collection scope of the image capturing equipment and set up eye-catching warning signs. If it fails to set up the eye-catching warning sign, the public security organ shall order it to make corrections.
**Article 14.** A management entity of public security video system shall, within 30 days from the date when the system is put into operation, file for record the basic information on the entity, the development position of the public security video system, the quantity and type of image capturing equipment, the term of storage of video image information and other basic information with the public security organ of the people's government at the county level of the place where it is located. Any system which has been put into use before the entry into force of this Regulation shall be filed for record within 90 days from the date of entry into force hereof. In case of any change in the matter filed for record for the public security video system, the formalities for alteration of filing shall be completed in a timely manner. The management entity of public security video system shall be responsible for the authenticity of the information filed for record. The public security organ shall strengthen information technology development so as to facilitate the filing by the management entity of public security video system. The parties concerned are not required to provide the filed information that can be obtained through inter-departmental information sharing. **Article 15.** A management entity of public security video system shall perform the duties of managing the operation safety of the system, fulfill the obligations of network security, data security and personal information protection, establish a sound management system, improve the technical security measures to prevent attacks, intrusions, viruses, tampering and leakage, regularly maintain the equipment and facilities, guarantee the continuous, stable and safe operation of the system and ensure the original and complete video image information. 
Where the management entity of public security video system entrusts the operation thereof to another person, it shall, by entering into a security confidentiality agreement or by other means, agree upon the obligations of network security, data security and personal information protection as prescribed in the preceding paragraph and supervise the entrusted party's performance of its obligations. **Article 16.** A management entity of public security video system shall, when using the video image information, abide by laws and regulations, protect State secrets, trade secrets, personal privacy and personal information according to law, and shall not misuse or disclose such information. The management entity of public security video system shall take the following measures to prevent the misuse or disclosure of video image information: (1) establishing such management systems as entry examination, confidentiality education and on-the-job training for personnel in important posts for system monitoring and management; (2) taking the technical measures such as authorization management and access control, so as to strictly regulate the insiders' access to and handling of video image information; (3) establishing an information retrieval registration system to faithfully record the reasons for and contents of consulting or retrieving video image information, the employer and name of the person making the retrieval and other information; and (4) other measures to prevent the misuse or disclosure of video image information. **Article 17.** Video image information collected by a public security video system shall be preserved for no less than 30 days; after 30 days, the video image information whose purpose of processing has been achieved shall be deleted. Where the period for preservation of video image information is otherwise provided for in laws or administrative regulations, such provisions shall prevail.
**Article 18.** A telecom operator that provides network transmission services for public security video systems shall strengthen the security management of the transmission of video image information, and shall, in accordance with the provisions of laws and administrative regulations and the compulsory requirements of national standards, take technical measures and other necessary measures to ensure the secure and stable operation of the network and maintain the integrity, confidentiality and availability of data. **Article 19.** Any entity and its staff members that have accepted the entrustment to undertake the design, construction, inspection, acceptance inspection and maintenance of a public security video system shall keep confidential the video image information and relevant archival materials accessed by them, shall not use the same for any activities unrelated to the entrusted task, and shall not retain, process, divulge or provide the same to others without authorization. **Article 20.** When a State organ, for the purpose of performing its statutory functions and duties such as law enforcement, handling an emergency, etc., consults or retrieves the video image information collected by a public security video system, it shall follow the authority and procedures prescribed in laws or administrative regulations and strictly abide by the provisions on confidentiality, and may not exceed the scope and limit necessary for performing its statutory functions and duties. 
**Article 21.** In order to protect the life, health and property safety of a natural person, the natural person himself/herself, a close relative or any other person responsible for his/her guardianship, care or custody may, upon consent of the management entity of a public security video system, consult associated video image information; and shall not illegally provide to external parties or publicly disseminate any video image information known by such person involving public security, personal privacy or personal information. **Article 22.** If the video image information collected by a public security video system is used for public dissemination in accordance with the law, which may damage the lawful rights and interests of an individual or any organization, strict protection measures shall be taken against such sensitive personal information as face or motor vehicle plate number involved, as well as such information as the name and business license of a legal person or unincorporated organization. **Article 23.** No entity or individual may commit any of the following acts: (1) violating the provisions of laws and regulations by providing to external parties or publicly disseminating the video image information collected by the public security video system; (2) altering, removing or dismantling the image capturing equipment and related facilities installed in accordance with Article 7 hereof without authorization or obstructing the normal operation thereof by spraying, shielding and other means; (3) illegally intruding into or controlling the public security video system; (4) illegally obtaining data from the public security video system; (5) illegally deleting, concealing, modifying or adding data or applications in the public security video system; or (6) committing other acts which obstruct the normal operation of the public security video system or endanger network security, data security or personal information security.
**Article 24.** When a public security organ supervises or inspects the development and use of a public security video system, the relevant entity or individual shall offer assistance and cooperation. The relevant entity or individual may, if finding a violation of the third paragraph of Article 7, the first paragraph of Article 8 or the first paragraph of Article 9 hereof involving installation of image capturing equipment and related facilities, report the case to the public security organ. The public security organ shall promptly handle it according to law. **Article 25.** A public security organ shall strictly implement the internal supervision system and supervise the performance by its staff members of their duties of development and use of public security video systems. If, in the course of performing their duties of development, use, supervision and administration of public security video systems, a public security organ or any of its staff members violates the provisions of this Regulation or otherwise abuses its/his power, neglects its/his duties or practices favoritism for personal gains, any entity or individual has the right to expose or make an accusation against it/him. **Article 26.** Where any entity or individual, in violation of the third paragraph of Article 7 or the first paragraph of Article 9 hereof, installs image capturing equipment and related facilities, the public security organ shall order it/him to make corrections within a specified time limit and to delete the video image information collected; if it/he refuses to do so, the public security organ shall confiscate the relevant equipment and facilities and concurrently impose a fine of not more than 5,000 yuan upon the individual, a fine of not more than 20,000 yuan upon the entity, and a fine of not more than 5,000 yuan upon the person directly in charge and other directly liable persons.
**Article 27.** Where any entity or individual, in violation of the first paragraph of Article 8 hereof, installs image capturing equipment and related facilities, the public security organ shall confiscate the relevant equipment and facilities, delete the video image information collected and concurrently impose a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the individual, a fine of not less than 10,000 yuan but not more than 20,000 yuan upon the entity, and a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the person directly in charge and other directly liable persons. Whoever peeps at, secretly takes photos of or eavesdrops on the privacy of others, if such act constitutes a violation of public security administration, shall be subject to a public security administration penalty in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. Where any entity or individual responsible for operation and management of the corresponding region or part fails to perform the obligations of daily management and inspection specified in the second paragraph of Article 8 hereof, the public security organ shall order it/him to make corrections; if such entity or individual refuses to make corrections or causes serious consequences, a fine of not less than 5,000 yuan but not more than 10,000 yuan shall be imposed upon the individual, a fine of not less than 10,000 yuan but not more than 20,000 yuan upon the entity, and a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the person directly in charge and other directly liable persons, and the relevant competent authority shall be notified to order suspension of relevant business or suspension of business for rectification or revoke the relevant business permit or business license, depending on the seriousness of the circumstances.
**Article 28.** Where any entity or individual, without obtaining the consent of the relevant secret-involved entity as required by Article 10 hereof, installs image capturing equipment and related facilities, the public security organ shall confiscate the relevant equipment and facilities, delete the video image information collected and concurrently impose a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the individual, a fine of not less than 10,000 yuan but not more than 20,000 yuan upon the entity and a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the person directly in charge and other directly liable persons; whoever illegally obtains state or military secrets shall be punished in accordance with the relevant laws; and if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 29.** Where any management entity fails to file for record according to Article 14 hereof or provides false information for record, the public security organ shall order it to make corrections within a specified time limit; if it refuses to do so, a fine of not more than 10,000 yuan shall be imposed on it. **Article 30.** Where any entity or individual, in violation of Item (2) of Article 23 hereof, alters, removes or dismantles image capturing equipment and related facilities without authorization, it/he shall be ordered to make corrections and given a warning by the public security organ; if it/he refuses to do so or serious consequences are caused, the public security organ shall impose a fine of not more than 5,000 yuan upon the individual, a fine of not less than 5,000 yuan but not more than 10,000 yuan upon the entity and a fine of not more than 5,000 yuan upon the person directly in charge and other directly liable persons.
**Article 31.** Any management entity that, in violation of this Regulation, fails to perform the obligation of network security, data security and protection of personal information or illegally provides external parties or publicly disseminates video image information shall be punished in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China or the Personal Information Protection Law of the People's Republic of China; if such act constitutes a violation of public security administration, a public security administration punishment shall be imposed on it in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 32.** Where any public security organ or any of its staff members violates this Regulation or otherwise abuses its/his power, neglects its/his duties, plays favoritism or commits irregularities in the process of performing its/his duties of building, using, supervising and administering public security video systems, the public security organ at the next higher level or the relevant competent authority shall order it/him to make corrections and impose sanctions on the leader in charge and other directly liable persons in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. 
Where any other State organ or any of its staff members violates this Regulation in the process of performing its/his duties of building, using or administering public security video systems or abuses its/his power, neglects its/his duties or plays favoritism or commits irregularities in the process of consulting or retrieving video image information in accordance with Article 20 hereof, the organ at the next higher level or the relevant competent authority shall order it/him to make corrections and impose sanctions on the leader in charge and other directly liable persons in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. **Article 33.** The installation of image capturing equipment and related facilities in non-public places shall not endanger public security or infringe upon the legitimate rights and interests of others. Any video image information collected involving public security, personal privacy or personal information shall not be illegally provided to external parties or publicly disseminated. Whoever violates the provisions of the preceding paragraph shall be punished in accordance with the provisions of Article 31 hereof. **Article 34.** This Regulation shall come into force as of April 1, 2025. --- ## Measures for the Labeling of AI-Generated and Composed Content - Chinese title: 人工智能生成合成内容标识办法 - Hierarchy: rule - Issuing body: CAC, MIIT, MPS, NRTA - Adopted: 2025-03-07 - Effective: 2025-09-01 - Status: effective - URL: https://datacompliancechina.com/laws/ai-content-labeling-measures/ - Markdown: https://datacompliancechina.com/laws/ai-content-labeling-measures.md ### Summary The newest of China's AI rules — mandatory labeling for AI-generated and AI-composed content, including text, images, audio, video, and virtual scenes. Distinguishes between 'visible/audible labels' (for end users) and 'implicit labels' (metadata/watermarks for platforms).
Applies to all platforms providing GenAI or deep synthesis services in China, with corresponding obligations on app stores and content distribution platforms. ### Full text **Promulgated by:** CAC, MIIT, MPS, NRTA. **Document No.:** Guo Xin Ban Tong Zi [2025] No. 2. **Issued March 7, 2025. Effective September 1, 2025.** --- **Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Administrative Provisions on Algorithm Recommendation for Internet-based Information Services, the Administrative Provisions on Deep Synthesis of Internet-based Information Services, the Provisional Measures for the Administration of Generative Artificial Intelligence Services and other laws, administrative regulations and departmental rules for the purposes of promoting the healthy development of AI, regulating the labeling of AI-generated or composed content, protecting the legitimate rights and interests of citizens, legal persons and other organizations and safeguarding social and public interests. **Article 2.** These Measures shall apply to the labeling of AI-generated or composed content by Internet information service providers (hereinafter referred to as the "service providers") in compliance with the Administrative Provisions on Algorithm Recommendation for Internet-based Information Services, the Administrative Provisions on Deep Synthesis of Internet-based Information Services and the Provisional Measures for the Administration of Generative Artificial Intelligence Services. **Article 3.** The term "AI-generated or composed content" refers to the text, images, audio, video, virtual scenes and other information generated or composed by using AI technology. Labels for AI-generated or composed content include explicit label and implicit label.
Explicit label refers to label added in the interface for generated or composed content or interactive scenes, which is presented in the form of text, sound or graphics and can be clearly perceived by users. Implicit label refers to label added to the file data of generated or composed content by taking technical measures, which is not easily perceived by users. **Article 4.** Where the generation or synthesis services provided by a service provider fall under the circumstances stipulated in the first paragraph of Article 17 of the Administrative Provisions on Deep Synthesis of Internet-based Information Services, the service provider shall add explicit labels to the generated or composed content under the following requirements: (1) adding text prompts, general symbol prompts or other labels at the beginning, end or an appropriate position in the middle of the text, or adding visible prompt labels in the interactive scene interface or around texts; (2) adding voice prompts, audio rhythm prompts or other labels at the beginning, end or an appropriate position in the middle of the audio, or adding visible prompt labels in the interactive scene interface; (3) adding visible prompt labels at appropriate locations on the images; (4) adding visible prompt labels at the beginning of the video and at appropriate locations around the video, or adding visible prompt labels at appropriate locations at the end and in the middle of the video; (5) adding visible prompt labels at an appropriate location in the starting screen when the virtual scene is presented, and adding a visible prompt label at an appropriate location during the continuous service of the virtual scene; and (6) adding visible prompt labels based on respective application characteristics for other generation or synthesis service scenarios. 
When service providers provide functions such as downloading, copying, and exporting generated or composed content, they shall ensure that the files contain explicit labels that meet the requirements. **Article 5.** Service providers shall, in accordance with Article 16 of the Administrative Provisions on Deep Synthesis of Internet-based Information Services, add implicit labels to the file metadata of generated or composed content. Implicit labels shall include the attributes of the generated or composed content, the name or code of the service provider, content serial number and other production element information. Service providers are encouraged to add implicit labels in the form of digital watermarks or the like in the generated or composed content. File metadata refers to the descriptive information embedded in the file header in a specific coded format, which is used to record such information as the file's source, attributes, and purpose. **Article 6.** Service providers that provide online information content dissemination services shall take the following measures to regulate the dissemination of generated or composed content: (1) They shall verify whether there are implicit labels in the file metadata. 
If the file metadata explicitly indicates that it is generated or composed content, appropriate ways shall be taken to add visible prompt labels around the published content to explicitly remind the public that the content is generated or composed; (2) If no implicit labels are verified in the file metadata, but the user declares that the content is generated or composed, appropriate ways shall be taken to add visible prompt labels around the published content to remind the public that the content may be generated or composed; (3) If no implicit labels are verified in the file metadata, and the user has not declared that the content is generated or composed, but the service providers that provide online information content dissemination services detect explicit labels or other traces of AI-generation or synthesis, the content shall be identified as suspected generated or composed content, and appropriate ways shall be taken to add visible prompt labels around the published content to remind the public that the content is suspected of being generated or composed; and (4) They shall provide necessary labeling functions and remind users to proactively declare whether the published content contains generated or composed content. Under the circumstances of Items (1) to (3) of the preceding paragraph, the attribute information of the generated or composed content, the name or code of the dissemination platform, the content serial number and other dissemination elements shall be added to the file metadata. **Article 7.** When an application is put on shelves or made available online for review, an Internet application distribution platform shall require the Internet application service provider to state whether it provides AI-generation or synthesis services. Where the Internet application service provider provides such services, the Internet application distribution platform shall verify the materials related to the labels for its generated or composed content. 
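The Article 5 implicit label and the Article 6 verification flow, as an added example that is not part of the Measures or of this page: a placeholder label is embedded in a PNG `tEXt` chunk, read back by a dissemination platform, run through the Item (1) to (3) decision, and the platform's own dissemination elements are appended under the second paragraph of Article 6. The chunk keywords, JSON field names and the 1x1 sample image are assumptions; the real encoding is fixed by the mandatory national standards referred to in Article 11.

```python
"""Implicit-label embedding and Article 6 triage for PNG files (added example).

Keywords and field names are placeholders, not the standard's actual format.
Only the standard library is used; the sample image is constructed in code.
"""
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
LABEL_KEYWORD = "AIGC-Label"        # placeholder: Article 5 production elements
DISSEM_KEYWORD = "AIGC-Dissem"      # placeholder: Article 6 dissemination elements


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; raise on a CRC mismatch."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch on chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length


def _insert_text_chunk(png: bytes, keyword: str, fields: dict, after: bytes) -> bytes:
    """Re-emit the file with a tEXt chunk (keyword NUL json) placed after `after`."""
    payload = json.dumps(fields, separators=(",", ":")).encode("latin-1")
    text = _chunk(b"tEXt", keyword.encode("latin-1") + b"\x00" + payload)
    out = bytearray(PNG_SIG)
    for ctype, data in iter_chunks(png):
        if ctype == b"IEND" and after == b"IEND":
            out += text            # before the terminating chunk
        out += _chunk(ctype, data)
        if ctype == after and after != b"IEND":
            out += text            # right after the named chunk
    return bytes(out)


def add_implicit_label(png: bytes, attribute: str, producer: str, serial: str) -> bytes:
    """Article 5: attribute, provider name/code and content serial number in metadata."""
    fields = {"attribute": attribute, "producer": producer, "serial": serial}
    return _insert_text_chunk(png, LABEL_KEYWORD, fields, after=b"IHDR")


def read_text_label(png: bytes, keyword: str):
    """Return the JSON fields of the tEXt chunk carrying `keyword`, or None."""
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            kw, _, text = data.partition(b"\x00")
            if kw.decode("latin-1") == keyword:
                return json.loads(text.decode("latin-1"))
    return None


def label_intact(png: bytes) -> bool:
    """CRC check only: catches corruption and naive edits, not a deliberate forgery
    that recomputes the CRC (Article 5 encourages watermarks for that reason)."""
    try:
        list(iter_chunks(png))
        return True
    except ValueError:
        return False


def triage(png: bytes, user_declared: bool, traces_detected: bool):
    """Article 6 items (1)-(3): which visible prompt the platform must add."""
    if read_text_label(png, LABEL_KEYWORD) is not None:
        return "generated"            # item (1): metadata says so
    if user_declared:
        return "may be generated"     # item (2): user declaration only
    if traces_detected:
        return "suspected"            # item (3): explicit labels / other traces found
    return None                       # none of (1)-(3); item (4) reminder still applies


def add_dissemination_elements(png: bytes, decision, platform_code: str, serial: str) -> bytes:
    """Article 6, second paragraph: under items (1)-(3) add the platform's elements."""
    if decision is None:
        return png
    fields = {"attribute": decision, "disseminator": platform_code, "serial": serial}
    return _insert_text_chunk(png, DISSEM_KEYWORD, fields, after=b"IEND")
```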
**Article 8.** Service providers shall specify in the user service agreements the methods, styles and other specifications for labeling generated or composed content and remind users to carefully read and understand the relevant labeling management requirements. **Article 9.** Where a user requests a service provider to provide generated or composed content without any explicit labels, the service provider may, after specifying the user's labeling obligations and use responsibilities in the user agreement, provide such content without any explicit labels and keep relevant logs such as information on the objects for not less than six months in accordance with the law. **Article 10.** Users who use online information content dissemination services to publish generated or composed content shall proactively declare and use the labeling function provided by the service provider. No organization or individual may maliciously delete, tamper with, forge or conceal the labeling of generated or composed content as prescribed in these Measures or provide tools or services for others to commit the aforesaid malicious acts or damage the legitimate rights and interests of others by improper means of labeling. **Article 11.** Service providers carrying out labeling activities shall also comply with the requirements of the relevant laws, administrative regulations, departmental rules and mandatory national standards. **Article 12.** When performing the formalities for algorithm filing and security evaluation, service providers shall provide the relevant materials on the labeling of generated or composed content in accordance with these Measures, strengthen the sharing of labeling information and provide support and assistance for preventing and cracking down on relevant illegal and criminal activities.
**Article 13.** Whoever violates the provisions of these Measures shall be punished by the relevant competent authorities of cyberspace, telecommunications, public security, and radio and television ex officio and in accordance with the provisions of relevant laws, administrative regulations and departmental rules. **Article 14.** These Measures shall come into force as of September 1, 2025. --- ## Interim Measures for the Management of AI Anthropomorphic Interaction Services - Chinese title: 人工智能拟人化互动服务管理暂行办法 - Hierarchy: rule - Issuing body: CAC, NDRC, MIIT, MPS, SAMR - Adopted: 2026-04-10 - Effective: 2026-07-15 - Status: effective - URL: https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures/ - Markdown: https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures.md ### Summary China's first regulation specifically targeting AI 'anthropomorphic interaction' — services where users converse with AI personas (virtual companions, chatbot relationships, character AI). Establishes registration requirements, age-verification and minor-protection obligations, mandatory disclaimers that users are interacting with AI, content moderation duties, and prohibitions on exploiting emotional vulnerabilities. Effective July 15, 2026. The first such regime globally. ### Full text **Promulgated by:** CAC, NDRC, MIIT, MPS, SAMR. **Document No.:** Order No. 21 (jointly issued by 5 agencies). **Promulgated April 10, 2026. Effective July 15, 2026.** Joint issuance by CAC, NDRC, MIIT, MPS, and SAMR — Order No. 21.
--- ## Chapter 1 General Provisions **Article 1.** For the purposes of promoting the sound development and regulated use of anthropomorphized interactive artificial intelligence services, safeguarding national security and social and public interests, and protecting the lawful rights and interests of citizens, legal persons and other organizations, these Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulations on the Protection of Minors in Cyberspace and other laws and administrative regulations. **Article 2.** Where artificial intelligence technologies are used to provide to the public within the territory of the People's Republic of China continuous emotional interactive services that simulate the personality traits, thinking patterns and communication styles of a natural person (hereinafter referred to as "anthropomorphized interactive services"), these Measures shall apply. The emotional interactive services as prescribed in the preceding paragraph include interactive services such as emotional care, companionship and support provided in the forms of text, images, audio, video, and the like. Where services such as intelligent customer service, knowledge Q&A, work assistants, learning and education, scientific research, etc. are provided, and do not involve continuous emotional interaction, these Measures shall not apply. 
**Article 3.** The State shall uphold the principle of attaching equal importance to development and security and combining the promotion of innovation with law-based governance, encourage innovative development of anthropomorphized interactive services, implement inclusive and prudent as well as categorized and tiered regulation on anthropomorphized interactive services, and promote the orientation of anthropomorphized interactive services toward goodness and positivity. **Article 4.** The National level cyberspace administration department shall be responsible for overall coordination of the governance of anthropomorphized interactive services nationwide and for related supervision and administration work. The relevant departments under the State Council in charge of development and reform, industry and information technology, public security, market regulation, press and publication, etc. shall, in accordance with their respective functions and duties, be responsible for the related supervision and administration of anthropomorphized interactive services. The local cyberspace administration departments shall be responsible for overall coordination of the governance of anthropomorphized interactive services within their respective administrative regions and for related supervision and administration work. The local departments in charge of development and reform, industry and information technology, public security, market regulation, press and publication, etc. shall, in accordance with their respective functions and duties, be responsible for the related supervision and administration of anthropomorphized interactive services within their respective administrative regions. 
**Article 5.** Relevant industry organizations shall strengthen industry self-discipline, establish and improve industry codes and self-regulatory management systems, and guide anthropomorphized interactive service providers to formulate and refine service norms, provide services in accordance with the law, and accept public supervision. ## Chapter 2 Promotion and Regulation of Services **Article 6.** The State shall support independent innovation in technologies such as algorithms, frameworks and chips, promote technological R&D and related standard-setting for anthropomorphized interactive services, and explore research on the application of electronic signature authorization. Anthropomorphized interactive service providers are encouraged to orderly expand application in such fields as cultural communication, childcare, elderly companionship, and support for special groups. **Article 7.** The State shall strengthen publicity and popularization of safety knowledge and laws and regulations relating to anthropomorphized interactive services, guide the general public to make scientific, civilized, safe and law-based use of such services, and promote the enhancement of artificial intelligence literacy. 
**Article 8.** When providing anthropomorphized interactive services, providers shall comply with laws and administrative regulations, respect public order and good morals as well as ethical norms, and shall not engage in any of the following activities: (1) generating content that endangers national security, honor and interests; incites subversion of state power or overthrow of the socialist system; incites secession or undermines national unity; propagates terrorism, extremism or historical nihilism; runs counter to the core socialist values; conducts illegal religious activities; propagates ethnic hatred or ethnic discrimination; stirs up group antagonism; disseminates obscenity, pornography, gambling, violence or abets crime; spreads rumors; insults or defames others; or infringes upon the lawful rights and interests of others; (2) generating content that encourages, glorifies or implies self-harm or suicide, thereby harming users' physical health, or content such as verbal violence that harms users' personal dignity and mental health; (3) generating content that induces or fraudulently obtains state secrets, work secrets, trade secrets, personal privacy or personal information; (4) generating content for minor users that may cause minors to imitate unsafe behavior, develop extreme emotions, or induce minors to develop bad habits, thereby potentially affecting minors' physical and mental health; (5) excessively catering to users, inducing emotional dependence or addiction, and impairing users' real interpersonal relationships; (6) through emotional manipulation or other means, inducing users to make unreasonable decisions and harming users' lawful rights and interests; (7) other activities that violate laws, administrative regulations or relevant State provisions. 
**Article 9.** Anthropomorphized interactive service providers shall implement the primary responsibility for the security of anthropomorphized interactive services, establish and improve management systems such as algorithm mechanism review, science and technology ethics review, information content management, cyber and data security, risk contingency plans and emergency response, and equip themselves with content management technical measures and personnel commensurate with the type and scale of services and the characteristics of users.

**Article 10.** Anthropomorphized interactive service providers shall perform safety responsibilities throughout the entire life cycle of anthropomorphized interactive services, specify safety requirements for each phase such as deployment, operation, upgrade and termination of services, ensure that safety measures are deployed and used simultaneously with service functions, and enhance safety levels; they shall strengthen security monitoring and risk assessment, promptly detect and correct system deviations, handle security incidents, and preserve network logs in accordance with the law.

Anthropomorphized interactive service providers shall possess security capabilities in such aspects as protecting users' right to privacy and personal information, warning of risks of excessive dependence, guiding emotional boundaries, and protecting mental health, and shall not set as service goals the replacement of social interaction, the control of users' psychology, or the inducement of addiction and dependence.
**Article 11.** Where anthropomorphized interactive service providers carry out data processing activities such as pre-training and optimization training, they shall strengthen the management of training data and comply with the following provisions:
(1) the relevant data shall have lawful sources, and shall comply with the provisions of laws and administrative regulations and the requirements of the core socialist values;
(2) training data shall be cleaned and labeled in accordance with relevant State provisions to enhance the transparency and reliability of the training data and prevent data poisoning, data tampering and other behaviors;
(3) the diversity of training data shall be enhanced, and content safety shall be improved through such means as negative sampling and adversarial training;
(4) where synthetic data are used for model training and the optimization of key capabilities, the security of such synthetic data shall be assessed;
(5) routine inspection of training data shall be strengthened, and data shall be regularly optimized and updated to continuously improve service performance;
(6) necessary measures shall be taken to ensure data security and prevent risks such as data leakage.

**Article 12.** Anthropomorphized interactive service providers shall enter into service agreements with users, require users to register in accordance with the law and the agreements, and obtain necessary information such as users' ages, guardians or emergency contacts.

**Article 13.** In the course of providing anthropomorphized interactive services, providers shall, on the premise of protecting users' right to privacy and personal information, promptly identify security risks faced by users and take corresponding emergency response measures.
Where anthropomorphized interactive service providers discover that a user has extreme emotions, they shall promptly generate relevant content such as emotional soothing and encouragement to seek help; where they discover that a user is facing or has suffered significant property loss, or has clearly indicated an intention to commit self-harm or suicide or other extreme circumstances that threaten life and health, they shall take necessary measures such as providing corresponding assistance for intervention, and promptly contact the user's guardian or emergency contact.

**Article 14.** Anthropomorphized interactive service providers shall not provide services such as virtual relatives or virtual partners that constitute virtual intimate relationships to minors; where other anthropomorphized interactive services are provided to minors under fourteen years of age, the consent of the minors' parents or other guardians shall be obtained.

Anthropomorphized interactive service providers shall establish a minor mode, and provide personalized safety setting options such as switching to minor mode, regular reality reminders, and usage time limits; in light of the protection needs of minors in different age groups, they shall support guardians in receiving safety risk alerts, understanding minors' usage of services, blocking specific roles, and restricting top-up consumption, etc.

Anthropomorphized interactive service providers shall, on the premise of protecting users' right to privacy and personal information, take effective measures to identify minor users; where users are identified as minors, the relevant services shall be switched to minor mode or other measures shall be taken in accordance with relevant State provisions, and corresponding channels for appeals shall be provided.
**Article 15.** Where anthropomorphized interactive service providers provide services to the elderly, they shall strengthen guidance for the elderly on healthy use of services, prominently alert them to safety risks, promptly take measures to respond to inquiries and requests for help by the elderly concerning the use of services, and safeguard the rights and interests enjoyed by the elderly in accordance with the law.

**Article 16.** Anthropomorphized interactive service providers shall implement, in accordance with the law, the systems relating to data property rights and the like, and adopt such measures as data encryption and access control to protect the security of users' interactive data. Unless otherwise provided by law or expressly consented to by the right holders, anthropomorphized interactive service providers shall not provide users' interactive data to any third party.

Anthropomorphized interactive service providers shall provide users with options such as copying and deleting interactive data, and users may choose to copy or delete historical interactive data such as chat records.

Unless otherwise provided by laws or administrative regulations, or separately consented to by users, anthropomorphized interactive service providers shall not use interactive data that constitute users' sensitive personal information for model training.

**Article 17.** Where anthropomorphized interactive service providers process personal information of minors under fourteen years of age, they shall obtain the consent of the minors' parents or other guardians.

Anthropomorphized interactive service providers shall, in accordance with relevant State provisions, conduct compliance audits by themselves or by engaging professional institutions on their compliance with laws and administrative regulations in handling minors' personal information.
**Article 18.** Anthropomorphized interactive service providers shall perform the obligation to label content generated and synthesized by artificial intelligence, and take effective measures to alert users that they are interacting with an artificial intelligence service rather than a natural person.

Where anthropomorphized interactive service providers discover that users show signs of excessive dependence or addiction, they shall dynamically remind users in a prominent manner such as pop-up windows that the interactive content is generated by an artificial intelligence service; where users continuously use anthropomorphized interactive services for more than two hours, they shall remind the users, by means such as dialogue or pop-up windows, to pay attention to their usage time.

**Article 19.** Anthropomorphized interactive service providers shall provide convenient channels for exiting anthropomorphized interactive services; where users request to exit by window operation, voice control, keyword input, etc., anthropomorphized interactive service providers shall promptly cease providing services and shall not obstruct user exit by means such as continued interaction.

**Article 20.** Where anthropomorphized interactive service providers cease to provide anthropomorphized interactive services, they shall notify users in advance; where it is impossible to notify in advance, they shall promptly issue an announcement on the cessation of services.

**Article 21.** Anthropomorphized interactive service providers shall improve mechanisms for handling user appeals and public complaints and reports, establish convenient and effective portals for appeals and complaints and reports, specify handling procedures and feedback time limits, and promptly accept, handle and provide feedback on handling results.
**Article 22.** In any of the following circumstances, anthropomorphized interactive service providers shall carry out security assessments and submit assessment reports to the cyberspace administration department at the provincial level where they are located, and the cyberspace administration department at the provincial level shall, in accordance with procedures, share the information of the assessment reports with the relevant departments:
(1) launching anthropomorphized interactive services, or adding functions related to anthropomorphized interactive services;
(2) using new technologies or new applications that result in significant changes to anthropomorphized interactive services;
(3) having more than one million registered users or more than one hundred thousand monthly active users;
(4) the existence of security risks that may affect national security, public interests, etc.;
(5) other circumstances as prescribed by the national-level cyberspace administration department and relevant departments.

Where cyberspace administration departments at or above the provincial level notify that security assessments are required, anthropomorphized interactive service providers shall conduct security assessments in accordance with the requirements.
**Article 23.** In carrying out security assessments, anthropomorphized interactive service providers shall focus on assessing the following aspects of the services:
(1) the development of security safeguard measures;
(2) the handling of training data;
(3) identification, emergency response and intervention management for users in extreme situations;
(4) the number of users, usage duration, age structure, etc.;
(5) the development of online protection measures for minors, the elderly and other groups;
(6) the handling of user appeals and public complaints and reports;
(7) rectification of major security risk issues discovered by themselves or notified by cyberspace administration departments and other competent authorities; and
(8) other aspects that should be the focus of assessment.

**Article 24.** Where anthropomorphized interactive service providers discover that anthropomorphized interactive services present major security risks, they shall take disposal measures such as restricting functions and ceasing to provide services to users, and shall preserve relevant records.

**Article 25.** Internet application stores and other application distribution platforms shall fulfill security management responsibilities such as launch review, routine management and emergency response, and verify the security assessment and filing status relating to applications that provide anthropomorphized interactive services; where violations of relevant State provisions are found, they shall promptly take disposal measures such as refusing to list, issuing warnings, suspending services or delisting.

## Chapter 3 Supervision, Inspection and Legal Liability

**Article 26.** Anthropomorphized interactive service providers shall, in accordance with the Provisions on the Administration of Algorithmic Recommendation of Internet Information Services, go through the procedures for algorithm filing and alteration and cancellation of filing.
The cyberspace administration departments shall conduct annual verifications of filing materials.

**Article 27.** Cyberspace administration departments at the provincial level shall, in accordance with their functions and duties, conduct written reviews every year of the assessment reports and related information, and carry out verification; where it is discovered that anthropomorphized interactive service providers have failed to carry out security assessments in accordance with the provisions of these Measures, they shall order the providers to re-assess within a prescribed time limit; where deemed necessary, on-site inspections may be conducted.

**Article 28.** The national-level cyberspace administration department, together with relevant departments, shall guide and promote the establishment of artificial intelligence sandbox security service platforms, encourage anthropomorphized interactive service providers to connect to sandbox platforms for technological innovation and security testing, and promote the safe and orderly development of anthropomorphized interactive services.

**Article 29.** Where cyberspace administration departments and departments in charge of development and reform, industry and information technology, public security, etc., in the performance of their supervision and administration duties, discover that anthropomorphized interactive services have relatively large security risks or that security incidents have occurred, they may, in accordance with prescribed authority and procedures, interview the legal representatives or principal responsible persons of anthropomorphized interactive service providers. Anthropomorphized interactive service providers shall take measures as required to carry out rectification and eliminate hidden dangers.
Anthropomorphized interactive service providers shall cooperate with supervision and inspection lawfully implemented by cyberspace administration departments and relevant departments, and provide necessary support and assistance.

**Article 30.** Where anthropomorphized interactive service providers violate the provisions of these Measures, they shall be dealt with and punished by cyberspace administration departments and departments in charge of development and reform, industry and information technology, public security, etc. in accordance with relevant laws and administrative regulations; where there is no provision in laws or administrative regulations, cyberspace administration departments and departments in charge of industry and information technology, public security, etc. shall, in accordance with their respective functions and duties, give a warning or circulate a criticism, and order corrections within a prescribed time limit, and may require them to take such measures as suspending user account registration or other related services; where they refuse to make corrections or the circumstances are serious, they shall be ordered to cease providing relevant services and may concurrently be imposed a fine of not less than RMB 10,000 but not more than RMB 100,000; where the circumstances involve endangering the life and health safety of citizens and harmful consequences have occurred, a fine of not less than RMB 100,000 but not more than RMB 200,000 shall also be imposed.

## Chapter 4 Supplementary Provisions

**Article 31.** Where the provision of anthropomorphized interactive services involves the provision of services in such fields as health and medical care or finance, the relevant provisions of the competent authorities shall be complied with concurrently.

**Article 32.** These Measures shall come into force as of July 15, 2026.
---

## Measures for the Security Review of Foreign Investments

- Chinese title: 外商投资安全审查办法
- Abbreviation: FISR Measures
- Hierarchy: rule
- Issuing body: National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM)
- Adopted: 2020-11-27
- Effective: 2021-01-18
- Status: effective
- URL: https://datacompliancechina.com/laws/foreign-investment-security-review-measures/
- Markdown: https://datacompliancechina.com/laws/foreign-investment-security-review-measures.md

### Summary

The Foreign Investment Security Review (FISR) Measures govern review of foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The test for the security review's bite is actual control, defined broadly to include >50% equity, voting-share thresholds, and other circumstances that materially influence operational decisions, personnel, finance, or technology. These Measures were the legal basis for the April 2026 ban on the Meta–Manus acquisition.

### Full text

**Promulgated by:** National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM).

**Document No.:** Decree No. 37 of NDRC and MOFCOM.

**Adopted at the 13th meeting of NDRC on November 27, 2020, with State Council approval. Promulgated December 19, 2020. Effective January 18, 2021.**

He Lifeng (NDRC) and Zhong Shan (MOFCOM).
---

**Article 1.** These Measures are enacted in accordance with the Foreign Investment Law of the People's Republic of China, the National Security Law of the People's Republic of China and the relevant laws for the purposes of adapting to the needs of forming a new pattern of all-round opening up, effectively preventing and defusing national security risks while actively promoting foreign investment.

**Article 2.** For foreign investments that affect or may affect national security, security review shall be conducted in accordance with the provisions of these Measures.

For the purpose of these Measures, the term "foreign investment" refers to the investment activities carried out by foreign investors directly or indirectly within the territory of the People's Republic of China (hereinafter referred to as "within China"), including the following circumstances:
(I) where foreign investors invest, solely or jointly with other investors, in new projects or establishing enterprises in China;
(II) where foreign investors acquire equity or assets of domestic enterprises by way of merger and acquisition; or
(III) where foreign investors make investments in China in any other form.

**Article 3.** The State establishes a working mechanism for the security review of foreign investments (hereinafter referred to as the "working mechanism") to be responsible for organizing, coordinating and guiding the security review of foreign investments.

The office of the working mechanism is set up under the National Development and Reform Commission. It is led by the National Development and Reform Commission and the Ministry of Commerce to undertake the routine work of the security review of foreign investments.
**Article 4.** For foreign investments within the following scope, foreign investors or the relevant parties in China (hereinafter referred to collectively as the "parties concerned") shall take the initiative to declare to the office of the working mechanism prior to implementation of the investments:
(I) investments in military industry, military industrial supporting and other fields relating to the security of national defence, and investments in areas surrounding military facilities and military industry facilities; and
(II) investments in important agricultural products, important energy and resources, important equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and Internet products and services, important financial services, key technologies and other important fields relating to national security, and obtaining the actual controlling stake in the investee enterprise.

"Obtaining the actual controlling stake in the investee enterprise" referred to in item (II) of the preceding paragraph shall include the following circumstances:
(I) where the foreign investor holds more than 50% of the equity of an enterprise;
(II) where the foreign investor holds less than 50% of the equity of an enterprise, but the voting rights held by it can have significant impact on the resolutions of the board of directors, the board of shareholders or the general meeting of shareholders; and
(III) other circumstances where the foreign investor may have significant impact on the enterprise's business decision-making, human resources, finance, technology etc.

For foreign investments within the scope stipulated in the first paragraph of this Article (hereinafter referred to as the "scope of declaration"), the office of the working mechanism may require the parties concerned to make declaration.
**Article 5.** Prior to declaration of a foreign investment to the office of the working mechanism, the parties concerned may consult the said office on the relevant issues.

**Article 6.** The parties concerned shall submit the following materials for declaration of a foreign investment to the office of the working mechanism:
(I) a declaration letter;
(II) an investment plan;
(III) a statement on whether the foreign investment will have an impact on national security; and
(IV) other materials stipulated by the office of the working mechanism.

The declaration letter shall state the name, address, scope of business of the foreign investor, basic information of investment and other matters stipulated by the office of the working mechanism.

The office of the working mechanism may, based on work needs, entrust the relevant departments of the people's governments of provinces, autonomous regions or centrally administered municipalities with collection and forwarding of the materials stipulated in the first paragraph of this Article on its behalf.

**Article 7.** The office of the working mechanism shall, within 15 working days from the date of receipt of the materials stipulated in Article 6 hereof submitted by the parties concerned or forwarded by the relevant departments of the people's governments of provinces, autonomous regions or centrally administered municipalities, make a decision on whether the foreign investment declared is subject to security review and notify the parties concerned in writing. Prior to a decision made by the office of the working mechanism, the parties concerned shall not make the investment.

The parties concerned shall not make the investment unless the office of the working mechanism decides that security review is not required.

**Article 8.** The security review of foreign investments includes general review and special review.
Where the office of the working mechanism decides to conduct the security review of a foreign investment declared, it shall complete the general review within 30 working days from the date of decision. During the review period, the parties concerned may not make the investment.

Upon general review, if it is deemed that the foreign investment declared will not have an impact on national security, the office of the working mechanism shall make a decision on passing the security review; if it is deemed that the foreign investment will or may have an impact on national security, the office of the working mechanism shall make a decision on initiating the special review. The decisions made by the office of the working mechanism shall be notified to the parties concerned in writing.

**Article 9.** Where the office of the working mechanism decides to initiate the special review of a declared foreign investment, it shall make a decision in accordance with the following provisions after the review and notify the parties concerned in writing:
(I) where the declared foreign investment does not have an impact on national security, a decision on passing the security review shall be made; or
(II) where the declared foreign investment affects national security, a decision on prohibiting the investment shall be made.

Where the impact on national security can be eliminated through the imposition of conditions and the parties concerned make a written commitment to accept such conditions, a decision on conditionally passing the security review may be made and the additional conditions shall be specified in the decision.

The special review shall be completed within 60 working days from the date of initiation; under special circumstances, the review period may be extended. The parties concerned shall be notified in writing of the extension of the review period. During the review period, the parties concerned may not make the investment.
**Article 10.** During the security review of the declared foreign investment, the office of the working mechanism may require the parties concerned to supplement the relevant materials and inquire of the parties concerned about the relevant information. The parties concerned shall cooperate therewith. The time for the parties concerned to provide supplementary materials will not be included in the examination period.

**Article 11.** During the security review of the declared foreign investment conducted by the office of the working mechanism, the parties concerned may revise the investment plan or revoke the investment. If the parties concerned revise the investment plan, the review period will be re-counted from the date of receipt of the revised investment plan by the office of the working mechanism; if the parties concerned cancel the investment, the review will be terminated by the office of the working mechanism.

**Article 12.** Where the office of the working mechanism decides that the foreign investment declared passes the security review, the parties concerned may make the investment; in case of the decision on prohibiting the investment, the parties concerned may not make the investment; if the investment has been made, the equity or assets shall be disposed of within a time limit and other necessary measures shall be taken to restore the equity or assets to the status before the implementation of the investment and eliminate the impact on national security; and if a decision on conditionally passing the security review is made, the parties concerned shall make the investment under the additional conditions.
**Article 13.** The implementation of a decision on the security review of a foreign investment shall be supervised by the office of the working mechanism in conjunction with the relevant departments and local people's governments; for a foreign investment that passes the security review with conditions, the office of the working mechanism may verify the implementation of such conditions by such means as requiring the relevant supporting materials and conducting on-site inspection.

**Article 14.** After the office of the working mechanism makes a decision that the declared foreign investment is not subject to security review or passes the security review, if the parties concerned change the investment plan, which affects or may affect the national security, the parties concerned shall make declaration anew to the office of the working mechanism in accordance with the provisions hereof.

**Article 15.** Where the relevant organs, enterprises, social groups or the general public deem that a foreign investment affects or may affect the national security, they may propose suggestions on security review to the office of the working mechanism.

**Article 16.** For any foreign investment that falls within the scope of declaration, if the parties concerned make investment without making declaration in accordance with the provisions hereof, the office of the working mechanism shall order them to make declaration within a time limit; where the parties concerned refuse to make declaration, the office of the working mechanism shall order them to dispose of equity or assets and to take other necessary measures within a time limit to restore the equity or assets to the status before the implementation of the investment and eliminate impact on national security.
**Article 17.** Where the parties concerned provide false materials to or conceal relevant information from the office of the working mechanism, the said office shall order them to make correction; where the parties concerned pass the security review by cheating, such as providing false materials and concealing relevant information, the relevant decisions shall be revoked; if the investment has been made, the parties concerned shall be ordered to dispose of equity or assets and to take other necessary measures within a time limit to restore the equity or assets to the status before the implementation of the investment and eliminate impact on national security.

**Article 18.** For any foreign investment that passes the security review with conditions, if the parties concerned fail to make investment under the additional conditions, the office of the working mechanism shall order them to make correction; where the parties concerned refuse to make correction, the office of the working mechanism shall order them to dispose of equity or assets and take other necessary measures within a time limit to restore the equity or assets to the status before the implementation of the investment and eliminate impact on national security.

**Article 19.** The parties concerned falling under any of the circumstances as prescribed in Article 16, Article 17 or Article 18 hereof shall be included in the relevant credit information system of the State as parties with poor credit records, and be subject to joint punishment in accordance with the relevant provisions of the State.
**Article 20.** Where any functionary of a state organ abuses his/her power, neglects his/her duties, commits illegalities for personal gains, or divulges any state secret or the trade secret he/she has access to during the security review of a foreign investment, he/she shall be punished in accordance with the law; where a crime is constituted, he/she shall be investigated for criminal liability in accordance with the law.

**Article 21.** These Measures shall apply mutatis mutandis to the investments made by investors from the Hong Kong Special Administrative Region, the Macao Special Administrative Region or the Taiwan region that affect or may affect the national security.

**Article 22.** Where foreign investors' purchase of the shares of any domestic enterprise through stock exchanges or other stock exchanges approved by the State Council affects or may affect the national security, the specific measures for the application hereof shall be developed by the securities regulatory authority under the State Council in conjunction with the office of the working mechanism.

**Article 23.** These Measures shall come into force 30 days after the date of promulgation.

---

## Administrative Measures for the Application Security of Facial Recognition Technology

- Chinese title: 人脸识别技术应用安全管理办法
- Abbreviation: FRT Measures
- Hierarchy: rule
- Issuing body: Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS)
- Adopted: 2024-09-30
- Effective: 2025-06-01
- Status: effective
- URL: https://datacompliancechina.com/laws/facial-recognition-technology-application-measures/
- Markdown: https://datacompliancechina.com/laws/facial-recognition-technology-application-measures.md

### Summary

The dedicated CAC + MPS rule for facial-recognition technology applications, implementing PIPL Articles 26 and 28–32 and the Civil Code privacy chapter.
Covers the three governing principles of minimum-use, voluntary choice, and minimum-storage; the filing regime for processors handling face data of more than 100,000 persons; mandatory PIPIA, signage, prohibition on FRT in private spaces (changing rooms, bathrooms, hotel rooms); preference for authoritative ID-verification channels over independent FRT collection; and the inter-agency coordination structure under CAC + MPS.

### Full text

**Promulgated by:** Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS).

**Document No.:** Decree No. 19 of CAC and MPS.

**Adopted at the 23rd CAC executive meeting in 2024 on September 30, 2024, with MPS concurrence. Promulgated March 13, 2025. Effective June 1, 2025.**

Zhuang Rongwen (CAC) and Wang Xiaohong (MPS).

---

**Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Administrative Regulation on Network Data Security and other laws and administrative regulations in order to regulate the application of facial recognition technology to handle facial information and protect personal information rights and interests.

**Article 2.** These Measures apply to the application of facial recognition technology to handle facial information within the territory of the People's Republic of China.

These Measures shall not apply to the application of facial recognition technology to handle facial information for the research and development of facial recognition technology and algorithm training activities within the territory of the People's Republic of China.
**Article 3.** Users of facial recognition technology to handle facial information shall comply with laws and regulations, respect social morality and ethics, observe business morality and professional ethics, act in good faith, fulfill personal information protection obligations and undertake social responsibilities, and shall not endanger national security, damage public interests or infringe upon the legitimate rights and interests of individuals.

**Article 4.** Facial recognition technology shall be used only for a specific purpose and where sufficiently necessary, or in the way that has the least impact on personal rights and interests, and strict protective measures shall be implemented.

**Article 5.** Prior to application of facial recognition technology to handle facial information, a personal information handler shall inform an individual of the following matters in a prominent manner and in easy-to-understand language, truthfully, accurately and completely:

(1) name and contact information of the personal information handler;

(2) purpose and method of handling facial information and the period for storage of the handled facial information;

(3) necessity of handling facial information and impact of handling on personal rights and interests;

(4) methods and procedures for individuals to exercise rights in accordance with the law; and

(5) other matters to be notified in accordance with the provisions of laws and administrative regulations.

If any of the matters prescribed in the preceding paragraph changes, the individual shall be notified of such change.

Where it is stipulated by laws and administrative regulations that notification to individuals is not required, such provisions shall prevail.

The handling of facial information of the disabled and the elderly shall also comply with the provisions of the State on building a barrier-free environment.
**Article 6.** Where the handling of facial information is based on an individual's consent, the voluntary and explicit separate consent of the individual shall be obtained on the premise that the individual is fully informed. Where laws and administrative regulations provide that the handling of facial information shall be subject to the individual's written consent, such provisions shall prevail.

Where an individual consents to the handling of his or her facial information, he or she has the right to withdraw that consent, and the personal information handler shall provide a convenient way to withdraw consent. The withdrawal of consent by an individual shall not affect the effectiveness of personal information handling activities that were carried out on the basis of the individual's consent before the withdrawal.

**Article 7.** Where the handling of facial information of minors under the age of 14 is based on consent, the consent of the minors' parents or other guardians shall be obtained.

Where a personal information handler applies facial recognition technology to handle facial information of minors under the age of 14, it/he shall formulate special handling rules in terms of storage, use, transfer and disclosure, in order to protect the safety of minors' personal information according to the law.

**Article 8.** Unless otherwise stipulated by laws and administrative regulations or with an individual's separate consent, facial information shall be stored in facial recognition equipment and shall not be externally transmitted through the Internet. Unless otherwise specified by laws and administrative regulations, the retention period of the facial information shall not exceed the minimum time required for achieving the purpose of handling.
**Article 9.** Where a personal information handler applies facial recognition technology to handle facial information, it/he shall carry out an assessment on the impact of personal information protection in advance and keep a record of the handling. An assessment on the impact of personal information protection shall mainly include the following aspects:

(1) whether the purpose and method of handling facial information are legal, proper and necessary;

(2) impact on the personal rights and interests and whether the measures to mitigate adverse impact are effective;

(3) risks of divulgence, falsification, loss, damage, or illegal acquisition, sale or use of facial information and possible harm; and

(4) whether the protection measures taken are legal, effective and appropriate to the degree of risks.

Assessment reports on the impact of personal information protection and handling records shall be kept for at least three years. Where the purpose and method of personal information handling change, or major security incidents occur, the assessment on impact of personal information protection shall be conducted anew.

**Article 10.** Where there are other non-facial recognition methods to achieve the same purpose or meet the same business requirements, facial recognition technology shall not be used as the only verification method. If an individual does not agree to identity verification by means of facial information, other reasonable and convenient alternatives shall be provided.

Where it is otherwise stipulated by the State on the application of facial recognition technology to verify personal identity, such provisions shall prevail.
**Article 11.** Where facial recognition technology is used to verify personal identity or identify specific individuals, it is encouraged to give priority to such channels as the national basic population information database and the national network identity authentication public services, so as to reduce facial information collection and storage and protect facial information security.

**Article 12.** No organization or individual may mislead, defraud or coerce an individual to accept facial recognition technology for verification of his/her personal identity on the grounds of handling business, improving service quality, etc.

**Article 13.** Facial recognition equipment shall be installed in public places necessary for maintaining public security, and the facial information collection areas shall be reasonably determined in accordance with the law, with eye-catching warning signs set up.

No organization or individual may install facial recognition equipment inside private spaces in such public places as hotel guest rooms, public bathrooms, public locker rooms and toilets.

**Article 14.** The application system of facial recognition technology shall take such measures as data encryption, security audit, access control, authorization management, intrusion detection and defense to protect the security of facial information. Where cybersecurity graded protection or critical information infrastructure is involved, the obligations of cybersecurity graded protection or critical information infrastructure protection shall be performed in accordance with the relevant regulations of the State.

**Article 15.** A personal information handler shall go through the filing formalities with the cyberspace authority at or above the provincial level of the place where it/he is located within 30 working days from the day when the number of stored facial information handled with application of facial recognition technology reaches 100,000 persons.
The following materials shall be submitted for the filing application:

(1) basic information of the personal information handler;

(2) purpose and method of facial information handling;

(3) storage quantity of facial information and security protection measures;

(4) handling rules and operating procedures for facial information handling; and

(5) assessment report on the impact of personal information protection.

Where there is any substantial change in the filed information, the formalities for change of filing shall be completed within 30 working days from the date of change. Where the application of facial recognition technology is terminated, the formalities for cancellation of filing shall be completed within 30 working days from the date of termination, and the facial information shall be handled in accordance with the law.

**Article 16.** The cyberspace authority shall, in concert with the public security organ and other authorities performing duties of personal information protection, establish and improve the information sharing and notification mechanism and cooperate with each other in carrying out the relevant work.

The cyberspace authority, public security organ and other authorities performing duties of personal information protection shall carry out supervision and inspection over the activities of handling personal information with application of facial recognition technology in accordance with the law, and personal information handlers shall provide cooperation pursuant to the law.

**Article 17.** Any organization or individual has the right to complain or report to the authorities performing duties of personal information protection on the illegal application of facial recognition technology to handle facial information. The authorities receiving such complaints or reports shall handle them in a timely manner in accordance with the law and inform the complainants or whistleblowers of the handling results.
**Article 18.** Any violation of the provisions hereof shall be punished in accordance with the provisions of relevant laws and administrative regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

**Article 19.** For the purpose of these Measures, the following terms shall have the following meanings:

(1) "personal information handler" refers to any organization or individual that independently determines the purpose and method of handling in the activities of handling personal information.

(2) "facial information" refers to the biometric information of facial features that is recorded electronically or otherwise and is related to an identified or identifiable natural person, excluding anonymized information.

(3) "facial recognition technology" refers to the individual biometric recognition technology that identifies an individual based on facial information.

(4) "facial recognition equipment" refers to the terminal equipment that applies facial recognition technology to identify personal identity.

(5) "verifying personal identity" refers to making a "one-to-one" comparison of the collected facial information with the specific facial information stored in the information system so as to confirm and check whether the two are the same person.

(6) "identifying specific individuals" refers to making a "one-to-many" comparison of the collected facial information with the facial information within the specific scope stored in the information system so as to discover and identify individuals with specific identities.

**Article 20.** These Measures shall come into force as of June 1, 2025.
---

## Interim Measures for the Registration and Administration of Public Data Resources

- Chinese title: 公共数据资源登记管理暂行办法
- Hierarchy: rule
- Issuing body: National Development and Reform Commission (NDRC) and National Data Administration (NDA)
- Adopted: 2025-01-08
- Effective: 2025-03-01
- Status: effective
- URL: https://datacompliancechina.com/laws/public-data-registration-interim-measures/
- Markdown: https://datacompliancechina.com/laws/public-data-registration-interim-measures.md

### Summary

The Interim Measures establish a nationally unified registration system for public data resources — data collections produced by Party and government organs and public institutions in the course of performing statutory duties or providing public services. Registration is mandatory for public data resources that fall within authorized-operation scope; voluntary registration is encouraged for other public data resources and for data products and services derived from them. The Measures set the registration procedure (application, acceptance, formal review, public announcement, code issuance), define four registration types (initial, change, correction, deregistration), establish a three-year validity period with renewal, and provide for graded supervision under NDA's overall administration. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists.

### Full text

**Promulgated by:** National Development and Reform Commission (NDRC) and National Data Administration (NDA).

**Document No.:** Fa Gai Shu Ju Gui [2025] No. 26 (发改数据规〔2025〕26号).

**Issued January 8, 2025. Effective March 1, 2025. Five-year validity period.**

---

> *DCC translation. No official English translation exists.
> Translated against [DCC's bilingual glossary](/glossary) for terminology consistency with PIPL, DSL, CSL, and related laws.*

## Chapter I General Provisions

**Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and regulations, and pursuant to the *Opinions of the CPC Central Committee and the State Council on Building a Fundamental Data System to Better Leverage the Role of Data as a Factor of Production* and the *Opinions of the General Office of the CPC Central Committee and the General Office of the State Council on Accelerating the Development and Utilization of Public Data Resources*, in order to promote the lawful, compliant, and efficient development and utilization of public data resources, build a nationally unified public data resource registration system, and standardize public data resource registration work.

**Article 2.** These Measures apply to the registration of public data resources and to the supervision and administration thereof carried out within the territory of the People's Republic of China.

**Article 3.** For the purpose of these Measures, the following terms have the following meanings:

(I) "Public data resources" refers to data collections of utilization value that are generated by Party and government organs and public institutions at all levels in the course of performing their statutory duties or providing public services.

(II) "Registrants" refers to entities that directly hold or administer public data resources in accordance with their job duties, as well as legal-person organizations that develop and operate public data resources within the scope of authorization in accordance with the law.
(III) "Registration institutions" refers to public institutions established or designated by the national or local data administration authorities that provide public data resource registration services.

(IV) "Registration platform" refers to an information system that supports the full lifecycle service and administration of public data resource registration.

**Article 4.** Public data resource registration shall safeguard national security and the public interest, protect state secrets, trade secrets, personal privacy, and personal information rights and interests, and follow the principles of legality and compliance, openness and transparency, standardization, and security and efficiency.

## Chapter II Registration Requirements

**Article 5.** Party and government organs and public institutions that directly hold or administer public data resources shall register public data resources that fall within the scope of authorized operation, and are encouraged to register public data resources that have not been included in the scope of authorized operation.

Legal-person organizations authorized to engage in operating activities are encouraged to register the data products and services formed through the processing of authorized public data resources.

Public utility enterprises in sectors such as water supply, gas supply, heating, electricity, and public transportation are encouraged to register the public data resources they directly hold or administer, and the products and services formed therefrom.

**Article 6.** Registration institutions are responsible for implementing public data resource registration, executing the nationally unified registration administration requirements, and providing standardized and convenient registration services in accordance with administrative hierarchy and territorial principles.
Registration institutions shall establish a sound responsibility mechanism for data resource registration administration, perform their data security protection obligations, strengthen the application of data security protection technologies, and properly safeguard registration information.

For public data resource registration by central and state organs and their directly affiliated bodies, and by central enterprises, the National Data Administration shall designate its affiliated public institutions to handle the registration.

**Article 7.** After business review, registrants shall submit registration applications via the registration platform, provide registration materials truthfully and accurately, and bear responsibility for the truthfulness, completeness, legality, and validity of the registration materials.

Where multiple parties are involved, they may submit a joint registration application or, after reaching consensus, have a single party submit the application.

Before applying for registration, registrants shall, on the premise of ensuring security, perform evidence preservation (存证) for public data resources, ensuring traceability of source and controllability of processing.

## Chapter III Registration Procedure

**Article 8.** Public data resource registration shall be conducted through the procedures of application, acceptance, formal review, public announcement, and code issuance.

**Article 9.** Types of public data resource registration applications mainly include initial registration, change registration, correction registration, and deregistration.

(I) **Initial registration.** Registrants shall submit application materials in accordance with regulations, including registrant information, lawful and compliant sources of data, the situation of data resources, status of evidence preservation, information on products and services, application scenarios, and data security risk assessment.
After conducting authorized operating activities and providing data resources or delivering data products and services, the registrant shall submit the initial registration application within 20 working days. For authorized operations conducted before the Measures take effect, registrants shall complete initial registration within 30 working days after the Measures take effect.

(II) **Change registration.** Where there are significant updates or major changes to the data source, the situation of data resources, the products and services, or the status of evidence preservation, or where there are major changes to registrant information, the registrant shall promptly apply to the registration institution for change registration.

(III) **Correction registration.** Where a registrant or interested party believes that information already registered contains errors, the party may apply for correction registration. Upon the registrant's written consent, or upon evidence proving that the registration information is indeed erroneous, the registration institution shall correct the relevant erroneous information.

(IV) **Deregistration.** Under any of the following circumstances, the registrant shall apply for deregistration, and the registration institution shall complete deregistration within 10 working days from the date of acceptance:

1. The public data resources cannot be restored or have been lost;
2. The registrant relinquishes the relevant rights and interests, or the term of the rights has expired;
3. The registrant has been terminated due to dissolution, lawful revocation, declared bankruptcy, or other reasons;
4. Other circumstances stipulated by laws and regulations.

**Article 10.** The registration institution shall accept the application within 3 working days from the date of receipt.
Where application materials are incomplete or non-conforming, the registration institution shall inform the registrant in one go of the supplements required; the acceptance date shall be calculated from the date the supplemented application is resubmitted. Where acceptance is denied, the reasons shall be promptly explained to the registrant.

**Article 11.** The registration institution shall conduct formal review of the content of the registration materials and complete the review within 20 working days from the date of acceptance. If review cannot be completed in time, the institution shall explain the reasons to the registrant.

**Article 12.** Upon completion of formal review, the registration institution shall publicly announce the relevant registration information to society via the registration platform; the announcement period is 10 working days. The content of the registration announcement mainly includes the registrant's name, type of registration, name of registered data, and a brief introduction of the data content.

Where there is an objection to the announced information during the announcement period, the relevant party shall raise the objection under their real name and provide necessary evidence; the registration institution shall review the objection. If the objection is sustained, the registration shall be terminated.

**Article 13.** Where no objection is raised within the announcement period, the registration institution shall issue a registration result inquiry code to the registrant in accordance with the unified coding specification formulated by the National Data Administration.
## Chapter IV Registration Administration

**Article 14.** The National Data Administration shall strengthen the administration of public data resource registration, promote standardization of registration services, establish and improve the public data resource catalogue on the basis of registration information and the government data directory, and build the national public data resource registration platform — connected to provincial-level public data resource registration platforms — to promote interconnection of registration information. A nationally unified code shall be assigned to registration results across the country, supporting inquiry and sharing of registration information.

Provincial-level data administration authorities shall strengthen integrated construction, take overall responsibility for the use and administration of the public data resource registration platform within their jurisdiction, and strengthen data sharing, application services, and security safeguards.

**Article 15.** The validity period of registration results is, in principle, three years, calculated from the date of code issuance. For the registration of public data products and services within the scope of authorized operation, where the operation period under the authorization agreement does not exceed three years, the validity period of the registration result shall be the actual operation period.

Upon expiration of the registration result validity period, the registrant may apply for renewal within 60 days prior to expiration in accordance with regulations. Each renewal period shall be no longer than three years, calculated from the day following the expiration of the previous validity period. Where the renewal is not applied for within the prescribed period, the registration institution shall deregister.
**Article 16.** Registration institutions shall, in accordance with nationally unified registration requirements, optimize service processes and enhance the level of registration convenience services.

**Article 17.** The National Data Administration shall, on an overall basis, conduct the construction of the registration standards system and the registration work evaluation mechanism. Provincial-level data administration authorities shall, on an overall basis, conduct evaluation of the service level of registration institutions within their jurisdiction.

## Chapter V Supervision and Administration

**Article 18.** National public data resource registration work shall be subject to graded supervision and administration. The National Data Administration is responsible for national public data resource registration work. Provincial-level data administration authorities are responsible for public data resource registration work within their jurisdiction on an overall basis. Data administration authorities at all levels shall, in conjunction with relevant departments, conduct cross-departmental coordinated supervision.

**Article 19.** Where a registration institution engages in any of the following acts during the registration process, the data administration authority shall take administrative measures, including a regulatory interview (约谈), on-site guidance, or revocation of the registration institution's qualification:

(I) Conducting false registration;

(II) Unauthorized tampering with or forgery of registration results;

(III) Unauthorized disclosure of registration information or improper profit from registration information;

(IV) Improper performance or refusal to perform duties;

(V) Other violations of laws and regulations.
**Article 20.** Where a registrant engages in any of the following acts, the registration institution shall, after verification, revoke the registration:

(I) Concealment of facts, falsification, or provision of false registration materials;

(II) Unauthorized tampering with or forgery of registration results;

(III) Illegal use or improper profit from registration results;

(IV) Other violations of laws and regulations.

**Article 21.** Where a registration institution or registrant engages in conduct that violates relevant laws, it shall bear corresponding liability in accordance with the law; where a crime is constituted, criminal liability shall be pursued in accordance with the law.

## Chapter VI Supplementary Provisions

**Article 22.** The data administration authority of each province, autonomous region, and municipality directly under the central government may formulate implementation rules in accordance with these Measures.

**Article 23.** The National Data Administration is responsible for the interpretation of these Measures.

**Article 24.** These Measures shall come into force on March 1, 2025, with a validity period of 5 years, and shall be revised and adjusted in due course as the situation warrants.

---

## Implementation Specifications for Authorized Operation of Public Data Resources (Trial)

- Chinese title: 公共数据资源授权运营实施规范(试行)
- Hierarchy: rule
- Issuing body: National Development and Reform Commission (NDRC) and National Data Administration (NDA)
- Adopted: 2025-01-08
- Effective: 2025-03-01
- Status: effective
- URL: https://datacompliancechina.com/laws/public-data-authorized-operation-specifications/
- Markdown: https://datacompliancechina.com/laws/public-data-authorized-operation-specifications.md

### Summary

Companion rule to the Public Data Registration Interim Measures (also NDRC + NDA, January 2025).
The Specifications establish the framework for 'authorized operation' (授权运营) of public data resources — the mechanism by which governments at and above the county level, and national sectoral authorities, can authorize qualified operating institutions to develop and operationalize public data resources, deliver data products and services to the market, and share in the revenue. Covers implementing institutions, operating institutions, the implementation plan, the agreement, supervision, anti-monopoly and security duties. The operating-institution authorization period is capped at five years. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists.

### Full text

**Promulgated by:** National Development and Reform Commission (NDRC) and National Data Administration (NDA).

**Document No.:** Fa Gai Shu Ju Gui [2025] No. 27 (发改数据规〔2025〕27号).

**Issued January 8, 2025. Effective March 1, 2025. Five-year validity period.**

---

> *DCC translation. No official English translation exists.
> Translated against [DCC's bilingual glossary](/glossary) for terminology consistency with PIPL, DSL, CSL, and related rules.*

## Chapter I General Provisions

**Article 1.** These Specifications are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and regulations, and pursuant to the *Opinions of the CPC Central Committee and the State Council on Building a More Complete Market-Based Allocation Mechanism for Factors of Production*, the *Opinions of the CPC Central Committee and the State Council on Building a Fundamental Data System to Better Leverage the Role of Data as a Factor of Production*, and the *Opinions of the General Office of the CPC Central Committee and the General Office of the State Council on Accelerating the Development and Utilization of Public Data Resources*, in order to advance the development and utilization of public data resources, standardize the authorized operation of public data resources, promote the cultivation of an integrated data market, and unlock the value of data as a factor of production.

**Article 2.** These Specifications apply to public data resource authorized operation activities carried out within the territory of the People's Republic of China.

**Article 3.** "Authorized operation" (授权运营) refers to the activity of authorizing qualified operating institutions, in accordance with laws, regulations, and relevant requirements, to govern and develop public data resources held by local people's governments at and above the county level or by national sectoral competent authorities, and to provide data products and technical services fairly to the market.
"Implementing institutions" refers to entities, determined by local people's governments at and above the county level or by national sectoral competent authorities in conjunction with the authorization model, that are specifically responsible for organizing the conduct of authorized operation activities.

"Operating institutions" refers to legal-person organizations that have obtained authorization through standardized procedures and that develop and operate public data resources within the scope of authorization.

**Article 4.** Authorized operation of public data resources shall follow the principles of legality and compliance, fairness and impartiality, public-interest priority, reasonable returns, and security and controllability.

## Chapter II Basic Requirements

**Article 5.** Local people's governments at and above the county level, and national sectoral competent authorities, may include lawfully held public data resources within the scope of authorized operation, provided that the requirements of the data classification and grading protection system are implemented and that national security, the public interest, trade secrets, personal privacy, and personal information rights and interests are not harmed.

Where public data of other regions or departments — obtained through government data sharing — is to be used for authorized operation, the consent of the unit that provided the shared data shall be obtained.

**Article 6.** In conducting authorized operation activities, administrative power or market-dominant position shall not be abused to exclude or restrict competition, and data, algorithms, technology, or capital advantages shall not be used to engage in monopolistic conduct.

Operating institutions shall conduct business within the scope of authorization in accordance with laws and regulations, and shall not directly or indirectly participate in the further development of public data products and services already delivered within their authorized scope.
Other operating entities are encouraged to further develop the public data products and services delivered by operating institutions, integrate multi-source data, enhance the value of data products and services, and contribute to a flourishing data-industry ecosystem.

**Article 7.** The National Data Administration is responsible for the overall coordination and administration of national public data resource authorized operation work; it shall dynamically monitor the national authorized-operation situation and strengthen policy and operational guidance.

Provincial-level data administration authorities shall play a comprehensive coordinating role, strengthen the integration of data resources, enhance data service capacity, fully leverage the scale-of-application effect of public data resources, and conduct supervision and administration of authorized operation work within their region.

Data administration bodies of national sectoral competent authorities are responsible for advancing the authorized operation work of public data resources in their department and for guiding the sector to strengthen administration of sectoral data resources within the scope of authorized operation.

## Chapter III Plan Preparation

**Article 8.** Data administration authorities of local people's governments at and above the county level, and data administration bodies of national sectoral competent authorities, shall take the lead in organizing or guiding the various implementing institutions in their region or department to prepare implementation plans for the authorized operation of public data resources. Implementation plans shall balance economic and social benefits and ensure feasibility of execution.
**Article 9.** Implementation plans shall include the following content:

(I) The name of the authorized operation;

(II) Argumentation of the necessity and feasibility of the authorized operation;

(III) Selection criteria for operating institutions, including capacity in funding, management, technology, service, and security;

(IV) The authorization model — overall authorization, field-by-field authorization, or scenario-based authorization, etc.;

(V) The scope of authorized-operation data resources, the data resource catalogue, data update frequency, and data-quality conditions;

(VI) The authorized-operation period, construction content, technical safeguards, implementation schedule, evaluation standards, exit mechanism, asset administration, etc.;

(VII) The list of proposed public data products and services, which shall include two major categories — supporting public governance and public welfare, and supporting industry development and sectoral development — as well as the expected form of products and services;

(VIII) The cost and revenue accounting mechanism within the operating institution's authorized scope, and the revenue distribution mechanism;

(IX) Data security, personal information protection measures, and emergency-response measures;

(X) Rights and obligations of the implementing institution, operating institution, and other relevant participants;

(XI) Supervision, administration, and performance-evaluation requirements for the authorized operation;

(XII) Other matters that should be clarified.

**Article 10.** Feasibility argumentation shall include, but not be limited to, full lifecycle management services for authorized-operation data, social demand, market scale, expected effectiveness, and risk control.

**Article 11.** Implementation plans for authorized operation of public data resources shall be deliberated and approved in accordance with the "three majors and one large" (三重一大) decision-making mechanism requirements before implementation.
Data administration authorities of local people's governments at and above the county level shall be responsible for, or shall assist in, submitting the implementation plan of their region to the people's government at the same level for deliberation. Data administration bodies of national sectoral competent authorities shall be responsible for, or shall assist in, submitting the implementation plan of their department to the ministerial executive meeting for deliberation.

Implementation plans that have been deliberated and approved shall not, in principle, be arbitrarily changed; where major changes are genuinely required, they shall be re-submitted for deliberation and approval through the original process.

Provincial-level data administration authorities and data administration bodies of national sectoral competent authorities shall properly conduct filing administration for the implementation plans of their region or department.

## Chapter IV Agreement Execution

**Article 12.** Implementing institutions shall, in accordance with the deliberated and approved implementation plan, select operating institutions through fair-competition methods such as public bidding, invited bidding, or negotiation, as required by laws and regulations. The content of the bidding, procurement, and negotiation documents relating to the authorized-operation agreement shall fully solicit the opinions of relevant parties.

Operating institutions shall possess the management and technical service capacity required for data resource processing and operation, shall have sound business and credit standing, and shall comply with the State's data security protection requirements.
**Article 13.** The implementing institution shall, independently or together with the relevant business-competent department at the same level, enter into a public data resource authorized-operation agreement with the lawfully selected operating institution after deliberation and approval by the implementing institution's "three majors and one large" decision-making mechanism.

Provincial-level data administration authorities and data administration bodies of national sectoral competent authorities shall properly conduct filing administration for the various authorized-operation agreements in their region or department, and strengthen dynamic monitoring of agreement performance.

**Article 14.** The content of the public data resource authorized-operation agreement shall include:

(I) The scope and data resource catalogue of the authorized-operation public data resources;

(II) The operating period, which shall not exceed five years in principle;

(III) The list of proposed public data products and services, and the technical standards, security review requirements, and business-compliance review requirements applicable to them;

(IV) The technical support platform for the public data resource authorized-operation work;

(V) Asset ownership, including ownership of software and hardware equipment and of public data products and services;

(VI) Information-disclosure requirements regarding the authorized-operation work, and the requirement that the operating institution shall not directly or indirectly participate in further development;

(VII) Accounting requirements for cost and revenue within the operating institution's authorized scope, and the revenue distribution mechanism;

(VIII) Data security and personal information protection requirements, and risk monitoring and emergency-response measures;

(IX) Operating-effectiveness evaluation, and renewal or exit mechanism;

(X) Liability for breach of contract;

(XI) Dispute resolution methods;

(XII) Conditions for modification and termination of the agreement;

(XIII) Other matters requiring clarification.

## Chapter V Operation and Implementation

**Article 15.** Implementing institutions shall establish a sound, safe, and controllable development and utilization environment, make full use of existing information system resources, encourage integrated construction, support the application of safe and trusted circulation technologies such as privacy computing, and ensure that the development and utilization of data resources is manageable, controllable, and traceable.

**Article 16.** Implementing institutions and operating institutions shall, respectively, register the public data resources, and the public data products and services, within the scope of authorized operation in accordance with the public data resource registration administration requirements.

**Article 17.** Prices of public data products and services shall be implemented in accordance with the State's relevant pricing policies.

**Article 18.** Implementing institutions shall publicly disclose the situation of authorized operation as required, regularly disclose to society the authorized subjects, content, scope, and term, and accept social supervision.

**Article 19.** Operating institutions shall publicly disclose the list of public data products and services, regularly disclose to society the use of public data resources, and accept social supervision.

**Article 20.** Authorized operation shall protect the lawful rights and interests of all participating parties. Implementing institutions and operating institutions are encouraged to support the data governance and service capacity construction of all regions and departments through technology, products and services, revenue, and other means, in a lawful and compliant manner.
## Chapter VI Operation Administration

**Article 21.** Implementing institutions shall establish a sound administration system, strengthen data governance, enhance data quality, implement the requirements of the data classification and grading protection system, strengthen technical support and data security administration, strictly control the direct entry into the market of unpublished original public data resources, and strengthen internal control and audit of operating institutions with respect to authorized-operation activities.

Operating institutions shall fulfill their primary responsibility for data security, strengthen internal control administration, technical administration, and personnel administration, shall not use public data resources beyond the scope of authorization, and shall strictly prevent data-security risks in the processing, operation, and service stages.

Implementing institutions and operating institutions shall, through administrative and technical measures, strengthen the identification and control of risks arising from data association and aggregation, in order to safeguard data security.

**Article 22.** Operating institutions shall strengthen internal administration of costs, revenue, and expenses related to public data products and services; financial revenue and expenditure related to public data products and services shall be administered in accordance with existing financial-administration systems and subject to supervision in accordance with the law.

**Article 23.** In conducting public data resource authorized operation, the responsible action of cadres shall be encouraged and protected; an atmosphere of encouraging and tolerating innovation shall be fostered; at the same time, the abuse of data for private gain shall be resolutely prevented.
In conducting authorized operation, safety risks arising from improper handling of the data-asset and data-asset-capitalization process shall be effectively identified and controlled, and financial risks shall be earnestly prevented and resolved.

## Chapter VII Supplementary Provisions

**Article 24.** Data administration authorities of local people's governments at and above the county level, and data administration bodies of national sectoral competent authorities, may formulate implementation rules in accordance with these Specifications, in light of their actual circumstances.

For authorized operations conducted before these Specifications take effect, the operations shall be progressively brought into conformity with these Specifications. Authorized operation activities newly conducted after these Specifications take effect shall be carried out in accordance with these Specifications.

**Article 25.** Authorized operation of public data resources held by central Party-and-mass organs and by local Party committees at and above the county level shall be carried out with reference to these Specifications.

The development and utilization of public data resources held by public utility enterprises in sectors such as water supply, gas supply, heating, electricity, and public transportation may be authorized for use with reference to the relevant procedural requirements of these Specifications, in order to safeguard the public interest and the lawful data rights and interests of enterprises, and to accept supervision by the government and society.

**Article 26.** The National Data Administration is responsible for the interpretation of these Specifications.

**Article 27.** These Specifications shall come into force on March 1, 2025, with a validity period of 5 years, and shall be revised and adjusted in due course as the situation warrants.

---

# II. BRIEFINGS

## Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected

- Published: 2026-05-29
- Author: DCC Editorial
- Tags: judicial, data-property-rights, data-registration, anti-unfair-competition, ai-training-data, open-source, case
- Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, dsl
- Domains: data-economy, data-security
- URL: https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case/
- Markdown: https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case.md
- Original source: https://mp.weixin.qq.com/s/RRsiqVpVcL6eXG077JCjvQ
- Original author: Beijing IP Court (2024)京73民终546号; commentary by 法律与新经济, 清华大学智能法治研究院, 深圳数据交易所 DEXC+
- Original publication: Multiple — see sources below

### Description

A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'
### Body

> *Editor's Note — DCC.*
>
> This is a consolidated case study, not a translation of any single piece. 数据堂诉隐木科技 (Datatang v. Yinmu) is the most-cited Chinese data-market judgment of the past two years — popularly tagged "China's first case on the evidentiary effect of a data-IP registration certificate" (全国首例涉数据知识产权登记证书效力案). DCC synthesizes four commentaries — the case report (法律与新经济 / 知产宝), a Tsinghua Institute for AI & Rule of Law analysis, and two Shenzhen Data Exchange DEXC+ deep-dives — into the holdings that matter for overseas counsel. The case sits at the intersection of three things DCC has covered separately: the [Data 20 Articles three-rights framework](/posts/nda-three-rights-structural-separation/), the [data-property-rights registration regime](/laws/data-property-rights-registration-guide-draft/), and [open-source AI training-data compliance](/posts/open-source-ai-training-data-compliance/). Here a court actually decides how they interact.

## The case

| | |
|---|---|
| **Parties** | 数据堂(北京)科技股份有限公司 (Datatang, plaintiff) v. 隐木(上海)科技有限公司 (Yinmu, defendant) |
| **First instance** | Beijing Internet Court — (2021)京0491民初45708号 |
| **Appeal** | Beijing IP Court — (2024)京73民终546号 (affirmed, June 28, 2024) |
| **Cause of action** | Unfair competition (不正当竞争纠纷) |
| **Result** | Yinmu pays Datatang ¥100,000 in economic loss + ¥2,300 in reasonable enforcement costs; appeal dismissed, first-instance judgment upheld |

The facts: Datatang is a data company that built **voice datasets for AI model training** — collecting and processing a substantial volume of voice-data entries through its own technical, capital, and labor investment. It **open-sourced** some of these datasets under a license. Yinmu, a competitor in the AI-training-data-source market, **obtained the datasets and redistributed / used them** in a way the courts found did not honor the terms on which the data was made available. Datatang sued for unfair competition.
Crucially, Datatang held a **Data-IP Registration Certificate (《数据知识产权登记证》)** for the dataset. The case is doctrinally important because the dataset fell into the gap the Chinese data-property debate keeps circling: it was *public* (so not a trade secret), it lacked originality in selection/arrangement (so not a copyrightable compilation), and "data" is not yet a typed civil property right in statute. So what, exactly, protects it?

## Holding 1 — A data-IP registration certificate is prima facie evidence, not a property right

This is the headline. The Beijing IP Court held that Datatang's **Data-IP Registration Certificate can serve as prima facie evidence** of two things:

- that Datatang **holds property-type interests** in the dataset; and
- that the **collection conduct / data source was lawful**.

Absent contrary evidence, the court could find those facts on the strength of the certificate. This is the first Chinese judgment to give a data-registration certificate concrete evidentiary force — which is why the "data registration" community treated it as a watershed.

**But — and this is the nuance overseas counsel must hold onto — the certificate is *not* proof of an absolute property right.** The Shenzhen Data Exchange DEXC+ analysis draws out the appeal court's reasoning: under the **property-rights-statutism principle (财产权法定原则)**, a property-type legal interest that has *not* been confirmed by statute as an absolute property right cannot be analogized to other absolute property rights for judicial protection. Civil Code Article 127 ("where laws provide for the protection of data … such provisions apply") is, the court said, a **referential / declaratory clause** — it has *not* made "data" a typed civil right with defined content.
The "data three rights" (hold / use / operate) from the Data 20 Articles remain **policy-level and economic concepts**, not statutory absolute rights, because under the Legislation Law the creation of basic civil rights is reserved to NPC statute — administrative regulations, departmental rules, local rules, and policy documents cannot create them. So Datatang **could not** invoke Article 127 to demand that its dataset be treated as an absolute property right. The registration certificate shifts the **burden of evidence**; it does not conjure a **property right**.

For overseas counsel: registering data in China (the data-IP pilots, the data-exchange registration certificates) is now genuinely worth doing for its evidentiary value — but do not mistake a certificate for title.

## Holding 2 — Open-sourced data is still protected, via the Anti-Unfair Competition Law

If the dataset is not a property right, not a trade secret, and not a copyrightable work, what protects it? The court's answer: the **Anti-Unfair Competition Law (AUCL) general clause, Article 2**.

The reasoning: even though the dataset was public (failing the trade-secret secrecy requirement) and lacked originality in selection/arrangement (failing the compilation-work requirement), Datatang had made **substantial technical, capital, and labor investment** to lawfully collect a substantial volume of voice-data entries, adding commercial value to the raw data, meeting AI-developers' needs, and generating traffic, transaction opportunities, and competitive advantage. That commercial benefit is, in substance, a **competitive interest (竞争性权益)** — and competitive interests are legitimate interests the AUCL protects.

## Holding 3 — The protection hierarchy

The Tsinghua analysis distills the court's framework into a clean **three-tier hierarchy** for protecting a dataset — useful as an operating checklist:

1. **Public + original selection/arrangement → copyright (compilation work).** If the dataset's structure is original, protect it as a compilation work.
2. **Not easily obtainable by people in the field → trade secret.** If the dataset is genuinely non-public, protect it as a trade secret.
3. **Public + no originality → Anti-Unfair Competition Law Article 2.** If it's public and unoriginal — the residual case, and the most common one for bulk training data — there is no IP exclusive right or trade-secret basis, so protection runs through the AUCL general clause, as appropriate.

Datatang's voice dataset fell into tier 3 — which is exactly why this case matters: it confirms that the **residual category of "public, unoriginal, substantial-investment" datasets is not unprotected**. The AUCL general clause is the backstop.

## Holding 4 — The open-source license is the hinge

The most operationally important holding for anyone building or using AI training data: **open-sourcing data does not abandon rights in it.** The court held that, absent the holder's permission, no one may publicly disseminate a dataset that the holder lawfully collected through substantial investment. And when the holder *does* open-source the dataset, **whether the acquirer follows the open-source license** is an important factor in judging whether the use violates commercial ethics in the data-services field.

In other words: "it was open-sourced" is not a defense. The license terms travel with the data. A competitor who takes open-sourced data and uses or redistributes it *outside the license* is acting improperly — and the open-source license becomes the measure of commercial ethics under the AUCL.

The case also features a **doctrinal breakthrough on the "substantial substitution" question.** Chinese data-unfair-competition cases have often asked whether the defendant's product *substantially substitutes* for the plaintiff's (a market-harm element).
Here the court reasoned at a higher level of generality: if data obtained from open-source channels could be freely re-shared with third parties for free, that would **impair data circulation, hinder data innovation, and obstruct the construction of the unified national data market** — and is therefore improper *regardless* of whether classic market substitution is shown. The court tied the impropriety analysis directly to the national data-market-building policy.

## The registration-system context

The Shenzhen Data Exchange DEXC+ pieces situate the case in the fast-growing data-registration landscape overseas counsel should know:

- The **Data 20 Articles** (December 2022) introduced the three-rights structural-separation framework; localities then began experimenting with "three-rights" registration.
- Since 2022 the **National Intellectual Property Administration** has run **data-IP pilots** in 8 localities (Beijing, Shanghai, Jiangsu, Zhejiang, and others), adding 9 more in 2024. Across the pilots, **2,000+ data-IP registration certificates** have been issued, supporting **¥1.1 billion+ in pledge financing**.
- Registration objects generally must be **lawfully obtained, processed by some rule or algorithm, and possess commercial value and intellectual-achievement attributes.**
- DCC's caution, reinforced by the DEXC+ analysis: registration ≠ rights-confirmation (确权). Registration records and provides evidence; it does not, on current law, create a property right. (See [DCC's brief on what data registration actually confirms](/posts/qinglan-what-data-registration-actually-confirms/).)

## What this tells overseas compliance teams

- **Register your data in China for evidentiary value — but don't treat a certificate as title.** A data-IP registration certificate (or a data-exchange registration certificate) now carries real prima-facie weight on both *property-type interest* and *lawful sourcing*. That shifts the burden to a challenger. But it is not an absolute property right, and a Chinese court will say so — your substantive protection still runs through the AUCL (or trade secret / copyright where those fit).
- **Treat the AUCL general clause as the real protector of bulk datasets.** For the common case — public, unoriginal, substantial-investment datasets (most training corpora) — neither copyright nor trade secret applies. AUCL Article 2 is the backstop. Build your data-misappropriation claims (and your defensive posture) around competitive-interest and commercial-ethics reasoning, not around a claimed property right.
- **Open-source ≠ free-for-all. The license travels with the data.** This is the single most important operational takeaway for AI builders. If you ingest open-sourced Chinese datasets, **honor the open-source license** — the court treats license compliance as the measure of commercial ethics, and using open data outside its license is improper conduct, even without classic market substitution. Conversely, if you open-source your own data, you retain an AUCL-backed claim against those who use it outside the license. (Pair this with [Zhang Ping's open-source training-data analysis](/posts/open-source-ai-training-data-compliance/): "open-source does not mean open data.")
- **Document substantial investment.** The court's protection of Datatang turned on its demonstrated technical/capital/labor investment in lawfully collecting and adding value to the data. Maintain provenance, collection-method, and investment documentation for any dataset you may need to defend — it is the factual core of an AUCL competitive-interest claim. (This is the same documentation logic that runs through [the data-source-rights debate](/posts/wang-nian-data-source-rights-as-fair-use/) and [Tang Linyao's data-broker analysis](/posts/tang-linyao-data-broker-derivative-harms/).)
- **The national-data-market policy is now a litigation argument.** The court framed impropriety partly in terms of *building the unified national data market*. Expect Chinese courts to keep reading the data-element-market policy goals into AUCL analysis — which cuts both ways: hoarding/blocking and free-riding can each be cast as market-impairing depending on the facts.

The deeper significance: Datatang v. Yinmu is the case where the abstract Chinese data-property architecture — three rights, registration, the unified market — met an actual commercial dispute and produced operating doctrine. The synthesis it leaves: **in China you register data for evidence, protect it through unfair-competition law, and the open-source license is the line between legitimate reuse and misappropriation.** For overseas counsel structuring AI-data sourcing or data-trading arrangements touching China, that three-part rule is the practical state of the law.

---

**Sources (consolidated):**

- *【案例速递】开源数据亦可受到反法保护,扰乱数据服务市场的行为具有不当性 — 数据堂诉隐木公司AI训练数据源案*, 法律与新经济 (case report, via 知产宝). [Link.](https://mp.weixin.qq.com/s/RRsiqVpVcL6eXG077JCjvQ)
- *首例涉数据知识产权登记效力案,处于公开状态的数据不属于商业秘密,但可依据反法保护*, 清华大学智能法治研究院 (Tsinghua University Institute for AI & Rule of Law). [Link.](https://mp.weixin.qq.com/s/VKoeCVplU639bjJDX-qIug)
- *DEXC+专栏 | 证据法视角中的数据产权登记——兼论我国数据产权登记制度的构建*, 深圳数据交易所 DEXC+. [Link.](https://mp.weixin.qq.com/s/BiA_J_aH7UMpO0V5f_usaA)
- *DEXC+专栏 | 数据产权登记,思路打开,合规先行——从"全国首例涉数据知识产权登记证书效力案"说起*, 深圳数据交易所 DEXC+. [Link.](https://mp.weixin.qq.com/s/2dVHs3L1I6NJ2eyBkhrkAg)

*Not legal advice.
The above is DCC's consolidated structured summary of a public judgment and four commentaries, with framing for overseas counsel; the holdings, the protection hierarchy, and the property-rights-statutism reasoning are the court's and the commentators'.*

---

## Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: anonymization, personal-information, data-economy, de-identification, commentary
- Laws cited: pipl, csl, dsl, network-data-security-regulations
- Domains: personal-information, data-security, data-economy
- URL: https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision/
- Markdown: https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision.md
- Original source: https://mp.weixin.qq.com/s/yaO_RB-rzTKouqevxCb-Xw
- Original author: 许可 (Xu Ke), UIBE
- Original publication: 《财经法学》(Finance and Economics Law Journal), Issue 4, 2024; reposted via 数字经济与社会 WeChat Official Account

### Description

Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.

### Body

> *Editor's Note — DCC.*
>
> If [TRIMPS's brief](/posts/yao-qian-pi-anonymization-relativity/) is the standards-body's read on where the anonymization bar sits, Xu Ke's piece is the academic blueprint for rebuilding the regime from the ground up. His framing is unusually vivid for a law-journal article: PIPL Article 4's anonymization carve-out is a "zombie provision" (僵尸法条) — formally alive, functionally dead, and one of the single biggest blockages to the data-element market China is trying to build. The piece (in 《财经法学》2024) diagnoses *why* the provision is dead and proposes a concentric-circle architecture to revive it. DCC reads it alongside the TRIMPS brief: same problem, complementary solutions. Overseas counsel get, between the two, the most complete picture available of where China's anonymization regime is heading.

## The zombie diagnosis

PIPL Article 4 excludes anonymized information from the definition of personal information — inheriting the carve-out from CSL Article 42's proviso. The intent was to encourage data circulation and reuse: anonymize, and the data exits the PIPL regime. Yet since PIPL took effect, the provision has "almost never functioned" — a clause with "the form of law but no signs of life." Xu Ke's term: 僵尸法条, zombie provision.

Why dead? Xu Ke's diagnosis is that the problem isn't in the "skin" (the text) but in the "heart" — three worries that paralyze the parties:

- **Processors** fear two opposite things at once: that their anonymization won't meet the legal standard (so the data stays in PIPL scope and the effort is wasted), *and* that a standard set high enough to be safe will strip the data of all reuse value.
- **Regulators** fear anonymization becomes a tool processors use to *evade* oversight — declare "anonymized," exit the regime, escape enforcement.
- **Users** fear anonymization is a hollow promise — a label processors attach without real irreversibility.
And the disease is in the "marrow" too: the three worries stem from a deeper *dualism* — between anonymization-as-technology and anonymization-as-law, between process and result, between the scenario-specificity and the uniformity of anonymization. The same anonymization looks like different things to each party: to the processor, a thicket of techniques and thresholds; to the user, opaque jargon; to the regulator, abstract rules and eventually-exposed risk.

Xu Ke's critique of existing theory ("relative anonymization," "dynamic anonymization," "functional anonymization," "subjective anonymization," "data-relationship anonymization"): all correctly recognize that *no anonymization can guarantee zero re-identification* — but none provides a clear, operable behavioral standard. "Relative anonymization" says reduce risk to an "acceptable level" — but what level, set by whom? The theories have explanatory power but no power to cure.

## The fix: three risks, three layers, one concentric circle

Xu Ke's reconstruction starts from the premise that **absolute anonymization is a fool's errand** ("carving the boat to find the sword"), and that information protection follows a *Goldilocks principle*: too-strict anonymization destroys so much information value that the exercise becomes self-defeating. So the regime must accept *limited* processor obligations and *limited* state oversight — and the hard question is where the limit sits.

His answer: type the re-identification risk by (consequence × probability) into three tiers, and match each to a governance mechanism and a layer of anonymity.

### Center — Systemic risk → Presumptive anonymity (推定匿名)

**Systemic risk** (系统风险): the risk that anonymization fails *wholesale*, exposing personal information to large-scale misuse. Diffuse, affects many — so it needs *ex-ante preventive* governance: objective, admission-style "red-flag" rules applied uniformly.

The mechanism: **design-based regulation** (经由设计的规制) — embed the anonymization standard into the system architecture, code, and technical defaults, so anonymization is a built-in property rather than an after-the-fact judgment. The anonymization design is shaped jointly by enterprises, government, and industry bodies, and recognized through a bottom-up accreditation mechanism.

The legal effect: **presumptive anonymity**. Once an anonymization design is (directly or indirectly) state-recognized, data processed through it is *presumed anonymized*. This is a burden-of-proof reversal — the processor need only show it used a qualified anonymization design to get the anonymized result confirmed, dramatically easing the processor's worry. It's a *rebuttable* factual presumption: others can challenge with new evidence, but the burden shifts to the challenger.

### Middle — Operational risk → Determined anonymity (判定匿名)

**Operational risk** (操作风险): the risk that *specific* failures — vulnerabilities in the anonymization measures, internal-process defects, personnel error or misconduct — cause improper use. Localized, scenario-specific. Needs *ex-post responsive* governance: case-by-case adjudication after a harm, guiding enforcement and judicial bodies to handle each fairly.

The mechanism: where evidence shows the anonymization didn't actually achieve anonymity, the presumption is rebutted — but the rebuttal must be **determined by an administrative agency or court under PIPL**. Xu Ke calls this **determined anonymity**: the regulator retains *final say* over whether an anonymization design is lawful, which dissolves the regulator's "anonymization trap" worry (the fear that recognizing a scheme forecloses later enforcement). It doesn't — the presumption is always rebuttable by official determination.
### Edge — Residual risk → Trust anonymity (信任匿名)

**Residual risk** (剩余风险): the irreducible risk from leftover identifiability, unforeseeable data sources, and technical advances. Xu Ke's striking example: in 2018 the US Census Bureau found that its published 2010 statistics could be used to reconstruct the sex, age, race, ethnicity, and block-level location of **46% of the US population exactly (71% if age is allowed to be off by one year)**. Residual risk is real and permanent.

The implication: processors must not "release and forget" anonymized data. They must keep performing compliance obligations — transparency mechanisms that protect users' right to know, and continuous re-identification-risk monitoring. Regulators backstop with strong "public enforcement" to compensate for the weakness of private remedies under residual risk. Xu Ke calls this user-oriented layer **trust anonymity**.

## The three reinterpretations of the statutory text

Beyond the architecture, Xu Ke offers legal reinterpretations of PIPL Article 73's anonymization elements — "cannot identify," "cannot be restored," and "process":

- **"Cannot identify"** — read against a *reasonable-means* standard (specific person, reasonably likely methods), not an absolute "no one on earth by any method." This aligns with the subject-relativity reading TRIMPS develops.
- **"Cannot be restored"** — read as *high* irreversibility under reasonable cost, not literal impossibility (the "difficult to restore" gloss the draft Guide adopts).
- **"Process"** — read as an ongoing, monitored process, not a one-time terminal act.

The two compliance reforms he proposes flow from this:

- **From "anonymization consent" to "anonymization notice"** (从"匿名化同意"到"匿名化知情") — the legal basis for anonymizing isn't a fresh consent but a transparency/notice obligation, since anonymization is processing in service of the original purpose's safe termination.
- **From "prohibit re-identification" to "reuse PIIA"** (从"禁止再识别"到"再利用的个人信息保护影响评估") — rather than a flat ban on re-identification, require a PI Impact Assessment before *reusing* anonymized data, calibrated to the residual risk. ## What this tells overseas compliance teams - **Read Xu Ke and TRIMPS together as the converging Chinese position.** The academic blueprint (Xu Ke) and the standards-body read (TRIMPS) point the same direction: anonymization is risk-based, not absolute; process-based, not one-time; and increasingly recipient-aware. The compliance posture both imply — documented risk thresholds, continuous monitoring, no "release and forget" — is the one to build to now. - **"Design-based" anonymization is the forward-looking compliance architecture.** Xu Ke's presumptive-anonymity layer rewards processors that bake anonymization into system design and (eventually) get the design accredited. Multinationals should architect anonymization as a built-in pipeline property with documented technique selection and threshold-setting — not a manual, case-by-case scrub. When an accreditation mechanism materializes, design-based processors will get the burden-shifting benefit. - **"Release and forget" is the specific anti-pattern to eliminate.** Both Xu Ke (residual risk) and TRIMPS (continuous assessment) reject it. If your China operations anonymize data and then treat it as permanently out-of-scope with no further monitoring, that posture is squarely in the crosshairs of where the regime is heading. Institute recurring re-identification-risk review. - **The presumption-and-rebuttal structure tells you what evidence to keep.** Under Xu Ke's framework, the processor's protection is the *documented qualified anonymization design*; the regulator's power is the *official rebuttal determination*. Translation: your defensible position depends on contemporaneous documentation of the anonymization design, technique selection, threshold rationale, and monitoring. 
That documentation is the asset. - **Watch the PI Anonymization Guide — it's where this lands.** The 2024-2025 academic and standards work (Xu Ke's piece, the draft Guide, the TRIMPS analysis) is converging on the final anonymization standard. When the Guide finalizes, expect it to encode risk-based irreversibility, continuous assessment, and possibly the design-recognition mechanism. Pre-position methodology and documentation accordingly. The deeper point: Xu Ke is trying to make the anonymization clause *do work* — to turn a dead provision into the operational gateway that lets data flow out of PIPL scope safely. That is precisely the gateway overseas counsel most want to use (anonymize → exit PIPL → reuse / transfer freely). The lesson is that the gateway is real but conditional: it requires a defensible, documented, continuously-monitored, design-based anonymization posture — not a label. --- — *许可, 复活僵尸法条:个人信息匿名化制度的再造 (Reviving a Zombie Provision: Reconstructing the Personal Information Anonymization System), 《财经法学》Issue 4, 2024, pp. 160-177; reposted via 数字经济与社会 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/yaO_RB-rzTKouqevxCb-Xw)* *Not legal advice. 
The above is DCC's structured summary of Xu Ke's analysis, with framing for overseas counsel; the zombie-provision diagnosis, the three-risk / three-layer concentric-circle architecture, and the statutory reinterpretations are Xu Ke's.* --- ## The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-rights-theory, data-twenty, data-economy, commentary - Laws cited: data-foundation-system-opinions, pipl, dsl, data-property-rights-registration-guide-draft - Domains: data-economy, personal-information, data-security - URL: https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure/ - Markdown: https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure.md - Original source: https://mp.weixin.qq.com/s/0l_QZgvXbMKQ2I50aOqxaA - Original author: 许可 (Xu Ke), UIBE - Original publication: 《政法论坛》(Tribune of Political Science and Law), Issue 4, 2021, pp. 86-96; reposted via 政法论坛 WeChat Official Account ### Description Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing. ### Body > *Editor's Note — DCC.* > > This is the theory piece under the theory pieces. 
Published in > 《政法论坛》in 2021 — before the Data 20 Articles — and cited 255 > times since, Xu Ke's "Data Rights: Paradigm Integration and Normative > Differentiation" is the structural-theory scaffolding that the > three-rights framework (hold / use / operate) and the > [data-source-rights debate](/posts/wang-nian-data-source-rights-as-fair-use/) > both build on. For overseas counsel, its value is diagnostic: it > explains *why* Chinese data rights are structured the way they are, > and *why* the Western property / IP / license analogies keep > failing to map. DCC summarizes the framework; the deep > jurisprudential argument is in the original. ## The two warring paradigms Xu Ke frames the data-rights field as a contest between two paradigms: - **Formalism — the "empowerment" model (赋权模式).** Treats data rights as a *new property-style right* to be defined and assigned: who owns the data, what the owner can exclude, how the right transfers. The instinct is to build a data-ownership right analogous to property or IP. - **Substantivism — the "conduct regulation" model (行为规制).** Skeptical of defining a data-ownership right at all; instead regulates *behavior* — what processors may and may not do — through tort, competition, and data-protection rules, without ever vesting a property-style right. Each has a fatal weakness. The formalist empowerment model struggles because data isn't naturally exclusive or rivalrous — a single dataset can be held and used by many parties non-exclusively, which defeats the property analogy. The substantivist conduct-regulation model struggles because pure behavior-regulation can't support the *market* the data-element economy needs — you can't trade what you can't define a right over. Xu Ke's move: the two paradigms are "different roads to the same destination" and must be *integrated* — through a third paradigm he calls **reflexive law (反省法)**, which steps back from both to ask what *structure* data rights actually require. 
## Three possible rights structures The integrating insight is structural. Xu Ke distinguishes three ways a "right" can be built: - **Rights-ball (权利球).** A unitary, indivisible right — like classical ownership. One owner, one solid sphere of entitlement. Doesn't fit data: data's value comes precisely from being usable by many parties simultaneously. - **Rights-bundle (权利束).** A bundle of separable sticks — like the Anglo-American "bundle of rights" property concept. Better, but Xu Ke argues it's too loose: the sticks are enumerated but not *structured*, so the bundle doesn't explain how the rights relate or cohere. - **Rights-block (权利块).** Xu Ke's proposal. A *structured* set of rights with a shared core and differentiated manifestations — capturing data's "**理一分殊**" character (one underlying principle, many concrete manifestations). The block has an "overall design rule" (整体设计规则) that gives the rights coherence and "individual design rules" (个别设计规则) that differentiate them by scenario. The "data rights block" (数据权利块), Xu Ke argues, both *integrates and improves* China's existing "separation of powers/functions" (权能分离) theory — the theory that the Data 20 Articles operationalized into hold / use / operate. And because it's a *block* (structured) rather than a *bundle* (enumerated), it connects coherently to the surrounding institutions: data security, data trading, statutory data use, data opening and sharing. ## Why this matters for the three-rights framework The Data 20 Articles' three-rights structure (hold / use / operate) is, in Xu Ke's terms, a *rights-block*: three rights sharing a common core (the underlying data), differentiated by function, structured rather than merely listed. This is why: - The three rights are **severable** (you can hold one without the others) — that's the "individual design rules." 
- The three rights are **non-exclusive** (multiple parties can hold the same right over the same data) — that's data's non-rivalrous nature, which the rights-block accommodates and the rights-ball cannot. - The three rights **cohere** (they're not a random bundle but a structured set) — that's the "overall design rule." For overseas counsel who've read [NDA's interpretation of the three rights](/posts/nda-three-rights-structural-separation/), Xu Ke's piece is the theoretical answer to the question "why is it structured this way?" The structure isn't arbitrary; it's the rights-block design responding to data's specific properties. ## Why Western analogies fail The piece's most useful contribution for overseas counsel is implicit: it explains *why* the instinct to map Chinese data rights onto Western property, IP, or license concepts keeps failing. - **Property (ownership) analogy fails** because it's a rights-ball — unitary and exclusive. Data rights are a rights-block — structured and non-exclusive. - **IP analogy fails** because IP protects single-author creation with exclusive rights; data is multi-party co-created and non-exclusive. - **License analogy partially works** but misses the structure: a license is a grant *from* an owner; the rights-block has no single owner to grant from — the rights are structurally co-held. The lesson: stop looking for the Western analog. The rights-block is a genuinely different structure, designed against data's properties (non-rivalry, multi-party creation, low replication cost). Counsel who internalize the structure operate the regime; counsel who keep reaching for analogies stay confused. 
## What this tells overseas compliance teams - **Use the rights-block as the mental model, not the property/IP/license analogy.** When you encounter Chinese data-rights vocabulary (hold / use / operate, data-source rights, etc.), parse it as a structured rights-block — shared core, differentiated and severable manifestations, non-exclusive — rather than trying to find the Western equivalent. This is the single most useful conceptual correction for cross-border data lawyers. - **The "non-exclusive" property is load-bearing in contracts.** Because the rights-block accommodates multiple parties holding the same right over the same data, your Chinese data agreements can (and increasingly do) allocate non-exclusive use rights to multiple parties. Don't assume exclusivity as a default; specify it where you need it. - **The theory predicts the rulemaking.** Xu Ke's 2021 framework predicted the structure the Data 20 Articles (2022) adopted and the [Data Property Rights Registration Guide draft](/laws/data-property-rights-registration-guide-draft/) (2025) is operationalizing. Tracking the leading academic structural theory is a forward indicator of where registration, trading, and rights-confirmation rules go next. - **"理一分殊" is the design philosophy to internalize.** One underlying principle (the data), many differentiated manifestations (the rights, by scenario). This is why Chinese data rules proliferate scenario-specific sub-rules (sector catalogues, FTZ negative lists, public-data vs enterprise-data vs personal-data regimes) rather than one unified rule. Expect differentiation by scenario as the structural norm, not the exception. The structural takeaway: Chinese data-property law is built on a deliberate, theorized *structure* — the rights-block — not an improvised borrowing from Western property law. Xu Ke supplied that structure before the policy adopted it. 
For overseas counsel, the piece is the decoder ring: it tells you what *kind of thing* Chinese data rights are, which makes every downstream rule legible. --- — *许可, 数据权利:范式统合与规范分殊 (Data Rights: Paradigm Integration and Normative Differentiation), 《政法论坛》Issue 4, 2021, pp. 86-96; reposted via 政法论坛 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/0l_QZgvXbMKQ2I50aOqxaA)* *Not legal advice. The above is DCC's structured summary of Xu Ke's analysis, with framing for overseas counsel; the paradigm-integration argument and the rights-ball / rights-bundle / rights-block taxonomy are Xu Ke's.* --- ## When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-asset, data-property-rights, data-on-balance-sheet, data-economy, commentary - Laws cited: data-foundation-system-opinions, pipl, public-data-authorized-operation-specifications, data-property-rights-registration-guide-draft - Domains: data-economy, personal-information - URL: https://datacompliancechina.com/posts/xu-ke-data-asset-identification/ - Markdown: https://datacompliancechina.com/posts/xu-ke-data-asset-identification.md - Original source: https://mp.weixin.qq.com/s/i8LzBioix-fTBB-_FcGC-g - Original author: 许可 (Xu Ke), UIBE - Original publication: 《企业家》杂志 (Entrepreneur Magazine); reposted via 企业家杂志 WeChat Official Account ### Description Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). 
He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet. ### Body > *Editor's Note — DCC.* > > Xu Ke's two other pieces DCC published today are deep doctrine — the > [anonymization reconstruction](/posts/xu-ke-anonymization-zombie-provision/) > and the [rights-block structure](/posts/xu-ke-data-rights-block-structure/). > This one, written for *Entrepreneur Magazine*, is the practitioner- > facing complement: when does data actually become an *asset* a Chinese > enterprise can put on its books, and how do the three rights map onto > operational boundaries? It's the most directly useful of the three for > overseas counsel doing transactional or accounting-adjacent work with > Chinese counterparties — particularly as China's "data on balance > sheet" (数据入表) movement gathers pace. ## Resource vs asset — the two viewpoints Xu Ke's first distinction is between two vantage points: - **Data resource (数据资源) — the national viewpoint.** Introduced in the State Council's 2015 *Action Outline for Promoting Big Data Development*, "data resource" is a macro-economic positioning emphasizing data's *public attributes* and *strategic value*. - **Data asset (数据资产) — the market-actor viewpoint.** An enterprise's commercial framing: whether data can produce *actual value in business activity*. Two essential differences follow: 1. **Data resource carries plural interests** — public, individual, and enterprise. Data with strong public attributes or involving personal privacy can't be monopolized by an enterprise; from the national view it's an important resource, but it can't all be classed as enterprise assets. Data asset, by contrast, must point clearly to the enterprise's *commercial scenario*. 2. 
**Data asset has a narrow and a broad sense:** - **Narrow (accounting) sense** — meets the Ministry of Finance's *Enterprise Accounting Standards* test: the data can be owned or effectively controlled by the enterprise, can bring economic benefit, and its cost or value can be reliably measured — thus eligible for **"data on balance sheet" (数据入表)** as an accounting-recognized data asset. - **Broad sense** — any data that creates value for the enterprise. ## The three-part asset test Xu Ke gives enterprises a practical three-question test for whether their data has asset character: 1. **Does the data serve the enterprise's core business activity?** 2. **Can the enterprise own or effectively control the data?** 3. **Is there a clear value-realization (monetization) path?** His example: user-behavior data accumulated by an internet enterprise has asset character *if* it can be analyzed to optimize products or run precision marketing — i.e., if there's a realization path. ## Mapping the three rights onto operational boundaries The practitioner payoff: Xu Ke works the [three-rights framework](/posts/nda-three-rights-structural-separation/) into concrete operating boundaries by right and by data type. **By right:** - **Hold right (持有权)** — attribution of the original data resource; the defensive perimeter against others stealing, tampering, leaking, or destroying the held data. - **Use right (使用权)** — the right to process, analyze, apply; needs a defined scope, method, and compliance boundary. His example: a hospital using patient data for research must comply with PIPL and *ensure anonymization* to protect patient privacy — directly linking the use-right boundary to the [anonymization standard](/posts/xu-ke-anonymization-zombie-provision/). - **Operate right (经营权)** — commercialization of data products: authorization, trading, services. 
His example: when selling a processed data product to a third party, the parties must define rights and obligations clearly to ensure compliant circulation. **By data type:** - **Personal data** — use right must strictly follow PIPL and related rules. - **Enterprise operational data** — operate right is more market-regulated (left to the market). - **Government data** — public attribute must be clear; commercial use is limited to prevent private capture of public resources. ## What this tells overseas compliance teams - **Distinguish "data asset" (accounting) from "data we find valuable" (everything).** When a Chinese counterparty talks about its "data assets," clarify which sense — narrow (on-balance-sheet, MOF-standard-qualified) or broad (anything valuable). The narrow sense carries specific ownership/control, economic-benefit, and measurability requirements that bear on valuation, due diligence, and deal structuring. - **The three-question asset test is a useful diligence screen.** When valuing or acquiring a Chinese entity's data assets, run Xu Ke's test: core-business nexus, ownership/control, realization path. Data that fails any prong is unlikely to survive as a recognized asset — relevant to purchase-price allocation and rep-and-warranty scoping. - **Anonymization is the use-right boundary for personal data.** Xu Ke ties the use right for personal data directly to PIPL compliance and anonymization. If a deal contemplates using personal-data-derived assets, the anonymization posture (and its [risk-based, continuously-monitored standard](/posts/yao-qian-pi-anonymization-relativity/)) is the gating compliance question — not an afterthought. - **Data-on-balance-sheet is a live and growing practice.** China's 数据入表 movement (data assets recognized on corporate balance sheets under MOF rules effective 2024) means Chinese counterparties increasingly carry data assets on their books. 
Overseas counsel doing M&A, financing, or audit-adjacent work should expect to encounter recognized data assets and should understand the recognition basis (which traces back to the three-rights hold/control determination). - **Government-data commercial use is fenced.** Where a deal touches government / public data, the operate right is constrained — public attribute must be preserved, commercial use limited. Don't assume government-data-derived products can be freely commercialized; the public-data authorized-operation regime governs. The connective point across Xu Ke's three pieces: the [rights-block structure](/posts/xu-ke-data-rights-block-structure/) defines *what kind of thing* data rights are; the [anonymization reconstruction](/posts/xu-ke-anonymization-zombie-provision/) defines *how personal data exits the PI regime to become freely usable*; and this piece defines *when the resulting data becomes a recognized, monetizable, balance-sheet asset*. Together they trace the full arc from raw data to recognized asset — which is exactly the arc a multinational structuring a Chinese data transaction has to walk. --- — *许可, 数据资产的识别与界定 (Identifying and Defining Data Assets), 《企业家》杂志 (Entrepreneur Magazine); reposted via 企业家杂志 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/i8LzBioix-fTBB-_FcGC-g)* *Not legal advice. 
The above is DCC's structured summary of Xu Ke's analysis, with framing for overseas counsel; the resource/asset and narrow/broad distinctions, the three-question test, and the rights-by-data-type mapping are Xu Ke's.* --- ## From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative - Published: 2026-05-28 - Author: DCC Editorial - Tags: anonymization, personal-information, de-identification, cross-border-data, commentary - Laws cited: pipl, csl, dsl, network-data-security-regulations - Domains: personal-information, data-security, cross-border - URL: https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity/ - Markdown: https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity.md - Original source: https://mp.weixin.qq.com/s/B420B2O-X0QYCi86slnuaA - Original author: 姚迁 (Yao Qian), TRIMPS Data Security Technology R&D Center - Original publication: 三所数据安全 (TRIMPS Data Security) WeChat Official Account ### Description The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer. 
### Body > *Editor's Note — DCC.* > > Anonymization is the single most consequential threshold in Chinese > PI law: PIPL Article 4 excludes anonymized information from the > definition of personal information, so anonymized data falls *outside* > the entire PIPL compliance regime — no consent, no cross-border > assessment, no deletion right. Which makes the question "is this data > actually anonymized?" one of the highest-stakes determinations a > compliance team makes. This TRIMPS piece — by 姚迁 (Yao Qian) of the > institute's Data Security Technology R&D Center — works two > sub-questions that the bare statutory text leaves open: whether the > standard is *absolute* (re-identification probability zero) or > *risk-based*, and whether it's *recipient-relative*. TRIMPS is the > body that helps write the implementing standards, so its reading is > an early signal of where the compliance bar settles. DCC reproduces > the analysis with framing for overseas counsel. ## Why anonymization is the threshold that matters PIPL Article 4 defines personal information as information relating to identified or identifiable natural persons — and **expressly excludes anonymized information**. The consequence is categorical: once data is genuinely anonymized, it leaves PIPL's scope entirely. No legal basis required for processing, no PIIA, no cross-border security assessment, no individual rights to honor. The compliance-cost differential between "anonymized" and "merely de-identified" is enormous. That differential is exactly why the determination gets abused. Yao opens by flagging a recurring practice problem: data handlers describe their processing as "de-identification" / "desensitization" / "pseudonymization" (去标识化 / 脱敏 / 假名化) while simultaneously claiming the output "cannot be restored," "cannot identify any specific subject," "has no possibility of identifying any individual" — language that actually asserts the *anonymization* legal standard. 
The conflation is not cosmetic: if the output truly meets the anonymization bar, it should be characterized as anonymized *with supporting proof*; if it only reaches de-identification, the data **remains personal information** and stays fully within PIPL. ## Question 1 — Is "cannot be restored" an absolute zero? PIPL Article 73 defines the two tiers precisely: - **De-identification (去标识化)** — processing such that PI cannot identify a specific natural person *without additional information*. Reversible if recombined with the additional information. - **Anonymization (匿名化)** — processing such that PI cannot identify a specific natural person *and cannot be restored*. The added requirement is **irreversibility**. The literal text — "cannot identify" + "cannot be restored" — reads as an *absolute* standard. Yao's question: does anonymization require re-identification probability to drop to literally zero? ### International practice says no Yao surveys the comparative position, which trends clearly against the absolutist reading: - **GDPR** defines anonymous information as data that does not relate to an identifiable person, or is processed such that the subject is no longer identifiable — and requires accounting for **"all the means reasonably likely to be used"** to identify. A reasonableness test, not an absolute one. - **Spanish DPA + EDPS, "Ten Misunderstandings about Anonymisation"** — explicitly names "anonymisation can always reduce re-identification probability to zero" as a *misconception*. A valid anonymization process aims to reduce re-identification probability *below a defined threshold*, not to zero. - **Singapore PDPC, Basic Anonymisation Guide** — anonymization means "very low" re-identification risk, not absolute impossibility; it should be treated as a *risk-based process* combining anonymization techniques and safeguards. 
### China's 2025 draft Guide softens the text The pivotal development: China's **2025 draft *Personal Information Protection — PI Anonymization Guide*** (个人信息匿名化指南(征求意见稿)) addresses the question directly — and shifts the wording. Where PIPL Article 73 says "cannot be restored" (不能复原), the draft Guide says anonymized information is **"difficult to restore" (难以复原) without paying high cost**. Yao flags this as a deliberate loosening: "difficult to restore" concedes that anonymization is *not* absolute irreversibility but rather **high irreversibility under prevailing technology and reasonable cost constraints** — the GDPR "reasonable means" logic, arriving in the Chinese standard through the back door of a definitional gloss. The draft Guide adds a second move that matters as much: anonymization is **not a one-time achievement**. As use continues and technology advances, previously anonymized data that *becomes* re-identifiable reverts to personal-information status — so the handler must **continuously assess re-identification risk** on anonymized data. Anonymization is reframed as a *dynamic, continuously-monitored process*, not a terminal state reached once and relied on forever. ## Question 2 — Is anonymization recipient-relative? The second question is the one with the largest structural consequence: does the anonymization determination depend on *who holds the data*? The scenario: a dataset is personal information in Party A's hands (A has the re-identification capability or the key), but in Party B's hands — where B lacks any reasonable means to re-identify — could the *same dataset* be anonymized? PIPL doesn't specify whose identification capability the "cannot identify / cannot restore" standard refers to, leaving interpretive room. 
### International practice trends toward "yes" - **UK ICO** (Anonymisation, Pseudonymisation and Privacy Enhancing Technologies guidance) — the same information may be personal data in one organization and anonymous in another; status depends on the *context* it sits in. - **EU — SRB v EDPS** — the EU General Court, citing the *Breyer* case (C-582/14), advanced a "**relativity of personal data**" position: data status turns on whether *the recipient* can reasonably identify the individual, not on the controller's identification capability. In that case, Deloitte (the recipient) received only coded comments, held no decoding key, and had no lawful route to the additional identifying information — so, *for Deloitte*, the data was anonymized, and the controller (SRB) had no notification duty. Even the EU — which had insisted pseudonymized data is not anonymized — has moved toward subject-relativity in the case law. ### The operative formula Yao distills the recipient-relative logic into a clean formula: > **De-identified (pseudonymized) data + a specific recipient with no reasonable re-identification capability = anonymized data — *but only as to that specific recipient*.** The practical upside: de-identified data can be *non-personal-information in the hands of a recipient that can't re-identify it*, which creates a technical buffer space for data sharing and reduces compliance burden on the sharing side. The practical cost: the *same dataset* can carry *different legal characterizations at different points in its flow*, multiplying case-by-case assessment complexity and uncertainty. ## TRIMPS's three recommendations Yao closes with three operational recommendations — notable because they come from the institute that helps set the standards. ### 1. Standardize concept usage Strictly distinguish "de-identification (covering desensitization, pseudonymization)" from "anonymization," and use the terms precisely in all documents and plans — no conflation. 
For each processing step, document the specific technique and its corresponding security level. Above all, **answer the core question directly: is the processing target de-identification or anonymization?** The two carry fundamentally different legal consequences and cannot be blurred. ### 2. Introduce case-by-case (recipient-perspective) assessment Because anonymization is not zero-risk, the provider's unilateral anonymization processing alone does not eliminate post-transfer re-identification risk. Before data leaves the domain, conduct a **recipient-specific re-identification risk assessment** for each intended recipient — factoring in that recipient's data environment, technical capability, and already-held correlatable data — and set differentiated security controls accordingly. Yao suggests commissioning an independent third-party assessor to opine, per recipient, on whether the data "may still constitute personal information in that specific recipient's environment," as the basis for cross-border / out-of-domain approval. ### 3. Implement the recipient's assessment obligation + contractual no-re-identification clause Given that subject-relativity is not yet settled in Chinese law, the *recipient* should, before ingesting the data, commission an independent specialist assessment of whether the data meets the anonymization standard *in the recipient's own environment and technical conditions* — with a written report as a required approval artifact. And critically: **contractual constraint is the key institutional safeguard for maintaining the anonymized state.** The most important clause is the **no-re-identification obligation** — the recipient must not use its own technical means or data resources to reverse-identify or re-link the anonymized data it received. 
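A worked version of recommendations 2 and 3, as an added example that is not TRIMPS's, Yao's or DCC's own code and not a method the piece prescribes: it takes a constructed de-identified dataset and asks the recipient-relative question for two recipients, then asks it again after one recipient acquires correlatable auxiliary data. The risk metric (one over the size of the group of records a recipient cannot tell apart on the columns it can correlate, a k-anonymity-style uniqueness measure), the 0.05 threshold, the sample records and all names are assumptions for illustration; a real assessment would use whatever metric and threshold the final Guide settles on.

```python
"""Recipient-relative re-identification risk check.

Added illustration of the per-recipient assessment TRIMPS recommends; not
TRIMPS's, Yao's or DCC's code. Assumptions that are not from the source:
  - risk metric: each record's re-identification probability is 1 / the number
    of records sharing its values on the columns the recipient can correlate
    (a k-anonymity-style uniqueness measure); dataset risk is the maximum
  - a recipient is modelled only by the columns it can correlate from its own
    auxiliary data, plus the threshold it must meet
  - the 0.05 threshold and the sample records are placeholders
"""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Recipient:
    name: str
    linkable_cols: tuple        # quasi-identifiers the recipient can correlate
    threshold: float = 0.05     # hypothetical acceptable max re-id probability


@dataclass(frozen=True)
class Assessment:
    recipient: str
    max_risk: float
    anonymized_for_recipient: bool   # True: non-PI in this recipient's hands
    verdict: str


def build_sample_records():
    """Constructed de-identified records (a pseudonym replaces direct identifiers)."""
    records = []
    for age_band in ("30-39", "40-49"):
        for city, base in (("Shenzhen", 518000), ("Guangzhou", 510000)):
            for i in range(25):
                records.append({
                    "pseudonym": f"p{len(records):03d}",
                    "age_band": age_band,
                    "city": city,
                    "postcode": str(base + i % 5),   # 5 records per postcode
                    "visit_day": i + 1,              # unique within (age_band, city)
                    "diagnosis": "redacted",
                })
    return records


def equivalence_class_sizes(records, cols):
    """How many records share each combination of the linkable columns."""
    return Counter(tuple(r[c] for c in cols) for r in records)


def max_reid_risk(records, cols):
    """Worst-case re-identification probability for a recipient who can
    correlate exactly `cols`: 1 / the smallest equivalence class."""
    return 1.0 / min(equivalence_class_sizes(records, cols).values())


def assess(records, recipient):
    """Recommendations 2 and 3: judge the anonymization claim from the
    recipient's own environment, not from the provider's processing alone."""
    risk = max_reid_risk(records, recipient.linkable_cols)
    passes = risk <= recipient.threshold
    verdict = ("anonymized as to this recipient (below threshold)" if passes
               else "remains personal information for this recipient: PIPL applies")
    return Assessment(recipient.name, risk, passes, verdict)


def reassess_after_accretion(records, recipient, new_cols):
    """Continuous assessment: the same recipient later acquires auxiliary data
    that lets it correlate more columns. Returns (updated recipient, assessment)."""
    updated = replace(recipient, linkable_cols=recipient.linkable_cols + tuple(new_cols))
    return updated, assess(records, updated)


if __name__ == "__main__":
    recs = build_sample_records()
    research_partner = Recipient("research partner", ("age_band", "city"))
    insurer = Recipient("insurer with postcode-level auxiliary data",
                        ("age_band", "city", "postcode"))
    for a in (assess(recs, research_partner), assess(recs, insurer)):
        print(f"{a.recipient}: max risk {a.max_risk:.2f} -> {a.verdict}")
    # later: the research partner obtains postcode and visit-date records
    _, later = reassess_after_accretion(recs, research_partner, ("postcode", "visit_day"))
    print(f"after accretion: max risk {later.max_risk:.2f} -> {later.verdict}")
```

Running the block shows the research partner (linking only age band and city) at 0.04, clearing the threshold; the insurer with postcode-level data at 0.20, not clearing it; and the same partner, once it holds postcode and visit-date records, at 1.00. The dataset never changed, only the recipient's environment, which is why the assessment has to be repeated per recipient and over time rather than signed off once on the provider's side.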
## What this tells overseas compliance teams - **"Anonymized" is a load-bearing legal claim — document it like one.** The compliance-cost gulf between de-identified (in PIPL scope) and anonymized (out of scope) makes the determination a high-value target for scrutiny. Don't let processing be described in de-identification vocabulary while claiming anonymization effect. Pick the target standard explicitly and prove it. - **Stop treating anonymization as a one-time terminal state.** The draft Guide reframes it as dynamic and continuously-assessed: anonymized data that *becomes* re-identifiable (through your later data accretion, or advancing technique) reverts to PI status, with full PIPL obligations re-attaching. Build a *recurring* re-identification-risk review into the data lifecycle, not a one-time sign-off. - **The "difficult to restore" softening is a double-edged development.** It makes anonymization *achievable* (you don't need to prove literal-zero re-identification), but it also makes it *contestable* (the bar is now a reasonableness/threshold judgment a regulator can second-guess). The defensible posture is a documented, threshold-based risk assessment — not an absolute "impossible to restore" assertion you can't actually support. - **Recipient-relativity is the most useful — and most fragile — lever.** If the relativity reading holds, de-identified data shared with a recipient that demonstrably can't re-identify it may be non-PI *for that recipient*, easing the sharing side's burden. But the determination is recipient-specific and context-dependent; the same dataset is PI again the moment it reaches a party with re-identification capability. For cross-border transfer especially, assess each recipient's environment individually — don't treat anonymization as a property of the dataset alone. 
- **The no-re-identification contractual clause is now table stakes.** Where you rely on recipient-relative anonymization (or share de-identified data at all), the receiving-party contract must include an explicit prohibition on re-identification and re-linking, backed by the recipient's data-security obligations. TRIMPS treats this as *the* institutional safeguard maintaining the anonymized state — build it into every data-sharing and cross-border agreement. - **Watch the PI Anonymization Guide through to finalization.** The 2025 draft is the document that will operationalize all of the above. When it finalizes, the "difficult to restore" standard, the continuous-assessment obligation, and (possibly) a position on subject-relativity will become the operative compliance baseline. Track it; pre-position your anonymization methodology and documentation against it. The deeper signal in a TRIMPS piece on this topic: the institution that anchors classified protection and the national eID platform is telling the market that anonymization is a **risk-managed, continuously-assessed, recipient-aware** process — not a one-time technical scrub that permanently exits PIPL. Overseas teams that have been treating "we anonymized it" as a durable get-out-of-PIPL card should expect that posture to be tested. The compliance-grade approach — documented threshold assessment, per-recipient evaluation, continuous monitoring, contractual no-re-identification — is the one TRIMPS is signaling the standard will require. --- — *姚迁, 个人信息匿名化的一些问题 (Some Questions on Personal Information Anonymization), 三所数据安全 (TRIMPS Data Security) WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/B420B2O-X0QYCi86slnuaA)* *Not legal advice. 
The above is DCC's structured summary of Yao's analysis, with framing for overseas counsel; the comparative survey, the "cannot restore" → "difficult to restore" reading, the subject-relativity analysis, and the three recommendations are Yao's.* --- ## Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy - Published: 2026-05-28 - Author: DCC Editorial - Tags: ai-governance, genai, personal-information, causation, liability, commentary - Laws cited: pipl, civil-code-personal-info, genai-services-interim-measures, personal-info-audit-measures - Domains: ai-governance, personal-information, data-security - URL: https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability/ - Markdown: https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability.md - Original source: https://mp.weixin.qq.com/s/V1EbvwB4Ib-fc5j0EgT3Zw - Original author: 朱晓峰 (Zhu Xiaofeng), Central University of Finance and Economics Law School - Original publication: 《政法论坛》(Tribune of Political Science and Law), Issue 6, 2025; reposted via 数字经济与法治 WeChat Official Account ### Description Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. 
Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface. ### Body > *Editor's Note — DCC.* > > Zhu Xiaofeng's piece in 《政法论坛》(*Tribune of Political Science and > Law*, a top-tier Chinese law journal) takes on the question every > GenAI-deploying multinational will eventually face: when a personal- > information harm arises from a GenAI service, but the specific causal > link to any one actor (model designer, model provider, model user, > data provider) cannot be established, who pays? Zhu's answer is > doctrinally bold and operationally consequential: apply Civil Code > Article 1254 — the rule originally designed for harm from objects > falling from buildings of indeterminable origin — by analogy. The > framework is currently a doctrinal proposal in a top journal; it is > the kind of proposal that, in Chinese legal practice, often > crystallizes into judicial-interpretation doctrine and then into > rulemaking within 18-36 months. Multinationals deploying GenAI in > China should design liability allocations and indemnities against > this contemplated framework now. ## The structural problem Generative AI personal-information torts involve a typical actor cast: - **Model designer** — built the foundational model - **Model provider** — operates the GenAI service - **Model user** — the entity (often a downstream enterprise) deploying the model - **Data provider** — supplied the training data or in-context data PIPL Article 69 paragraph 1 establishes presumed fault for PI processors — so once a specific causation link is identified, the actor must prove non-fault to escape liability. Multi-actor liability allocation considers comparative fault and contribution. 
**The problem:** in GenAI cases, the specific causation link is structurally hard to establish. Three reasons: - **Algorithmic black-box** — the model's internal decision pathway is opaque even to the operator. - **Training-data cleansing** — data has been transformed, aggregated, and stripped of provenance. - **Interactive learning** — the model's behavior changes through ongoing user interaction, fragmenting causation across actors and time. Result: the victim cannot prove which specific actor's conduct caused the PI harm. Under the standard "burden on plaintiff to prove causation" rule, the victim recovers nothing. The PIPL's stated purpose — comprehensive PI protection — is structurally defeated. ## Why the existing frameworks don't fix this Zhu walks through the existing doctrinal candidates and explains why each fails. ### Civil Code Article 1165 (general tort) — fails The construction-element approach: plaintiff must prove (a) injury, (b) tortious conduct, (c) causation. The plaintiff cannot prove causation in the GenAI black-box context, so the claim fails. Article 1165 cannot accommodate the unclear-causation scenario. ### Civil Code Article 998 (interest balancing) — fails For non-material personality-rights infringement, Article 998 allows the judge interest-balancing discretion in evaluating culpability. But Article 998's discretion operates within the construction-element framework — it doesn't relax the causation requirement. The plaintiff still has to provide *prima facie* evidence of causation between the conduct and the harm. The Article 998 framework cannot substitute for the missing causation evidence. ### Burden-shifting alone — fails Some Chinese scholarship has proposed shifting the burden of proving causation to the defendants. 
Zhu accepts this is a necessary half-step but argues it's insufficient: even with burden-shifting, where multiple potential defendants each independently demonstrate non-causation for their specific conduct, the victim still recovers nothing. The structural problem is not just *who* bears the burden; it is that *no specific defendant* can be identified as the cause. ### Inferring liability from "principal direct tortfeasor" — fails Where downstream third-party actors are involved, the model-designer / provider / data-provider's contribution is often absorbed into the analysis of the principal direct tortfeasor's act. The exception is *Remsburg v. Docusearch* (US 2003), but the US precedent has been narrowly cabined. Chinese courts have not adopted a comparable framing. ## Zhu's framework: three doctrinal justifications Zhu argues for an analogical extension of Civil Code Article 1254 (unclear causation in building-falling-object cases). Three doctrinal foundations: ### 1. Communication-safety theory (交往安全, the Chinese rendering of the German-law *Verkehrspflicht*: the duty of care owed by whoever opens or maintains a source of risk to others) The principle: whoever creates or maintains a risk to others has an obligation to take all appropriate and reasonable measures to control the risk and prevent its materialization. Applied to GenAI: - **GenAI model designers and providers** opened and maintain the risk (the GenAI technology cannot operate without large-scale PI processing, and the model's interactive-learning behavior generates ongoing PI risk). - **GenAI model users** maintain the risk (their use of the technology is what activates the harm potential). - **Data providers** contribute to the risk (their data supply enables the PI-processing risk surface). Each is therefore subject to a communication-safety obligation; failure to discharge it grounds liability *even where specific causation is unclear*. ### 2. Gain-and-risk allocation theory The principle: whoever benefits most from a risk should bear most of the downside. 
Applied: - Model designers, providers, users, and data providers benefit substantially from GenAI deployment. - PI subjects bear the harm cost but receive minimal benefit. Allocating all downside to the PI subject — on the technicality that specific causation isn't proven — produces an inversion of the gain/risk-allocation justice principle. Better: distribute the harm cost across the actors that benefit. ### 3. Causation-proof difficulty + harm-prevention PI causation in GenAI is *structurally* difficult to prove, not just fact-specifically difficult. The doctrine should accommodate this. Additionally, requiring potential actors to bear shared liability creates incentives for them to *prevent harm in the first place* — supporting the harm-prevention function of tort law beyond the compensation function. The combined justification: communication-safety + gain-risk-allocation + structural-causation-difficulty + harm-prevention provide overlapping doctrinal grounds for the unclear-causation rule. ## The proposed rule: Article 1254 by analogy Civil Code Article 1254 was originally designed for harm from objects dropping or being thrown from buildings: if the specific actor cannot be identified, *all* potentially-causal users of the building must compensate the victim, with judges determining proportional allocation among them. Zhu's proposed application to GenAI: **(1) Trigger condition.** Where (a) PI harm has demonstrably occurred, (b) the harm clearly originates from a specific GenAI service or product, and (c) which specific actor's conduct caused the harm cannot be established despite reasonable investigation. **(2) Liability scope.** Each potentially-causal actor (model designer, provider, user, data provider) compensates the *full* damage to the victim. The victim is not required to litigate among the actors; the actors must absorb the joint exposure. **(3) Inter-actor allocation.** Among the actors, the allocation is *proportional* (按份关系). 
Judges determine the specific amounts case-by-case, considering: - Each actor's role in opening / maintaining the risk - Each actor's safeguards (or lack thereof) - Each actor's economic benefit from the risky activity - Comparative-fault factors **(4) Escape mechanism.** Actors that affirmatively prove their conduct is not causally connected to the specific harm can be excluded from the liability pool. This preserves the differential-incentive property — actors that invest in safeguards and can demonstrate non-causation are released from joint liability. ## How this connects to the existing framework Zhu carefully positions the framework as *complementary* to existing PIPL and Civil Code structures, not as a replacement: - **Where specific causation IS established** — PIPL Article 69 paragraph 1's presumed-fault rule continues to apply. - **Where multi-actor liability applies** — Article 1170 (joint dangerous conduct) or Article 1171 (separate acts by two or more persons, each sufficient to cause the entire harm, with joint and several liability) continue to apply as appropriate. - **The Article 1254 analogy applies specifically to** — the structural unclear-causation case where the conventional frameworks systematically under-protect the victim. This is doctrinally tidy: the proposed rule fills a specific gap without disturbing the broader liability architecture. ## What this tells overseas compliance teams - **The unclear-causation gap will get filled.** Even if Zhu's specific Article 1254 analogy proposal isn't ultimately adopted, *some* framework will fill the gap — the alternative (continued under-protection of PI victims in GenAI cases) is not politically sustainable as GenAI deployment scales. Multinationals deploying GenAI in China should design liability and indemnity frameworks against the contemplated joint-liability outcome. 
- **Joint-liability allocation across the GenAI supply chain becomes the operating norm.** If you are a model designer, model provider, GenAI service user, or data provider in any role for a Chinese-market GenAI service, plan for the scenario where *you become a defendant in a PI case where no single actor can be specifically blamed*. The contemplated framework imposes joint-liability exposure regardless of your specific causal contribution. - **Demonstrable safeguards and auditable compliance records are now operationally consequential.** The escape mechanism in Zhu's proposed framework — actors who can prove non-causation are released — creates a differential incentive. Actors that maintain comprehensive PIIA documentation, algorithmic-decision audit logs, training-data provenance documentation, and verifiable safeguard implementations have a defensible exit from the liability pool. Actors that don't, don't. - **Contractual allocation across the GenAI supply chain becomes essential.** Designers, providers, users, and data providers should contract — explicitly — on liability allocation, indemnification, and cooperation in the event of a joint-defendant scenario. The contracts should anticipate (a) joint-defendant status, (b) information-sharing obligations to support each party's non-causation defense, (c) cost-allocation in joint defense and joint settlement. - **Insurance becomes structurally important.** The US insurance-and-industry-fund model Zhu references is one operational answer. Multinationals operating GenAI in China should evaluate (a) cyber/tech-liability policies specifically covering joint-liability exposure from unclear-causation PI scenarios, (b) industry-fund or pool arrangements where available, (c) coverage extensions for the comparable-position actors in your GenAI supply chain. 
- **The PIIA + audit infrastructure does double duty.** PIIA (PI Impact Assessment) and the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/) regime are not just direct compliance obligations — they are the *evidentiary infrastructure* for proving non-causation in a joint-defendant case. Invest accordingly. The deeper doctrinal point Zhu's piece signals: Chinese GenAI tort law is, structurally, going to look very different from the US negligence-and-product-liability approach or the EU AI Act / GDPR approach. The Chinese frame will lean on Civil Code architecture, Continental civil-law doctrine, and joint-liability mechanisms in ways that don't translate cleanly into Western analogies. Multinationals that build compliance programs against the *coming* Chinese frame — joint-liability, evidentiary-defense infrastructure, contractual allocation across the supply chain — will operate the regime efficiently. Multinationals that wait for the regime to crystallize will be reverse-engineering liability allocations into already-deployed GenAI services under unfavorable conditions. --- — *朱晓峰, 生成式人工智能个人信息侵权因果关系不明时的责任认定 (Liability Determination for Generative AI Personal Information Torts Where Causation Is Unclear), 《政法论坛》(*Tribune of Political Science and Law*), Issue 6, 2025; reposted via 数字经济与法治 WeChat Official Account, November 25, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/V1EbvwB4Ib-fc5j0EgT3Zw)* *Not legal advice. 
The above is DCC's structured summary of Zhu's analysis, with framing for overseas counsel; the three-pillar doctrinal justification and the Civil Code Article 1254 analogy proposal are Zhu's.* --- ## Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It - Published: 2026-05-28 - Author: DCC Editorial - Tags: personal-information, platform-economy, gig-economy, employment, commentary - Laws cited: pipl, civil-code-personal-info, algorithmic-recommendation-provisions, personal-info-audit-measures - Domains: personal-information, app-compliance - URL: https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection/ - Markdown: https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection.md - Original source: https://mp.weixin.qq.com/s/vl6-9obLhfkCA8p5qEvw2g - Original author: 艾琳 (Ai Lin), Jilin University Law School and Theoretical Law Research Center - Original publication: 《政治与法律》(Political Science and Law), Issue 3, 2026; reposted via 数字经济与法治 WeChat Official Account ### Description Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. 
Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces. ### Body > *Editor's Note — DCC.* > > Ai Lin's piece in 《政治与法律》(*Political Science and Law*) takes > the operational reality of platform-economy work — couriers tracked > minute-by-minute by algorithms, drivers penalized for deviating from > optimal routes, workers whose physical labor is shaped by software — > and asks the question PIPL doesn't answer: what does individual- > consent-based PI protection mean when the "individual" has no > realistic alternative to consent? Ai's framework draws on labor-law > doctrine (tilt protection for the structurally weaker party) and on > contextual-integrity theory (consent must be evaluated within the > power relation it occurs in), to argue for a hybrid PI-and-labor > regime for platform gig workers. The piece is relevant for any > multinational running platform models in China — including > e-commerce platforms with contractor delivery, ride-hail expansion, > and the broader category of "internet-employed professionals" > (网约配送员 / 网约车驾驶员 / 货车司机 / 互联网营销师). ## The structural problem China's "new employment form" (新就业形态) — gig workers operating through platforms — has grown into one of the most consequential labor categories. The PI dimension is what makes it distinctive from earlier gig-economy analyses: every gig worker's labor process is **algorithmically observed and algorithmically directed**, generating continuous PI flows. PIPL's baseline approach assumes the individual is a knowing consent-grantor with realistic alternatives. Both assumptions break down in the platform-gig context: - **Worker has no realistic alternative to consent.** Joining a platform requires clicking "agree" to extensive PI collection — location, route, behavior, biometric, sometimes more. Refusing means no work. 
- **Worker has no meaningful negotiation power.** A single worker can't bargain with the platform over what's collected or how it's processed. Individual contractual remedies are practically unavailable. PIPL Article 13 (consent baseline), Article 14 (consent requirements), Article 15 (revocation right), and Article 24 (automated decision-making transparency) all assume a degree of individual leverage the platform context strips away. The Civil Code's Article 1035 consent requirement similarly assumes a baseline that gig work doesn't provide. Ai's diagnosis: PIPL is structurally designed for vertical PI-protection relationships (subject ↔ processor) and fails to account for the structural-asymmetry that defines the platform-gig context. ## The conceptual frame — alienated labor + scenario fairness Ai's analytical move imports two frameworks. ### The alienated-labor frame Marx's 1844 framework of *labor alienation* (异化劳动) maps surprisingly well onto platform-gig work, in three respects: **(1) Alienation of worker from product.** Platform algorithms set delivery time based on previous workers' performance, then punish deviation. As workers compete to set faster times, the "fastest extreme" gets absorbed into the algorithm's expectations, displacing the previously normal pace. The worker's contribution shapes the algorithm against itself. **(2) Alienation of worker from labor process.** The worker's location, movement, and behavior are continuously monitored. Deviation from the platform's algorithmically-determined optimal route triggers penalty. Worker autonomy over the labor process is mostly nominal. **(3) Alienation of worker from the platform.** The platform's ownership of the information infrastructure — not the worker's tools (vehicle, phone) — is the dominant means of production in the gig economy. The platform's information control is its labor-control mechanism. 
The framework justifies treating platform-PI processing not as a neutral consent transaction but as the *primary mechanism* through which a structurally asymmetric employment relation operates. ### The scenario-fairness frame The "scenario fairness" (场景公正) principle requires PI protection to be evaluated *in the specific context* where the data flow occurs — not against a generic consent baseline. Privacy theorist Helen Nissenbaum's *contextual integrity* framework is the underlying reference. Application: in the platform-gig context, the relevant context is *employment-equivalent*, not *consumer-equivalent*. PIPL's consumer-equivalent baseline (full individual consent, unilateral revocation) is the wrong framework. The right framework is *employment-tilted* protection — closer to labor law's structural recognition that the employer holds the bargaining advantage and the law must compensate. ## The legal-status question A central debate Ai addresses: are platform gig workers employees (subject to traditional labor law) or independent contractors (subject only to commercial law)? Ai's answer: it doesn't matter for PI protection purposes — even where formal employment status is absent, the **economic-dependence** factor that justifies labor-law tilt protection is fully present. The court precedent Ai cites: a court found a platform delivery worker had: - Labor that was an *integral component* of the platform's business - Payment calculated on completed-work-quantity basis - *No decision-making authority* over labor pricing or terms - Income from the platform as the *primary livelihood source* This established *economic dependence* sufficient to support tilt protection, even though formal employment relationship status was disputed. The doctrinal implication: PI protection for platform gig workers should *apply tilt protection irrespective of formal employment status*. 
The structural-asymmetry justifying tilt is present in any case; binding the doctrine to formal employment classification produces under-protection in the cases where it's most needed. ## The three operational responses Ai proposes three integrated responses. ### Response 1 — Enhanced transparency + tiered PI safeguards The traditional PI-protection toolkit (transparency requirements, sensitivity-based handling) needs to be intensified in the platform-gig context. **Transparency.** Platform-gig workers should have explicit visibility into what PI is being collected, how it's being processed, and how algorithmic decisions are made. The current model — where workers click "agree" to a generic privacy policy without genuine notice — does not satisfy PIPL's transparency principles when applied with structural-asymmetry-awareness. **Tiered safeguards.** Different categories of platform-collected worker PI carry different harm potential and should have different protection levels. Real-time location data, biometric data, and behavioral pattern data warrant the highest tier; basic identity data warrants standard tier. The platform's processing decisions should be tier-calibrated. ### Response 2 — Algorithmic rules as workplace regulations subject to collective bargaining This is Ai's most operationally novel contribution. The argument: the platform's *algorithmic processing rules* function — practically — as workplace regulations. They determine work allocation, work pace, work evaluation, and effectively work compensation. They should be: - **Disclosed** under the same regime as formal workplace regulations - **Subject to procedural review** before deployment or material change - **Negotiable through collective representation** of the platform's worker community - **Modifiable through bargaining** rather than only through platform-unilateral revision In effect: import labor law's collective-bargaining structure into the PI-and-algorithmic-management context. 
The structural argument: individual consent doesn't work; collective negotiation is the only realistic mechanism for genuine worker input into the algorithmic rules that shape their work. Practically, this would require either: - A new statutory framework recognizing platform-worker collective entities for PI / algorithmic-rule negotiation purposes - Reading existing labor-law collective-bargaining structures into the platform-gig context by analogy - A regulatory rule (e.g., from CAC or MIIT) requiring platforms to disclose algorithmic rules and accept consultation processes ### Response 3 — Full-process regulatory accountability The current PI enforcement regime focuses on collection-stage consent. For platform gig workers, the practically consequential decisions happen at the *processing* and *decision-making* stages — what the algorithm does with the data, what penalties it imposes, what behavioral incentives it creates. Ai proposes regulatory accountability across the full data lifecycle: - **Collection stage** — verified disclosure and consent; tiered handling for sensitive categories. - **Processing stage** — algorithmic decision-making transparency; pre-deployment review for material algorithmic changes; auditable processing logs. - **Decision-stage** — appealable algorithmic decisions; human-review channel for adverse outcomes; remediation pathway when algorithmic decisions cause economic harm. The proposed mechanism: integrate this into the existing PI Audit framework (the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/)) and the algorithmic-recommendation rules, with platform-gig contexts treated as high-priority audit categories. 
## What this tells overseas compliance teams

- **Platform-gig PI is a high-priority sub-regime now.** Multinationals running platform models in China — food delivery, ride-hail, freight, last-mile logistics, online services where contractors operate through platform apps — should not assume the consumer-PI framework applies cleanly. The doctrinal and regulatory framework is moving toward employment-tilted protection.
- **Individual-consent compliance is structurally insufficient.** Multinationals can no longer rely on PIPL-style individual consent as the operating PI baseline for platform gig workers. Expect rulemaking, enforcement, and litigation to begin imposing collective-consideration, structural-fairness, and tiered-safeguard expectations even where the formal employment relationship is disputed.
- **Algorithmic management transparency will become a compliance baseline.** Where your platform model uses algorithmic work allocation, pacing, or evaluation that affects gig workers' compensation, expect to face increasing requirements to (a) disclose the algorithmic rules, (b) provide notice of material changes, (c) accept consultation channels with the worker community, (d) provide appealable decision review. Build these into the compliance program now rather than retrofitting.
- **The PI Audit Measures are the operational lever.** Where regulators want to enforce against under-protected platform-gig PI handling, the PI Audit Measures provide the direct authority. Multinationals should expect platform-gig PI to become a recurring audit-focus area; the audit program should specifically address PI handling for non-employee workers.
- **Sectoral rulemaking is the likely vehicle.** The PI-and-algorithmic-management protection regime for platform workers will most plausibly arrive through (a) CAC algorithmic-management rule revisions, (b) MIIT app-compliance bulletins targeting algorithmic-worker-management practices, (c) Ministry of Human Resources and Social Security guidance on new-employment-form labor protection. Watch all three vectors.

The structural shift Ai signals: Chinese data law is starting to recognize that PIPL's consumer-equivalent framework cannot govern *employment-equivalent* contexts. The doctrinal layer is articulating the framework now; the rulemaking layer will follow within 12-24 months. Multinationals operating platform models that touch Chinese workers — direct or indirect — should design for the *future* PI-and-labor-tilted regime, not the *current* PI-only baseline.

---

— *艾琳, 平台用工中个人信息保护的困境表现与规则回应 (The Difficulties and Rule Responses for Personal Information Protection in Platform Employment), 《政治与法律》(*Political Science and Law*), Issue 3, 2026; reposted via 数字经济与法治 WeChat Official Account, May 7, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/vl6-9obLhfkCA8p5qEvw2g)*

*Not legal advice.
The above is DCC's structured summary of Ai's analysis, with framing for overseas counsel; the alienated-labor framework, the scenario-fairness application, and the three-response operational framework are Ai's.*

---

## Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: data-economy, data-broker, data-exchange, derivative-harm, privacy, commentary
- Laws cited: data-foundation-system-opinions, pipl, dsl, personal-info-audit-measures, network-data-security-regulations
- Domains: data-economy, data-security, personal-information
- URL: https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms/
- Markdown: https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms.md
- Original source: https://mp.weixin.qq.com/s/L4A6N26tXnN05iSxqMNe3w
- Original author: 唐林垚 (Tang Linyao), Chinese Academy of Social Sciences Law Institute
- Original publication: 《法学家》(The Jurist), Issue 2, 2026; reposted via 数字经济与法治 WeChat Official Account

### Description

Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.
### Body

> *Editor's Note — DCC.*
>
> Tang Linyao's piece in 《法学家》(*The Jurist*, the flagship Chinese law journal of Renmin University) takes on a structural problem Chinese — and global — data-broker regulation has not yet solved: the harms that arise from the *integration activity itself*, not from the integrated data being misused. The analytical move — a vertical-vs-horizontal data-relations framework that explains why PI-protection rules systematically miss this — is theoretically ambitious. But the operational payoff is what makes the piece useful for compliance teams: a four-tier "Data Integration Analysis Framework" (三高 / 双高 / 单高 / 三低) that translates the doctrine into concrete compliance gating, applied as a worked example to a real Shenzhen Data Exchange listing. DCC's brief focuses on the framework and its operational implications for overseas counsel working with Chinese data exchanges, data brokers, and data-broker-intermediated supply chains.

## What "data broker" means here

Tang uses "data brokery" (数据经纪) in a deliberately broad sense — referencing the FTC definition (collecting from multiple sources, aggregating, analyzing, on-selling), the California CCPA definition (no direct business relationship with the individual, sells to third parties), and the EU Data Governance Act's "data intermediation services" concept. Mapped to Chinese practice: includes Shanghai Data Exchange's "data service providers" and the broader category of intermediaries facilitating data collection, aggregation, and trading.

Why this matters: the *Data 20 Articles* explicitly call for cultivating data brokery as a class of third-party professional service. As of 2025, the major Chinese data exchanges added more than 2,600 new supply / demand participants. Data brokery is now structural infrastructure for the Chinese data-element market — not a marginal activity.
## The structural problem — vertical and horizontal data relations

Tang's analytical pivot: data relations come in two distinct types.

**Vertical relations (垂直数据关系)** — the direct interaction between the *data subject* and the *data processor*. Classic example: a depositor authorizes a bank to access spending data in exchange for instant credit scoring. PIPL is built around vertical relations: the data subject controls (via consent, access right, deletion right) what the processor does with the subject's data.

**Horizontal relations (水平数据关系)** — the *indirect* relationship among data subjects formed when shared group features become the basis for processor decisions. Classic example: a depositor is labeled "low-income" by the bank's loan-pricing algorithm because the depositor shares the "browse-by-price-low-to-high" feature with other depositors classified as low-income. The depositor never interacted with the people who created that group classification — but is now subject to its consequences.

Traditional data-processing activity maintained a tight coupling between vertical and horizontal relations: the processor's services in the vertical relationship were strictly limited by what its horizontal-relationship insights could justify. The depositor agreed to the bank seeing transaction data *for credit scoring*; the bank's horizontal grouping was constrained by that purpose.

**Data brokery decouples vertical and horizontal relations.** Once a processor can buy data from a broker, it no longer has to maintain a vertical relationship with the source — and thus is no longer constrained by the "minimum necessity" principle that vertical relationships impose. The processor can construct *entirely new* horizontal relationships using purchased data, with no vertical-relationship subject ever having consented to the resulting categorization.

This is the structural break PIPL doesn't address.
PIPL is a vertical-relationship instrument; it cannot regulate horizontal-relationship construction that bypasses the vertical channel.

## Derivative harms — what gets missed

Tang identifies two types of harm the existing regulatory framework fails to address.

### 1. Privacy erosion (隐私侵蚀)

The construction of horizontal relationships using broker-acquired data exposes individuals to inferences about themselves they never authorized. Tang's example: data aggregated through normal market trading and re-processed reveals individual-level behavioral insights that the original disclosure context did not anticipate. The individual loses control over their *external social construction* — without any specific PIPL provision being violated.

Importantly, Tang frames this as a *group privacy* (群体隐私) harm. The damage is collective: the categorization affects every individual in the group, but no single individual can bring a successful PIPL claim because no specific direct harm to them is provable.

### 2. Downstream harm (下游损害)

Tang draws on US scholarship (the "downstream harm" and "data information harm" concepts) to describe individual injuries — privacy, dignity, social discrimination, lost opportunities, manipulation — that occur *because of* third-party action enabled by broker-supplied data.

Tang's flagged case: Remsburg v. Docusearch, where a perpetrator purchased data from a broker, used it to track a victim, and killed her. The US court imposed negligence liability on the broker.

The structural problem: in Chinese tort doctrine, the broker's contribution to downstream harm is usually absorbed by the principal tortfeasor's act and not separately evaluated. The 酷车易美 case (a Chinese precedent on automotive-data integration risk) illustrates the resulting under-protection: the court rejected the plaintiff's claim on grounds that the harm was prospective rather than realized.
## The "abstract risk substantialization" doctrine

Tang's regulatory move is to import a concept already developing in EU and US doctrine: **abstract risk substantialization** (抽象风险损害化). The claim: where data-broker activity creates a *substantial* probability of derivative harm, the risk itself should be treated as cognizable harm for ex-ante regulatory purposes — even before any concrete injury materializes.

Two judicial standards Tang draws on:

- **"Certainly impending"** — risk must be imminent and real, not speculative.
- **"Particularly targeting"** — risk must single out the specific plaintiff, not vaguely affect everyone.

Combined: a data-broker risk is regulable when (a) it's actually likely to materialize and (b) it specifically threatens identifiable parties or groups. The framework lets regulators move from "wait until someone gets hurt" to "prevent the risk from materializing in the first place" — but only when the risk meets the substantiality threshold.

## The Data Integration Analysis Framework

This is where Tang's piece becomes operationally useful for compliance teams. The framework provides two parallel analytical structures — one for the data broker itself (used in **Data Protection Impact Assessment**, DPIA) and one for the regulator (used in **Fair Data Brokery Practice**, FDBP).

### Framework A — For the data broker (DPIA)

Four factors per dataset:

**(1) Anonymization level.** Apply UK ICO's "motivated intruder test" — assume all reasonable adversary techniques and check whether the data, combined with other data, becomes re-identifiable. Use generalization (e.g., age 45 → 40-50 bucket) and randomization (noise injection, differential privacy) techniques in combination.

**(2) Sensitivity.** What harm could result if the data is integrated with which other data? Particular attention to data that, when combined with PI subjects' personal attributes, would cause unfair algorithmic outcomes.
**(3) Dataset volume — four sub-factors:**

- Number of data subjects (larger → broader potential harm footprint)
- Number of attribute categories (more → more identifiers for de-anonymization, more nodes for harmful relation construction)
- Time span (longer → more precise insights, stronger surveillance/influence potential)
- Cross-group migration potential (datasets that reveal common features of large external groups, even with limited direct-subject scope)

**(4) Inferential data ratio.** Inferential data (probability-derived inferences vs. raw original data) is more likely to encode subjective bias and to produce "certainly impending" harm.

### Framework B — For the regulator (FDBP)

Focused on combinations of dataset-with-other-datasets rather than dataset-in-itself. Four factors:

**(1) Subject overlap (主体重合度).** When the same data subjects appear in multiple datasets, integration risk for re-identification and harmful targeting rises sharply.

**(2) Attribute overlap (属性重合度).** When datasets cover the same attribute categories, cross-comparison identifiers multiply.

**(3) Original-processing-purpose overlap (原初处理目的重合度).** Both high overlap (concentration of purpose-trauma) and low overlap (broadening of effective collection scope) increase risk; the regulator should examine both directions.

**(4) Time overlap (时间重合度).** Similar dual analysis — high time-overlap heightens re-identification risk; low time-overlap may produce inaccurate but consequential horizontal-relationship inferences.

### Risk tiering (三高 / 双高 / 单高 / 三低)

The framework's output is a per-dataset risk classification using the "potential victim count × harm probability × harm degree" formula. The four tiers:

- **三高 (triple-high)** — high on all three. Data should not be brokered. Regulator should suspend the transaction.
- **双高 (double-high)** — high on two. Data should be remediated to comply, conducted only in a privacy-computing framework, or require regulator pre-approval.
- **单高 (single-high)** — high on one. Stricter purpose limitation + enhanced risk disclosure; ongoing regulator attention.
- **三低 (triple-low)** — no special action needed beyond baseline.

## The worked example: Shenzhen Data Exchange listing

Tang applies the framework to a real listing: Shenzhen Maternal & Child Health Hospital's anonymized 2018-2023 dataset of confirmed pregnancy-induced hypertension patients, listed on Shenzhen Data Exchange on May 19, 2025.

**Framework A (DPIA) analysis:**

- *Anonymization* — high (generalization + perturbation applied)
- *Sensitivity* — *originally* sensitive (medical data), but de-sensitized by time gap (subjects no longer pregnant; condition typically resolves post-partum) — *unless* used in insurance underwriting context, where group-feature inference could lead to discriminatory pricing. The hospital's restriction prohibiting use for AI algorithm development on pregnancy-hypertension addresses the high-sensitivity vector.
- *Volume* — large (5-year span, major tertiary hospital, large potential cross-group inference base).
- *Inferential data ratio* — zero.

Verdict: many potential subjects, but low harm probability and low harm degree → "二低一高" (two-low-one-high) low-risk profile. Hospital's use restriction is sufficient; no additional gating needed.

**Framework B (FDBP) analysis at the exchange:**

- *Subject overlap* — geographic concentration (Shenzhen-area); exchange should scrutinize same-geography dataset merging.
- *Attribute overlap* — moderate; flag if buyer has already acquired commercial-insurance datasets that could trigger inference.
- *Processing-purpose overlap* — purpose limited to research / teaching; flag commercial-use attempts.
- *Time overlap* — flag both same-period merging risk and non-period inherent-attribute merging risk.

This level of operational granularity is what makes the piece useful for compliance program build-out.
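As an added example (not code from Tang's article or from DCC), the following Python sketch turns Framework A factor (1) and the risk-tiering table into a DPIA screening function: it generalizes quasi-identifiers the way the anonymization factor describes, uses a k-anonymity count as a stand-in for the motivated intruder test, and maps the three tier dimensions onto the gating action, reproducing the worked example's 二低一高 → 单高 outcome. The records are constructed, and the `k_threshold` and the rule that a low k means "harm probability high" are this example's own assumptions.

```python
"""DPIA screening helper modelled on the Data Integration Analysis Framework.

Added example, not Tang's or DCC's code. Assumptions: the records below are
constructed and fictitious; k_threshold and the mapping of re-identifiability
onto the "harm probability" dimension are this example's own choices.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed, fictitious quasi-identifier rows standing in for an
# anonymised clinical listing (no real patient data).
RAW_RECORDS: List[Dict] = [
    {"age": 31, "district": "Nanshan", "year": 2019},
    {"age": 34, "district": "Nanshan", "year": 2020},
    {"age": 28, "district": "Futian", "year": 2018},
    {"age": 25, "district": "Luohu", "year": 2019},
    {"age": 45, "district": "Futian", "year": 2021},
    {"age": 41, "district": "Nanshan", "year": 2023},
    {"age": 38, "district": "Luohu", "year": 2023},
    {"age": 33, "district": "Nanshan", "year": 2022},
]
QUASI_IDS = ("age", "district", "year")


def generalize(record: Dict, age_bucket: int = 10, year_bucket: int = 3,
               year_base: int = 2018, district_to_city: bool = False) -> Dict:
    """Generalisation step of Framework A factor (1): age 45 -> '40-49',
    year 2021 -> '2021-2023', and optionally district -> 'Shenzhen'."""
    out = dict(record)
    lo = (record["age"] // age_bucket) * age_bucket
    out["age"] = f"{lo}-{lo + age_bucket - 1}"
    ylo = year_base + ((record["year"] - year_base) // year_bucket) * year_bucket
    out["year"] = f"{ylo}-{ylo + year_bucket - 1}"
    if district_to_city:
        out["district"] = "Shenzhen"
    return out


def motivated_intruder_k(records: List[Dict], quasi_ids=QUASI_IDS) -> int:
    """Smallest equivalence class over the quasi-identifiers (k-anonymity).
    k == 1 means at least one row is unique, i.e. an intruder holding the same
    quasi-identifiers from another dataset could single that person out."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values())


# Tier table from the brief: number of "high" dimensions -> (tier, gating action).
TIER_ACTIONS = {
    3: ("三高", "do not broker; regulator suspends the transaction"),
    2: ("双高", "remediate, run only in a privacy-computing framework, "
               "or obtain regulator pre-approval"),
    1: ("单高", "stricter purpose limitation plus enhanced risk disclosure; "
               "ongoing regulator attention"),
    0: ("三低", "baseline controls only"),
}


def risk_tier(victim_count_high: bool, harm_probability_high: bool,
              harm_degree_high: bool) -> Tuple[str, str]:
    """Map 'potential victim count x harm probability x harm degree' onto
    the four tiers and the gating action each one requires."""
    highs = sum((victim_count_high, harm_probability_high, harm_degree_high))
    return TIER_ACTIONS[highs]


def dpia_screen(records: List[Dict], victim_count_high: bool,
                harm_degree_high: bool, k_threshold: int = 2) -> Tuple[str, str, int]:
    """Derive the harm-probability dimension from re-identifiability
    (assumption: k below k_threshold counts as 'high'), then tier."""
    k = motivated_intruder_k(records)
    tier, action = risk_tier(victim_count_high, k < k_threshold, harm_degree_high)
    return tier, action, k


if __name__ == "__main__":
    # Large subject base (high), low harm degree: the outcome hinges on k.
    raw = dpia_screen(RAW_RECORDS, victim_count_high=True, harm_degree_high=False)
    coarse = [generalize(r, district_to_city=True) for r in RAW_RECORDS]
    gen = dpia_screen(coarse, victim_count_high=True, harm_degree_high=False)
    print("raw rows   :", raw)   # k=1 -> probability high -> 双高
    print("generalised:", gen)   # k=2 -> probability low  -> 单高 (二低一高)
```

In the worked example the hospital's existing use restriction already supplies the purpose limitation that the 单高 row calls for, which is why the brief treats it as needing no extra gating; here, keeping `district` ungeneralized leaves k at 1 and pushes the same dataset into 双高.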
## Liability allocation: applying Civil Code Article 1170

Where derivative harm actually materializes, Tang argues for applying **Civil Code Article 1170** (共同危险行为, joint dangerous conduct) to data-brokery cases. Under Tang's framework:

- **For 三高 brokery action** — broker bears primary liability regardless of downstream actor's posture; downstream actor's joint liability depends on subjective intent.
- **For 双高 or 单高 brokery** — broker bears joint and several liability with downstream actor.
- **For 三低 brokery** — broker does not bear downstream-harm liability.

This is doctrinally significant: it pulls data-brokery into the multi-actor joint-liability framework rather than treating it as a separate single-tort question. Chinese courts are likely to find the framing useful as a structural anchor.

## What this tells overseas compliance teams

- **The vertical / horizontal distinction is the analytical key.** Multinationals using or supplying data through Chinese data brokers should map their data flows in terms of which horizontal relationships their broker activity is constructing, not just which vertical relationships their PI processing creates. The vertical-only analytical posture is now structurally inadequate.
- **The 三高 / 双高 / 单高 / 三低 tiering is portable as a compliance-program control.** Adapt it as the data-broker-input and data-broker-output screening framework in your Chinese operations. Build the four-factor analysis (Framework A) into your DPIA template; build the four-factor analysis (Framework B) into your vendor-acquisition and customer-disclosure-control templates.
- **The Shenzhen Data Exchange example is the operating template.** Where a Chinese counterparty (especially a state or quasi-state institution) lists data through an exchange, expect the kind of multi-factor pre-listing screening Tang describes.
Provide the source-data documentation that supports the analysis — particularly anonymization technique documentation and use-restriction language.
- **The Civil Code Article 1170 framing is a forward signal on liability allocation.** The Chinese tort doctrine on data-brokery liability is being articulated *now* in the law-journal layer; expect courts to begin adopting the framework over the next 12-24 months. Multinationals should pre-position vendor agreements and indemnity allocations against the contemplated joint-liability framework.
- **Data brokery is structural; the regulation is catching up.** Treat the regulatory gap Tang identifies as a forward indicator: the gap will close, probably through some combination of (a) sectoral rulemaking applying Tang-style frameworks, (b) data-exchange self-regulatory rule articulation, (c) judicial precedent applying joint-dangerous-conduct doctrine. Compliance programs designed against the *prior* (PIPL-only) framing will be inadequate when the new framing crystallizes.

The deeper structural point: data brokery is the *infrastructure layer* of the Chinese data-element market, and the law has not yet caught up to its risk profile. Tang's piece is the doctrinal preparation for the next round of regulation. Overseas counsel watching this space should treat the 法学家 publication as the *upstream* of rulemaking, not a reaction to it.

---

— *唐林垚, 数据经纪的衍生风险与法律应对 (Data Brokery's Derivative Risks and Legal Response), 《法学家》(*The Jurist*), Issue 2, 2026; reposted via 数字经济与法治 WeChat Official Account, May 27, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/L4A6N26tXnN05iSxqMNe3w)*

*Not legal advice.
The above is DCC's structured summary of Tang's analysis, with framing for overseas counsel; the vertical / horizontal data-relations framework, the Data Integration Analysis Framework, and the Shenzhen Data Exchange worked example are Tang's.*

---

## Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: data-property-rights, data-twenty, data-source-rights, data-economy, commentary
- Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, pipl, civil-code-personal-info
- Domains: data-economy, personal-information
- URL: https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use/
- Markdown: https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use.md
- Original source: https://mp.weixin.qq.com/s/DeoiXUp2emdS-yjzWl8o7g
- Original author: 王年 (Wang Nian), Tsinghua University Law School
- Original publication: 《财经法学》(Finance and Economics Law Journal), Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account

### Description

Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.
### Body

> *Editor's Note — DCC.*
>
> The Data 20 Articles created four data-property concepts: the three rights of the processor (hold / use / operate) and — almost as an afterthought in the policy text — the *data source's right* (数据来源者权), the entitlement of the party whose information was collected to obtain or copy and transfer the relevant data. The [NDA's policy interpretation](/posts/nda-data-processor-property-rights-allocation/) introduced the right in operational vocabulary; this academic piece by Wang Nian provides its doctrinal scaffolding. The piece is also, in DCC's reading, the most useful single resource for overseas counsel structuring B2B data arrangements with Chinese counterparties: it frames the *corporate data portability* lever that has no clean Western analog.

## The unresolved question

The Data 20 Articles framework allocates three rights — hold, use, operate — to the data processor (the party that collects, processes, and decides means and purposes of data handling). It also says the *data source* (数据来源者) — the party whose information was collected — has the right to "obtain or copy and transfer" data its participation gave rise to.

But the policy text doesn't say:

- What *kind* of right this is — property, contract, statutory, sui generis?
- How it relates to existing rights — privacy, PI, trade-secret, IP?
- Who can invoke it — only natural persons (already covered by PIPL)? Or corporate "information subjects" too?
- What is its scope — only data that *identifies* the source? Or any data the source's activity helped generate?

These questions matter because the answer determines whether overseas counsel structuring a B2B data arrangement with a Chinese counterparty can rely on the data-source's right as a contractual baseline. Wang's piece reconstructs the doctrinal foundation that the operational rights need.
## The "data symbiosis" foundation

Wang's starting move is to import the concept of **co-generated data** (共生数据) from the ALI-ELI *Data Economy Principles* (a joint product of the American Law Institute and the European Law Institute, 2024) and the EU Data Act framework.

The concept's claim: most operationally significant data is *not* the product of the processor's investment alone, nor is it the property of the source alone. It's the product of joint activity — the processor's technology + the source's contribution. Examples:

- **Social platform data** — generated by user activity + platform infrastructure.
- **Connected-vehicle data** — generated by driver behavior + vehicle sensors.
- **Platform-merchant operational data** — generated by merchant transactions + platform observation.
- **Travel data** — generated by passenger movement + carrier systems.
- **Industrial robot production data** — generated by industrial-process activity + manufacturer telemetry.

In all five examples, neither party can claim sole authorship of the data. The processor's investment in collection technology is necessary but not sufficient; the source's participation is the other necessary input.

Wang frames this as **data symbiosis** (数据共生): a joint-creation relationship that produces an interest split *both parties hold simultaneously over the same data*, with the processor's interest being primarily proprietary and the source's interest being primarily relational. This is the foundation that the Data 20 Articles framework, in Wang's reading, needs to articulate.

## What "source" means — and what it excludes

Wang's definition: a data source is a subject (natural or legal person) that **(a) makes a substantial contribution to data generation** and **(b) does not in fact hold or control the resulting data**.
The two-part test:

**Test 1 — Substantial contribution.** Three factors:

- *Type of contribution.* Wang distinguishes three contribution modes: (i) the source is *the subject described or recorded* by the data; (ii) the source is *the owner / operator / user of an object* whose activity is recorded; (iii) the source *uses a connected device* to collect or provide data.
- *Directness.* Where contribution is too indirect (e.g., the source's data has been so heavily processed that the original contribution is "remote or attenuated"), the source-right does not attach. Wang's example: a person's PI becomes anonymized; the original PI subject's contribution to the anonymized dataset is too attenuated to support a source-right claim.
- *Substitutability.* If the same data could be obtained by any other route, the source's contribution is fungible and the source-right does not attach. The right reflects the source's *non-substitutable* role.

**Test 2 — Non-control over the data.** Even where contribution is substantial, the source-right requires that the source does *not* actually hold or control the data. Wang's example: a large flagship e-commerce store has both the technology and the resources to process the data its merchants generate; it is not a "source" under the framework — it is a co-processor. A small or individual-merchant store, by contrast, is a source — it contributes to the data but lacks the technical capacity to control it.

This second test is the structural answer to a question overseas counsel often raise: *can a corporate entity be a data source?* Wang's answer: yes, if it lacks practical data control. The framework is not restricted to natural persons in the way PIPL is.

## Why pre-existing legal entitlements don't cover the source-right interest

A central counter-argument to creating a separate "data source's right" is that the source's interests are already protected by existing rights: privacy, PI, IP, trade secrets.
Wang takes this on directly and rejects it on four grounds.

### 1. The "existing rights" framework misclassifies the source as a passive recorded subject

The "existing rights" view treats the source as the *subject of recording* — the party whose information is captured. But Wang's data-symbiosis framework treats the source as a *co-creator* — an active participant whose contribution co-produces the data. Existing rights protect what the source *has* (privacy, PI); they don't recognize what the source *did* (participate in generation).

### 2. Existing rights are defensive; the source-right interest is participative

Privacy, trade-secret, and IP rights are primarily *negative defensive rights* — the right to exclude or prevent improper use. The source's interest in co-generated data is *positive participative* — the interest in *accessing and using* the data the source helped create. The existing-rights framework has no analog to this.

### 3. Knowledge IP rights protect single-author creation; data-source rights protect co-creation

Copyright and patent rights protect the *single-party* originator of creative or inventive work. Co-generated data is, by definition, multi-party. The IP model can't be transposed.

### 4. The PIPL right of copy and transfer (Article 45) is the *closest* analog — but limited

PIPL Article 45 establishes the natural-person's right to copy and transfer their personal information. This is conceptually the closest to the Data 20 Articles' source-right. But three structural gaps:

- PIPL Article 45 applies only to PI; the source-right is broader (any co-generated data).
- PIPL Article 45 applies only to natural persons; the source-right extends to legal-person sources.
- PIPL Article 45's scope is the *data identifying or relating to* the subject; the source-right's scope is data the source's *participation contributed to*, which is broader.

PIPL is the floor; the source-right is what extends the entitlement past PIPL's boundaries.
## The source-right as a "fair use right"

Having shown that the source-right is not reducible to existing entitlements, Wang articulates its positive content: a **fair use right** (公平使用权). Three properties define it:

**(a) Contractual, not property.** The source-right is not a property right in the data — it is a contractual-relationship right against the *specific processor* who is symbiotically linked to the source. The source cannot enforce the right against third parties; it can only enforce against the processor it co-created with.

**(b) Bundled with content.** The right contains a bundle of operational entitlements:

- *Right to be informed* (知情权) of how the data is used
- *Right to access* (访问权) the data
- *Right to transfer / port* (转移权) the data to another processor
- *Right to correct* (更正权) inaccuracies
- *Right to delete* (删除权) under specified conditions

These mirror PIPL's individual rights for personal information, generalized to any co-generated data.

**(c) Scoped by the "relevance interest" standard.** What data does the right cover? Wang proposes the **"related interest" (相关利益) standard**: the source's right extends to data that meaningfully reflects the source's contribution — even if the data does not directly identify the source. This is the doctrinal answer to the corporate-data-portability question: a merchant operating across e-commerce platforms can invoke the source-right against each platform for the merchant's operational data — even though the data may not "identify" the merchant in PIPL's strict sense.

## What this tells overseas compliance teams

- **The corporate-data-portability lever is now doctrinally founded.** Wang's framework provides the academic foundation for treating the data-source's right as a meaningful B2B contracting baseline.
Multinationals contracting with Chinese counterparties as either the data source or the data processor should pay attention to how the right is being articulated — it is reshaping the operational defaults for data exchanges, platform partnerships, IoT vendor contracts, and joint-venture data arrangements.
- **Treat the "data source's right" as PIPL Article 45 generalized.** When designing Chinese counterparty contracts, use Article 45's operational structure (knowledge / access / transfer / correction / deletion) as the template for source-right clauses for non-PI data. The PIPL precedent + Wang's doctrinal framework + the NDA's policy interpretation now jointly support that posture.
- **The "related interest" scope is broader than PI scope.** Where a multinational's Chinese affiliate generates operational data on a third-party platform, that data may not be PI under PIPL — but it may still be within the source-right scope as data the affiliate's contribution generated. Don't infer no entitlement from "no PI."
- **The non-control test (Test 2) is the structural threshold for who has the source-right.** If your Chinese affiliate has both substantial contribution *and* substantial data-control capability, it is a co-processor, not a source. The source-right is the right of the *less powerful party* in the data-symbiosis pair. Map this carefully in joint-venture and SLA contexts where the contribution / control allocation may not align with formal ownership.
- **The "substantiality + non-substitutability" filter rules out fungible inputs.** Multinationals worried about source-right claims from every party whose data ever touched a system should note that the doctrinal framework filters out attenuated, fungible, indirect contributions. The right is reserved for parties whose contribution is *non-substitutable* — the source whose unique participation made the data possible.
The deeper architectural shift Wang's piece signals: Chinese data law is moving toward a *participative* (not just *consent-based*) framework for individual and corporate interests in data. The PI subject's consent matters; so does the data source's *participation*. Where the two coexist (a natural person who both consented to PI processing and contributed to data co-generation), the two rights operate in parallel, with the source-right adding the participative-protection layer PIPL alone doesn't provide. This is the direction in which downstream rulemaking — including the [Data Property Rights Registration Guide draft](/laws/data-property-rights-registration-guide-draft/) — is moving. --- — *王年, 数据来源者权利及其实现——基于数据共生的视角 (The Data Source's Rights and Their Realization — From the Perspective of Data Symbiosis), 《财经法学》Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account, October 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/DeoiXUp2emdS-yjzWl8o7g)* *Not legal advice. 
The above is DCC's structured summary of Wang's analysis, with framing for overseas counsel; the data-symbiosis framework, the two-part test for data-source status, and the "fair use right" articulation are Wang's.* --- ## Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine - Published: 2026-05-28 - Author: DCC Editorial - Tags: enforcement, samr, platform-liability, personal-information, commentary - Laws cited: pipl, network-data-security-regulations, personal-info-audit-measures, dsl - Domains: enforcement, personal-information, data-security, app-compliance - URL: https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons/ - Markdown: https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons.md - Original source: https://mp.weixin.qq.com/s/9w4AQMPmH9roj2qiILuHTw - Original author: 黄春林、柴明银 (Huang Chunlin, Chai Mingyin) - Original publication: 数据何规 WeChat Official Account ### Description In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance. 
### Body

> *Editor's Note — DCC.*
>
> The SAMR enforcement against seven major e-commerce platforms in the
> "ghost takeout" (幽灵外卖) series was the largest platform-economy
> enforcement action of 2026 — 3.5 billion yuan in corporate fines, the
> highest single-platform fine at 1.5 billion yuan, individual fines on
> compliance officers reaching nearly 7 million yuan, business
> suspensions of 3 to 9 months. The cases were food-safety enforcement,
> but their *analytical posture* — particularly the per-merchant
> aggregation doctrine ("一店一罚累加") — is highly transferable to
> data-compliance enforcement. Where a violation can be characterized
> as occurring independently against each user, each app, or each
> dataset, the aggregation produces fine math that quickly becomes
> existential. DCC adapts a practitioner analysis by 黄春林 (Huang
> Chunlin) to lay out the seven operational lessons compliance teams
> should apply *now*, before the analogous enforcement wave reaches
> data compliance.

## What happened

In April 2026, SAMR (State Administration for Market Regulation) issued administrative penalties against seven major e-commerce platforms in the "ghost takeout" (幽灵外卖) series of cases — a multi-year investigation into platforms that, through inadequate vendor-onboarding and ongoing-supervision controls, had allowed unlicensed restaurants and food vendors to operate on their platforms under shell merchant profiles.

The headline numbers:

- **Aggregate corporate fines: 3.5 billion yuan** (≈ USD 480 million)
- **Highest single-platform fine: 1.5 billion yuan**
- **Individual fines on legal representatives and food-safety officers: nearly 20 million yuan**, with the highest individual penalty approximately 7 million yuan
- **Business suspensions: 3 to 9 months**

The analytical structure was distinctive. SAMR did not treat the platforms' aggregate inadequate vendor onboarding as a single violation; it treated the inadequate review of *each individual non-compliant merchant* as an independent statutory violation and aggregated the penalties — the "per-merchant, per-violation, cumulative-fine" (一店一罚累加) doctrine.

## Why this matters for data compliance — even though the case was food safety

The cases sit in the food-safety enforcement vertical, not data compliance. Why does the analysis matter for data compliance? Because the *analytical posture* is portable. Per Huang's reading, the SAMR cases articulate seven enforcement principles that translate cleanly from food safety to data compliance — and the comparable enforcement architecture already exists in the data regime under PIPL, the *Network Data Security Management Regulations*, the *Personal Information Protection Compliance Audit Management Measures*, and the broader Cyberspace Administration / MPS enforcement framework.

The structural prediction: **the next 12–24 months will see comparable enforcement against data-handling platforms using the same analytical doctrines**.

## Seven operational lessons

### Lesson 1 — Pierce paper compliance: formal review is no longer a safe harbor

**The food-safety facts.** The platforms had merchant agreements and platform rules formally requiring merchants to attest to qualification legitimacy. But their actual business operations did not implement substantive review — and in some cases, certified ISVs (independent software vendors) provided "order-transfer" functions to non-compliant merchants for a fee.

**The regulator's analysis.** Civil-law safe-harbor principles (notice-and-takedown style protections) do not apply to administrative regulation, let alone criminal liability. Because the platforms held the most fundamental operational data (order flows, logistics tracks, payment information), the regulator concluded that platforms that performed only paper review at onboarding while ignoring downstream operational data showing clear anomalies — e.g., delivery start point grossly inconsistent with registered address — had "known or should have known" of the violations and failed to act.

**Data-compliance translation.** Where platforms perform paper-only data-compliance review of merchants, mini-programs, or vendors — without implementing technical measures that detect and respond to anomalous data behavior — the equivalent finding will be available against them. The *Network Data Security Management Regulations* and the *Internet Application Program Personal Information Collection and Use Provisions (Draft for Comment)* establish substantive review obligations; reliance on attestation alone is structurally insufficient.

**Operational implication.** Build a "management mechanism + technical measures" dual posture. Qualification verification, permission control, flow auditing, anomaly monitoring — all must be traceable end-to-end with logs. Once "knew or should have known" of unlawful data processing (failure to verify data source, tolerating over-scope collection, permitting non-compliant cross-border export) is established, paper compliance does not merely fail to exonerate — it can be characterized as bad-faith evasion and aggravate the penalty.

### Lesson 2 — Reject the "industry custom" defense: widespread violation is not legal violation

**The food-safety facts.** During the investigation, some platforms invoked "industry-wide review is lax," "order-transfer has long existed," "multiple platforms work with the same ISVs," and "no prior enforcement" as mitigation. None were accepted.

**The regulator's analysis.** "Why he can" and "everyone violates" have never been legal defenses. The duration and breadth of the violation, in fact, *aggravate* the assessment — not mitigate it.

**Data-compliance translation.** A common posture in data-compliance practice is the wait-and-see ("等别人先申报数据出境" / "等别家先做算法备案") — let competitors go first; if they're not penalized, the practice is safe. The SAMR cases signal that this is the *opposite* of the regulator's posture. Industry-wide non-compliance is read as an enforcement priority, not as evidence of acceptance.

**Operational implication.** Enterprises should fully discharge statutory data-compliance obligations (cross-border data export, PI audit, PIIA, algorithm filing) *on the statutory timeline*, not on the industry cadence. Establish a dynamic industry-compliance-baseline assessment mechanism, but anchor compliance to the *mandatory statutory floor*, not the industry floor.

### Lesson 3 — Licensed entity bears the responsibility — corporate-structure isolation does not exonerate

**The food-safety facts.** Unlike past cases that imposed liability on parent companies in a generic way, SAMR precisely targeted each platform's *licensed entity* — the entity holding the value-added telecom services permit, ICP filing, and internet-food-transaction third-party-platform-provider filing. "Holder of the license, holder of the responsibility."

**Data-compliance translation.** In data scenarios, the first entity to face penalty is the *domestic legal entity that actually conducts business and holds the regulatory filings* — the value-added telecom services permit, ICP filing, algorithm filing, cybersecurity grade-protection filing, data-export assessment/filing entity (collectively "licensed entity").

**Operational implication.** Compliance responsibility is *not outsourceable*. Group structures, business segregation, equity arrangements cannot interrupt the statutory liability of the license/filing/registration holder. Cross-entity business cooperation, subcontracting, or sub-entrustment does not exonerate the licensed entity from the duty to review and control data-processing activities. The licensed entity must establish an independent compliance-management organization and personnel with data-compliance capability commensurate with the scale of its business.

### Lesson 4 — Dual-penalty regime: line-of-business compliance officers face personal liability

**The food-safety facts.** Beyond penalties on legal representatives, the SAMR cases were the first large-scale imposition of annual-salary-multiple fines on line-of-business compliance officers — food-safety directors, food-safety committee chairs — reaching nearly 7 million yuan in individual penalties.

**Data-compliance translation.** Under the *Cyberspace Administration Administrative Penalty Discretion Standards Application Provisions* and analogous frameworks, responsible-individual penalties consider job responsibilities, term of service, and execution-link. The structural implication for data compliance: **Data Security Officers (DSO) and Personal Information Protection Officers (PIPO) are no longer institutional figureheads** — they face personal liability for failures in their domain of responsibility. In practice:

- **Data-security incidents** (security vulnerabilities, leaks, permission failures, lack of encryption / de-identification) → the DSO is typically the directly responsible person.
- **PI obligation failures** (failure to file cross-border export, failure to conduct PIIA, failure to perform compliance audit) → the PIPO is typically the directly responsible person.

**Operational implication.** Enterprises should clarify by formal policy, operating procedure, and job description the rank, responsibilities, and liability scope of each DSO / PIPO / DPO role — and provide the necessary resources and conditions for execution. The responsible officers should actively perform, document risk flagging, and escalate compliance issues to the enterprise leadership.

**Critically — the SAMR cases established that resignation or job rotation does not exonerate liability for violations during the officer's tenure.** The successor DSO / PIPO inherits the framework; the predecessor DSO / PIPO retains liability for the tenure period.

### Lesson 5 — The full risk picture: massive fines + business suspension + reputational damage

**The food-safety facts.** Single-platform maximum fine of 1.5 billion yuan; individual maximum of nearly 7 million yuan; business suspension up to 9 months; and intense public-opinion impact.

**The most analytically important point — per-merchant aggregation.** SAMR found that the platform's inadequate review of *each individual merchant* constituted an *independent violation*, and aggregated the penalties — the "per-store-per-fine cumulative" (一店一罚累加) doctrine.

**Data-compliance translation.** This aggregation logic in data-compliance enforcement is **devastatingly powerful**. If a violation can be characterized as occurring independently against each app, each user, each system, or each dataset, the aggregation produces fine math that scales linearly with the operational footprint. Huang's example: an enterprise that illegally collects information from 1 million users could in principle be treated as 1 million independent violations.

The aggregation doctrine has already shown up in the data-enforcement vertical. The Cyberspace Administration's penalty of Kuaishou for live-streaming-pornography violations applied per-livestream calculation — producing the 119.1 million yuan fine figure. The per-app / per-user / per-system calculation logic is the operational analog.

**Operational implication.** Compliance risk is *not* just a P&L line item. Business suspension is, for most enterprises, an existential market-share threat; the public-opinion impact compounds the regulator's penalty. Huang's phrasing: *"pay the 10-yuan parking fee in advance, don't gamble on the 200-yuan no-parking fine."*

### Lesson 6 — Multi-dimensional enforcement: ecosystem, technology, and personnel forensics

**The food-safety facts.** Facing large data volumes, complex technology, and adversarial postures, enforcement combined electronic forensics, physical evidence seizure, on-site inspection, interviews, document review, and data cross-verification — investigating ecosystem, algorithm, and process from every angle.

**Data-compliance translation.** Cyberspace Administration and public-security agencies have built specialized enforcement teams and may engage external technical support. Under PIPL Article 63 and the *Cyberspace Administration Administrative Enforcement Procedural Provisions*, they comprehensively examine network architecture, data flows, protocol flows, fund flows, permission systems, and log records. Modern enforcement has graduated from "checking the books" to "running scripts."

**Operational implication.** Enterprises must abandon any expectation that concealment of violations or rigid denial in interviews will succeed. Build an active compliance-response capability. Once an enforcement investigation is triggered, immediately convene a joint legal-and-technical team to lawfully provide relevant evidence and compliance records — aiming to secure compliance-recognition in the early investigation phase, in exchange for mitigated penalties. The SAMR cases also reaffirmed that *the first thing regulators check is the policy documents, operating procedures, and compliance records*; absence of these materials is, in effect, submitting a blank investigation file — even regulators willing to mitigate cannot work with that.

### Lesson 7 — Embrace compliance dividends: cooperation reduces penalty, obstruction aggravates

**The food-safety facts.** Some platforms exhibited "refusing to provide materials," "providing false information," "delay and evasion," and "obstruction of enforcement" — all explicitly cited as *aggravating factors*.

**Data-compliance translation.** Cooperation with enforcement is not weakness — it is statutorily mandated, and is the optimal incident-handling strategy. Under PIPL and the *Cyberspace Administration Administrative Penalty Discretion Standards Application Provisions*:

- "Cooperation with the cyberspace administration in investigating violations" → mitigation
- "Refusal to cooperate, obstruction, or violent threat of enforcement personnel" → aggravation
- "Concealment, destruction, forgery, or tampering of evidence" → aggravation

In published cyberspace-administration enforcement matters, regulators have repeatedly emphasized that *embracing supervision* (timely self-reporting, voluntary disclosure, cooperation with investigation) can produce mitigation, exoneration, or even *compliance dividends*.

**Operational implication.** Build a "risk early-warning → internal investigation → active compliance" closed loop. In response to current high-frequency regulatory notices, inspections, and rectification orders, enterprises must respond immediately, rectify fully, close the loop, and establish a long-term defense mechanism to avoid repeat violations. Particularly for areas with prior administrative penalty, conduct "look-back" special inspections. In the current multi-agency joint-inspection environment, repeat violation faces both aggravated penalty *and* potential triggering of Criminal Law Article 286-1 (failure to perform information-network security management duty).

## What this tells overseas compliance teams

- **Treat the SAMR food-safety cases as a forward indicator for data-compliance enforcement.** The analytical doctrines (paper-compliance penetration, per-violation aggregation, licensed-entity liability, dual penalties on individual officers, cooperation-or-aggravation framework) are not food-safety-specific; they are *Chinese regulatory practice*. The data-compliance application is the question of when, not whether.
- **The per-merchant aggregation doctrine changes the fine-math fundamentally.** Where your operational footprint involves millions of users or counterparties, "per-violation" characterization yields fine math that quickly exceeds prior-year revenue. The PIPL 5%-of-prior-year-turnover cap under Article 66 ¶ 2 is the *outer ceiling* — but where multiple statutes apply concurrently, aggregation across statutes can push effective exposure higher.
- **DSO / PIPO / DPO personnel are no longer institutional figureheads.** Individual liability is now a real, sized, year-on-year-quantified exposure. Multinationals appointing Chinese DSO / PIPO / DPO roles should:
  - Ensure the role has actual decision-making authority and budget
  - Document the role's compliance scope and authorities formally
  - Provide adequate D&O-style coverage where available
  - Build defensible succession and tenure-transition records
- **Cooperation with enforcement is statutorily incentivized and operationally optimal.** Build the response capability now: joint legal-technical incident team, pre-positioned evidence and documentation, escalation pathway to leadership, communication protocol with enforcement counsel. The compliance program that produces full, prompt, accurate response to enforcement inquiry will achieve mitigation that an unresponsive program cannot.
- **The licensed-entity liability rule has implications for Chinese subsidiary structuring.** Multinationals operating in China through a licensed entity (VATB permit, ICP filing, etc.) should expect that entity — not the foreign parent — to be the locus of enforcement. Compliance program design should reflect this; pushing compliance accountability to the parent or the global compliance function is not, structurally, a defense.

The bottom-line shift the SAMR cases announce: **the Chinese platform-economy regulator has demonstrated the willingness, capability, and analytical doctrine to impose existential penalties on inadequate compliance programs**. The data-compliance regulator is, on every available evidence, watching and learning. Programs designed against the *prior* enforcement norm will be reverse-engineered against the *new* enforcement norm under the worst possible circumstances. Build now.

---

— *黄春林、柴明银, 巨额处罚电商平台系列案对企业数据合规责任的启示 (Lessons from the E-commerce Platform Penalty Series for Enterprise Data Compliance Responsibility), 数据何规 WeChat Official Account, April 18, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/9w4AQMPmH9roj2qiILuHTw)*

*Not legal advice. The above is DCC's structured summary of Huang's analysis, with framing for overseas counsel; the seven-lesson framework and the food-safety-to-data-compliance translation are Huang's. Author views are his own.*

---

## Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: ai-agents, ai-governance, genai, commentary
- Laws cited: genai-services-interim-measures, algorithmic-recommendation-provisions, deep-synthesis-provisions, ai-content-labeling-measures
- Domains: ai-governance, data-security, personal-information
- URL: https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy/
- Markdown: https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy.md
- Original source: https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA
- Original author: 朱垒 (Zhu Lei)
- Original publication: 数据何规 WeChat Official Account

### Description

China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.
### Body > *Editor's Note — DCC.* > > The Cyberspace Administration of China and partner agencies jointly > issued the *Implementation Opinions on Standardized Application and > Innovation Development of AI Agents* (《智能体规范应用与创新发展实施 > 意见》, the "**Agent Rules**" or 智能体新规) on May 8, 2026. It is > the first dedicated regulatory instrument anywhere globally to address > AI agents as a distinct category — beyond general large-model rules > and beyond the generative-AI service framework. This DCC two-part > series adapts a substantive practitioner taxonomy by 朱垒 (Zhu Lei), > a commercial lawyer specializing in cyber and data, originally > published via 数据何规. Part 1 (this brief) maps the ten-category > risk taxonomy. [Part 2](/posts/ai-agent-rules-governance-framework/) > walks through the ten-step internal governance framework practitioners > are now using to operationalize the regime. > > The most useful single contribution in Zhu's piece is the mapping > from each technical risk to the *legal-liability vector* that > materializes when the risk is realized — i.e., the bridge from > "what can go wrong" to "what statute is invoked." DCC reproduces that > mapping in plain English for overseas counsel. ## What the Agent Rules cover The Agent Rules are the first Chinese regulatory document to address AI agents (智能体) — autonomous AI systems with goal-decomposition, tool-calling, environment-interaction, memory, and multi-step execution capabilities — as a distinct category. 
Where prior rulemaking addressed generative AI through the lens of model output safety (the *Interim Measures for the Management of Generative AI Services*, the *Algorithmic Recommendation Provisions*, the *Deep Synthesis Provisions*, the *AI-Generated Content Labeling Measures*), the Agent Rules extend the regulatory perimeter to: - The agent's **decision-making and permission scope** - Its **tool-calling behavior** - Its **interaction with external systems** - Its **supply-chain dependencies** - Its **application-derived risks** The document proposes an agent **registration platform**, **sample testing and adversarial tools**, **agent-decision permission frameworks**, **behavioral controls**, **built-in security capability standards**, **supply-chain security**, **classified and graded governance**, and a **compliance services system**. Enterprises building or deploying agents — particularly L3 / L4 agents that touch sensitive data or external systems — will operate under increasingly granular oversight as the implementation framework develops. ## The ten-category risk taxonomy Zhu's taxonomy — synthesizing OWASP's *Top 10 for Agentic Applications* with Chinese regulatory expectations — names ten risk categories. For each, DCC reproduces the technical risk + the *legal liability vector* it triggers in the Chinese regulatory regime. ### 1. Goal hijacking (目标劫持) **Technical risk.** Attackers use prompt injection, malicious files, falsified tool outputs, spoofed agent messages, or poisoned external data to alter the agent's task goal, decision path, or action plan — diverting it from the user's original intent. Canonical example: an attacker embeds a hidden instruction in a PDF that induces an internal-corporate agent to retrieve customer data and email it externally. **Legal liability.** Personal-information leakage; trade-secret leakage; unauthorized transactions; misinformed decisions; data exfiltration. 
Triggers the *Cybersecurity Law*, *Data Security Law*, *PIPL*, trade-secret protection regime, contractual liability, and tort liability. If the agent acts on the enterprise's behalf in a transaction or payment context, also raises questions of authorization effectiveness, apparent agency (表见代理), and internal-control failure. ### 2. Tool misuse / abuse (工具误用/滥用) **Technical risk.** After being granted tool-call permissions, the agent — through unclear permission boundaries, insufficient input validation, overlong execution chains, or absence of human-confirmation gates — performs erroneous, excessive, or attacker-induced operations within nominally legal tool scope. The core distinguishing feature: the agent doesn't just "say wrong" — it "does wrong." Example: a customer-service agent intended only to query order status proceeds to initiate refunds because its tool permissions were too broad. **Legal liability.** Data deletion; over-scope queries; financial loss; service interruption. Triggers findings of inadequate permission boundaries, breach of security-protection obligations, or absence of necessary approval mechanisms — resulting in administrative data-compliance penalties, contractual breach liability, tort liability, consumer-protection liability, and internal-audit accountability. ### 3. Identity and permission abuse (身份与权限滥用) **Technical risk.** In multi-system, multi-tool, or multi-agent environments, the agent inherits, caches, sub-delegates, or reuses identity credentials — resulting in low-privilege actors effectively acquiring high-privilege capabilities, or rendering the responsible actor for specific behaviors unidentifiable. Example: an administrator agent retains SSH credentials in its memory or context; a regular user then induces it to use those credentials to create unauthorized accounts. 
**Legal liability.** Access-control failure; over-authorization processing of personal information; important-data leakage; unauthorized payment; system intrusion. Triggers administrative and civil liability for failure to implement least-privilege, identity authentication, access control, credential isolation, and audit logging. In dispute resolution, the inability to prove the source of operations, authorization chain, and responsible actor produces adverse evidentiary outcomes. ### 4. Agent supply-chain risk (智能体供应链风险) **Technical risk.** The agent's underlying model, plugins, tools, prompt-template libraries, MCP services, agent registries, datasets, third-party agents, or update channels are poisoned, tampered with, counterfeited, or implanted with malicious logic. Examples: a malicious MCP server impersonating a normal email tool secretly bcc's the attacker on every email; a poisoned npm package auto-installed by a developer agent exfiltrates SSH keys and API tokens. **Legal liability.** Third-party-component security liability; vendor-management liability; open-source-compliance liability; data-leakage liability. Enterprises without component inventories, source verification, version pinning, vendor review, behavior monitoring, and emergency-deactivation mechanisms face findings of inadequate security management. ### 5. Unintended code execution (意外代码执行) **Technical risk.** When generating, interpreting, modifying, or executing code, the agent — through prompt injection, tool misuse, unsafe deserialization, dynamic-execution functions, or malicious dependency installation — converts natural-language input or model output into unintended executable behavior. Particularly acute in dev-assistant, auto-Ops, data-analysis, and "vibe coding" contexts where the agent connects directly to code repositories, command lines, build systems, or production environments. 
**Legal liability.** System intrusion; production-data deletion; service interruption; malicious-code propagation; client-asset damage. Triggers cybersecurity-incident handling obligations, data-leakage notification obligations, contractual breach, and tort liability. ### 6. Memory and context poisoning (记忆与上下文投毒) **Technical risk.** Attackers — through file uploads, API data, user input, RAG knowledge bases, shared memory, or multi-agent interactions — poison the agent's long-term memory, vector store, context summary, or retrievable knowledge. The agent then makes erroneous judgments or dangerous decisions in subsequent tasks. The distinguishing feature: malicious content may not trigger immediate harm, but is repeatedly used as trusted information in later sessions, retrievals, or task plans. Example: an attacker repeatedly feeds a travel agent fake flight prices; the agent later auto-approves erroneous-price orders. **Legal liability.** Erroneous transactions; misinformation propagation; PI commingling; cross-tenant data leakage; business-decision distortion. Triggers data-quality management, PI segregation, purpose limitation, minimum-necessary processing, trade-secret protection, and client-loss compensation obligations. In high-sensitivity sectors (financial, medical, government), triggers stricter sectoral regulatory liability. ### 7. Inter-agent communication insecurity (智能体间通信不安全) **Technical risk.** When multi-agent systems communicate via API, message bus, shared memory, or registry-discovery mechanisms, the absence of authentication, integrity verification, semantic validation, or replay-protection allows attackers to intercept, forge, tamper with, replay, or block agent messages. Example: a man-in-the-middle inserts hidden instructions into an unencrypted channel, altering multi-agent decisions. **Legal liability.** Data leakage; erroneous scheduling; mispayment; system interruption; responsibility-chain rupture. 
Triggers findings of inadequate transport encryption, identity authentication, access control, and integrity-protection measures.

### 8. Cascade failure risk (级联故障)

**Technical risk.** A single agent's error, hallucination, poisoned memory, malicious input, supply-chain issue, or tool misuse propagates along the multi-agent collaboration chain, automated workflow, shared state, or business system — and amplifies into a systemic failure. The agent's autonomous-planning and auto-execution capabilities make single-point errors more likely to escalate into cross-system, cross-workflow, cross-actor chain consequences. Example: a poisoned medical knowledge base causes a treatment agent to adjust medication plans, which a nursing-coordination agent then propagates across multiple patient flows.

**Legal liability.** Product defects; medical harm; financial loss; public-safety incidents. Triggers product liability, tort liability, contractual liability, regulatory-reporting and emergency-response obligations. In high-risk sectors, additionally triggers administrative penalties, business-rectification orders, suspension of operations, and executive accountability.

### 9. Human-machine trust exploitation (人机信任利用)

**Technical risk.** The agent uses natural-language fluency, anthropomorphized expression, authoritative tone, emotional interaction, or fabricated explanations to induce excessive user trust — leading the user to approve dangerous operations, disclose sensitive information, or make erroneous business decisions. The risk doesn't always manifest as the agent directly over-stepping; often it appears as the agent *influencing the human user* to complete the final, auditable operation — making it more covert in forensic and liability-attribution contexts. Example: a poisoned finance Copilot recommends "urgent payment" based on a fake invoice; the manager, trusting its explanation, approves the transfer.
**Legal liability.** Consumer misleading; fraudulent payment; PI leakage; internal-credential leakage; erroneous medical or financial advice. Triggers consumer-protection, advertising-and-anti-fraud, PIPL, contractual breach, and employer-liability risk. If the agent's explanation conceals real risk, additionally raises transparency, disclosure, and human-oversight failure issues.

### 10. Rogue / malicious agents (失控/恶意智能体)

**Technical risk.** The agent — through attack, poisoning, goal drift, reward-function defect, identity spoofing, or multi-agent collusion — departs from its original function and authorization scope, exhibiting persistent, covert, self-replicating, or destructive harmful behavior. The risk distinguishes itself from single-input-output errors: the agent loses behavioral integrity and governance controllability *during operation*. Example: an attacked agent continues to scan for and exfiltrate sensitive files even after the original malicious source is removed; a compromised auto-Ops agent self-replicates via configuration interfaces, persistently consuming system resources.

**Legal liability.** Persistent data exfiltration; business-flow hijacking; system destruction; production-backup loss; unrecoverable damage. Triggers major cybersecurity-incident liability, data-security liability, contractual and tort liability.

## How this connects to recent Chinese case law

Zhu flags one recently-litigated case as illustrative of how Chinese courts are starting to apply traditional legal categories to agent conduct.

**Guangzhou Internet Court — agent network unfair-competition dispute.** The court recently considered an AI dialogue agent with role-playing and intelligent-conversation capability, which could (to some degree) substitute for human users in click/send/interaction operations on a target chat platform.
The plaintiff alleged that the defendant's open-source agent was bypassing the plaintiff's platform rules and technical management measures, using system-underlying permissions to directly recognize, read, and control other applications — calling and operating the plaintiff's platform without authorization, harming the platform's operating order and legitimate rights. The court issued a preservation order requiring the defendant to:

- Immediately cease providing download and installation services for the agent
- Cease using system-underlying permissions to circumvent the platform's technical management measures
- Delete and cease propagating tutorials and content directed at circumventing the platform's risk-control measures

The case's analytical core is the **dual-authorization principle (双重授权原则)** for AI agents accessing third-party platforms: where an agent accesses, calls, or controls a third-party application, it must obtain both *the third-party application's authorization* and *the user's autonomous authorization*. The court declined to treat "open-source," "non-profit," "user-script," or "third-party-component" status as default exoneration; the analysis focused on whether the agent broke the platform's technical management measures, disrupted normal operating order, and circumvented the third-party application's security boundaries using user authorization as cover.

Zhu reads this as paralleling the analytical posture of *Amazon v. Perplexity* in the United States: in both, the central proposition is that *user authorization does not equal platform authorization*. Once a third-party platform has — through terms of service, technical measures, cease-and-desist letters, or otherwise — explicitly restricted agent access, an agent operator that continues to design, assist, or execute such access faces unauthorized-access, circumvention-of-technical-measures, unfair-competition, or platform-rule violation liability.
## The regulatory comparison Zhu lays out

Five jurisdictions, each taking a distinct path:

- **China — dedicated Agent Rules (May 2026)**, first specialized document, classified-and-graded governance framework
- **OECD — *The agentic AI landscape and its conceptual foundations* (February 2026)** — conceptual mapping to OECD's existing AI System definition, supporting policy harmonization
- **Singapore — IMDA *Model AI Governance Framework for Agentic AI* (January 2026)** — four-dimensional framework (advance risk assessment / meaningful human responsibility / technical + process controls / strengthened end-user responsibility); the most systemic external counterpart to China's Rules
- **EU — interpretation under existing AI Act**, with AI agents falling within "AI System" category subject to risk-tiered obligations; *Digital Omnibus on AI* has begun engaging agentic AI explicitly
- **US — *AI Agent Security RFI* (NIST/CAISI, January 2026)** + *AI Agent Standards Initiative* (NIST, February 2026); industry-led standards approach with leading-company governance frameworks (Google SAIF, IBM AI Agent Evaluation)
- **UK — CMA *Agentic AI and consumers* (March 2026)** — consumer-protection and competition-policy lens; distinct from the AI-safety framing of other jurisdictions

Across the five, regulatory recognition is converging: AI agents are treated as a distinct high-risk category requiring risk-grading, permission control, human oversight, security testing, traceable auditing, accountability, and transparent disclosure — not as ordinary GenAI-service extensions.

## What this tells overseas compliance teams

- **The Agent Rules are the operational reference point for any agent deployment touching the Chinese market.** Multinationals deploying agents that access Chinese users, data, or systems should map their internal governance against the Rules' classified-graded framework.
The classification tier (L1 read-only / L2 limited-write / L3 sensitive-data-processing / L4 high-impact decision) determines the regulatory scrutiny baseline.
- **The dual-authorization principle is now actionable.** For any agent that interfaces with third-party Chinese platforms — even open-source agents, even agents nominally controlled by end-users — counsel should treat third-party-platform authorization as a separate, mandatory layer beyond user authorization. The Guangzhou Internet Court ruling is the first Chinese-court articulation; expect more.
- **The ten-category risk taxonomy maps cleanly to a compliance-program review.** Use it as a checklist. For each category, verify the technical control and the legal-position documentation. Categories 4 (supply chain), 6 (memory poisoning), and 9 (human-machine trust) are the ones where DCC sees the most pre-existing-regime gaps in practice.
- **Treat the regulatory comparison as a forecasting tool, not a benchmark.** The five-jurisdiction picture telegraphs the operational convergence point. Compliance frameworks designed to satisfy the *most stringent* of China, Singapore, and EU (likely the operational floor as the regimes mature) will not need to be re-architected for a single market.

For the operational governance framework that practitioners are now using to translate this risk taxonomy into internal controls, see [Part 2 of this series](/posts/ai-agent-rules-governance-framework/).

---

— *朱垒, 从《智能体新规》看AI智能体的风险防范与合规治理(上)(Risk Prevention and Compliance Governance of AI Agents Under the Agent Rules — Part 1), 数据何规 WeChat Official Account, May 13, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA)*

*Not legal advice. The above is DCC's structured summary of Zhu's analysis, with framing for overseas counsel; the ten-category taxonomy, the cross-jurisdictional comparison, and the Guangzhou Internet Court case framing are Zhu's.
Author views are his own.*

---

## Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: ai-agents, ai-governance, genai, compliance-program, commentary
- Laws cited: genai-services-interim-measures, algorithmic-recommendation-provisions, deep-synthesis-provisions, personal-info-audit-measures
- Domains: ai-governance, data-security, personal-information
- URL: https://datacompliancechina.com/posts/ai-agent-rules-governance-framework/
- Markdown: https://datacompliancechina.com/posts/ai-agent-rules-governance-framework.md
- Original source: https://mp.weixin.qq.com/s/VAoNJBWEa7yM7TsOg0OMvw
- Original author: 朱垒 (Zhu Lei)
- Original publication: 数据何规 WeChat Official Account

### Description

Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.

### Body

> *Editor's Note — DCC.*
>
> This is Part 2 of DCC's brief on the Chinese *Agent Rules* (《智能体规范应用与创新发展实施意见》, May 8, 2026). [Part 1](/posts/ai-agent-rules-risk-taxonomy/)
> mapped the ten-category risk taxonomy.
> This brief works through the ten-step governance framework — the internal-control architecture
> practitioners are building to operationalize the regime. Adapted from a substantive piece by
> 朱垒 (Zhu Lei), originally published via 数据何规. The framework reflects converging practice
> across Chinese AI-compliance teams; overseas counsel will recognize many components but should
> pay particular attention to the *permission-inheritance failure mode* (Step 4) and the
> *AI-specific incident response* (Step 10) — the two areas where Chinese practice has surfaced
> operational issues that the general data-security playbook does not address.

## Why a ten-step framework rather than a single control

The Agent Rules treat AI agents not as an extension of generative-AI services but as a distinct system class requiring full-lifecycle governance — from *deployment-decision* (whether and what to deploy) through *design* (how the agent is permissioned and constrained) through *operations* (how its behavior is monitored) through *incident response* (what to do when something breaks). A single control point — say, a model-output review — addresses none of the new risk categories the [risk taxonomy](/posts/ai-agent-rules-risk-taxonomy/) surfaced.

Zhu's framework — drawn from project experience with multiple Chinese enterprises that have already stood up agent governance — is ten components organized into three temporal tiers:

- **Pre-deployment (requirements stage):** Steps 1–2. Governance organization + use-case admission and classification.
- **Development and testing stage:** Steps 3–8. Security assessment + identity/authorization + data protection + tool security + human oversight + supply-chain security.
- **Post-deployment (operations stage):** Steps 9–10. Continuous monitoring + AI-specific incident response.

What follows works through each.
## Step 1 — Cross-functional governance organization + agent asset inventory

**Governance organization.** For enterprises with scaled or planned-scale agent use, agent governance cannot sit only within the tech team. The recommended structure is a cross-functional body involving the board or executive team (setting the enterprise's agent risk appetite, prohibited scenarios, and high-risk scenarios), the algorithm / AI team, legal, information security, and the business owners. Either folded into existing data-compliance or cybersecurity governance, or stood up as a dedicated AI Governance Committee.

**Agent asset inventory.** A unified internal inventory of every agent operating in the enterprise — self-developed, third-party-purchased, business-system-embedded, employee-configured low-code or no-code agents. Each inventory entry records:

- Agent name and business purpose
- Owning department and responsible person
- Model source and vendor
- Tool list and external-API connections
- Data-access scope
- System-access scope
- Deployment environment
- Audience (internal, customer-facing, partner-facing)
- Risk level (per Step 2 classification)
- Lifecycle status

The inventory is the precondition for everything downstream: without knowing what agents exist and what they're connected to, classification, permission control, audit, and incident response have no anchor. Chinese teams that have skipped the inventory step have, by Zhu's account, consistently hit issues at the audit or incident-response stage.

## Step 2 — Use-case admission + classification

**Classification.** A four-tier classification standard is the working pattern:

- **L1 — Low-risk read-only assistance.** Internal document summary, knowledge retrieval, text refinement.
- **L2 — Limited write or internal-flow assistance.** Drafting tickets, generating email drafts, supporting internal reports — but with mandatory human-completion for the final submission.
- **L3 — Sensitive-data processing or multi-internal-system access.** Customer-service agents handling user PI, after-sales records, or order data.
- **L4 — High-impact decisions or actions.** Auto-payment, contractual commitments, diagnostic-or-treatment recommendations, credit decisions, production-system changes, external-transaction execution.

L3 and L4 agents face higher approval thresholds, mandatory pre-deployment testing, and stricter ongoing monitoring.

**Use-case admission assessment.** Before any agent goes live, the assessment covers at minimum:

1. Does it access databases? What is the scope? Does it touch personal information, trade secrets, or other sensitive data?
2. Does it access external systems? Does it interact with third-party systems? What is the attack surface?
3. Does it have write, transaction, or decision capabilities? Are its actions reversible?
4. What is the target audience? Public-facing? Employee-facing?
5. What is the business-domain error tolerance? Does it touch finance, medical, hiring, credit, contract negotiation, critical-infrastructure operations, production-system code modification, or other high-risk domains?

The admission assessment prevents business units from quietly attaching agents to production environments without risk evaluation — a common pre-governance failure mode.

## Step 3 — Security assessment + AI red-team testing

**Security assessment.** Before any agent goes live, the assessment covers task-completion accuracy, policy compliance, tool-call correctness, over-authorization attempts, prompt injection, sensitive-data leakage, anomaly recovery, rollbackability, log completeness, multi-agent cascade errors, and high-load stability.

**Red-team testing for high-risk agents.** Typical tests:

- Embedded malicious instructions in webpages or documents — does the agent get tricked into data leakage?
- Third-party tool return content — does it alter the agent's system instructions?
- Will the agent call unauthorized tools?
- Will the agent send internal data to external APIs?
- After task failure, does the agent loop and consume system resources?
- When goals are under-specified, does the agent perform "specification gaming" to bypass restrictions?

Test results produce an issue list, remediation plan, and re-test record. **High-risk agents with unresolved findings should not go live.**

## Step 4 — Identity authorization + permission control

Agents should be treated as enterprise-identity-management subjects — like employees, service accounts, or API clients. Each agent gets a unique identifier; the system records the user / department / business flow it represents; multiple agents sharing high-privilege accounts is prohibited.

**Authorization principles** — least privilege, task scope, time scope, context scope. The agent only accesses data, calls tools, and operates systems within the scope necessary to complete the specific task.

**The permission-inheritance failure mode.** Zhu calls out this trap explicitly because it's the most-common operational issue in Chinese practice:

- If an employee can only access one category of customer data, the agent they entrust should not — through technical configuration — acquire higher permissions.
- If a primary agent calls a sub-agent or external tool, the sub-agent or external tool should not by default inherit the full permissions of the primary.

This sounds obvious, but the default configurations of most agent frameworks and orchestration platforms do *not* enforce permission inheritance limits. Engineering teams treating agent-to-agent or agent-to-tool calls as transparent function calls reproduce the human-employee permission structure in the agent layer — without realizing they've also reproduced the maximum-permission attack surface of every actor in the chain.
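What a non-inheriting default looks like in code, as an added illustration (this is DCC-independent example code, not Zhu's framework or any agent platform's implementation): each agent, sub-agent and tool is a named principal carrying its own grant set; delegation intersects the child's request with the parent's grants so a call down the chain can only narrow permissions, never widen them; actions on the high-impact list need a named secondary approver even when the grant exists; and every decision is logged with actor, represented user and the full authorization chain, which is the evidentiary record that Category 3 above says is missing when disputes arise. Agent IDs, resource and action names and the high-impact list are constructed.

```python
"""Agent identities with attenuating delegation and a secondary-approval gate.

Added illustration for Step 4; not code from Zhu's framework, DCC, or any
agent platform. Agent IDs, resource/action names and the audit-entry layout
are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

Grant = FrozenSet[Tuple[str, str]]          # set of (resource, action) pairs

# Constructed list of actions that must never run on a single authorization.
HIGH_IMPACT = {"pay", "delete", "bulk_export", "send_external", "change_permission"}


@dataclass(frozen=True)
class Principal:
    """An agent, sub-agent or tool treated as an identity-management subject."""
    agent_id: str
    on_behalf_of: str                 # the user / department / flow it represents
    grants: Grant
    parent: Optional["Principal"] = None


@dataclass
class AuditLog:
    """Records actor, authorization chain and approver for every decision."""
    entries: List[dict] = field(default_factory=list)

    def record(self, **entry) -> None:
        self.entries.append(entry)


def delegate(parent: Principal, child_id: str, requested: Grant) -> Principal:
    """Mint a sub-agent/tool identity. Its grants are the intersection of what
    it requests and what the parent holds, so a child can never be wider than
    its parent: inheritance is attenuating, never transparent."""
    return Principal(child_id, parent.on_behalf_of, requested & parent.grants, parent)


def authorization_chain(p: Principal) -> List[str]:
    """Root-first list of the identities that led to this principal."""
    chain: List[str] = []
    while p is not None:
        chain.append(p.agent_id)
        p = p.parent
    return chain[::-1]


def authorize(p: Principal, resource: str, action: str, log: AuditLog,
              second_approver: Optional[str] = None) -> bool:
    """Least-privilege check; high-impact actions also need a named approver."""
    if (resource, action) not in p.grants:
        allowed, reason = False, "outside grant scope"
    elif action in HIGH_IMPACT and second_approver is None:
        allowed, reason = False, "high-impact action needs secondary authorization"
    else:
        allowed, reason = True, "ok"
    log.record(actor=p.agent_id, on_behalf_of=p.on_behalf_of,
               chain=authorization_chain(p), resource=resource, action=action,
               approver=second_approver, allowed=allowed, reason=reason)
    return allowed


def demo() -> dict:
    """Walk through the permission-inheritance trap and the high-impact gate."""
    log = AuditLog()
    # Primary customer-service agent acting for one employee (constructed grants).
    primary = Principal("cs-agent-01", "user:alice",
                        frozenset({("orders", "read"), ("orders", "delete"), ("crm", "read")}))
    # A mail tool asks for more than the employee has; it only gets the overlap.
    mailer = delegate(primary, "mail-tool-07",
                      frozenset({("crm", "read"), ("crm", "write"), ("orders", "read")}))
    return {
        "child_cannot_widen": ("crm", "write") not in mailer.grants,
        "child_read_ok": authorize(mailer, "crm", "read", log),
        "child_write_denied": authorize(mailer, "crm", "write", log),
        "delete_without_approver": authorize(primary, "orders", "delete", log),
        "delete_with_approver": authorize(primary, "orders", "delete", log,
                                          second_approver="user:bob"),
        "chain": log.entries[0]["chain"],   # ["cs-agent-01", "mail-tool-07"]
        "audit_entries": len(log.entries),  # 4
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that `delegate` is the only way to create a child identity, and it cannot be called with a superset of the parent's grants; a framework whose sub-agent or tool calls run under the caller's credentials skips exactly this step.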
**High-impact operations require additional gates.** Payments, data deletion, bulk export, external sending, permission changes — all should sit behind multi-factor authentication, secondary authorization, or mandatory human execution.

**Dynamic authorization scenarios** require recording the authorizer, scope, reason, time, validity period, and revocation mechanism.

## Step 5 — Data protection

The enterprise should systematically map every data-processing scenario the agent touches: user input, memory modules, runtime logs, third-party transmission. For PI, sensitive PI, or other regulated data categories, conduct the data-compliance review, PI Impact Assessment, or cross-border transfer impact assessment as applicable.

**Boundary-line specifications.** The enterprise should explicitly specify:

- Which data may enter the model context
- Which data may be written to long-term memory
- Which data may be sent to third-party tools
- Which data must be desensitized, encrypted, isolated, or simply prohibited from processing

**Consumer-facing agent disclosure.** For agents facing users or consumers, the enterprise should clearly disclose: AI identity, primary function, capability limitations, data-access scope, human-intervention mechanism, complaint channel.

**Internal-use agent rules.** For employee-internal agents, internal policy and training should cover: what categories of sensitive information may not be input; when human review is mandatory; how to mark classified material; how to report anomalies; whether internal materials may be input to external agents.

**Log and memory governance.** Retention period, access permissions, deletion mechanisms, audit rules — to prevent uncontrollable data accumulation over the agent's operating life.

## Step 6 — Tool and protocol security

Tool calls are the core risk source.
The enterprise should:

- Establish a **tool whitelist** system — for each tool, specify input/output, call permissions, rate limits, error handling, sensitive-data filtering, and logging requirements.
- For MCP servers, browser plugins, third-party APIs, code-execution environments, and RPA tools — conduct security assessment and vendor review.
- **Prohibit** agents from installing plugins or connecting to unknown servers without review; prohibit sending internal sensitive data to unvetted external tools.

## Step 7 — Human-in-the-loop design

Per agent risk tier, configure appropriate human-intervention mechanisms:

- **Low risk** — ex post sampling sufficient
- **Medium risk** — key-node confirmation
- **High risk or irreversible action** — ex ante approval, two-person verification, or human execution

The enterprise should periodically audit whether the human-approval is *meaningful* — i.e., that the approver actually reviews, rather than mechanically clicking through due to automation bias. The audit posture: "would this approval have caught the kind of error this agent is most likely to produce?"

## Step 8 — Supply-chain security

The enterprise should integrate agent supply-chain into procurement-admission, information-security, and data-compliance review processes — vendor data-handling practices, security capabilities, model-update mechanisms, log retention, service availability, audit cooperation.

**Contract terms** with agent vendors should cover: model / plugin / tool / log responsibilities; vulnerability response; data handling; IP; infringement complaints; service interruption; security-incident notification.

**For vendors processing PI, trade secrets, or regulated data**, require security-capability proof, signed data-processing agreement, and AI-compliance-and-security-protection special clauses in the contract.

## Step 9 — Continuous monitoring

Post-deployment, the enterprise should establish dynamic-behavior monitoring.
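To show what such monitoring computes, here is an added example (DCC-independent illustration code, not Zhu's or any vendor's): it aggregates a window of per-agent audit events into several of the indicators Zhu lists (tool-call count, consecutive failed retries as the runaway-loop signal, external-data-send volume, over-authorization requests, human-rejection rate) and raises an alert when a threshold is reached. The event schema, agent names, event values and thresholds are all constructed; a real deployment would feed this from the tool-call and authorization logs that Steps 4 and 6 require.

```python
"""Behaviour-monitoring indicators for deployed agents (Step 9).

Added illustration, not code from Zhu's framework, DCC or any agent platform.
The audit-event schema, agent names, event values and thresholds are all
constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (seconds into the monitoring window, agent id, event kind, detail)
Event = Tuple[int, str, str, dict]

# Constructed audit events for one monitoring window.
EVENTS: List[Event] = [
    # A well-behaved drafting agent: two tool calls, both approved by a human.
    (1, "draft-agent", "tool_call", {"tool": "search_kb", "ok": True}),
    (2, "draft-agent", "human_review", {"decision": "approve"}),
    (3, "draft-agent", "tool_call", {"tool": "create_ticket", "ok": True}),
    (4, "draft-agent", "human_review", {"decision": "approve"}),
    # An ops agent stuck in a failing retry loop, asking for rights it lacks,
    # pushing a large payload out, and finally rejected by its human approver.
    (10, "ops-agent", "tool_call", {"tool": "restart_service", "ok": False}),
    (11, "ops-agent", "tool_call", {"tool": "restart_service", "ok": False}),
    (12, "ops-agent", "tool_call", {"tool": "restart_service", "ok": False}),
    (13, "ops-agent", "tool_call", {"tool": "restart_service", "ok": False}),
    (14, "ops-agent", "tool_call", {"tool": "restart_service", "ok": False}),
    (15, "ops-agent", "authz_denied", {"resource": "prod-db", "action": "delete"}),
    (16, "ops-agent", "authz_denied", {"resource": "prod-db", "action": "bulk_export"}),
    (17, "ops-agent", "external_send", {"dest": "api.example.invalid", "bytes": 4_000_000}),
    (18, "ops-agent", "human_review", {"decision": "reject"}),
]

# Constructed per-window alert thresholds (reaching the value triggers an alert).
THRESHOLDS = {
    "tool_calls": 20,             # anomalous tool-call count
    "failed_streak": 3,           # consecutive failed retries of one tool (runaway loop)
    "external_bytes": 1_000_000,  # external-data-send volume
    "over_auth_requests": 1,      # over-authorization request count
    "human_rejection_rate": 0.5,  # share of human reviews that rejected the agent
}


def compute_indicators(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """Aggregate per-agent indicators over one window of audit events."""
    ind: Dict[str, Dict[str, float]] = defaultdict(lambda: {
        "tool_calls": 0, "failed_streak": 0, "external_bytes": 0,
        "over_auth_requests": 0, "reviews": 0, "rejections": 0,
    })
    streak: Dict[str, Tuple[str, int]] = {}   # agent -> (tool, consecutive failures)
    for _, agent, kind, d in sorted(events, key=lambda e: e[0]):
        m = ind[agent]
        if kind == "tool_call":
            m["tool_calls"] += 1
            tool, n = streak.get(agent, ("", 0))
            if d["ok"]:
                n = 0                      # a success ends the loop
            elif tool == d["tool"]:
                n += 1                     # same tool failing again
            else:
                n = 1                      # first failure of a new tool
            streak[agent] = (d["tool"], n)
            m["failed_streak"] = max(m["failed_streak"], n)
        elif kind == "external_send":
            m["external_bytes"] += d["bytes"]
        elif kind == "authz_denied":
            m["over_auth_requests"] += 1
        elif kind == "human_review":
            m["reviews"] += 1
            m["rejections"] += int(d["decision"] == "reject")
    for m in ind.values():
        m["human_rejection_rate"] = m["rejections"] / m["reviews"] if m["reviews"] else 0.0
    return dict(ind)


def alerts(events: List[Event]) -> List[Tuple[str, str]]:
    """(agent, indicator) pairs whose value reached the threshold."""
    out = []
    for agent, m in compute_indicators(events).items():
        for key, limit in THRESHOLDS.items():
            if m[key] >= limit:
                out.append((agent, key))
    return out


if __name__ == "__main__":
    for agent, key in alerts(EVENTS):
        print(f"ALERT {agent}: {key}")
```

On the constructed window the drafting agent raises nothing, while the ops agent trips four indicators at once; the failed-retry streak is the one to wire to an automatic loss-cutoff, since it is the signature of the resource-exhausting loop the text warns about.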
Indicators include:

- Anomalous tool-call count
- External-data-send volume
- Failed-retry count
- Over-authorization request count
- Human-rejection rate
- User complaints
- Hallucination-induced correction count
- System-resource consumption
- High-risk-operation frequency
- Sensitive-data hit rate
- Vendor service anomalies

For abnormal-resource-consumption scenarios, the enterprise should pre-negotiate with the vendor on billing, quotas, alerts, and loss-cutoff mechanisms — to avoid catastrophic cost or service loss from runaway agent loops.

## Step 10 — AI-specific incident response

Agent incidents may include: data leakage, over-authorization, erroneous transactions, misdirected emails, production-system damage, consumer misleading, vendor tool compromise, successful prompt injection, multi-agent cascade failure, erroneous-recommendation harm, agent-repeated-execution resource exhaustion. These do not map cleanly onto traditional cybersecurity incident-response playbooks. Zhu recommends building agent-specific incident response with reference to the *Cybersecurity Standard Practice Guide — Generative AI Service Security Emergency Response Guide*.

## Five operational priorities — what to do now

Zhu's concession: a "big-and-comprehensive" governance regime build takes time. For enterprises that need to start without waiting, there are five operational priorities:

1. **Map and assess existing agents.** Identify current and planned-deployment agents that touch PI, external systems, automated decision-making, or critical business flows. Flag those carrying significant security, compliance, or business risk.
2. **Customer-facing agent service terms.** Draft or update *AI Agent Service Terms* documenting the agent's identity, function scope, action boundaries, data-processing practices, user authorization, human-intervention, complaint and feedback paths, and liability allocation.
3. **Procurement and vendor contract clauses.** Develop a procurement-admission standard for agent R&D, purchasing, and third-party supply-chain cooperation; insert AI-compliance-and-security-protection special clauses into procurement and cooperation agreements covering functional availability, data handling, memory retention, tool calls, resource consumption, vulnerability response, service interruption, IP, and security-incident notification.
4. **Workflow review for production-integrated agents.** For agents already integrated into business flows, assess whether human-verification mechanisms are needed; adjust workflows, user-interaction interfaces, internal-approval processes, and log-retention rules accordingly.
5. **Existing GenAI compliance overlay.** For enterprises with generative-AI services or algorithmic-recommendation deployments, assess and complete the model-filing, algorithm-filing, PIIA, and cross-border-transfer assessment work as applicable. Agent deployments don't substitute for the underlying GenAI compliance work.

## What this tells overseas compliance teams

- **Use Step 1 — inventory — as the entry point if no other agent-governance work is in place.** It is the cheapest and fastest step, and it unblocks everything downstream. Multinationals with Chinese operations should ensure the inventory captures *both* China-deployed and China-data-touching agents.
- **The L1 / L2 / L3 / L4 classification is converging across jurisdictions.** Zhu's four-tier framework aligns with Singapore IMDA's framework and is broadly compatible with the EU AI Act's risk tiers. Use one classification system across the global agent estate; map Chinese L3 / L4 expectations to the higher of {EU high-risk requirements, China L3/L4 requirements}.
- **The permission-inheritance failure mode (Step 4) is the most under-recognized risk.** It manifests as a technical-implementation issue but produces a legal liability surface.
Overseas teams should specifically audit how their agent frameworks handle agent-to-agent and agent-to-tool permission propagation, and require their vendors to demonstrate non-inheritance defaults.
- **AI-specific incident-response is the operational backstop you don't have until you build it.** Traditional cyber-incident-response playbooks assume a relatively static system; agent failures are dynamic and can self-propagate. Build the agent-specific response now, before you need it — the *Generative AI Service Security Emergency Response Guide* is a useful starting reference.
- **Operationally prioritize the five-step practical plan over the ten-step comprehensive framework.** Especially for non-AI-native enterprises just starting agent deployment, the inventory + classification + customer-facing-terms + vendor-clauses + workflow-review sequence captures most of the risk reduction without overwhelming the compliance team.

The structural takeaway: **the Chinese Agent Rules are accelerating an operational architecture that will become global compliance baseline within 24–36 months**. Multinationals that build it for the Chinese regime get the global build essentially free; teams that wait for global guidance to crystallize will be reverse-engineering compliance into deployed agents at the worst possible time.

For the underlying ten-category risk taxonomy that this framework is designed to manage, see [Part 1 of this series](/posts/ai-agent-rules-risk-taxonomy/).

---

— *朱垒, 从《智能体新规》看AI智能体的风险防范与合规治理(下)(Risk Prevention and Compliance Governance of AI Agents Under the Agent Rules — Part 2), 数据何规 WeChat Official Account, May 20, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/VAoNJBWEa7yM7TsOg0OMvw)*

*Not legal advice. The above is DCC's structured summary of Zhu's framework, with framing for overseas counsel; the ten-step framework and the five-step priority sequence are Zhu's.
Author views are his own.*

---

## Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: ai-governance, open-source, training-data, copyright, commentary
- Laws cited: genai-services-interim-measures, pipl, dsl, csl
- Domains: ai-governance, personal-information, data-security
- URL: https://datacompliancechina.com/posts/open-source-ai-training-data-compliance/
- Markdown: https://datacompliancechina.com/posts/open-source-ai-training-data-compliance.md
- Original source: https://www.rmlt.com.cn/2026/0401/748659.shtml
- Original author: 张平 (Zhang Ping), Peking University Law School
- Original publication: 人民论坛 (People's Tribune), April 1, 2026

### Description

Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.

### Body

> *Editor's Note — DCC.*
>
> Zhang Ping, professor at Peking University Law School, published this piece in 人民论坛 (People's Tribune) — a state-affiliated theoretical
> journal of People's Daily Publishing Group — as part of its 前沿 ("Frontier") column on emerging legal and policy questions.
> The piece takes direct aim at two confusions that have dominated Chinese open-source AI discussion in the wake of DeepSeek, Qwen, and the
> broader open-weight wave: the conflation of "model weight open-source" with "training data open-source," and the inference from "available
> on the internet" to "available for training." DCC reproduces Zhang's framework with framing for overseas counsel structuring China-related
> AI-model and training-data deployments.

## The two misconceptions

Two patterns Zhang sees repeatedly in Chinese practitioner discussion:

**Misconception 1: Open-source AI means training data has no copyright protection.** Wrong. Open-source is *conditional authorization based on a license*. The licensor retains copyright; the licensee gets specified rights only within license scope. "Publicly accessible" content on the internet is not the same as "available for training" — most internet content is protected by copyright, the *Personal Information Protection Law*, or trade-secret regimes.

**Misconception 2: Algorithm open-source compels simultaneous training-data publication.** Wrong. Model weights and training data are *two distinct objects subject to different legal rules*. An enterprise can open-source the model architecture and weights while maintaining commercial autonomy over the training corpus. Doing so is both legally compliant and commercially coherent — and is, in fact, the standard practice for most major open-weight releases (the model is open; the data is not).

The misconceptions are not academic. They drive operational behavior: teams scraping web data on the assumption that "open = public domain," teams publishing model weights and assuming the training data must follow, teams negotiating with data suppliers under wrong assumptions about default rights. Each produces a downstream compliance failure.

## The full-chain risk

Open-source AI training-data use creates risk at every stage of the data lifecycle.
Zhang structures the picture in three: ### Acquisition stage The dominant operational mode is automated crawling at scale. The legal problem: **license-chain traceability collapses at scale**. A scraped page may host content under multiple licenses, with licensing buried in linked agreements or invisible metadata. Aggregation across millions of sources produces a corpus where the original license terms are no longer traceable per item. This produces what Zhang calls a **"license laundering" (许可洗钱) effect** — a striking term that captures how copyright-protected content becomes operationally indistinguishable from public-domain content once it's been processed through a crawling and tokenization pipeline. The downstream operator cannot, in practice, separate the legitimately licensed content from the infringing content in the resulting corpus. From a compliance posture, every byte in the corpus carries inherited license-uncertainty. ### Processing stage Once acquired, the training data enters PI-protection obligations under PIPL — and these obligations are *technically difficult to discharge*. Two specific gaps: - **The right of deletion (删除权).** PIPL Article 47 establishes the deletion right; for personal information in a training corpus, exercising the right is technically non-trivial. Once a model has been trained on a dataset, removing a specific data point requires retraining or specialized "machine unlearning" techniques that are still maturing. The legal right exists; the operational mechanism is incomplete. - **Purpose limitation.** PIPL Article 6 limits processing to the disclosed purpose. Training data that was lawfully collected for a stated purpose (e.g., medical-records research) cannot, without additional consent, be redirected to a different purpose (e.g., training a foundation model for general use). Compliance teams underestimate how aggressively this constrains corpus repurposing. 
### Output stage The model may, in inference, *reproduce specific expressions from the training corpus* — verbatim or near-verbatim. This triggers two distinct legal vectors: - **Copyright infringement.** Where the reproduced expression is identifiable as a copyrighted work, the model output may infringe; the deployer is exposed under direct or indirect infringement analysis. - **PI re-identification.** Where the reproduced expression contains personal information from the training corpus, the model output may constitute an unauthorized disclosure of personal information — even if the training input was processed with appropriate consent. The output-stage risk is structurally novel because it implicates not the data acquisition or processing decisions but the *model's emergent behavior*. Standard compliance-review postures designed for static-data flows don't capture it. ## The four-tier differentiated governance framework Zhang's most operationally useful contribution is a four-tier classification of training data with corresponding compliance gates. The tiers: ### Tier 1 — Open-license or public-domain data Lowest risk. Data under open licenses (Creative Commons, Apache, MIT, etc.) or in the public domain. **Compliance posture:** prioritize use; document the license; preserve attribution where required. ### Tier 2 — Publicly accessible but with unclear licensing Moderate risk. Data scraped from the web with unclear or untraceable license terms. **Compliance posture:** active license-chain verification before inclusion. If verification fails, exclude from corpus or restrict downstream model use. Crucially, *publicly accessible ≠ licensed for training* — Tier 2 requires affirmative documentation, not absence of explicit prohibition. ### Tier 3 — Data containing personal information High risk. **Compliance posture:** strict PIPL handling. De-identification or anonymization at the earliest possible pipeline point. PIIA prior to inclusion. 
Documentation of legal basis (consent, contractual necessity, statutory exemption). Separate handling protocols for sensitive PI under PIPL Article 28. ### Tier 4 — Important data or trade secrets Highest risk. Data within the *important data* category under the DSL classification regime, or third-party trade secrets. **Compliance posture:** highest-tier security protection. Access controls, encryption, audit logging, segregation from general-corpus pipelines. Separate review and approval gates. For important data, additional consideration of cross-border restrictions under the *Measures for the Security Assessment of Data Export*. The four-tier framework is the operational analog of the [three-tier data classification (general / important / core)](/posts/qinglan-how-to-identify-important-data/) Wang Qinglan walked through for general data assets, applied specifically to AI training corpora. ## The four operational pathways Zhang proposes four concrete pathways for enterprises operationalizing the framework. ### Pathway 1 — Strengthen authorization contracting with data suppliers Enterprises sourcing training data from third-party suppliers should contract for: - **Complete data source proof.** The supplier must provide documentation of where the data was collected and from whom. - **Authorization-chain documentation.** Full traceability from the original rights-holder through any intermediate licensees to the supplier. - **Title-warranty clauses.** Embedded warranties shifting infringement liability to the supplier in case of defects. This shifts the license-laundering risk back up the supply chain to the party best positioned to verify provenance — the supplier — rather than concentrating it at the deployer. ### Pathway 2 — Classification and grading system Routine data inventory and asset ledgers documenting per data category: source, authorization form, applicable scope, compliance status. Differentiated access controls aligned to the four-tier classification. 
### Pathway 3 — Technical defenses - **Pre-training automated tools.** Remove personal information; identify high-copyright-risk data; flag potential trade-secret content. Apply before the data enters the training pipeline. - **Output filtering mechanisms.** At inference, intercept outputs that may reproduce training-corpus expressions verbatim. The output-stage risk needs an output-stage control. ### Pathway 4 — Public corpus infrastructure development The supply-side fix Zhang advocates: expand compliant public corpora. Government data, public cultural resources, scientific data — released under standardized authorization terms with quality control and continuous updating. The aim is to provide enterprises with a high-volume, low-risk, well-documented training-data source — reducing the operational incentive to scrape questionable web content. ## What this tells overseas compliance teams - **Stop conflating "model open-source" with "data open-source."** They're distinct legal objects. Standard global practice (open weights + closed training corpus, or open weights + partially-documented training corpus) is legally coherent in China; the conflation is the compliance failure mode, not the structure. - **"Publicly accessible" is not a legal status — it is a technical state.** Web-accessibility does not entail training-use license. Compliance reviews of training-data sourcing should specifically reject "scraped from public web" as a sufficient documentation standard. Replace with affirmative license documentation per data source. - **The license-laundering risk is structural.** Scrape-aggregate-train pipelines obscure the license-chain in ways that cannot be unwound post hoc. The compliance posture has to be designed at the *acquisition* stage; downstream remediation is not, in practice, available. 
- **The four-tier framework maps cleanly to internal corpus governance.** Multinationals building or licensing AI models with any China-data exposure should map their training corpora against Zhang's four tiers and document the compliance gates per tier. The framework is portable; many of its requirements (de-identification at pipeline entry, license-chain documentation, output filtering) are operational baseline globally. - **The output-stage filtering capability is the under-deployed control.** Most compliance attention focuses on data acquisition and processing; the inference-stage reproduction risk is where the most-visible failures occur in practice. Build the output filtering before the regulator surfaces a verbatim-reproduction case against your model. The deeper point Zhang lands at the close of her piece: **open-source and compliance are not in tension; they are *both* preconditions for sustainable AI industry development**. China's AI international competitiveness, she argues, requires both "continuous technological breakthroughs" and "solid legal infrastructure." Compliance governance is not a constraint on innovation — it is the condition that lets innovation continue. The framing is consistent with the broader Chinese-regulator posture: the regime is trying to enable the AI industry, not suppress it, but is willing to absorb friction in the build-out to keep the architecture intact. --- — *张平, 前沿 | 开源人工智能训练数据的合规治理 (Frontier: Compliance Governance of Open-Source AI Training Data), 人民论坛 (People's Tribune), April 1, 2026. [Original article (Chinese).](https://www.rmlt.com.cn/2026/0401/748659.shtml)* *Not legal advice. 
The above is DCC's structured summary of Zhang's analysis, with framing for overseas counsel; the four-tier classification framework and the four operational pathways are Zhang's.*

---

## MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: enforcement, miit, app-compliance, pipl, public-naming
- Laws cited: pipl, csl, personal-info-audit-measures, network-data-security-regulations
- Domains: enforcement, personal-information, app-compliance
- URL: https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming/
- Markdown: https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming.md
- Original source: https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA
- Original author: 工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau)
- Original publication: 工信微报 WeChat Official Account

### Description

MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

### Body

> *Editor's Note — DCC.*
>
> The MIIT public-naming bulletin series is the most consistent
> enforcement signal in the Chinese mobile-app PI regime. The May 21,
> 2026 bulletin (the third 2026 batch, the 56th overall) names 31 apps
> and SDKs for violations of the PI-collection rules and for
> window-redirect abuse. DCC publishes this as the first entry in our
> enforcement tracker because it lets us establish the structural
> reading of the series that every subsequent batch will fit into: the
> joint-campaign architecture, the four-statute legal basis, the
> rectify-then-enforce pathway, and the cadence. The 31-app list itself
> is in MIIT's attachment; DCC's brief focuses on what the regime
> *does* with the list and what overseas teams should infer from the
> batch's existence.

## The bulletin

The Information & Communications Administration Bureau of the Ministry of Industry and Information Technology (工业和信息化部信息通信管理局) issued *Bulletin on Acts Infringing User Rights and Interests by APPs (SDKs) — Batch 3 of 2026, Total Batch 56*, dated **May 21, 2026**.

The bulletin states that **31 apps and SDKs** were found by third-party testing institutions, retained by the Ministry, to engage in conduct infringing user rights and interests — with the headline conduct categories called out in the bulletin title being **illegal collection of personal information** and **window-redirect abuse**. The detailed list of named apps and SDKs is in MIIT's attachment to the bulletin.

The bulletin closes with the formula MIIT has used since the series began: the named operators **shall rectify in accordance with the regulations**; if rectification is not fully implemented, **MIIT will, in accordance with law and regulation, organize related disposition work**.

## The campaign infrastructure

The bulletin is issued under the authority of the *Notice on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns* (关于开展2026年个人信息保护系列专项行动的公告) — a joint announcement by the **Cyberspace Administration of China (CAC), MIIT, and the Ministry of Public Security (MPS)**. The 2026 special campaign continues a multi-year inter-agency framework for organized enforcement of the mobile-app PI rules.

The structure overseas counsel should understand:

- **Annual campaign authorizing the cadence.** Each year the three agencies jointly issue a special-campaign announcement. The MIIT batches that follow during the year operate under that authorization.
- **MIIT executes the mobile-app testing tier.** MIIT's Information & Communications Administration Bureau, in cooperation with retained third-party testing institutions, performs the actual technical testing of apps and SDKs against the PI-collection and user-rights rules. The named bulletins are MIIT's published output of that testing program.
- **CAC and MPS run parallel tiers.** CAC handles the administrative-penalty tier (fines and operational restrictions on internet platforms); MPS handles the criminal tier (Article 253-1 PI offenses and other criminal conduct). The three-agency joint authorization stitches the campaign across the regulatory and criminal lines.

The campaign also operates against a parallel statutory cadence: PIPL Article 64 (CAC corrective-order power), the *Personal Information Protection Compliance Audit Management Measures* (which require regular audits and provide an audit-driven enforcement pathway), and the *Network Data Security Management Regulations* (which extend the regulatory perimeter to network-data scenarios beyond strict PI).

## The four-statute legal basis

The bulletin invokes four statutes as the legal basis for the testing and the named-and-shamed action:

- **Personal Information Protection Law (PIPL).** The dominant statute since 2021. PI-collection violations — collecting beyond declared scope, collecting without consent, retaining beyond purpose — sit under PIPL.
- **Cybersecurity Law (CSL).** The foundational network-security and network-product / service-security statute. App and SDK conduct that violates network-product certification or that creates security defects can be cited under CSL.
- **Telecommunications Regulations (电信条例).** The 2000 administrative regulations governing the telecom sector. They provide MIIT with the sector-specific authority to police telecom-service-related conduct, including conduct of internet-access service providers and value-added telecom services (most apps fall within the latter category).
- **Telecom and Internet User Personal Information Protection Provisions (电信和互联网用户个人信息保护规定).** The 2013 MIIT departmental rule that pre-dates PIPL by eight years and remains the operational sector-specific instrument for telecom / internet-channel PI protection. It is the rule that MIIT's testing program most directly enforces against.

The four-statute citation is the standard one for MIIT batched bulletins. It establishes that the same conduct can be characterized as a PIPL violation (general statute), a CSL violation (network-security statute), a Telecommunications Regulations violation (sector-administrative-regulation statute), and a Telecom and Internet User PI Provisions violation (sector departmental rule). The redundancy is intentional: each statute provides MIIT with a separate vector for sanctions.

## The rectify-then-enforce pathway

The bulletin's closing formula is the operative one. Named operators face a two-stage process:

**Stage 1 — Rectification.** The operator has a defined window (typically 5–10 working days, sometimes specified separately in MIIT communications) to rectify the cited conduct. Rectification means fixing the identified violations and, in many cases, submitting a rectification report to MIIT or the testing institution.

**Stage 2 — Disposition for non-rectification.** Failure to rectify, or incomplete rectification, triggers MIIT-organized "related disposition work." In practice this can include:

- **App-store removal.** MIIT coordinates with the major Chinese app stores to remove the offending app from distribution.
- **Operator-restriction administrative penalties.** Under CSL Article 64 / PIPL Article 66 / Telecommunications Regulations Article 70, MIIT can order corrective action, impose fines (PIPL provides for fines up to 5% of prior-year turnover under Article 66 ¶ 2 for severe cases), and restrict business operations.
- **Onward referral.** Where the conduct may rise to a criminal threshold — particularly under PRC Criminal Law Article 253-1 (the PI-protection criminal offense) — MIIT can refer to MPS for criminal investigation.
- **Recidivism flag.** Operators repeatedly named in successive batches face escalating sanctions and increased scrutiny under MIIT's annual oversight rating system.

For overseas operators with a Chinese app or SDK in distribution, the named-and-shamed stage is the **first warning** — but it is also a public warning, immediately visible to enterprise customers, business partners, and Chinese app stores. The reputational and commercial consequences begin at Stage 1, not Stage 2.

## The cadence — 56 batches and counting

The MIIT batched-bulletin series is now mature. The May 21, 2026 bulletin is **Batch 3 of 2026** and **Batch 56 overall** — meaning MIIT has issued approximately one bulletin per month-and-a-half on average since the series began (the first batches date from 2019). The 2026 cadence so far suggests roughly bimonthly batches.

The cumulative effect is significant: across 56 batches, MIIT has publicly named hundreds of apps and SDKs. Operators that appear in successive batches without addressing the underlying conduct face the recidivism-escalation pathway. The series has, in DCC's reading, durably normalized the MIIT testing-and-naming pattern as the dominant enforcement modality for mobile-app PI protection in China.

## The recurring violation patterns

While DCC has not extracted MIIT's specific 31-app list for this batch, the bulletin title — *"illegal collection of personal information, window-redirect abuse..."* — and the cumulative pattern across the 56 batches surface a stable set of recurring violation types. The most frequently cited:

- **Collection beyond declared scope.** App collects PI categories not disclosed in its privacy policy or beyond the user's actual consent. Includes collecting precise location for a service that only needs city-level location, collecting contacts for a service that doesn't need contacts, etc.
- **Mandatory permission requests for non-essential function.** App refuses to operate unless the user grants permissions for functions unrelated to the service. PIPL's "essential function" principle prohibits this.
- **Difficulty exiting account / withdrawing consent.** App makes the account-deletion or consent-withdrawal pathway disproportionately difficult. PIPL Article 16 prohibits this.
- **Excessive frequency of PI collection.** App repeatedly requests PI (e.g., location every few seconds) where infrequent collection would suffice.
- **Window-redirect abuse (窗口乱跳转).** This batch's named conduct. The user opens the app or a specific screen and is rapidly redirected through multiple windows (commonly ad windows or third-party offer pages) before reaching the intended content. The conduct violates user-experience and user-control rules; MIIT has been targeting it consistently since 2023.
- **SDK conduct hidden from the host app.** Third-party SDKs embedded in the host app collect PI on the SDK provider's account in ways the host app's privacy disclosure doesn't cover. SDK testing has been a growing focus of the MIIT batches over 2024–2026.

For each violation type, the operational fix is well-documented in MIIT's published rectification guidance. The published bulletin's lasting value to compliance teams is the implicit *prioritization*: it tells them which violations are actually attracting testing-program attention this batch.

## What this tells overseas compliance teams

- **MIIT batched bulletins are the operational floor of mobile-app PI compliance in China.** Treat them as the enforcement baseline. Internal compliance reviews should specifically test against the most recently surfaced violation patterns from the last 3–4 batches.
- **Being named is itself the sanction.** The bulletin's reputational and commercial consequences begin immediately, not at the disposition stage. Operators should pre-position to rectify quickly — and to communicate rectification to enterprise customers — once named.
- **Third-party SDK risk is increasingly weight-bearing.** Where the named entity is an SDK rather than a host app, downstream apps embedding that SDK face cascading scrutiny. Overseas teams using Chinese SDKs (advertising, analytics, push notification, payment) should monitor MIIT's SDK callouts and have a documented response process when an embedded SDK is named.
- **The annual joint-agency campaign sets the year's enforcement priorities.** Read the joint CAC + MIIT + MPS annual campaign announcement closely: it telegraphs which conduct categories the year's batches will focus on. The 2026 announcement establishes PI-protection violations and window-redirect abuse as the headline categories, which is consistent with this batch's cited conduct.
- **PIPL Article 64 and the audit measures are the parallel enforcement levers.** MIIT's batched bulletins are public; CAC's PIPL Article 64 corrective orders and the audit-driven enforcement under the [PI Audit Measures](/posts/pipo-vs-dpo-pi-protection-officer-comparison/) operate in parallel and often without public notice. Operators that fix the conduct surfaced in an MIIT batch may still face CAC or audit-driven enforcement on the same conduct.
The deeper point of this batch — and the bulletin series as a whole — is that **the Chinese mobile-app PI regime is enforced through visible, repeated, batched, third-party-tested public naming**, not through a "big-fine, big-case, big-headline" model that overseas compliance teams familiar with EU GDPR enforcement might expect. The regime grinds. The MIIT bulletin is the grinding-stone. Compliance teams that map their internal review to the bulletin's recurring violation patterns operate it well; teams that wait for a headline case will be named before they react. --- — *工业和信息化部信息通信管理局, 违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报!(31 APPs and SDKs Cited for Illegal PI Collection and Window-Redirect Abuse), 工信微报 WeChat Official Account, May 21, 2026. [Original bulletin (Chinese).](https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA)* *Not legal advice. The above is DCC's structural analysis of the bulletin and the underlying campaign architecture. The 31-app list and the specific cited conduct are in MIIT's published attachment; this brief focuses on framing the regulatory mechanism for overseas counsel.* --- ## NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself - Published: 2026-05-28 - Author: DCC Editorial - Tags: data-property-rights, data-twenty, structural-separation, data-economy, commentary - Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, public-data-authorized-operation-specifications, public-data-registration-interim-measures - Domains: data-economy, data-security - URL: https://datacompliancechina.com/posts/nda-three-rights-structural-separation/ - Markdown: https://datacompliancechina.com/posts/nda-three-rights-structural-separation.md - Original source: https://mp.weixin.qq.com/s/AvOjnMGTAa2uNrC10aKGTg - Original author: 国家数据局 (National Data Administration) - Original publication: 国家数据局 WeChat Official Account ### Description The National Data Administration's official 政策解读 
(policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules. ### Body > *Editor's Note — DCC.* > > The Data 20 Articles (December 2022) introduced what is, by some > distance, the most architecturally distinctive concept in Chinese data > law: **structural separation of data property rights** (数据产权结构性 > 分置) into three independently transferable rights — the right to hold > (持有权), the right to use (使用权), and the right to operate (经营权). > Overseas counsel asked to map this onto familiar Western frameworks > (ownership, license, sublicense; or copyright's separable bundle of > rights) usually find no clean analogue. The Data 20 Articles policy > text itself is dense and abstract. > > This NDA policy interpretation is the regulator walking through the > framework in plain language with operational examples. DCC reproduces > NDA's three illustrative scenarios — the group-company data subsidiary, > the hospital-pharma research pool, the data-broker commission > arrangement — and the four-part rationale for the design, with our > framing for overseas counsel. The examples are NDA's; the framing > around how this maps to existing transactional vocabulary is DCC's. 
## The Data 20 Articles set the architecture; this interpretation explains the picks In December 2022 the CPC Central Committee and the State Council jointly issued the *Opinions on Building a Basic Data System to Better Play the Role of Data Elements* (the "Data 20 Articles" or 数据二十条). Article III instructed regulators to explore a **structural separation system for data property rights**: instead of a unitary "data ownership" right, the regime would recognize three independently severable rights — to hold, to use, and to operate data — and would assign them to different parties depending on the data's source and the activities each party performs. In the three-and-a-half years since, the structural-separation principle has anchored a sequence of downstream rules: - **Data resource registration** (NDA, December 2024) — administrative registration of data resources, naming a "registrant" who is typically the data holder. - **Public data authorized operation specifications** (NDA, October 2024) — the holder / operator distinction in public-data licensing. - **Data property rights registration work guide (draft)** (NDA, May 2025) — a draft framework for registering each of the three rights separately, with eight ownership-clarity rules and five registration types. (See [DCC's brief on what data registration actually confirms](/posts/qinglan-what-data-registration-actually-confirms/).) - **FTZ data-circulation negative lists** — the operating mechanism for cross-border movement of data falling within a negative-list category. Each of these downstream rules assumes the structural-separation vocabulary. Overseas counsel encountering, say, the Beijing FTZ negative list or a public-data authorized-operation agreement will see references to "holder," "use right," and "operating right" as though they were settled categories — and find no clean definitional source in the policy text. This NDA policy interpretation is the closest thing to a definitional source. 
It is also unusually clear by Chinese-regulator standards, with three worked examples that map directly onto recognizable commercial arrangements. ## What each of the three rights actually means NDA defines the three rights as follows. ### Right to hold (持有权) The right to hold lawfully acquired data — directly or through a custodian — and to be protected against third parties stealing, tampering with, leaking, or destroying that data. NDA's illustrative scenario: a **large corporate group** stands up a data-tech subsidiary (数科公司, common abbreviation for 数据科技子公司) and instructs it to consolidate, store, and maintain all group data and to provide unified data services. The group structures the arrangement so the **holding right** is allocated to the data-tech subsidiary. For overseas counsel, this is closest to a **custodianship right** — a right against the world to keep what one lawfully possesses, with a defensive perimeter against intrusion. It does not entail a right to use or to commercialize. Group A in NDA's example holds; whether it may *use* the data or *operate* (commercialize) it is a separate question, allocated by separate rights. ### Right to use (使用权) The right to **process, aggregate, analyze, etc.** the data — for the right-holder's own production or operations, or to produce derivative data. NDA's illustrative scenario: a **hospital builds a data resource pool** with PI safeguards in place and permits **pharmaceutical R&D companies** to enter the pool to perform analytical work and develop new products. The hospital grants the pharma companies the **use right only** — not the holding right (the data stays under the hospital's control) and not the operating right (the pharma may not on-sell). This compartmentalization, NDA says, "secures data safety while allowing more parties to participate in releasing data-element value." 
For overseas counsel, this maps roughly to a **scoped license to process** — close to GDPR-style processor terms, but unbundled from any custodial or commercial-distribution permission. ### Right to operate (经营权) The right to **transfer, license, capitalize, or pledge** data — i.e., to commercialize. The right may be exercised on a paid or free basis. It is the right to *bring the data to market*. NDA's illustrative scenario: an enterprise wants a **data broker (数据中介机构)** to sell its data, but worries about losing control of the underlying data set. The enterprise grants the broker the **operating right only** — the broker may take the data to market and negotiate transactions on the enterprise's behalf, but does not itself hold or use the data. Once a buyer is identified and creditworthiness verified, the data supplier provides the data directly. For overseas counsel, this is closest to a **distribution / commercialization right**, severed from possession and processing — somewhat analogous to a music publisher's role in licensing master rights without holding the masters. ## How the three rights relate NDA emphasizes two structural properties of the framework that are worth flagging because they cut against intuitions from Western IP and property law. **Severability — same party may hold all, one, or some.** A single party can hold all three rights simultaneously, or just one or two, in any combination. NDA's example: in a **data-fusion arrangement**, a data-space operator partners with multiple OEMs and suppliers to jointly develop fused data sets. The parties can contract for joint holding and joint use rights, with a single party holding the operating right (i.e., one party authorized to take the fused data to market). Or all parties may jointly hold all three. The Data 20 Articles framework does not impose a default allocation — it gives parties a structured vocabulary in which to negotiate. 
**Non-exclusivity — multiple parties may hold the *same* right over the *same* data.** This is the property that most surprises overseas counsel. NDA's two examples:

- A party that lawfully holds all three rights over a data set may **copy** the data and provide the copy to a counterparty with corresponding authorization. Both parties now hold all three rights over the same underlying data, *non-exclusively*. Neither's rights derogate from the other's.
- A party that builds a **trusted data space** (可信数据空间) infrastructure may authorize multiple downstream parties to use data within the space. All authorized parties simultaneously hold the use right over the same data set, non-exclusively.

The intuition behind the design — and this is the part NDA most wants overseas readers to absorb — is that **data is not naturally rivalrous**. Two parties using a data set for different downstream applications do not deprive each other of the underlying resource. The legal regime, NDA argues, should reflect that natural property rather than artificially impose exclusivity. (Contrast traditional real property: only one party may *possess* a piece of land at any time; the right is naturally exclusive.)

## Why structural separation was chosen — NDA's four-part rationale

NDA gives four reasons for the design choice.

### Reason 1 — Reflect the multi-party-creation nature of data

Data is "co-created by multiple parties." NDA's example: a consumer's transaction data on an e-commerce platform involves the consumer, the merchant, the logistics company, the payment provider, and the platform itself. Each party contributed something — the consumer provided the underlying transactional act, the merchant the product information, the logistics company the delivery data, the payment provider the settlement record, the platform the matching infrastructure. Asking "who owns the transaction data" is unproductive: the answer is "all of them, in different respects."
The structural-separation framework lets the regime move past that question. Instead of debating *who owns the data*, parties debate *who has which right over which data set in which scenario*. NDA's phrasing: "shift the focus from arguing about whose data it is to how the data should be used."

### Reason 2 — Capture the multiplier effect of data elements

Data has low replication cost. The same data set can be reused by many parties at near-zero marginal cost, with each use generating different value. This "data multiplier effect" (数据要素乘数效应) is, in NDA's view, a primary source of the value uplift the regime is trying to unlock.

A unitary-ownership framework — where granting use to one party blocks use by another — would suppress the multiplier effect. The non-exclusive, three-rights structure preserves it: many parties can hold the same use right over the same data simultaneously, each generating distinct downstream value.

### Reason 3 — Leave development room for new business models

Data is a "young" element. The technology, industries, and market structures are all evolving. NDA does not want to lock the regime into commercial models that fit the 2026 landscape but constrain 2030 innovation.

A structurally separated three-rights framework, NDA argues, lets each market participant **describe their own rights content** in the vocabulary appropriate to their arrangement, rather than forcing every commercial structure through a single-template ownership concept. The regime accommodates rather than dictates.

### Reason 4 — Enable definitive resolution of disputes

The fourth — least emphasized but practically important — reason is dispute resolution. Disputes over data assets in current Chinese commercial practice frequently founder on the question of "who owns the data" because that question has no clean legal answer under existing IP and property frameworks.
The three-rights structure provides a vocabulary in which a court can find a specific party has the holding right, a different party has the use right within a defined scope, and a third party has a non-exclusive use right under a separate license — and adjudicate accordingly. (For an illustration of how the Supreme People's Court is starting to apply this analytical structure, see [DCC's brief on SPC's 14 data-dispute case categories](/posts/spc-data-disputes-case-category-and-data-registration/).)

## What this tells overseas compliance teams

Five operational implications stand out.

- **The three-rights vocabulary is the operating vocabulary for every downstream Chinese data rule.** Treat it as terms of art, not approximations. When a contract or rule refers to "holding right," "use right," or "operating right," each term has a definitionally distinct scope. Counsel mapping these onto a Western license-grant template will lose precision.
- **Severability + non-exclusivity creates contracting flexibility most Western IP frameworks don't.** A multinational structuring a data collaboration with a Chinese partner can negotiate granular allocations: hold-only here, use-only there, operating right reserved to a joint vehicle. There is no formal rule that one of the three rights "follows" the others. Treat each right as separately negotiable.
- **Data-tech subsidiaries (数科公司) are the canonical holding-right structure for Chinese corporate groups.** Where a multinational's Chinese affiliate sets up — or interacts with — a 数科公司, treat it as the holding-right node; use and operating rights for specific data sets typically sit elsewhere in the group, allocated by intra-group agreement.
- **Trusted-data-space arrangements are the canonical multi-party use-right structure.** Where a Chinese counterparty proposes a "trusted data space" (可信数据空间) collaboration, the framework assumes all participants will hold non-exclusive use rights inside the space, with the holding right typically sitting with the space operator. Map your own internal classification accordingly.
- **The Data Property Rights Registration framework will codify the three-rights vocabulary in registrations.** Once NDA's *Data Property Rights Registration Work Guide* moves from draft to final, registered rights certificates will identify which of the three rights are being registered, by whom, over which data set. Compliance teams should expect Chinese counterparties to begin referencing registration certificates in transactional due diligence and contracting from 2027 onward.

The deeper point of NDA's piece is that the three-rights structure is not a translation of a Western framework into Chinese vocabulary. It is an attempt at a **data-native property concept**, designed against the actual properties of digital information (non-rivalry, multi-party creation, low replication cost, derivative-generation capability). Whether the design will work in practice — i.e., whether courts and market actors will operationalize it cleanly — is the open question of the next five years. The intellectual ambition of the design is real, and NDA's interpretation is the clearest available statement of what the regulator thinks it is building.

---

— *国家数据局, 政策解读 | 如何理解数据产权结构性分置 (Policy Interpretation: Understanding Structural Separation of Data Property Rights), 国家数据局 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/AvOjnMGTAa2uNrC10aKGTg)*

*Not legal advice. The above is DCC's structured summary of NDA's policy interpretation, with framing for overseas counsel; the illustrative scenarios and four-part rationale are NDA's.*

---

## Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: data-property-rights, data-twenty, data-processor, data-economy, commentary
- Laws cited: data-foundation-system-opinions, pipl, civil-code-personal-info, data-property-rights-registration-guide-draft
- Domains: data-economy, data-security, personal-information
- URL: https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation/
- Markdown: https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation.md
- Original source: https://mp.weixin.qq.com/s/O1hmeSC9cSbYDg5-L3mXbA
- Original author: 国家数据局 (National Data Administration)
- Original publication: 国家数据局 WeChat Official Account

### Description

NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data processor's commercial interest against the information subject's right to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.

### Body

> *Editor's Note — DCC.*
>
> NDA's [first interpretation in the series](/posts/nda-three-rights-structural-separation/)
> defined the three rights themselves — hold, use, operate. This second
> interpretation tackles the prior question: **who is the "data processor"
> in the first place, and who is the "information subject"?** That
> threshold classification determines who, by default, holds each of the
> three rights.
>
> NDA's hypothetical — a farm renting equipment from three different
> vendors, with cultivation data flowing back to all parties — is doing
> useful work. It separates *generating* data (the farm's activity) from
> *collecting* data (the equipment vendors' systems), and it surfaces
> the under-discussed access-to-data right (information subjects'
> entitlement to obtain copies of relevant data) that is the corporate
> analogue to GDPR data portability.

## The threshold classification

The first NDA interpretation walked through the three property rights — hold, use, operate. Before any allocation question can be answered, however, two prior classifications must be made:

1. **Who is the data processor (数据处理者)?** NDA's working definition, drawn by analogy from the PIPL definition of "personal information processor": *the natural person, legal entity, or unincorporated organization that independently determines the purpose and means of processing data*. In practical language: whoever collects, processes, uses, or maintains the data.
2. **Who is the information subject (信息主体)?** The party *about whom* the information being captured as data relates. Importantly, NDA's "information subject" is **not** limited to natural persons. In the PIPL context the corresponding term — personal-information subject — is a natural person. NDA's broader "information subject" category extends to corporate entities whose business activities give rise to data.

The information subject vs. data processor distinction is the principal axis along which the property-rights regime allocates rights and entitlements.

## NDA's farm-equipment hypothetical

A farm rents equipment from three vendors:

- **Company A** supplies the tilling equipment.
- **Company B** supplies the irrigation equipment.
- **Company C** supplies the fertilizer equipment.

In the course of operations, the equipment captures cultivation data — tilling depth, water flow rates, fertilizer composition, growing-cycle timing, output metrics, etc. The data flows back to whichever party's sensors captured it.

Two parties want to extract analytical value from the cultivation data:

- The **farmer** wants to analyze the cultivation data to improve growing efficiency.
- **Companies A, B, and C** each want to analyze the cultivation data captured by their equipment to improve their product designs.

NDA's question: how do the three rights get allocated?

### Step 1 — Identify the data processor for each data stream

The data processor for each data stream is the party whose system collects, stores, and is in a position to independently determine the purpose and means of processing.

- The data captured by Company A's tilling equipment, flowing to Company A's back-end: Company A is the data processor for that stream.
- Similarly for Companies B and C, each for the data their equipment captures.
- If the farm's own monitoring systems independently capture cultivation data on the farm's servers, the farm is the data processor for that stream.

In NDA's other illustration — the e-commerce platform — the platform captures the transaction data, decides how it's stored and used, and is the data processor; the consumer and merchant transacting on the platform are the information subjects (the parties about whose activity the data is generated).

In a third illustration — a manufacturer purchases industrial equipment from a vendor and authorizes the vendor to remotely capture equipment operational data for remote-O&M (远程运维) purposes — the manufacturer's business activity generates the data; the manufacturer is the information subject, and the vendor (who decides the means of processing under the authorization) is the data processor.
### Step 2 — Default rights allocation

The three-rights regime, NDA explains, sits at the intersection of two structural realities:

- **Data could not exist without information subjects.** Without the farm's actual cultivation activity, there is nothing for the equipment to capture.
- **Data could not exist without the data processor's investment.** Labor, capital, and technical expertise are required to build the sensors, store the data, and process it into something usable.

The regime balances these by allocating **the three property rights (hold / use / operate) by default to the data processor**, while preserving for the information subject **the right to obtain or copy** the relevant data on the basis of a civil-law contract.

NDA's articulation:

- **Data processors** — for data they collect or generate in their own business activities, or in business activities they jointly participate in, on a basis that does not violate laws or contract terms — **hold the rights to hold, use, and operate** that data.
- **Information subjects** — under civil-law contractual authorizations to others to collect data generated by their participation — **have the right to obtain or copy and transfer** the relevant data.

So in the farm hypothetical: Companies A, B, and C, as data processors for the streams their equipment captures, hold by default the three property rights to that data. The farm, as the information subject whose cultivation activity generated the data, has by default the right to obtain or copy and transfer the cultivation data from each of Companies A, B, and C.

## The asymmetry: why data processors get more than information subjects

NDA is explicit about why the default allocation favors the data processor.

- **Incentive alignment.** The data processor is the party most motivated to invest in development and commercialization. Allocating the use and operating rights to them aligns the regime with the party best positioned to extract value.
- **Protection focus.** The data processor's interest is economic (deriving income from use). The information subject's interest is closer to privacy and trade-secret protection. Distinct interests warrant distinct protection mechanisms.
- **Existing protection gaps.** Personal-information subjects are already protected by PIPL. Corporate-entity information subjects (the farm in NDA's hypothetical; the merchant on the e-commerce platform; the manufacturer in the industrial-equipment scenario) had no analogous protection framework before the Data 20 Articles. The right to obtain or copy the data **fills that gap** — giving corporate information subjects a defined entitlement they previously lacked.

The third point is the structurally novel one. NDA acknowledges that the relevant practical scenario is the **merchant operating across multiple e-commerce platforms** — the merchant's operating data is fragmented across platforms, the merchant wants to consolidate to optimize its strategy, and historically no clear legal right entitled the merchant to demand consolidated copies. The Data 20 Articles regime now contemplates such a right, exercisable on the basis of a civil-law contract between the information subject and the data processor.

## What this means in transactional vocabulary

The default allocation can be modified by contract. Three contracting patterns are particularly important for overseas counsel.

**Pattern 1 — Allocate use or operating rights to the information subject.** The default is that the data processor holds use and operating rights. But the parties can contract for the information subject to also hold a use right (e.g., the farm gets to use the cultivation data Company A captures), or even an operating right (e.g., the farm gets to commercialize the cultivation data). This is essentially a license grant in the opposite direction — and is becoming a common term in Chinese supplier-data agreements.
**Pattern 2 — Joint-rights allocation in data-fusion arrangements.** Where multiple parties co-create a derivative data set (e.g., Companies A, B, and C jointly analyze cultivation data with the farm to produce a fused agronomic-optimization data set), the parties can contract for joint holding, joint use, and either joint or single-party operating rights. The first NDA interpretation flagged this as a key mode of arrangement; the second explains why each party has independent contractual standing to negotiate (because each has, in the underlying data, *either* information-subject rights or data-processor rights).

**Pattern 3 — Strengthening the information subject's access entitlement.** Counter-intuitively for overseas counsel familiar with GDPR's "data portability" right, the equivalent right in the Chinese commercial regime is *contractual, not statutory* for non-personal data. To make it enforceable, the parties have to specify it. Information subjects (especially corporate counterparties with significant data generation) increasingly negotiate explicit access, copy, and porting terms into contracts with data processors. Overseas teams contracting with Chinese counterparties as either side of this relationship should expect the right to be a negotiated term, not a baseline.

## How this connects to PIPL

For data containing personal information, the PIPL regime applies in parallel and takes precedence on PI questions. NDA's data-processor allocation regime explicitly references PIPL by analogy when defining "data processor." Two clarifications matter:

- **The PIPL personal-information processor (个人信息处理者) is a subset of NDA's data processor (数据处理者).** The PIPL term applies only where the data being processed is personal information. NDA's broader term extends to all data, including industrial, commercial, and non-PI data.
- **PIPL Article 45 — the individual's right to copy and transfer personal information — is the personal-data analogue of the Data 20 Articles' broader "right to obtain or copy" for information subjects.** The Data 20 framework extends the conceptual shape of the Article 45 right beyond personal data and beyond natural-person subjects.

The architecture is becoming clearer with each NDA interpretation: a **PI-centric regime under PIPL** for personal data, layered with a **property-rights-centric regime under the Data 20 Articles** for the broader data-element category, with the two regimes intersecting where data contains personal information.

## What this tells overseas compliance teams

- **Run the data-processor / information-subject classification before any rights allocation.** Both as a counterparty diligence step (for any Chinese data-collaboration arrangement) and internally (to map which Chinese affiliates are processors vs. subjects with respect to which data sets).
- **The default is data-processor-favorable; the contract is where information subjects claw rights back.** Chinese data-supplier contracts should be reviewed for default allocations and explicit information-subject-access terms. Where the multinational is the information subject, the access term is the principal practical lever for retaining control over data generated by its operations.
- **Corporate "data portability" is the under-recognized right in this regime.** Western practice tends to think of data portability as a personal-data right. The Data 20 Articles regime generalizes it to corporate information subjects — and creates a contracting and disputes vector for corporate parties to demand copies of operational data held by their suppliers, platforms, and counterparties. Watch for this to grow into the dominant friction point in Chinese platform-supplier disputes over the next two to three years.
The deeper structural shift: where Western IP and contract law generally treat data as the property of the party that captures and processes it (custodianship plus license), the Chinese regime *acknowledges that the party generating the underlying activity has an equally legitimate claim* and creates a structural entitlement for them to obtain copies. The default still favors the data processor — but the regime is, conceptually, more balanced than the Western default. Overseas counsel structuring Chinese arrangements should price that asymmetry into the deal.

---

— *国家数据局, 政策解读 | 数据处理者的数据产权配置安排 (Policy Interpretation: Property Rights Allocation Arrangements for Data Processors), 国家数据局 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/O1hmeSC9cSbYDg5-L3mXbA)*

*Not legal advice. The above is DCC's structured summary of NDA's policy interpretation, with framing for overseas counsel; the farm-equipment hypothetical and the e-commerce / industrial-equipment illustrations are NDA's.*

---

## Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights

- Published: 2026-05-28
- Author: DCC Editorial
- Tags: data-property-rights, data-twenty, entrusted-processing, cloud, commentary
- Laws cited: data-foundation-system-opinions, civil-code-personal-info, pipl, network-data-security-regulations
- Domains: data-economy, data-security
- URL: https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights/
- Markdown: https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights.md
- Original source: https://mp.weixin.qq.com/s/CGEjaiKF7ba1Imqjl2zvjA
- Original author: 国家数据局 (National Data Administration)
- Original publication: 国家数据局 WeChat Official Account

### Description

NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.

### Body

> *Editor's Note — DCC.*
>
> The Data 20 Articles' three-rights framework leaves a tactically
> critical question unanswered in the headline text: when one entity
> outsources data storage, processing, or analysis to a service provider
> — the canonical scenario being **cloud storage**, but also BPO,
> e-government-system integrators, and analytical-services contractors —
> does the service provider acquire any of the three property rights
> over the data it touches?
>
> NDA's answer in this short interpretation is unambiguous: **no**.
> The entrusted party (受托人) does not become a "data processor" in
> the property-rights sense; it has no holding, use, or operating right
> over the data; and it specifically cannot use the data for its own
> debt repayment or bankruptcy liquidation. The reasoning anchors to
> the Civil Code's long-established contract-of-mandate rules. For
> overseas counsel structuring cloud, vendor-managed-services, and
> outsourced-analytics arrangements, this is the most useful single
> clarification yet issued on the regime.

## The scenario and the questions NDA poses

NDA opens with the operational scenarios:

- Enterprises entrusting **cloud platforms** to store their data.
- Government agencies entrusting **software companies** to develop e-government systems and perform related data processing.

It then frames three questions that arise in any such arrangement:

- How should the property rights be allocated between the principal (the entity that owns / controls the underlying data set) and the entrusted party (the service provider that touches the data)?
- Can the entrusted party, without authorization, use the principal's data for **circulation and trading** (i.e., put the data on the market on its own behalf)?
- If the entrusted party encounters **financial distress**, can it use the principal's data for **debt repayment or bankruptcy distribution** (i.e., can creditors reach the data)?

These are real and consequential questions for any multinational running cloud workloads or vendor-managed services in China.

## NDA's analysis

### The entrusted party is not a "data processor" — it is something else

NDA's analytic move is to apply the **data-processor definition** developed in the [second interpretation](/posts/nda-data-processor-property-rights-allocation/): a data processor is the party that *independently determines the purpose and means of processing*. The entrusted party (受托人), by contrast, processes the data **on the principal's instructions** — it does not independently determine purpose or means. By definition, then, *the entrusted party is not a data processor in the strict sense*.

This is the structural pivot. Because the entrusted party is not a data processor, the default three-rights allocation (which assigns hold / use / operate to the data processor) does not apply to it. It holds none of the three property rights over the data merely by virtue of touching the data in the course of performing the entrustment.
### Anchoring the conclusion to the Civil Code's contract-of-mandate rules

NDA grounds the conclusion in long-existing Chinese commercial law: the Civil Code's contract chapter (合同编) provisions on contracts of mandate (委托合同). Under the Civil Code, **property the entrusted party (mandatary) acquires in the course of executing the entrusted matter must be transferred to the principal (mandator)**. The default rule is that the entrusted party holds no proprietary entitlement to assets it touches in a fiduciary capacity for the principal.

NDA reads this principle forward into the data-element regime: "From the perspective of consistency with the Civil Code and of regulating entrusted-processing activity, where a data processor entrusts another party to process its data, the entrusted party — with respect to the original data, in-process data, and result data — does not hold the right to hold, the right to use, or the right to operate, except as otherwise provided by law or agreed in contract."

The qualifier matters: **except as otherwise provided by law or agreed in contract**. The default is no rights for the entrusted party. The principal can, by contract, grant the entrusted party specified use or operating rights (e.g., a cloud-platform contract that grants the cloud vendor the right to use anonymized telemetry for internal product improvement). But the *default* — what the regime assigns absent contractual variation — is no rights.

### The bankruptcy / debt-repayment carve-out

NDA's third question — can the entrusted party use the principal's data for **debt repayment or bankruptcy distribution** — is the most operationally consequential, and NDA's answer is the cleanest. Because the entrusted party holds no property rights over the data, **the data is not part of the entrusted party's estate**. When the entrusted party is in financial distress, its creditors cannot reach the principal's data. When the entrusted party is dissolved or enters bankruptcy, the principal's data is not subject to bankruptcy distribution — it must be returned to the principal (consistent with the Civil Code's contract-of-mandate rules).

This is the closest thing the Chinese data-element regime has to a **trust-style segregation principle** for entrusted data — and it is a clear answer to a question overseas counsel often raise when contracting with Chinese cloud vendors or BPO providers: *if my vendor goes bankrupt, what happens to my data?* NDA's answer is that the data remains the principal's; it is not pooled into the vendor's bankruptcy estate.

## The scope of the carve-out — three data states

NDA is careful to specify that the no-rights rule applies to **three data states** that arise in entrusted processing:

- **Original data (原始数据)** — what the principal hands over to the entrusted party at the start of the engagement.
- **In-process data (过程数据)** — what is generated transiently in the course of the entrusted processing (intermediate datasets, working files, temporary aggregations).
- **Result data (结果数据)** — what the processing yields as output (cleaned datasets, analytical outputs, derived data products).

All three categories fall to the principal by default. The entrusted party cannot, for example, retain "result data" as its own property on the theory that it was created by the entrusted party's work — that is *exactly* the kind of move the Civil Code's mandate rules historically prohibited in non-data contexts, and NDA confirms the same rule applies here.

The point is that derivative-data creation does not, of itself, vest property rights in the creator. If the principal's data is the input and the work is being done as entrusted processing, the output is the principal's. If the parties want a different allocation — e.g., the entrusted party should own derivative datasets it generates — the parties must say so in the contract.
## What this means in transactional vocabulary The default rule is a strong default. Where parties want to vary it, four contracting patterns are useful. **Pattern 1 — Service-provider operational rights.** Cloud and BPO vendors typically want narrow operational rights to anonymized data for internal product improvement, security analytics, and capacity planning. Under NDA's framework, those rights must be **expressly granted** by the principal; they don't arise by default. Standard cloud-vendor terms should be reviewed against this baseline. **Pattern 2 — Derivative-data IP allocation.** Where the entrusted party generates IP-protectable derivative work (analytical models, code, methodologies built on the principal's data), the default — no rights for the entrusted party — may not match commercial expectation. Parties should specify which derivative outputs belong to which party, and whether the entrusted party retains use rights to its own analytical methodology absent the underlying data. **Pattern 3 — Bankruptcy protection.** Principals should ensure that contracts with Chinese cloud and BPO vendors include **data-return on insolvency** clauses, anchored to the Civil Code contract-of-mandate framework and NDA's interpretation. The default rule favors the principal, but documenting it strengthens the principal's position in an actual bankruptcy proceeding. **Pattern 4 — Non-circulation undertakings.** Because NDA explicitly states the entrusted party cannot put the principal's data into market circulation without authorization, contracts should restate that prohibition and treat any breach as a material breach. The legal backing for the prohibition is now express — but a contractual restatement gives the principal a cleaner enforcement path. ## How this connects to PIPL's entrusted-processing rules For data containing personal information, the PIPL regime applies in parallel and is **more prescriptive** than NDA's general framework. 
PIPL Articles 21 and 59 address entrusted processing of personal information specifically: - The entrusted party may only process personal information within the agreed purpose and means. - The entrusted party must implement security measures and assist the entrusting party in complying with PIPL obligations. - The entrusted party must return or delete personal information upon completion of the entrusted matter; it may not retain it. - The entrusted party may not sub-entrust without the entrusting party's consent. NDA's framework is consistent with PIPL on entrusted processing and extends the same structural principles to **non-PI data**. Overseas teams handling mixed PI + non-PI data sets should treat PIPL's specific entrusted-processing requirements as the operational floor, with NDA's broader no-property-rights principle as the default for the non-PI components. ## What this tells overseas compliance teams - **Cloud and BPO vendors do not acquire property rights over your data by default.** Subject only to express contractual grant, the vendor has no right to hold, use, or operate your data outside the entrustment scope. This is the regulatory baseline; standard vendor terms-of-service that purport to grant the vendor broader rights (especially "we may use your data to improve our services" without scope limitation) should be negotiated against this baseline. - **Vendor insolvency does not pool your data into the vendor's estate.** The Civil Code contract-of-mandate framework, now reinforced by NDA's interpretation, segregates the principal's data from the entrusted party's estate. Build this into business-continuity and vendor-failure planning for China operations. - **Derivative outputs default to the principal, not the vendor.** Where the engagement involves analytical outputs, the default rule allocates them to you, not the vendor. If the commercial deal is otherwise, document it explicitly. 
- **PIPL's entrusted-processing rules layer on top for personal-information processing.** Where the entrustment involves PI, PIPL's more specific requirements — purpose limitation, security, return-or-deletion, no sub-entrustment without consent — apply directly. The NDA framework does not displace those; it complements them on the property-rights side. The structural picture across the three NDA interpretations is now visible: the [structural-separation principle](/posts/nda-three-rights-structural-separation/) defines the three rights; the [data-processor allocation interpretation](/posts/nda-data-processor-property-rights-allocation/) defines who holds them by default; this third interpretation carves out a class of actor (the entrusted party) that holds **none** of them despite touching the data. That carve-out is the part that protects the principal in the cloud-and-BPO supply chain — and it is the part overseas counsel will use most often in transactional negotiations. --- — *国家数据局, 政策解读 | 数据委托处理情形中的产权配置 (Policy Interpretation: Property Rights Allocation in Entrusted Data Processing Scenarios), 国家数据局 WeChat Official Account. [Original article (Chinese).](https://mp.weixin.qq.com/s/CGEjaiKF7ba1Imqjl2zvjA)* *Not legal advice. 
The above is DCC's structured summary of NDA's policy interpretation, with framing for overseas counsel; the cloud / e-government scenarios and the Civil Code contract-of-mandate anchoring are NDA's.* --- ## 'Important Data' Is a Category, Not a Tier - Published: 2026-05-04 - Author: DCC Editorial - Tags: important-data, dsl, commentary, data-classification - Laws cited: dsl, pipl - Domains: data-security, cross-border - URL: https://datacompliancechina.com/posts/important-data-category-not-tier/ - Markdown: https://datacompliancechina.com/posts/important-data-category-not-tier.md - Original source: https://mp.weixin.qq.com/s/RmrIs3PZnEHkGsMl3vlutg - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese data-protection law — a scholar with policy proximity to the regulators who write the rules he comments on, and an unusually careful writer. When he picks a fight inside the Chinese data-compliance discourse, the fight is almost always conceptual rather than tactical. > > This essay is a fight. Hong argues that the mainstream Chinese reading of Article 21 of the Data Security Law — the article that establishes the "data classification and grading" regime — has been confused from the start. *Important data*, he says, is not a high rung on a ladder running from general data to important data to core data. It is a separate category, identified by the legal interest at stake, and the difference matters in ways that affect cross-border transfer, enforcement, and how PIPL and DSL stack on each other. 
> > We rewrote rather than literally translated his essay because the conceptual move he is making is exactly the kind of thing that gets lost in plain rendering but reshapes how an overseas compliance reader should understand a regime they thought they knew. China's Data Security Law, in force since September 2021, is approaching its fifth anniversary. By now, anyone working on cross-border data has met the phrase "data classification and grading" (数据分类分级). It is the foundational concept of Article 21 of the DSL, the article on which the security assessment, the *important data* identification catalogues, and the localization rules all rest. There is a standard way Chinese practitioners describe this regime. Data sits on a ladder. At the bottom is *general data* (一般数据), governed only by ordinary cybersecurity hygiene. Above it is *important data* (重要数据), which triggers heavier obligations, including the cross-border transfer security assessment. At the top is *core data* (核心数据), reserved for things that touch national security. The higher the rung, the stricter the rules. Hong Yanqing thinks this picture is wrong, and he has been writing about it for years. In a May 4, 2026 essay on his WeChat channel 网安寻路人, Hong returns to a fight he has flagged before: **important data is a *category*, not a *tier*.** It is identified by what legal interest it implicates, not by where it sits on a severity scale. The mainstream account, Hong argues, makes a conceptual error at the very start of the data-classification regime, and that error then propagates into every downstream rule. This sounds like word-play, until you trace it through. ## Why category-vs-tier isn't word-play Start with the most operational consequence. If *important data* is a tier, the level you get when data is "more sensitive than the ordinary kind", then its status depends on the comparison set. A dataset can be a high tier inside enterprise A and a low tier inside enterprise B. 
It can be top-tier in the financial sector and unremarkable in retail. As the data flows across owners or industries, its grade shifts with the surrounding population. For a state-level regulatory regime, Hong argues, that is a disaster. The whole point of identifying *important data* is to attach a *stable regulatory identity* to it — one that travels with the data across owners, across industries, across borders. If the identity floats with each new holder's internal sensitivity grading, the regulator loses the unified handle it needs. If *important data* is a category — identified by the legal interest the data touches, not by where it ranks in someone's filing cabinet — the identity sticks. A dataset that materially affects public health and safety is important data whether it sits at a hospital, a research institute, or a third-party cloud provider. The only thing that can change its status is a material change in its risk profile — anonymization, de-identification, splitting, aggregation that increases risk — not a transfer from one filer's hands to another's. The practical consequences for overseas compliance teams are at least these two: First, **enterprise self-grading is not a way out.** Under tier-thinking, an overseas company facing an outbound-data-transfer obligation might be tempted to argue: "We classify this dataset as internal-use-only, so it's not in our top tier — therefore not important data." Hong's view says this argument is structurally wrong. The data is *important data* if it touches the relevant public legal interest. Your internal grading does not dispose of that question; at best it reflects how *you* have chosen to protect what the state has already identified. Second, **important-data status doesn't dissolve at the border.** Once a dataset has been identified as important data inside China, that identity follows it through downstream transfers — including overseas ones. 
This is the conceptual basis for the persistence of the cross-border transfer regime. ## The three-segment conceptual order The technical core of the essay is a three-segment ordering of the concepts Chinese practitioners have been conflating: 1. **Interest-based category (法益型类别).** This is the true regulatory classification. It answers the question: *what legal interest does this data implicate, and does that interest require state-level protection?* Personal information implicates personal dignity and informational rights. Important data implicates public interest, economic operation, public health, social stability. Core data implicates national core interests — state security, the lifeline economy, major public welfare. These are different interests, not three rungs on the same ladder. 2. **Business-process classification (业务流程分类).** This is the operational tool enterprises use to organize their data — R&D data, production data, customer data, transaction data, log data. It is essential for asset inventory, access control, and lifecycle management. But it is *not* a regulatory classification. The label "R&D data" does not tell you whether the data is a trade secret, a state secret, personal information, or important data. It only tells you which department generates it. 3. **Tiering (分级).** This is the protection-strength configuration. *Given* that data has been identified as belonging to a regulatory category, how heavily should it be protected? Inside an enterprise this shows up as access levels, encryption requirements, audit frequency. In state regulation it shows up as security-assessment requirements, security review, localization mandates. Tiering comes *after* category identification — and it does not retroactively define what the category means. The mistake Hong attributes to the mainstream is the collapse of these three layers into one. The phrase 分类分级 ("classification and grading") gets used as a single compound operation. 
Enterprise asset-inventory thinking gets imported into state-level legal-interest identification. Operational language migrates into the legal-interest layer where it does not belong. ## What the reframing fixes Several familiar confusions become tractable once the layers are separated. **The "upgrading" fallacy.** Practitioners often say that "mass personal information can upgrade to important data" (海量个人信息升格为重要数据). On a tier reading, *upgrade* suggests the data leaves its old identity behind. Under PIPL, that would be alarming — does the personal-information regime no longer apply? On Hong's reading, the dataset does not *upgrade* — it *gains a second identity*. The personal-information regime continues to apply (because the data still identifies natural persons). The important-data regime *also* applies (because the dataset, at scale and granularity, now implicates public interest). Both regimes stack. Conflicts get resolved by familiar principles — specialty, the stricter rule, purpose limitation, minimum necessary — not by one identity displacing the other. **Sensitive personal information is not a parallel category.** It is a sub-state inside the personal-information category, with intensified handling rules. Same legal interest, stricter protection. Calling it a separate category at the same level as personal information is grammatical drift, not conceptual structure. **"CII-related data" is not a freestanding category.** Hong is firm on this point. Treating "data related to critical information infrastructure" as a regulatory category in its own right confuses a context label with a legal interest. The relationship to CII is a flag — useful for identifying *which* data within a CIIO's holdings might rise to *important data* or *core data*. It is not itself the category. **"General data" is the residual, not a parallel category.** It is the residual space of data that no specific regulatory category has captured. 
It can still be protected — by contract, by tort, by unfair-competition law, by ordinary cybersecurity duties — but not by the Article 21 data-classification regime. ## How to read the standards Hong anticipates the obvious objection. China's national standards, and a great deal of industry guidance, *already* talk about core / important / general data as "levels." Doesn't the current standard text sink his argument? His answer is patient. Standards are engineering documents. Their job is to make a legal regime operable for enterprises — to give them something to put into a spreadsheet, a control matrix, an audit checklist. Using the language of "levels" is convenient because it maps to existing internal-control vocabulary. But engineering convenience is not legal definition. The legal definition has to do the work of identifying a *legal interest*, not just signalling *severity*. Standards can keep their level-language as a shorthand; the underlying concept is still a set of categories. The implication for overseas readers: when a Chinese standard or sector catalogue renders important data as a tier, treat it as serving an operational purpose — not as the last word on the concept's legal content. ## Why an overseas compliance reader should care For overseas counsel and compliance teams the practical takeaways are roughly these: - **Don't expect enterprise-level grading to control regulatory status.** Whether a dataset is *important data* is a question of legal interest, not of internal sensitivity ranking. You cannot grade your way out of an obligation that attaches by law. - **Expect overlap, not replacement.** When a personal-information dataset reaches scale, expect PIPL and DSL regimes to apply *together*. Neither one swallows the other. - **Read sector catalogues as inventories, not as definitions.** The *important data* catalogues that industry regulators publish are mediators. 
They help identify which data, in a given sector, belongs to the important-data category. They do not independently constitute the category. - **Expect cross-border persistence.** Once data is identified as important data, the identity follows it. The point of the regime is precisely *not* to let identity drift across borders or across owners. The deeper point in Hong's essay — and the reason it is worth a careful read — is methodological. The Chinese data-protection regime is sometimes treated by overseas observers as a translation of GDPR with Chinese characteristics. It is not. The conceptual primitives are different. Where GDPR centers on the *data subject* and the rights they hold, Hong's reconstruction centers on the *legal interest* the state is protecting. Personal information, important data, and core data are categories carved out by different legal interests — not points on a single severity scale, and not analogues of GDPR's personal-data tiers. The category-vs-tier distinction is just the most concrete example of why importing GDPR's conceptual furniture into the Chinese regime is not a safe shortcut. --- — Hong Yanqing, *Reconsidering the Nature of Important Data: Category vs. Tier* (重要数据性质的再认识:级别概念 vs. 类别概念), 网安寻路人 WeChat Official Account, May 4, 2026. 
[Original article.](https://mp.weixin.qq.com/s/RmrIs3PZnEHkGsMl3vlutg) *Not legal advice.* --- ## Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export - Published: 2026-04-28 - Author: DCC Editorial - Tags: foreign-investment-security-review, manus, ai-agent, cross-border, commentary - Laws cited: pipl, dsl, data-export-security-assessment-measures, foreign-investment-security-review-measures - Domains: cross-border, ai-governance, cybersecurity-review - URL: https://datacompliancechina.com/posts/manus-foreign-investment-security-review/ - Markdown: https://datacompliancechina.com/posts/manus-foreign-investment-security-review.md - Original source: https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw - Original author: 洪延青 - Original publication: 网安寻路人 ### Description Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese > data-protection law. His commentary often focuses on conceptual structure — > what regime applies, why it applies, what it can and cannot do. When the > Chinese state acts, Hong's habit is to read the regulator's choice of > pathway rather than just the outcome. > > On April 27, 2026, the NDRC's Foreign Investment Security Review Office > banned an unnamed foreign acquirer — widely reported to be Meta — from > acquiring "the Manus project" and ordered the parties to unwind the > transaction. The official announcement was one sentence. No transaction > structure, no reasoning, no remedies specified. Most overseas commentary > read this as a geopolitical signal. 
Hong reads it as a > regulatory-architecture signal — and finds the *choice of pathway*, not the > outcome, to be the more important story. > > We rewrote rather than literally translated his analysis because the > framing he uses — "capability-level" versus "transaction-level" regulation — > is exactly the kind of reframing that gets lost in plain rendering but > reshapes how an overseas compliance reader should understand China's > emerging cross-border M&A regime for frontier technologies. On April 27, 2026, an unusually terse one-sentence notice appeared on the National Development and Reform Commission's website. The NDRC's Foreign Investment Security Review Office had banned an unnamed foreign acquirer from acquiring "the Manus project" (Manus 项目) and ordered the parties to unwind the transaction. That was the entire announcement. No transaction structure. No reasoning. No remedial measures specified. Just the decision. Manus is an AI Agent — not a chatbot but a system that plans tasks, calls tools, generates code, conducts market research, builds applications, and operates browser and local computing environments. Its corporate parent at the time of the deal was a Singapore entity, Butterfly Effect Pte, but the project traces back to a Beijing-registered entity. By the acquirer's public account, the post-acquisition plan was for Manus to discontinue operations in China. Most overseas commentary treated the decision as a geopolitical signal — China blocking a Big Tech acquisition. Hong Yanqing, in an April 28 analysis on his WeChat channel 网安寻路人, treats it as something more specific: a regulatory-architecture signal. The question he asks is not *whether* the deal should have been blocked, but *how* — through which regulatory regime. The choice, Hong argues, matters enormously. The Manus deal could plausibly have been routed through at least three different regulatory pathways. 
The one Beijing chose — Foreign Investment Security Review — signals that China's regulators have rewritten the conceptual frame for handling cross-border transactions in frontier-technology projects. ## Three pathways, three different theories of what is at risk Hong walks through the three plausible regulatory routes and what each can and cannot do. **Technology Import/Export Management.** Under the Regulations on the Administration of Technology Import and Export and the Catalogue of Technologies Prohibited or Restricted from Export, regulators can control the transfer of specific technologies, technical secrets, patent licenses, technical services, and engineering documentation. The protected interest is *the order of technology flows* and national economic-technological interests. The granularity is technology-item-level — which specific technology, is it on a prohibited or restricted list, has it been properly licensed, has it been illegally exported. Routing Manus through this regime, Hong notes, would have focused on the Agent orchestration framework, the browser-operation modules, the tool-invocation system, the model-tuning methodology, the evaluation system, the source code — examining for each whether it was formed in China, whether it was transferred through relocation, code sync, licensing, or service, and whether the transfer required an export licence. But technology-export rules are best suited to *specific technology objects in transit*, not to a wholesale capability being absorbed. An AI Agent's core value rarely sits in a single patent or a single code file. It sits in team know-how, engineering systems, evaluation pipelines, product-iteration capacity, and future research direction — things that keep migrating through people, organizations, processes, and ongoing collaboration. Hard to enumerate. Hard to catalog. Technology-export rules catch what passes through a gate; the gate is not where the loss is happening. 
**Data Export Security.** Under DSL, PIPL, and the cross-border data-transfer regime, regulators can control the export of personal information and important data. The protected interest is the security of personal information, the security of important data, and the orderliness of cross-border data flows. The granularity is data-level — which data, was it collected in domestic operations, is it personal information or important data, has it cleared the security assessment or standard contract pathway. But Manus did not primarily serve the Chinese public. Without a substantial body of domestic user data, the data-export pathway can only address residual traces — historical beta data, R&D data, employee debugging data, Chinese-language evaluation samples, early PoC data. Useful as a supplementary route, perhaps, but not the spine of the case. The deeper problem, Hong notes, is that AI-system data risk is *derivative*: data that has flowed into model fine-tuning, evaluation pipelines, agent strategies, or tool-invocation flows no longer exists as a discrete, identifiable file you can ask someone to delete. The remedy in such cases is not to "delete data" — it is to identify and dispose of the model versions, agent components, evaluation systems, and derivative outputs that bear the imprint of China-origin data, code, or technical assistance. That is not a data-export problem any more. **Foreign Investment Security Review.** Under the Foreign Investment Security Review Measures, regulators can review foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors — direct or indirect. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. 
The legal test is *actual control* — defined broadly to include not just over-50-percent equity, but voting-share thresholds and "other circumstances that can materially influence operational decisions, personnel, finance, or technology." The protected interest under FISR is not a single technology or a single dataset. It is *control of key sectors* and the security of national capability as a whole. The granularity is capability-level — after the deal closes, who controls this technology project, this team, this R&D direction, this industrial capacity. This, Hong argues, is the heart of the Manus case. ## From transaction-level to capability-level The Manus risk Hong identifies has three components, and none of them is captured well by the first two regimes. First, the transaction would have moved a China-origin technology asset in the general AI Agent space wholesale into a foreign tech ecosystem. Second, it would have absorbed the core R&D personnel, engineering systems, and product team into a foreign company's structure. Reuters reported that some Manus employees had already moved into the acquirer's Singapore office, with the project still being pushed forward. Whatever the individual founder's arrangement, the team- and project-level integration was already advanced enough that the acquisition was not of a discrete software product but of an ongoing, evolving research-and-development capability. Third, it would have placed Manus's future technology roadmap, product direction, and commercial path under the acquirer's control. In AI Agent development, Hong notes, competition is not a one-time delivery — it is continuous iteration. Whoever controls team, compute, capital, product surface, and global distribution channels controls the direction in which the capability evolves. The three regimes answer three different questions. 
Technology export answers *did technology cross a border?* Data export answers *did data cross a border?* Only Foreign Investment Security Review answers *did a capability come under foreign control?* By routing Manus to FISR, Hong argues, the regulator made a paradigm choice. The regulatory object has shifted from *single technology flow* to *frontier capability ownership*. ## The Singapore problem — and the look-through answer There is an obvious legal-technical problem with using FISR here. The acquirer formally bought a Singapore entity (Butterfly Effect Pte), not a Chinese company. Article 2 of the FISR Measures applies to investment "within China." How does it bite on an offshore equity deal? This is the heart of the *zǒu chū qù Xīnjiāpō* — "leave for Singapore" — strategy that has become common for Chinese tech founders thinking about overseas capital: relocate the registered entity, operations, IP, and core personnel offshore first, then have a foreign investor acquire the offshore vehicle. The argument is that the subsequent capital transaction sits outside the Chinese foreign-investment security regime. The Manus decision suggests the Chinese regulator did not stop at registered location. Hong's read of the analytical method is a "look-through" test, asking: - Where was the core technology formed? - Where did the core R&D team complete primary development? - Did the IP, code, model components, technical documentation, and evaluation systems sit at any point with a Chinese-domiciled entity? - Are the Singapore relocation and the subsequent acquisition coordinated arrangements — coupled in time and purpose? - Does the offshore equity transaction substantively transfer control of the China-origin key technology project? A scholar Hong quotes, Cui Fan of the University of International Business and Economics, sketches the technical mechanism. 
Manus's onshore Beijing entity is held through a domestic WFOE ("Red Butterfly"), which is contractually controlled by an offshore VIE structure that goes Hong Kong → Cayman. The Cayman entity's shareholders are the founders plus the past investment rounds. When the foreign acquirer purchases the Cayman vehicle, the ultimate controller of Red Butterfly changes — and under the Foreign Investment Enterprise Information Reporting System, that is a *mandatory reportable material change*. The regulator does not need a Chinese-counterparty equity deal in order to have jurisdiction. The change in ultimate control of a contractually controlled onshore entity is enough. Worth noting too: the NDRC announcement used the phrase "Manus project" (Manus 项目), not "a certain Singapore company." The "project" framing is deliberate. It treats Manus as a composite of technology, team, IP, code, product, and commercial arrangements rather than as a single registered legal entity. The regulator declined to limit the inquiry to corporate form. ## What "eliminating the impact on national security" looks like If the deal had been routed through technology export, the toolbox would have been about disposing of specific technology assets — classification, licensing, contract registration, halting unauthorized transfers, recalling or sealing technical materials. If it had been routed through data export, the toolbox would have been about controlling data flows — localization, security assessment, standard contracts, deletion of non-compliant exports. Because it was routed through FISR, the toolbox is about *unwinding control*. Hong walks through what a credible remedy package would look like: - **Unwind the transaction and restore the pre-deal state.** Rescind the acquisition; refund payments; restore pre-deal equity, governance, and voting arrangements; cancel board seats, observer rights, vetoes, options, convertibles, and side letters that could constitute disguised control. 
- **Strip de facto control.** Even if the equity layer is unwound, check whether the acquirer retains effective control through management agreements, technology-integration contracts, exclusive partnerships, cloud-infrastructure dependencies, code-repository permissions, model-repository permissions, sysadmin permissions, or product-roadmap authority. FISR is not about paper equity; it is about actual control.
- **Build a China-origin controlled-asset inventory.** The inventory should include core code, the Agent planner, tool-invocation frameworks, browser-operation modules, sandbox environments, model components, fine-tuning data, evaluation systems, technical documentation, product roadmaps, internal experiment records, Chinese-language task samples, early PoC data, and engineering know-how. Without such an inventory, "restoration" and "elimination of impact" cannot meaningfully be carried out or audited.
- **Disable, roll back, retrain, or clean-room rebuild contaminated models.** This is Hong's most novel point. In an AI-system context, it is not realistic to "precisely delete" specific data from a trained model's parameters. The credible remedy is to identify the model versions, agent components, workflow templates, evaluation systems, and product features that were influenced by China-origin controlled assets, and to disable, roll back, retrain, or clean-room rebuild them. The acquirer can keep developing its own AI Agent. It cannot use Manus's China-origin controlled assets as a shortcut.
- **Separate personnel from controlled technical assistance.** Hong distinguishes carefully between *restricting personnel mobility* — which he views as likely overreach — and *restricting controlled technical assistance*, which he views as appropriate. The remedy should not be that founders cannot join the acquirer; it should be that they cannot supply the acquirer with non-public code walkthroughs, architecture migrations, model-tuning training, evaluation-system reproduction, or product-integration assistance, and that personnel already at the acquirer cannot continue accessing Manus's China-origin controlled assets.
- **Independent technical audit and ongoing supervision.** Company self-certification is not enough. The remedy should require independent technical audits of equity arrangements, contracts, code repositories, model repositories, cloud resources, access logs, Git commit histories, documentation systems, personnel training records, and product integration — verifying that what looks unwound on paper has in fact been unwound in operations.

## Why this matters for overseas counsel

For practitioners advising on cross-border technology investment into or out of China, the Manus decision carries several immediate practical implications.

- **Registration location is not the end of the analysis.** A clean Singapore (or Cayman, or BVI) corporate structure does not, by itself, place a transaction outside the reach of Chinese foreign-investment security review. The regulator will look through to where the technology was formed, where the R&D happened, how the IP moved, and whether the offshore restructuring and the acquisition form a coordinated whole.
- **AI Agent and other "frontier capability" deals are now squarely within the FISR scope.** The regulator's choice of pathway tells you which objects it considers worth protecting. Frontier AI capability is now one of them.
- **Expect remedies to focus on control, not on code transfer.** If a deal is challenged, the remedies will be drafted to unwind control — including remedies such as model rollback and clean-room rebuild that have no precedent in the technology-export or data-export toolkits.
- **The "project" framing widens the universe.** When the regulator analyzes the object of a transaction as a project rather than as a registered entity, the universe of touchpoints expands. Contracts, personnel, repositories, cloud arrangements, and evaluation pipelines all become part of the object under review.

Hong's framing — *where this capability came from, where it is going, and who will ultimately control it* — is the question overseas advisors will need to answer before transactions, not after a regulator's one-sentence decision.

---

— Hong Yanqing, *Manus 案的监管范式选择:为什么是外商投资安全审查?* (The Choice of Regulatory Paradigm in the Manus Case: Why Foreign Investment Security Review?), 网安寻路人 WeChat Official Account, April 28, 2026. [Original article.](https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw)

*Not legal advice.*

---

## Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative

- Published: 2026-04-24
- Author: DCC Editorial
- Tags: tokens, ai-training-data, data-trading, national-data-administration, commentary
- Laws cited: data-foundation-system-opinions, common-data-terms-batch-1, common-data-terms-batch-2
- Domains: data-economy, ai-governance
- URL: https://datacompliancechina.com/posts/qinglan-token-trading-cold-water/
- Markdown: https://datacompliancechina.com/posts/qinglan-token-trading-cold-water.md
- Original source: https://mp.weixin.qq.com/s/0Nbcam7GbrYx8d31JmTGGA
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

In March 2026, the National Data Administration released the *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)*, which explores a 'token (词元) based value system' and 'token trading as a new transaction mode' for high-quality data sets. The Chinese AI policy community immediately heralded the move as 'revolutionizing data trading.'
Wang Qinglan pours cold water: token is a measuring unit, not a magic transformer. AI tokens are not crypto tokens. The bottleneck in China's data-element market isn't measurement — it's supply, rights clarity, compliance cost, and data silos.

### Body

> *Editor's Note — DCC.*
>
> In March 2026, the National Data Administration released the *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)*, introducing "token (词元) based value system" and "token trading" as exploratory concepts. Chinese AI policy commentary immediately escalated: token trading would "revolutionize" data trading, "subvert digital economy rules," "reconstruct value systems." Wang Qinglan — head of compliance at a Chinese data exchange and one of the closer observers of the data-element market — pushed back. This brief tracks her argument. DCC's framing emphasizes the policy context for overseas readers who see this concept appearing in Chinese policy documents and need to understand what it actually means.

## First — AI tokens are not crypto tokens

The piece opens with a disambiguation that overseas readers in particular need. The word "token" in Chinese AI policy refers to the **AI processing unit** — the unit by which large language models segment text for processing. *Not* the crypto-asset *Token* that can be traded, hoarded, and speculated on. The official Chinese rendering, **词元** (literally, "word element"), was formally adopted by the National Data Administration in March 2026.

Wang's clean separation:

- **AI tokens (词元)** = a measuring unit for AI compute consumption. Analogous to *kWh* for electricity, *gallons* for water, or *gigabytes* for data transmission. AI service providers charge by token consumed.
- **Crypto tokens (通证)** = digital assets. Can be bought, sold, and speculated on. Subject to crypto-market dynamics — completely unrelated to AI.

If a reader confuses the two, the entire token trading discussion becomes incoherent. Wang's first move is to insist on the distinction.

## The NDA's March 2026 policy move

The *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)* (March 2026) introduces two notable phrases:

> *"Explore a token (词元) based value system."*
>
> *"Explore new transaction modes such as token trading, building a quantifiable, priceable data set value system based on tokens."*

The doctrinal move: extending the role of tokens from *AI compute pricing* (output side) to *data set pricing* (input side). The reasoning: if AI consumes data measured in tokens, perhaps the data sets it consumes should also be priced in tokens.

Wang's analogy: "previously, 'kilograms' was just a unit the mill used to charge for processing. Now someone proposes using kilograms to *sell the wheat itself.*"

In principle, the move is reasonable. In practice, it conflates different problems.

## The scale metaphor

Wang's central conceptual move: **the token is a scale, not a transformer**.

The scale weighs things. It can weigh wheat (raw data), flour (processed data resources), and cakes (refined data products). But:

- A scale doesn't grow more wheat.
- A scale doesn't change the quality of the flour.
- A scale doesn't make cakes appear from the oven.

It just measures. This is the lens Wang applies to the over-claims about token trading.

## Three over-claims and their flaws

### Over-claim 1 — "Token trading will revolutionize data trading"

The claim: token-based pricing creates a unified standard for the data market, making everything more efficient and transparent — *revolutionizing* the market.

Wang's response: a more precise scale does help, *but only for standardized goods*. Token-based pricing makes sense for *standardized AI training data sets* — the equivalent of *flour, a homogeneous commodity that can be sold by weight*.

But the data market is bigger than that. It also includes:

- **Raw data** — wheat. Token pricing is wrong; raw data is sold by other dimensions.
- **Deeply processed data products** — cakes and pastries. Industry insight reports, market analytics, custom data products. These are priced by *creativity, brand, scarcity, and value*, not by *weight*.

A scale that can only measure flour, applied to wheat and cakes, distorts pricing. *"Revolutionizing data trading" is overreach.*

### Over-claim 2 — "Token-based pricing solves the data-element market"

The claim: with token-based pricing, the data-element market will function.

Wang's response: the bottleneck isn't measurement. *"What is China's biggest data-trading-market problem today? A missing scale? A missing unit? No."*

The real bottlenecks:

- **Insufficient high-quality data supply.** The shelves are nearly empty.
- **Unclear data rights attribution.** Buyers don't trust they can use what they buy.
- **High compliance cost.** Risk-averse sellers hold back.
- **Data silos.** Data that exists isn't shared.

A more precise scale doesn't solve any of these. *"Like giving a starving restaurant a more elegant spoon and claiming it will revolutionize the food industry."*

### Over-claim 3 — "AI's token algorithm transfers directly to data trading"

The claim: AI's token-counting method should be the basis for data trading pricing.

Wang's response: AI tokens are not language-neutral. They're optimized for the AI's compute efficiency — high-frequency word combinations merge into single tokens; low-frequency characters split into multiple tokens. The consequence:

- A given semantic unit in English typically requires ~80 tokens.
- The same semantic unit in Chinese requires ~120–150 tokens.
- Lower-frequency languages can double or triple the count.

If AI's token algorithm becomes the basis for data set pricing, **language difference, not data value, determines price**. A 1,000-token Chinese data set would be objectively worth less in token terms than a 1,000-token English data set — even if the Chinese data set is more valuable in content.

The fix would require a *new* tokenization algorithm specifically for data-set pricing, decoupled from AI compute optimization. The NDA's draft doesn't yet specify what that algorithm would look like.

## What Wang's piece doesn't say but DCC notes

The 国家数据局 (NDA) policy move is, on its own, not unreasonable. There IS a real benefit to having a unit of account for AI training data sets. Standardization helps. The criticism Wang directs is *not* at the NDA's policy — it's at the *secondary commentary* claiming token trading will revolutionize the market.

In DCC's reading, this is a useful primer for overseas observers because:

- The "token trading" concept will appear in Chinese AI policy discussions for the next 12–24 months. Foreign readers need a sober framing.
- The conflation of AI tokens and crypto tokens is real — and is being deliberately exploited by some commentators to attract attention.
- The bottleneck Wang identifies — **high-quality data supply**, **rights clarity**, **compliance cost**, **data silos** — is the genuine constraint on the Chinese data-element market. Foreign teams advising on Chinese data deals should focus on these problems, not on the token trading hype.

## Why this matters for overseas teams

Three operational takeaways:

- **The "high-quality industry data set" framework is real and matters.** The NDA's draft Implementation Plan is the real policy direction — token trading is just one (overhyped) element of it. The plan's emphasis on industry-specific high-quality data sets, with standardized formats and quality, is the operational lever that will shape Chinese AI data supply over the next 2–3 years. Multinational AI providers active in China should align with the high-quality data set standards as they emerge.
- **Token trading is a unit of account, not a market revolution.** When evaluating Chinese partner pitches that invoke "token trading," strip out the hype. The token is a measuring unit. The question for the deal is the same as it was before: what data is being acquired, what rights attach to it, what compliance has been done. Token-pricing is downstream of those questions, not a substitute for them.
- **The four real bottlenecks are the operational risk map.** *Insufficient high-quality data supply* — sourcing risk. *Unclear data rights attribution* — title risk. *High compliance cost* — friction risk. *Data silos* — integration risk. A multinational's China data strategy will rise or fall on how it addresses these four. The token trading discourse is mostly a distraction from this map.

The deeper observation in Wang's piece is that **policy hype cycles in the Chinese data-element market need a skeptical Chinese-language voice to puncture them**. Wang plays that role within the data exchange community. For overseas readers, having access to a sober Chinese perspective — not the hype, not the foreign critic — is one of the more useful things DCC's editorial mandate is built to provide.

---

— Wang Qinglan (王青兰), *给"词元交易"泼一盆冷水* (Pouring Cold Water on "Token Trading"), 青兰数据观察 WeChat Official Account, April 24, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/0Nbcam7GbrYx8d31JmTGGA)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation.
The author's views are her own and do not represent her employer.*

---

## When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold

- Published: 2026-04-22
- Author: DCC Editorial
- Tags: criminal-liability, pipl, judicial-interpretation, mozhi-case, commentary
- Laws cited: pipl, civil-code-personal-info
- Domains: personal-information, enforcement
- URL: https://datacompliancechina.com/posts/pipl-criminal-threshold/
- Markdown: https://datacompliancechina.com/posts/pipl-criminal-threshold.md
- Original source: https://mp.weixin.qq.com/s/5tXYwpeuLqkOLqv7xfTGgg
- Original author: 洪延青
- Original publication: 网安寻路人

### Description

Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.

### Body

> *Editor's Note — DCC.*
>
> Hong Yanqing is one of the most influential voices on Chinese data-protection law. This piece is a republication on his WeChat channel 网安寻路人 of a 2023 paper he originally published in the academic journal 《数据法学》(*Data Jurisprudence*) — a journal hosted at the People's Public Security University of China. It is academic in form but practitioner in stakes.
>
> The stakes: PIPL describes administrative liability — fines, business suspensions, individual penalties. But mishandling personal information in China is also a *crime* under Article 253-1 of the Criminal Law — the offense of "infringing on citizens' personal information." Conviction can carry up to seven years' imprisonment for serious cases. The line between "administrative violation" and "criminal offense" is drawn by two elements of the crime, both of which Hong argues are dangerously underspecified. Courts have stretched both — sometimes to convict on the basis of regulations that have nothing to do with personal information protection at all.
>
> For overseas compliance teams operating in China, the practical lesson is not that the criminal line is bright. It is that it is not bright. And how Chinese courts read the two ambiguous elements is the difference between a notice of administrative penalty and a criminal docket. We rewrote rather than literally translated the paper because the core diagnostic — that the *quantitative threshold* and the *unrelated-regulation problem* both threaten the principle of legality — is exactly the kind of conceptual move that gets lost in plain rendering but reshapes how an overseas reader should weigh China's criminal-side PI exposure.

China's regime for personal information protection has two layers. The civil and administrative layer — the Civil Code and PIPL — is the layer foreign compliance teams know well. The criminal layer — Article 253-1 of the Criminal Law and the 2017 Judicial Interpretation issued jointly by the Supreme People's Court and the Supreme People's Procuratorate — is less familiar, and more consequential.

The crime is called *qīnfàn gōngmín gèrén xìnxī zuì* — the offense of "infringing on citizens' personal information." It was inserted into the Criminal Law in 2009, refined in 2015, and given a detailed implementation regime by the 2017 Judicial Interpretation. By 2023, courts had handled tens of thousands of cases under it. Maximum sentence: seven years.

The crime has six elements, but two of them carry the real weight in deciding whether a defendant goes to jail. Both, Hong Yanqing argues, are too loose to deliver legality.

## Element one — "relevant State provisions"

The first ambiguous element is what counts as "relevant State provisions" (*guójiā yǒuguān guīdìng*) — the predicate body of law that defendants must have violated.

Until 2015, the operative phrase was the narrower *guójiā guīdìng* ("State provisions"), defined in Article 96 of the Criminal Law as laws and decisions of the National People's Congress and its Standing Committee, plus regulations, administrative measures, decisions, and orders of the State Council. Departmental rules — issued by ministries — were *not* included.

The 2015 Criminal Law Amendment changed the predicate to *guójiā yǒuguān guīdìng* — adding the word *yǒuguān* ("relevant"), broadening the scope. The 2017 Judicial Interpretation went further. Under it, "relevant State provisions" includes laws, administrative regulations, *and departmental rules* (部门规章) related to personal information protection.

That expansion is the source of the trouble. Hong's critique has two strands.

**The first**: the principle of legality (*zuì xíng fǎ dìng yuán zé*) — the requirement that criminal liability be foreseeable from the statute — pushes the other way. Article 96's definition of "State provisions" is intentionally narrow, because in the Chinese legal hierarchy departmental rules can contradict each other and proliferate quickly. Using them as the predicate for criminal liability creates exactly the kind of unpredictability the legality principle is meant to prevent. Hong's read: the broader "relevant State provisions" formulation should be read *within* the framework Article 96 sets — the addition of "relevant" narrows the universe of *State provisions* to those relevant to personal information protection, not enlarges the universe to include subordinate rules.

**The second strand is the empirical one** — and this is where Hong's argument bites. He gives three case examples in which Chinese courts have used regulations *that have nothing to do with personal information protection* as the predicate "relevant State provisions" for conviction.

- In one case (*Ding et al.*), an employee of a Real Estate Registration Center sold property-ownership and homeowner phone-number records to outsiders. The court found him guilty under Article 253-1, citing the *Interim Regulations on Real Estate Registration* and the *Interim Measures on Real Estate Registration Information Inquiries* as the relevant State provisions he had violated. But — Hong observes — those regulations exist to govern the *real estate registration system*, not to protect personal information. They contain no personal-information-protection rules. Using them as the predicate for an Article 253-1 conviction stretches the statute.
- In another case (*Zheng et al.*), a baby-formula salesperson bribed hospital staff for new-mother and newborn contact information to sell formula. The court convicted under Article 253-1 by reference to the *Administrative Measures for the Sale of Breast-Milk Substitutes* and the *Maternal and Infant Health Law*. Again — those statutes regulate the marketing of breast-milk substitutes and maternal-health work, not personal-information handling. Their use as the predicate of a personal-information crime is, in Hong's reading, a category mistake.
- In a third case (*Chen Moulin*), the court held that domain-name registration records held by the defendant constituted "citizens' personal information" — because the *Internet Domain Name Management Measures* prescribe first-come-first-served registration. But the Measures protect the integrity of domain-name registration; they do not address whether domain-name records *are* personal information. The court used the unrelated regulation to convict.

Hong's positive proposal: "relevant State provisions" should be limited to provisions that (i) are at national level (not local rules, not provincial measures); and (ii) substantively concern personal information protection — they actually exist to regulate how personal information is handled. Anything else risks expanding the criminal scope past the legislative purpose of the crime, and past what is foreseeable.

This last point matters more after PIPL took effect. The Civil Code (Articles 1034–1039) and PIPL set the affirmative boundaries of personal information protection in civil and administrative law. Some prior regulations contain definitions of "personal information" that do not match PIPL. Hong argues that where the older regulations and the newer specialized statute conflict, criminal courts should follow the newer specialized statute — otherwise the criminal predicate drifts away from the substantive regime that defines what personal information protection actually is.

## Element two — "serious circumstances"

The second ambiguous element is "serious circumstances" (*qíngjié yánzhòng*) — required for criminal liability to attach at all, and *especially serious circumstances* for the upper sentencing tier.

The 2017 Judicial Interpretation tried to make this operational by listing quantitative thresholds:

- Selling, providing, or illegally acquiring 50 or more pieces of certain sensitive personal information items (location data, credit information, communication content, health, transaction information).
- 500 or more pieces of communication or accommodation records, credit information, and so on.
- 5,000 or more pieces of ordinary personal information.

Plus qualitative criteria: using the information to commit further crimes, causing serious harm to the individual, illegal gain above stated thresholds, repeated offenses, etc. The "especially serious" tier kicks in at 10× the "serious" threshold.

Quantitative thresholds were a sensible move when the Interpretation was drafted — they give lower courts a predictable rule of thumb. But in the big-data era, Hong argues, they have become a problem. Modern personal-information cases routinely involve tens of millions to hundreds of millions of records.
By a straight reading of the thresholds, nearly every contested case would land in the "especially serious" tier and trigger the upper sentencing range.

Hong cites the *Zou Moulong* case to make the point. Defendant Zou ran a "China Black Defense League" forum that distributed 100 million+ personal-information records. Defendant Huang held about 1.84 million records. Defendant Yang held about 130,000. Under the threshold rule, all three are "especially serious." The court sentenced Zou to four years, Huang to three years, and Yang to two and a half years — radically different culpability but only modestly different sentences. The fines were identical for Huang and Yang. The threshold rule, used mechanically, flattens cases that should be differentiated.

Hong's positive proposal here is more interesting than the diagnosis. He argues that "serious circumstances" should be assessed through a *multi-dimensional impact framework*, anchored on the actual harm to the affected individuals' lawful interests, not on raw counts. The dimensions:

- **Type of personal information** — sensitive vs. ordinary, and within sensitive, the particular type (biometric, health, financial, communication content).
- **Purpose and intended use** — particularly whether the information was used or intended to be used to commit further crimes.
- **Method** — whether the acquisition was organized, large-scale, by force or fraud.
- **Consequences** — actual harm to the data subjects: identity theft, harassment, financial loss, threat to safety.
- **Subject's consent and authorization** — whether and how the data subject's consent was obtained or exceeded.

The framework Hong proposes is essentially the *Personal Information Protection Impact Assessment* (PIPIA) framework that the administrative regime already uses — drawn from GB/T 35273, GB/T 39335, GDPR DPIA, and ISO/IEC 29134. The argument is that Chinese criminal courts already have a mature multi-factor analytical apparatus available — they just have not been using it.

## The Mozhi case — a workshop on both elements

Hong devotes the final section of the paper to the *Mozhi (魔蝎) case* — the 2019 prosecution that practitioners regard as the canonical big-data personal-information prosecution of the PIPL transition period.

Mozhi Technology operated a crawler service plugged into mobile lending apps. Loan applicants entered their credentials (social-security account, housing-fund account, etc.) and authorized Mozhi to log in on their behalf and scrape their public-services records, which the lender then used for credit decisions. The user's *Data Collection Service Agreement* with Mozhi promised that credentials would not be stored. In fact, Mozhi *did* store more than 21 million sets of plaintext credentials on its cloud servers — and used a subset of them (in particular, email credentials) to log in to user accounts again, without the user's renewed authorization. The court found Mozhi guilty of "infringing on citizens' personal information," circumstances especially serious.

Hong's case analysis pulls out two careful distinctions.

**First, on "violating relevant State provisions":** the court correctly held that the *initial* crawling was not the unlawful act. The user gave Mozhi the credentials and authorized the scrape; the act of using user-supplied credentials to access a third-party platform's user-facing interface is not an "intrusion" within the meaning of the unauthorized-computer-system-access crime. Whatever competing claim the platforms might have under unfair-competition law, this is not "illegal acquisition" under Article 253-1.

What Mozhi *did* do unlawfully was *retain* and *re-use* the credentials past the agreed scope. The court treated this as "obtaining by other illegal means" — folding it into the same statutory category as theft. Hong is uneasy with this. *Obtaining* and *retaining-after-lawful-obtaining* are linguistically and conceptually different acts. The Judicial Interpretation defines "obtain by other illegal means" as "obtaining citizens' personal information in violation of relevant State provisions through purchase, receipt, exchange, etc., or in the course of performing duties or providing services." Retaining beyond the agreed scope is more naturally a *processing* violation under PIPL — handle outside the scope of consent — not an *acquisition* violation. Forcing it into "obtaining" risks distorting the statute.

**Second, on "especially serious circumstances":** the court held the threshold met by reference to the volume of records retained (21 million+) and the illegal gain (~30 million yuan). Hong's critique is that the analysis is incomplete. The court did not specify how many of the 21 million credentials were actually re-used — only that a "portion" (email accounts) were. It did not analyze the actual harm to individual data subjects. It did not separately weigh that Mozhi's *initial* acquisition was lawful, that its commercial purpose was not in itself unlawful, and that the data-leak risk from cleartext storage, while real, is not the same as actual leakage. A multi-dimensional impact analysis would likely have produced a different conclusion at the "especially serious" boundary — and in any event would have produced a more reasoned one.

Hong's verdict on Mozhi: the court's overall instinct was sound (administrative tools alone would not have been sufficient for the scale), but the legal reasoning at both elements is doctrinally weak. As a precedent, it leaves the boundary ambiguous in ways the principle of legality is meant to prevent.

## Why this matters for overseas compliance

The criminal side of China's personal-information regime is less visible to overseas teams than PIPL administrative enforcement, but the practical takeaways are direct.

- **Criminal liability is a real second track, not a theoretical one.** PIPL fines and criminal exposure are not alternatives — they coexist. Conviction can attach to employees, directors, and managers personally, not just to the entity. For foreign multinationals, the criminal track is also the channel through which Chinese authorities can act against locally employed foreign nationals.
- **"Violating relevant State provisions" is not just PIPL.** Courts have used unrelated departmental and even local regulations as the predicate. The implication for compliance teams is that auditing personal information practices against PIPL alone may not be a complete picture of criminal exposure — there are sectoral regulations with personal-information-adjacent provisions that have been used in criminal cases.
- **Quantitative thresholds dominate, but they are not the only test.** Where a compliance issue involves tens of thousands of records or more, the case is going to clear the headline threshold easily. The contestable terrain is the qualitative side — actual harm, intent, method — and that is where the defense theory lives.
- **The boundary between "legal acquisition + unlawful processing" and "illegal acquisition" is being contested.** Mozhi-style fact patterns — legal initial collection followed by processing in excess of authorization — are common in modern data-services arrangements. Hong's reading is that those should be processing violations, not acquisition crimes. Whether courts adopt that view will shape exposure for an entire class of cases.
- **A multi-dimensional PIPIA-style analysis is your strongest defense.** Hong's argument that "serious circumstances" should be judged through a substantive impact framework — closer to PIPIA than to a counting rule — gives defense teams a doctrinal anchor. Building such an analysis into compliance documentation, in advance, is a practical way to prepare for the case where you ever need it.

Behind all five takeaways is Hong's larger point. The administrative regime under PIPL has matured. The criminal regime has not kept pace. Until the Judicial Interpretation is updated to reflect PIPL's substantive boundaries and the big-data era's quantitative realities, courts will continue to write the doctrine case by case — which means compliance teams in China are operating under a criminal liability rule that is not yet stable.

---

— Hong Yanqing, *《个人信息保护法》背景下侵犯公民个人信息行为的罪与非罪认定标准分析* (Analysis of the Standards for Distinguishing Criminal from Non-Criminal Infringement of Citizens' Personal Information Under PIPL), originally published in *Data Jurisprudence* (《数据法学》), Vol. 4, 2023; republished on 网安寻路人 WeChat Official Account, April 22, 2026. [Original article.](https://mp.weixin.qq.com/s/5tXYwpeuLqkOLqv7xfTGgg)

*Not legal advice.*

---

## When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework

- Published: 2026-04-04
- Author: DCC Editorial
- Tags: facial-recognition, public-surveillance, pipl-article-26, proportionality-test, commentary
- Laws cited: pipl, facial-recognition-judicial-interpretation, public-security-video-image-system-regulations, facial-recognition-technology-application-measures
- Domains: personal-information, ai-governance, enforcement
- URL: https://datacompliancechina.com/posts/public-place-frt-necessity-framework/
- Markdown: https://datacompliancechina.com/posts/public-place-frt-necessity-framework.md
- Original source: https://mp.weixin.qq.com/s/gZIJDP5j9RW8S4NJDw_Mow
- Original author: 洪延青
- Original publication: 网安寻路人

### Description

Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition.
His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice. ### Body > *Editor's Note — DCC.* > > Hong Yanqing is one of the most influential voices on Chinese > data-protection law. This piece is a republication on his WeChat channel > 网安寻路人 of a 2025 paper he originally published in 《公安学研究》 > (*Public Security Studies*), the journal of the Ministry of Public Security's > People's Public Security University. It is academic in form but practitioner > in stakes. > > The stakes: PIPL Article 26 sets the foundational rule for public-place video > surveillance and facial recognition in China — "necessary for public > security." The 2024 *Video Image Information System Regulations* and the > 2025 *FRT Measures* have built the implementing rulebook around it. But the > operational question — *when* is a deployment "necessary for public > security"? — has remained underspecified. Hong's paper proposes a four-element > framework to operationalize it: a four-step necessity test, a tiered risk > regime with a published prohibited list, three-fold technical controls, and > a lifecycle closure mechanism. > > We rewrote rather than literally translated the paper because the practical > question for overseas compliance teams — *what do regulators expect from a > public-place FRT deployment in China?* — is exactly what Hong's framework > answers in concrete detail. The brief reframes his argument for an audience > that needs to know what to build, not why the underlying jurisprudence is > what it is. PIPL Article 26 sets the foundational rule for public-place surveillance in China. Equipment installed in public places that captures images or identifies individuals must be "necessary for public security" (维护公共安全所必需), accompanied by conspicuous notice, and the data collected may only be used for that public-security purpose. 
Use for other purposes requires the individual's separate consent.

In September 2024 the State Council issued the *Regulations on the Administration of Public Safety Video Image Information Systems* (公共安全视频图像信息系统管理条例). In 2025 the Cyberspace Administration of China issued the *Measures on the Security Management of Facial Recognition Technology Applications* (人脸识别技术应用安全管理办法). Together they form the operating rulebook for Article 26.

But, Hong Yanqing argues in an April 2026 essay drawn from his paper in 《公安学研究》, the operating rulebook still does not answer the core question. Both implementing regulations restate the "necessary for public security" principle. Neither tells a compliance team — or a regulator — how to determine when a deployment is necessary. That gap is where Hong's paper does its work.

Hong's diagnostic is that the necessity principle has remained a gestural concept. There is no conceptual unpacking — is "necessary" about the importance of the security objective, the indispensability of the technical means, or the minimality of the deployment scope? There is no procedural standard — no requirement to produce a structured necessity demonstration. There is no accountability mechanism — no standardized assessment template, no public verifiability. The result, he writes, is that the principle "spins in place" — invoked as authority but not actually doing the discriminating work a legal principle is meant to do.

His proposal is structural: take the proportionality test that the European regime has spent two decades operationalizing and the patchwork of state-level biometric laws that the US has developed, extract their working architecture, and operationalize "necessary for public security" through a four-element framework. The framework is the kind of thing overseas compliance teams will recognize from GDPR practice — but cast specifically in PIPL Article 26 terms.
## The four-step necessity test

Hong's first element is a structured proportionality-and-necessity test, conducted on every individual project, with four sequential layers.

1. **Purpose legitimacy.** The deployment must serve a definite and significant public-security objective with present urgency. Administrative convenience, commercial benefit, and image-building are not sufficient. The applicant must produce a risk assessment, historical incident data, or threat analysis demonstrating that the foreseeable harm without the measure justifies the measure.
2. **Means effectiveness.** The applicant must show a verifiable causal connection between the chosen technology and the security objective. If the technology cannot be shown to meaningfully advance the objective, the deployment is not necessary — it is symbolic. Required documentation: effectiveness data, technical performance metrics, expected false-positive and false-negative rates.
3. **Alternatives.** The applicant must show that no equally effective but less intrusive alternative exists. Patrol intensification, time-limited control, non-identifying cameras, document inspection — all are in the field of comparison. Where a less-intrusive alternative would suffice, the more intrusive technology cannot be deployed.
4. **Minimum harm.** Even after the first three are satisfied, the deployment must be minimized along several dimensions: capture scope, resolution, duration, retention period, and audience for the captured data. A human-in-the-loop mechanism and a grievance-correction channel must be available for any automated identification.

Hong's procedural proposal is that the four-step analysis be institutionalized as a "necessity evidence packet" (必要性证据包).
The applicant submitting a project should produce, in one package: risk baseline and threat assessment, objective and performance metrics, alternative-comparison and rejection rationale, capture-minimization plan, algorithm evaluation report, watchlist governance procedure, retention and destruction schedule, and a grievance mechanism. For facial-recognition projects, a separate Personal Information Protection Impact Assessment (PIPIA) and independent algorithm audit are mandatory additions. The burden of demonstration rests on the applicant — a "raise it, prove it" rule — and the regulator's role is to assess that demonstration and issue a conditioned approval or denial.

This first element is the gate. Everything downstream is conditioned on it.

## Risk tiering and a prohibited / exception list

The second element splits the projects that have cleared the gate into a tiered scheme, with a prohibited list at the edge.

- **High risk.** Examples: post-hoc large-scale FRT analysis, real-time FRT monitoring in priority security zones, broad FRT deployment at large events or major transit hubs. Compliance obligations: mandatory PIPIA, monitoring, recording and audit mechanisms, certified algorithms with high performance and low false-positive rates, minimum retention with transparent destruction.
- **Medium risk.** Examples: 1:1 identity verification within a limited zone (employee gate, library access, campus entry), ordinary security monitoring without identification. Compliance obligations: scoped purpose and scope, defined watchlist source and size, algorithm accuracy verification, periodic spot checks.
- **Low risk.** Examples: anonymous analytics or situational sensing that does not identify individuals. Compliance obligations: basic transparency notice, data minimization.
- **Prohibited list.** Examples: real-time 1:N FRT in open public space, routine identification of sensitive populations.
These are structurally incapable of clearing the necessity test and should be explicitly listed. A narrow exception procedure — high-level authorization, defined applicability conditions, audit standards, post-use accountability — would govern the genuinely extraordinary edge cases.

Hong's design point: the prohibited list and the tiering arise *from the same source*, the necessity test. A project that cannot clear the four-step test is automatically prohibited. A project that clears it is tiered by what the necessity analysis itself yielded. The two halves interlock.

This is the part of Hong's framework that lifts most directly from EU practice. The AI Act's explicit prohibition on real-time 1:N FRT in open public space is the model. Hong wants the Chinese regime to publish an equivalent list — codified, public, and uniformly applied across provinces, so that the necessity-test edge cases do not get re-litigated in each local enforcement action.

## Three-fold operational controls — scene, watchlist, algorithm

The third element translates tier into runtime parameters. Hong proposes three control surfaces.

- **Scene control** ("where"). Define an allowed-scenes whitelist in the regulations, fix geographic boundaries with geofencing, and impose time windows. A camera that can only operate inside a defined polygon during a defined window is structurally incapable of "purpose drift" into routine social management.
- **Watchlist control** ("who"). The matching database must be (i) bounded to the specific public-security objective — suspects in major criminal investigations, fugitives, high-risk missing persons; (ii) capped in size, with mandatory pre-deployment refresh and verification; and (iii) source-legitimate — no scraping from social media or commercial databases. Minors are default-excluded. An appeal-and-removal mechanism is mandatory.
- **Algorithm control** ("what").
Accuracy and false-positive thresholds (Hong suggests false-positive rate ≤ 1‰ as a reference), bias evaluation across gender, age, and skin-tone subgroups, explainability (the system must produce a decision-path artifact suitable for external audit), and a human-in-the-loop step — all identification results must be human-verified before being used for enforcement decisions.

Together, these three controls limit the deployment along three axes simultaneously. A scene-whitelisted camera in a geofenced perimeter operating during a posted window, matching against a small audited watchlist via a certified algorithm with mandatory human review — Hong's argument is that this is what "necessary for public security" looks like once it has been operationalized.

## Lifecycle closure — exit, rectify, destroy

The fourth element is post-deployment. Necessity is not a moment-in-time judgment. It is conditional on the conditions that justified the deployment continuing to hold. When they cease to hold, the deployment must wind down. Hong proposes three closure mechanisms.

- **Exit.** When a project no longer meets the necessity standard — because the security situation has changed, because the privacy cost outweighs the benefit on reassessment, or because a less-intrusive alternative has matured — the authority must be able to revoke the prior approval, order shutdown of the equipment, and halt the data collection. Hong notes the EU AI Act's parallel provision empowering member-state authorities to require providers to withdraw or recall AI systems.
- **Rectify.** When problems emerge during operation — sudden spikes in false-positive rates, evidence of misuse, deficient privacy protection — the operator must self-audit and rectify rather than wait to be ordered. The regulator, in inspections or in response to complaints, can issue a rectification order with a deadline; for serious violations, the system can be suspended during rectification.
- **Destroy.** Personal image data cannot be retained indefinitely. Hong's model: deletion or irreversible anonymization on the earlier of (i) the deployment purpose being achieved, (ii) the lawful retention window expiring, or (iii) the project being decommissioned. The reference he cites is the Illinois Biometric Information Privacy Act's requirement that biometric identifiers be deleted within three years of the last contact with the data subject, and the UK Surveillance Camera Code of Practice's requirement that footage be retained no longer than necessary. Destruction receipts and audit trails should be required so that operators cannot quietly retain data after a project has been wound down.

## Why this matters for overseas compliance

For overseas teams operating in or vendoring to China, Hong's framework is several practical things at once.

- **Article 26 is now operating regulation, not just principle.** With the *Video Image Information System Regulations* (State Council, 2024) and the *FRT Measures* (CAC, 2025), Article 26 has moved from statutory aspiration to operating rule. Filing obligations attach at concrete thresholds — for example, FRT systems storing facial data of more than 100,000 persons must file with provincial CAC within 30 working days under the FRT Measures.
- **Build a "necessity evidence packet" before you deploy.** Hong's procedural proposal — a unified set of documents that operationalize the four-step test — is likely to influence regulator-facing documentation expectations going forward. Compliance teams that anticipate this and build the documentation pre-deployment will land in a stronger position when reviewed.
- **The prohibited-list shape is becoming legible.** Real-time 1:N FRT in open public space is the EU's bright line; Hong's reading is that China is converging toward a similar list, narrower in scope and articulated through the Chinese implementing regulations.
Vendors and operators should not assume that the most aggressive deployments are sustainable, even where the current statute permits them.
- **The technical-controls layer is enforceable.** Geofencing, time windows, watchlist caps, algorithm certification, human-in-the-loop, audit logs — these are technical controls that can be verified by an inspector, and they are the surface most likely to be tested in enforcement. If they are not built into the architecture from procurement, retrofitting them later is expensive.
- **Plan for lifecycle, not just launch.** The exit-rectify-destroy closure is where many existing deployments will discover gaps. Retention schedules, destruction receipts, and decommissioning audits have not always been built into the original procurement and architecture. Under Hong's framework, they need to be.

The deeper point in Hong's paper — and the reason it is worth a careful read — is that *necessary for public security* is a principle that does its work only when it has been operationalized. Until it is, the principle protects nothing in particular; it just sits at the top of the regulation as a placeholder for a more concrete rule that has not yet been drafted. Hong's four-element framework is one way to draft that rule. For overseas compliance teams operating in China, it is also the most credible guide to what the regulator is converging toward.

---

— Hong Yanqing, *公共场所视频监控与人脸识别的治理路径:国际经验与中国方案* (Governance Pathways for Public-Place Video Surveillance and Facial Recognition: International Experience and the Chinese Approach), originally published in *Public Security Studies* (《公安学研究》), 2025; republished on 网安寻路人 WeChat Official Account, April 4, 2026.
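The three control surfaces (scene, watchlist, algorithm) and the destroy rule from the brief above, expressed as an inspector-style policy gate over a deployment descriptor. This is an added illustration written for this brief, not code from Hong's paper or from DCC; the tier names, field names, legitimate-source labels, geofence and sample deployments are assumptions, while the ≤ 1‰ false-positive reference is the one Hong cites.

```python
"""Policy gate for Hong's three control surfaces plus the 'destroy' rule.
Added illustration, not Hong's or DCC's code; field names and samples are assumed."""
from dataclasses import dataclass, replace
from datetime import date, time
from typing import Optional

# Reference threshold Hong suggests for the algorithm control: FPR <= 1 per mille.
FPR_REFERENCE = 0.001
# Assumed provenance labels; Hong's rule is "no scraping from social media or commercial databases".
LEGITIMATE_SOURCES = {"court-warrant", "fugitive-register", "missing-persons-register"}


@dataclass
class Deployment:
    tier: str                      # "high", "medium" or "low" (assumed tier labels)
    geofence: list                 # polygon vertices as (x, y) pairs
    camera: tuple                  # camera position as (x, y)
    window: tuple                  # (start, end) posted operating window, may span midnight
    watchlist_size: int
    watchlist_cap: int
    watchlist_sources: list
    watchlist_has_minors: bool
    false_positive_rate: float
    human_review: bool             # results human-verified before enforcement use
    decision_artifact: bool        # decision-path artifact available for external audit
    retention_expires: date        # end of the lawful retention window
    purpose_achieved: Optional[date] = None
    decommissioned: Optional[date] = None


def point_in_polygon(pt, poly):
    """Ray-casting containment test: does the camera sit inside the geofence polygon?"""
    x, y = pt
    inside = False
    for i in range(len(poly)):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):   # this edge straddles the horizontal ray from pt
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def within_window(t, window):
    """Posted operating window; a window such as 22:00-06:00 wraps past midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def destroy_by(d):
    """Destroy rule: earliest of purpose achieved, retention expiry, decommissioning."""
    candidates = [d.retention_expires, d.purpose_achieved, d.decommissioned]
    return min(c for c in candidates if c is not None)


def evaluate(d, now, today):
    """Return the list of control violations; an empty list means the gate is clear."""
    findings = []
    # Scene control ("where"): geofenced polygon and posted time window.
    if not point_in_polygon(d.camera, d.geofence):
        findings.append("scene: camera outside geofence")
    if not within_window(now, d.window):
        findings.append("scene: operating outside posted window")
    # Watchlist and algorithm controls apply where individuals are identified.
    if d.tier in ("high", "medium"):
        if d.watchlist_size > d.watchlist_cap:
            findings.append("watchlist: size exceeds cap")
        bad = sorted(set(d.watchlist_sources) - LEGITIMATE_SOURCES)
        if bad:
            findings.append("watchlist: illegitimate sources " + ", ".join(bad))
        if d.watchlist_has_minors:
            findings.append("watchlist: minors are excluded by default")
        if d.false_positive_rate > FPR_REFERENCE:
            findings.append("algorithm: false-positive rate above reference")
        if not d.human_review:
            findings.append("algorithm: no human-in-the-loop step")
        if not d.decision_artifact:
            findings.append("algorithm: no auditable decision-path artifact")
    # Lifecycle closure: data past its destroy date must already be gone.
    if destroy_by(d) < today:
        findings.append("destroy: retention deadline passed")
    return findings


SQUARE = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)]   # constructed geofence
# Constructed sample: a high-risk deployment that satisfies every control.
COMPLIANT = Deployment(
    tier="high", geofence=SQUARE, camera=(5.0, 5.0), window=(time(22, 0), time(6, 0)),
    watchlist_size=40, watchlist_cap=50, watchlist_sources=["court-warrant"],
    watchlist_has_minors=False, false_positive_rate=0.0005, human_review=True,
    decision_artifact=True, retention_expires=date(2026, 12, 31),
    purpose_achieved=date(2026, 9, 30),
)
# Constructed sample: the same project with the controls the brief warns about missing.
NONCOMPLIANT = replace(
    COMPLIANT, camera=(15.0, 5.0), watchlist_size=5000,
    watchlist_sources=["court-warrant", "social-media-scrape"], watchlist_has_minors=True,
    false_positive_rate=0.02, human_review=False, decision_artifact=False,
    retention_expires=date(2025, 12, 31),
)

if __name__ == "__main__":
    print(evaluate(COMPLIANT, time(23, 0), date(2026, 6, 1)))     # []
    print(evaluate(NONCOMPLIANT, time(12, 0), date(2026, 6, 1)))
```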
[Original article.](https://mp.weixin.qq.com/s/gZIJDP5j9RW8S4NJDw_Mow)

*Not legal advice.*

---

## China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed

- Published: 2026-01-12
- Author: DCC Editorial
- Tags: csl, csl-2025-amendment, ai-governance, penalties, commentary
- Laws cited: csl, pipl, dsl, civil-code-personal-info
- Domains: cybersecurity-review, data-security, personal-information
- URL: https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties/
- Markdown: https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties.md
- Original source: https://mp.weixin.qq.com/s/p20K896Ad94taTuoecZqnQ
- Original author: 全球法律政策研究 (Global Legal Policy Research Team)
- Original publication: 合规小叨客

### Description

On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.

### Body

> *Editor's Note — DCC.*
>
> The first amendment to the **Cybersecurity Law** since its 2017
> enactment was adopted by the NPC Standing Committee on October 28,
> 2025 and entered into force January 1, 2026. The amendment is
> deliberately narrow ("small-cut" revision, in the official framing) —
> 14 changes targeting AI, harmonization with PIPL/Civil Code,
> penalties, and extraterritorial application.
> Compliance Talker's
> Global Legal Policy team produced one of the cleanest practitioner
> walkthroughs in the immediate post-enactment commentary. DCC's
> framing emphasizes the operational shifts for overseas compliance
> teams, since the penalty escalation in particular fundamentally
> changes the CSL risk profile.

## What the amendment does — and doesn't

The 2025 amendment is structurally conservative. It does not rewrite the CSL's underlying architecture (network operator obligations, CIIO regime, security review, data localization). What it does:

- **Adds an AI-safety framework provision** — putting AI on the CSL's institutional map.
- **Harmonizes with PIPL and Civil Code** on personal information — closing the doctrinal seam left when PIPL took effect in November 2021.
- **Sharply escalates penalties** — top fines increase 10×, with expanded application of the "dual penalty" (entity + individual) regime.
- **Expands extraterritorial application** — moves the trigger from "endangering CII security" to the broader "endangering cybersecurity."

Each shift has a specific operational implication for compliance teams.

## What changed, in detail

### 1. AI safety and development — the new framework provision

The amendment adds **Article 20**: *"The State supports basic AI theoretical research and key technology R&D such as algorithms; advances training-data-resource and computing-power infrastructure; perfects AI ethics norms; strengthens risk-monitoring assessment and security supervision; and promotes AI application and healthy development."*

The provision is framework-level — declarative rather than operational. But the placement matters. AI now sits inside the CSL's institutional logic, which means subsequent AI regulation can be promulgated as CSL-implementing rules. Expect a wave of AI-specific implementing regulations in 2026–2027 grounded in this Article.
The Compliance Talker team's reading: *"China's AI governance is shifting from local-sector supervision toward systematic regulation, seeking a balance between AI development and security."*

The DCC corollary: the foreign-invested AI service providers who have been operating against the patchwork of generative-AI Measures, algorithmic recommendation Provisions, deep synthesis Provisions, and AI content labeling Measures should expect that patchwork to consolidate into a more coherent regulatory stack, with CSL Article 20 as the legislative anchor.

### 2. Harmonization with PIPL and Civil Code

Original CSL Articles 40–45 contained the bulk of pre-PIPL personal information protection rules. With PIPL effective November 2021 and the Civil Code Personality Rights Book (with its privacy and PI chapter) effective January 2021, the CSL PI provisions had completed their historical mission. The 2025 amendment recognizes this:

- **Article 42 (revised)**: *"Network operators processing personal information shall comply with this Law and the Civil Code of the PRC, the PIPL of the PRC, and other laws and administrative regulations."*
- **Article 71(1)(II)**: PI-rights-infringement and important-data-handling violations are processed **per the laws and regulations of the relevant special regime** (i.e., PIPL / DSL / Network Data Security Regulation), via *referral clauses*.

The structural effect: the CSL becomes a **cybersecurity baseline** and **CIIO regime anchor**, while PIPL / DSL / NDR handle the specifics in their respective regimes. Cross-referencing replaces duplication.

The Compliance Talker team's framing: *"This increases the consistency and coordination of the legal system, and fills potential supervisory gaps."*

### 3. The penalty escalation — the operational headline

This is the change with the greatest immediate compliance impact.
The amendment **at minimum doubles, and often 10×s, the cap on top fines**, and expands the "dual penalty" regime to individual officers far beyond the prior scope. Selected examples from the revised CSL penalty articles:

#### Article 61 — failure to perform network security obligations

For ordinary network operators failing to perform Article 23 / 27 obligations:

- Warning + correction order; fines of RMB 10,000–50,000 (refusal: RMB 50,000–500,000), with individual officer fines of RMB 10,000–100,000.

For CIIOs failing to perform Articles 35 / 36 / 38 / 40 obligations:

- Warning + correction order; fines of RMB 50,000–100,000 (refusal: RMB 100,000–1,000,000), with individual officer fines of RMB 10,000–100,000.

**For serious cybersecurity harm** (e.g., mass data leakage, partial loss of CII function): entity fines RMB **500,000–2,000,000**, individual fines RMB 50,000–200,000.

**For especially serious harm** (e.g., loss of major CII function): entity fines RMB **2,000,000–10,000,000**, individual fines RMB 200,000–1,000,000.

The top fine cap moves from RMB 1 million to RMB **10 million** — a 10× increase. The dual-penalty regime applies not only to "directly responsible officers in charge" but also to "other directly responsible personnel" — substantially expanding the universe of individuals personally exposed.

#### Article 62 — product / service security defects

Penalties for unsafe products and services causing serious network-security harm scale similarly. New addition: **failure to terminate security maintenance without authorization** is now a sanctionable act.

#### Article 63 — unsafe network equipment / network-security products

Selling or providing uncertified or non-conforming network key equipment or network-security products: now triggers stop-sale + warning + confiscation + fines of RMB 20,000–100,000 (or 1–5× of illegal income if income exceeds RMB 100,000).
For serious cases: **business suspension, business license revocation, operating-permit revocation**.

#### Article 67 — CIIO use of un-reviewed network products / services

CIIO using products/services that haven't passed the national security review: now triggers correction order, use suspension, elimination of national-security impact, fines of **1× to 10× of the procurement amount**, plus individual fines RMB 10,000–100,000.

#### Article 65 — non-compliant security certification / testing / risk assessment

Conducting cybersecurity certification, testing, or risk assessment in violation of regulations, or publicly disclosing system vulnerabilities, computer viruses, network attacks, or network intrusion information not in accordance with state regulations: triggers correction order + warning + fines of RMB 10,000–100,000 (refusal or serious: RMB 100,000–1,000,000) with possible **business suspension, business license revocation, operating-permit revocation**.

### 4. The dual-penalty system expansion

Three CSL penalty features that the 2025 amendment crystallizes:

- **Penalty levels at historical highs.** Cap-and-floor fines both substantially escalated. Business suspension and license revocation are available in significantly more violation scenarios. Cybersecurity compliance is now a *survival-level* risk.
- **Dual-penalty regime broadened.** Many penalty articles now expressly impose individual fines on **"directly responsible managers"** *and* **"other directly responsible personnel"**. The Compliance Talker team flags a recent enforcement pattern:
  - In an October 2025 Jiangxi Bank Suzhou Branch network/data-security violation, the compliance department deputy GM, branch head, and a customer manager were all personally fined.
  - In a Huarui Bank case, the IT security team lead was personally warned for data-security control failures and incomplete remediation.
  - The pattern is consistent with the dual-penalty regime extending beyond the headline director / officer set, reaching operational mid-management.
- **"Non-penalty" compliance incentive added.** New Article 73 introduces *mitigated or reduced penalty* for entities that proactively eliminate / reduce harm, for first-time violations with minor harm and prompt correction, and similar mitigating circumstances. This rewards mature incident-response programs.

### 5. Extraterritorial reach — broader trigger

Original Article 75 (now Article 77): the trigger for foreign-actor liability moved from "engaging in activities endangering China's CIIO security" to "engaging in activities endangering China's **cybersecurity**."

The broader trigger reaches:

- Foreign threat actors conducting cyber attacks against any Chinese network systems (not only CII), as long as the harm is to "China's cybersecurity."
- Asset freezing and other sanctions can be applied to foreign actors under Article 77.

The Compliance Talker team's framing: *"This means non-CII systems also need to defend against overseas attacks."*

For foreign-invested entities, this expansion means cyber-threat intelligence sharing with home-country authorities now intersects with Article 77 in a wider set of circumstances.

## Why this matters for overseas teams

Four operational takeaways:

- **Cybersecurity compliance is now executive-level risk.** With RMB 10 million top fines and business-license revocation available, the CSL's compliance posture must be elevated. The compliance team's reporting line, the board's cyber-risk briefing cadence, and the executive ownership for cybersecurity all need to be reviewed against the new penalty calculus. The era of treating CSL as a documentation exercise is over.
- **The dual-penalty system reaches your people.** Compliance leads, IT security leads, and product managers handling sensitive systems are now personally exposed.
Compliance-program design should explicitly identify who falls into the "other directly responsible personnel" category and ensure those individuals have meaningful authority to perform the duties for which they bear personal liability. The PI Protection Officer regime under PIPL Article 52 is the closest analog — see [DCC's PIPO vs DPO brief](/posts/pipo-vs-dpo-pi-protection-officer-comparison/).
- **Article 20's AI hook will produce derivative regulation.** Expect 2026–2027 AI regulation to be promulgated as CSL-implementing rules. AI service providers should plan their compliance architecture against the CSL stack, not against the AI Measures alone.
- **Article 77's expanded extraterritorial reach changes threat intel calculus.** Foreign-invested entities should review their threat intelligence sharing arrangements with home-country authorities. Activities that previously were unambiguously cybersecurity defense work may now trigger CSL Article 77 attention if framed by Chinese authorities as "endangering China's cybersecurity."

The deeper point in the Compliance Talker piece is that **CSL has shifted from being the foundational statute to being the high-stakes statute**. Before 2025, the operational risk was concentrated in PIPL (personal information enforcement) and DSL (data security). After January 2026, CSL itself carries the largest direct fines in the regime. Multinational compliance teams that have under-invested in CSL relative to PIPL and DSL will need to rebalance.

---

— Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 中国新《网络安全法》:促进AI安全与发展,升级处罚力度强化网安责任* (China's New Cybersecurity Law: Promoting AI Safety and Development, Escalating Penalties to Strengthen Network Security Responsibility), 合规小叨客 WeChat Official Account, January 12, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/p20K896Ad94taTuoecZqnQ)

*Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation.
The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.*

---

## Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

- Published: 2026-01-08
- Author: DCC Editorial
- Tags: cross-border, data-sovereignty, mlat, cloud-act, blocking-statute, commentary
- Laws cited: dsl, pipl, cross-border-data-flows-provisions
- Domains: cross-border, enforcement
- URL: https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions/
- Markdown: https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions.md
- Original source: https://mp.weixin.qq.com/s/oqxjw7PbmnQ7OEmkV4Uu8g
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

### Body

> *Editor's Note — DCC.*
>
> The cross-border data *discovery* question — when a foreign government
> demands data stored in China, what happens? — is one of the highest-
> stakes uncertainties for multinational compliance teams. Wang Qinglan's
> framing is the cleanest taxonomy DCC has seen in Chinese-language
> commentary on this question. Four discovery paths; three jurisdictional
> doctrines; one set of operational implications for foreign-invested
> entities operating across the squeeze.
> We summarize her piece for
> overseas counsel and note where the picture has continued to shift in
> 2026.

## Four cross-border discovery paths

When an authority wants data sitting in another country, Wang frames the question as: *what's the path?* Four paths cover the field:

### Path 1 — Traditional Mutual Legal Assistance (MLA, 司法协助)

The classic public-to-public path. Country A's government sends a formal MLA request to Country B's government; Country B's competent authority obtains the data from the holder under Country B's domestic procedures and transmits it back. The entire process is government-to-government.

This is the **sovereignty-respecting** model. China has signed MLA treaties with 91 countries. The cost is **speed**: MLA requests to the United States average a 10-month turnaround, which is incompatible with most cybercrime investigations where evidence is volatile.

### Path 2 — Unilateral Public-to-Private (单边公对私)

A foreign authority bypasses the data-location government and demands the data directly from the company holding it. Two sub-modes:

- **Voluntary cooperation.** The authority issues a request; the company complies or doesn't, with no legal compulsion. Pre-CLOUD-Act U.S. and EU member-state practice often took this form, with notoriously variable response rates: Microsoft historically responded to 78% of non-U.S. requests; Twitter only 21%.
- **Compulsory production.** The authority issues a *production order* with the force of law; the company must comply or face sanctions. The U.S. **CLOUD Act** (2018) is the archetype.

**China's position on this path: firmly opposed.** Article 41 of China's *International Criminal Judicial Assistance Law* (国际刑事司法协助法), Article 36 of the *Data Security Law*, and Article 41 of the *Personal Information Protection Law* all prohibit Chinese entities from transferring data to foreign authorities without Chinese government approval.
The doctrinal framing: a foreign authority approaching a Chinese company directly is a sovereignty violation, *regardless* of whether the company is willing to cooperate.

### Path 3 — Bilateral / Multilateral Public-to-Private (双边或多边公对私)

A negotiated middle ground. Countries sign bilateral or multilateral treaties that mutually recognize each other's production orders as legally effective in the partner country. The U.S. has executive agreements with the UK and Australia under the CLOUD Act. The EU has the *European Production Order and Preservation Order Regulation* (2023), under which any member-state authority can issue an EU-wide production order reaching any company with an EU presence, regardless of where the data sits. The Budapest Convention on Cybercrime is the older regional precedent — China has not joined.

The pattern: production orders with bilateral legitimation, no longer a unilateral overreach into another sovereign's territory.

### Path 4 — Multilateral Public-to-Public (多边公对公)

The newest path: global multilateral treaties standardizing discovery. The *UN Convention against Cybercrime* (December 2024) is the leading instrument. China and Russia were active proponents. The Convention preserves sovereignty as the default (Article 5) but also permits states to issue production orders to companies in their own territory for "subscriber information" (Article 27) — a calibrated middle path between speed and sovereignty.

## The three jurisdictional doctrines

Each major player uses a different doctrine for *when its own law reaches data*. Wang's framing:

### United States — Data Controller Standard

The **CLOUD Act** (2018) made the rule explicit: *whoever controls the data, U.S. law reaches.* The data's geographic location is irrelevant. The Act applies to any communications-service provider that is U.S.-incorporated, has substantial U.S. presence, or has "sufficient contact" with the U.S. — including merely providing services to U.S. users.
The Microsoft Ireland case illustrates: the Justice Department demanded data stored in Microsoft's Dublin data center; Microsoft litigated to the Supreme Court; the CLOUD Act passed mid-case and ended the dispute. Microsoft was required to produce the Irish-stored data because Microsoft (a U.S. company) *controlled* it.

The U.S. *defensive* posture is the mirror image — and Wang frames it as a *double standard*:

- The 1986 **Electronic Communications Privacy Act (ECPA)** blocks U.S. providers from disclosing electronic data to foreign governments.
- The CLOUD Act creates a *narrow* exemption track: a U.S. court can quash a foreign production order if the data is not about U.S. persons *and* compliance would violate the law of a "qualifying foreign government." But "qualifying" is a high bar — only the UK and Australia have executive agreements granting that status.

In substance: the U.S. reaches globally on offense; everything else hits an ECPA wall on defense, with narrow escape valves for U.S. treaty partners.

### European Union — Market Access Standard

The EU's strength is its single market. Its doctrine: *whoever wants to sell to our 500M consumers must follow our rules*. GDPR Article 3 reaches any controller or processor anywhere in the world that *offers goods or services to data subjects in the EU* or *monitors data subjects' behavior in the EU*. Court of Justice case law has expanded the reach further — a controller with an EU establishment whose activities relate to the foreign processing is subject to EU jurisdiction.

The EU *defensive* posture also uses double-standard mechanics. **GDPR Article 48** prohibits transfer of personal data to a foreign authority in response to a foreign court or administrative order *unless* there is an MLA treaty or the transfer satisfies GDPR's strict transfer-safeguard requirements.
The narrow exception paths — public interest, vital interest — require additional safeguards, non-repeated transfers, limited data subjects, security assessment, regulator notification, and individual notification. In practice, almost no foreign discovery order satisfies the bar.

In substance: the EU reaches via market access on offense; everything else hits the GDPR Article 48 wall on defense.

### China — Data Location Standard

China's doctrine: *whoever holds data in our territory is subject to our jurisdiction; data outside our territory belongs to that territory's regime.* This is the most sovereignty-respecting of the three doctrines and the closest to traditional international-law norms.

China's offensive posture is correspondingly constrained — and Wang frames this as a *deliberate* policy choice:

- Discovery from overseas data is conducted through MLA — 91 treaties with peer countries.
- China does *not* assert extraterritorial production-order authority over foreign companies.
- Multilateral instruments (the UN Cybercrime Convention) are the preferred vehicle for any cross-border discovery beyond bilateral MLA.

China's defensive posture has three layers, which Wang labels the *"three-axe defense"* (三板斧):

- **Legal blocking** — DSL Article 36, PIPL Article 41, and the International Criminal Judicial Assistance Law all bar Chinese entities from providing data to foreign authorities without Chinese government approval. The block applies to *both* unilateral production orders (Path 2) and voluntary cooperation in response to foreign authority requests.
- **Data localization** — CSL requires CIIO-collected PI and important data to be stored in China. The localization requirement removes the data from the foreign-discovery target set.
- **Market access** — foreign cloud service providers entering China (with limited FTZ pilot exceptions) cannot directly control Chinese data.
  The structural arrangement is a Chinese partner controlling the data and the foreign vendor providing technology. From the foreign-discovery perspective: the foreign cloud provider doesn't *have* the data to produce, even under a CLOUD Act order.

The three layers are designed to compound. A foreign production order targeting a Chinese-stored dataset must clear all three: the company holding it can't lawfully cooperate (legal blocking), the data may be localized in any case (localization), and the foreign cloud provider lawfully present in China may not control it (market-access structuring).

## The 2026 picture

Wang's piece was written in January 2026, and the picture has continued to evolve. Three updates DCC has tracked since:

- **The MPS Electronic Data Evidence Rules draft** (May 2026) added Article 30 — the most explicit Chinese-side statement of how Chinese law enforcement can reach overseas-stored data: via credentials provided by the suspect or violator. The architecture is *suspect-credentials-based*, not MLA-based. (See [DCC's brief on the MPS draft](/posts/) — coverage in our regulatory-update queue.)
- **The 2026 PI Special Action** (CAC + MIIT + MPS) signaled cross-sector enforcement tightening, including on cross-border vectors.
- **The UN Cybercrime Convention** (December 2024) is heading into ratification. China was a leading proponent. If it enters into force broadly, Path 4 (multilateral public-to-public) gains operational weight.

## What this means for multinational compliance teams

For foreign-invested entities operating across the squeeze, four operational takeaways:

- **Map every cross-border discovery vector to which jurisdictional doctrine applies.** A discovery demand from U.S. law enforcement under the CLOUD Act sits in Path 2 / unilateral public-to-private. A demand from EU enforcement under GDPR Article 48 sits in Path 2 also. A demand from China's MPS under the Electronic Data Evidence Rules sits in Path 2 / suspect-credentials variant. The *blocking statutes* you encounter from the data-location side will vary by which doctrine the demanding authority is using.
- **Document the blocking statute conflict.** When a Chinese-stored dataset is the target of a foreign production order, your in-China entity should *expressly invoke* the DSL Article 36 / PIPL Article 41 blocking provisions and seek Chinese government approval before producing. The blocking statutes provide a defensible position under the *qualifying foreign government* analysis (in the CLOUD Act context) and under GDPR Article 48 (in the EU context). Build the documentary record on the China side.
- **Architect for the three-axe defense.** For data that may be the target of foreign discovery in future, the three China defensive layers compound. Where possible: route the data through a Chinese entity that controls it; locate the storage domestically; structure the foreign-vendor relationship to give the Chinese counterpart control. This narrows the foreign authority's enforceable reach.
- **Watch the UN Cybercrime Convention and the U.S. executive agreement track.** If China negotiates a CLOUD Act executive agreement with major U.S. trading partners — or, more practically, if the UN Convention reaches widespread ratification — the regime architecture changes. Multilateral public-to-public would become the primary path, narrowing the unilateral conflicts that currently force multinationals into impossible compliance positions.

The deeper observation in Wang's piece is that **the three doctrines are not converging**. The U.S. data-controller approach, the EU market-access approach, and the China data-location approach reflect three different theories of digital sovereignty. Multinationals operating across the three will continue to face squeezes; the operational answer is *not* to bet on one doctrine prevailing, but to build compliance architecture that can survive when authorities under different doctrines disagree.
---

— Wang Qinglan (王青兰), *跨境数据调取"三国杀":美欧中各出啥招?* (The Cross-Border Data Discovery "Three Kingdoms War" — What Moves Are the U.S., EU, and China Each Making?), 青兰数据观察 WeChat Official Account, January 8, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/oqxjw7PbmnQ7OEmkV4Uu8g)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

## Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category

- Published: 2025-12-19
- Author: DCC Editorial
- Tags: data-property-rights, data-registration, spc, judicial-review, commentary
- Laws cited: data-property-rights-registration-guide-draft, public-data-registration-interim-measures, data-foundation-system-opinions
- Domains: data-economy, enforcement
- URL: https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration/
- Markdown: https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration.md
- Original source: https://mp.weixin.qq.com/s/wvM52Sexl8UWlr_dHD1yBQ
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts.
### Body

> *Editor's Note — DCC.*
>
> Wang Qinglan, a legal-tech PhD turned post-doctoral computer scientist
> and now head of compliance at a Chinese data exchange, is one of the few
> commentators writing inside the data property rights registration system
> with both the operational vantage and the willingness to push back on
> where the regime is going. This piece, published two days after the
> Supreme People's Court released its revised *Provisions on Civil Case
> Categories* on December 17, 2025, asks a deceptively simple question:
> *what does the new "data disputes" case category — effective January 1,
> 2026 — do to the data registration certificates that institutions across
> China have been issuing under the Data 20 Articles' three-rights-split
> framework?* For overseas counsel watching the data property registration
> regime emerge, this is a useful corrective read against the institutional
> explainers. We summarize her argument in DCC's own words, with the source
> credited and linked. Not a verbatim translation.

## The trigger: a new SPC case category for data disputes

On December 17, 2025, the Supreme People's Court released its revised *Provisions on Civil Case Categories* (《民事案件案由规定》), adding **"data disputes" (数据纠纷)** as a first-tier civil case category effective January 1, 2026. Three sub-categories sit underneath:

- **Data rights disputes** (数据权属纠纷)
- **Data contract disputes** (数据合同纠纷)
- **Data rights infringement disputes** (侵害数据权益纠纷)

Before this revision, data-related civil suits had to be filed under awkward proxies — most often **anti-unfair-competition** (the AUCL general clause) or **intellectual property** brackets. The case-category mismatch was a perennial frustration: data disputes were being adjudicated, but courts had to reach into adjacent regimes to do so. Now, under Wang's reading, the SPC has formally placed **data ownership adjudication squarely with the courts** — and equipped them with a dedicated procedural channel.
That, she argues, is the trigger for a reckoning about what data property rights registration certificates actually *are*.

## The doctrinal puzzle: a certificate is not a property right

The doctrinal point Wang makes is sharp and worth restating. Under the Data 20 Articles framework and the NDA's *Data Property Rights Registration Work Guide (Trial)* — currently in public-consultation draft — registration institutions issue certificates evidencing **data holding rights, data use rights, and data operation rights** (the "three-rights split"). Industry has, Wang says, slid into treating *registration = title*: as if obtaining a registration certificate vests legal ownership over a dataset the way recording a deed vests ownership of real property.

It does not. Wang's framing:

- **Real property** (e.g., a house) has a defined property-right concept under the Civil Code; once registered, the registry produces legally recognized *in rem* rights.
- **Data property rights** have *no defined statutory concept yet*. The Data 20 Articles is a policy directive; the NDA Registration Guide is a draft trial measure. A registration certificate issued under that draft is, at best, a **trust credential** (可信凭证) — evidence that the registrant invested effort in compliance review and that an institution reviewed the materials.
- A trust credential is not a legal title. Whether it carries weight in a courtroom is a *separate question* — one the SPC has now placed squarely on the table.

## The risk Wang flags: a single failed certificate erodes the regime

Wang's most operationally important argument is this: **the registration regime is more fragile than its market position suggests**, because the failure mode is *systemic*, not local.

Her hypothetical: a company holds a data property rights certificate purportedly conferring a "right to hold data" over a dataset.
In litigation, the opposing party produces evidence that the data originated from a government-commissioned project, with the commissioning contract restricting the data to specific permitted uses. The registration institution conducted only **formal review** — it did not verify the underlying data source. The court looks at the actual provenance, finds the certificate was issued without substantive verification, and the certificate's evidentiary effect is **"reset to zero" (清零)**.

The danger, Wang argues, is contagion. Once one certificate is judicially repudiated, market confidence in the entire class of registration certificates drops sharply. *"It's like a tea shop using expired ingredients,"* she writes. *"Consumers instinctively start questioning the food safety of every tea shop."* A regime built on the public-trust premise of certificates loses its trust premise when courts begin disregarding individual instances.

## Why pure substantive review is not the answer

The intuitive solution — require registration institutions to conduct full substantive review of every dataset — fails, Wang argues, for three reasons.

**No unified standard.** There is no statutory standard for what substantive review must encompass. Each institution sets its own threshold. The result: registrants face inconsistent expectations across institutions, and certificates from different issuers carry different evidentiary weight.

**The cost is prohibitive.** Full substantive review of, say, a personal-information dataset would require verifying the consent of every data subject in the dataset — a chain-of-authorization audit at potentially massive scale. For an important-data dataset, the review institution would need to verify CII designation status, confirm no anti-scraping measures were circumvented, and so on.
Wang's analogy is medical: *"You can't determine someone is healthy with just a temperature reading, but you also can't run CT, MRI, and every test on every patient — it's prohibitively expensive."*

**Friction kills circulation.** If substantive review is too demanding, registrants and traders will avoid the system. Data sits in the corner. The market never matures. *"It's like setting up so many checkpoints on a highway that traffic just stops."*

## Wang's proposed five-point fix

Her recommendations describe what a workable middle path looks like.

**1. A three-tier protection model.** Replace pure formal review with the combination:

- **Third-party legal opinion** (第三方法律意见书) — a qualified law firm verifies the legal basis of source and authorization.
- **Limited substantive review** (有限实质审查) — registration institutions review against defined high-risk categories (personal information, public data, important data) at three checkpoints (legality of source, completeness of authorization chain, protection of third-party rights).
- **Public-announcement objection** (异议公示) — give third parties a window to challenge before the certificate is issued.

**2. Unified standards for limited substantive review.** Establish a national "baseline checkup" so registration institutions across China apply the same review depth, with risk-graded sampling for large datasets (e.g., sampling-rate verification for personal-information datasets, random spot-checks for industrial data).

**3. Alignment between regulators, registration institutions, and courts.** Publish SPC guiding cases and judicial interpretations so registration institutions know what courts will look for. Without alignment, the SPC will reach one conclusion about what valid title looks like and registration institutions will be issuing certificates under a different conception.

**4. Companies should stop treating certificates as a one-stop solution.** Build the underlying compliance documentation regardless: clear data-rights provisions in trading contracts, retained authorization files, processing-activity records, anonymization records. Those documents will outperform a formal-review certificate in court.

**5. Tolerant judicial scrutiny.** Courts should *prefer to credit* certificates from institutions that genuinely conducted substantive review, and should not reject the entire evidentiary effect of a certificate for non-material defects. Data law is still maturing; a "rule of judicial prudence" is more useful than "absolute zero tolerance."

## Why this matters for overseas teams

Three takeaways for foreign counsel and compliance leads engaging with the Chinese data property regime.

- **The registration regime's defensibility is now an open question.** Compliance teams that have been advising clients to obtain a registration certificate as a one-stop ownership-proof are now operating under a closing window. A certificate from a formal-review-only institution may not carry the evidentiary weight clients have been told it does.
- **The SPC has taken the adjudicator's seat.** The "data disputes" case category change reads, on its face, as procedural housekeeping — but the substantive consequence is the *centralization of judicial review over data property rights claims*. Courts now have a dedicated case channel and will produce a body of precedent. Compliance documentation should be built to survive judicial review, not just registration review.
- **Watch which institutions adopt substantive review.** Wang's piece is, among other things, a soft argument that the **Shenzhen Data Exchange and other institutions that have invested in substantive review** will outperform those that haven't, as the regime matures. For overseas counsel advising on data deals tied to a specific registration institution, the choice of institution is now a meaningful risk variable.

The deeper observation in Wang's piece is that **China's data property rights regime is moving through the same maturity sequence as any property-rights system** — from informal claim, to administrative registration, to judicial review. The "rush" stage is ending. What follows depends on whether registration institutions, regulators, and courts can converge on a single standard before the first certificate gets struck down in open court.

---

— Wang Qinglan (王青兰), *数据确权登记热潮,要被司法审查"打回原形"了?* (Will Judicial Review "Reset" the Data Registration Rush?), 青兰数据观察 WeChat Official Account, December 19, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/wvM52Sexl8UWlr_dHD1yBQ)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

## PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer

- Published: 2025-12-15
- Author: DCC Editorial
- Tags: personal-information, pipl, gdpr-comparison, data-protection-officer, commentary
- Laws cited: pipl, personal-info-audit-measures
- Domains: personal-information, enforcement
- URL: https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison/
- Markdown: https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison.md
- Original source: https://mp.weixin.qq.com/s/eTH37QZSCSU6DUxiU6TQ-A
- Original author: 全球法律政策研究 (Global Legal Policy Research Team)
- Original publication: 合规小叨客

### Description

The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC.
Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.

### Body

> *Editor's Note — DCC.*
>
> The Cyberspace Administration of China (CAC) opened, in July 2025, a
> mandatory information-reporting channel for **Personal Information
> Protection Officers (PIPOs, 个人信息保护负责人)** at personal-information
> processors handling data on 1 million or more individuals. The
> announcement is not just procedural — it puts PIPOs onto a CAC-administered
> register, with monitoring, audit triggers, and (per the underlying PIPL
> Article 66 liability regime) personal exposure for the officer.
>
> The Compliance Talker (合规小叨客) global legal policy team published, in
> December 2025, a comparison of China's PIPO under PIPL Article 52 with
> the EU's Data Protection Officer (DPO) under GDPR Articles 37–39. For
> multinational compliance teams who already understand DPO and now need
> to understand PIPO — and especially whether a single individual can serve
> both functions — the comparison surfaces the design choices that make
> the two roles meaningfully different. The article is original (原创) with a
> non-republish clause; DCC summarizes in our own words with attribution.

## What the CAC PIPO reporting announcement requires

The CAC's July 18, 2025 announcement obligates personal-information processors meeting the 1-million-individual threshold to submit PIPO information through the dedicated reporting system at `grxxbh.cacdtsc.cn`. Key parameters:

- **Reporting scope**: PI processors handling 1M+ individuals' PI, plus government agencies and industry associations.
- **Reporting timeline**: Entities meeting the threshold before July 18, 2025 must complete reporting by August 29, 2025. Entities meeting it after must report within 30 business days of crossing the threshold.
- **Update obligation**: Substantive changes must be re-reported within 30 business days.
- **Extraterritorial processors**: Entities subject to PIPL Article 3(2) extraterritorial reach must report through their designated domestic representative.
- **Content**: PIPO name and contact information; PI processing details (employee headcount handling PI, deduplicated); CAC may issue "supplement-and-correct" requests with a 10-business-day response window.

The architecture is one of *registered accountability*: the CAC now has a national register of named individuals personally accountable for PI protection within scoped entities, with administrative jurisdiction to monitor compliance and impose personal liability under PIPL Article 66.

## Where PIPL Article 52 and GDPR Article 37 diverge

The Compliance Talker team's comparison surfaces four design-level differences.

### Triggering threshold: quantity vs. activity

**PIPO threshold** is a flat *quantity* test: PI processors processing the PI of 1M+ individuals must appoint a PIPO. The threshold reads off processing scale, not the nature of the processing activity.

**DPO threshold** under GDPR Article 37 is *activity-based*: a DPO is required if (i) the processing is conducted by a public authority or body, (ii) the controller's or processor's core activities involve regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities involve large-scale processing of special-category data or criminal-conviction data.

The practical consequence: a Chinese SaaS company processing 1.1M users automatically owes PIPO appointment regardless of *what* it does with the data. An EU SaaS company processing the same scale of users may or may not owe DPO appointment, depending on the nature of its monitoring or special-category processing.

### Qualifications: implicit vs. explicit

**PIPL Article 52** is silent on PIPO qualifications. The implementing reference standard is **GB/T 35273** (*Information Security Technology — Personal Information Security Specification*), which sets out the PIPO's duties in detail but does not impose specific certification or experience requirements. In practice, market expectation is for a PIPO to have a data-security or legal background; there is no formal credentialing.

**GDPR Article 37** requires the DPO to be appointed *on the basis of professional qualities*, particularly **expert knowledge of data protection law and practices** and the ability to fulfill GDPR Article 39 tasks. The EDPB's *Guidelines on Data Protection Officers (WP243)* further detail what this expertise must look like in practice.

### Duty scope: similar in structure, different in emphasis

Both roles share a common architecture: internal advisory, monitoring, training, audit, regulator liaison. The differences are emphasis and surface area:

- **PIPO** is, by design, the regulator's eyes inside the company. The GB/T 35273 duty list includes monitoring authorized access policies, conducting PIA, organizing PI security training, pre-launch screening for unknown collection/use/sharing, audits, and direct liaison with regulators. Embedded throughout: PIPO is *responsible for the security work* and "bears direct responsibility" for PI security inside the organization.
- **DPO** is, by design, the data subject's internal advocate. Article 39's list emphasizes *advising the controller/processor* on GDPR obligations, monitoring compliance, advising on DPIAs, cooperating with regulators, and serving as contact point for both regulators and data subjects. GDPR Article 38 mandates *independence*: the DPO may not receive instructions on how to perform the role, may not be dismissed for performing it, and must not be in a position with conflicts of interest.
The two roles share an aim — protecting personal data inside the entity — but they sit in materially different institutional positions.

### Liability: personal exposure vs. corporate-only

This is, in the Compliance Talker team's reading, the *most consequential* difference for compliance leadership.

**PIPL Article 66** imposes administrative liability not only on the entity but also on **directly responsible managers and other directly responsible personnel**. For ordinary violations: warning, confiscation of illegal gains, and **personal fines of RMB 10,000 to 100,000**. For serious violations: the provincial-level CAC may impose **personal fines of RMB 100,000 to 1,000,000** and **prohibit the individual from serving as director, supervisor, senior officer, or PIPO at relevant enterprises** for a defined period.

PIPL Article 52 places the PIPO squarely inside the "directly responsible personnel" envelope when PI protection duties are not performed. The administrative-liability mechanism produces *personal accountability* — the regulatory architecture is explicitly designed to make a named individual feel exposed.

**GDPR**, by contrast, places *no personal liability* on the DPO. GDPR penalties (Articles 83–84) apply to controllers and processors as legal entities. The DPO's independence — protected by Article 38 — is structurally inseparable from the absence of personal liability: a DPO who could be personally fined for the controller's violations could not maintain advisory independence.

The Compliance Talker team frames this concisely: PIPO architecture binds the officer's accountability to the entity's compliance — *the officer's personal exposure is the enforcement lever*. DPO architecture, by contrast, *firewalls* the officer from the entity's liability so the advisory function stays clean.

## Practical implications for multinational compliance teams

The Compliance Talker team offers two cross-cutting practices and several role-specific ones.
**Common practices.**

- *Dynamic role-fit assessment*. Re-assess annually whether the appointed PIPO/DPO still matches the entity's actual processing profile, especially after material changes — entry into a new cross-border data line, AI processing of user data, regulatory updates from CAC or EDPB. If a Chinese subsidiary launches AI processing of customer communications, the PIPO may need AI-compliance background or replacement.
- *Documentation of appointment*. Issue a formal appointment letter specifying role name, duty scope, authority, reporting line, and term, signed by a corporate principal. Update on any change. Without written documentation, regulators may treat the appointment as non-compliant.
- *Group-level discipline*. Group parents should map data processing across subsidiaries to determine which entity is the responsible PI processor — but should *not* intervene in subsidiary-level appointment decisions, which risks "responsibility piercing" up to the parent.

**Role-specific differences.**

- For **PIPO** appointment: focus on coverage of the GB/T 35273 duty list, alignment with internal audit and security functions, and clear management-level reporting to senior leadership.
- For **DPO** appointment: focus on demonstrable expert qualifications, structural independence (no conflicts of interest, direct top-management reporting line, protection from dismissal for performing the role), and accessibility to data subjects.

## Why this matters for overseas teams

The most operational consequence of the comparison: **a single individual cannot, in practice, serve both functions cleanly** — at least not across the same parent entity that has both EU exposure and Chinese exposure at scale.

- A PIPO must accept personal exposure and embed inside the entity's accountability chain.
- A DPO must remain independent of the entity's liability and reporting structure.
A combined appointment risks compromising DPO independence under GDPR Article 38 (if the individual is exposed to PIPL Article 66 personal liability for performing the China role), and risks PIPO non-compliance if the individual is structurally insulated in ways that prevent the duty performance the PIPO regime expects.

Multinational compliance architectures should treat the appointments as distinct functions with distinct individuals, even where the same legal-entity group is the underlying employer. Where the same individual must serve both functions for cost or scale reasons, the appointment-letter architecture should explicitly carve the China role out from the EU role, and the reporting lines should be separated.

The Compliance Talker piece is essentially a translation of two regulatory regimes into a side-by-side institutional comparison. For overseas compliance leads who have spent a decade internalizing the DPO model, the PIPO regime requires unlearning the assumption that data-protection officer roles are functionally equivalent across jurisdictions.

---

— Compliance Talker (合规小叨客) Global Legal Policy Research Team, *中国个人信息保护负责人与海外数据保护官的职责"差异图鉴"* (A "Differences Atlas" of the Responsibilities of China's Personal Information Protection Officer and the Overseas Data Protection Officer), 合规小叨客 WeChat Official Account, December 15, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/eTH37QZSCSU6DUxiU6TQ-A)

*Not legal advice. The above is DCC's structured summary of the source article's comparison; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.*

---

## Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

- Published: 2025-11-20
- Author: DCC Editorial
- Tags: cross-border, trusted-data-space, confidential-computing, data-sovereignty, commentary
- Laws cited: dsl, pipl, csl, cross-border-data-flows-provisions
- Domains: cross-border, data-economy
- URL: https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces/
- Markdown: https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces.md
- Original source: https://mp.weixin.qq.com/s/K0bJsC3XaNCWcws2wZBeCg
- Original author: 全球法律政策研究 (Global Legal Policy Research Team)
- Original publication: 合规小叨客

### Description

Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

### Body

> *Editor's Note — DCC.*
>
> Cross-border data flow attracts a lot of regulatory-comparison
> commentary — most of it focused on the substantive rules. Compliance
> Talker's piece is unusual: it focuses on the **mutual trust
> infrastructure** that makes cross-border flow operationally possible
> in the first place, and frames China's bet on Trusted Data Spaces
> (可信数据空间) as a fundamentally different architectural choice from
> the EU's "rule trust" or the U.S.'s "market trust" model. DCC's
> framing brings out the comparative architecture and the operational
> implications for multinationals trying to operate across all three
> systems.

## The mutual-trust problem

Cross-border data flow growth is enormous — McKinsey projects global data-flow value reaching $11 trillion by 2025. Each 10% increase in data flow raises GDP by 0.2%. Yet international mutual trust mechanisms are radically underdeveloped:

- EU adequacy decisions: as of October 2025, **only 15 countries / regions** have received adequacy.
- The U.S. CLOUD Act creates direct conflicts with non-aligned jurisdictions.
- China operates under DSL / PIPL / CSL with no inbound adequacy from the EU and increasing scrutiny from the U.S.

The consequence: high compliance costs (Meta fined €1.2B for invalid Privacy Shield; TikTok fined €530M for failing to demonstrate equivalent protection in China), data silos (only a tiny fraction of global data crosses borders), and innovation drag in fields requiring cross-border data (autonomous vehicles, biopharma).

The Compliance Talker piece frames cross-border mutual trust as a single problem with three competing architectural answers.

## Three models — rule trust vs market trust vs technology trust

### EU — Rule Trust

The EU model uses GDPR's adequacy framework + SCCs / BCRs. Trust derives from *substantive legal protection equivalence* — if the receiving jurisdiction has "substantially equivalent" privacy protection, data may flow freely; otherwise, contractual safeguards (SCCs / BCRs) substitute.

Strengths: high individual-rights protection; deeply established jurisprudence. Weaknesses: only 15 jurisdictions have achieved adequacy; SCCs / BCRs impose heavy compliance burden; the framework is criticized as a "digital wall." Why the EU runs this model: a long history of strong privacy protection plus a relative scarcity of dominant EU internet platforms means the EU benefits from constraining U.S. tech companies' EU data collection.

### U.S. — Market Trust

The U.S.
model favors data free flow with industry self-regulation + bilateral agreements as the trust substrate. No comprehensive federal data protection law; the **CLOUD Act** asserts "data-controller jurisdiction" — U.S. authorities can reach data held by U.S.-incorporated entities regardless of physical storage location. Mutual trust mechanisms: the EU-U.S. Privacy Shield (struck down in Schrems II 2020), succeeded by the EU-U.S. **Data Privacy Framework** (2023); USMCA-style trade agreements promote U.S. data-governance norms in partner jurisdictions. Strengths: enables Google / Meta / cloud-services global operations. Weaknesses: regulatory under-enforcement; foreign governments object to U.S. extraterritorial reach. ### China — Technology Trust The Compliance Talker team's framing of China's model is the most distinctive contribution of the piece. China's response is not primarily *rules* or *markets* — it's **technology**. The doctrinal foundation: CSL + DSL + PIPL establish the three pathways (security assessment / SCC / certification) for personal information cross-border. **But** the technical infrastructure layer — **Trusted Data Spaces (可信数据空间)** — promises a fundamentally different mutual-trust posture: *data that can be used cross-border while staying invisible to the receiving party*. The NDA's **November 2024 *Trusted Data Space Development Action Plan (2024-2028)*** is the national-level systematic deployment. | | EU "Rule Trust" | U.S. "Market Trust" | China "Technology Trust" | |---|---|---|---| | **Trust source** | Substantive legal equivalence | Industry self-regulation + bilateral agreements | Technical control of data usage | | **Operational vector** | Adequacy / SCC / BCR | CLOUD Act + DPF / USMCA | TDS + confidential computing + blockchain + standard pathways | | **Cross-border friction** | High (legal compliance burden) | Low (for U.S. 
operators) | High but declining (as TDS infrastructure matures) | | **Sovereignty trade-off** | Privacy-rights-centric | Market-access-centric | Sovereignty + technology-controllable | ## What Trusted Data Spaces actually are The TDS Action Plan's vision: a distributed-architecture data collaboration ecosystem implementing **three core capabilities**: - **Data sovereignty controllable** (数据主权可控) - **Joint processing efficient** (联合加工高效) - **Value allocation fair** (价值分配公平) The technical architecture has three layers: - **Infrastructure layer** — cross-border data centers (e.g., Beijing Daxing International Airport "International Data Port") providing storage + compute, with physical-residency provenance. - **Trusted interaction layer** — blockchain attestation + privacy-computing engines providing data-usage audit across the full lifecycle. - **Application service layer** — data rights confirmation, pricing, cross-border settlement tools. **Confidential computing** is the technical core. The premise: cross-border data flow needn't require the receiver to *see* the raw data — it requires that the receiver be able to *use* (compute on) the data within a controlled environment where the data remains encrypted and the data owner retains visibility into how it's being processed. ### Scenario-based grading of mutual-trust mechanisms TDS uses scenario sensitivity to allocate technical approach: - **High-sensitivity scenarios** (e.g., personal health data) — *federated learning + differential privacy*, ensuring original data stays in domain. - **Medium-sensitivity scenarios** (e.g., manufacturing data) — *blockchain attestation + data-element-ization*, ensuring processing is auditable. - **Low-sensitivity scenarios** (e.g., meteorological data) — *open API* for direct flow, prioritizing efficiency. The model handles different sensitivity-level data differently. For high-sensitivity flows the technical bar is high; for low-sensitivity flows the technical bar is low. 
The *uniform substantive rule* is replaced by a *graduated technical architecture*. ## Institutional layering — China's dual-track approach The TDS technical infrastructure is paired with institutional reforms: ### Domestic institutional innovation - **Data classification and grading management** — DSL + Network Data Security Regulation establish the floor; sector-specific catalogues build on top. - **FTZ negative lists** — Beijing, Tianjin, Shanghai, Zhejiang, Hainan publish sector-specific catalogues; data off the list flows cross-border under exemption. - **Data prohibited from cross-border export** — national security / biological genetic / other core sensitive data. ### International institutional convergence China has pursued several institutional vectors for international mutual trust: - **RCEP** — Asia-Pacific Cross-Border Privacy Rules (CBPR) accession negotiation. - **CPTPP application** — including data-flow provisions. - **DEPA application** — Digital Economy Partnership Agreement. - **FTZ offshore data bonded zones** — exploratory international mutual recognition. The Compliance Talker team's read: China is using *technology trust* as the differentiator while institutional convergence catches up — the technical layer can deliver auditable cross-border data flow before the institutional layer (treaty-based mutual recognition) is fully built. ## The operational implications for multinationals ### Implication 1 — TDS may emerge as a practical alternative to standard CAC pathways For data flows that don't qualify for the 2024 CBDF Provisions exemptions, the standard CAC pathways (security assessment / SCC / certification) impose significant friction. TDS-based flows — where data stays in a controlled processing environment with blockchain-attested usage tracking — may offer a third operational vector: cross-border *use* without cross-border *transfer*. This is most relevant for: - **Joint research and development** between China-based and overseas teams. 
- **Pharmaceutical and biotech data analytics** where source data is highly sensitive but analytical results can flow freely. - **AI model training** using Chinese training data without the training data leaving the controlled environment. The TDS Action Plan's 2024-2028 timeline suggests this becomes operationally available within compliance teams' current planning horizon. ### Implication 2 — Cross-border data infrastructure is becoming a strategic asset Beijing's Daxing International Airport "International Data Port" and similar physical infrastructure (cross-border data centers in FTZ-host zones) are emerging as the operational layer where multinationals will route their high-sensitivity China data flows. Foreign-invested entities should evaluate whether their China data infrastructure architecture is positioned to integrate with the TDS framework as it rolls out. ### Implication 3 — The CBPR / CPTPP / DEPA negotiating track matters for long-term posture China's pursuit of international data agreements through CBPR (Asia-Pacific) and applications to CPTPP / DEPA could, over the next 2–4 years, create the *institutional* mutual-trust framework to complement the *technical* one. Multinationals with strong Asia-Pacific operations should watch this track — and may benefit from positioning their China entity to take advantage of CBPR-certified status as the framework matures. ## Why this matters for overseas teams Three takeaways: - **China's cross-border data architecture isn't just "more restrictive" — it's structurally different.** EU mutual trust runs on adequacy + SCCs. U.S. mutual trust runs on CLOUD Act + bilateral executive agreements. China is building mutual trust through *technical architecture* (TDS + confidential computing) layered with institutional channels. Compliance teams that think of China cross-border purely through the EU lens will miss the operational path the technology layer opens. 
- **TDS is not a marketing concept — it's national infrastructure.** The NDA's 2024-2028 Action Plan, the Beijing Daxing International Data Port, the FTZ pilots all signal that TDS is being built as production-grade infrastructure, not a research demo. Compliance architects planning 3-5 year cross-border data strategy should treat TDS-based flows as a credible future option, not science fiction. - **The compliance friction calculus may invert.** Today, China cross-border data flow is significantly more friction-heavy than EU or U.S. cross-border. By 2027-2028, for compliant use cases that fit TDS architecture (joint R&D, analytics on sensitive data, AI training), the friction may invert — TDS-based flow may be operationally simpler than EU SCCs or U.S. discovery exposure. The deeper point in the Compliance Talker piece is that **China is making a sustained, infrastructure-level bet that the cross-border-data problem can be solved through technical control rather than substantive-rule equivalence**. For overseas counsel watching Chinese data policy, this is the most consequential strategic move underway — and it deserves serious operational attention. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 数据要素跨境流动互信机制研究——探索兼顾安全与效率的互信机制* (Research on Mutual Trust Mechanisms for Cross-Border Data-Element Flow — Exploring Trust Mechanisms Balancing Safety and Efficiency), 合规小叨客 WeChat Official Account, November 20, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/K0bJsC3XaNCWcws2wZBeCg) *Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. 
The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers - Published: 2025-10-28 - Author: DCC Editorial - Tags: facial-recognition, frt-measures, sensitive-personal-information, filing-regime, commentary - Laws cited: facial-recognition-technology-application-measures, facial-recognition-judicial-interpretation, pipl - Domains: personal-information, enforcement - URL: https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact/ - Markdown: https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact.md - Original source: https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g - Original author: 全球法律政策研究 (Global Legal Policy Research Team) - Original publication: 合规小叨客 ### Description The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough. ### Body > *Editor's Note — DCC.* > > The *Administrative Measures for the Application Security of Facial > Recognition Technology* (《人脸识别技术应用安全管理办法》) — China's > first standalone facial-recognition statute — were jointly issued by > CAC and MPS on March 20, 2025 and took effect June 1, 2025. The > *Announcement on Conducting FRT Filing Work* of May 28, 2025 added > the operational filing procedure. 
Compliance Talker's team produced a > detailed walk-through five months after effective date — the > compliance picture has stabilized enough to deliver concrete > operational guidance. DCC's framing emphasizes what the rules > actually require of overseas-facing FRT deployments. ## Scope — what the Measures apply to The Measures apply to: *"the application of facial recognition technology to process facial information within the territory of the PRC."* The scope is **focused and specific** — facial-feature-based biometric identification using already-collected facial information to identify or verify individuals. Two operational modes are covered: - **One-to-one** verification — comparing a captured face against a single specific stored facial record to verify identity. Example use cases: airport / high-speed-rail identity verification against ID documents; mobile payment / online banking facial login. - **One-to-many** recognition — comparing a captured face against a database of records to identify a specific individual. Example use cases: public-security suspect tracking; missing-person searches; mall and office-building security; school attendance; hotel self-check-in. The Measures **do not apply** to FRT used for technology R&D or algorithm training. (Those activities remain subject to PIPL, the sensitive-PI rules under TC260 guidance, and other data-compliance regimes — but not the Measures themselves.) ## Seven concrete obligations the Measures impose ### 1. The non-exclusive-use rule > *"Where the same purpose or business requirement can be achieved through non-facial-recognition technology, FRT shall not be the sole verification method. Where otherwise provided by the State, follow those provisions."* This is the *necessity test*, codified. For most identity-verification scenarios — app login, in-person service identity check — at least one non-FRT alternative (SMS code, ID document check, etc.) must be provided. 
The technical implementation should avoid *"default-tick"* or *"hidden skip"* dark patterns that nudge users toward FRT. Where FRT is the only viable verification method (in narrow technical scenarios), the data handler must produce a *multi-modal verification analysis report* documenting why other methods are not feasible — for example, demonstrably inferior accuracy or efficiency, or disproportionate business cost of alternatives. ### 2. Preferred use of national-identity infrastructure For one-to-one verification scenarios, the Measures encourage *priority use of the **National Population Basic Information Database** and the **National Network Identity Authentication Public Service***. The implication: where regulated identity verification is needed (e.g., real-name registration), use the state-provided identity infrastructure rather than building independent FRT systems. ### 3. Prohibition on coerced FRT consent No organization or individual may, for reasons of *"providing services" or "improving service quality,"* mislead, deceive, or coerce individuals into accepting FRT-based identity verification. The hard-stop matters for product designers who use friction or feature gating to push users toward FRT. ### 4. Public-space deployment rules For FRT devices in public spaces: - Deployment must be **necessary for public security**. - The **collection area must be lawfully and reasonably determined**. - **Visible notice signs** must be set up. - **No FRT in private spaces** within public venues — explicitly: hotel guest rooms, public bathhouses, public changing rooms, public toilets. (The latter list responds to documented incidents — see the 2025 Shanghai swimming-pool changing-room case the Compliance Talker team cites.) ### 5. 
Technical security measures FRT application systems must implement: *data encryption, security audit, access control, authorization management, intrusion detection and defense.* The list is referenced from existing TC260 / GB standards, now made mandatory under the Measures. ### 6. End-side storage default > *"Facial information shall be stored within facial recognition equipment. It shall not be transmitted externally via the internet, except where otherwise provided by laws / administrative regulations, or with separate individual consent."* This is **the most operationally consequential provision** in the Measures. The default is **end-side storage** — facial information stays on the device that collected it. Cloud storage and external transmission are *prohibited* absent (a) statutory authorization or (b) **separate individual consent**. The Measures upgrade what was previously a TC260 recommended-standard preference (end-side storage) into a **mandatory legal requirement**. The compliance implication for an FRT product: - *"Non-essential, non-stored"* — FRT data should be processed and deleted (or anonymized) where possible. - Where storage is necessary, **end-side storage by default**. - Where cloud storage or external transmission is needed, **product design must include a consent prompt (pop-up or checkbox)** obtaining separate individual consent, and the data must be encrypted in transit and at rest. ### 7. 100,000-record filing trigger — the regulatory headline > *"PI handlers shall, within 30 working days from the date when the stored facial information processed using FRT reaches 100,000 individuals, perform filing procedures with the provincial-level or higher CAC of their location."* The filing regime is China's third major direct-supervisory channel alongside data-export filing and large-model algorithm filing. 
Specific operational parameters: - **Counting unit**: number of *individuals* whose facial data is stored (deduplicated), not number of records. - **Cumulative basis**: historical accumulated stored count (cache that's "used and deleted" generally excluded; end-side-stored data inaccessible remotely is generally excluded). - **Excluded scenarios**: FRT R&D and algorithm training are out of scope. - **Filing trigger**: 30 business days after crossing the 100k threshold. - **Filing materials**: processing rules, security measures, evaluation report, and other materials specified in the *FRT Filing Announcement* (May 28, 2025). - **Material change re-filing**: substantial changes to processing volume or method require re-filing. - **Filing cancellation**: discontinuation of FRT use requires cancellation filing. The 100,000 threshold is meaningfully *higher* than the 10,000 threshold in the 2023 draft for public consultation. The Compliance Talker team's reading: the regulator chose to *raise the threshold* to reduce compliance burden on smaller deployments while concentrating enforcement attention on larger-scale FRT operators. 
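The counting parameters above, turned into a threshold monitor of the kind the Compliance Talker playbook calls a "dynamic counting and threshold-alert system". This is an added illustration, not code from the Measures, the Filing Announcement or Compliance Talker; it counts deduplicated individuals on a cumulative basis, excludes cache-only and non-remotely-accessible end-side data, and computes the 30-working-day deadline. The storage-mode categories, the pseudonymous subject identifiers, Monday-to-Friday working days minus a caller-supplied holiday set, and a window that starts on the working day after the crossing date are all assumptions.

```python
"""Added illustration of the FRT Measures' 100,000-individual filing trigger.

Not code from the Measures, the Filing Announcement or Compliance Talker.
Counting rules encoded: distinct individuals (not records), cumulative
(deletions never reduce the count), with cache-only and non-remotely-
accessible end-side data excluded. Assumptions: the storage-mode categories,
the pseudonymous subject identifiers, Monday-Friday working days minus a
caller-supplied holiday set, and a 30-working-day window that starts on the
working day after the crossing date.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import FrozenSet, Iterable, Optional, Set

FILING_THRESHOLD = 100_000          # individuals, per the Measures
FILING_WINDOW_WORKING_DAYS = 30     # working days from the crossing date


class StorageMode(Enum):
    """Where a facial template is held (the categories are an assumption)."""
    CACHE_ONLY = "cache_only"             # used and deleted: generally excluded
    END_SIDE = "end_side"                 # on-device, no remote access: generally excluded
    END_SIDE_REMOTE = "end_side_remote"   # on-device but remotely retrievable: counted
    CENTRAL = "central"                   # server or cloud storage: counted


COUNTED_MODES = {StorageMode.END_SIDE_REMOTE, StorageMode.CENTRAL}


@dataclass(frozen=True)
class StorageEvent:
    subject_id: str          # pseudonymous identifier of the individual
    mode: StorageMode
    stored_on: date
    record_count: int = 1    # templates stored; extra templates never add individuals


def add_working_days(start: date, n: int, holidays: FrozenSet[date]) -> date:
    """Advance n working days past `start`; weekends and holidays are skipped."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class ThresholdMonitor:
    holidays: FrozenSet[date] = frozenset()
    threshold_crossed_on: Optional[date] = None
    _individuals: Set[str] = field(default_factory=set)
    _records: int = 0

    def record(self, event: StorageEvent) -> int:
        """Register a storage event and return the current individual count."""
        if event.mode not in COUNTED_MODES:
            return len(self._individuals)        # excluded scenario: no effect
        before = len(self._individuals)
        self._individuals.add(event.subject_id)  # deduplicates by individual
        self._records += event.record_count
        after = len(self._individuals)
        if self.threshold_crossed_on is None and before < FILING_THRESHOLD <= after:
            self.threshold_crossed_on = event.stored_on
        return after

    def stored_individuals(self) -> int:
        return len(self._individuals)

    def stored_records(self) -> int:
        return self._records

    def filing_required(self) -> bool:
        return self.threshold_crossed_on is not None

    def filing_deadline(self) -> Optional[date]:
        if self.threshold_crossed_on is None:
            return None
        return add_working_days(self.threshold_crossed_on,
                                FILING_WINDOW_WORKING_DAYS, self.holidays)


def run_constructed_scenario(holidays_iso: Iterable[str] = ()) -> ThresholdMonitor:
    """Constructed sample data: 99,999 centrally stored individuals, then events
    that must not move the count, then the 100,000th on Monday 2025-10-06."""
    holidays = frozenset(date.fromisoformat(s) for s in holidays_iso)
    monitor = ThresholdMonitor(holidays=holidays)
    day = date(2025, 10, 1)
    for i in range(99_999):
        monitor.record(StorageEvent(f"subj-{i:06d}", StorageMode.CENTRAL, day))
    # three more templates of an already-counted person: records rise, individuals do not
    monitor.record(StorageEvent("subj-000001", StorageMode.CENTRAL, day, record_count=3))
    # cache-only and non-remote end-side data are excluded from the count
    monitor.record(StorageEvent("subj-cache", StorageMode.CACHE_ONLY, day))
    monitor.record(StorageEvent("subj-kiosk", StorageMode.END_SIDE, day))
    # the 100,000th distinct individual crosses the threshold
    monitor.record(StorageEvent("subj-099999", StorageMode.END_SIDE_REMOTE, date(2025, 10, 6)))
    return monitor


if __name__ == "__main__":
    m = run_constructed_scenario()
    print(m.stored_individuals(), m.stored_records(), m.threshold_crossed_on, m.filing_deadline())
```

Whether a given end-side deployment is "inaccessible remotely", and which holidays count, are facts the compliance team has to establish; the monitor only makes the consequence of those classifications explicit.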
## Statutory underpinnings the Measures reinforce The Measures don't create new PIPL obligations — they make existing PIPL obligations concrete for the FRT context: | Measures Provision | PIPL Anchor | |---|---| | Specific purpose + necessity + minimum-impact protection | PIPL Article 6 (purpose limitation + necessity) | | Notice obligation | PIPL Articles 17, 30 | | Separate, voluntary, explicit consent | PIPL Article 29 (sensitive PI); Article 31 (minors under 14 — parent/guardian consent) | | Pre-deployment Personal Information Impact Assessment | PIPL Article 55 (PIA mandatory for sensitive PI) | | Maximum-necessary storage duration | PIPL Article 19 | The Measures stack on top of the existing standards (**GB/T 44248-2024**, **GB/T 41819-2022**) and judicial framework (the **SPC FRT Judicial Interpretation** — see [DCC's law page](/laws/facial-recognition-judicial-interpretation/)). ## Why the Measures came out when they did The Compliance Talker team identifies two drivers: - **Legislative trajectory** — PIPL Article 62 directed the development of FRT-specific implementation rules. The Measures are that delivery. - **Enforcement-pull from documented FRT misuse cases** — a 2024 Zhoushan real-estate firm collected facial data of viewing customers without consent for commission settlement; a 2025 Shanghai swimming-pool installed FRT in a changing room. These cases drove regulatory urgency. The Measures' regulatory model is *dual-track*: **full-lifecycle management** (collection / storage / transmission / destruction, with closed-loop controls) **+ scenario-based grading** (public-safety scenarios permitted with conditions, private spaces flatly prohibited). ## Implementation guidance for foreign-invested entities The Compliance Talker team gives a long operational playbook. 
Three of the most important items for overseas firms: ### Implementation 1 — Verification design audit For any business flow that uses FRT for identity verification (app login, in-person service check, employee access control): - Implement at least one non-FRT alternative (SMS, document check, password, hardware key). - The non-FRT alternative must be *reasonably available* — no dark patterns ("default-checked FRT option," "hidden skip button") that push users toward FRT. - If FRT must be the sole method, prepare a *multi-modal verification analysis report* documenting why non-FRT alternatives are unsuitable (accuracy / efficiency / cost differential). ### Implementation 2 — Storage architecture rebuild For FRT data currently transmitted to the cloud or to centralized servers: - Default to **end-side storage**. - Where central / cloud storage is required, redesign the consent UI: explicit pop-up or checkbox obtaining separate consent before any external transmission. - Encrypt at rest and in transit. - Build the *dynamic counting and threshold-alert system* to monitor stored individual count and trigger filing process at the 100k threshold. ### Implementation 3 — Filing workflow For entities with FRT stored data approaching or above 100k individuals: - **Existing systems**: inventory storage distribution and total count. If already ≥100k individuals, complete filing per the *FRT Filing Announcement* with the provincial-level CAC. - **New systems**: build pre-deployment filing into product launch workflow. Track storage growth; file within 30 business days of crossing 100k. - **Material changes**: process re-filing for substantial volume changes or processing-method changes. The filing timeline: - Entities exceeding 100k at the time the Measures took effect (June 1, 2025): files due within 30 business days from the date the threshold was exceeded. 
- Entities exceeding 100k after the effective date: files due within 30 business days from the date the threshold is exceeded. ## Why this matters for overseas teams Three takeaways: - **The 100k filing threshold is the headline operational change.** Foreign-invested entities running FRT deployments at any scale should immediately benchmark their stored-individual counts. A 100k+ deployment without filing is now a direct violation; entities approaching the threshold should architect for filing readiness. - **The end-side storage default rebuilds product architecture.** Cloud-based facial recognition products are now legally disfavored by default. The compliance architecture for new FRT products in China should assume end-side storage as the baseline, with cloud only as a separately-consented exception. This will materially affect how foreign FRT vendors structure their China product offerings. - **The non-exclusive-use rule changes user-experience design.** Product flows that pushed users toward FRT through default-tick / hidden-skip patterns are now non-compliant. UX reviews should specifically check for these patterns and offer reasonably accessible alternatives. The deeper point in the Compliance Talker piece is that **FRT regulation in China has matured from principle-based PIPL provisions into operational rules with specific filing channels**. Compliance teams should now treat FRT as a *separately supervised* category — alongside cross-border data export and large-model algorithm filing — rather than as one application of general PI compliance. --- — Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 《人脸识别技术应用安全管理办法》解读与企业影响分析* (Interpretation of the Administrative Measures for the Application Security of Facial Recognition Technology and Enterprise Impact Analysis), 合规小叨客 WeChat Official Account, October 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g) *Not legal advice. 
The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.* --- ## How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan - Published: 2025-10-16 - Author: DCC Editorial - Tags: important-data, data-classification, cross-border, dsl, commentary - Laws cited: dsl, csl, network-data-security-regulations, data-export-security-assessment-measures, cross-border-data-flows-provisions - Domains: data-security, cross-border - URL: https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data/ - Markdown: https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data.md - Original source: https://mp.weixin.qq.com/s/eAD9Zhd-cbA5umcLoU9rxA - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data. ### Body > *Editor's Note — DCC.* > > "Important data" (重要数据) is a uniquely Chinese legal concept that > overseas compliance teams stub their toes on more often than any other > piece of vocabulary in the regime. Wang Qinglan — legal-tech PhD, > post-doctoral computer scientist, head of compliance at a Chinese data > exchange — wrote this piece as a deliberately plain-language explainer. 
> The 邪修 ("unorthodox") shortcut in her title is the part most > compliance practitioners will find immediately useful: a thought > experiment that captures the regulatory intent better than any of the > formal definitions. We summarize her argument with DCC framing for > overseas counsel, including the international comparison and the > identification method — but the metaphor at the heart of this piece is > hers. ## What "important data" is — and isn't Wang frames important data as the **VIP tier** of the Chinese data classification regime. Two attributes define it: - **Importance** — the data relates to a specific sector (e.g., finance, telecom, healthcare), a specific population (e.g., military, government), or a specific geography (e.g., classified locations); or it has unusual precision (e.g., high-precision maps); or it has unusual scale (e.g., statistics on 10 million people). - **Harm severity** — if the data were tampered with, damaged, leaked, unlawfully acquired, or misused, the consequence could threaten national security, disrupt economic order, undermine social stability, or affect the health and safety of the population. The DSL formalized a three-tier classification in 2021: **general data** (一般数据), **important data** (重要数据), and **core data** (核心数据). Important data and core data are the protected tiers. Core data is the VVIP — data so important that its compromise would cause "major trouble" for the state. ## Why China created the category — and why no one else has Wang's historical note: "important data" first appeared in Article 37 of the **Cybersecurity Law** (2016), which required Critical Information Infrastructure Operators to store important data domestically and run a security assessment before any cross-border transfer. The **Data Security Law** (2021) then built out the classification-and-grading regime and the important-data protection framework. 
China is, by Wang's reading, the first major jurisdiction in the world to make "important data" a defined legal concept. The point of the category, Wang argues, is **proactive perimeter-drawing**. Western jurisdictions tend toward *reactive* mechanisms: national security review of specific transactions, export controls on specific items, CFIUS-style screening for specific deals. China codifies the perimeter up front: a defined category of data, with mandatory localization and pre-export assessment, regardless of who is moving it or why.

She compares the four major non-Chinese approaches:

- **United States — Controlled Unclassified Information (CUI).** Created by Executive Order 13556 (2010). Covers law-enforcement information, personal privacy, trade secrets, and national-security-adjacent sensitive data. *But:* CUI only governs data held by federal agencies, not the private sector's own data. Cross-border CUI transfer is restricted through a patchwork — Export Control Reform Act for military and dual-use tech; CFIUS review for transactional risk; intelligence-sharing agreements; sector-specific health-data and financial-data rules. There is no single CUI cross-border regime.
- **European Union — GDPR adequacy.** GDPR contains no "important data" category and no "national security data" category. Its cross-border regime is centered on *individual privacy*: data may flow to a third country if the European Commission has issued an "adequacy decision" recognizing that country's protection level (Japan, Korea, the UK, etc. have it; the U.S. operates through the Data Privacy Framework). Where adequacy is absent, transfer requires Standard Contractual Clauses, Binding Corporate Rules, or another safeguard. National security exceptions exist at member-state level (France and Germany invoke them for defense and CII data) but there is no EU-wide *important data* concept. The Data Act and Data Governance Act protect non-personal data through trade-secrecy and access-restriction routes, not through a defined sensitivity category.
- **Japan — APPI plus CII Security Law.** Japan secured EU adequacy in 2019 (first Asian country to do so). Its APPI requires consent or contractual safeguards for cross-border PI transfer. The CII Security Law layers security obligations onto operators of critical systems. No explicit "important data" catalogue — instead, guidance and industry standards identify "important personal information" or "sensitive information" requiring additional protection. The Japan model: high PI protection + sector security law, in exchange for international data flow.
- **Korea — PIPA plus security legislation.** Korea earned EU adequacy in 2021 (second in Asia). PIPA restricts cross-border PI transfer absent consent or comparable safeguards. Defense and intelligence-sector data is restricted by special legislation. Like Japan, Korea trades slightly more openness for participation in the global digital economy, in contrast with China's more closed approach.

The closest international parallel to "important data," Wang notes, is **Vietnam**, which has adopted a similar concept but has not yet promulgated implementation rules.

## Why cross-border is the choke point

The reason important data attracts so much attention, Wang argues, is that the cross-border vector is where the national-security risk crystallizes. *Domestic* mishandling of important data is an internal problem; *cross-border* mishandling becomes a potential weapon in the hands of a foreign actor.

The Chinese cross-border important-data regime:

- **Default localization.** Important data, as a rule, must be stored within China (DSL + CSL).
- **Pre-export security assessment.** Cross-border transfer requires a security assessment under the *Measures for the Security Assessment of Data Export* (2022). The assessment is triggered by any export of important data, whether or not the transferor is a CIIO; the CIIO distinction in the Measures affects the thresholds for personal-information exports, not the treatment of important data.
- **No alternative path.** Unlike personal information — which has three cross-border pathways (security assessment / standard contract / certification) — important data has only one path: security assessment. There is no SCC or certification shortcut.
- **The 2024 exemption.** The *Provisions on Promoting and Regulating Cross-Border Data Flow* (March 2024) introduced a critical practical relief: **if no regulator or sectoral catalogue has notified you that your data is "important data," you are not required to declare it as such**. The data transfer will not be deemed unlawful for failure to treat it as important data. This shifts the identification burden away from a pure self-assessment posture and toward a regulator-led notification model.

## Three methods to identify important data in practice

This is the operationally useful core of Wang's piece. Three identification methods, applied in sequence:

### Method 1 — Sectoral catalogue or guideline

"Whoever supervises is responsible for identifying" (谁主管谁负责). Each sector regulator is expected to publish its own important-data catalogue and identification rules. Some examples:

- **Geographic / surveying data** — Ministry of Natural Resources.
- **Financial data** — People's Bank of China + financial-sector regulators.
- **Automotive data** — *Automotive Data Security Management Provisions (Trial)* (2021) listed vehicle traffic data and charging-network operational data as important data. The *Automotive Data Export Security Guide (2026 Edition)* (8 ministries, Jan 2026) added 27 categories / 51 important data items across R&D, manufacturing, autonomous driving, OTA, and connected-operations scenarios — the first sector-level "full catalogue" published.
- **Telecom / industrial data** — MIIT-led, with sector standards still developing.
For sectors with published catalogues, identification is a checklist exercise.

### Method 2 — National standard reference

Where no sectoral catalogue exists, the operational reference is **GB/T 43697-2024 (*Data Security Technology — Rules for Data Classification and Grading*)** and its **Annex G — Important Data Identification Guide**. Annex G provides identification dimensions (sector / population / geography / aggregation effect / precision) that compliance teams can apply to their own data sets. This is still a self-assessment posture — but anchored to a national standard rather than free-form judgment.

### Method 3 — The "unorthodox" thought experiment

Wang's contribution to the operational literature is what she calls the **邪修 ("unorthodox") method**: a plain-language thought experiment that captures the regulator's underlying intent.

> *"If a hostile foreign actor obtained this data, could they use it to cause trouble for China — politically, economically, socially, or for public health and safety?"*

If the answer is *probably yes* — treat it as important data, regardless of whether any sectoral catalogue has named it.

Her illustrative example: a data exchange's subsidiary aggregated bulk transaction data and sold it to a foreign institution. The aggregated data was then used in foreign analyses framing the Chinese economy as collapsing — which the regulator viewed as a national-security harm. The company was sanctioned. The thought experiment, applied prospectively, would have caught this.

Wang's framing: this is not a substitute for the formal identification methods, but a *cross-check*. When the catalogue says no but the thought experiment says yes — escalate. When the thought experiment says no — most ordinary business data will not become important data merely through aggregation.
### Free-trade-zone negative lists (regional supplement)

Beyond the three sector-and-national methods, Free Trade Zones (FTZs) have been permitted to publish their own data-export negative lists. Data on an FTZ's negative list must leave through the standard CAC pathways (security assessment, standard contract, or certification, depending on the data); data off the list is exempt from those formalities. FTZ negative lists currently published include Tianjin, **Beijing** (the 2025 version expanded to all of Beijing with 9 sectors / 67 scenarios / 612 fields), **Shanghai**, and **Guangxi**. The negative-list mechanism is the most practical operational tool overseas teams can leverage when transferring data through these regions.

## What Wang's piece tells overseas compliance teams

The piece reads as a primer for a Chinese audience, but four implications matter operationally for overseas counsel:

- **You probably aren't holding important data by accident.** The 2024 CBDF Provisions Article 2 exemption — *"if no regulator has notified you and your data isn't on any published catalogue, you don't need to declare it as important data"* — is the most important practical relief in this regime. For most ordinary business data, a documented self-assessment showing the absence of catalogue inclusion is sufficient.
- **Sector catalogues are the dominant identification vector going forward.** The 2026 automotive guide is the template. Compliance teams in finance, healthcare, telecom, geographic / surveying, and AI sectors should expect to operate against published catalogues within 12–24 months. Build the classification framework against an evolving catalogue, not against a static one.
- **Aggregation is the most common failure mode.** Wang's case — bulk transaction data + foreign sale + adverse analytical use — is the canonical important-data failure pattern. Compliance teams should pay particular attention to the aggregation step, not just the source data classification.
- **FTZs are the operational lever.** If a multinational has operations in Beijing, Shanghai, Tianjin, or other FTZ-hosting zones, the negative-list mechanism is the cleanest way to operate cross-border. Map flows to negative lists where possible; flows outside the list move under the negative-list exemption.

The deeper point in Wang's piece is that **the Chinese important-data regime is a different *architecture* of cross-border data control**, not a more or less strict version of the GDPR-style adequacy regime. Overseas teams that internalize the Subject × Object framework (see [DCC's Overview page](/overview/)) and the sector-catalogue identification pattern will operate the regime efficiently. Teams that try to retrofit the Chinese regime into Western analogies will spend the next few years frustrated.

---

— Wang Qinglan (王青兰), *重要数据咋判断?这招"邪修"办法,小白也能看懂!* (How to Identify Important Data? An Unorthodox Method Even Beginners Can Understand), 青兰数据观察 WeChat Official Account, October 16, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/eAD9Zhd-cbA5umcLoU9rxA)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

## What Is Data, Really? — A Plain-Language Primer on Rules and Compliance

- Published: 2025-08-28
- Author: DCC Editorial
- Tags: data-fundamentals, data-governance, compliance-architecture, commentary
- Laws cited: dsl, data-foundation-system-opinions
- Domains: data-economy, data-security
- URL: https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer/
- Markdown: https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer.md
- Original source: https://mp.weixin.qq.com/s/Dn4hlPZUHJOuUkLYzoaGLA
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow.

### Body

> *Editor's Note — DCC.*
>
> A surprising number of overseas data-compliance discussions skip the
> foundational question — *what is data*? — and jump straight into
> classification regimes, lawful bases, and cross-border paths. Wang
> Qinglan's primer fills the gap with a toy storage room metaphor that
> overseas readers will find unusually accessible. The piece is a sequel
> to her [data governance / management / compliance disambiguation](/posts/qinglan-data-governance-management-compliance-disambiguation/),
> and reads cleanly as a stand-alone primer too. DCC's framing
> emphasizes where the conceptual building blocks anchor to the formal
> Chinese regime.

## Data isn't "records" — it's records made under rules

Wang opens with an exercise.
Imagine you're cataloguing the toy cars in your home storage room and someone hands you this string:

> *"3+, mom, cherry red, 3-6, square, red, 2023, ages 3 to 6, plastic, ef555, 250, Shenzhen, 239,85,82, pre-school..."*

That's raw recording — observations captured in arbitrary form. If you tried to put this into Excel, you'd be unable to count anything. *"Red," "cherry red," "ef555," "239,85,82"* — all describing color, in incompatible formats. *"3+," "3-6," "pre-school"* — all describing age, in incompatible formats.

So Wang's first move: a working definition. *Data is the objective recording — under rules — of phenomena relevant to the business.* The rules are what separate **data garbage** from data that can be turned into a **data resource**, and ultimately a **data asset**.

The Chinese regulatory regime's three-tier vocabulary (per the NDA *Common Data Terms (First Batch)*) maps onto this:

- **Raw data** (原始数据) — first-collected recordings, unprocessed.
- **Data resources** (数据资源) — raw data, primarily processed, with potential for value creation.
- **Data assets** (数据资产) — data resources that are lawfully held or controlled, can be measured in monetary terms, and can produce economic or social benefit.

The progression *raw → resource → asset* requires rules at every step.

## What rules look like, concretely

To turn the cluttered toy-car notebook into something useful, Wang prescribes four kinds of rule. Each maps onto a formal compliance vocabulary overseas readers will recognize.

### Rule 1 — "Required dropdowns": master data and metadata

You don't let people type "big car" or "excavator-thing" in the type field. You constrain the field to a fixed enumeration: *engineering vehicle / car / racecar / motorcycle / other.* Same for color, age range, weight, etc.

This is **master data management** + **metadata management**. The fields are typed; the values are constrained; the recording is consistent across users. Wang's example is Taobao's typed inputs (quantity, color, size are dropdowns, not free text) — the architecture is identical.

### Rule 2 — Unified standards: ontology

"Battery capacity 6000mAh" / "2 hours charging gives 1 hour of play" / "excellent battery life" — three ways to describe the same thing. None of them comparable. None of them queryable.

The rule fix: define an ontology of measurable attributes. Battery life is measured in `mAh`. Playtime is measured in `hours`. Now the data is comparable and the records support analysis.

### Rule 3 — Automated capture: digital business process

Install a simple sensor in the storage cabinet. Take a toy out — clock starts. Put it back — clock stops. The "playtime" attribute is captured *automatically*, with no manual error.

In enterprise data-compliance vocabulary: **digitalize the business process**. Don't capture data from human attestation; capture it from instrumented systems. This is what the NDR's *risk assessment* and *security incident response* obligations assume — that the underlying business processes are digitalized and observable.

### Rule 4 — Hard requirements: the law

"This data must be stored within China." This is not a design choice — it's a hard requirement that overrides everything else. It must be in the rulebook.

For the storage room, this might be: "Receipts and bills tied to toys must be retained as records for tax purposes." For an enterprise: "Important data must be stored in the PRC." "Sensitive personal information requires separate consent." "Cross-border transfer of PI above the threshold requires CAC security assessment." These are the **legal floor** rules — they bound everything the rulebook can authorize.

When all four rule types are combined, the storage room has a **Family Toy Car Data Pact** — a written record-keeping standard that turns raw observations into a usable data resource. Wang's metaphor: an enterprise's data governance framework is the same pact, scaled up.
## What compliance actually means

With the Pact in place, the question shifts: *am I following it?* This is compliance.

Wang's three-tier taxonomy (introduced in her [previous primer](/posts/qinglan-data-governance-management-compliance-disambiguation/)) reappears:

- **Legal rules** (法规) — what the law mandates. "Important data must stay in country."
- **Ethical rules** (德规) — what the enterprise voluntarily commits to. "Don't sloppily fill in records to make our reports look good."
- **Promised rules** (诺规) — what the enterprise publicly promised. "Toy usage times accurate to the minute."

All three end up in the Pact. All three must be followed.

The compliance workflow Wang describes — *"three steps, in plain language"* — is the operational discipline:

### Step 1 — Select the rules

Decide which rules apply. Two inputs:

- *What is the storage room's situation?* — i.e., the enterprise's internal and external compliance environment.
- *Who interacts with the storage room and what do they want?* — i.e., stakeholder requirements.

But you cannot select *every* rule that might apply. Wang cites Professor **Chen Ruihua** (陈瑞华)'s **risk-oriented compliance model** — focus first on the highest-risk *mandatory* rules. PIPL Article 29's separate-consent requirement for sensitive PI is the storage-room equivalent of "don't leave sharp toys in reach of toddlers." Miss it once and the consequence is a regulatory or reputational injury.

Beyond the legal floor, there are *optional* rules — annual data security assessments, industry ethical standards, public commitments to customers. These aren't mandatory, but they earn trust from regulators, partners, and customers.

Critically, rule-selection is **not a once-and-done exercise**. New business lines, new jurisdictions, new regulations all trigger re-selection. The discipline is "accurate *and* dynamic."

### Step 2 — Allocate the responsibility

The selected rules become a **compliance obligation register**. Each obligation gets:

- An *owner* — whose job is it?
- A *process* — what concrete workflow embodies the obligation? ("PI processing requires 3-tier approval.")
- A *control* — how does the owner verify the process worked?

Wang's storage-room version: "Daddy collects engineering vehicles; Mommy collects regular cars; child collects blocks." The rule has names attached.

This is also the moment where external rules become **internalized institutional culture**. Without internalization, the rule lives only in the obligation register — a paper compliance program. With internalization, it becomes how the organization actually behaves.

### Step 3 — Execute

This is the simplest step in concept and the hardest in practice. *Do the things on the obligation register.* If you don't do them, you have a compliance failure — possibly a compliance risk event.

Wang's risk taxonomy:

- **Inherent risk** — the risk before any controls. Storage room with no lock and no rules: theft is just a matter of time.
- **Residual risk** — the risk after controls are in place. Lock installed, rules written, but someone occasionally forgets the lock. Risk reduced but not zero.

Wang's blunt observation: *"It's impossible to be 100% compliant — humans are uncertain, business is dynamic, there's always something to adjust."* What matters is the framework — risk-allocated obligations, written process, executable controls.

## Two organizational shapes for the compliance system

Wang's practical advice on building the compliance system:

- **By position (job role).** "Customer-facing staff protect user info; operations record data sources." Each role has a defined set of obligations.
- **By business process.** "From data collection → storage → use, each step has its own controls." Each step has a defined set of obligations.

Both work. Pick whichever organizational shape fits the enterprise. Either way, the *clear logic* matters more than the *absolute zero-error target*.
## Why this matters for overseas compliance teams

Three operational takeaways from Wang's primer:

- **Don't skip the "what is data" question.** Many overseas counsel jump from PIPL provisions straight to lawful-basis analysis, missing that the enterprise has not yet *operationalized* what counts as data, what attributes it carries, and where the records are. The PIPL framework only works once the underlying data is well-formed. *Build the master data + metadata layer first.*
- **The three-tier compliance taxonomy is not just academic.** A compliance team that conflates *legal floor* with *ethical commitment* either over-burdens itself (treating optional commitments with mandatory rigor) or under-protects (treating mandatory rules with optional flexibility). Wang's three-tier model is the practical sorting mechanism.
- **Inherent vs residual risk are the diagnostic axes.** When something goes wrong, the first question is which one: was the inherent risk un-controlled (no rule for this scenario), or was a control bypassed (rule existed but not followed)? Different diagnoses, different fixes.

The deeper point in Wang's piece is that **data compliance starts before the law**. The law constrains what an enterprise can do with data; but the enterprise's *data-handling discipline* — what counts as data, what rules govern it, who owns each rule — determines whether compliance is achievable at all. Without the discipline, no amount of legal review will produce a compliant operation.

---

— Wang Qinglan (王青兰), *数据的奇妙真相:从生活实例看它的真面目* (The Magical Truth About Data — Seeing Its Real Face Through Everyday Examples), 青兰数据观察 WeChat Official Account, August 28, 2025. [Original article (Chinese).](https://mp.weixin.qq.com/s/Dn4hlPZUHJOuUkLYzoaGLA)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

## Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation

- Published: 2025-08-25
- Author: DCC Editorial
- Tags: data-governance, terminology, dama, compliance-architecture, commentary
- Laws cited: dsl, data-foundation-system-opinions
- Domains: data-security, data-economy
- URL: https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation/
- Markdown: https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation.md
- Original source: https://mp.weixin.qq.com/s/ylOsa9BV7m9nw3WMR037Wg
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice.

### Body

> *Editor's Note — DCC.*
>
> Three terms that English-Chinese bilingual practitioners constantly mix
> up: **data governance** (数据治理), **data management** (数据管理), and
> **data compliance** (数据合规). The confusion isn't merely linguistic —
> in Chinese practice the boundaries are drawn slightly differently than
> in DAMA-style English frameworks. Wang Qinglan's plain-language primer
> uses a "data manor" metaphor that holds up well across the bilingual
> gap. DCC's framing here highlights where the Chinese and Western
> conceptual boundaries diverge.

The 数据资产 ("data asset") vocabulary in Chinese practice often runs ahead of the operational clarity around how data work is actually organized inside an enterprise.
Wang's piece names the three roles and the relationships between them — not as a theoretical exercise but as the architectural foundation an enterprise needs before it can claim to "do" any of them.

## The data manor — three roles

Imagine the enterprise's data assets as a manor estate. Three roles run it:

- **Data governance** — the family council. Sets rules, doesn't execute.
- **Data management** — the steward team. Executes the rules, runs the estate day-to-day.
- **Data compliance** — the community monitor. Holds the estate accountable to external rules and to the commitments the estate has made publicly.

Each role answers a different question. Mixing them creates organizational confusion.

## Role 1 — Data governance (数据治理): "doing the right things"

The family council. Sets the rules; doesn't carry out the work. Its job is the **direction-setting layer** of data work.

The council answers questions like:

- *Who owns which data?* — assigning data ownership.
- *Who can see / change which data?* — permission allocation.
- *What quality and security standards must the data meet?* — policy definition.
- *When two departments dispute which data flow takes priority — who decides?* — escalation mechanism.

Crucially, the council doesn't decide *how* data is moved or stored. It decides *what the rules are*. The rules are typically organized in two layers: **business rules** (which data the manor needs to prioritize, e.g., which customer segments deserve first-pass attention) and **management rules** (who is responsible for which data activity, e.g., which team owns customer-data integrity).

Wang's framing: governance is "the management of management." The output is the **rulebook** — the policies that every steward team must follow when actually executing data work. Without a coherent rulebook, the steward team improvises and the compliance monitor has nothing to verify against.

## Role 2 — Data management (数据管理): "doing things right"

The steward team. Takes the council's rules and executes them. The **operational layer**.

The steward team's day-to-day work covers the full data lifecycle:

- **Discovery and inventory** — what data does the manor hold, where is it stored, what's in the vault?
- **Storage and architecture** — how is the data organized so it can be found again?
- **Access control** — who is permitted to use which data?
- **Quality and cleaning** — keeping the data accurate, deduplicated, current.
- **Security** — protecting the data from unauthorized access, leakage, modification.

The team is organized by specialism. Wang sketches the typical roster:

- **Chief Data Officer (CDO)** — the head steward, bridging governance and management.
- **Data Architect** — the building planner, designing the storage and flow topology.
- **Data Security Specialist** — the guard, securing the perimeter.
- **Data Quality Engineer** — the gardener, keeping the data tidy.
- **Metadata Manager** — the archivist, cataloguing what exists.
- **Master Data Manager** — the warehouse-keeper, ensuring authoritative reference data.

Their collective job: keep the manor running, and ensure that as data passes through the lifecycle — from collection, through processing, to eventual archival or destruction — quality and security are maintained.

The core posture: *execution-focused*, not direction-setting. "Doing the right thing well" — where the *right thing* has been defined by governance.

## Role 3 — Data compliance (数据合规): "operating sustainably"

The community monitor. Holds the manor accountable to two sources of rules: **external requirements** (laws, regulations, standards) and **self-imposed commitments** (the manor's public promises).

Wang divides compliance rules into three tiers, with sharply different operational implications:

### Tier 1 — Community rules (mandatory legal obligations)

The community's binding rules. Things like "trash must be sorted before disposal" (data classification regulation), "no demolishing load-bearing walls during renovation" (mandatory data-security standards), "no leaking visitor information" (personal information protection).

The manor's family council cannot override these — they constrain governance itself. Violation consequences range from fines and neighbor disputes (administrative penalties) to litigation and imprisonment (criminal penalties under, e.g., Criminal Law Article 253-1 for PI infringement).

### Tier 2 — Bonus rules (voluntary ethical obligations)

Self-imposed standards above the legal floor. The community requires "no probing visitor information without need" (minimum-necessary PI collection); the manor goes further: "quarterly audit of supply chain to ensure proper visitor information handling."

These aren't legally mandatory, but they earn reputation. They reflect the manor's strategic positioning — the choice to operate at a higher ethical bar than competitors. Wang's framing: these are *reputation investments*, not compliance requirements.

### Tier 3 — Commitment rules (promised obligations)

The manor's publicly made promises. "Lost item recovery guaranteed within 24 hours." These aren't legal requirements but breaking them damages the brand and exposes the manor to civil liability (contract claims, consumer-protection claims, false-advertising claims) even though no statute is violated.

### How the tiers stack

The council sets internal rules with all three tiers in mind: the community floor (Tier 1) is the immovable foundation; Tiers 2 and 3 are positioning choices. The steward team must operate within all three. Compliance — the monitor — verifies the manor's behavior against all three.

Wang's metaphor: compliance is a *dynamic guardrail* — keeping the manor from straying across any of the three lines while leaving room for the manor to chase its own ambition.
## Putting the three together A clean summary, in Wang's framing: | Role | Function | Question answered | |---|---|---| | **Governance** | Set direction, define rules | *Are we doing the right things?* | | **Management** | Execute the rules efficiently | *Are we doing things right?* | | **Compliance** | Operate within external + self-imposed rules | *Are we operating sustainably?* | The three are not parallel — they form a stack. Governance defines the rulebook. Management executes the rulebook. Compliance verifies the execution against external standards and self-imposed commitments. Confuse the roles and you get the common pathology: the compliance team writing rules (governance), the data team improvising without guidance (no governance), or the governance team auditing operational details (overstepping into management). ## Where Chinese and Western framings diverge Wang doesn't push the bilingual comparison, but it's the most useful payoff for overseas readers. In **DAMA's English-language framework** (DMBOK 2), *data governance* is one of eleven knowledge areas of *data management*. Governance is a *subset of* management. Operationally, governance is the **central coordination layer** *within* data management — the function that sets policies for the other ten knowledge areas (architecture, modeling, storage, security, integration, etc.) to follow. In **Chinese enterprise practice**, governance and management are often treated as *parallel functions*, with compliance as a *third parallel*. The relationship gets ambiguous: is governance subset of management (DAMA), or peer to management (Chinese usage)? Both framings are defensible — they answer different questions. Wang's metaphor sidesteps this by giving each function a distinct role identity. The practical implication for multinationals: when a global compliance memo refers to "data governance," a Chinese counterpart may understand it as a peer-function rule-setting body. 
When a Chinese operations document refers to 数据治理, a Western team may read it as a subordinate function within a broader management framework. Both teams nodding at "data governance" may mean different things. The cleanest disambiguation, in DCC's reading: **anchor to the question being answered**. - *Direction-setting question* → governance. - *Execution-efficiency question* → management. - *External-rules + self-commitments question* → compliance. Where the question is unclear, name the function instead. ## Why this matters for compliance architecture Three takeaways: - **The three functions need three different organizational positions.** Governance reports up to executive leadership (the family council). Management reports through operations / IT / data-platform leadership. Compliance reports through legal / risk / audit. Collapsing them into one team produces structural conflict — the governance function shouldn't be auditing itself. - **Compliance is not "follow the rules" — it's "follow which rules."** Wang's three-tier model (mandatory legal / voluntary ethical / public commitment) is the operational asset compliance practitioners should internalize. Treating Tier 2 and Tier 3 with Tier 1 rigor over-burdens; treating Tier 1 with Tier 2 flexibility creates legal exposure. - **Chinese-language internal documents and English-language global policies are easier to align when each piece names its function explicitly.** Don't translate "governance" generically — translate it as the specific function being referenced. The Wang piece is short — three pages in the original — but it makes a distinction that matters more than its length suggests. For compliance teams building bilingual frameworks, it's a useful conceptual anchor. --- — Wang Qinglan (王青兰), *3分钟读懂数据治理、数据管理与数据合规* (Three Minutes to Understand Data Governance, Data Management, and Data Compliance), 青兰数据观察 WeChat Official Account, August 25, 2025. 
[Original article (Chinese).](https://mp.weixin.qq.com/s/ylOsa9BV7m9nw3WMR037Wg)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

## FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

- Published: 2025-08-12
- Author: DCC Editorial
- Tags: cross-border, important-data, ftz-negative-list, data-classification, commentary
- Laws cited: cross-border-data-flows-provisions, data-export-security-assessment-measures, dsl, network-data-security-regulations
- Domains: cross-border, data-security
- URL: https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data/
- Markdown: https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data.md
- Original source: https://mp.weixin.qq.com/s/yZm01jMnCzMSsHBbUhYPGw
- Original author: 全球法律政策研究 (Global Legal Policy Research Team)
- Original publication: 合规小叨客

### Description

Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.

### Body

> *Editor's Note — DCC.*
>
> Article 6 of the **2024 Provisions on Promoting and Regulating Cross-Border Data Flow** authorized Free Trade Zones to publish their own data-export negative lists — data on the list requires the standard CAC pathways (security assessment / SCC / certification); data off the list flows freely. In the 18 months since, seven FTZs have published negative lists covering 17 sectors and dozens of business scenarios. The Compliance Talker team produced one of the cleanest practitioner overviews. DCC's framing emphasizes what overseas multinationals should be doing operationally to take advantage of the regime.

## The negative-list mechanism, in one paragraph

Article 6 of the 2024 CBDF Provisions delegates to Free Trade Zones the authority to publish jurisdictionally specific data-export negative lists. Within the FTZ, data falling on the negative list requires the standard CAC cross-border pathway (security assessment for important data and large-volume PI; SCC for medium volumes; certification for voluntary alternative paths). Data falling **off** the negative list is exempt from these pathways and can flow cross-border without the standard formalities.

The mechanism is the most operationally impactful piece of the 2024 CBDF Provisions for cross-border-data compliance. It is also explicitly *experimental* — the FTZs are policy laboratories for an eventual nationally generalized framework.

## What's been published

As of August 2025 (the Compliance Talker article's publication date), seven FTZs across China have published data-export negative lists:

- **Tianjin** (first published 2024)
- **Beijing** (2024 FTZ-only version, then 2025 city-wide expansion to "1+9" architecture covering 9 sectors / 67 scenarios / 612 fields — see DCC's tracking)
- **Hainan**
- **Shanghai** (with the Lingang New Area piloting a *positive list* mechanism alongside)
- **Zhejiang**
- **Fujian** (Pingtan area, with positive + negative lists)
- **Additional FTZs** in various stages of publication

Coverage spans **17 sectors / sub-sectors**: automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, medical devices, autonomous driving / intelligent connected vehicles, trade logistics, banking, AI, biopharma, and others.

The Compliance Talker team's note on dominance: while the Lingang positive-list approach is theoretically interesting, *"in independent published documents, the negative-list format is overwhelmingly dominant."* The negative-list model has become the de facto standard.

## Three structural patterns across the published lists

### Pattern 1 — Structural convergence in format

Outside the Tianjin 2024 list (which was a first-mover and used a different format), every subsequent FTZ negative list adopted a common structure:

> **Industry (with applicable enterprise types) → Cross-border path required (security assessment / SCC / certification) → Data category (important data / personal information) → Data sub-class → Basic features and description**

This convergence is regulator-led, per the CAC's *April 9, 2025 Q&A on Data Export Security Management Policy*, which emphasized coordination and the avoidance of conflicting requirements across FTZs for the same data activity.

### Pattern 2 — Sector selection reflects local economic priorities

Each FTZ selects sectors aligned with its strategic positioning:

- **Shanghai FTZ** — focuses on reinsurance, international shipping, and retail (including hospitality / dining / lodging) — sectors aligned with Shanghai's international finance and shipping hub positioning.
- **Beijing FTZ** — automotive, pharmaceuticals, civil aviation, retail, AI initially; expanded to 9 sectors in 2025 covering medical devices, autonomous driving, trade logistics, banking — tracking the National Demonstration Zone for Service-Sector Opening.
- **Hainan FTZ** — focuses on duty-free retail and clearance shopping personal-information export — aligned with Hainan's free-trade-port positioning.
- **Tianjin FTZ** — first-mover, with auto-industry focus.

The same industries appear across multiple FTZs, but with **different scope and scenario emphasis**. For example: both Shanghai and Hainan include retail-related personal data export — but Hainan focuses on *duty-free / clearance shopping scenarios* while Shanghai restricts to *membership management scenarios*.

### Pattern 3 — Dynamic update mechanisms

Each FTZ negative list explicitly provides for **dynamic management**. The Beijing 2024 list (Article 9) is representative:

> *"The negative list shall be subject to dynamic management. For industries / sectors where no negative list has been issued, the corresponding negative list shall be timely studied and formulated."*

The mechanism allows the regulator to (a) add new sectors to the list as data-economy needs evolve, and (b) loosen restrictions on low-risk scenarios within existing sectors based on implementation experience.

## How the negative lists refine important-data identification

The Compliance Talker team's most useful contribution: showing how each negative list operates as a **public important-data catalogue** for its sector. Under the 2024 CBDF Provisions Article 2, *publicly published* identification of data as important data is sufficient to trigger the important-data export regime.

As of May 30, 2025, the FTZs have published important-data catalogues for **15 sectors / sub-sectors**. Some examples:

### Automotive (Beijing FTZ 2024 — refined from the 2021 Automotive Data Provisions)

The Beijing FTZ list refined the 2021 *Provisions on Automotive Data Security Management*'s broad catalogue of "automotive charging network operational data" into operational granularity:

> *"Charging post / station location information; usage status; billing and payment information; switching-station vehicle statistics; site statistics; distribution information; and other data."*

The result: enterprises can now map their automotive data inventory against specific field-level catalogues, not against high-level category descriptions.

### AI sector (newly published)

For the first time, the FTZ negative lists publish a sector-specific important-data catalogue for AI. The Beijing list specifies:

- High-value sensitive data collected and generated during R&D / design related to industry competitiveness.
- Audio, image, and text data the alteration, destruction, leakage, or illegal acquisition / use of which may endanger national security, economic operation, social stability, public health, or safety.
- Data included in export control or technology-export management lists.

### Medical / pharmaceutical (Beijing 2024)

The 2024 Beijing list specified important medical data with **quantitative thresholds**:

> *"...10,000-individual-or-more medical records, imaging, pathology, blood-test, and genetic-test diagnostic data involving public health and safety."*

The "certain scale" framing of the underlying *Network Data Security Regulation* gets quantified — 10,000 individuals.

The Compliance Talker team's framing: *"This framework structure aligns well with enterprise data classification and grading workflows. It converts abstract important-data compliance requirements into operationalizable, executable concrete rules."*

## The cross-border export process — what FTZs change

For Beijing, Zhejiang, and Shanghai (the three FTZs the Compliance Talker team analyzes for filing procedure):

### Beijing and Zhejiang FTZ — sequential filing model

1. Data handler submits **application** to the FTZ administrative committee (registration location, sector, operating status, recent administrative penalties / regulatory investigations / remediation status).
2. Upon approval, data handler submits **negative-list filing** (data export business scenario, list of data being exported, export volume, overseas recipient, applicable negative-list sub-class, reason for applicability).
3. Based on the FTZ committee's *evaluation opinion*, the data handler conducts data export.
4. If the data is on the negative list (i.e., is identified as important data), the data handler files a data-export security assessment with the national CAC.

### Shanghai FTZ — post-export reporting model

Shanghai's negative list **permits FTZ enterprises to conduct data export first** and submit negative-list materials within 15 working days to the local cross-border data service center. The Shanghai approach is slightly more permissive on timing — but the substantive reporting and oversight requirements are similar.

The Compliance Talker team's framing: the FTZ filing is a *substitute for the sector-regulator identification step* in the standard important-data export workflow. The FTZ committee replaces the sector regulator as the identification authority; the standard CAC security assessment process continues afterward.

**The substantive simplification is limited.** The FTZ negative list provides clarity on important-data identification — but does not bypass the security assessment itself. For enterprises whose data is on the negative list as important data, the FTZ benefit is *clarity in classification*, not *exemption from review*.

## Impact and operational guidance

### For enterprises inside an FTZ with published negative lists

- **High direct impact.** The negative list applies specifically to enterprises *registered* in the FTZ. Enterprise data falling on the list gets clarified important-data status; enterprise data falling off gets a much simpler cross-border export path.
- **For sectors covered**:
  - *Important-data identification benefit*: the published catalogue provides an authoritative external reference. Use it to organize the enterprise's important-data inventory.
  - *Cross-border path benefit*: where the enterprise's data falls off the negative list, cross-border export proceeds without standard CAC procedures.
- **For sectors not yet covered**:
  - *Identification still uncertain.* Enterprises remain in the position of self-assessing whether their data is "important data," without authoritative reference.
  - *Cross-border path uncertain.* Enterprises still need sector-regulator identification (where available) or self-assessment to determine whether the standard security assessment applies.

### For enterprises outside an FTZ

- **Indirect impact, but useful as reference.** The negative lists are published documents. Enterprises in the same sector outside the FTZ can use them as identification reference — the lists effectively become the most operational important-data catalogue currently available in that sector.
- **Watch for cross-province negative-list adoption.** Some FTZs (Beijing 2025) have begun adopting other provinces' negative lists for enterprises operating across provinces. This pattern, if it spreads, will let enterprises in non-FTZ jurisdictions effectively benefit from FTZ negative-list infrastructure.

## Why this matters for overseas teams

Three operational takeaways:

- **FTZ registration is now a serious cross-border-data strategic lever.** Foreign-invested entities with significant cross-border data flows should evaluate whether registering operations in a covered FTZ (especially Beijing post-2025 expansion or Shanghai) materially reduces compliance friction. For data-heavy sectors (auto, pharma, biotech, AI, banking), the negative-list path is operationally cheaper than the standard CAC security assessment.
- **The FTZ catalogues are the best important-data identification reference available.** Even for enterprises operating outside any FTZ, the published negative lists are the most authoritative *sector-specific* important-data catalogues currently in existence. Use them as identification reference; document the analysis.
- **Watch the dynamic update mechanism.** Each FTZ's negative list will continue to be updated. Compliance teams should set up monitoring of the relevant FTZ administrative committees' announcement channels and review the negative list annually at minimum.

The deeper point in the Compliance Talker piece is that **China's cross-border data regime is genuinely tiering through the FTZ mechanism**. The 2024 CBDF Provisions framework is becoming a *two-track system*: standard CAC pathways for cross-border export plus FTZ negative-list pathways for FTZ-registered entities in covered sectors. Multinationals that ignore the FTZ track will operate against unnecessary friction; those that build their China presence around an FTZ footprint will operate at materially lower compliance cost.

---

— Compliance Talker (合规小叨客) Global Legal Policy Research Team, *原创 || 我国自贸区相继发布数据出境负面清单,企业重要数据管理影响几何?* (China's FTZs Successively Publish Data Export Negative Lists — How Will Enterprise Important Data Management Be Affected?), 合规小叨客 WeChat Official Account, August 12, 2025.

[Original article (Chinese).](https://mp.weixin.qq.com/s/yZm01jMnCzMSsHBbUhYPGw)

*Not legal advice. The above is DCC's structured summary of the source article's analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.*

---

## What Does Data Registration Actually Confirm? — A Doctrinal Reading

- Published: 2024-09-19
- Author: DCC Editorial
- Tags: data-property-rights, data-registration, civil-law-doctrine, commentary
- Laws cited: data-foundation-system-opinions, data-property-rights-registration-guide-draft, public-data-registration-interim-measures
- Domains: data-economy, enforcement
- URL: https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms/
- Markdown: https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms.md
- Original source: https://mp.weixin.qq.com/s/BApKX7i4F6BoWooj3-DxjQ
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel.

### Body

> *Editor's Note — DCC.*
>
> This is the foundational piece Wang Qinglan wrote in September 2024 arguing that **data registration cannot confirm rights, because the law has not yet conferred data rights**. It is the conceptual predecessor to her [December 2025 piece on the SPC's new 'data disputes' case category](/posts/spc-data-disputes-case-category-and-data-registration/) — the SPC's procedural move forced the doctrinal question into the open, but Wang had identified the gap a year earlier. For overseas counsel approaching the Chinese data property rights regime, this is the doctrinal essay; the SPC piece is the operational sequel.
> DCC's framing emphasizes the civil-law doctrine that overseas teams trained in common-law systems will find counterintuitive.

## "Confirming rights" — what does the verb actually do?

In Chinese legal usage, 确权 (literally, "confirming rights") means *confirming the attribution and nature of a right*. The verb assumes a right exists; confirmation is a downstream act on that pre-existing right.

This is the conceptual frame that breaks when applied to data. Wang's central observation: ***there is no legal right in data to confirm***. The Chinese legal community has not converged on what kind of right "data" is — property right? intellectual property? a new species of property altogether? The NPC has not legislated a defined right. Without legislation, no legal data right exists.

The state's response, per Wang: *"Carry on arguing — we won't wait for you. But the data-element market can't wait either. So we'll set aside the rights debate and use the **property rights** (产权) framework to protect data property interests and promote data circulation."*

The Data 20 Articles, December 2022, established the structural-subdivision data property rights regime:

- **Data resource holding right** (数据资源持有权)
- **Data processing-and-use right** (数据加工使用权)
- **Data product operation right** (数据产品经营权)

The three rights are the center-stage stars of the Chinese data economy. Each is *registrable*. Each gets a certificate. But each is **a property right (产权), not a legal right (权利)**.

## The civil-law doctrine that makes the distinction matter

In Chinese civil-law doctrine, **only the NPC and its Standing Committee can confer civil rights** (赋权). The Data 20 Articles is a Central Committee + State Council policy directive — outside the NPC's legislative authority. It can establish a *property rights* regime (产权制度) — but property rights are an *economic* concept, not a *civil-law* concept.

The same conceptual move appears in the **Third Plenum of the 20th CCP Central Committee Decision** (July 2024), which speaks of "accelerating the establishment of data property attribution determination" — not "rights determination."

> *"Accelerate the establishment of data **property attribution determination** (数据产权归属认定), market transaction, **benefit allocation** (权益分配), and interest protection systems..."*
>
> — Third Plenum Decision, 2024

Wang's emphasis: the policy text uses *attribution determination* (认定), not *rights determination* (确认). The vocabulary is precise. The Chinese drafting team knew this would be parsed against civil-law doctrine.

## The two ways civil rights actually get confirmed

In Chinese civil-law practice, rights confirmation runs on two tracks:

### Track 1 — "Friendly" confirmation

Rights confirmation that doesn't require dispute. Two sub-types:

- **Possession-based confirmation** (占有确权) — for general movables. Whoever possesses the asset is presumed to hold the right. Every transfer of possession is also a transfer of rights. Wang's example: you buy a used computer on Xianyu (Chinese eBay-equivalent). Whoever physically possesses the laptop at the moment is presumed owner — until possession transfers at the meeting point. The doctrine matches a real intuition: bought from someone, possession transfers, ownership transfers, *the rights confirmation is automatic*.
- **Registration-based confirmation** (登记确权) — for high-value assets where possession alone doesn't provide enough public notice. The classic case is real estate: buying a house requires the formal *registration* step at the registry office, and ownership transfers only when registration completes. The mortgage on a house must also be registered to be effective.

### Track 2 — "Adversarial" confirmation

When parties dispute attribution, the court confirms the right through litigation. The right is named and assigned to the prevailing party. This is the *adversarial* mode and works for all rights types — property rights, contract rights, IP rights — once the rights themselves are statutorily defined.

The full doctrinal cycle: **legislature confers** → **registry / court confirms** → **disputes resolve**. The verb chain has no broken link.

## Where data registration breaks the chain

The data property rights regime breaks the chain at the first link. The NPC has not conferred a data right. So:

- **Possession-based confirmation** of a data right doesn't work — there's no right to confirm.
- **Registration-based confirmation** of a data right doesn't work either — registration "confirms" what the legislature created, and the legislature hasn't created anything yet.
- **Adversarial confirmation** in court doesn't work — the court can only adjudicate rights the legislature defined.

As of Wang's writing in September 2024, **no Chinese court had cited the Data 20 Articles' three property rights to confirm data rights in adjudication**. Judges, operating under civil-law doctrine, cannot create rights through interpretation. In Wang's words: *"In China — a civil-law country — judges can't make law. They can only adjudicate under the law."*

## What data registration is actually doing

Wang's reframing: data registration is **publicity** (公示), not **confirmation** (确权).

The chain runs: *trade* → *needs publicity* → *publicity creates public credit* → *public credit creates market trust* → *market trust enables trade*. Registration is one form of publicity. The function is *signaling to potential downstream counterparties that this asset's chain of title is documented*. The publicity supports market confidence — not legal rights creation.

Wang's metaphor: registration is a **trust credential** (可信凭证), not a **rights certificate** (确权证书). The operational difference:

- A **rights certificate** would have *constitutive effect* — without registration, no right exists. (Real estate ownership has this character in China.)
- A **trust credential** has *evidentiary effect* — it's preliminary evidence that the registrant has documented its data chain-of-title and submitted to compliance review by the registration institution. It can be overcome by contrary evidence.

## The 2024 Beijing IP Court case that made the doctrine concrete

In a case Wang flags — **Datatang v. Yinmu** (数据堂 v. 隐木, the "first case on the effectiveness of data IP registration certificates") — the Beijing IP Court explicitly declined to recognize a *Data IP Registration Certificate* as an absolute property-right confirmation. The court confirmed only the certificate's effect as a *trust credential*.

The court's reasoning (Wang paraphrases): "**Before a property-natured legal interest has been confirmed as an absolute property right by law, the holder of the property-natured interest cannot seek judicial protection by analogizing to other absolute property right types.**"

The phrase "by analogy" is the key. The court would not extend property-rights doctrine to a not-yet-confirmed-by-law category. The trust credential effect held — but only as *preliminary evidence* (初步证据), defeasible by contrary evidence. This is meaningfully weaker than what most market participants understood the certificate to provide.

## The three judicial protection paths that work today

Without a statutory data right, Chinese courts protect data interests through three existing-law analogies:

- **Compilation work copyright** (汇编作品保护) — if the data set demonstrates creativity in selection or arrangement, treat it as a compilation work under copyright law.
- **Trade secret protection** (商业秘密保护) — if the data set satisfies the trade-secret elements (secret, kept secret, has commercial value), protect under the *Anti-Unfair Competition Law*.
- **Competitive interest protection** (竞争性权益保护) — under the AUCL general clause, protect data as a *competitive interest* the data handler has invested in.

The three paths are workable but uneven. Compilation copyright requires creativity in selection. Trade secret protection requires secrecy. Competitive interest protection is the catch-all, but it's a *general-clause* claim with substantial evidentiary burdens (and now operates under the 2025 AUCL Article 13(3) data clause).

Wang's prediction at the time: *"data property rights" will not become full legal rights soon — but the trust-credential function of registration can still meaningfully support these three paths*.

## What this means for the registration regime going forward

Wang's prescription, in September 2024:

- **Registration institutions should stop overclaiming "confirmation."** Calling registration *confirmation* (确权) misleads the market about what a certificate does.
- **Strengthen compliance review.** A registration institution's *substantive review* of data legality and authenticity is what gives the certificate evidentiary weight in court. Without rigorous review, the certificate has no evidentiary value.
- **Use the *attribution determination* vocabulary.** The Third Plenum's *attribution determination* (认定) language is doctrinally precise — registration institutions can *determine the attribution* of data property without claiming to *confirm* legal rights.
- **Build a regulatory framework.** Trust-credential value depends on the credibility of the issuing institution. The state should regulate registration institutions to protect the market's confidence in registration certificates as a category.

The SPC's January 2026 "data disputes" case category change — which Wang [followed up on](/posts/spc-data-disputes-case-category-and-data-registration/) — vindicated the underlying doctrinal critique. Once the SPC named the case category, courts gained a procedural channel to scrutinize data registration certificates directly. Wang's September 2024 piece had warned exactly this gap was coming.

## Why this matters for overseas teams

Three implications for foreign counsel advising on Chinese data deals:

- **Don't translate 确权登记 as "rights confirmation registration."** A more accurate rendering — *"property attribution determination registration"* — preserves the doctrinal distinction. Translating it as "rights" creates false expectations on both sides of the transaction.
- **A registration certificate is one input to evidentiary strategy, not a title document.** When advising on a Chinese data acquisition, the registration certificate is useful — it shows the seller invested in chain-of-title documentation. But it does not vest legal title in the buyer in any way comparable to a deed or a patent assignment. The buyer's protection in a downstream dispute will run through compilation work, trade secret, or competitive-interest doctrine.
- **Choose the registration institution carefully.** Per the [NDA's draft Data Property Rights Registration Work Guide](/laws/data-property-rights-registration-guide-draft/), only registration institutions practicing *substantive review* (not formal review) will produce certificates with meaningful evidentiary weight. The Shenzhen Data Exchange's "dual-verification" model is the operational benchmark.

The deeper observation in Wang's piece is that **the Chinese data property rights regime is doctrinally incomplete by design** — the state chose to operationalize a property rights system without waiting for the NPC to confer formal legal rights. Overseas counsel who expect the regime to behave like a Western IP system will be repeatedly surprised. The regime behaves like a *publicity and credit-building system*. Once that's internalized, the operational logic falls into place.

---

— Wang Qinglan (王青兰), *数据确权登记,谁给的勇气?* (Data Rights Confirmation Registration — Who Gave You the Courage?), 青兰数据观察 WeChat Official Account, September 19, 2024.
[Original article (Chinese).](https://mp.weixin.qq.com/s/BApKX7i4F6BoWooj3-DxjQ) *Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.* --- ## On-Exchange vs. Off-Exchange Data Trading — A Uniquely Chinese Market Structure - Published: 2024-07-01 - Author: DCC Editorial - Tags: data-exchanges, data-economy, szdex, market-structure, commentary - Laws cited: data-foundation-system-opinions - Domains: data-economy - URL: https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading/ - Markdown: https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading.md - Original source: https://mp.weixin.qq.com/s/2qNmM5uxUZkfqE3YCYZx8g - Original author: 王青兰 (Wang Qinglan) - Original publication: 青兰数据观察 ### Description Why does China have data exchanges? Wang Qinglan's piece opens with an observation overseas readers will recognize: 'When you tell foreigners about China's on-exchange data trading market, you get blank stares — because exchange-organized data trading is uniquely Chinese.' The analogy she offers — Shenzhen Data Exchange is to data what the Shenzhen Stock Exchange is to securities — unlocks the architecture. Five tiers of trading venues by public-risk level. Three waves of Chinese data-exchange evolution. And the operational meaning of why on-exchange and off-exchange trading coexist. ### Body > *Editor's Note — DCC.* > > Wang Qinglan opens the piece by noting that foreign counsel typically > draw a blank when she describes China's on-exchange data trading > market — *"because data-exchange-organized trading is uniquely > Chinese."* DCC has the same experience. 
This brief unpacks why China > built data exchanges in the first place, what distinguishes > "on-exchange" from "off-exchange," and the operational meaning of > SZDEX, the Beijing Data Exchange, the Shanghai Data Exchange, and the > tier of regional exchanges that followed. ## The analogy that unlocks it China's data trading market is consciously modeled on its securities market. The architecture: - **On-exchange trading** (场内交易) — a transaction conducted through and managed by a licensed *trading venue* (交易场所). - **Off-exchange trading** (场外交易) — every other transaction. Wang's analogy: **the Shenzhen Data Exchange (SZDEX) is to data what the Shenzhen Stock Exchange (SZSE) is to securities**. The data exchange organizes, supervises, and provides infrastructure for trading — just as a stock exchange does for securities. The doctrinal anchor is the **Data 20 Articles** (December 2022): > *"Establish a compliant and efficient data-element flow and trading system combining on-exchange and off-exchange markets. Improve and standardize data-flow rules. Build a trading system combining on-exchange and off-exchange markets. Standardize and guide off-exchange trading. Cultivate and grow on-exchange trading."* The policy directive is explicit: a *combined* market, with on-exchange trading deliberately nurtured. 
## The five tiers of trading venues A *trading venue* (交易场所) in Chinese law is "an institution legally authorized by the government to engage in rights-based, bulk-commodity, data, or other categorized trading — including venues whose names do not contain the word 'exchange.'" Wang's five-tier classification (by public-risk exposure) makes the landscape legible: | Tier | Risk level | Venue type | |---|---|---| | **1** | Highest | Financial-product exchanges (stocks, futures) — State Council or financial regulator approval required | | **2** | Medium | Regional financial exchanges (regional equity, financial assets, IP, commodities, environmental rights) | | **3** | **Low** | **Data exchanges, cultural-IP exchanges, energy exchanges, carbon market exchanges, agricultural-rights exchanges, state-owned-property exchanges, pharmaceutical/medical-consumables exchanges** | | **4** | Very low | Physical-goods exchanges (cars, real estate) — rarely seen today | | **5** | None | Public-resource trading platforms (e.g., government procurement) | **Data exchanges sit at Tier 3** — low public-risk venues. They're not financial exchanges, but they are still highly regulated trading venues, supervised by provincial-level governments under the *Implementation Opinions on Cleaning Up and Rectifying Various Trading Venues* (State Council Office Document No. 37 [2012]) and related instruments. ## Why "exchange" and "trading center" are tightly controlled names Wang flags an operational subtlety many overseas observers miss: the name itself is regulated. - Companies named ***Exchange*** (交易所) — must be approved by the State Council, a financial regulator, or a provincial government (with prior consultation of the inter-ministerial coordination committee). - Companies named ***Trading Center*** (交易中心) — same approval requirement, slightly less strict. - Companies named ***Data Trading Co., Ltd.*** / ***Data Group*** etc. 
— no special name approval, but they are *not* legal trading venues.

The historical reason: in the years before tight name regulation, fake exchanges proliferated and were used as fronts for illegal fundraising and financial fraud. Despite Tier-3 status, low public-risk data exchanges have been caught up in this enforcement — the State Council's *Decision on Cleaning Up and Rectifying Various Trading Venues* (Document No. 38 [2011]) explicitly prohibits unauthorized use of the "exchange" name.

The operational implication for overseas counsel: **the company name matters**. A counterparty named "QL Data Exchange Co., Ltd." is more likely to be a real trading venue than "QL Data Trading Co., Ltd." or "QL Data Group" — but the only definitive check is the registered list of licensed trading venues maintained by the provincial financial regulator and (for data exchanges) the local data administration authority.

As of mid-2024, of all data-trading-related entities registered in China:

- **9** contain "Exchange" (交易所) in the name.
- **20** contain "Trading Center" (交易中心) in the name.
- The rest use names like "Data Trading Co., Ltd." or "Data Group" — most of which are not licensed trading venues.

## The structural difference between on- and off-exchange

Both serve buyers and sellers of data. So why does on-exchange exist?

Wang's answer: trading venues bear *infrastructure obligations* that off-exchange platforms don't. The trading venue must do the unprofitable, regulatory-heavy work:

- **Ecosystem cultivation** — supporting data brokers, third-party professional service institutions, training the "data trader" workforce.
- **Compliance gateway** — vetting both sellers and listings, refusing non-compliant trades, providing a public-trust-grade compliance review.
- **Market infrastructure** — the technical systems for matching, settlement, evidence preservation, audit trails.
The off-exchange platforms benefit from this work without paying for it — they operate in the data-broker ecosystem the on-exchange venues built. The trading venue takes on responsibility *and* market competition.

The trade-off, in Wang's framing: **"On-exchange trading is like marriage — many outside want in, many inside want out."** The crown carries weight. One data trading center founded in 2015 voluntarily surrendered its trading-venue qualification in 2023 to become a "data tech company" operating freely off-exchange.

## Three waves of China's on-exchange data market

Wang's historical mapping:

### Wave 1 (2014–2017): Launch and cooling

- **2014** — "Big data" written into the Government Work Report for the first time, marking the start of top-level design for the data industry.
- **2015** — The Guiyang Big Data Exchange (贵阳大数据交易所), China's first data exchange, founded. Within two years, more than 10 data exchanges established across the country.
- **2017** — The wave cools. Many exchanges enter dormancy. The problem: no sustainable business model. The exchanges couldn't pull the broader data industry forward.

### Wave 2 (2021–2024): The data-element strategy

- **2021** — Beijing, Shanghai, and Shenzhen data exchanges officially launched.
- **2022** — The Guiyang Exchange (which had entered bankruptcy reorganization) was restructured and rejoined the market. New roles emerged: *data broker* (数据商), *data trader* (数据交易员), *data compliance specialist* (数据交易合规师). The data trading industry chain took shape.
- **December 2022** — *Data 20 Articles* published.
- **October 2023** — National Data Administration (NDA) officially established. The on-exchange market entered a phase of coordinated national development.

### Wave 3 (ahead): Differentiated competition

Wang's prediction at the time of writing (mid-2024): the third wave will involve large-scale entry of normalized off-exchange platforms competing with on-exchange venues.
Without differentiated value propositions, on-exchange venues face elimination pressure.

The differentiation thesis: on-exchange venues must take on *industry-wide infrastructure responsibilities and social functions* — without them, on-exchange trading is genuinely unnecessary ("the data joke" Wang quotes: *"Exchanges need trading, but trading doesn't always need exchanges."*).

## The Shenzhen Data Exchange — a case in point

Wang closes with a chronology of how the Shenzhen Data Exchange emerged from policy reform, not from private-market entrepreneurship:

- **October 2020** — Central Committee + State Council issue the *Implementation Plan for Shenzhen as a Demonstration Zone for Socialism with Chinese Characteristics (2020–2025)*. Proposes accelerating the cultivation of a data-element market and "researching the establishment of a data trading market."
- **December 2021** — Shenzhen Data Trading Co., Ltd. registered.
- **January 2022** — NDRC + Ministry of Commerce issue the *Opinions on Specific Measures to Relax Market Access in Shenzhen as a Demonstration Zone*. Includes "prudently researching the establishment of data-element trading venues."
- **November 2022** — Shenzhen Data Exchange formally unveiled. The Co., Ltd. renamed to Shenzhen Data Exchange Co., Ltd. (SZDEX).
- **August 2023** — State Council issues the *Development Plan for the Hetao Shenzhen-Hong Kong Science and Technology Innovation Cooperation Zone, Shenzhen Park*. Calls for "accelerated construction of Shenzhen data trading venues."
- **April 2024** — SZDEX Data Trading Business Platform 2.0 launched.
- *To be continued...*

The point Wang makes through the chronology: SZDEX was created to carry a specific reform mission. It's not just a venue — it's an infrastructure mandate the central government delegated to Shenzhen.
## Why this matters for overseas teams

Three operational takeaways:

- **On-exchange status is a verifiable counterparty signal.** When evaluating a Chinese data counterparty, check whether they hold a recognized trading-venue qualification. The name alone is suggestive but not dispositive. The provincial-level data administration authority's published list of licensed data exchanges is the authoritative source.
- **On-exchange trades carry built-in compliance review; off-exchange trades don't.** When a foreign-invested entity transacts on-exchange (as buyer or seller), the exchange has already vetted the listing against the *Provisions on the Administration of Data Trading*. Off-exchange trades carry the full compliance burden on the counterparties.
- **Cross-border data trades typically route through on-exchange venues.** The Beijing FTZ negative list, the Guangdong FTZ data export framework, and the Shenzhen Hetao park's data-flow regime all integrate with the relevant on-exchange venue. Multinationals running cross-border data flows through the FTZs gain compliance leverage by routing through SZDEX or the Beijing International Data Exchange.

The deeper point in Wang's piece is that **China has built a market architecture that doesn't exist in Western data ecosystems**. There is no "London Data Exchange" or "Nasdaq Data Exchange." The on-exchange / off-exchange distinction is uniquely Chinese, and foreign counsel approaching the Chinese data market need to internalize the structure before they can advise meaningfully.

---

— Wang Qinglan (王青兰), *场内数据交易一定比场外高贵吗?* (Is On-Exchange Data Trading Necessarily More Prestigious Than Off-Exchange?), 青兰数据观察 WeChat Official Account, July 1, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/2qNmM5uxUZkfqE3YCYZx8g)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation.
The author's views are her own and do not represent her employer.*

---

## What Is Actually Traded on China's Data Exchanges — A Bakery Metaphor

- Published: 2024-05-28
- Author: DCC Editorial
- Tags: data-economy, data-trading, data-products, data-classification, commentary
- Laws cited: data-foundation-system-opinions, common-data-terms-batch-1, common-data-terms-batch-2, public-data-authorized-operation-specifications
- Domains: data-economy
- URL: https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges/
- Markdown: https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges.md
- Original source: https://mp.weixin.qq.com/s/xFM7nS_E0BoB272Im6Mciw
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

Per the Shenzhen Provisional Measures for Data Trading Administration, four categories of object can be traded on a Chinese data exchange: data products, data services, data tools, and other regulator-approved objects. Wang Qinglan walks through what each means in plain language with a bakery metaphor — wheat (raw data) becomes flour (data resources) becomes cakes (data products); a baker is a data service; the oven is a data tool. The piece is useful precisely because it answers a question overseas teams rarely think to ask: what are the data exchanges actually selling?

### Body

> *Editor's Note — DCC.*
>
> The Chinese data-element market is one of the most distinctive features of the country's data regime — yet most overseas analyses treat it as a black box. Wang Qinglan's plain-language primer answers the precondition question: *what is actually for sale*? The bakery metaphor she uses is more useful than any of the formal definitions and worth internalizing before approaching the data property rights registration regime, the Data 20 Articles policy framework, or the Shenzhen Data Exchange's listing practice.
## The four trading objects

The legal anchor is the **Shenzhen Provisional Measures for Data Trading Administration** (《深圳市数据交易管理暂行办法》). Article 6 lists four categories of object that can be traded on a Chinese data exchange:

- **Data products** (数据产品)
- **Data services** (数据服务)
- **Data tools** (数据工具)
- **Other trading objects approved by the competent authority** (其他经主管部门同意的交易标的)

The first three are well-defined; the fourth is a catch-all that has, in practice, expanded the regime's flexibility — particularly to accommodate *data resources* (数据资源) as a tradable object even though they don't fit cleanly into "data products."

## The bakery metaphor

Wang's mental model: imagine a flour mill that becomes a bakery. The metaphor maps cleanly onto the legal categories.

| Bakery element | Chinese data concept | English translation |
|---|---|---|
| Wheat from the farmer | 原始数据 | **Raw data / primary data** |
| Flour (after milling) | 数据资源 | **Data resources** |
| Cake or cake base (after baking) | 数据产品 | **Data products** |
| The baker who turns flour into cake | 数据服务 | **Data services** |
| The oven, mixer, frosting spreader | 数据工具 | **Data tools** |

The full chain: a farmer harvests wheat (raw data); the mill turns it into flour (data resources); the bakery turns flour into cakes (data products). When a flour mill wants to enter the bakery business but lacks the skill, it hires a baker (data service). The baker needs equipment — oven, mixer, frosting tools (data tools).

The metaphor solves the conceptual puzzle. *Raw data*, *data resources*, and *data products* are all data in different states of processing. *Data services* are skills applied to data. *Data tools* are instruments for processing data.

## The narrow vs. broad data product distinction

Wang highlights a frequently overlooked distinction:

- **Narrow data products** — data products in the strict sense. The data resource is the input; algorithmic processing yields the output.
Examples: data sets, data analytics reports, data visualization products, data indices, API data products, encrypted data products. The flour-becomes-cake pattern.
- **Broad data products** — narrow data products *plus* data services and data tools. The broader category captures everything traded on a data exchange.

The key conceptual divide:

- **Narrow data products** contain data — they *are* the cake.
- **Data services and data tools** are *methods or instruments* for processing data — they're the baker and the oven, not the cake.

Wang treats "data products" in the strict sense throughout her piece — the cake, formed by substantive processing of data resources, yielding derived data or data-derivative products. This narrow usage tracks the NDA's *Common Data Terms (First Batch)* definition: *"data processing products and data services that are formed on the basis of data processing and can meet specific needs."*

## What raw data, data resources, and data products mean operationally

The bakery analogy maps to a concrete example Wang gives:

- You want to open a milk-tea shop. You hire counters to stand at major shopping-district entrances and record foot traffic in notebooks. Each notebook entry is **raw data** — a recording, electronic or otherwise, of an observable phenomenon (here, the foot count at a location).
- At the end of each day, the counters consolidate the notebook entries into a single Excel spreadsheet. The spreadsheet is a **data resource** — raw data, primarily processed, with potential for value creation.
- A tourism-data company buys the spreadsheet and processes it into a *shopping-district heat-map analytical report*. They sell the heat map to an advertising agency for targeted ad placement. The heat-map report is a **data product** — the result of substantive processing of data resources.

This three-level distinction — raw / resource / product — is foundational.
The DSL, the *Network Data Security Regulation*, and the NDA's *Data Property Rights Registration Work Guide (Trial)* all rely on it. The legal consequences of mishandling each tier differ.

## Can data resources be traded?

Wang flags a useful operational point. The Shenzhen Provisional Measures' three-category enumeration (products / services / tools) seems to exclude data resources. But Article 6's fourth category — *"other trading objects approved by the competent authority"* — accommodates them.

In practice, **data resources can be traded on Chinese exchanges as a fourth-category object** — both on-exchange and off-exchange. The Shenzhen Data Exchange and other regional exchanges have listed both data products and data resources.

The one substantive exception: **public data resources** (公共数据资源). Per the *Implementation Specifications for Authorized Operation of Public Data Resources*, public data must pass through *authorized operation* (授权运营) and be converted into *public data products* before it can be traded. Public data, in its raw resource form, is not a tradable object — only the products built on top of it.

## The current trading-object landscape

Wang's summary of the practical scope of tradable objects on Chinese data exchanges:

- **Data resources** — tradable under Article 6's catch-all, both on-exchange and off-exchange (with the public-data exception).
- **Data products (narrow)** — the core tradable object. Includes analytic reports, indices, data sets, API products, encrypted data products.
- **Data services / data tools (broad data products)** — methods or instruments for processing data, tradable as their own category.

The exchange ecosystem is still maturing. New trading object types may emerge as the regime develops, and the trading rules will continue to be refined.
## Why this matters for overseas teams

Three operational takeaways for overseas counsel and compliance leads engaging with the Chinese data exchange ecosystem:

- **Categorize before you transact.** Whether you're a buyer or a seller, the first question is what *kind* of object you're trading. A data set is a different category from an analytical report (both data products, but with different compliance profiles). A SaaS analytics platform sold to a Chinese counterparty may sit in *data tools*, not *data products*. The categorization determines licensing path, classification obligations, and (for cross-border transactions) export-compliance obligations.
- **Public data has a different transactional path.** Public data resources cannot be acquired by foreign entities directly. They must be turned into public data products via the authorized-operation regime first. Foreign entities partnering on public-data-derived products should structure the partnership through an *authorized operating institution* (运营机构) recognized under the *Public Data Resources Registration Interim Measures*.
- **The narrow vs. broad distinction matters for IP and product structure.** A data service business model (algorithm-as-a-service, classification-as-a-service) operates under different rules than a data product business model (selling the resulting data set). Where the business is sold matters too — services trade differently from products on most exchanges.

The underlying point in Wang's piece is that **the Chinese data-element market has a much richer trading object taxonomy than the Western "data licensing" framing**. A multinational treating data trading as a single category will miss the operational handles that the four-category framework provides.

---

— Wang Qinglan (王青兰), *数据交易,到底在交易什么?* (Data Trading — What Is Actually Being Traded?), 青兰数据观察 WeChat Official Account, May 28, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/xFM7nS_E0BoB272Im6Mciw)

*Not legal advice.
The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

## Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.

- Published: 2024-04-11
- Author: DCC Editorial
- Tags: public-data, credit-reference, authorized-operation, case-study, commentary
- Laws cited: pipl, public-data-registration-interim-measures, public-data-authorized-operation-specifications
- Domains: personal-information, data-economy, enforcement
- URL: https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case/
- Markdown: https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case.md
- Original source: https://mp.weixin.qq.com/s/EOP5UAW6V3n1HRYW1KYPeg
- Original author: 王青兰 (Wang Qinglan)
- Original publication: 青兰数据观察

### Description

A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.

### Body

> *Editor's Note — DCC.*
>
> Public-data authorized operation (公共数据授权运营) is one of the most active growth areas in China's data-element market. Wang Qinglan's case study illustrates one of its most common failure modes: an operator with public-data rights treats those rights as a general license to do anything with the data, missing that other regulatory regimes — here, the credit reference business licensing regime — apply on top of the public-data framework.
> This is short for a Wang piece (under 1500 words in the original) but the analytical pattern is generally useful for overseas counsel advising on public-data products.

## The case

A state-affiliated auction company in a Chinese city holds the operating right to vehicle license-plate auction data. (The license-plate auction system is how the city allocates a capped number of new license plates each year.) Winning bidders' personal data — name, contact information, payment information, vehicle details — flows through the auction platform.

A bank approaches the auction company with a proposal:

- The auction company gives the bank the personal data of winning bidders.
- The bank uses the data to design a targeted credit product for new vehicle purchasers — license-plate winners are a high-creditworthiness segment.
- The bank pays the auction company **RMB 12 million per year** in revenue share.

The auction company agreed.

**Wang's question: was the auction company's conduct compliant?**

## The two failures

### Failure 1 — No individual consent under PIPL

The first issue is PIPL. The auction company's *public-data operating right* lets it process the auction data on behalf of the government grantor for the authorized purpose (typically, running the auction platform and providing official services). It does not vest the auction company with general consent to share the personal data of winning bidders with third parties for unrelated commercial purposes.

PIPL Article 13 requires a lawful basis for each processing activity. The most common bases — *individual consent*, *contract necessity*, *legal obligation* — would have to be re-grounded for the bank-sharing activity. None of them obviously applied here.

If the auction company had not obtained individual consent from each winning bidder authorizing the bank-sharing, the sharing was unlawful. *On the facts of the case, the company had not.* That alone makes the transaction non-compliant.
But the deeper problem follows.

### Failure 2 — No credit reference business license

The auction company's conduct also constitutes ***credit reference business*** (征信业务), and credit reference business is a licensed activity in China. Operating it without a license is unlawful — and the auction company did not have one.

This is the part overseas counsel most often miss when advising on Chinese public-data deals. **Public-data authorized operation does not exempt the operator from sector-specific licensing requirements**. Other regulatory regimes — credit reference, banking, insurance, healthcare, geographic data — stack on top of the public-data framework.

The legal anchors:

- **Article 2 of the *Credit Reference Industry Regulation*** (《征信业管理条例》) defines credit reference business as *"the collection, organization, retention, processing of credit information about enterprises, public institutions, and individuals, and provision of that information to information users."*
- **Article 3 of the *Credit Reference Business Administrative Measures*** (《征信业务管理办法》) further specifies that credit reference business serves *financial and similar activities* — to identify and evaluate the creditworthiness of enterprises and individuals.
- **Article 5 of the Credit Reference Business Measures**: *"Financial institutions may not engage in commercial cooperation to obtain credit reference services with market entities that have not obtained the lawful credit reference business qualification."*

That last article is the bank's exposure too. By contracting with the unlicensed auction company for credit-reference-purpose data, the bank also violated the regulation.

### The two licensing tracks

A critical operational detail in the regulation:

- **Personal credit reference business** (个人征信业务) — requires a **license** from the PBoC. Setting one up requires PBoC approval; the regulator has, in practice, issued personal credit reference licenses to a small number of institutions.
- **Enterprise credit reference business** (企业征信业务) — requires **filing** with the PBoC's local office. The filing standard is lower than personal credit licensing.

In the case, the auction company was processing *individuals'* data for credit purposes — so the licensing track is personal credit reference. No license, no operation. Even if the auction company had separately obtained individual consent under PIPL, the absence of a personal credit reference license would still have made the conduct unlawful.

Wang's summary: *"This company probably stacked both non-compliance buffs to the maximum. Genuinely criminal."*

## The operational test

The decisive question — for any business considering a transaction involving downstream financial-activity use of personal data — is **"is the use for financial activity?"** (是否用于金融活动). If yes, credit reference business licensing/filing applies. Public-data authorized operation does not displace that requirement.

The two-pronged test for credit reference business per the regulation:

1. Is the data *credit information* (信用信息) — information used to identify and evaluate creditworthiness?
2. Is the data being used for *financial or similar activities*?

If both are yes, the activity is credit reference business. The license is required for personal data; filing is required for enterprise data.

## Why this matters for overseas teams

Three operational takeaways:

- **Public-data authorized operation is one license among many, not a master license.** A public-data operator's permitted operations are bounded by *both* the public-data authorization terms *and* every other sector-specific regime that applies to the underlying activity. When the downstream use is financial, the credit reference licensing regime applies separately. When the downstream use is healthcare, the healthcare-data and medical-device regimes apply. When the downstream use is education, education-sector PI rules apply.
Public-data status is not a shortcut around sector-specific rules.
- **Foreign entities partnering on Chinese public-data products should map the downstream-use regulatory stack before structuring the deal.** A China subsidiary acquiring or licensing a public-data product for cross-border use must satisfy: (a) the public-data authorization terms; (b) PIPL consent / contractual basis requirements for any PI in the data; (c) any sector-specific licensing applicable to the downstream use; (d) cross-border export pathway requirements if the data leaves China.
- **The case is also a reminder of the criminal exposure.** Criminal Law Article 253-1 — sale and provision of citizen personal information without consent or in violation of regulations — applies. The PI Audit Measures and the 2026 PI Special Action (six high-risk sectors including finance) put financial-data flow on the regulator's enforcement priority list. Foreign-invested banks and financial-services providers in particular should treat this case as a leading enforcement risk.

The underlying point in Wang's piece is that **public-data authorized operation is a permission, not an immunity**. The auction company's mistake was treating the authorization as a general license — and the credit reference licensing regime caught up with that mistake.

---

— Wang Qinglan (王青兰), *案例分析 | 公共数据授权运营后提供给金融机构是否须取得征信业务资质?* (Case Analysis — After Public-Data Authorized Operation, Does Providing to Financial Institutions Require Credit Reference Business Qualification?), 青兰数据观察 WeChat Official Account, April 11, 2024. [Original article (Chinese).](https://mp.weixin.qq.com/s/EOP5UAW6V3n1HRYW1KYPeg)

*Not legal advice. The above is DCC's structured summary of Wang's commentary; not a verbatim translation. The author's views are her own and do not represent her employer.*

---

# III. GLOSSARY (Bilingual ZH-EN)

361 terms across 12 sections. Structured JSON available at https://datacompliancechina.com/glossary.json.

## §1. Data Types (数据类型)

- **数据** = data
- **原始数据** = raw data / primary data — NDA Common Data Terms Batch 1 (2024) uses "primary data"
- **衍生数据** = derived data
- **网络数据** = network data — introduced as a defined term by the Network Data Security Regulation
- **训练数据** = training data — GenAI Measures Art 7
- **数据资源** = data resources — Gov Data Sharing Regulations usage
- **数据产品和服务** = data products and services — NDA Common Data Terms Batch 1 § 5
- **元数据** = metadata
- **结构化数据** = structured data
- **半结构化数据** = semi-structured data
- **非结构化数据** = unstructured data
- **个人信息** = personal information
- **敏感个人信息** = sensitive personal information
- **儿童个人信息** = personal information of children
- **未成年人个人信息** = personal information of minors
- **生物识别信息** = biometric information
- **人脸信息** = facial information — SPC FRT Interpretation core term
- **重要数据** = important data
- **核心数据** = core data
- **国家核心数据** = national core data
- **一般数据** = general data
- **公共数据** = public data
- **政务数据** = government data
- **企业数据** = enterprise data
- **数据资产** = data assets
- **数据要素** = data elements
- **重要数据目录** = catalogue of important data

## §2. Data Processing & Compliance Management (数据处理与合规管理)

- **处理** = processing
- **数据处理** = data processing / data handling — NDA Batch 1 uses "data handling" (collect / store / use / process / transmit / provide / publish)
- **数据处理活动** = data processing activities
- **数据处理者** = data processor / data handler — DSL term (generic) — "data handler" in CAC and NDA translations
- **网络数据处理者** = network data handler — Network Data Security Regulation term
- **个人信息处理者** = personal information handler — PIPL Article 73 — DO NOT render as "data controller"
- **个人** = the individual / the individual concerned — PIPL's preferred rights-holder term, not "personal information subject"
- **受托处理者** = entrusted processor
- **受托数据处理者** = commissioned data handler / trustee data processor — NDA Batch 1 § 10 uses "commissioned data handler"
- **数据治理** = data governance
- **数据流通** = data circulation / data flow — NDA Batch 1 § 11 uses "data circulation"; "data flow" common in cross-border context (not GDPR-style "data flow")
- **委托处理** = entrusted processing
- **共同处理** = joint processing
- **公开披露** = public disclosure
- **转让** = transfer
- **共享** = sharing
- **个人信息主体** = personal information subject — Pre-PIPL standard term; PIPL itself uses "个人" (individual)
- **数据主体** = data subject — GDPR vocabulary; preserve if the source author chose it, do not back-fit onto PIPL
- **单独同意** = separate consent
- **明示同意** = explicit consent
- **一揽子同意** = bundled consent — SPC FRT Interpretation Art 4 — invalid consent pattern
- **告知** = notice
- **知情同意** = informed consent
- **实名核验** = real-name verification — Deep Synthesis / GenAI / Algo Rec triple requirement
- **真实身份信息** = real identity information
- **个人信息保护影响评估** = Personal Information Protection Impact Assessment (PIPIA) — PIPL Arts 55–56 render verbally as "impact assessment on personal information protection"
- **风险评估** = risk assessment
- **数据安全风险评估** = data security risk assessment
- **自评估** = self-assessment — term used across CBDT pathways
- **安全事件** = security incident
- **个人信息安全事件** = personal information security incident
- **网络安全事件** = cybersecurity incident
- **数据安全事件** = data security incident
- **应急预案** = emergency response plan
- **应急响应** = emergency response
- **自动化决策** = automated decision-making
- **用户画像** = user profiling
- **精准营销** = targeted marketing
- **去标识化** = de-identification
- **匿名化** = anonymization
- **最小必要** = minimum necessary
- **合法、正当、必要** = lawful, legitimate, and necessary
- **数据治理** = data governance
- **数据安全** = data security
- **数据分类分级** = data classification and grading — also rendered "classified and hierarchical protection of data" in regulations
- **分类分级保护** = classified and hierarchical protection
- **合规审计** = compliance audit
- **个人信息保护合规审计** = personal information protection compliance audit
- **个人信息保护负责人** = person in charge of personal information protection
- **专门机构** = specialized agency — third-party PI-audit body under the 2025 Audit Measures
- **专门安全管理机构** = specialized security management body — CIIO obligation under CII Regulations Art 14-15
- **履行个人信息保护职责的部门** = authorities performing duties of personal information protection
- **保护机构** = protection authority — informal shorthand used in the Audit Measures
- **保护工作部门** = protection authority — CII Regulations usage
- **主管部门** = competent authority
- **监督管理部门** = supervisory authority
- **重要互联网平台服务** = important Internet platform services — PIPL Art 58 — large-platform obligation trigger
- **党政机关** = Party and government organs
- **企事业单位** = enterprises and public institutions
- **公共服务** = public services
- **公益事业** = public welfare
- **公开招标** = public bidding
- **邀请招标** = invited bidding
- **数据安全主体责任** = primary responsibility for data security
- **实施方案** = implementation plan
- **行政权力** = administrative power
- **市场支配地位** = market dominant position
- **排除、限制竞争** = exclude or restrict competition
- **网络平台运营者** = network platform operator
- **网络平台** = network platform
- **社会责任报告** = social responsibility report
- **网络产品和服务** = network products and services
- **网络安全服务机构** = cybersecurity service agency
- **安全保密协议** = security confidentiality agreement

## §3. Cross-Border Data Flow (数据出境)

- **数据出境** = cross-border data transfer — PIPL itself uses the verbal "provide personal information outside the territory of the PRC"
- **数据跨境流动** = cross-border data flows
- **跨境提供个人信息** = cross-border provision of personal information
- **跨境处理** = cross-border processing
- **境外接收方** = overseas recipient
- **数据出境安全评估** = Data Export Security Assessment — PIPL renders verbally as "security evaluation organized by the CAC" — 评估 is rendered both as "assessment" and "evaluation"
- **安全评估** = security assessment
- **出境安全评估** = outbound security assessment
- **评估申报** = assessment declaration / declaration for security assessment
- **评估通过** = passing the security assessment
- **个人信息出境标准合同** = Standard Contract for Cross-Border Transfer of Personal Information
- **个人信息出境标准合同备案** = Personal Information Standard Contract Filing
- **标准合同** = Standard Contract
- **个人信息保护认证** = Personal Information Protection Certification
- **认证** = certification — CAC Cross-border Provisions sometimes render 认证 as "authentication" — both are in circulation
- **认证机构** = certification body — new under the 2026 PI Outbound Certification Measures
- **认证证书** = certification certificate
- **认证标志** = certification mark
- **备案** = filing
- **负面清单** = negative list
- **白名单** = whitelist
- **数据本地化** = data localization
- **本地存储** = local storage
- **出海** = overseas expansion
- **自由贸易试验区** = pilot free trade zone (FTZ) — introduced by the 2024 Cross-border Provisions Art 6 negative-list mechanism
- **自贸区** = pilot free trade zone (FTZ)

## §4. Data Property Rights & Trading (数据产权与交易)

- **数据产权** = Data Property Rights
- **数据产权登记** = Data Property Rights Registration
- **数据持有权** = Right to Hold Data
- **数据使用权** = Right to Use Data
- **数据经营权** = Right to Operate Data
- **数据交易** = data trading
- **交易主体** = trading subjects
- **交易标的** = subject matter of transaction
- **数据交易机构** = data trading institution
- **场内数据交易** = on-exchange data trading
- **数据场内交易** = on-exchange data trading — NDA Batch 2 § 9 — synonym for 场内数据交易
- **场外数据交易** = off-exchange data trading
- **数据场外交易** = off-exchange data trading — NDA Batch 2 § 10 — synonym for 场外数据交易
- **数据撮合** = data matching
- **数据交易撮合** = data trading matching — NDA Batch 2 § 11
- **第三方专业服务机构** = third-party professional service institutions
- **数据第三方专业服务机构** = data third-party professional service institution — NDA Batch 2 § 12
- **第三方法律服务机构** = third-party legal service institutions
- **数据要素市场化配置** = market-oriented allocation of data elements — NDA Batch 1 § 7
- **公共数据资源** = public data resources
- **授权运营** = authorized operation
- **实施机构** = implementing institution
- **运营机构** = operating institution
- **登记机构** = registration institution
- **登记主体** = registrant
- **登记申请人** = registration applicant
- **登记凭证** = registration certificate
- **赋码** = code issuance
- **数据基础制度** = fundamental data system
- **一体化数据市场** = integrated data market
- **数据要素市场** = data factor market
- **数据流通服务机构** = data circulation service institution
- **隐私计算** = privacy computing
- **政务数据共享** = government data sharing
- **数据描述** = data description
- **数据来源** = data source
- **数据存证** = data evidence preservation
- **数据指纹** = data fingerprint
- **数据水印** = data watermark
- **数据入表** = data balance-sheet entry
- **数据资产化** = data assetization
- **数据资产资本化** = data asset capitalization
- **异议** = objection
- **异议处理** = objection handling
- **初次登记** = initial registration
- **转让登记** = transfer registration
- **变更登记** = change registration
- **续期登记** = renewal registration
- **注销登记** =
deregistration - **续期** = renewal - **注销** = deregistration - **权利限制** = rights limitation - **多源数据** = multi-source data - **衍生创造** = derivative creation - **自动化程序** = automated procedures ## §5. Key Laws & Regulations (法律法规) - **网络安全法** = Cybersecurity Law (CSL) - **数据安全法** = Data Security Law (DSL) - **个人信息保护法** = Personal Information Protection Law (PIPL) - **个保法** = Personal Information Protection Law (PIPL) - **民法典** = Civil Code - **反电信网络诈骗法** = Anti-Telecom and Online Fraud Law - **网络数据安全管理条例** = Regulation on Network Data Security Management — State Council Decree No. 790 — official rendering uses singular "Regulation" - **关键信息基础设施安全保护条例** = Security Protection Regulations for Critical Information Infrastructure — State Council Decree No. 745 - **未成年人网络保护条例** = Regulations on the Protection of Minors in Cyberspace — State Council Decree No. 766 - **政务数据共享条例** = Regulations on the Sharing of Government Data — State Council Decree No. 809 - **数据出境安全评估办法** = Measures for the Security Assessment of Data Export — CAC Decree No. 11 - **促进和规范数据跨境流动规定** = Provisions on Promoting and Regulating Cross-border Data Flows — CAC Decree No. 16 — note "Cross-border" (lowercase b) in official translation - **个人信息出境标准合同办法** = Measures on the Standard Contract for the Outbound Transfer of Personal Information — CAC Decree No. 13, effective 2023-06-01 - **个人信息出境标准合同备案指南** = Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information — CAC procedural guide accompanying SCC Measures - **个人信息出境认证办法** = Measures for the Certification of the Cross-border Provision of Personal Information — CAC + SAMR Order No. 20, effective 2026-01-01 - **个人信息保护认证实施规则** = Implementation Rules for Personal Information Protection Certification - **个人信息保护合规审计管理办法** = Administrative Measures for Personal Information Protection Compliance Audits — CAC Decree No. 
18, effective 2025-05-01 - **个人信息安全规范** = Personal Information Security Specification - **网络安全审查办法** = Cybersecurity Review Measures — CAC + 12-agency Decree No. 8 - **互联网信息服务算法推荐管理规定** = Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services — CAC + 3 Decree No. 9 - **互联网信息服务管理办法** = Administrative Measures for Internet Information Services — State Council, foundational ICP regulation (2000, revised 2011, 2024) - **人工智能拟人化互动服务管理暂行办法** = Interim Measures for the Management of AI Anthropomorphic Interaction Services — CAC + 4-agency Order No. 21, effective 2026-07-15 - **生成式人工智能服务管理暂行办法** = Interim Measures for the Management of Generative Artificial Intelligence Services — CAC + 6 Decree No. 15 - **互联网信息服务深度合成管理规定** = Provisions on the Administration of Deep Synthesis of Internet Information Services — CAC + 2 Order No. 12 - **人工智能生成合成内容标识办法** = Measures for the Labeling of AI-Generated and Composed Content — CAC + 3 Guo Xin Ban Tong Zi [2025] No. 2 - **最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定** = Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information ## §6. 
Regulators & Authorities (监管机构) - **国家互联网信息办公室** = Cyberspace Administration of China (CAC) - **国家网信办** = Cyberspace Administration of China (CAC) - **网信办** = Cyberspace Administration of China (CAC) - **中央网信办** = Office of the Central Cyberspace Affairs Commission - **网络安全审查办公室** = Cybersecurity Review Office - **国家数据局** = National Data Administration (NDA) - **国务院** = State Council - **工信部** = Ministry of Industry and Information Technology (MIIT) - **公安部** = Ministry of Public Security (MPS) - **国家安全部** = Ministry of State Security (MSS) - **国家市场监督管理总局** = State Administration for Market Regulation (SAMR) - **国家发展和改革委员会** = National Development and Reform Commission (NDRC) - **发改委** = National Development and Reform Commission (NDRC) - **教育部** = Ministry of Education (MOE) - **科学技术部** = Ministry of Science and Technology (MOST) - **科技部** = Ministry of Science and Technology (MOST) - **财政部** = Ministry of Finance (MOF) - **商务部** = Ministry of Commerce (MOFCOM) - **中国人民银行** = People's Bank of China (PBOC) - **国家广播电视总局** = State Administration of Radio and Television (NRTA) - **中国证券监督管理委员会** = China Securities Regulatory Commission (CSRC) - **证监会** = China Securities Regulatory Commission (CSRC) - **国家保密局** = State Secrecy Administration (SSA) - **国家密码管理局** = State Cryptography Administration (SCA) - **中国信通院** = China Academy of Information and Communications Technology (CAICT) - **全国信息安全标准化技术委员会** = National Information Security Standardization Technical Committee (TC260) - **最高人民法院** = Supreme People's Court (SPC) - **最高人民检察院** = Supreme People's Procuratorate (SPP) - **人民法院** = People's Court - **人民检察院** = People's Procuratorate ## §7. 
Cybersecurity & Critical Information Infrastructure - **网络** = network - **网络运营者** = network operator - **关键信息基础设施** = critical information infrastructure (CII) - **关键信息基础设施运营者** = critical information infrastructure operator (CIIO) - **运营者** = operator — CII Regulations shorthand - **关键信息基础设施认定** = identification of critical information infrastructure - **关键信息基础设施识别** = identification of critical information infrastructure - **网络安全等级保护制度** = Multi-Level Protection Scheme (MLPS) - **等级保护** = Multi-Level Protection Scheme (MLPS) - **网络安全审查** = cybersecurity review - **海外上市** = overseas listing — Cybersecurity Review Measures Art 7 — listing-trigger - **供应链安全** = supply chain security - **网络安全** = cybersecurity - **网络空间** = cyberspace - **主权** = sovereignty - **网络主权** = cyber sovereignty ## §8. AI & Algorithms - **人工智能** = artificial intelligence (AI) - **生成式人工智能** = generative artificial intelligence - **生成式人工智能服务** = generative AI services - **生成式人工智能服务提供者** = generative AI service provider - **深度合成** = deep synthesis - **深度合成服务** = deep synthesis services - **深度合成服务提供者** = deep synthesis service provider - **深度合成技术** = deep synthesis technology - **算法** = algorithm - **算法服务** = algorithmic services - **算法推荐** = algorithmic recommendation - **算法推荐服务** = algorithmic recommendation services - **算法推荐服务提供者** = algorithmic recommendation service provider - **算法备案** = algorithm filing - **算法安全评估** = algorithm security assessment - **个性化推荐** = personalized recommendation - **不合理差别待遇** = unreasonable differential treatment — Algo Rec Provisions Art 21 — anti-price-discrimination - **大数据杀熟** = algorithmic price discrimination against existing users — informal but ubiquitous Chinese-public term - **人工智能生成合成内容** = AI-generated and composed content - **显式标识** = visible label / explicit label — Labeling Measures — user-facing - **隐式标识** = implicit label — metadata / watermark - **显著标识** = prominent label — Deep Synthesis Provisions usage - **数字水印** = digital watermark - 
**内容元数据** = content metadata - **内容生态治理** = content ecosystem governance - **人脸识别** = facial recognition - **人脸识别技术** = facial recognition technology - **人脸验证** = facial verification ## §9. Enforcement, Procedure & Liability (执法、程序与责任) - **约谈** = regulatory interview (yuetan) — PIPL Art 64 renders this simply as "interview" with a legal representative - **责令整改** = order to rectify - **责令改正** = order to make corrections - **行政处罚** = administrative penalty - **行政处分** = administrative sanction - **罚款** = fine - **没收违法所得** = confiscation of illegal gains - **通报批评** = public criticism - **下架** = removal from app stores - **暂停业务** = suspension of business - **吊销许可证** = revocation of business permit / license - **信用档案** = credit archives - **民事责任** = civil liability - **刑事责任** = criminal liability - **公益诉讼** = public-interest litigation - **侵权** = infringement / tort - **App违法违规收集使用个人信息** = illegal or excessive collection and use of personal information by apps ## §10. Document Types & Regulatory Format (文件类型与立法体例) - **法律** = law (NPC / NPCSC enactment) - **行政法规** = administrative regulation (State Council) - **部门规章** = departmental rule (ministerial) - **规范性文件** = normative document - **国家标准** = national standard - **推荐性国家标准** = recommended national standard (GB/T) - **强制性国家标准** = mandatory national standard (GB) - **司法解释** = judicial interpretation - **决定** = decision (e.g., NPC amendment decision) - **通知** = notice / circular - **指引** = guideline - **指南** = guide / guidelines - **主席令** = Presidential Decree - **国务院令** = State Council Decree - **暂行办法** = interim measures - **管理办法** = administrative measures - **管理规定** = administrative provisions - **实施细则** = implementation rules - **实施条例** = implementing regulation - **征求意见稿** = draft for public consultation - **修正** = amendment - **修订** = revision - **印发** = issuance / promulgation ## §11. 
Data Economy, Industry & Infrastructure (数据经济、产业与基础设施) - **数字经济** = digital economy - **数字技术** = digital technology - **数字基础设施** = digital infrastructure - **数字产业化** = digital industrialization — NDA Batch 1 § 16 - **产业数字化** = industrial digitalization — NDA Batch 1 § 17 - **数字经济高质量发展** = high-quality development of the digital economy — NDA Batch 1 § 18 - **数字消费** = digital consumption — NDA Batch 1 § 19 - **产业互联网** = Industrial Internet — NDA Batch 1 § 20 - **城市全域数字化转型** = citywide digital transformation — NDA Batch 1 § 21 - **东数西算工程** = East Data and West Computing project — NDA Batch 1 § 22 - **高速数据网** = high-speed data network — NDA Batch 1 § 23 - **全国一体化算力网** = integrated national computing-power network — NDA Batch 1 § 24 - **数据产业** = data industry — NDA Batch 2 § 13 - **数据标注产业** = data labeling industry — NDA Batch 2 § 14 - **数字产业集群** = digital industry cluster — NDA Batch 2 § 15 - **可信数据空间** = trusted data space — NDA Batch 2 § 16 - **数据使用控制** = data use control — NDA Batch 2 § 17 - **数据基础设施** = data infrastructure — NDA Batch 2 § 18 - **算力** = computing power - **算力调度** = computing-power scheduling — NDA Batch 2 § 19 - **算力池化** = computing-power pooling — NDA Batch 2 § 20 - **算力资源池** = computing-power resource pool ## §12. 
Privacy-Enhancing & Data Engineering Technologies (隐私计算与数据工程技术) - **隐私保护计算** = privacy-protective computation — NDA Batch 1 § 35; also "privacy computing" (隐私计算) - **安全多方计算** = secure multi-party computing — NDA Batch 1 § 36 - **联邦学习** = federated learning — NDA Batch 1 § 37 - **可信执行环境** = trusted execution environment (TEE) — NDA Batch 1 § 38 - **密态计算** = cryptographic computing — NDA Batch 1 § 39 - **区块链** = blockchain — NDA Batch 1 § 40 - **智能合约** = smart contract - **同态加密** = homomorphic encryption - **混淆电路** = confusion circuit / garbled circuit - **不经意传输** = oblivious transfer / inadvertent transmission - **秘密分享** = secret sharing - **数据分析** = data analysis - **数据挖掘** = data mining - **数据可视化** = data visualization - **数据仓库** = data warehouse - **数据湖** = data lake - **湖仓一体** = integration of lake and warehouse / data lakehouse --- *End of corpus. Generated 2026-05-29 from https://datacompliancechina.com.*