{ "version": "1.0", "generated_at": "2026-05-29T03:51:52.505Z", "site": { "url": "https://datacompliancechina.com", "name": "Data Compliance China", "tagline": "China data law, for overseas counsel.", "description": "Built for overseas counsel and compliance teams reading China's data-compliance laws in depth. DCC translates primary regulatory sources carefully and adds editorial context on how the rules actually operate.", "author": "DCC Editorial", "language": "en" }, "counts": { "briefs": 36, "laws": 35, "accounts": 11, "domains": 11, "glossary_terms": 361, "glossary_sections": 12 }, "surfaces": { "curated_index": "https://datacompliancechina.com/llms.txt", "full_corpus": "https://datacompliancechina.com/llms-full.txt", "glossary_json": "https://datacompliancechina.com/glossary.json", "sitemap": "https://datacompliancechina.com/sitemap-index.xml", "rss": "https://datacompliancechina.com/rss.xml", "brief_markdown": "https://datacompliancechina.com/posts/.md", "law_markdown": "https://datacompliancechina.com/laws/.md" }, "briefs": [ { "slug": "datatang-v-yinmu-data-ip-registration-case", "title": "Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected", "url": "https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case/", "markdown_url": "https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case.md", "published": "2026-05-29T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "judicial", "data-property-rights", "data-registration", "anti-unfair-competition", "ai-training-data", "open-source", "case" ], "laws_cited": [ "data-foundation-system-opinions", "data-property-rights-registration-guide-draft", "dsl" ], "domains": [ "data-economy", "data-security" ], "account": "shenzhen-data-exchange", "description": "A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'", "original": { "title": "数据堂诉隐木公司 AI 训练数据源案 — 全国首例涉数据知识产权登记证书效力案 (consolidated)", "author": "Beijing IP Court (2024)京73民终546号; commentary by 法律与新经济, 清华大学智能法治研究院, 深圳数据交易所 DEXC+", "publication": "Multiple — see sources below", "url": "https://mp.weixin.qq.com/s/RRsiqVpVcL6eXG077JCjvQ", "language": "zh" } }, { "slug": "xu-ke-anonymization-zombie-provision", "title": "Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime", "url": "https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision/", "markdown_url": "https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision.md", "published": "2026-05-28T09:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "anonymization", "personal-information", "data-economy", "de-identification", "commentary" ], "laws_cited": [ "pipl", "csl", "dsl", "network-data-security-regulations" ], "domains": [ "personal-information", "data-security", "data-economy" ], "account": "xu-ke", "description": "Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.", "original": { "title": "复活僵尸法条:个人信息匿名化制度的再造", "author": "许可 (Xu Ke), UIBE", "publication": "《财经法学》(Finance and Economics Law Journal), Issue 4, 2024; reposted via 数字经济与社会 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/yaO_RB-rzTKouqevxCb-Xw", "language": "zh" } }, { "slug": "xu-ke-data-rights-block-structure", "title": "The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework", "url": "https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure/", "markdown_url": "https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure.md", "published": "2026-05-28T08:30:00.000Z", "author": "DCC Editorial", "featured": false, "tags": [ "data-property-rights", "data-rights-theory", "data-twenty", "data-economy", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "pipl", "dsl", "data-property-rights-registration-guide-draft" ], "domains": [ "data-economy", "personal-information", "data-security" ], "account": "xu-ke", "description": "Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.", "original": { "title": "数据权利:范式统合与规范分殊", "author": "许可 (Xu Ke), UIBE", "publication": "《政法论坛》(Tribune of Political Science and Law), Issue 4, 2021, pp. 86-96; reposted via 政法论坛 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/0l_QZgvXbMKQ2I50aOqxaA", "language": "zh" } }, { "slug": "xu-ke-data-asset-identification", "title": "When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets", "url": "https://datacompliancechina.com/posts/xu-ke-data-asset-identification/", "markdown_url": "https://datacompliancechina.com/posts/xu-ke-data-asset-identification.md", "published": "2026-05-28T08:15:00.000Z", "author": "DCC Editorial", "featured": false, "tags": [ "data-asset", "data-property-rights", "data-on-balance-sheet", "data-economy", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "pipl", "public-data-authorized-operation-specifications", "data-property-rights-registration-guide-draft" ], "domains": [ "data-economy", "personal-information" ], "account": "xu-ke", "description": "Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet.", "original": { "title": "数据资产的识别与界定", "author": "许可 (Xu Ke), UIBE", "publication": "《企业家》杂志 (Entrepreneur Magazine); reposted via 企业家杂志 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/i8LzBioix-fTBB-_FcGC-g", "language": "zh" } }, { "slug": "yao-qian-pi-anonymization-relativity", "title": "From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative", "url": "https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity/", "markdown_url": "https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity.md", "published": "2026-05-28T08:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "anonymization", "personal-information", "de-identification", "cross-border-data", "commentary" ], "laws_cited": [ "pipl", "csl", "dsl", "network-data-security-regulations" ], "domains": [ "personal-information", "data-security", "cross-border" ], "account": "sansuo-data-security", "description": "The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.", "original": { "title": "个人信息匿名化的一些问题", "author": "姚迁 (Yao Qian), TRIMPS Data Security Technology R&D Center", "publication": "三所数据安全 (TRIMPS Data Security) WeChat Official Account", "url": "https://mp.weixin.qq.com/s/B420B2O-X0QYCi86slnuaA", "language": "zh" } }, { "slug": "zhu-xiaofeng-genai-pi-causation-unclear-liability", "title": "Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy", "url": "https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability/", "markdown_url": "https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability.md", "published": "2026-05-28T07:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "ai-governance", "genai", "personal-information", "causation", "liability", "commentary" ], "laws_cited": [ "pipl", "civil-code-personal-info", "genai-services-interim-measures", "personal-info-audit-measures" ], "domains": [ "ai-governance", "personal-information", "data-security" ], "account": "dejyfz", "description": "Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.", "original": { "title": "学术|朱晓峰:生成式人工智能个人信息侵权因果关系不明时的责任认定", "author": "朱晓峰 (Zhu Xiaofeng), Central University of Finance and Economics Law School", "publication": "《政法论坛》(Tribune of Political Science and Law), Issue 6, 2025; reposted via 数字经济与法治 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/V1EbvwB4Ib-fc5j0EgT3Zw", "language": "zh" } }, { "slug": "ai-lin-platform-gig-worker-pi-protection", "title": "Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It", "url": "https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection/", "markdown_url": "https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection.md", "published": "2026-05-28T06:30:00.000Z", "author": "DCC Editorial", "featured": false, "tags": [ "personal-information", "platform-economy", "gig-economy", "employment", "commentary" ], "laws_cited": [ "pipl", "civil-code-personal-info", "algorithmic-recommendation-provisions", "personal-info-audit-measures" ], "domains": [ "personal-information", "app-compliance" ], "account": "dejyfz", "description": "Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.", "original": { "title": "学术|艾琳:平台用工中个人信息保护的困境表现与规则回应", "author": "艾琳 (Ai Lin), Jilin University Law School and Theoretical Law Research Center", "publication": "《政治与法律》(Political Science and Law), Issue 3, 2026; reposted via 数字经济与法治 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/vl6-9obLhfkCA8p5qEvw2g", "language": "zh" } }, { "slug": "tang-linyao-data-broker-derivative-harms", "title": "Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'", "url": "https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms/", "markdown_url": "https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms.md", "published": "2026-05-28T06:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-economy", "data-broker", "data-exchange", "derivative-harm", "privacy", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "pipl", "dsl", "personal-info-audit-measures", "network-data-security-regulations" ], "domains": [ "data-economy", "data-security", "personal-information" ], "account": "dejyfz", "description": "Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.", "original": { "title": "学术|唐林垚:数据经纪的衍生风险与法律应对", "author": "唐林垚 (Tang Linyao), Chinese Academy of Social Sciences Law Institute", "publication": "《法学家》(The Jurist), Issue 2, 2026; reposted via 数字经济与法治 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/L4A6N26tXnN05iSxqMNe3w", "language": "zh" } }, { "slug": "wang-nian-data-source-rights-as-fair-use", "title": "Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights", "url": "https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use/", "markdown_url": "https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use.md", "published": "2026-05-28T05:30:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-property-rights", "data-twenty", "data-source-rights", "data-economy", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "data-property-rights-registration-guide-draft", "pipl", "civil-code-personal-info" ], "domains": [ "data-economy", "personal-information" ], "account": "dejyfz", "description": "Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.", "original": { "title": "学术|王年:数据来源者权利及其实现——基于数据共生的视角", "author": "王年 (Wang Nian), Tsinghua University Law School", "publication": "《财经法学》(Finance and Economics Law Journal), Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/DeoiXUp2emdS-yjzWl8o7g", "language": "zh" } }, { "slug": "samr-ghost-takeout-data-compliance-lessons", "title": "Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine", "url": "https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons/", "markdown_url": "https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons.md", "published": "2026-05-28T04:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "enforcement", "samr", "platform-liability", "personal-information", "commentary" ], "laws_cited": [ "pipl", "network-data-security-regulations", "personal-info-audit-measures", "dsl" ], "domains": [ "enforcement", "personal-information", "data-security", "app-compliance" ], "account": "data-he-gui", "description": "In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.", "original": { "title": "巨额处罚电商平台系列案对企业数据合规责任的启示", "author": "黄春林、柴明银 (Huang Chunlin, Chai Mingyin)", "publication": "数据何规 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/9w4AQMPmH9roj2qiILuHTw", "language": "zh" } }, { "slug": "ai-agent-rules-risk-taxonomy", "title": "Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规", "url": "https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy/", "markdown_url": "https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy.md", "published": "2026-05-28T03:30:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "ai-agents", "ai-governance", "genai", "commentary" ], "laws_cited": [ "genai-services-interim-measures", "algorithmic-recommendation-provisions", "deep-synthesis-provisions", "ai-content-labeling-measures" ], "domains": [ "ai-governance", "data-security", "personal-information" ], "account": "data-he-gui", "description": "China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.", "original": { "title": "从《智能体新规》看AI智能体的风险防范与合规治理(上)", "author": "朱垒 (Zhu Lei)", "publication": "数据何规 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA", "language": "zh" } }, { "slug": "ai-agent-rules-governance-framework", "title": "Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework", "url": "https://datacompliancechina.com/posts/ai-agent-rules-governance-framework/", "markdown_url": "https://datacompliancechina.com/posts/ai-agent-rules-governance-framework.md", "published": "2026-05-28T03:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "ai-agents", "ai-governance", "genai", "compliance-program", "commentary" ], "laws_cited": [ "genai-services-interim-measures", "algorithmic-recommendation-provisions", "deep-synthesis-provisions", "personal-info-audit-measures" ], "domains": [ "ai-governance", "data-security", "personal-information" ], "account": "data-he-gui", "description": "Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.", "original": { "title": "从《智能体新规》看AI智能体的风险防范与合规治理(下)", "author": "朱垒 (Zhu Lei)", "publication": "数据何规 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/VAoNJBWEa7yM7TsOg0OMvw", "language": "zh" } }, { "slug": "open-source-ai-training-data-compliance", "title": "Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI", "url": "https://datacompliancechina.com/posts/open-source-ai-training-data-compliance/", "markdown_url": "https://datacompliancechina.com/posts/open-source-ai-training-data-compliance.md", "published": "2026-05-28T02:30:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "ai-governance", "open-source", "training-data", "copyright", "commentary" ], "laws_cited": [ "genai-services-interim-measures", "pipl", "dsl", "csl" ], "domains": [ "ai-governance", "personal-information", "data-security" ], "account": "renmin-tribune", "description": "Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.", "original": { "title": "前沿 | 开源人工智能训练数据的合规治理", "author": "张平 (Zhang Ping), Peking University Law School", "publication": "人民论坛 (People's Tribune), April 1, 2026", "url": "https://www.rmlt.com.cn/2026/0401/748659.shtml", "language": "zh" } }, { "slug": "miit-2026-batch-3-31-app-public-naming", "title": "MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse", "url": "https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming/", "markdown_url": "https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming.md", "published": "2026-05-28T02:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "enforcement", "miit", "app-compliance", "pipl", "public-naming" ], "laws_cited": [ "pipl", "csl", "personal-info-audit-measures", "network-data-security-regulations" ], "domains": [ "enforcement", "personal-information", "app-compliance" ], "account": "miit-weibao", "description": "MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.", "original": { "title": "违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报!", "author": "工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau)", "publication": "工信微报 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA", "language": "zh" } }, { "slug": "nda-three-rights-structural-separation", "title": "NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself", "url": "https://datacompliancechina.com/posts/nda-three-rights-structural-separation/", "markdown_url": "https://datacompliancechina.com/posts/nda-three-rights-structural-separation.md", "published": "2026-05-28T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-property-rights", "data-twenty", "structural-separation", "data-economy", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "data-property-rights-registration-guide-draft", "public-data-authorized-operation-specifications", "public-data-registration-interim-measures" ], "domains": [ "data-economy", "data-security" ], "account": "ndb", "description": "The National Data Administration's official 政策解读 (policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules.", "original": { "title": "政策解读 | 如何理解数据产权结构性分置", "author": "国家数据局 (National Data Administration)", "publication": "国家数据局 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/AvOjnMGTAa2uNrC10aKGTg", "language": "zh" } }, { "slug": "nda-data-processor-property-rights-allocation", "title": "Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical", "url": "https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation/", "markdown_url": "https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation.md", "published": "2026-05-28T00:30:00.000Z", "author": "DCC Editorial", "featured": false, "tags": [ "data-property-rights", "data-twenty", "data-processor", "data-economy", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "pipl", "civil-code-personal-info", "data-property-rights-registration-guide-draft" ], "domains": [ "data-economy", "data-security", "personal-information" ], "account": "ndb", "description": "NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.", "original": { "title": "政策解读 | 数据处理者的数据产权配置安排", "author": "国家数据局 (National Data Administration)", "publication": "国家数据局 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/O1hmeSC9cSbYDg5-L3mXbA", "language": "zh" } }, { "slug": "nda-entrusted-data-processing-property-rights", "title": "Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights", "url": "https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights/", "markdown_url": "https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights.md", "published": "2026-05-28T00:00:00.000Z", "author": "DCC Editorial", "featured": false, "tags": [ "data-property-rights", "data-twenty", "entrusted-processing", "cloud", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "civil-code-personal-info", "pipl", "network-data-security-regulations" ], "domains": [ "data-economy", "data-security" ], "account": "ndb", "description": "NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.", "original": { "title": "政策解读 | 数据委托处理情形中的产权配置", "author": "国家数据局 (National Data Administration)", "publication": "国家数据局 WeChat Official Account", "url": "https://mp.weixin.qq.com/s/CGEjaiKF7ba1Imqjl2zvjA", "language": "zh" } }, { "slug": "important-data-category-not-tier", "title": "'Important Data' Is a Category, Not a Tier", "url": "https://datacompliancechina.com/posts/important-data-category-not-tier/", "markdown_url": "https://datacompliancechina.com/posts/important-data-category-not-tier.md", "published": "2026-05-04T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "important-data", "dsl", "commentary", "data-classification" ], "laws_cited": [ "dsl", "pipl" ], "domains": [ "data-security", "cross-border" ], "account": "wangan-xunluren", "description": "Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.", "original": { "title": "重要数据性质的再认识:级别概念 vs. 类别概念", "author": "洪延青", "publication": "网安寻路人", "url": "https://mp.weixin.qq.com/s/RmrIs3PZnEHkGsMl3vlutg", "language": "zh" } }, { "slug": "manus-foreign-investment-security-review", "title": "Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export", "url": "https://datacompliancechina.com/posts/manus-foreign-investment-security-review/", "markdown_url": "https://datacompliancechina.com/posts/manus-foreign-investment-security-review.md", "published": "2026-04-28T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "foreign-investment-security-review", "manus", "ai-agent", "cross-border", "commentary" ], "laws_cited": [ "pipl", "dsl", "data-export-security-assessment-measures", "foreign-investment-security-review-measures" ], "domains": [ "cross-border", "ai-governance", "cybersecurity-review" ], "account": "wangan-xunluren", "description": "Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.", "original": { "title": "Manus 案的监管范式选择:为什么是外商投资安全审查?", "author": "洪延青", "publication": "网安寻路人", "url": "https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw", "language": "zh" } }, { "slug": "qinglan-token-trading-cold-water", "title": "Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative", "url": "https://datacompliancechina.com/posts/qinglan-token-trading-cold-water/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-token-trading-cold-water.md", "published": "2026-04-24T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "tokens", "ai-training-data", "data-trading", "national-data-administration", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "common-data-terms-batch-1", "common-data-terms-batch-2" ], "domains": [ "data-economy", "ai-governance" ], "account": "qinglan-data", "description": "In March 2026, the National Data Administration released the *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)*, which explores a 'token (词元) based value system' and 'token trading as a new transaction mode' for high-quality data sets. The Chinese AI policy community immediately heralded the move as 'revolutionizing data trading.' Wang Qinglan pours cold water: token is a measuring unit, not a magic transformer. AI tokens are not crypto tokens. The bottleneck in China's data-element market isn't measurement — it's supply, rights clarity, compliance cost, and data silos.", "original": { "title": "给\"词元交易\"泼一盆冷水", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/0Nbcam7GbrYx8d31JmTGGA", "language": "zh" } }, { "slug": "pipl-criminal-threshold", "title": "When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold", "url": "https://datacompliancechina.com/posts/pipl-criminal-threshold/", "markdown_url": "https://datacompliancechina.com/posts/pipl-criminal-threshold.md", "published": "2026-04-22T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "criminal-liability", "pipl", "judicial-interpretation", "mozhi-case", "commentary" ], "laws_cited": [ "pipl", "civil-code-personal-info" ], "domains": [ "personal-information", "enforcement" ], "account": "wangan-xunluren", "description": "Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.", "original": { "title": "《个人信息保护法》背景下侵犯公民个人信息行为的罪与非罪认定标准分析", "author": "洪延青", "publication": "网安寻路人", "url": "https://mp.weixin.qq.com/s/5tXYwpeuLqkOLqv7xfTGgg", "language": "zh" } }, { "slug": "public-place-frt-necessity-framework", "title": "When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework", "url": "https://datacompliancechina.com/posts/public-place-frt-necessity-framework/", "markdown_url": "https://datacompliancechina.com/posts/public-place-frt-necessity-framework.md", "published": "2026-04-04T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "facial-recognition", "public-surveillance", "pipl-article-26", "proportionality-test", "commentary" ], "laws_cited": [ "pipl", "facial-recognition-judicial-interpretation", "public-security-video-image-system-regulations", "facial-recognition-technology-application-measures" ], "domains": [ "personal-information", "ai-governance", "enforcement" ], "account": "wangan-xunluren", "description": "Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.", "original": { "title": "公共场所视频监控与人脸识别的治理路径:国际经验与中国方案", "author": "洪延青", "publication": "网安寻路人", "url": "https://mp.weixin.qq.com/s/gZIJDP5j9RW8S4NJDw_Mow", "language": "zh" } }, { "slug": "compliance-talker-csl-2025-amendment-ai-and-penalties", "title": "China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed", "url": "https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties/", "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties.md", "published": "2026-01-12T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "csl", "csl-2025-amendment", "ai-governance", "penalties", "commentary" ], "laws_cited": [ "csl", "pipl", "dsl", "civil-code-personal-info" ], "domains": [ "cybersecurity-review", "data-security", "personal-information" ], "account": "compliance-talker", "description": "On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.", "original": { "title": "原创 || 中国新《网络安全法》:促进AI安全与发展,升级处罚力度强化网安责任", "author": "全球法律政策研究 (Global Legal Policy Research Team)", "publication": "合规小叨客", "url": "https://mp.weixin.qq.com/s/p20K896Ad94taTuoecZqnQ", "language": "zh" } }, { "slug": "qinglan-cross-border-data-discovery-three-jurisdictions", "title": "Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense", "url": "https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions.md", "published": "2026-01-08T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "cross-border", "data-sovereignty", "mlat", "cloud-act", "blocking-statute", "commentary" ], "laws_cited": [ "dsl", "pipl", "cross-border-data-flows-provisions" ], "domains": [ "cross-border", "enforcement" ], "account": "qinglan-data", "description": "When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.", "original": { "title": "跨境数据调取\"三国杀\":美欧中各出啥招?", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/oqxjw7PbmnQ7OEmkV4Uu8g", "language": "zh" } }, { "slug": "spc-data-disputes-case-category-and-data-registration", "title": "Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category", "url": "https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration/", "markdown_url": "https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration.md", "published": "2025-12-19T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-property-rights", "data-registration", "spc", "judicial-review", "commentary" ], "laws_cited": [ "data-property-rights-registration-guide-draft", "public-data-registration-interim-measures", "data-foundation-system-opinions" ], "domains": [ "data-economy", "enforcement" ], "account": "qinglan-data", "description": "Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts.", "original": { "title": "数据确权登记热潮,要被司法审查\"打回原形\"了?", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/wvM52Sexl8UWlr_dHD1yBQ", "language": "zh" } }, { "slug": "pipo-vs-dpo-pi-protection-officer-comparison", "title": "PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer", "url": "https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison/", "markdown_url": "https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison.md", "published": "2025-12-15T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "personal-information", "pipl", "gdpr-comparison", "data-protection-officer", "commentary" ], "laws_cited": [ "pipl", "personal-info-audit-measures" ], "domains": [ "personal-information", "enforcement" ], "account": "compliance-talker", "description": "The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.", "original": { "title": "原创 || 中国个人信息保护负责人与海外数据保护官的职责\"差异图鉴\"", "author": "全球法律政策研究 (Global Legal Policy Research Team)", "publication": "合规小叨客", "url": "https://mp.weixin.qq.com/s/eTH37QZSCSU6DUxiU6TQ-A", "language": "zh" } }, { "slug": "compliance-talker-cross-border-mutual-trust-trusted-data-spaces", "title": "Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet", "url": "https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces/", "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces.md", "published": "2025-11-20T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "cross-border", "trusted-data-space", "confidential-computing", "data-sovereignty", "commentary" ], "laws_cited": [ "dsl", "pipl", "csl", "cross-border-data-flows-provisions" ], "domains": [ "cross-border", "data-economy" ], "account": "compliance-talker", "description": "Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.", "original": { "title": "原创 || 数据要素跨境流动互信机制研究——探索兼顾安全与效率的互信机制", "author": "全球法律政策研究 (Global Legal Policy Research Team)", "publication": "合规小叨客", "url": "https://mp.weixin.qq.com/s/K0bJsC3XaNCWcws2wZBeCg", "language": "zh" } }, { "slug": "compliance-talker-frt-application-measures-impact", "title": "Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers", "url": "https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact/", "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact.md", "published": "2025-10-28T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "facial-recognition", "frt-measures", "sensitive-personal-information", "filing-regime", "commentary" ], "laws_cited": [ "facial-recognition-technology-application-measures", "facial-recognition-judicial-interpretation", "pipl" ], "domains": [ "personal-information", "enforcement" ], "account": "compliance-talker", "description": "The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.", "original": { "title": "原创 || 《人脸识别技术应用安全管理办法》解读与企业影响分析", "author": "全球法律政策研究 (Global Legal Policy Research Team)", "publication": "合规小叨客", "url": "https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g", "language": "zh" } }, { "slug": "qinglan-how-to-identify-important-data", "title": "How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan", "url": "https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data.md", "published": "2025-10-16T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "important-data", "data-classification", "cross-border", "dsl", "commentary" ], "laws_cited": [ "dsl", "csl", "network-data-security-regulations", "data-export-security-assessment-measures", "cross-border-data-flows-provisions" ], "domains": [ "data-security", "cross-border" ], "account": "qinglan-data", "description": "Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.", "original": { "title": "重要数据咋判断?这招\"邪修\"办法,小白也能看懂!", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/eAD9Zhd-cbA5umcLoU9rxA", "language": "zh" } }, { "slug": "qinglan-what-is-data-rules-and-compliance-primer", "title": "What Is Data, Really? — A Plain-Language Primer on Rules and Compliance", "url": "https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer.md", "published": "2025-08-28T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-fundamentals", "data-governance", "compliance-architecture", "commentary" ], "laws_cited": [ "dsl", "data-foundation-system-opinions" ], "domains": [ "data-economy", "data-security" ], "account": "qinglan-data", "description": "What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow.", "original": { "title": "数据的奇妙真相:从生活实例看它的真面目", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/Dn4hlPZUHJOuUkLYzoaGLA", "language": "zh" } }, { "slug": "qinglan-data-governance-management-compliance-disambiguation", "title": "Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation", "url": "https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation.md", "published": "2025-08-25T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-governance", "terminology", "dama", "compliance-architecture", "commentary" ], "laws_cited": [ "dsl", "data-foundation-system-opinions" ], "domains": [ "data-security", "data-economy" ], "account": "qinglan-data", "description": "Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice.", "original": { "title": "3分钟读懂数据治理、数据管理与数据合规", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/ylOsa9BV7m9nw3WMR037Wg", "language": "zh" } }, { "slug": "compliance-talker-ftz-negative-lists-important-data", "title": "FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data", "url": "https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data/", "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data.md", "published": "2025-08-12T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "cross-border", "important-data", "ftz-negative-list", "data-classification", "commentary" ], "laws_cited": [ "cross-border-data-flows-provisions", "data-export-security-assessment-measures", "dsl", "network-data-security-regulations" ], "domains": [ "cross-border", "data-security" ], "account": "compliance-talker", "description": "Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.", "original": { "title": "原创 || 我国自贸区相继发布数据出境负面清单,企业重要数据管理影响几何?", "author": "全球法律政策研究 (Global Legal Policy Research Team)", "publication": "合规小叨客", "url": "https://mp.weixin.qq.com/s/yZm01jMnCzMSsHBbUhYPGw", "language": "zh" } }, { "slug": "qinglan-what-data-registration-actually-confirms", "title": "What Does Data Registration Actually Confirm? — A Doctrinal Reading", "url": "https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms.md", "published": "2024-09-19T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-property-rights", "data-registration", "civil-law-doctrine", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "data-property-rights-registration-guide-draft", "public-data-registration-interim-measures" ], "domains": [ "data-economy", "enforcement" ], "account": "qinglan-data", "description": "Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel.", "original": { "title": "数据确权登记,谁给的勇气?", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/BApKX7i4F6BoWooj3-DxjQ", "language": "zh" } }, { "slug": "qinglan-on-exchange-vs-off-exchange-data-trading", "title": "On-Exchange vs. Off-Exchange Data Trading — A Uniquely Chinese Market Structure", "url": "https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading.md", "published": "2024-07-01T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-exchanges", "data-economy", "szdex", "market-structure", "commentary" ], "laws_cited": [ "data-foundation-system-opinions" ], "domains": [ "data-economy" ], "account": "qinglan-data", "description": "Why does China have data exchanges? Wang Qinglan's piece opens with an observation overseas readers will recognize: 'When you tell foreigners about China's on-exchange data trading market, you get blank stares — because exchange-organized data trading is uniquely Chinese.' The analogy she offers — Shenzhen Data Exchange is to data what the Shenzhen Stock Exchange is to securities — unlocks the architecture. Five tiers of trading venues by public-risk level. Three waves of Chinese data-exchange evolution. And the operational meaning of why on-exchange and off-exchange trading coexist.", "original": { "title": "场内数据交易一定比场外高贵吗?", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/2qNmM5uxUZkfqE3YCYZx8g", "language": "zh" } }, { "slug": "qinglan-what-is-traded-on-data-exchanges", "title": "What Is Actually Traded on China's Data Exchanges — A Bakery Metaphor", "url": "https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges.md", "published": "2024-05-28T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "data-economy", "data-trading", "data-products", "data-classification", "commentary" ], "laws_cited": [ "data-foundation-system-opinions", "common-data-terms-batch-1", "common-data-terms-batch-2", "public-data-authorized-operation-specifications" ], "domains": [ "data-economy" ], "account": "qinglan-data", "description": "Per the Shenzhen Provisional Measures for Data Trading Administration, four categories of object can be traded on a Chinese data exchange: data products, data services, data tools, and other regulator-approved objects. Wang Qinglan walks through what each means in plain language with a bakery metaphor — wheat (raw data) becomes flour (data resources) becomes cakes (data products); a baker is a data service; the oven is a data tool. The piece is useful precisely because it answers a question overseas teams rarely think to ask: what are the data exchanges actually selling?", "original": { "title": "数据交易,到底在交易什么?", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/xFM7nS_E0BoB272Im6Mciw", "language": "zh" } }, { "slug": "qinglan-public-data-credit-licensing-case", "title": "Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.", "url": "https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case/", "markdown_url": "https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case.md", "published": "2024-04-11T01:00:00.000Z", "author": "DCC Editorial", "featured": true, "tags": [ "public-data", "credit-reference", "authorized-operation", "case-study", "commentary" ], "laws_cited": [ "pipl", "public-data-registration-interim-measures", "public-data-authorized-operation-specifications" ], "domains": [ "personal-information", "data-economy", "enforcement" ], "account": "qinglan-data", "description": "A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.", "original": { "title": "案例分析 | 公共数据授权运营后提供给金融机构是否须取得征信业务资质?", "author": "王青兰 (Wang Qinglan)", "publication": "青兰数据观察", "url": "https://mp.weixin.qq.com/s/EOP5UAW6V3n1HRYW1KYPeg", "language": "zh" } } ], "laws": [ { "slug": "cs-joint-data-compliance-guide", "title_en": "China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter", "title_zh": "中国—新加坡联合数据合规指引:实务手册(中国篇)", "abbreviation": "CN-SG Joint Guide", "hierarchy": "handbook", "issuing_body": "Shenzhen Data Exchange · Asian Business Law Institute (Singapore) · Authority of Qianhai · Shenzhen Bureau of Justice", "effective_date": "2025-08-01", "status": "effective", "url": "https://datacompliancechina.com/laws/cs-joint-data-compliance-guide/", "markdown_url": "https://datacompliancechina.com/laws/cs-joint-data-compliance-guide.md", "related_laws": [], "domains": [ "data-security", "personal-information", "cross-border" ], "featured": true, "full_text_available": false, "summary": "A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime." }, { "slug": "data-export-security-assessment-measures", "title_en": "Measures for the Security Assessment of Data Export", "title_zh": "数据出境安全评估办法", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC)", "adopted_date": "2022-05-19", "effective_date": "2022-09-01", "status": "effective", "url": "https://datacompliancechina.com/laws/data-export-security-assessment-measures/", "markdown_url": "https://datacompliancechina.com/laws/data-export-security-assessment-measures.md", "related_laws": [ "pipl", "dsl", "cross-border-data-flows-provisions" ], "domains": [ "cross-border", "personal-information", "data-security" ], "featured": true, "full_text_available": true, "summary": "The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds." }, { "slug": "cii-protection-regulations", "title_en": "Security Protection Regulations for Critical Information Infrastructure", "title_zh": "关键信息基础设施安全保护条例", "abbreviation": "CII Regulations", "hierarchy": "regulation", "issuing_body": "State Council", "adopted_date": "2021-04-27", "effective_date": "2021-09-01", "status": "effective", "url": "https://datacompliancechina.com/laws/cii-protection-regulations/", "markdown_url": "https://datacompliancechina.com/laws/cii-protection-regulations.md", "related_laws": [ "csl", "network-data-security-regulations" ], "domains": [ "critical-information-infrastructure", "cybersecurity-review", "data-security" ], "featured": true, "full_text_available": true, "summary": "These Regulations operationalize the Critical Information Infrastructure (CII) regime under CSL Articles 31–39. They define CII identification rules, set out CIIO obligations (specialized security body, annual testing and risk assessment, security review of network products, breach reporting), and establish the inter-agency coordination structure under CAC + Ministry of Public Security." }, { "slug": "data-foundation-system-opinions", "title_en": "Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements", "title_zh": "中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见", "abbreviation": "Data Twenty Opinions", "hierarchy": "regulation", "issuing_body": "CPC Central Committee and State Council", "adopted_date": "2022-12-02", "effective_date": "2022-12-02", "status": "effective", "url": "https://datacompliancechina.com/laws/data-foundation-system-opinions/", "markdown_url": "https://datacompliancechina.com/laws/data-foundation-system-opinions.md", "related_laws": [], "domains": [ "data-economy", "data-security", "personal-information" ], "featured": false, "full_text_available": true, "summary": "The foundational 20-article policy directive jointly issued by the CPC Central Committee and the State Council laying out China's national data basic system: data property rights structural subdivision (holding right / processing right / operation right), classified-and-graded right confirmation for public/enterprise/personal data, the on-floor + over-the-counter trading framework, the income distribution mechanism for data elements, and a multi-party governance model. This is the policy text that informs subsequent national-level legislation and rules on data assets, public data, and data property rights registration." }, { "slug": "data-property-rights-registration-guide-draft", "title_en": "Data Property Rights Registration Work Guide (Trial) — Draft for Public Consultation", "title_zh": "数据产权登记工作指引(试行)(公开征求意见稿)", "hierarchy": "draft", "issuing_body": "National Data Administration (NDA), Comprehensive Department", "adopted_date": "2025-05-23", "status": "draft", "url": "https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft/", "markdown_url": "https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft.md", "related_laws": [ "pipl", "dsl", "civil-code-personal-info", "public-data-registration-interim-measures", "public-data-authorized-operation-specifications" ], "domains": [ "data-economy", "personal-information", "data-security" ], "featured": true, "full_text_available": true, "summary": "NDA's first comprehensive draft framework for the registration of Data Property Rights — the rights to hold, use, and operate data established under the Data 20 Articles policy. The Guide sets out registration institutions, registration procedure (application, acceptance, review, public announcement, evidence preservation, certificate issuance), the eight ownership-clarity rules that determine who can register which right over which data, the five registration types (initial, transfer, change, renewal, deregistration), and liability for institutions and applicants. Includes six annexed form templates and a 15-digit certificate coding scheme. Released by NDA Comprehensive Department for public consultation. DCC translation; this is a draft and is not yet in force." }, { "slug": "gbt-44297-public-security-video-data-items", "title_en": "GB/T 44297—2024 Data Items of Video and Image Information for Public Security", "title_zh": "GB/T 44297—2024 公共安全视频图像信息数据项", "abbreviation": "GB/T 44297—2024", "hierarchy": "standard", "issuing_body": "Standardization Administration of China (SAC) and State Administration for Market Regulation (SAMR), proposed by Ministry of Public Security (MPS)", "adopted_date": "2024-08-23", "effective_date": "2024-08-23", "status": "effective", "url": "https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items/", "markdown_url": "https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items.md", "related_laws": [ "public-security-video-image-system-regulations", "facial-recognition-technology-application-measures", "facial-recognition-judicial-interpretation" ], "domains": [ "personal-information", "enforcement" ], "featured": false, "full_text_available": false, "summary": "GB/T 44297—2024 is the national recommended standard that specifies the data items used in public-security video image information systems — the underlying field-level schema that camera systems, video platforms, and analysis tools use to describe and exchange video and image data. It applies to data exchange in networked public-security video applications. The standard catalogs more than twenty top-level data-item groups — covering camera information, system/platform information, equipment status, video clips, images, file objects, persons of interest, vehicles of interest, non-motor vehicles, items, scenes, events, regions, motion targets, subscriptions, feature vectors, organized data libraries, and real-time matching against reference lists — plus a set of normative code tables (Appendix D) used to encode the field values. The standard is technical reference material for system integrators and data engineers operating public-security video systems. Cross-reference to the *Administrative Regulation for Public Security Video Image Information Systems* (State Council Decree No. 799) and the *Facial Recognition Technology Application Measures* (CAC + MPS Decree No. 19), which set the legal duties; this standard tells operators what field-level data to capture and exchange in order to meet those duties." }, { "slug": "personal-info-standard-contract-measures", "title_en": "Measures on the Standard Contract for the Outbound Transfer of Personal Information", "title_zh": "个人信息出境标准合同办法", "abbreviation": "SCC Measures", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC)", "adopted_date": "2023-02-22", "effective_date": "2023-06-01", "status": "effective", "url": "https://datacompliancechina.com/laws/personal-info-standard-contract-measures/", "markdown_url": "https://datacompliancechina.com/laws/personal-info-standard-contract-measures.md", "related_laws": [ "pipl", "cross-border-data-flows-provisions", "data-export-security-assessment-measures", "cross-border-pi-certification-measures" ], "domains": [ "cross-border", "personal-information" ], "featured": true, "full_text_available": true, "summary": "The second of CAC's three cross-border transfer pathways: signing a CAC-prescribed Standard Contract with the overseas recipient and filing it with the provincial CAC. Used by handlers below the Security Assessment thresholds. The Measures establish eligibility criteria, the filing procedure, ongoing obligations after filing, and the CAC's right to invalidate the contract on the recipient side. The Standard Contract template itself is annexed." }, { "slug": "pipl", "title_en": "Personal Information Protection Law of the People's Republic of China", "title_zh": "中华人民共和国个人信息保护法", "abbreviation": "PIPL", "hierarchy": "law", "issuing_body": "National People's Congress Standing Committee", "adopted_date": "2021-08-20", "effective_date": "2021-11-01", "status": "effective", "url": "https://datacompliancechina.com/laws/pipl/", "markdown_url": "https://datacompliancechina.com/laws/pipl.md", "related_laws": [ "dsl", "csl", "civil-code-personal-info" ], "domains": [ "personal-information", "cross-border" ], "featured": true, "full_text_available": true, "summary": "PIPL is China's comprehensive personal-information protection regime. It is structured around the concept of the personal information handler — a Chinese-law term that should not be flattened to GDPR's data controller. PIPL governs consent, sensitive personal information, cross-border transfer, and the rights of individuals, with extraterritorial reach to handlers outside China that target domestic natural persons." }, { "slug": "facial-recognition-judicial-interpretation", "title_en": "Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information", "title_zh": "最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定", "abbreviation": "FRT Judicial Interpretation", "hierarchy": "judicial", "issuing_body": "Supreme People's Court", "adopted_date": "2021-06-08", "effective_date": "2021-08-01", "status": "effective", "url": "https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation/", "markdown_url": "https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation.md", "related_laws": [ "pipl", "civil-code-personal-info" ], "domains": [ "personal-information", "enforcement" ], "featured": true, "full_text_available": true, "summary": "The Supreme People's Court's interpretation of how civil courts should apply law in cases involving facial recognition. Defines what counts as 'processing facial information', enumerates conduct that infringes personality rights, addresses consent validity (mandatory consent through a service agreement is not valid), and sets out remedies and burden-of-proof allocation. Issued before PIPL took effect but designed to interoperate with PIPL's sensitive-personal-information regime." }, { "slug": "cross-border-data-flows-provisions", "title_en": "Provisions on Promoting and Regulating Cross-border Data Flows", "title_zh": "促进和规范数据跨境流动规定", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC)", "adopted_date": "2023-11-28", "effective_date": "2024-03-22", "status": "effective", "url": "https://datacompliancechina.com/laws/cross-border-data-flows-provisions/", "markdown_url": "https://datacompliancechina.com/laws/cross-border-data-flows-provisions.md", "related_laws": [ "pipl", "dsl", "network-data-security-regulations" ], "domains": [ "cross-border", "personal-information", "data-security" ], "featured": true, "full_text_available": true, "summary": "The 2024 Cross-border Data Flow Provisions are CAC's relaxation package on outbound data transfer. They introduce thresholds and exemptions for the security assessment, standard contract, and certification pathways, plus a free trade zone (FTZ) negative-list mechanism. For overseas counsel, this is the regulation that practically determines whether a routine cross-border transfer needs to clear formal CAC review or not." }, { "slug": "network-data-security-regulations", "title_en": "Regulation on Network Data Security Management", "title_zh": "网络数据安全管理条例", "hierarchy": "regulation", "issuing_body": "State Council", "adopted_date": "2024-08-30", "effective_date": "2025-01-01", "status": "effective", "url": "https://datacompliancechina.com/laws/network-data-security-regulations/", "markdown_url": "https://datacompliancechina.com/laws/network-data-security-regulations.md", "related_laws": [ "pipl", "dsl", "csl" ], "domains": [ "data-security", "personal-information", "cross-border", "critical-information-infrastructure" ], "featured": true, "full_text_available": true, "summary": "The Network Data Security Management Regulation is the State Council's overarching implementing regulation for the three foundational data-protection statutes (CSL, DSL, PIPL). It consolidates network-data security obligations, important-data identification and classification, cross-border transfer rules, security-incident reporting, and operator obligations for large data handlers and internet platforms. Promulgated as State Council Decree No. 790." }, { "slug": "personal-info-standard-contract-filing-guide", "title_en": "Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition)", "title_zh": "个人信息出境标准合同备案指南(第一版)", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC)", "adopted_date": "2023-05-30", "effective_date": "2023-05-30", "status": "effective", "url": "https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide/", "markdown_url": "https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide.md", "related_laws": [ "personal-info-standard-contract-measures", "pipl" ], "domains": [ "cross-border", "personal-information" ], "featured": false, "full_text_available": true, "summary": "CAC's procedural guide accompanying the SCC Measures. Specifies the filing materials required, where to file (provincial CAC), online filing system mechanics, materials acceptance and review timeline, and standardized templates for the power of attorney, the letter of commitment, the Standard Contract itself, and the Personal Information Protection Impact Assessment Report. Read together with the SCC Measures for the operational filing path." }, { "slug": "common-data-terms-batch-1", "title_en": "Explanation of Common Terms in the Field of Data (First Batch)", "title_zh": "数据领域常用名词解释(第一批)", "abbreviation": "Data Terms Batch 1", "hierarchy": "rule", "issuing_body": "National Data Administration", "adopted_date": "2024-12-30", "effective_date": "2024-12-30", "status": "effective", "url": "https://datacompliancechina.com/laws/common-data-terms-batch-1/", "markdown_url": "https://datacompliancechina.com/laws/common-data-terms-batch-1.md", "related_laws": [], "domains": [ "data-economy", "data-security" ], "featured": false, "full_text_available": true, "summary": "The first installment of official terminology explanations issued by the National Data Administration. Establishes authoritative Chinese government definitions for 40 foundational data-field concepts including data, primary data, data resources, data elements, data products and services, data assets, data handling, data handler, commissioned data handler, data circulation, data transaction, data governance, data security, public data, digital industrialization, industrial digitalization, metadata, structured/semi-structured/unstructured data, privacy-protective computation (secure multi-party computing, federated learning, trusted execution environment, cryptographic computing), and blockchain." }, { "slug": "common-data-terms-batch-2", "title_en": "Explanation of Common Terms in the Field of Data (Second Batch)", "title_zh": "数据领域常用名词解释(第二批)", "abbreviation": "Data Terms Batch 2", "hierarchy": "rule", "issuing_body": "National Data Administration", "adopted_date": "2025-03-29", "effective_date": "2025-03-29", "status": "effective", "url": "https://datacompliancechina.com/laws/common-data-terms-batch-2/", "markdown_url": "https://datacompliancechina.com/laws/common-data-terms-batch-2.md", "related_laws": [], "domains": [ "data-economy", "data-security" ], "featured": false, "full_text_available": true, "summary": "The second installment of official terminology explanations issued by the National Data Administration, continuing the consensus-building effort that began with the First Batch in December 2024. The 20 terms in this batch focus on data property rights vocabulary (Data Property Rights, Data Property Rights Registration, Right to Hold Data, Right to Use Data, Right to Operate Data, derived data, enterprise data); data trading institutions and market structure (data trading institution, on-exchange data trading, off-exchange data trading, data trading matching, data third-party professional service institution); the data industry and data labeling sub-industry; trusted data space and data use control; data infrastructure; and computing-power scheduling and pooling. DCC translation, cross-checked against the glossary for consistency with the public-data property-rights registration documents." }, { "slug": "cross-border-pi-certification-measures", "title_en": "Measures for the Certification of the Cross-border Provision of Personal Information", "title_zh": "个人信息出境认证办法", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR)", "adopted_date": "2025-07-21", "effective_date": "2026-01-01", "status": "effective", "url": "https://datacompliancechina.com/laws/cross-border-pi-certification-measures/", "markdown_url": "https://datacompliancechina.com/laws/cross-border-pi-certification-measures.md", "related_laws": [ "pipl", "cross-border-data-flows-provisions", "data-export-security-assessment-measures" ], "domains": [ "cross-border", "personal-information" ], "featured": true, "full_text_available": true, "summary": "The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways." }, { "slug": "personal-info-audit-measures", "title_en": "Administrative Measures for Personal Information Protection Compliance Audits", "title_zh": "个人信息保护合规审计管理办法", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC)", "adopted_date": "2024-05-20", "effective_date": "2025-05-01", "status": "effective", "url": "https://datacompliancechina.com/laws/personal-info-audit-measures/", "markdown_url": "https://datacompliancechina.com/laws/personal-info-audit-measures.md", "related_laws": [ "pipl", "network-data-security-regulations" ], "domains": [ "personal-information" ], "featured": false, "full_text_available": true, "summary": "These Measures implement the compliance-audit obligation in PIPL Article 54. Self-audit is required at least every two years for handlers of more than 10 million people's personal information; CAC-directed audits by a third-party specialized agency are triggered by significant risk, large-scale infringement, or major security incidents. The Measures are accompanied by a 27-section Guidelines annex that lays out exactly what auditors should examine — effectively a regulator-issued checklist for personal-information compliance." }, { "slug": "cybersecurity-review-measures", "title_en": "Cybersecurity Review Measures", "title_zh": "网络安全审查办法", "hierarchy": "rule", "issuing_body": "CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA)", "adopted_date": "2021-11-16", "effective_date": "2022-02-15", "status": "effective", "url": "https://datacompliancechina.com/laws/cybersecurity-review-measures/", "markdown_url": "https://datacompliancechina.com/laws/cybersecurity-review-measures.md", "related_laws": [ "csl", "dsl", "cii-protection-regulations" ], "domains": [ "cybersecurity-review", "critical-information-infrastructure", "cross-border" ], "featured": true, "full_text_available": true, "summary": "The 2021 update to the cybersecurity review regime, expanded after the Didi enforcement action. Applies to (i) CIIO procurement of network products/services that may affect national security, and (ii) network platforms holding personal information of more than one million users when seeking an overseas listing. Sets the procedure, factors considered, and outcomes (no-action, conditional approval, prohibition)." }, { "slug": "tc260-sensitive-pi-identification-guide", "title_en": "Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024)", "title_zh": "网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409)", "abbreviation": "TC260 Sensitive PI Guide", "hierarchy": "standard", "issuing_body": "Secretariat of the National Information Security Standardization Technical Committee (TC260)", "effective_date": "2024-09-01", "status": "effective", "url": "https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide/", "markdown_url": "https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide.md", "related_laws": [ "pipl", "facial-recognition-judicial-interpretation", "facial-recognition-technology-application-measures" ], "domains": [ "personal-information" ], "featured": false, "full_text_available": false, "summary": "TC260's September 2024 practice guide for identifying sensitive personal information under PIPL Article 28. Sets out a four-rule identification framework — damage to personal dignity, to personal safety, to property safety, and aggregation effects — and lists eight common categories of sensitive personal information with illustrative examples in Appendix A. The guide is not a mandatory standard; it is advisory practice guidance issued by the TC260 Secretariat to help organizations operationalize PIPL's sensitive-PI regime. Practical reference for handlers performing the PIPIA required by PIPL Article 55(I) before processing sensitive personal information." }, { "slug": "dsl", "title_en": "Data Security Law of the People's Republic of China", "title_zh": "中华人民共和国数据安全法", "abbreviation": "DSL", "hierarchy": "law", "issuing_body": "National People's Congress Standing Committee", "adopted_date": "2021-06-10", "effective_date": "2021-09-01", "status": "effective", "url": "https://datacompliancechina.com/laws/dsl/", "markdown_url": "https://datacompliancechina.com/laws/dsl.md", "related_laws": [ "pipl", "csl" ], "domains": [ "data-security", "cross-border" ], "featured": true, "full_text_available": true, "summary": "The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval." }, { "slug": "minors-online-protection-regulations", "title_en": "Regulations on the Protection of Minors in Cyberspace", "title_zh": "未成年人网络保护条例", "hierarchy": "regulation", "issuing_body": "State Council", "adopted_date": "2023-09-20", "effective_date": "2024-01-01", "status": "effective", "url": "https://datacompliancechina.com/laws/minors-online-protection-regulations/", "markdown_url": "https://datacompliancechina.com/laws/minors-online-protection-regulations.md", "related_laws": [ "pipl", "csl" ], "domains": [ "minors-protection", "personal-information", "app-compliance" ], "featured": true, "full_text_available": true, "summary": "Implementing regulation for the protection of minors under PIPL and CSL. Covers age-appropriate content, online education, addiction-prevention regimes for video games and short videos, sensitive personal information of minors (under 14), parental consent mechanisms, and platform obligations for products targeting or accessible to minors." }, { "slug": "csl", "title_en": "Cybersecurity Law of the People's Republic of China (2025 Amendment)", "title_zh": "中华人民共和国网络安全法(2025 修正)", "abbreviation": "CSL", "hierarchy": "law", "issuing_body": "National People's Congress Standing Committee", "adopted_date": "2016-11-07", "effective_date": "2017-06-01", "status": "amended", "url": "https://datacompliancechina.com/laws/csl/", "markdown_url": "https://datacompliancechina.com/laws/csl.md", "related_laws": [ "pipl", "dsl" ], "domains": [ "data-security", "critical-information-infrastructure", "personal-information" ], "featured": true, "full_text_available": true, "summary": "The Cybersecurity Law is the earliest of the three foundational data-protection statutes. It establishes the Multi-Level Protection Scheme (MLPS), the Critical Information Infrastructure regime, network-operator obligations, and the cybersecurity review framework. The current text incorporates the 2025 amendment, which takes effect January 1, 2026." }, { "slug": "genai-services-interim-measures", "title_en": "Interim Measures for the Management of Generative Artificial Intelligence Services", "title_zh": "生成式人工智能服务管理暂行办法", "hierarchy": "rule", "issuing_body": "CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA)", "adopted_date": "2023-05-23", "effective_date": "2023-08-15", "status": "effective", "url": "https://datacompliancechina.com/laws/genai-services-interim-measures/", "markdown_url": "https://datacompliancechina.com/laws/genai-services-interim-measures.md", "related_laws": [ "pipl", "deep-synthesis-provisions", "algorithmic-recommendation-provisions" ], "domains": [ "ai-governance" ], "featured": true, "full_text_available": true, "summary": "China's flagship generative-AI regulation — the first comprehensive national regulation of GenAI services anywhere in the world. Covers content compliance, training data quality, personal-information handling, security assessment and algorithm filing, real-name verification, and labeling. Applies to GenAI services provided to the Chinese public; some obligations are conditioned on consumer-facing deployment." }, { "slug": "government-data-sharing-regulations", "title_en": "Regulations on the Sharing of Government Data", "title_zh": "政务数据共享条例", "hierarchy": "regulation", "issuing_body": "State Council", "adopted_date": "2025-05-09", "effective_date": "2025-08-01", "status": "effective", "url": "https://datacompliancechina.com/laws/government-data-sharing-regulations/", "markdown_url": "https://datacompliancechina.com/laws/government-data-sharing-regulations.md", "related_laws": [ "dsl", "network-data-security-regulations" ], "domains": [ "data-security", "personal-information" ], "featured": false, "full_text_available": true, "summary": "The first comprehensive State Council regulation specifically governing the sharing of government data across agencies. Establishes the unified national government-data sharing platform, defines responsibilities of the National Data Administration, sets data quality and security requirements, and addresses personal-information and important-data handling within the government-data context." }, { "slug": "civil-code-personal-info", "title_en": "Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information", "title_zh": "中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章", "abbreviation": "Civil Code (PI Chapter)", "hierarchy": "law", "issuing_body": "National People's Congress", "adopted_date": "2020-05-28", "effective_date": "2021-01-01", "status": "effective", "url": "https://datacompliancechina.com/laws/civil-code-personal-info/", "markdown_url": "https://datacompliancechina.com/laws/civil-code-personal-info.md", "related_laws": [ "pipl" ], "domains": [ "personal-information" ], "featured": false, "full_text_available": true, "summary": "Articles 1032–1039 of the Civil Code's Personality Rights Book establish the civil-law foundation for privacy and personal-information protection in China. The chapter defines the right of privacy, the scope of personal information, principles for handling, statutory defenses, individuals' rights of access and correction, processor obligations, and confidentiality duties of State organs. Civil-law remedies under this chapter operate alongside the public-law PIPL regime — neither displaces the other." }, { "slug": "algorithmic-recommendation-provisions", "title_en": "Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services", "title_zh": "互联网信息服务算法推荐管理规定", "hierarchy": "rule", "issuing_body": "CAC, MIIT, MPS, SAMR", "adopted_date": "2021-11-16", "effective_date": "2022-03-01", "status": "effective", "url": "https://datacompliancechina.com/laws/algorithmic-recommendation-provisions/", "markdown_url": "https://datacompliancechina.com/laws/algorithmic-recommendation-provisions.md", "related_laws": [ "pipl", "dsl", "deep-synthesis-provisions" ], "domains": [ "algorithm-recommendation", "ai-governance", "personal-information" ], "featured": true, "full_text_available": true, "summary": "The first comprehensive Chinese regulation of recommendation algorithms. Establishes the algorithm filing regime, requires opt-out mechanisms, regulates personalized pricing and targeted advertising, sets special protections for minors and the elderly, and bans practices like price discrimination based on user characteristics. Applies to all algorithmic recommendation services available to the Chinese public." }, { "slug": "internet-information-services-measures", "title_en": "Administrative Measures for Internet Information Services (2024 Revision)", "title_zh": "互联网信息服务管理办法(2024 修订)", "hierarchy": "regulation", "issuing_body": "State Council", "adopted_date": "2024-12-06", "effective_date": "2025-01-20", "status": "effective", "url": "https://datacompliancechina.com/laws/internet-information-services-measures/", "markdown_url": "https://datacompliancechina.com/laws/internet-information-services-measures.md", "related_laws": [ "csl", "pipl" ], "domains": [ "data-security", "personal-information" ], "featured": false, "full_text_available": true, "summary": "The foundational regulation of Internet Information Services (ICP) in China — the regulatory baseline beneath nearly every later data-protection rule. Establishes the ICP licensing regime (operational vs. non-operational), platform compliance obligations, content management, and the role of telecommunications and cyberspace administrative authorities. The 2024 revision aligns the regulation with CSL, DSL, PIPL, and the post-2022 platform rules." }, { "slug": "anti-telecom-fraud-law", "title_en": "Anti-Telecom and Online Fraud Law of the People's Republic of China", "title_zh": "中华人民共和国反电信网络诈骗法", "abbreviation": "ATFL", "hierarchy": "law", "issuing_body": "National People's Congress Standing Committee", "status": "effective", "url": "https://datacompliancechina.com/laws/anti-telecom-fraud-law/", "markdown_url": "https://datacompliancechina.com/laws/anti-telecom-fraud-law.md", "related_laws": [ "pipl", "csl" ], "domains": [ "personal-information", "enforcement" ], "featured": false, "full_text_available": false }, { "slug": "deep-synthesis-provisions", "title_en": "Provisions on the Administration of Deep Synthesis of Internet Information Services", "title_zh": "互联网信息服务深度合成管理规定", "hierarchy": "rule", "issuing_body": "CAC, MIIT, MPS", "adopted_date": "2022-11-03", "effective_date": "2023-01-10", "status": "effective", "url": "https://datacompliancechina.com/laws/deep-synthesis-provisions/", "markdown_url": "https://datacompliancechina.com/laws/deep-synthesis-provisions.md", "related_laws": [ "pipl", "algorithmic-recommendation-provisions", "genai-services-interim-measures" ], "domains": [ "ai-governance", "algorithm-recommendation" ], "featured": false, "full_text_available": true, "summary": "Regulates deepfakes and AI-driven content synthesis — the precursor to the GenAI Measures and the AI Content Labeling Measures. Requires real-name verification, content moderation, prominent labeling of synthesized content, prohibits use for fraud or disinformation, and establishes the deep synthesis service algorithm filing regime." }, { "slug": "public-security-video-image-system-regulations", "title_en": "Administrative Regulation for Public Security Video Image Information Systems", "title_zh": "公共安全视频图像信息系统管理条例", "abbreviation": "PVISR", "hierarchy": "regulation", "issuing_body": "State Council", "adopted_date": "2024-12-16", "effective_date": "2025-04-01", "status": "effective", "url": "https://datacompliancechina.com/laws/public-security-video-image-system-regulations/", "markdown_url": "https://datacompliancechina.com/laws/public-security-video-image-system-regulations.md", "related_laws": [ "pipl", "csl", "facial-recognition-judicial-interpretation" ], "domains": [ "personal-information", "enforcement" ], "featured": true, "full_text_available": true, "summary": "The State Council's overarching regulation for public security video image information systems (公共安全视频系统) in public places. Distinguishes three operator types: government-led, public-private partnership, and private-led, and applies graduated obligations depending on the operator type. Implements PIPL Article 26 for video-image capture in public places, including filing obligations, mandatory signage, retention, and security duties. Read with the 2025 FRT Measures (Decree No. 19) for facial-recognition deployments." }, { "slug": "ai-content-labeling-measures", "title_en": "Measures for the Labeling of AI-Generated and Composed Content", "title_zh": "人工智能生成合成内容标识办法", "hierarchy": "rule", "issuing_body": "CAC, MIIT, MPS, NRTA", "adopted_date": "2025-03-07", "effective_date": "2025-09-01", "status": "effective", "url": "https://datacompliancechina.com/laws/ai-content-labeling-measures/", "markdown_url": "https://datacompliancechina.com/laws/ai-content-labeling-measures.md", "related_laws": [ "genai-services-interim-measures", "deep-synthesis-provisions" ], "domains": [ "ai-governance" ], "featured": false, "full_text_available": true, "summary": "The newest of China's AI rules — mandatory labeling for AI-generated and AI-composed content, including text, images, audio, video, and virtual scenes. Distinguishes between 'visible/audible labels' (for end users) and 'implicit labels' (metadata/watermarks for platforms). Applies to all platforms providing GenAI or deep synthesis services in China, with corresponding obligations on app stores and content distribution platforms." }, { "slug": "ai-anthropomorphic-interaction-measures", "title_en": "Interim Measures for the Management of AI Anthropomorphic Interaction Services", "title_zh": "人工智能拟人化互动服务管理暂行办法", "hierarchy": "rule", "issuing_body": "CAC, NDRC, MIIT, MPS, SAMR", "adopted_date": "2026-04-10", "effective_date": "2026-07-15", "status": "effective", "url": "https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures/", "markdown_url": "https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures.md", "related_laws": [ "pipl", "genai-services-interim-measures", "deep-synthesis-provisions", "algorithmic-recommendation-provisions" ], "domains": [ "ai-governance", "personal-information" ], "featured": true, "full_text_available": true, "summary": "China's first regulation specifically targeting AI 'anthropomorphic interaction' — services where users converse with AI personas (virtual companions, chatbot relationships, character AI). Establishes registration requirements, age-verification and minor-protection obligations, mandatory disclaimers that users are interacting with AI, content moderation duties, and prohibitions on exploiting emotional vulnerabilities. Effective July 15, 2026. The first such regime globally." }, { "slug": "foreign-investment-security-review-measures", "title_en": "Measures for the Security Review of Foreign Investments", "title_zh": "外商投资安全审查办法", "abbreviation": "FISR Measures", "hierarchy": "rule", "issuing_body": "National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM)", "adopted_date": "2020-11-27", "effective_date": "2021-01-18", "status": "effective", "url": "https://datacompliancechina.com/laws/foreign-investment-security-review-measures/", "markdown_url": "https://datacompliancechina.com/laws/foreign-investment-security-review-measures.md", "related_laws": [ "pipl", "dsl", "csl", "cybersecurity-review-measures" ], "domains": [ "cross-border", "cybersecurity-review" ], "featured": true, "full_text_available": true, "summary": "The Foreign Investment Security Review (FISR) Measures govern review of foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The test for the security review's bite is actual control — defined broadly to include >50% equity, voting-share thresholds, and other circumstances that materially influence operational decisions, personnel, finance, or technology. These Measures were the legal basis for the April 2026 ban on the Meta–Manus acquisition." }, { "slug": "facial-recognition-technology-application-measures", "title_en": "Administrative Measures for the Application Security of Facial Recognition Technology", "title_zh": "人脸识别技术应用安全管理办法", "abbreviation": "FRT Measures", "hierarchy": "rule", "issuing_body": "Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS)", "adopted_date": "2024-09-30", "effective_date": "2025-06-01", "status": "effective", "url": "https://datacompliancechina.com/laws/facial-recognition-technology-application-measures/", "markdown_url": "https://datacompliancechina.com/laws/facial-recognition-technology-application-measures.md", "related_laws": [ "pipl", "dsl", "csl", "network-data-security-regulations", "public-security-video-image-system-regulations", "facial-recognition-judicial-interpretation" ], "domains": [ "personal-information", "ai-governance", "enforcement" ], "featured": true, "full_text_available": true, "summary": "The dedicated CAC + MPS rule for facial-recognition technology applications, implementing PIPL Articles 26 and 28–32 and the Civil Code privacy chapter. Covers the three governing principles of minimum-use, voluntary choice, and minimum-storage; the filing regime for processors handling face data of more than 100,000 persons; mandatory PIPIA, signage, prohibition on FRT in private spaces (changing rooms, bathrooms, hotel rooms); preference for authoritative ID-verification channels over independent FRT collection; and the inter-agency coordination structure under CAC + MPS." }, { "slug": "public-data-registration-interim-measures", "title_en": "Interim Measures for the Registration and Administration of Public Data Resources", "title_zh": "公共数据资源登记管理暂行办法", "hierarchy": "rule", "issuing_body": "National Development and Reform Commission (NDRC) and National Data Administration (NDA)", "adopted_date": "2025-01-08", "effective_date": "2025-03-01", "status": "effective", "url": "https://datacompliancechina.com/laws/public-data-registration-interim-measures/", "markdown_url": "https://datacompliancechina.com/laws/public-data-registration-interim-measures.md", "related_laws": [ "pipl", "dsl", "csl", "network-data-security-regulations" ], "domains": [ "data-economy", "data-security" ], "featured": true, "full_text_available": true, "summary": "The Interim Measures establish a nationally unified registration system for public data resources — data collections produced by Party and government organs and public institutions in the course of performing statutory duties or providing public services. Registration is mandatory for public data resources that fall within authorized-operation scope; voluntary registration is encouraged for other public data resources and for data products and services derived from them. The Measures set the registration procedure (application, acceptance, formal review, public announcement, code issuance), define four registration types (initial, change, correction, deregistration), establish a three-year validity period with renewal, and provide for graded supervision under NDA's overall administration. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists." }, { "slug": "public-data-authorized-operation-specifications", "title_en": "Implementation Specifications for Authorized Operation of Public Data Resources (Trial)", "title_zh": "公共数据资源授权运营实施规范(试行)", "hierarchy": "rule", "issuing_body": "National Development and Reform Commission (NDRC) and National Data Administration (NDA)", "adopted_date": "2025-01-08", "effective_date": "2025-03-01", "status": "effective", "url": "https://datacompliancechina.com/laws/public-data-authorized-operation-specifications/", "markdown_url": "https://datacompliancechina.com/laws/public-data-authorized-operation-specifications.md", "related_laws": [ "pipl", "dsl", "csl", "network-data-security-regulations", "public-data-registration-interim-measures" ], "domains": [ "data-economy", "data-security" ], "featured": true, "full_text_available": true, "summary": "Companion rule to the Public Data Registration Interim Measures (also NDRC + NDA, January 2025). The Specifications establish the framework for 'authorized operation' (授权运营) of public data resources — the mechanism by which governments at and above the county level, and national sectoral authorities, can authorize qualified operating institutions to develop and operationalize public data resources, deliver data products and services to the market, and share in the revenue. Covers implementing institutions, operating institutions, the implementation plan, the agreement, supervision, anti-monopoly and security duties. The Operating-institution authorization period is capped at five years. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists." } ], "accounts": [ { "slug": "compliance-talker", "name_zh": "合规小叨客", "name_en": "Compliance Talker", "name_pinyin": "Hegui Xiaodaoke", "type": "kol", "wechat_id": "AllAboutCompliance", "priority": 2, "short_description": "A private compliance media account branding itself as 'China's most professional compliance public account.' Covers data compliance, anti-bribery, export controls, and other compliance verticals from a Chinese-practitioner perspective." }, { "slug": "data-he-gui", "name_zh": "数据何规", "name_en": "What Rules for Data", "name_pinyin": "Shuju Hegui", "type": "research", "wechat_id": "PIPL2021", "priority": 1, "short_description": "A high-volume daily aggregator and curator of Chinese privacy and AI-regulatory news (账号定位 '每日多次更新隐私、AI监管动态'). Reposts substantive practitioner pieces from law firms, scholars, and official channels with editor notes flagging the most operationally relevant items." }, { "slug": "dejyfz", "name_zh": "数字经济与法治", "name_en": "Digital Economy and Rule of Law", "name_pinyin": "Shuzi Jingji yu Fazhi", "type": "academic", "wechat_id": "DLTRL2019", "priority": 1, "short_description": "An academic-tier WeChat channel reposting peer-reviewed law-journal articles on Chinese digital economy and data law. The 学术| (Academic) column carries pieces from《法学家》《政治与法律》《政法论坛》《财经法学》and other top-tier Chinese legal journals, authored by law-school faculty at PKU, Tsinghua, Renmin University, China University of Political Science and Law, CASS, and other leading institutions." }, { "slug": "miit-weibao", "name_zh": "工信微报", "name_en": "MIIT Micro-Bulletin", "name_pinyin": "Gongxin Weibao", "type": "official", "affiliation": "Ministry of Industry and Information Technology (MIIT)", "wechat_id": "zhongguogongxin", "priority": 1, "short_description": "Official WeChat channel of the Ministry of Industry and Information Technology (MIIT, 工业和信息化部) — the central regulator for telecom, internet, and mobile-app personal-information protection. Carries the agency's batched public-naming enforcement notices (APP / SDK 侵害用户权益通报), regulatory announcements, and policy briefings issued by MIIT's Information & Communications Administration Bureau (信息通信管理局)." }, { "slug": "ndb", "name_zh": "国家数据局", "name_en": "National Data Administration", "name_pinyin": "Guojia Shuju Ju", "type": "official", "affiliation": "State Council (administered by NDRC)", "wechat_id": "guojiashujuju", "priority": 1, "short_description": "Official WeChat channel of the National Data Administration (NDA, 国家数据局) — the State Council body established October 2023 to oversee China's data infrastructure planning, data-element market construction, and data-resource integration. Posts include policy interpretations of the Data 20 Articles, rulemaking notices, and the agency's own commentary on data-property-rights design." }, { "slug": "qinglan-data", "name_zh": "青兰数据观察", "name_en": "Qinglan Data Observation", "name_pinyin": "Qinglan Shuju Guancha", "type": "kol", "wechat_id": "Wang-Qinglan", "priority": 2, "short_description": "A single-author observation column on Chinese data compliance and the data-element market — practical, plain-language commentary on legal practice, regulatory developments, and data-element market structure from a data-exchange compliance lead." }, { "slug": "renmin-tribune", "name_zh": "人民论坛", "name_en": "People's Tribune", "name_pinyin": "Renmin Luntan", "type": "academic", "affiliation": "People's Daily Publishing Group", "priority": 2, "short_description": "State-affiliated theoretical and policy journal under the People's Daily Publishing Group. Publishes academic and policy commentary by scholars on governance, law, and economic-system topics, including a sustained 'Frontier' (前沿) column on emerging legal and policy questions. Print and web editions." }, { "slug": "sansuo-data-security", "name_zh": "三所数据安全", "name_en": "TRIMPS Data Security", "name_pinyin": "Sansuo Shuju Anquan", "type": "official-research", "affiliation": "The Third Research Institute of the Ministry of Public Security (公安部第三研究所)", "priority": 1, "short_description": "The data-security technical channel of the Third Research Institute of the Ministry of Public Security (公安部第三研究所 / TRIMPS) — the Shanghai-based MPS institute that anchors China's cybersecurity classified-protection (等保) regime, the national eID / CTID network-identity platform, and a large share of the country's data-security technical standards work. The 数安观察 (Data Security Observation) column carries technical-legal analysis from the institute's Data Security Technology R&D Center." }, { "slug": "shenzhen-data-exchange", "name_zh": "深圳数据交易所", "name_en": "Shenzhen Data Exchange", "name_pinyin": "Shenzhen Shuju Jiaoyisuo", "type": "industry", "affiliation": "Shenzhen Data Exchange (state-backed data trading venue)", "priority": 1, "short_description": "One of China's principal state-backed data trading venues, and the most active institutional voice on data-element-market compliance. Its DEXC+ (Data Exchange Compliance+) program runs a think tank, a data-exchange-compliance-officer (DEXCO) credential, and a compliance-law-firm pool (DEXCA). The DEXC+ column publishes deep practitioner analysis on data property rights, registration, and trading compliance." }, { "slug": "wangan-xunluren", "name_zh": "网安寻路人", "name_pinyin": "Wang'an Xunluren", "type": "kol", "wechat_id": "DataProtection101", "priority": 1 }, { "slug": "xu-ke", "name_zh": "许可", "name_en": "Xu Ke", "name_pinyin": "Xu Ke", "type": "academic", "affiliation": "University of International Business and Economics (UIBE) — Director, Center for Digital Economy and Legal Innovation", "priority": 1, "short_description": "Xu Ke is a professor at the University of International Business and Economics (UIBE) Law School and director of its Center for Digital Economy and Legal Innovation — one of the most influential and widely-cited data-law scholars in China. His work spans data-rights theory, the data-property-rights framework, anonymization, and the financialization of data assets. Published across the top Chinese law journals (《政法论坛》《财经法学》and others)." } ], "domains": [ { "slug": "ai-governance", "name": "AI Governance", "name_zh": "人工智能治理", "description": "Rules and standards for generative AI services, deep synthesis, content labeling, and AI ethics in China.", "url": "https://datacompliancechina.com/domains/ai-governance/" }, { "slug": "algorithm-recommendation", "name": "Algorithmic Recommendation", "name_zh": "算法推荐", "description": "Regulation of recommendation algorithms, user profiling, and the filing regime for algorithmic services.", "url": "https://datacompliancechina.com/domains/algorithm-recommendation/" }, { "slug": "app-compliance", "name": "App Compliance", "name_zh": "App 合规", "description": "Mobile app personal-information collection rules, the necessary-information catalogue, SDK compliance, and app store removal.", "url": "https://datacompliancechina.com/domains/app-compliance/" }, { "slug": "critical-information-infrastructure", "name": "Critical Information Infrastructure", "name_zh": "关键信息基础设施", "description": "Identification and protection obligations for CII operators (CIIO) under CSL and the CII Protection Regulations.", "url": "https://datacompliancechina.com/domains/critical-information-infrastructure/" }, { "slug": "cross-border", "name": "Cross-Border Data", "name_zh": "数据跨境", "description": "Rules governing the transfer of personal information and important data outside mainland China — including the security assessment, standard contract, and certification pathways.", "url": "https://datacompliancechina.com/domains/cross-border/" }, { "slug": "cybersecurity-review", "name": "Cybersecurity Review", "name_zh": "网络安全审查", "description": "The cybersecurity review regime for critical information infrastructure operators and large data processors — including overseas listings.", "url": "https://datacompliancechina.com/domains/cybersecurity-review/" }, { "slug": "data-economy", "name": "Data Economy", "name_zh": "数据要素与数据产权", "description": "China's emerging regulatory framework for treating data as an economic factor of production — public-data resources, data-property rights, data-asset registration, and the rules governing how data can be authorized for operation, traded, and circulated. Distinct from data security and personal-information protection, this domain tracks the rules that turn data into a tradeable asset.", "url": "https://datacompliancechina.com/domains/data-economy/" }, { "slug": "data-security", "name": "Data Security", "name_zh": "数据安全", "description": "Data classification and grading, important data, core data, and the broader data security regime under DSL.", "url": "https://datacompliancechina.com/domains/data-security/" }, { "slug": "enforcement", "name": "Enforcement", "name_zh": "执法与处罚", "description": "Public enforcement actions by Chinese data regulators — MIIT's batched APP / SDK public-naming bulletins, CAC administrative penalties, MPS criminal-tier enforcement, regulatory interviews (约谈), app-store removals, and other published actions. DCC tracks these as the operational edge of the regime: they show what the regulator actually polices, in what cadence, against what targets, citing which legal bases.", "url": "https://datacompliancechina.com/domains/enforcement/" }, { "slug": "minors-protection", "name": "Minors Protection", "name_zh": "未成年人保护", "description": "Personal information of children and minors, gaming time limits, age-verification requirements, and the Minors Online Protection Regulations.", "url": "https://datacompliancechina.com/domains/minors-protection/" }, { "slug": "personal-information", "name": "Personal Information", "name_zh": "个人信息保护", "description": "Core personal-information protection regime under PIPL — consent, lawful bases, sensitive personal information, and the rights of individuals.", "url": "https://datacompliancechina.com/domains/personal-information/" } ], "glossary_sections": [ { "index": 1, "slug": "data-types", "title_en": "Data Types", "title_zh": "数据类型", "term_count": 27 }, { "index": 2, "slug": "data-processing-and-compliance-management", "title_en": "Data Processing & Compliance Management", "title_zh": "数据处理与合规管理", "term_count": 74 }, { "index": 3, "slug": "cross-border-data-flow", "title_en": "Cross-Border Data Flow", "title_zh": "数据出境", "term_count": 26 }, { "index": 4, "slug": "data-property-rights-and-trading", "title_en": "Data Property Rights & Trading", "title_zh": "数据产权与交易", "term_count": 55 }, { "index": 5, "slug": "key-laws-and-regulations", "title_en": "Key Laws & Regulations", "title_zh": "法律法规", "term_count": 26 }, { "index": 6, "slug": "regulators-and-authorities", "title_en": "Regulators & Authorities", "title_zh": "监管机构", "term_count": 30 }, { "index": 7, "slug": "cybersecurity-and-critical-information-infrastructure", "title_en": "Cybersecurity & Critical Information Infrastructure", "title_zh": null, "term_count": 16 }, { "index": 8, "slug": "ai-and-algorithms", "title_en": "AI & Algorithms", "title_zh": null, "term_count": 28 }, { "index": 9, "slug": "enforcement-procedure-and-liability", "title_en": "Enforcement, Procedure & Liability", "title_zh": "执法、程序与责任", "term_count": 17 }, { "index": 10, "slug": "document-types-and-regulatory-format", "title_en": "Document Types & Regulatory Format", "title_zh": "文件类型与立法体例", "term_count": 23 }, { "index": 11, "slug": "data-economy-industry-and-infrastructure", "title_en": "Data Economy, Industry & Infrastructure", "title_zh": "数据经济、产业与基础设施", "term_count": 22 }, { "index": 12, "slug": "privacy-enhancing-and-data-engineering-technologies", "title_en": "Privacy-Enhancing & Data Engineering Technologies", "title_zh": "隐私计算与数据工程技术", "term_count": 17 } ] }