Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ BRIEFINGS · PAGE 05

Every brief.

The full run, most recent first.

  • § 25 · DATA-PROPERTY-RIGHTS

    Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little

    Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.

    data-property-rights · data-holding-right · data-economy
  • § 26 · AI-GOVERNANCE

    China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One

    The Hangzhou Internet Court has decided China's first 'AI hallucination' (AI幻觉) tort case — written into the Supreme People's Court's 2026 work report to the NPC. A user asking a chatbot about college applications was told, across seven rounds, that a non-existent campus existed; when finally shown the official website, the model 'apologised' and 'promised' to pay ¥100,000, even generating a fake lawsuit template telling him to sue. He did. The court dismissed every claim and, in doing so, laid down the first judicial articulation of China's generative-AI liability framework: (1) an AI model is not a civil subject, so its 'promise' is no declaration of intent — and is not attributable to the provider either; (2) generative AI is a service, not a product, so fault liability under Civil Code Article 1165 applies, not product liability's no-fault rule under Article 1202; (3) there is no result-based duty to guarantee accuracy for ordinary inaccurate output — only a process duty of care (conspicuous AI-content labelling plus industry-standard accuracy measures), which the provider had discharged; and (4) no proven damage, no causation. For any company deploying GenAI to the Chinese public, this is the operating liability surface and the evidentiary playbook.

    ai-governance · genai · ai-hallucination
  • § 27 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification
  • § 28 · AI-GOVERNANCE

    Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short)

    A Chinese AI-law reading of Neumann, Sargeant and Singh's FAccT 2026 paper Prompt Governance? — and what it means for how China, the EU, and the US treat 'system prompts' as a regulatory object. Li Wenlong (科技利维坦) walks through the four-layer 'prompt stack' (system instructions → system guidelines → developer instructions → user prompts), five properties practitioners need to understand (layered, hidden, natural-language, malleable, loosely coupled to behaviour), and the comparative regulatory landscape: the EU GPAI Code of Practice requires signatories to disclose system prompts to regulators in model reports; the Trump EO 14319 / OMB M-26-04 stops at model / system / data cards and leaves system-prompt disclosure voluntary; the UK's AI Cybersecurity Code says effectively nothing. China's current GenAI safety regime (TC260-003 plus the GenAI Interim Measures) is output-evaluation-based — filing and pre-launch scoring, with no architectural hook into system prompts. Li predicts a Brussels Effect: system-prompt disclosure to regulators will become a global compliance baseline, analogous to the DPIA in data law. For overseas counsel: this is what is coming, what to start archiving now, and why 'what you write' in a system prompt is not 'what the model executes.'

    ai-governance · system-prompts · prompt-stack
  • § 29 · DATA-PLEDGE-FINANCING

    Data Pledge Financing in China: What Is Actually Being Pledged, and Where the Law Gets Stuck

    As Chinese banks and data exchanges experiment with data pledge financing (数据质押融资), a threshold question remains unresolved: what, legally, is being pledged? Chen Yiqian of Shenzhen Data Exchange walks through the two available routes under the Civil Code — chattel pledge (动产质权) and rights pledge (权利质权) — and the three operational problems that make chattel pledge difficult and the two doctrinal barriers that make rights pledge harder still. The analysis converges on a practical conclusion: chattel pledge via a third-party data custodian is the most workable path today, while data property rights and data intellectual-property rights both remain insufficiently legalised to support a reliable pledge. For overseas counsel advising on China data-asset financing, the gap between policy ambition and legal infrastructure is the central risk to price. Connects to the broader data property-rights registration project and the unresolved question of how data enters corporate balance sheets.

    data-pledge-financing · data-property-rights · data-as-asset
  • § 30 · CRITICAL-INFORMATION-INFRASTRUCTURE

    Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules

    China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.

    critical-information-infrastructure · important-data · data-security
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.