Every brief.
The full run, most recent first.
- § 43 · AI-GOVERNANCE
Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI
Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.
- § 44 · ENFORCEMENT
MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse
MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.
- § 45 · DATA-PROPERTY-RIGHTS
NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself
The National Data Administration's official 政策解读 (policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules.
- § 46 · DATA-PROPERTY-RIGHTS
Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical
NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.
- § 47 · DATA-PROPERTY-RIGHTS
Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights
NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.
- § 48 · PUBLIC-DATA
Public Data Under Franchise and Concession Operations: Who Owns It and Can It Be Traded?
Infrastructure and public-utility operators in China — gas networks, urban parking, water systems, and similar franchise/concession (特许经营) businesses — generate data that falls within the statutory definition of 'public data.' That classification creates compliance questions that standard enterprise-data analysis does not answer: does a franchise agreement confer the right to process and sell that data, and under what conditions? Two Shenzhen Data Exchange compliance officers work through the asset-ownership and revenue-attribution routes for establishing data-use authority, flag the asset-transfer risk that attaches to API and dataset licensing, and explain why franchise-generated public data should not be silently assimilated into the authorised-operation (授权运营) model now being piloted across Chinese cities. The operational takeaway: amend legacy concession agreements to address data rights explicitly, and build the data-rights clause into every new franchise contract before signing.