Every brief.
The full run, most recent first.
- § 49 · DATA-PROPERTY-RIGHTS
Inside the Reviewer's Mind — A Compliance Guide to Data Property-Rights Registration at Shenzhen Data Exchange
China's data property-rights registration (数据产权登记) regime has no single national rulebook yet, which makes the reviewer's checklist at the registrar level the operational baseline for any applicant. This brief summarises a practitioner guide by two compliance managers at Shenzhen Data Exchange (深圳数据交易所), explaining what registration reviewers actually scrutinise: whether the subject-matter falls within the platform's accepted scope; whether the applicant can substantiate entitlement to one or more of the three data-property rights (持有权 / 使用权 / 经营权); and whether the submitted materials are internally consistent and complete. The guide also clarifies common misconceptions about the 'three rights' structure — including why 'data ownership' is not a legally recognised concept and why holding-right does not automatically confer use-right or operating-right. For overseas counsel advising clients on data-asset registration, this is the clearest available account of how the first-mover registrar reads applications.
- § 50 · PUBLIC-DATA
Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack
China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.
- § 51 · PUBLIC-DATA
Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model
China's public-data authorized-operation regime (公共数据授权运营) is the primary route for enterprises to commercialise government-held data. A DEXC+ analysis by Yang Haoran maps the full compliance arc: what qualifies as public data, how it must be processed within a sandboxed platform, and what a data product needs to clear before it can be listed on an exchange. Drawing on the National Data Administration's draft Authorized-Operation Implementation Specifications and Shenzhen Data Exchange's own 3×4 dynamic-compliance framework — covering subject compliance, subject-matter compliance, and circulation compliance across legal, security, integrity, and rights dimensions — the brief gives overseas counsel a structured view of the obligations that attach at each stage of the public-data supply chain, from first authorisation to on-exchange listing.
- § 52 · DATA-TRADING
Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange
When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient.
- § 53 · SENSITIVE-PERSONAL-INFORMATION
Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice
GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond.
- § 54 · PIA
The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products
China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product.