Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ BRIEFINGS · PAGE 09

Every brief.

The full run, most recent first.

  • § 49 · DATA-PROPERTY-RIGHTS

    Inside the Reviewer's Mind — A Compliance Guide to Data Property-Rights Registration at Shenzhen Data Exchange

    China's data property-rights registration (数据产权登记) regime has no single national rulebook yet, which makes the reviewer's checklist at the registrar level the operational baseline for any applicant. This brief summarises a practitioner guide by two compliance managers at Shenzhen Data Exchange (深圳数据交易所), explaining what registration reviewers actually scrutinise: whether the subject-matter falls within the platform's accepted scope; whether the applicant can substantiate entitlement to one or more of the three data-property rights (持有权 / 使用权 / 经营权); and whether the submitted materials are internally consistent and complete. The guide also clarifies common misconceptions about the 'three rights' structure — including why 'data ownership' is not a legally recognised concept and why holding-right does not automatically confer use-right or operating-right. For overseas counsel advising clients on data-asset registration, this is the clearest available account of how the first-mover registrar reads applications.

    data-property-rights · data-registration · data-economy
  • § 50 · PUBLIC-DATA

    Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack

    China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.

    public-data · data-economy · pipl
  • § 51 · PUBLIC-DATA

    Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model

    China's public-data authorized-operation regime (公共数据授权运营) is the primary route for enterprises to commercialise government-held data. A DEXC+ analysis by Yang Haoran maps the full compliance arc: what qualifies as public data, how it must be processed within a sandboxed platform, and what a data product needs to clear before it can be listed on an exchange. Drawing on the National Data Administration's draft Authorized-Operation Implementation Specifications and Shenzhen Data Exchange's own 3×4 dynamic-compliance framework — covering subject compliance, subject-matter compliance, and circulation compliance across legal, security, integrity, and rights dimensions — the brief gives overseas counsel a structured view of the obligations that attach at each stage of the public-data supply chain, from first authorisation to on-exchange listing.

    public-data · authorized-operation · data-trading
  • § 52 · DATA-TRADING

    Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange

    When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient.

    data-trading · surveying-data · geographic-information
  • § 53 · SENSITIVE-PERSONAL-INFORMATION

    Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice

    GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond.

    sensitive-personal-information · pipl · national-standard
  • § 54 · PIA

    The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products

    China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product.

    pia · personal-information-protection · data-trading
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.