Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little

Editor’s Note — DCC.

This is DCC’s summary and analysis — not a translation — of 《数据持有权的两条路径：三权完全切割 vs. 持有权母权化》, a study note by Hong Yanqing (洪延青) on his 网安寻路人 channel. Hong is one of China’s most-read data-law commentators; we have run his work before. The piece is a piece of legal theory, but a consequential one: it goes to how China’s “data property rights” actually allocate value, and therefore how data deals, licensing, and data-as-asset treatment should be structured. The original is linked at the foot of this brief; the framing for overseas counsel is ours.

The unstable middle of the “three rights”

China’s Opinions on Building the Basic Data Systems — the “Data Twenty Articles” (数据二十条) — set up a now-canonical structure that splits data property into three: the Right to Hold Data (数据持有权), the Right to Use Data (数据使用权), and the Right to Operate Data (数据经营权). Hong’s starting observation is that, of the three, the holding right has the least settled position. Two readings point in opposite directions:

• the official “complete separation” (三权完全切割), under which holding, use, and operation are independent modules that can each be held without the others; and
• a scholarly “mother-right” reconstruction (持有权母权化), under which holding is the foundational right and use and operation are carved out from within it.

His method is to refuse the compromise and instead “push each path to its end” (与其折中，不如将两条路径各自推理至尽头). The dispute, he argues, “is not a question of a right’s name, but a question of its position in the system” — and it turns entirely on one prior question: what is “holding” taken to mean?

Path 1 — official “complete separation”: holding shrinks to a lawful-control state

On the official reading, the three rights solve three different problems: the holding right protects “whose lawful control state should be protected”; the use right governs “who may process, analyse, and internally exploit”; the operation right governs “who may provide, license, transfer, contribute as capital, or pledge externally.” Crucially, having one does not entail having the others.

Hong then shows how much real-world practice already runs “use without holding” and “operation without holding”:

• Use without holding — privacy-preserving computation, trusted execution environments, secure multi-party computation, and federated learning (the user never takes the raw data, only outputs, model parameters, or verification results); data sandboxes and “data safes”; and API calls (the caller gets a result, not a copy it can store, migrate, or re-license).
• Operation without holding — agency licensing or entrusted operation (a data broker markets and licenses while the data stays in the rights-holder’s system); data trust / custody structures that split management-and-disposition from technical custody; and data capital-contribution, pledge, or revenue-right financing (the financing targets the utilisation interest, not the bare fact of storage).

If use and operation can each stand free of holding, then — once they are carved away — what is left of the holding right itself? Hong’s answer: not much beyond a “lawful control state” (合法控制状态), or “a legally recognised data holding.” As he puts it, the point of cloud custody, sandboxes, API calls, and pipes is precisely to let “holding” appear on its own — and what it shows is that “narrow holding is just holding” (狭义持有只是持有).

The defensive content is already covered — against the world

The only content that could give that bare holding state the flavour of a right is defensive: that others may not unlawfully steal, tamper with, leak, or destroy the data held. Hong’s central move is to show that this defence is already heavily provided by behavioural norms, and largely with erga omnes (对世) effect that does not depend on any contract:

• PIPL Article 10 bars any organisation or individual from unlawfully collecting, using, processing, transmitting, trading, providing, or publicising others’ personal information;
• DSL Article 32 requires data to be collected lawfully and bars theft or other illegal acquisition;
• the Regulation on Network Data Security Management bars stealing or illegally acquiring network data and requires encryption, backup, access control, and authentication.

He then splits “someone else obtains the data” into three cells:

1. Theft / intrusion / illegal acquisition — already inside the range of the norms above (plus criminal and administrative law). Illegality here does not require first proving a complete holding right.
2. Lawful collection from public or semi-public sources — here data’s non-exclusivity and circulation value should be respected; he cites SPC Guiding Case No. 264, which says non-secret, non-personal, non-trade-secret data should be allowed to flow freely to avoid “data barriers.” A holding right has no exclusionary force in this cell.
3. Public data taken by improper means — circumventing technical measures, breaching terms of service, free-riding — addressed directly by Article 13 of the Anti-Unfair Competition Law, which bars operators from obtaining or using other operators’ lawfully held data through improper means.

Cell 3 looks like the holding right’s best case, because AUCL Article 13 protects “lawfully held data.” But Hong’s sharpest point is that the holding right does not supply the test of illegality — the judgment of “improper” comes from the AUCL, contract, platform rules, anti-circumvention rules, and data-security norms. “The holding right does not tell us which means of acquisition are unlawful,” he writes; “it merely re-describes, as an infringement of ‘holding,’ conduct that other norms have already judged to be unlawful or improper.” A true exclusive right (his analogy: ownership of a car) excludes regardless of the means of taking; public data has no comparable baseline of “no access without the holder’s consent.” So in cell 3 the narrow holding right is “not an independent source of rights, but an interest position protected by behavioural regulation.”

The residual functions don’t rescue it

Hong tests three functions a standalone holding right might still perform, and finds each carried by something else:

• Private-law remedy (injunction, deletion, damages for the holder) — already largely available through PIPL’s individual rights, AUCL Article 13’s civil liability, trade-secret protection, contract, and tort. “Lawful holding as an interest position” is not the same as “creating an independent holding right.”
• Transaction and financing certainty — counterparties care whether you may use, license, sub-license, provide, productise, and collect revenue, and whether the authorisations are clean — i.e. the rights to use and operate, plus contract, registration, and compliance review. They do not care about “I am currently holding.”
• Data-as-asset / balance-sheet recognition (入表) — turns on lawful control, expected economic benefit, reliable measurement, business model, restrictions, and disclosure — not a single “holding right” label.

Path 1’s conclusion: under genuine complete separation, the narrow holding right “contracts into defensive protection of a lawful-control state.” It is not useless — it helps identify who lawfully controls data — but its incremental value as an independent property right is limited, and it cannot be the main axis of data trading and utilisation.

Path 2 — redefine “holding” as a “mother right”

The holding-centric school does not simply enlarge the narrow right; it changes the definition of “holding.” Holding is no longer mere storage or custody but “actual control over data coupled with the ability to decide how it is used” — a normative control that already contains utilisation potential. On that definition:

1. holding carries not just defence but positive powers (use, benefit, disposition);
2. the Right to Use becomes the internal processing/analysis power within holding, and the Right to Operate becomes the external-circulation power within holding — so they are no longer parallel to holding but “divided out” from inside it (a 母权—子权能, “mother-right / sub-power,” structure); and
3. factual holding is separated from holding as a right — cloud custodians, backup operators, entrusted processors, sandbox keepers, and pipes are factual holders or custodians, not full holding-right holders; the rights-holder is whoever can decide the manner of utilisation. (Data ownership, 所有权, is correspondingly thinned to a framing role at the production / initial-attribution stage.)

The structural contrast is clean: the official view reads use and operation out of holding; the mother-right view reads them into holding. The disagreement, Hong stresses, is not about whether data may be used or traded, nor whether a lawful holding state deserves protection — it is about how the relationship between holding and utilisation is conceived.

The real question

Hong’s conclusion is deliberately a fork, not a verdict: the two paths “share the name ‘持有权’ but carry two different concepts.” Path 1’s holding is narrow (a thin, defensive lawful-control state of limited standalone value); Path 2’s holding is broad (a utilisation-bearing normative control that can serve as a mother right). So the real question is not whether the holding right is “important,” but “how much normative content the word ‘holding’ should be made to carry.” Choose official complete separation, and you should accept that the narrow holding right is “thin” and that real circulation and trading ride on the use right, the operation right, contract, and behavioural regulation. Choose the mother-right view, and you must redefine holding and bring use and operation inside it. He closes by asking the practitioners in his audience what kind of holding-state protection — or holding right — the industry actually needs.

Why overseas counsel should care

• Don’t anchor a China data deal on “who holds the data.” On either path, the tradeable, financeable substance lives in the Right to Use and the Right to Operate — plus the contract, the registration, and the compliance posture. Diligence the authorisation chain and lawful sourcing, not the bare fact of custody.
• The protections exist even though the theory doesn’t settle. A held dataset is already defended, against the world, by PIPL, the DSL, the Network Data Security Regulation, and the AUCL — so counterparties are not unprotected while Chinese scholars argue about the holding right’s nature.
• “Use without holding” is the design pattern to expect. Privacy computing, sandboxes, and API delivery let a Chinese partner monetise data while never transferring a copy — increasingly the default structure for cross-border and inter-company data collaboration, and the one most compatible with China’s security regime.
• Watch which path registration practice drifts toward. Data-property registration rules and local data regulations will, in operation, pick an implicit answer; that choice shapes how data products are defined, licensed, pledged, and brought onto the balance sheet (入表).

DCC sources

• Original: Hong Yanqing (洪延青), 《数据持有权的两条路径：三权完全切割 vs. 持有权母权化》, on the 网安寻路人 channel — mp.weixin.qq.com.
• Cross-references on DCC: the Data Twenty Articles (the source of the three-rights structure) · the Interim Measures for Public Data Resource Registration and the draft Data Property Rights Registration Guidelines · PIPL · the Data Security Law · the Network Data Security Regulation.
• Part of the data-economy domain on DCC.

This is an editorial summary and analysis of Hong Yanqing’s commentary, written in DCC’s own words for overseas readers — not a translation of his article, and not a reproduction of it. Quoted phrases are short and attributed; the full argument is his, at the link above. Not legal advice.