DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
Back
§ 024 · DATA-PROPERTY-RIGHTS

From Copyright to Data Property: The Three-Layer Compliance Test for Registering Employee-Created Data in China

China's data property-rights registration regime treats copyright and data property (数据产权) as separate legal categories — a distinction that catches many applicants off guard when employee-created works are involved. This brief summarises a practitioner analysis by two Shenzhen Data Exchange compliance officers, who explain the three-layer 'penetrating review' (穿透审核) logic that registrars actually apply: lawful acquisition (合法获取), factual control (事实持有), and defined scope of use (使用范围). For overseas counsel advising clients that hold data generated by employees — including code, engineering drawings, maps, and other special categories of work-made-for-hire under China's Copyright Law — the key operational takeaway is that a copyright certificate alone is insufficient. Registration of all three data property rights (holding right, use right, operating right) requires distinct evidence chains for each, and the employment contract is the starting document, not the copyright certificate.

DCC Editorial SOURCE · ZH .MD ↓

Editor’s Note — DCC.

This brief summarises 《DEXC+专栏|数据产权登记实务:职务作品数据产权登记合规路径分析》, published in the Shenzhen Data Exchange’s DEXC+ practitioner column by Hu Jingzhuo (胡婧卓), Data Compliance Manager in the Exchange’s Compliance Department, and Chen Yiqian (陈一芊), Transaction Review Manager in the same department. Both authors hold DEXCO credentials and are lead drafters of the Shenzhen local standard on data-transaction compliance assessment. The analysis draws directly on their front-line experience reviewing data property-rights registration applications at one of China’s most active state-backed data trading venues.

The single most useful takeaway for overseas counsel: a Chinese copyright certificate covering employee-created work does not, by itself, establish data property rights over the underlying data. The data property-rights registration guide imposes a separate, three-part evidence test — lawful acquisition, factual control, and defined use scope — and each limb requires distinct documentary proof. For companies whose China data assets rest on employee-generated works (code, engineering drawings, market research, structured datasets), this brief sets out exactly what that evidence chain looks like.

The authors open with a diagnostic observation that goes to the heart of practitioner confusion: applicants regularly arrive at the Shenzhen Data Exchange’s registration window carrying a copyright certificate (著作权登记证书), expecting it to clear the data property-rights review. It does not.

The reason is conceptual. Copyright (著作权) protects the originality of expression — a specific literary, artistic, or scientific work. It controls how that work is reproduced and distributed, and it incentivises creation. Data property rights (数据产权), by contrast, are a new category of property interest defined under China’s data-element market framework. They are designed to resolve questions of ownership and circulation of data as a production factor — not to protect the creative expression that the data may happen to embody.

Under the three-right framework articulated by the National Data Bureau (国家数据局), data property rights break down as: the data holding right (数据持有权), focused on lawful acquisition and factual possession; the data use right (数据使用权), covering internal processing, aggregation, and analysis; and the data operating right (数据经营权), covering external transfer, licensing, and supply. As the authors summarise it: only when an applicant can simultaneously demonstrate lawful origin, actual control, and a clear boundary of permitted use can the registering entity be said to hold all three rights compliantly.

The bridge question — how to move from copyright to data property rights — is the analytical core of the piece.

The three-layer penetrating review

The Shenzhen Data Exchange applies what the authors call a “three-layer penetrating review” (三层穿透审核逻辑) when work-made-for-hire data is involved. Each layer probes a different dimension of the applicant’s claim.

Layer one: pierce the identity — look at source (lawful acquisition)

Lawful acquisition (合法获取) is described as the cornerstone of data property rights. “Having the data in hand” is not the same as having lawfully acquired it. For employee-created works, the analysis turns on whether the work falls into the general category or the special category under the Copyright Law (著作权法).

For general works-made-for-hire (一般职务作品): Article 18(1) of the Copyright Law provides that, in the absence of an express agreement to the contrary, copyright in a general work-made-for-hire belongs by default to the employee; the employing unit holds only a priority right to use (优先使用权) the work within its business scope. This priority right is sufficient to support the unit’s data holding right and data use right — that is, it can lawfully possess and internally process the data. However, if the unit wishes to register the data operating right (the external transfer/licensing layer), the default priority-use position is insufficient. At that point, an express written agreement signed by the employee is required.

For special works-made-for-hire (特殊职务作品): Article 18(2) of the Copyright Law assigns copyright (other than the moral right of attribution) to the employing unit by statute for certain categories — engineering designs (工程设计图), software (软件), maps (地图), and works created by employees of newspapers and broadcasting organisations. For these, demonstrating the employee’s identity and the creation date (noting that the revised Copyright Law took effect on 1 June 2021) is sufficient to establish that the unit has lawfully acquired the relevant data.

The practical implication: the employment contract (劳动合同) is the first document a reviewer reaches for, not the copyright certificate. The key question it must answer is whether the parties expressly agreed that all intellectual property rights and data rights arising during the employment relationship vest in the unit.

Layer two: pierce the form — look at control (factual possession)

Even where lawful acquisition is established, the data holding right requires separate proof of physical or technical actual control (事实持有) over the data. The authors frame this as the literal operationalisation of the word “holding” in “data holding right.”

Reviewers will ask: Where is the data stored? Is it in the applicant’s own data centre, or on a third-party cloud platform? If the latter, has the applicant signed a control agreement that establishes management authority? The required evidence includes storage architecture descriptions showing that data resides on self-owned or controlled servers, as well as management records — update logs, access-permission documentation, and security management systems. Without this, a reviewer may conclude that control is insufficient regardless of the legal title position.

Layer three: pierce the rights — look at the boundary (scope of use)

The third layer concerns the internal/external distinction within data property rights. Data use right covers internal operations; data operating right covers external supply. These are independent rights with clear boundaries and neither derives from the other.

The authors draw a structural analogy to the mature rights vocabulary of copyright law, which they suggest provides useful orientation for defining data use scope — though they are careful to note that the analogy is transitional and approximate, not definitively determinative:

  • Internal use (mapping to data use right): copyright’s reproduction right, adaptation right, and compilation right correspond conceptually to technical backup, algorithmic modelling, structured processing, and statistical aggregation of data for internal purposes.
  • External supply (mapping to data operating right): copyright’s right of communication via information networks, distribution right, and rental right correspond conceptually to API-based external provision, data-product distribution, and SaaS-format access licensing.

The authors are explicit that copyright provides only a structural reference point (结构性参考), not a direct confirmation or substitute for data property rights. Copyright and data property protect different interests, and the mapping between them is a transitional tool for digitised works — not a permanent solution. The more robust approach, the authors note, is to plan data rights allocation from the point at which the underlying work is created.

How the three rights combine: the registration formula

The authors summarise the operative logic for practitioners and reviewing lawyers as:

  • Data holding right = lawful acquisition + factual possession or control
  • Data use right = lawful acquisition + capacity for internal use
  • Data operating right = lawful acquisition + capacity for external supply

Because the three rights are independent in their scope — they do not derive from each other — an applicant may register all three simultaneously or may register any one or more on a selective basis depending on its compliance situation and operational needs. This flexibility is significant: it means a company that cannot currently satisfy all requirements for the operating right (for example, because it has not obtained sufficient consents for external transfer of personal information) can still register the holding and use rights and build out its compliance chain before seeking the broader operating right.

The authors flag one important example in this regard. Registering the data operating right over datasets containing personal information requires compliance with PIPL Article 23 — specifically, providing individuals with details of the recipient’s identity, contact information, processing purpose, processing method, and the categories of personal information involved, and obtaining their separate consent (单独同意). If that condition cannot be met, the recommended approach is to register only the holding and use rights and defer the operating right until the consent infrastructure is in place.

The practical compliance path: what to prepare

Drawing the threads together, the authors’ practitioner checklist for work-made-for-hire data registration runs as follows:

For the legal origin layer, the starting question is which category of work is involved. For general works, verify that the employment contract contains an explicit assignment of all data rights to the unit; if it does not, assess whether the default priority-use position supports the rights being claimed, and obtain any additional written agreements required for operating-right registration. For special works, confirm employee status and creation date post-1 June 2021.

For the factual control layer, prepare storage architecture evidence, cloud-platform control agreements where applicable, update and access logs, and the organisation’s data security management system documentation.

For the use-scope layer, define whether the registration claim is for internal use, external supply, or both, and document the evidence for each claimed right independently.

The authors close with the observation that the Datatang v. Yinmu data-IP registration case demonstrates that courts are now engaging seriously with data property rights claims — and that the same documentation rigour that supports a registration application is the documentation that will matter in litigation. Compliance is not a constraint but an expression of the data asset’s value: only when source legality, factual control, and use boundaries are all clear can a market participant claim a full pass to the data-element market.

Why overseas counsel should care

  • Copyright certificates held by China subsidiaries do not automatically establish data property rights over employee-generated data. If a client’s China data assets rest on employee-created works — particularly software, engineering drawings, or structured datasets — the data property-rights position needs to be assessed independently of any copyright registration already on file.
  • Employment contracts are the critical first document. Whether a unit can register all three data rights, or only the holding and use rights, turns substantially on what the employment contract says about IP and data ownership. Contracts that are silent on data rights, or that track older IP-assignment language without addressing the new “三权” (three-rights) framework, create gaps that surface at the registration stage.
  • The internal/external use distinction has direct trading implications. A client that wishes to monetise its China data — through API licensing, data-product sales, or cross-border data supply — needs the data operating right. That right requires both a compliant legal chain back to the original creators and, for personal-information datasets, PIPL-compliant separate consent from the individuals concerned. Building that chain before a transaction is always cheaper than resolving a gap mid-deal.
  • The Shenzhen Data Exchange’s three-layer review logic is the operational reality of the market. For clients approaching the data-element market via exchanges or other institutional venues, understanding how reviewers actually assess applications — and what evidence they expect — is the difference between a first-pass approval and a cycle of queries and resubmissions.

DCC sources

This is an editorial summary, not a translation of Hu Jingzhuo and Chen Yiqian’s piece. Conceptual framings, section organisation, and operational extrapolations are DCC’s. Any simplification or error of emphasis is DCC’s responsibility, not the authors’. Not legal advice.

FILED UNDER

— Not legal advice.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.