Editor’s Note — DCC.
This is DCC’s summary and analysis — not a translation — of 《越自主,越难流通?数据使用权外部化的结构张力》, the second study note by Hong Yanqing (洪延青) on his 网安寻路人 channel in a series on China’s “separation of three rights” (三权分置) data-property framework. Part one, on the Right to Hold Data, is on DCC as Two Paths for the “Right to Hold Data”; the third, on the Right to Operate Data, is Why Upstream Won’t Operate Its Data. The piece is legal theory, but a consequential one — it goes to how a Chinese data partner can and cannot license data, and therefore how data-use deals, AI-training-data supply, and data-as-asset structures should be built. The original is linked at the foot; the framing for overseas counsel is ours.
Where the use right sits
China’s Opinions on Building the Basic Data Systems — the “Data Twenty Articles” (数据二十条) — split data property into the Right to Hold Data (数据持有权), the Right to Use Data (数据使用权), and the Right to Operate Data (数据经营权). Part one argued the holding right is thin. This note argues the use right has more real content — and that precisely this content makes its externalisation structurally fraught.
The official definition is narrow in an easily-missed way. The National Data Administration’s Common Data Terms (Batch 2) defines the use right as the right to “process, aggregate, and analyse data to optimise operations, deliver services, and form derivative data” — and stresses that, as a rule, the use right is exercised on the premise of not providing data to the outside (不对外提供数据). The right to provide data externally is the separate operation right.
The consequence Hong draws: the paradigmatic use right is internal — “I use my own data,” not “I let someone else use my data.” So when people speak of “upstream granting a use right downstream,” that is not the upstream simply exercising its use right. Strictly, the upstream is exercising its operation right to license; the downstream is acquiring a use right. The single act has two faces — upstream operation, downstream use — and it is in this externalised form that personal-information compliance, data security, derivative-data ownership, and loss of upstream control all surface at once.
Externalisation moves the downstream from “entrusted processor” to “provision”
Granting a use right outward first changes the downstream party’s legal position under PIPL.
- If the downstream merely processes data on the upstream’s instructions and for the upstream’s purposes, it looks like an entrusted processor (受托处理人). PIPL’s entrusted-processing rule confines it to the agreed purpose and method, bars processing beyond what was agreed, and requires it to return or delete the data when the engagement ends — it may not retain the data.
- A genuine use right is different in kind: its core is that the downstream may process, aggregate, analyse, and exploit the data for its own purposes. Once it does that, it is no longer a service provider to the upstream. If the data is personal information, the downstream can become an independent personal information handler (个人信息处理者), and the upstream’s act falls into “providing personal information to another handler” (提供) — or, where the two jointly decide purpose and means, joint processing (共同处理).
That distinction carries a compliance load. Under PIPL, providing personal information to another handler requires telling the individual the recipient’s name and contact details, the purpose, the method, and the categories of personal information involved — and obtaining separate consent (单独同意); the recipient must then process only within that scope. So externalising a use right over personal information is not just a property-allocation question; it is a personal-information-compliance event.
For non-personal data, the load is different. The Data Security Law applies — lawful sourcing, no theft or illegal acquisition, classification and grading, important-data and cross-border controls, transaction compliance — but there is no general “separate consent before providing to another processor” rule. Externalising a use right therefore lands in very different places depending on the data type: a heavy provision/joint-processing burden for personal information; a data-security-and-transaction-compliance structure for everything else.
Derivative data: why value migrates downstream
The most consequential feature of the use right is not “provision” but production: a use right includes forming derivative data (衍生数据).
The official definition is specific — derivative data is data that a processor, exercising a use right, transforms through “professional processing, model-based analysis, and key-information extraction” such that its content, form, and structure are substantially changed and its value markedly increased. So a use right is not a bare right to read or query; it is a right that can create new value. A downstream party with a strong use right can turn upstream data into a new label system, scoring model, risk index, customer profile, market forecast, set of model parameters, training result, industry report, or data-API service.
And here is the pivot: absent a clear agreement, derivative data is generally claimed by the party that actually created it — the downstream — because it is not a copy of the raw data but the product of the downstream’s own algorithms, models, scenarios, and cleaning-and-processing work. The result is a structural leak: the upstream still holds the raw data, but a portion of its value has already moved downstream, embodied in models, parameters, scores, labels, indices, or predictive capability.
Hong is careful that this is not a statutory command — “derivative data severs the chain of succession from its source” is a scholarly inference from “a processor holds an interest in what it produces,” still bounded by contract, PIPL, trade secrets, IP, the DSL, anti-unfair-competition law, and the public interest. Parties can contract around it — derivative-data ownership, grant-back licences, revenue sharing, bans on external operation or model-training, no-fusion clauses, deletion duties, audit and output-review rights. But contract does not erase the cost of discovery, proof, tracing, and recovery. Once a derivative result is further aggregated, modelled, de-identified — or genuinely anonymised — it becomes much harder for the upstream to prove it came from a specific dataset and to assert control. What the upstream truly fears is not that the downstream sees the data, but that it absorbs the data’s value and fixes it into its own systems.
Two upstreams: controlled use vs. monetisation
Whether an upstream will grant a strong use right turns less on the data’s value than on its business model — does it rely on data to sustain a competitive relationship, or does it sell and license data products for a living?
- Control-dependent upstreams — platforms, holders of core user data, owners of high-value industrial data or irreplaceable training data — typically will not hand over a complete, autonomous, derivative-data-capable use right. They prefer controlled structures: API calls, data sandboxes, trusted execution environments, privacy-preserving computation, result delivery, joint modelling, co-development. The downstream may “use” the data, but the use is tightly bounded by technical measures and contract. For them, the question is not whether data can generate transaction value, but whether the transaction will erode their durable advantage — so the more open the use right, the more they compress its autonomy.
- Monetisation upstreams — data brokers, dataset licensors, sellers of industry data products, some AI-training-data licensors — do not aim to retain control. They productise and license, taking a one-off or recurring price; once the price and the contract cover the risk of weakened control, granting a strong use right is the rational choice. Their concern is price, licence scope, liability caps, compliance warranties, breach remedies, sub-licensing, exclusivity, term, and field-of-use.
The same problem, two solutions: control-dependent upstreams convert a strong use right into controlled use; monetisation upstreams price the control loss into the deal. Crucially, compliance risk and value-control risk are separate layers. “Provision” mainly creates compliance duties (notice, separate consent, recipient-scope control; and, for personal information and important data, the Network Data Security Regulation’s requirement to fix purpose, method, scope, and security duties by contract and to supervise the recipient). Value-control risk is the other layer — the downstream forming derivative data, model parameters, and predictive capability. The two can come apart: you can have a formal “provision” relationship locked down tightly by contract and technology, or no personal-information “provision” burden at all (non-personal data) yet still suffer value outflow. And anonymisation is not a clean escape — true anonymisation may take data out of the personal-information category, but most “anonymisation” in practice is mere de-identification, which remains personal information.
The use right is real — but its boundary comes from outside
Hong’s synthesis: the controlled-access arrangements above prove the use right is being traded — contracts allocate and limit it, sandboxes enforce its boundary, APIs constrain the manner of use, privacy computing controls visibility, output review decides what may leave. What can be licensed, limited, and enforced is exactly the interest in using data.
The problem is that the use right does not carry its own complete boundary. Purpose, term, scope, whether outputs may be downloaded or models trained, whether third-party data may be fused, who owns derivatives, whether sub-licensing or external operation is allowed — all of this must be fixed by contract, technical measures, compliance rules, and revenue arrangements. But, Hong argues, a right whose boundary and enforcement come from outside is not therefore empty — ownership itself depends on tort law, contract, registration, land-use and traffic and environmental rules, yet no one calls ownership “nominal.” A property right that needs external rules to be made concrete is the normal case. The use right answers “what kind of interest is this” — the interest in processing, aggregating, analysing, and internally exploiting data. “How far it can be used, what may be output, who owns the product, whether it can be re-used or externally operated, how breach is detected and remedied” — those are answered by the external rules. The right type supplies the language of the deal; the external rules supply the boundary.
Why overseas counsel should care
- “Granting use” of personal information is a PIPL provision event. If a Chinese partner lets you process its personal-information dataset for your own purposes, you are likely an independent handler and the transfer is provision (or joint processing) — requiring notice and separate consent from individuals, with the recipient confined to the disclosed scope. Diligence the consent basis before the data moves; a “data use licence” does not cure a missing separate consent.
- Expect controlled use, not a copy. A control-dependent Chinese counterparty will usually offer a sandbox, privacy-computing, or API structure rather than a raw dataset — the same “use without holding” pattern flagged in part one. Design your project around outputs and model results, and negotiate output-review and grant-back terms explicitly.
- Pin down derivative-data ownership in the contract. China’s default tilts the ownership of models, scores, and labels toward the party that builds them. If you are upstream, write derivative-data ownership, no-train/no-fusion, and deletion terms; if you are downstream, confirm your right to retain and operate what you build — silence will be litigated later.
- Map the compliance layer separately from the value layer. Treat personal-information provision duties (PIPL) and the Network Data Security Regulation’s contracting-and-supervision duties as one workstream, and the commercial control of derivative value as another; the deal can fail on either.
DCC sources
- Original: Hong Yanqing (洪延青), 《越自主,越难流通?数据使用权外部化的结构张力》, on the 网安寻路人 channel — mp.weixin.qq.com.
- Series on DCC: part one — Two Paths for the “Right to Hold Data”; part three — Why Upstream Won’t Operate Its Data; part four — Data “Parallel Property Rights”.
- Cross-references on DCC: the Data Twenty Articles (source of the three-rights structure) · the Common Data Terms, Batch 2 (the official definitions of the use and operation rights and of derivative data) · PIPL (provision, separate consent, entrusted processing) · the Data Security Law · the Network Data Security Regulation · the draft Data Property Rights Registration Guidelines.
- Part of the data-economy domain on DCC.
This is an editorial summary and analysis of Hong Yanqing’s commentary, written in DCC’s own words for overseas readers — not a translation of his article, and not a reproduction of it. Quoted phrases are short and attributed; the full argument is his, at the link above. Not legal advice.