DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
Back
§ 020 · DATA-PROPERTY-RIGHTS

Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights

NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.

DCC Editorial SOURCE · ZH .MD ↓

Editor’s Note — DCC.

The Data 20 Articles’ three-rights framework leaves a tactically critical question unanswered in the headline text: when one entity outsources data storage, processing, or analysis to a service provider — the canonical scenario being cloud storage, but also BPO, e-government-system integrators, and analytical-services contractors — does the service provider acquire any of the three property rights over the data it touches?

NDA’s answer in this short interpretation is unambiguous: no. The entrusted party (受托人) does not become a “data processor” in the property-rights sense; it has no holding, use, or operating right over the data; and it specifically cannot use the data for its own debt repayment or bankruptcy liquidation. The reasoning anchors to the Civil Code’s long-established contract-of-mandate rules. For overseas counsel structuring cloud, vendor-managed-services, and outsourced-analytics arrangements, this is the most useful single clarification yet issued on the regime.

The scenario and the questions NDA poses

NDA opens with the operational scenarios:

  • Enterprises entrusting cloud platforms to store their data.
  • Government agencies entrusting software companies to develop e-government systems and perform related data processing.

It then frames three questions that arise in any such arrangement:

  • How should the property rights be allocated between the principal (the entity that owns / controls the underlying data set) and the entrusted party (the service provider that touches the data)?
  • Can the entrusted party, without authorization, use the principal’s data for circulation and trading (i.e., put the data on the market on its own behalf)?
  • If the entrusted party encounters financial distress, can it use the principal’s data for debt repayment or bankruptcy distribution (i.e., can creditors reach the data)?

These are real and consequential questions for any multinational running cloud workloads or vendor-managed services in China.

NDA’s analysis

The entrusted party is not a “data processor” — it is something else

NDA’s analytic move is to apply the data-processor definition developed in the second interpretation: a data processor is the party that independently determines the purpose and means of processing. The entrusted party (受托人), by contrast, processes the data on the principal’s instructions — it does not independently determine purpose or means. By definition, then, the entrusted party is not a data processor in the strict sense.

This is the structural pivot. Because the entrusted party is not a data processor, the default three-rights allocation (which assigns hold / use / operate to the data processor) does not apply to it. It holds none of the three property rights over the data merely by virtue of touching the data in the course of performing the entrustment.

Anchoring the conclusion to the Civil Code’s contract-of-mandate rules

NDA grounds the conclusion in long-existing Chinese commercial law: the Civil Code’s contract chapter (合同编) provisions on contracts of mandate (委托合同). Under the Civil Code, property the entrusted party (mandatary) acquires in the course of executing the entrusted matter must be transferred to the principal (mandator). The default rule is that the entrusted party holds no proprietary entitlement to assets it touches in fiduciary capacity for the principal.

NDA reads this principle forward into the data-element regime: “From the perspective of consistency with the Civil Code and of regulating entrusted-processing activity, where a data processor entrusts another party to process its data, the entrusted party — with respect to the original data, in-process data, and result data — does not hold the right to hold, the right to use, or the right to operate, except as otherwise provided by law or agreed in contract.”

The qualifier matters: except as otherwise provided by law or agreed in contract. The default is no rights for the entrusted party. The principal can, by contract, grant the entrusted party specified use or operating rights (e.g., a cloud-platform contract that grants the cloud vendor the right to use anonymized telemetry for internal product improvement). But the default — what the regime assigns absent contractual variation — is no rights.

The bankruptcy / debt-repayment carve-out

NDA’s third question — can the entrusted party use the principal’s data for debt repayment or bankruptcy distribution — is the most operationally consequential, and NDA’s answer is the cleanest.

Because the entrusted party holds no property rights over the data, the data is not part of the entrusted party’s estate. When the entrusted party is in financial distress, its creditors cannot reach the principal’s data. When the entrusted party is dissolved or enters bankruptcy, the principal’s data is not subject to bankruptcy distribution — it must be returned to the principal (consistent with the Civil Code’s contract-of-mandate rules).

This is the closest thing the Chinese data-element regime has to a trust-style segregation principle for entrusted data — and it is a clear answer to a question overseas counsel often raise when contracting with Chinese cloud vendors or BPO providers: if my vendor goes bankrupt, what happens to my data? NDA’s answer is that the data remains the principal’s; it is not pooled into the vendor’s bankruptcy estate.

The scope of the carve-out — three data states

NDA is careful to specify that the no-rights rule applies to three data states that arise in entrusted processing:

  • Original data (原始数据) — what the principal hands over to the entrusted party at the start of the engagement.
  • In-process data (过程数据) — what is generated transiently in the course of the entrusted processing (intermediate datasets, working files, temporary aggregations).
  • Result data (结果数据) — what the processing yields as output (cleaned datasets, analytical outputs, derived data products).

All three categories fall to the principal by default. The entrusted party cannot, for example, retain “result data” as its own property on the theory that it was created by the entrusted party’s work — that is exactly the kind of move the Civil Code’s mandate rules historically prohibited in non-data contexts, and NDA confirms the same rule applies here.

The point is that derivative-data-creation does not, of itself, vest property rights in the creator. If the principal’s data is the input and the work is being done as entrusted processing, the output is the principal’s. If the parties want a different allocation — e.g., the entrusted party should own derivative datasets it generates — the parties must say so in the contract.

What this means in transactional vocabulary

The default rule is a strong default. Where parties want to vary it, four contracting patterns are useful.

Pattern 1 — Service-provider operational rights. Cloud and BPO vendors typically want narrow operational rights to anonymized data for internal product improvement, security analytics, and capacity planning. Under NDA’s framework, those rights must be expressly granted by the principal; they don’t arise by default. Standard cloud-vendor terms should be reviewed against this baseline.

Pattern 2 — Derivative-data IP allocation. Where the entrusted party generates IP-protectable derivative work (analytical models, code, methodologies built on the principal’s data), the default — no rights for the entrusted party — may not match commercial expectation. Parties should specify which derivative outputs belong to which party, and whether the entrusted party retains use rights to its own analytical methodology absent the underlying data.

Pattern 3 — Bankruptcy protection. Principals should ensure that contracts with Chinese cloud and BPO vendors include data-return on insolvency clauses, anchored to the Civil Code contract-of-mandate framework and NDA’s interpretation. The default rule favors the principal, but documenting it strengthens the principal’s position in an actual bankruptcy proceeding.

Pattern 4 — Non-circulation undertakings. Because NDA explicitly states the entrusted party cannot put the principal’s data into market circulation without authorization, contracts should restate that prohibition and treat any breach as a material breach. The legal backing for the prohibition is now express — but a contractual restatement gives the principal a cleaner enforcement path.

How this connects to PIPL’s entrusted-processing rules

For data containing personal information, the PIPL regime applies in parallel and is more prescriptive than NDA’s general framework. PIPL Articles 21 and 59 address entrusted processing of personal information specifically:

  • The entrusted party may only process personal information within the agreed purpose and means.
  • The entrusted party must implement security measures and assist the entrusting party in complying with PIPL obligations.
  • The entrusted party must return or delete personal information upon completion of the entrusted matter; it may not retain.
  • The entrusted party may not sub-entrust without consent.

NDA’s framework is consistent with PIPL on entrusted processing — and extends the same structural principles to non-PI data. Overseas teams handling mixed PI + non-PI data sets should treat PIPL’s specific entrusted-processing requirements as the operational floor, with NDA’s broader no-property-rights principle as the default for the non-PI components.

What this tells overseas compliance teams

  • Cloud and BPO vendors do not acquire property rights over your data by default. Subject only to express contractual grant, the vendor has no right to hold, use, or operate your data outside the entrustment scope. This is the regulatory baseline; standard vendor terms-of-service that purport to grant the vendor broader rights (especially “we may use your data to improve our services” without scope limitation) should be negotiated against this baseline.

  • Vendor insolvency does not pool your data into the vendor’s estate. The Civil Code contract-of-mandate framework — now reinforced by NDA’s interpretation — segregates the principal’s data from the entrusted party’s estate. Build this into business-continuity and vendor-failure planning for China operations.

  • Derivative outputs default to the principal, not the vendor. Where the engagement involves analytical outputs, the default rule allocates them to you, not the vendor. If the commercial deal is otherwise, document it explicitly.

  • PIPL’s entrusted-processing rules layer on top for personal-information processing. Where the entrustment involves PI, PIPL’s more specific requirements — purpose limitation, security, return-or-deletion, no sub-entrustment without consent — apply directly. The NDA framework does not displace those; it complements them on the property-rights side.

The structural picture across the three NDA interpretations is now visible: the structural-separation principle defines the three rights; the data-processor allocation interpretation defines who holds them by default; this third interpretation carves out a class of actor (the entrusted party) that holds none of them despite touching the data. That carve-out is the part that protects the principal in the cloud-and-BPO supply chain — and it is the part overseas counsel will use most often in transactional negotiations.

国家数据局, 政策解读 | 数据委托处理情形中的产权配置 (Policy Interpretation: Property Rights Allocation in Entrusted Data Processing Scenarios), 国家数据局 WeChat Official Account. Original article (Chinese).

Not legal advice. The above is DCC’s structured summary of NDA’s policy interpretation, with framing for overseas counsel; the cloud / e-government scenarios and the Civil Code contract-of-mandate anchoring are NDA’s.

FILED UNDER

— Not legal advice.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.