DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 030 · PUBLIC-DATA

Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack

China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.

Editor’s Note — DCC.

This brief summarises 《DEXC+专栏|公共数据授权运营不是数据合规的“免死金牌”》, published by the Shenzhen Data Exchange’s DEXC+ compliance column under the names of three in-house compliance practitioners: Hu Minzhe (data compliance manager, PKU LLM/LLB/BA Econ), Wang Senpeng (data compliance supervisor, University of Manchester LLM), and Wang Qinglan (head of compliance, LLD and PhD in computer science). The piece responds to a concrete operational problem: since the January 2025 publication of the public-data authorized-operation specifications and its companion instruments, the Exchange has been receiving product-listing applications in which operators — and their third-party compliance assessors — treat government authorization as a blanket exemption from the underlying personal-information and data-security framework. The authors disagree, and explain why in six structured arguments.

The DEXC+ column sits inside China’s most active institutional voice on data-element-market compliance, and the authors are practitioners who screen real listing applications. That vantage point makes this more than academic commentary: it is a description of what the Exchange actually flags when it rejects or returns an application. Overseas counsel advising on product listing, data-product investment, or the compliance posture of an authorized operator should read it as a practitioner checklist, not a theoretical primer.

The “1+3 policy system” and what it does (and does not) do

In January 2025, the National Development and Reform Commission and the National Data Administration published a cluster of instruments completing what the authors call the “1+3 policy system” for public-data authorized operation (公共数据授权运营):

  • the Implementation Specifications for Public Data Resource Authorized Operation (Trial) (《公共数据资源授权运营实施规范(试行)》, hereafter the Implementation Specifications) — the capstone instrument;
  • the Interim Measures for Public Data Resource Registration Management (《公共数据资源登记管理暂行办法》);
  • the Notice on Establishing a Price-Formation Mechanism for Public-Data Resource Authorized Operation (《关于建立公共数据资源授权运营价格形成机制的通知》).

Together these implement the public-data authorized-operation framework called for in the Central Committee/State Council opinion on accelerating the development and use of public data resources. Since their publication, provincial and municipal governments have moved quickly to set up authorized-operation programs, and operators — referred to by the authors as 数据商 (data merchants) — have begun submitting public-data product listings to exchanges, including Shenzhen.

The problem the authors document is a category error. The 1+3 system establishes who may operate public data and on what terms. The “three laws and one regulation” (三法一条例) — the Cybersecurity Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (PIPL), and the Network Data Security Management Regulations (NDSR) — governs how data must be handled regardless of who is operating it. The authors’ central argument: these are not competing frameworks, and the former does not displace the latter.

The Implementation Specifications themselves make this explicit in their opening article, which names the CSL, DSL, and PIPL as its statutory basis. Later provisions require data-source departments to apply data-classification-and-grading protection requirements before including any resource in an authorized-operation program (Article 5); require implementation plans to cover data-security and personal-information protection measures (Article 9); and require the authorized-operation agreement between the implementing body and the operator to include data-security obligations, personal-information protection requirements, risk monitoring, and emergency-response measures (Article 14). In the authors’ reading, these provisions are not aspirational: they are binding obligations that travel with the authorization.

Failure point 1 — data classification is not being done

The Implementation Specifications require operators to apply data-classification-and-grading (数据分类分级) protection requirements before and during operation. This is not a formality: it is the mechanism by which operators determine which specific PIPL, DSL, and NDSR duties attach to the data they are handling.

The authors describe three patterns they have observed in listing applications:

Pattern A — silence. Some operators, and the third-party compliance assessors they engage, simply do not identify the data types in the product. No determination of whether personal information or important data (重要数据) is present; no explanation of which compliance obligations have been fulfilled.

Pattern B — the “public data is its own category” argument. Some third-party assessors argue that “public data” is a parallel category alongside “personal information” and “enterprise data” — citing the structural-separation data-property-rights framework in the 2022 Central Committee/State Council “Data Twenty Articles” opinion, which calls for “a classified and graded rights-authorization system for public data, enterprise data, and personal data.” The authors reject this reading: it ignores the fact that public datasets often contain individual-level records, and that personal information rights attach to the individual regardless of how the data arrived in a government database. The categories overlap; they are not mutually exclusive.

Pattern C — stop at identification. A third, marginally better pattern: the assessor identifies that personal information is present in the public data product, but then treats the government authorization as sufficient legal basis for processing it and goes no further. This is the authors’ central target: authorization is not a lawful-basis analysis, and a superficial nod to the presence of personal information does not discharge the downstream compliance obligations.

Failure point 2 — the processing-role analysis is missing

Under PIPL Article 73, a personal information handler (个人信息处理者) is any organisation or individual that independently determines the purpose and manner of personal information processing. The determination of who qualifies matters enormously: it defines who owes notification, consent, impact-assessment, and data-subject-rights duties.

The authors note that the processing-role relationships in public-data authorized operation remain unsettled as a matter of Chinese law, and that the full chain is longer than the operator-centric framing suggests. The chain runs from the entities that originally collect and aggregate individual-level records, through the government platform where data is consolidated, to the implementing body (实施机构) that holds the authorized pool, to the operator (运营机构) that develops products, and then into trading and distribution.

For the operator layer specifically, the authors identify two plausible configurations. Where the implementing body and the operator jointly determine purpose and manner for a specific application scenario, they may together constitute joint personal information handlers (共同处理者). Where the implementing body grants the operator broad discretion to develop products within a compliant range, the operator may independently constitute a personal information handler. The authors do not resolve which applies in every case — they argue that the right answer depends on the facts of each project, and must be worked out and documented in the authorized-operation agreement. What they reject is the common pattern of not asking the question at all.

Failure point 3 — notification is not optional

PIPL requires personal information handlers to notify individuals before processing their information. The authors observe a widespread and incorrect belief in the market: that if processing is lawful on a basis other than consent (particularly, the public-interest or government-function bases), notification is also excused.

This is wrong under PIPL as it stands. The statutory carve-outs from the notification obligation are narrow: (1) cases where a law or administrative regulation requires confidentiality or explicitly removes the notification duty; (2) emergency situations where notification is genuinely impossible to deliver in time to protect life, health, or property (with a follow-up obligation once the emergency ends); and (3) cases where notification would obstruct a government body’s exercise of a statutory function.

None of these exemptions covers routine commercial public-data product development. Authorized operators must therefore comply with the general notification requirements. In multi-party distribution scenarios — product trading through an exchange — PIPL’s separate provision on disclosure of personal information to third parties also applies, requiring that the individual be informed of the receiving party, the purpose, the type of information being disclosed, and their right to refuse.

Failure point 4 — the lawful-basis chain breaks at each transfer

PIPL Article 13 specifies seven lawful bases for processing personal information. The authors focus on the one that most authorized operators will end up relying on for commercial data-product development: individual consent (个人的同意). The analysis is complicated, because public-data authorized operation involves multiple sequential transfers, each of which may rest on a different lawful basis.

The original data collection (for example, by a government department providing a public service) typically rests on a statutory basis — the department’s legal mandate, not consent. The onward transfer to the implementing body, and then to the operator for commercial product development, must itself have a lawful basis. Because commercial development is generally outside the scope of the original statutory mandate, operators are likely to find that individual consent is the only basis available — but they need to have traced the chain to understand that, rather than assuming the government’s statutory basis travels downstream with the data.

The authors identify three common mistakes:

  • Wrong-basis mapping. Operators apply the statutory-function basis or the contractual-necessity basis to stages of the chain where those bases do not hold, without analyzing whether the transfer-purpose and original-collection-purpose are actually aligned.

  • Pre-anonymization processing overlooked. Some operators argue that their finished product contains only anonymized aggregate data and is therefore outside PIPL entirely. The authors accept that genuine anonymization produces output that is no longer personal information — but the processing required to reach that output (collecting, cleaning, structuring, and transforming the original individual-level records) is personal information processing, and requires a lawful basis at each stage before anonymization is achieved.

  • Stale or scope-limited consent. Where consent was originally obtained for a specific function or service, that consent does not automatically extend to repurposing the same data for product development, analytics, or commercial licensing. PIPL requires that consent be “voluntary, explicit, and given on the basis of full information,” and mandates that fresh consent be obtained if the purpose, manner, or category of data changes. Operators who assume that consent obtained in one context travels to a new and different context are misstating the law.

Failure point 5 — assessment obligations stack, not substitute

The Implementation Specifications require an implementing body to assess and justify the necessity and feasibility of conducting authorized operation. The authors are careful to note this is valuable — but it is not the same thing as, and does not substitute for, the assessment obligations in the three-laws-one-regulation framework.

Two specific assessment regimes apply:

Personal information protection impact assessment (个人信息保护影响评估, PIPIA). PIPL Article 55 triggers a mandatory PIPIA when personal information is entrusted for processing by a third party, or when personal information is provided to a third party. In public-data authorized operation and data trading, both triggers are routinely tripped. Operators who have not conducted a PIPIA, or who have not confirmed that the implementing body has conducted one for the phases it controls, have an unfilled obligation.

Important-data risk assessment. Where the product dataset contains important data (重要数据), additional obligations apply under the NDSR. Processors of important data must conduct a risk assessment before providing, entrusting, or jointly processing important data. They must also conduct an annual risk assessment of their network data processing activities and submit the results to the relevant competent authority. These are recurring obligations, not one-time checks.

Why overseas counsel should care

  • Product listing exposure. Clients holding an authorized-operation license who seek to list public-data products on a Chinese exchange will encounter exactly this checklist. Applications that cannot demonstrate data-classification analysis, a lawful-basis chain, notification compliance, and completed PIPIA are likely to be returned. Understanding what the Exchange is actually looking for — documented here by the Exchange’s own compliance team — reduces both delay and rework.

  • Investment diligence. Investors evaluating a data merchant or a data-product portfolio built on authorized public data need to assess residual compliance exposure under PIPL and the DSL, not just whether the authorization instruments are in order. The gap between “authorized to operate” and “operationally compliant” is where material liability sits.

  • Contractual allocation in authorized-operation agreements. The authors emphasize that the authorized-operation agreement between implementing body and operator is the instrument through which processing roles, liability allocation, notification responsibilities, and assessment obligations must be assigned. Overseas parties advising on or negotiating these agreements need to populate the compliance clauses from the three-laws-one-regulation framework, not just from the 1+3 policy system.

  • The “public data is not personal information” argument is closed. The source article explicitly forecloses the argument that public datasets fall outside PIPL because they constitute a separate category. Practitioners who have encountered this position in client materials or counterparty representations now have a direct rebuttal from the institutional operator most active in the market.

DCC sources

  • Original: 胡敏喆、王森鹏、王青兰, 《DEXC+专栏|公共数据授权运营不是数据合规的“免死金牌”》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account (source).
  • Public-data authorized-operation specifications (《公共数据资源授权运营实施规范(试行)》, NDRC/NDA, January 2025).
  • Data Security Law (《数据安全法》, 2021).
  • PIPL (《个人信息保护法》, 2021).

This is an editorial summary, not a translation of the DEXC+ column article. Analytical framing, section organization, and operational extrapolations are DCC’s. Any simplification or error of emphasis is attributable to DCC, not to the original authors. Not legal advice.
