Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model

Editor’s Note — DCC.

This brief summarises 《DEXC+专栏｜授权运营模式下企业如何合规加工运营和交易公共数据？》by Yang Haoran (杨浩然), an undergraduate researcher at Shandong University Law School and member of Shenzhen Data Exchange’s DEXC+ Global Data-Element Legal-Talent Programme. The piece is framed as a practitioner compliance guide, not academic commentary: Yang maps the full public-data supply chain — from the definition of public data, through the authorised-operation approval process, through the technical requirements for processing, to the on-exchange listing of a finished data product. The analytical spine is Shenzhen Data Exchange’s own “3×4” dynamic-compliance framework (three stages × four dimensions), which the Exchange developed as a Shenzhen municipal local standard and which underpins its compliance-assessment practice. DCC runs this piece because it is the most operationally detailed account we have seen of what the public-data authorized-operation specifications and the public-data registration interim measures require at the firm level.

One context note for overseas readers: the primary national instrument Yang relies on is the National Data Administration’s Public Data Resource Authorized-Operation Implementation Specifications (Trial) (《公共数据资源授权运营实施规范（试行）》), issued as a public consultation draft (征求意见稿) and referred to throughout as the “Draft Specifications.” Where Yang cites provincial or municipal rules, DCC has preserved the jurisdiction, because China’s public-data regime is layered: the national draft sets floors, while Zhejiang, Shanghai, Guangdong, Hangzhou, Qingdao, and Shijiazhuang have each issued their own implementation rules that are binding in practice.

What counts as public data — the two-element test

China’s “public data” (公共数据) concept first appeared in the State Council’s 2015 Big Data Action Plan (《促进大数据发展行动纲要》) but was not formally defined until recently. The governing definition is now settled in the National Data Administration’s Common Terminology in the Data Domain (First Batch) (《数据领域常用名词解释（第一批）》): public data is “data generated by Party and government organs at all levels, and by enterprises and public institutions, in the course of lawfully performing official duties or providing public services.”

Yang distils this into a two-element test. The subject element (主体要件) requires that the collecting institution hold a public-management or public-service function — this covers government departments, public enterprises and institutions with public functions, and social organisations performing delegated public duties. The conduct element (行为要件) requires that the data be collected and generated specifically in the course of lawful public-management or public-service activity: data collected by a utility company outside its public-service function does not qualify, a position expressly codified by Guangdong’s Public Data Management Measures. Local definitions in Shenzhen, Shanghai, and Guangdong each extend this core in slightly different ways, but all converge on the two-element structure.

The Draft Specifications address scope from the supply side: the objects eligible for authorised operation are public-data resources held by county-level and above local governments and national sector regulators. Central Party and government organs, and county-level Party committees, fall under the same rules by reference. Public utilities — water, gas, heat, electricity, public transit — may participate in authorised operation by following the Draft Specifications’ procedural requirements.

The authorised-operation model and the data product it produces

Yang contrasts two routes for accessing public data: open access (数据开放, including unconditional open data and conditional on-request access) and authorised operation (授权运营). Open access has historically suffered from poor data quality and a mismatch between what government agencies publish and what enterprises actually need. Authorised operation addresses this by bringing in market mechanisms: a data-management authority (in practice, a local data bureau — the newly established 数据局 being the representative institution) authorises a specific enterprise to develop and commercialise a defined dataset, within a defined application scenario, with data quality and security obligations attached.

The output is a data product (数据产品), construed broadly: data packages, data interfaces, data models, data services, and data reports. The key constraint is that the authorised operator must have put substantial labour and technical investment into the product. The core processing rule, drawn from multiple local instruments and the Draft Specifications alike, is: “raw data does not leave the domain; data is usable but not visible” (原始数据不出域、数据可用不可见). A data product, once produced, is a derived artefact — processed, de-identified, and validated — not a copy or excerpt of the underlying government database.

Yang notes an unresolved property-rights question at the intermediate layer: the “Data Twenty Articles” (数据二十条 — the foundational document issued jointly by the Central Committee and the State Council) assigns data-processing-and-use rights (数据加工使用权) and data-product operating rights (数据产品经营权) to authorised processors, but does not clearly resolve whether an operator holds operating rights over derived data at the preliminary-processing stage, short of a finished product. The deeper-processed, finished data product sits on firmer legal ground: Beijing courts have recognised originality and substantial labour investment in data products as a basis for copyright-adjacent protection, and academic commentary has explored a civil-law “processing-creates-ownership” (加工取得所有权) theory for data products whose added value clearly exceeds that of the underlying raw data.

How authorised data products reach the market

Finished data products have two primary distribution channels. The first is the open-access route: an application-and-review pathway through which downstream users obtain a secondary licence to use the product, or direct publication on a government data-openness platform (Zhejiang’s provincial data-open platform hosts processed data applications in app and mini-programme form as examples). The second — and the one Yang focuses on — is the market-trading route (市场化道路): the data product is listed on a data exchange as a tradeable asset.

Practice has settled on on-exchange trading (场内交易) as the standard model. Pre-2024 local rules already encouraged operators to list processed public-data products on legally-established data-trading platforms. The October 2024 central document issued jointly by the General Office of the Central Committee and the State Council (Opinions on Accelerating the Development and Utilisation of Public Data Resources) went further, explicitly encouraging “eligible regions to explore on-exchange trading models for public-data products and services.” For public data specifically, on-exchange trading is both the state-preferred approach and the one best suited to demonstrating provenance and security compliance.

Some jurisdictions add a geographic constraint: Hangzhou’s Trial Implementation Plan for Public Data Authorised Operation, for instance, requires that authorised operators in principle list and manage approved data products on the Hangzhou Data Exchange. Operators dealing with locally-originating public data must verify whether the holding jurisdiction imposes a venue restriction of this kind before listing on a national exchange.

The flow chain: actors, platforms, and the compliance pressure points

Under the authorised-operation model, Yang maps a five-link flow chain:

1. Public-management and service institutions collect and generate data in the course of their duties.
2. The data aggregates to a local unified public-data authorised-operation platform (统一公共数据授权运营平台), which applies data-sandbox and privacy-computing techniques to cleanse and process the data, creating a trusted environment for authorised access.
3. Data-management authorities (数据主管部门, in practice the local data bureaux) manage and organise authorised operations.
4. Authorised operators (enterprises that have obtained authorisation) process the data within the platform environment to form data products and services.
5. Products are listed on local data exchanges (各地数据交易中心) and traded with counterparties.

Yang’s key analytical observation is that most published compliance commentary concentrates on the last link — the exchange listing — while most compliance risk materialises in the earlier links: data provenance, the scope of the authorisation, how processing personnel are credentialled, and whether the finished product stays within the approved application scenario. A breach at any upstream link disqualifies the product from compliant circulation, regardless of how well the on-exchange paperwork is managed.

The 3×4 compliance framework: three stages, four dimensions

The analytic core of Yang’s piece is the “3×4” dynamic-compliance assessment model developed by Shenzhen Data Exchange and adopted as a Shenzhen municipal local standard (DB4403/T《数据交易合规评估规范》). Three stages — subject compliance (主体合规), subject-matter compliance (标的合规), and circulation compliance (流通合规) — are each assessed across four dimensions: legal (合法), security (安全), integrity (诚信), and rights (权益). What follows is Yang’s application of that framework to the public-data authorised-operation context.

Subject compliance (主体合规)

Legal dimension. The authorised operator must be validly incorporated and in good standing. If the operating business falls within a sector requiring regulatory approval or a special industry licence (金融, healthcare, mapping, and similar), the operator must hold that approval before commencing operations.

Security dimension. The Draft Specifications require operators to demonstrate data-resource processing, operation, and management capacity, good standing, and conformity with national data-security protection requirements. Zhejiang’s rules are among the most detailed on the technical side: operators must have a designated data-security officer and management department; maintain an internal public-data authorised-operation management and security system; hold MLPS Level-3 (网络安全等级保护三级) certification and satisfy commercial cryptography application security-assessment requirements; possess mature data-management and data-security assurance capability; and have had no network-security or data-security incidents in the three years preceding application.

On the management side, operators must maintain three standing internal systems. An information-retention system (信息保存制度) requires that internal policies, operating agreements, and operating logs be preserved; Qingdao’s rules specify a minimum twenty-year retention period. A periodic reporting system (定期报备制度) requires regular reports to data-management authorities and state-asset management departments covering authorised storage, processing, analytical use, integration, and market operations of data resources. An emergency-response system (应急处置制度) requires a data-security incident response plan covering leakage, damage, and loss, with mandatory immediate activation and report-up to the data competent authority on occurrence of a security incident or major risk.

Integrity dimension. The Draft Specifications require operators to publish a public list of their data products and services and to periodically disclose data-resource usage to the public for social supervision. At the time of on-exchange listing, operators must submit accurate materials and disclose, as-true, any criminal penalties, administrative penalties, litigation, or arbitration relating to network security, data security, or personal-information protection in the preceding three years.

Rights dimension. Operators must maintain mechanisms protecting their own rights, data subjects’ rights, and partners’ rights. The Draft Specifications encourage implementing institutions and operators to support regional and departmental data-governance and service capacity through technology, products, services, and revenue sharing. For compliance review, relevant documentation includes personal-information protection policies and privacy notices; data-subject rights request response procedures and records; cooperation agreements and data-process records with partners; third-party management mechanisms; and intellectual-property ownership evidence and agreements.

Subject-matter compliance (标的合规)

Legal dimension — data source. Operators must have a valid authorisation from the competent data authority, obtained through an authorised-operation agreement or equivalent instrument, before accessing any public-data resource. The “one scenario, one authorisation” (一场景一授权) principle applies: each authorisation covers a specific application scenario, and the operator must state the purpose, scope, term, and security measures in the application. Public data that could endanger national security, damage the public interest, or falls within a statutory prohibition on commercialisation cannot be used.

The authorised-operation agreement must specify, at minimum: the purpose, use scope, service method, operating term, rights and obligations, data-security requirements, prohibited uses, liability for breach, dispute resolution, revenue sharing, and exit mechanism. The Draft Specifications’ Article 14 (of the draft) sets out a detailed required-terms list.

Legal dimension — data processing. All persons participating in data processing must be identity-authenticated, registered, and vetted; must have signed confidentiality agreements; and all their operations must be logged and auditable. Raw data must not be visible to processing personnel. The operator uses sampled and de-identified public data for model training and validation.

Legal dimension — data content. Yang addresses four sub-categories of data that may be blended into a public-data product. Social data (社会数据 — privately-held enterprise data) may be imported into the authorised-operation domain for fusion computation with public data only after approval from the public-data authority. Publicly scraped data must be described as to source, method, and scope, and must not be obtained by unlawful intrusion or technical circumvention. Operator-generated data must not infringe third-party rights. Contractually acquired data must be accompanied by the relevant procurement or licensing agreement; if the category requires a special licence to collect, evidence that the data provider holds it must be retained.

Where a data product involves personal information, PIPL obligations apply in full: collection must have a clear and legitimate purpose; the principles of lawfulness, necessity, and informed consent govern; and privacy-computing, anonymisation, and equivalent technical safeguards must be applied.

Security dimension. The operator must apply security management and technical measures calibrated to the data type and sensitivity level involved. For public data specifically, the requirement is conformity with the Shenzhen local standard DB4403/T 271—2022 basic security requirements, and with the GB/T 22239—2019 Level-2 requirements for data integrity, confidentiality, and backup-recovery.

Integrity and rights dimensions. Product documentation and descriptions must be accurate. Commitment letters confirming absence of illegal subject matter, no regulatory violations, and no adverse public-sentiment events are recommended at listing. Where a product implicates intellectual property, ownership evidence or IP agreements must be in place, and no third-party IP must be infringed. Where a product involves personal information of minors under fourteen, the applicable mandatory disclosure and consent procedures must be completed.

Circulation compliance (流通合规)

Legal dimension. The data product may not, directly or indirectly, be passed to a third party for use outside the authorised scenario. Products must pass review by the public-data authority. Raw data or products that could be reverse-engineered to recover raw data cannot leave the authorised-operation domain. Products exported from the operating platform cannot be applied, or disguised as being applied, to unapproved use cases.

Security dimension. Before any trading transaction, operators must: conduct a data-trading security risk assessment; apply multi-factor authentication (two or more of: password, cryptographic technology, biometrics) for identity verification; use a secure data transmission channel; and close data-access channels immediately upon delivery.

Integrity dimension. The trading activity must be real, not fictitious. A signed transaction contract must exist; the contract terms must align with the product specification, background, and stated purpose. The operator must provide the exchange with delivery-acceptance documents, payment records, and invoices as evidence of genuine commercial activity. Internal approval, authorisation, and procurement procedures of each transacting party must also be satisfied.

Rights dimension. Where personal information is in circulation, data subjects’ right to be informed — and their right to know how to exercise their information rights — must be protected. The trading activity must have the necessary internal authorisations from both parties and must not breach statutory or contractual obligations owed to third parties.

Why overseas counsel should care

• Market-access gate. Any foreign-invested enterprise, joint venture, or domestic subsidiary that wants to build data products on Chinese government-held data must pass through the authorised-operation model. The compliance obligations described here are the entry conditions for that market, not merely best practice. There is no alternative route to commercialise a government dataset of the kind that would otherwise require a government-procurement or data-sharing arrangement.
• “One scenario, one authorisation” creates real product-scope risk. Because each authorisation is tied to a specific application scenario, a product repurposed to a second use case — even one commercially adjacent to the first — is operating outside authorisation. Enterprises managing multiple product lines built on the same public-data source will need a separate authorisation for each, and the scope review is conducted by the local data bureau, not the exchange.
• Regime is layered and jurisdiction-specific. The national Draft Specifications establish the floor, but Zhejiang, Shanghai, Guangdong, Hangzhou, and Qingdao have each enacted binding local rules with additional or divergent requirements — including, in some cases, a venue restriction requiring that products be listed on the local exchange. Mapping applicable local rules is a prerequisite to compliance structuring.
• The 3×4 framework is becoming the de facto national benchmark. Shenzhen Data Exchange’s model was developed as a local standard and is already cited by multiple other exchanges as a reference. Enterprises advising on data-product trading compliance across multiple Chinese exchange venues should expect to encounter this framework — or its direct derivatives — as the audit checklist.

DCC sources

• Original: 杨浩然 (Yang Haoran), 《DEXC+专栏｜授权运营模式下企业如何合规加工运营和交易公共数据？》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account (source).
• National Data Administration: 公共数据资源授权运营实施规范（试行）（公开征求意见稿） (Public Data Resource Authorized-Operation Implementation Specifications (Trial), public consultation draft).
• National Data Administration: 公共数据资源登记管理暂行办法 (Public Data Resource Registration Management Interim Measures).
• 《中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见》(“数据二十条”) — data-foundation system opinions.
• Shenzhen Data Exchange local standard: DB4403/T《数据交易合规评估规范》(Data Trading Compliance Assessment Specifications).
• 《中共中央办公厅 国务院办公厅关于加快公共数据资源开发利用的意见》(October 2024, Opinions on Accelerating the Development and Utilisation of Public Data Resources).
• Local instruments cited: Shenzhen Special Economic Zone Data Regulations; Shanghai Data Regulations; Guangdong Public Data Management Measures; Hangzhou Public Data Authorized-Operation Trial Implementation Plan; Shijiazhuang Public Data Product Compliance Review Management Measures (consultation draft); Qingdao and Zhejiang authorised-operation rules.

This is an editorial summary, not a translation of Yang Haoran’s piece. Structural framing, section organisation, and operational extrapolations are DCC’s; all factual claims and compliance requirements are grounded in the source text. The disclaimer in the original that the article represents academic opinion and does not constitute formal legal advice applies equally here. Not legal advice.