DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 028 · DATA-PROPERTY-RIGHTS

Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights

Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.

Editor’s Note — DCC.

The Data 20 Articles created four data-property concepts: the three rights of the processor (hold / use / operate) and — almost as an afterthought in the policy text — the data source’s right (数据来源者权), the entitlement of the party whose information was collected to obtain or copy and transfer the relevant data. The NDA’s policy interpretation introduced the right in operational vocabulary; this academic piece by Wang Nian provides its doctrinal scaffolding. The piece is also, in DCC’s reading, the most useful single resource for overseas counsel structuring B2B data arrangements with Chinese counterparties: it frames the corporate data portability lever that has no clean Western analog.

The unresolved question

The Data 20 Articles framework allocates three rights — hold, use, operate — to the data processor (the party that collects, processes, and decides means and purposes of data handling). It also says the data source (数据来源者) — the party whose information was collected — has the right to “obtain or copy and transfer” data its participation gave rise to. But the policy text doesn’t say:

  • What kind of right this is — property, contract, statutory, sui generis?
  • How it relates to existing rights — privacy, PI, trade-secret, IP?
  • Who can invoke it — only natural persons (already covered by PIPL)? Or corporate “information subjects” too?
  • What is its scope — only data that identifies the source? Or any data the source’s activity helped generate?

These questions matter because the answer determines whether overseas counsel structuring a B2B data arrangement with a Chinese counterparty can rely on the data-source’s right as a contractual baseline. Wang’s piece reconstructs the doctrinal foundation that the operational rights need.

The “data symbiosis” foundation

Wang’s starting move is to import the concept of co-generated data (共生数据) from the ALI-ELI Data Economy Principles (a joint product of the American Law Institute and the European Law Institute, 2024) and the EU Data Act framework.

The concept’s claim: most operationally significant data is not the product of the processor’s investment alone, nor is it the property of the source alone. It’s the product of joint activity — the processor’s technology + the source’s contribution. Examples:

  • Social platform data — generated by user activity + platform infrastructure.
  • Connected-vehicle data — generated by driver behavior + vehicle sensors.
  • Platform-merchant operational data — generated by merchant transactions + platform observation.
  • Travel data — generated by passenger movement + carrier systems.
  • Industrial robot production data — generated by industrial-process activity + manufacturer telemetry.

In all five examples, neither party can claim sole authorship of the data. The processor’s investment in collection technology is necessary but not sufficient; the source’s participation is the other necessary input. Wang frames this as data symbiosis (数据共生): a joint-creation relationship that produces an interest split both parties hold simultaneously over the same data, with the processor’s interest being primarily proprietary and the source’s interest being primarily relational.

This is the foundation that the Data 20 Articles framework, in Wang’s reading, needs to articulate.

What “source” means — and what it excludes

Wang’s definition: a data source is a subject (natural or legal person) that (a) makes a substantial contribution to data generation and (b) does not in fact hold or control the resulting data.

The two-part test:

Test 1 — Substantial contribution. Three factors:

  • Type of contribution. Wang distinguishes three contribution modes: (i) the source is the subject described or recorded by the data; (ii) the source is the owner / operator / user of an object whose activity is recorded; (iii) the source uses a connected device to collect or provide data.
  • Directness. Where contribution is too indirect (e.g., the source’s data has been so heavily processed that the original contribution is “remote or attenuated”), the source-right does not attach. Wang’s example: a person’s PI becomes anonymized; the original PI subject’s contribution to the anonymized dataset is too attenuated to support a source-right claim.
  • Substitutability. If the same data could be obtained by any other route, the source’s contribution is fungible and the source-right does not attach. The right reflects the source’s non-substitutable role.

Test 2 — Non-control over the data. Even where contribution is substantial, the source-right requires that the source does not actually hold or control the data. Wang’s example: a large flagship e-commerce store has both the technology and the resources to process the data its merchants generate; it is not a “source” under the framework — it is a co-processor. A small or individual-merchant store, by contrast, is a source — it contributes to the data but lacks the technical capacity to control it.

This second test is the structural answer to a question overseas counsel often raise: can a corporate entity be a data source? Wang’s answer: yes, if it lacks practical data control. The framework is not restricted to natural persons in the way PIPL is.

A central counter-argument to creating a separate “data source’s right” is that the source’s interests are already protected by existing rights: privacy, PI, IP, trade secrets. Wang takes this on directly and rejects it on four grounds.

1. The “existing rights” framework misclassifies the source as a passive recorded subject

The “existing rights” view treats the source as the subject of recording — the party whose information is captured. But Wang’s data-symbiosis framework treats the source as a co-creator — an active participant whose contribution co-produces the data. Existing rights protect what the source has (privacy, PI); they don’t recognize what the source did (participate in generation).

2. Existing rights are defensive; the source-right interest is participative

Privacy, trade-secret, and IP rights are primarily negative defensive rights — the right to exclude or prevent improper use. The source’s interest in co-generated data is positive participative — the interest in accessing and using the data the source helped create. The existing-rights framework has no analog to this.

3. Knowledge IP rights protect single-author creation; data-source rights protect co-creation

Copyright and patent rights protect the single-party originator of creative or inventive work. Co-generated data is, by definition, multi-party. The IP model can’t be transposed.

4. The PIPL right of copy and transfer (Article 45) is the closest analog — but limited

PIPL Article 45 establishes the natural person’s right to copy and transfer their personal information. This is conceptually the closest to the Data 20 Articles’ source-right. But there are three structural gaps:

  • PIPL Article 45 applies only to PI; the source-right is broader (any co-generated data).
  • PIPL Article 45 applies only to natural persons; the source-right extends to legal-person sources.
  • PIPL Article 45’s scope is the data identifying or relating to the subject; the source-right’s scope is data the source’s participation contributed to, which is broader.

PIPL is the floor; the source-right is what extends the entitlement past PIPL’s boundaries.

The source-right as a “fair use right”

Having shown that the source-right is not reducible to existing entitlements, Wang articulates its positive content: a fair use right (公平使用权).

Three properties define it:

(a) Contractual, not property. The source-right is not a property right in the data — it is a contractual-relationship right against the specific processor who is symbiotically linked to the source. The source cannot enforce the right against third parties; it can only enforce against the processor it co-created with.

(b) Bundled with content. The right contains a bundle of operational entitlements:

  • Right to be informed (知情权) of how the data is used
  • Right to access (访问权) the data
  • Right to transfer / port (转移权) the data to another processor
  • Right to correct (更正权) inaccuracies
  • Right to delete (删除权) under specified conditions

These mirror PIPL’s individual rights for personal information, generalized to any co-generated data.

(c) Scoped by the “related interest” standard. What data does the right cover? Wang proposes the “related interest” (相关利益) standard: the source’s right extends to data that meaningfully reflects the source’s contribution — even if the data does not directly identify the source. This is the doctrinal answer to the corporate-data-portability question: a merchant operating across e-commerce platforms can invoke the source-right against each platform for the merchant’s operational data — even though the data may not “identify” the merchant in PIPL’s strict sense.

What this tells overseas compliance teams

  • The corporate-data-portability lever is now doctrinally founded. Wang’s framework provides the academic foundation for treating the data-source’s right as a meaningful B2B contracting baseline. Multinationals contracting with Chinese counterparties as either the data source or the data processor should pay attention to how the right is being articulated — it is reshaping the operational defaults for data exchanges, platform partnerships, IoT vendor contracts, and joint-venture data arrangements.

  • Treat the “data source’s right” as PIPL Article 45 generalized. When designing Chinese counterparty contracts, use Article 45’s operational structure (knowledge / access / transfer / correction / deletion) as the template for source-right clauses for non-PI data. The PIPL precedent + Wang’s doctrinal framework + the NDA’s policy interpretation now jointly support that posture.

  • The “related interest” scope is broader than PI scope. Where a multinational’s Chinese affiliate generates operational data on a third-party platform, that data may not be PI under PIPL — but it may still be within the source-right scope as data the affiliate’s contribution generated. Don’t infer no entitlement from “no PI.”

  • The non-control test (Test 2) is the structural threshold for who has the source-right. If your Chinese affiliate has both substantial contribution and substantial data-control capability, it is a co-processor, not a source. The source-right is the right of the less powerful party in the data-symbiosis pair. Map this carefully in joint-venture and SLA contexts where the contribution / control allocation may not align with formal ownership.

  • The “substantiality + non-substitutability” filter rules out fungible inputs. Multinationals worried about source-right claims from every party whose data ever touched a system should note that the doctrinal framework filters out attenuated, fungible, indirect contributions. The right is reserved for parties whose contribution is non-substitutable — the source whose unique participation made the data possible.

The deeper architectural shift Wang’s piece signals: Chinese data law is moving toward a participative (not just consent-based) framework for individual and corporate interests in data. The PI subject’s consent matters; so does the data source’s participation. Where the two coexist (a natural person who both consented to PI processing and contributed to data co-generation), the two rights operate in parallel, with the source-right adding the participative-protection layer PIPL alone doesn’t provide. This is the direction in which downstream rulemaking — including the Data Property Rights Registration Guide draft — is moving.


王年, 数据来源者权利及其实现——基于数据共生的视角 (The Data Source’s Rights and Their Realization — From the Perspective of Data Symbiosis), 《财经法学》Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account, October 28, 2025. Original article (Chinese).

Not legal advice. The above is DCC’s structured summary of Wang’s analysis, with framing for overseas counsel; the data-symbiosis framework, the two-part test for data-source status, and the “fair use right” articulation are Wang’s.
