Filed under commentary
Every brief tagged "commentary".
- § 07 · DATA-ECONOMY
Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'
Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.
- § 08 · DATA-PROPERTY-RIGHTS
Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights
Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.
- § 09 · ENFORCEMENT
Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine
In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.
- § 10 · AI-AGENTS
Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规
China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.
- § 11 · AI-AGENTS
Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework
Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.
- § 12 · AI-GOVERNANCE
Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI
Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.