[Editor to fill: 200-word domain overview.]
Data Security.
数据安全
Data classification and grading, important data, core data, and the broader data security regime under DSL.
The legal corpus.
58 laws.
- CN-SG Joint Guide China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter 中国—新加坡联合数据合规指引:实务手册(中国篇)
- CII Regulations Security Protection Regulations for Critical Information Infrastructure 关键信息基础设施安全保护条例
- RULE Measures for the Security Assessment of Data Export 数据出境安全评估办法
- Data Twenty Opinions Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements 中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见
- RULE Provisions on Promoting and Regulating Cross-border Data Flows 促进和规范数据跨境流动规定
- RULE Data Property Rights Registration Work Guide (Trial) 数据产权登记工作指引(试行)
- REGULATION Regulation on Network Data Security Management 网络数据安全管理条例
- Network Data Risk Assessment Measures Measures for Network Data Security Risk Assessment 网络数据安全风险评估办法
- Data Terms Batch 1 Explanation of Common Terms in the Field of Data (First Batch) 数据领域常用名词解释(第一批)
- Basic Health Care Law Basic Medical and Health Care and Health Promotion Law of the People's Republic of China 中华人民共和国基本医疗卫生与健康促进法
- Data Terms Batch 2 Explanation of Common Terms in the Field of Data (Second Batch) 数据领域常用名词解释(第二批)
- DSL Data Security Law of the People's Republic of China 中华人民共和国数据安全法
- Incident Reporting Measures Measures for the Administration of National Cybersecurity Incident Reporting 国家网络安全事件报告管理办法
- CSL Cybersecurity Law of the People's Republic of China (2025 Amendment) 中华人民共和国网络安全法(2025 修正)
- REGULATION Regulations on the Sharing of Government Data 政务数据共享条例
- Healthcare Data Security & PI Measures Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial) 医疗卫生机构数据安全和个人信息保护管理办法(试行)
- Health & Medical Big Data Measures Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial) 国家健康医疗大数据标准、安全和服务管理办法(试行)
- Healthcare Cybersecurity Measures Measures for the Cybersecurity Management of Healthcare Institutions 医疗卫生机构网络安全管理办法
- Population Health Information Measures Measures for the Administration of Population Health Information (Trial) 人口健康信息管理办法(试行)
- Shenzhen Health Data Measures Shenzhen Health Data Management Measures 深圳市卫生健康数据管理办法
- RULE Measures for the Administration of Data Security in the Energy Industry (Trial) 能源行业数据安全管理办法(试行)
- Industrial Data Security Measures Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) 工业和信息化领域数据安全管理办法(试行)
- PBOC Data Security Measures Measures for the Administration of Data Security in the Business Fields of the People's Bank of China 中国人民银行业务领域数据安全管理办法
- RULE Guide to the Classification and Grading of Energy Industry Data (2026 Edition) 能源行业数据分类分级指南(2026年版)
- Financial Sector Cybersecurity Measures (Draft) Measures for Cybersecurity Management in the Financial Sector (Draft for Comment) 金融业网络安全管理办法(征求意见稿)
- EMR Application Specification Specification for the Application and Administration of Electronic Medical Records (Trial) 电子病历应用管理规范(试行)
- RULE Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (Trial) 工业和信息化领域数据安全风险评估实施细则(试行)
- RULE Measures for the Administration of Data Security in the Field of Natural Resources 自然资源领域数据安全管理办法
- NFRA Banking & Insurance Data Security Measures Measures for the Administration of Data Security of Banking and Insurance Institutions 银行保险机构数据安全管理办法
- EMR Information Use Notice Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions 关于进一步加强医疗机构电子病历信息使用管理的通知
- RULE Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial) 中国银保监会监管数据安全管理办法(试行)
- HGR Regulation Regulation of the People's Republic of China on the Administration of Human Genetic Resources 中华人民共和国人类遗传资源管理条例
- RULE Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial) 工业和信息化领域数据安全事件应急预案(试行)
- HGR Implementing Rules Implementing Rules for the Regulation on the Administration of Human Genetic Resources 人类遗传资源管理条例实施细则
- RULE Notice of the Ministry of Industry and Information Technology on Strengthening the Cybersecurity and Data Security of the Internet of Vehicles 工业和信息化部关于加强车联网网络安全和数据安全工作的通知
- RWD Guiding Principles Guiding Principles for Real-World Data Used to Generate Real-World Evidence (Trial) 用于产生真实世界证据的真实世界数据指导原则(试行)
- Tongfang Management Provisions Provisions on Strengthening the Administration of Prescription-Volume Statistics (Tongfang) in Healthcare Institutions 关于加强医疗卫生机构统方管理的规定
- REGULATION Administrative Measures for Internet Information Services (2024 Revision) 互联网信息服务管理办法(2024 修订)
- CII Commercial Cryptography Provisions Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure 关键信息基础设施商用密码使用管理规定
- Accounting Firms Data Security Measures Interim Measures for the Data Security Management of Accounting Firms 会计师事务所数据安全管理暂行办法
- Data Export Declaration Guide (v3) Guidelines for the Declaration of Data Export Security Assessment (Third Edition) 数据出境安全评估申报指南(第三版)
- Data Security Certification Announcement Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China on Carrying Out Data Security Management Certification 国家市场监督管理总局、国家互联网信息办公室关于开展数据安全管理认证工作的公告
- Shenzhen Data Regulations Shenzhen Special Economic Zone Data Regulations 深圳经济特区数据条例
- MH/T 3038—2025 Technical Requirements for Monitoring and Warning of Data Security in Civil Aviation (MH/T 3038—2025) 民用航空数据安全监测预警技术要求(MH/T 3038—2025)
- Hospital Informatization Standards National Standards and Norms for Hospital Informatization Construction (Trial) 全国医院信息化建设标准与规范(试行)
- STANDARD Implementing Guidelines for the Protection of Customer Data Security in Internet Data Centers 互联网数据中心客户数据安全保护实施指引
- GB/T 43697 Data Security Technology — Rules for Data Classification and Grading (GB/T 43697-2024) 数据安全技术 数据分类分级规则 (GB/T 43697-2024)
- Telemedicine System Technical Guide Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition) 远程医疗信息系统建设技术指南(2014年版)
- GB/T 41479 Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022) 信息安全技术 网络数据处理安全要求 (GB/T 41479-2022)
- GB/T 45577 Data Security Technology — Data Security Risk Assessment Method (GB/T 45577-2025) 数据安全技术 数据安全风险评估方法 (GB/T 45577-2025)
- GB/T 46071 Data Security Technology — Guide to Social Responsibility for Data Security and Personal Information Protection (GB/T 46071-2025) 数据安全技术 数据安全和个人信息保护社会责任指南 (GB/T 46071-2025)
- RULE Interim Measures for the Registration and Administration of Public Data Resources 公共数据资源登记管理暂行办法
- TC260 Data Risk Assessment Guide Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment 网络安全标准实践指南 — 网络数据安全风险评估实施指引
- RULE Implementation Specifications for Authorized Operation of Public Data Resources (Trial) 公共数据资源授权运营实施规范(试行)
- Cybercrime Prevention Law (Draft) Cybercrime Prevention Law (Draft for Public Consultation) 网络犯罪防治法(征求意见稿)
- Cybersecurity Label Measures Measures for the Administration of Cybersecurity Labels 网络安全标识管理办法
- Trade Secret Protection Provisions Provisions on the Protection of Trade Secrets 商业秘密保护规定
- Banking & Insurance Cybersecurity Measures (Draft) Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation) 银行业保险业网络安全管理办法(征求意见稿)
In this domain.
34 briefs.
- § 01 · SECURITY-REVIEW
One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era
With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.
- § 02 · CYBERSECURITY
NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter
The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026.
- § 03 · DATA-PROPERTY-RIGHTS
China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff
On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution.
- § 04 · AI-AGENTS
TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations
On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.
- § 05 · IMPORTANT-DATA
Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'
With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.
- § 06 · RISK-ASSESSMENT
From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law
On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.
- § 07 · DATA-PROPERTY-RIGHTS
Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control
Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control.
- § 08 · DATA-PROPERTY-RIGHTS
Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty
Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it.
- § 09 · DATA-PROPERTY-RIGHTS
When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control
Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy.
- § 10 · DATA-PROPERTY-RIGHTS
Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little
Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.
- § 11 · HEALTH-DATA
China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures
On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.
- § 12 · CRITICAL-INFORMATION-INFRASTRUCTURE
Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules
China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.
- § 13 · JUDICIAL
Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected
A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'
- § 14 · ANONYMIZATION
Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime
Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.
- § 15 · DATA-PROPERTY-RIGHTS
The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework
Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.
- § 16 · ANONYMIZATION
From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative
The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.
- § 17 · AI-GOVERNANCE
Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy
Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.
- § 18 · DATA-ECONOMY
Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'
Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.
- § 19 · ENFORCEMENT
Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine
In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.
- § 20 · AI-AGENTS
Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规
China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.
- § 21 · AI-AGENTS
Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework
Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.
- § 22 · AI-GOVERNANCE
Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI
Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.
- § 23 · DATA-PROPERTY-RIGHTS
NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself
The National Data Administration's official 政策解读 (policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules.
- § 24 · DATA-PROPERTY-RIGHTS
Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical
NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.
- § 25 · DATA-PROPERTY-RIGHTS
Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights
NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.
- § 26 · PUBLIC-DATA
Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack
China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.
- § 27 · DATA-TRADING
Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange
When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient.
- § 28 · SENSITIVE-PERSONAL-INFORMATION
Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice
GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond.
- § 29 · IMPORTANT-DATA
'Important Data' Is a Category, Not a Tier
Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.
- § 30 · CSL
China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed
On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.
- § 31 · IMPORTANT-DATA
How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan
Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.
- § 32 · DATA-FUNDAMENTALS
What Is Data, Really? — A Plain-Language Primer on Rules and Compliance
What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow.
- § 33 · DATA-GOVERNANCE
Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation
Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice.
- § 34 · CROSS-BORDER
FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data
Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.