Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · DSL

Data Security Law of the People's Republic of China.

中华人民共和国数据安全法

Promulgated by: National People’s Congress Standing Committee.
Document No.: Order of the President No. 84.
Adopted at the 29th Session of the Standing Committee of the 13th National People’s Congress on June 10, 2021. Effective September 1, 2021.


Chapter 1 General Provisions

Article 1. In order to regulate data handling activities, ensure data security, promote data exploitation and use, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security and development interests, this Law is enacted.

Article 2. This Law shall apply to data handling activities carried out within the territory of the People’s Republic of China and to the security regulation thereof. Where data handling activities are carried out outside the territory of the People’s Republic of China, which damage the national security or public interest of the People’s Republic of China or the lawful rights and interests of citizens or organizations, legal liability shall be investigated in accordance with the law.

Article 3. For the purposes of this Law, the term “data (records)” refers to any record of information made electronically or by other means. Data handling includes the collection, storage, use, processing, transmission, provision and disclosure of data, among others. Data security refers to the state of effective protection and lawful use of data achieved by taking necessary measures, and the capacity to ensure that such a state of continuous security is maintained.

Article 4. In maintaining data security, the overall national security concept shall be upheld, a sound data security governance system shall be established and improved, and the capacity for safeguarding data security shall be enhanced.

Article 5. The central national security leadership body shall be responsible for decision-making and deliberation and coordination with respect to national data security work, shall study, formulate and guide the implementation of the national data security strategy and relevant major guidelines and policies, shall overall plan and coordinate major matters and important tasks of national data security, and shall establish a data security coordination mechanism at the National level.

Article 6. Each region and each department shall be responsible for the data (records) collected and generated in the course of its work in its respective region and department, and for the security of such data. Departments in charge of industries and sectors such as industry, telecommunications, transport, finance, natural resources, health, education and science and technology shall undertake data security regulatory responsibilities for their respective industries and sectors. Public security organs, state security organs and others shall, in accordance with this Law and relevant Laws and Administrative Regulations, undertake data security regulatory responsibilities within the scope of their respective duties. The national cyberspace administration shall, in accordance with this Law and relevant Laws and Administrative Regulations, be responsible for overall planning and coordination of network data security and related regulatory work.

Article 7. The State shall protect the rights and interests of individuals and organizations related to data (records), encourage the lawful, reasonable and effective exploitation and use of data (records), ensure the lawful, orderly and free flow of data (records), and promote the development of the digital economy in which data (records) are a key factor of production.

Article 8. In carrying out data handling activities, Laws and Administrative Regulations shall be observed, social morality and ethics shall be respected, business ethics and professional ethics shall be observed, honesty and good faith shall be maintained, data security protection obligations shall be performed, social responsibilities shall be assumed, and national security and public interest shall not be jeopardized, nor shall the lawful rights and interests of individuals or organizations be harmed.

Article 9. The State shall support the dissemination and popularization of knowledge on data security, raise the awareness and level of the whole society in protecting data security, and promote the joint participation of relevant departments, industry organizations, research institutions, enterprises and individuals in data security protection work, so as to form a sound environment in which the whole society jointly maintains data security and promotes development.

Article 10. Relevant industry organizations shall, in accordance with their articles of association, formulate in accordance with the law codes of conduct for data security and group standards, strengthen self-discipline in their industries, guide their members in strengthening data security protection, improve data security protection standards, and promote the sound development of their industries.

Article 11. The State shall actively conduct international exchanges and cooperation in the fields of data security governance and data exploitation and use, participate in the formulation of international rules and standards related to data security, and promote the secure and free cross-border flow of data (records).

Article 12. Any individual or organization shall have the right to lodge complaints or reports with the relevant competent departments against acts that violate the provisions of this Law. The departments receiving complaints or reports shall handle them in a timely manner in accordance with the law. The relevant competent departments shall keep confidential the relevant information of the complainants and informants and protect their lawful rights and interests.

Chapter 2 Data Security and Development

Article 13. The State shall coordinate development and security, and shall adhere to the promotion of data security through data exploitation and use and industrial development, and the safeguarding of data exploitation and use and industrial development through data security.

Article 14. The State shall implement a big data strategy, promote the construction of data infrastructure, and encourage and support innovative applications of data (records) in all industries and fields. People’s governments at or above the provincial level shall incorporate the development of the digital economy into the national economic and social development plans at their respective levels, and may, as needed, formulate digital economy development plans.

Article 15. The State shall support the exploitation and use of data (records) to improve the level of intelligence of public services. In providing intelligent public services, the needs of the elderly and persons with disabilities shall be fully taken into account, so as to avoid creating obstacles to the daily life of the elderly and persons with disabilities.

Article 16. The State shall support research into data exploitation and use and data security technologies, encourage the promotion of technologies and commercial innovation in the fields of data exploitation and use and data security, and cultivate and develop systems of products and industries for data exploitation and use and data security.

Article 17. The State shall promote the development of systems of standards for data exploitation and use technologies and for data security. The administrative department of standardization under the State Council and the relevant departments under the State Council shall, according to their respective functions, organize the formulation and timely revision of standards related to data exploitation and use technologies, products and data security. The State shall support enterprises, social organizations and educational and research institutions in participating in standard-setting.

Article 18. The State shall promote the development of services such as data security testing and appraisal and certification, and shall support professional institutions engaging in data security testing and appraisal, certification and other such services in carrying out service activities in accordance with the law. The State shall support relevant departments, industry organizations, enterprises, educational and research institutions and relevant professional institutions in carrying out cooperation in data security risk appraisal, prevention and handling.

Article 19. The State shall establish and improve a data trading governance scheme, regulate data trading activities, and foster a data trading market.

Article 20. The State shall support educational and research institutions and enterprises in conducting education and training related to data exploitation and use technologies and data security, cultivate, through multiple means, professionals in data exploitation and use technologies and data security, and promote the exchange of such professionals.

Chapter 3 Data Security Regime

Article 21. The State shall establish a data tiered protection regime, under which data (records) shall be accorded classified and tiered protection according to the importance of such data (records) to economic and social development and the degree of harm that may be caused to national security or public interest or to the lawful rights and interests of individuals and organizations if such data (records) are tampered with, destroyed, leaked, or illegally obtained or illegally used. The data security coordination mechanism at the National level shall coordinate relevant departments in formulating catalogues of significant data and shall strengthen the protection of significant data. Data (records) related to national security, the lifelines of the national economy, critical livelihoods of the people and major public interest shall fall under national core datasets and shall be subject to a more stringent management regime. Each region and each department shall, in accordance with the data tiered protection regime, determine specific catalogues of significant data for its respective region, department and related industries and sectors, and shall provide key protection for data (records) included in the catalogues.

Article 22. The State shall establish a centralized, unified, efficient and authoritative mechanism for data security risk appraisal, reporting, information sharing and monitoring and early warning. The data security coordination mechanism at the National level shall coordinate relevant departments in strengthening efforts to obtain, analyze, assess and provide early warnings of data security risk information.

Article 23. The State shall establish a data security contingency system. In the event of a data security incident, the relevant competent departments shall, in accordance with the law, initiate contingency plans, take corresponding emergency response measures, prevent the expansion of harm, eliminate security hazards, and promptly release to the public warning information relevant to the public.

Article 24. The State shall establish a data security review framework and conduct national security reviews for data handling activities that affect or might affect national security. Security review decisions lawfully made shall be final decisions.

Article 25. The State shall, in accordance with the law, impose export control on data (records) that fall under controlled items and relate to safeguarding national security and interests and performing international obligations.

Article 26. Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China in respect of investment, trade or other matters related to data (records) and data exploitation and use technologies, the People’s Republic of China may, based on actual circumstances, adopt reciprocal measures against such country or region.

Chapter 4 Obligations for Data Security Protection

Article 27. Those carrying out data handling activities shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve a data security management system covering the whole process, organize and carry out data security education and training, and adopt corresponding technical and other necessary measures to ensure data security. Those carrying out data handling activities by using the Internet and other information networks shall perform the above-mentioned data security protection obligations on the basis of the multilevel cybersecurity protection regime. Handlers of significant data shall designate persons in charge of data security and establish a management body, and shall implement data security protection responsibilities.

Article 28. Data handling activities and research and development of new data technologies shall be conducive to promoting economic and social development, improving the well-being of the people, and conforming to social morality and ethics.

Article 29. In carrying out data handling activities, risk monitoring shall be strengthened. Where risks such as data security defects and vulnerabilities are discovered, remedial measures shall be taken immediately; where a data security incident occurs, handling measures shall be taken immediately, users shall be promptly informed in accordance with the provisions, and reports shall be made to the relevant competent departments.

Article 30. Handlers of significant data shall, in accordance with the provisions, periodically carry out risk appraisal of their data handling activities and shall submit risk appraisal reports to the relevant competent departments. Risk appraisal reports shall include such contents as the types and quantities of significant data handled, the circumstances of data handling activities, the data security risks faced, and the measures taken to address such risks.

Article 31. The outbound security management of significant data collected and generated in the course of operations within the territory of the People’s Republic of China by operators of critical information infrastructure shall be governed by the provisions of the Cybersecurity Law of the People’s Republic of China; the measures for outbound security management of significant data collected and generated in the course of operations within the territory of the People’s Republic of China by other data handlers shall be formulated by the national cyberspace administration in conjunction with the relevant departments under the State Council.

Article 32. Any organization or individual collecting data (records) shall adopt lawful and proper means and shall not steal or obtain data (records) by other illegal means. Where Laws or Administrative Regulations contain provisions on the purposes and scope of the collection and use of data (records), data (records) shall be collected and used within the purposes and scope prescribed by such Laws and Administrative Regulations.

Article 33. Institutions engaging in data trading intermediary services, when providing services, shall require data providers to explain the sources of the data (records), shall verify the identities of both parties to the transaction, and shall retain verification and transaction records.

Article 34. Where Laws or Administrative Regulations provide that administrative licences shall be obtained for the provision of services related to data handling, service providers shall obtain such licences in accordance with the law.

Article 35. Where public security organs or state security organs, for the purpose of lawfully safeguarding national security or investigating crimes, need to obtain data (records), they shall do so in accordance with the relevant provisions of the State, after undergoing strict approval procedures and in accordance with the law, and the relevant organizations and individuals shall cooperate.

Article 36. The competent authorities of the People’s Republic of China shall, in accordance with relevant Laws and the international treaties and agreements to which the People’s Republic of China is a party or in which it participates, or on the basis of the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement authorities for the provision of data (records). Without the approval of the competent authorities of the People’s Republic of China, organizations and individuals within the territory shall not provide data (records) stored within the territory of the People’s Republic of China to foreign judicial or law enforcement authorities.

Chapter 5 Security and Openness of Government Data

Article 37. The State shall vigorously promote the development of e-government, improve the scientificity, accuracy and timeliness of government data (records), and enhance the capacity to use data (records) to serve economic and social development.

Article 38. Where State organs, for the purpose of performing their statutory duties, need to collect and use data (records), they shall do so within the scope of their statutory duties and in accordance with the conditions and procedures prescribed by Laws and Administrative Regulations; data such as personal privacy, personal information, trade secrets and confidential business information learned in the course of performing their duties shall be kept confidential in accordance with the law and shall not be divulged or illegally provided to others.

Article 39. State organs shall, in accordance with the provisions of Laws and Administrative Regulations, establish and improve data security management systems, implement data security protection responsibilities, and ensure the security of government data (records).

Article 40. Where State organs entrust others with the construction and maintenance of e-government systems or the storage and processing of government data (records), they shall undergo strict approval procedures and shall supervise the entrusted parties in performing the corresponding data security protection obligations. The entrusted parties shall, in accordance with the provisions of Laws and Administrative Regulations and the contractual agreements, perform data security protection obligations, and shall not retain, use, divulge or provide government data (records) to others without authorization.

Article 41. State organs shall, in accordance with the principles of justice, fairness and convenience for the people, disclose government data (records) in a timely and accurate manner in accordance with the provisions, except where such data (records) are not to be disclosed in accordance with the law.

Article 42. The State shall formulate catalogues for the openness of government data (records), establish a unified, standardized, interconnected and secure and controllable platform for the openness of government data (records), and promote the openness and use of government data (records).

Article 43. The provisions of this Chapter shall apply to data handling activities carried out by organizations authorized by Laws and Regulations to manage public affairs functions for the purpose of performing their statutory duties.

Article 44. Where, in the course of performing data security regulatory responsibilities, the relevant competent departments discover that data handling activities involve relatively high security risks, they may, in accordance with the prescribed powers and procedures, conduct interviews with the relevant organizations and individuals, and may require the relevant organizations and individuals to take measures to make rectifications and eliminate hidden dangers.

Article 45. Where organizations or individuals carrying out data handling activities fail to perform the data security protection obligations prescribed in Articles 27, 29 and 30 of this Law, the relevant competent departments shall order them to make corrections, issue a warning, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where they refuse to make corrections or where serious consequences such as the leakage of a large amount of data (records) are caused, a fine of not less than 500,000 yuan but not more than 2,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 200,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. Where the management regime for national core datasets is violated and national sovereignty, security and development interests are jeopardized, the relevant competent departments shall impose a fine of not less than 2,000,000 yuan but not more than 10,000,000 yuan and, depending on the circumstances, may order the suspension of relevant business, suspension of operations for rectification, revocation of relevant business permits or revocation of business licences; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

Article 46. Where significant data are provided overseas in violation of the provisions of Article 31 of this Law, the relevant competent departments shall order corrections to be made, issue a warning, and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where the circumstances are serious, a fine of not less than 1,000,000 yuan but not more than 10,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

Article 47. Where an institution engaging in data trading intermediary services fails to perform the obligations prescribed in Article 33 of this Law, the relevant competent departments shall order it to make corrections, confiscate its unlawful gains and impose a fine of not less than one time but not more than ten times the amount of the unlawful gains; where there are no unlawful gains or the unlawful gains are less than 100,000 yuan, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and it may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have its business licence revoked; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

Article 48. Where the provisions of Article 35 of this Law are violated by refusing to cooperate in the retrieval of data (records), the relevant competent departments shall order corrections to be made, issue a warning, and impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons. Where the provisions of Article 36 of this Law are violated by providing data (records) to foreign judicial or law enforcement authorities without the approval of the competent authorities, the relevant competent departments shall issue a warning and may impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and a fine of not less than 10,000 yuan but not more than 100,000 yuan may be imposed on the persons directly in charge and other directly responsible persons; where serious consequences are caused, a fine of not less than 1,000,000 yuan but not more than 5,000,000 yuan shall be imposed, and they may also be ordered to suspend relevant business, suspend operations for rectification, have the relevant business permits revoked or have their business licences revoked, and a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on the persons directly in charge and other directly responsible persons.

Article 49. Where State organs fail to perform the data security protection obligations prescribed by this Law, the persons directly in charge and other directly responsible persons shall be given sanctions in accordance with the law.

Article 50. Where State functionaries performing data security regulatory responsibilities commit dereliction of duty, abuse of power or engage in malpractices for personal gain, they shall be given sanctions in accordance with the law.

Article 51. Where data (records) are stolen or obtained by other illegal means, or data handling activities are carried out to exclude or restrict competition, or the lawful rights and interests of individuals or organizations are harmed, punishment shall be imposed in accordance with the provisions of relevant Laws and Administrative Regulations.

Article 52. Where the provisions of this Law are violated and damage is caused to others, civil liability shall be borne in accordance with the law. Where violations of the provisions of this Law constitute acts violating public security administration, public security administration penalties shall be imposed in accordance with the law; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter 7 Supplementary Provisions

Article 53. Data handling activities involving State secrets shall be governed by the provisions of the Law of the People’s Republic of China on Guarding State Secrets and other Laws and Administrative Regulations. Data handling activities carried out in statistics and archival work, and data handling activities involving personal information, shall also comply with the provisions of relevant Laws and Administrative Regulations.

Article 54. The measures for the protection of military data security shall be formulated separately by the Central Military Commission in accordance with this Law.

Article 55. This Law shall enter into force as of September 1, 2021.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

33 briefs reference this law.

  • § 01 · SECURITY-REVIEW

    One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era

    With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.

    security-review · national-security · cybersecurity-review
  • § 02 · CYBERSECURITY

    NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter

    The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026.

    cybersecurity · financial-sector · critical-information-infrastructure
  • § 03 · DATA-PROPERTY-RIGHTS

    China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff

    On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution.

    data-property-rights · data-registration · data-economy
  • § 04 · AI-AGENTS

    TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations

    On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.

    ai-agents · ai-governance · tc260
  • § 05 · IMPORTANT-DATA

    Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'

    With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.

    important-data · risk-assessment · network-data
  • § 06 · GBT-35273

    From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard

    On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.

    gbt-35273 · personal-information · pipl
  • § 07 · RISK-ASSESSMENT

    From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law

    On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.

    risk-assessment · network-data · data-security
  • § 08 · DATA-PROPERTY-RIGHTS

    Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control

    Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control.

    data-property-rights · parallel-property-rights · derivative-data
  • § 09 · DATA-PROPERTY-RIGHTS

    Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty

    Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it.

    data-property-rights · data-operation-right · data-economy
  • § 10 · DATA-PROPERTY-RIGHTS

    When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control

    Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy.

    data-property-rights · data-use-right · data-economy
  • § 11 · DATA-ECONOMY

    China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline

    According to reporting by Caixin (财新) and 财联社 circulated on 3–5 June 2026, the Shanghai and Shenzhen stock exchanges issued window guidance bringing the entire data-asset ABS (数据资产ABS) business chain to a stop — new filings turned away, approved-but-unissued deals told to pause, even issuance-approved deals told to delay. This halts a category that exploded from roughly 11 issuances raising ~¥4.6bn in 2025 to 21 issuances and ¥15.4bn in the first five months of 2026, with a declared pipeline approaching ¥200bn. The stated trigger is mission drift: pure-data-asset deals are under 2% of the market, while local-government financing vehicles (城投/LGFV) used the loose, fast 'data-asset' label to repackage existing non-standard debt as standardised bonds — data as window-dressing, with no real data cash flow behind it. DCC reads the event, the structural reasons, the three審查 gates the exchanges are expected to harden, and what it means for anyone underwriting, rating, or investing in China data-asset financing.

    data-economy · data-asset-abs · securitisation
  • § 12 · DATA-ECONOMY

    What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not

    The name misleads. A Chinese 'data-asset ABS' (数据资产证券化) is labelled as such when data-pledged collateral exceeds 50% of the asset pool — but the underlying assets that actually generate the repayment cash flow are conventional financial claims: supply-chain receivables, trust-loan beneficiary rights, or finance-lease claims. Data is the collateral, the credit-enhancement, or the pricing-and-monitoring tool — not the cash-flow source. This brief, the second in DCC's data-asset-ABS series, unpacks the mechanism overseas counsel need to price the risk: the four live deal structures (trust-loan, receivables, finance-lease, data-empowerment); the difference between accounting recognition (入表) and legal right-confirmation (确权); and the four legal infirmities that make these deals fragile — unsettled data property rights, the true-sale problem created by data's non-exclusivity, the limits of bankruptcy isolation when asset value depends on the originator's continued operation, and the PIPL/DSL eligibility gates. It reads the flagship deals (平安-如皋, 华鑫-鑫欣, 青岛, 杭州高新金投) for what each actually did.

    data-economy · data-asset-abs · securitisation
  • § 13 · DATA-ECONOMY

    From Collateral to Cash Flow: The 'Secondary Licensing' Model That Would Make Data-Asset ABS Real

    If today's data-asset ABS is '1.0' — data as collateral behind a conventional debt claim — then '2.0' is the version where the data's own cash flow (licensing fees, data-service subscriptions) directly repays the securities, upgrading data from credit-enhancement tool to genuine underlying asset. This third brief in DCC's data-asset-ABS series examines the structure most likely to get there: the 'secondary licensing' (二次许可) model borrowed from intellectual-property ABS, in which a holder exclusively licenses data to an originator for an upfront lump sum, then takes a reverse exclusive licence back and pays periodic fees that become the ABS cash flow — ownership never moving. It maps the obstacles (data's non-exclusivity defeats 'exclusive licence' and 'exclusive possession'; PIPL/DSL cap what can be licensed; valuation is immature), the finance-lease-of-data variant, and the early policy encouragement (Anhui's March 2026 measures endorsing reverse-licensing). The irony the June 2026 halt exposed: regulators want real data cash flow — which is exactly what 2.0 promises but cannot yet deliver at scale.

    data-economy · data-asset-abs · securitisation
  • § 14 · DATA-PROPERTY-RIGHTS

    Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little

    Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.

    data-property-rights · data-holding-right · data-economy
  • § 15 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification
  • § 16 · CRITICAL-INFORMATION-INFRASTRUCTURE

    Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules

    China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.

    critical-information-infrastructure · important-data · data-security
  • § 17 · JUDICIAL

    Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected

    A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'

    judicial · data-property-rights · data-registration
  • § 18 · ANONYMIZATION

    Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime

    Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.

    anonymization · personal-information · data-economy
  • § 19 · DATA-PROPERTY-RIGHTS

    The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework

    Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.

    data-property-rights · data-rights-theory · data-twenty
  • § 20 · ANONYMIZATION

    From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative

    The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.

    anonymization · personal-information · de-identification
  • § 21 · DATA-ECONOMY

    Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'

    Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.

    data-economy · data-broker · data-exchange
  • § 22 · ENFORCEMENT

    Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine

    In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.

    enforcement · samr · platform-liability
  • § 23 · AI-GOVERNANCE

    Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI

    Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.

    ai-governance · open-source · training-data
  • § 24 · PUBLIC-DATA

    Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack

    China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.

    public-data · data-economy · pipl
  • § 25 · IMPORTANT-DATA

    'Important Data' Is a Category, Not a Tier

    Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.

    important-data · dsl · commentary
  • § 26 · FOREIGN-INVESTMENT-SECURITY-REVIEW

    Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export

    Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.

    foreign-investment-security-review · manus · ai-agent
  • § 27 · CSL

    China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed

    On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.

    csl · csl-2025-amendment · ai-governance
  • § 28 · CROSS-BORDER

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

    cross-border · data-sovereignty · mlat
  • § 29 · CROSS-BORDER

    Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

    Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

    cross-border · trusted-data-space · confidential-computing
  • § 30 · IMPORTANT-DATA

    How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

    Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

    important-data · data-classification · cross-border
  • § 31 · DATA-FUNDAMENTALS

    What Is Data, Really? — A Plain-Language Primer on Rules and Compliance

    What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow.

    data-fundamentals · data-governance · compliance-architecture
  • § 32 · DATA-GOVERNANCE

    Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation

    Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice.

    data-governance · terminology · dama
  • § 33 · CROSS-BORDER

    FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

    Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.

    cross-border · important-data · ftz-negative-list
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →