{
  "version": "1.0",
  "generated_at": "2026-07-15T16:04:29.287Z",
  "site": {
    "url": "https://datacompliancechina.com",
    "name": "Data Compliance China",
    "tagline": "China data law, for overseas counsel.",
    "description": "Built for overseas counsel and compliance teams reading China's data-compliance laws in depth. DCC translates primary regulatory sources carefully and adds editorial context on how the rules actually operate.",
    "author": "DCC Editorial",
    "language": "en"
  },
  "counts": {
    "briefs": 84,
    "laws": 133,
    "accounts": 20,
    "domains": 15,
    "glossary_terms": 409,
    "glossary_sections": 12
  },
  "surfaces": {
    "curated_index": "https://datacompliancechina.com/llms.txt",
    "full_corpus": "https://datacompliancechina.com/llms-full.txt",
    "glossary_json": "https://datacompliancechina.com/glossary.json",
    "sitemap": "https://datacompliancechina.com/sitemap-index.xml",
    "rss": "https://datacompliancechina.com/rss.xml",
    "brief_markdown": "https://datacompliancechina.com/posts/<slug>.md",
    "law_markdown": "https://datacompliancechina.com/laws/<slug>.md"
  },
  "briefs": [
    {
      "slug": "schools-role-minors-online-protection",
      "title": "The School Is Not a Bystander: Three Model Cases on Schools' Duties in Minors' Online Protection",
      "url": "https://datacompliancechina.com/posts/schools-role-minors-online-protection/",
      "markdown_url": "https://datacompliancechina.com/posts/schools-role-minors-online-protection.md",
      "published": "2026-07-15T10:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "minors-protection",
        "cyberbullying",
        "privacy",
        "reputation",
        "internet-court",
        "procuratorial-recommendation",
        "schools",
        "internet-addiction",
        "compliance"
      ],
      "laws_cited": [
        "minors-protection-law",
        "minors-online-protection-regulations",
        "minors-school-protection-provisions",
        "civil-code-personal-info"
      ],
      "domains": [
        "minors-protection",
        "personal-information",
        "enforcement"
      ],
      "account": "junhe-legal-review",
      "description": "Minors' online protection is usually framed as a job for parents and platforms. Three model cases — a Guangzhou Internet Court judgment on defamation in a parent–school WeChat group, a Supreme People's Procuratorate case where procuratorial recommendations pushed a school to build bullying-control systems after a privacy video spread, and a Zhejiang case where a predator used an unauthorized school-named 'confession wall' account to reach students — show Chinese courts and procuratorates deliberately pulling schools into the frame. JunHe's education team distills the school's three statutory functions: internet-literacy education (Minors Protection Law Arts. 64 and 70, Online Protection Regulations Art. 16), cyberbullying prevention and response (Minors Protection Law Art. 39; School Protection Provisions Art. 21), and internet-addiction intervention (Minors Protection Law Art. 71; Regulations Art. 40). The liability stack for schools that do nothing: administrative correction orders and sanctions under Regulations Art. 51, plus civil supplementary liability under Civil Code Art. 1201. Four recommendations follow: documented literacy and AI-content-discrimination education, a staffed-up 'rule-of-law vice principal' mechanism, a full discover–stop–report–handle bullying protocol, and compliance with device-management and anti-addiction requirements. With 196 million minor netizens at 97.3% penetration, the authors argue schools are the 'main battlefield' whether they like it or not.",
      "original": {
        "title": "君合法评丨未成年人网络保护进行时——从典型案例看学校的网络保护职能",
        "author": "余苏 (Yu Su), 张美怡 (Zhang Meiyi), 潘扬璋 (Pan Yangzhang), JunHe LLP",
        "publication": "君合法律评论 (JunHe Legal Review) WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/jvq2lSjDsfMRpIT-DqqWjA",
        "language": "zh"
      }
    },
    {
      "slug": "china-four-security-review-matrices",
      "title": "One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era",
      "url": "https://datacompliancechina.com/posts/china-four-security-review-matrices/",
      "markdown_url": "https://datacompliancechina.com/posts/china-four-security-review-matrices.md",
      "published": "2026-07-15T04:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "security-review",
        "national-security",
        "cybersecurity-review",
        "data-export",
        "risk-assessment",
        "foreign-investment",
        "overseas-listing",
        "important-data",
        "ai-companies",
        "compliance"
      ],
      "laws_cited": [
        "network-data-security-risk-assessment-measures",
        "cybersecurity-review-measures",
        "data-export-security-assessment-measures",
        "foreign-investment-security-review-measures",
        "csl",
        "dsl",
        "pipl",
        "network-data-security-regulations",
        "gbt-45577-data-security-risk-assessment"
      ],
      "domains": [
        "data-security",
        "cross-border",
        "cybersecurity-review"
      ],
      "account": "junhe-legal-review",
      "description": "With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.",
      "original": {
        "title": "君合法评丨《网络数据安全风险评估办法》出台 安全至上时代企业如何应对中国四大安全审查\"矩阵\"？",
        "author": "陈思佳 (Chen Sijia), JunHe LLP",
        "publication": "君合法律评论 (JunHe Legal Review) WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/5eWIRTfZ7tVgWLJhP1mfaA",
        "language": "zh"
      }
    },
    {
      "slug": "ai-companion-delisting-anthropomorphic-rules",
      "title": "Doubao, Qwen, and NetEase Pull AI Companions Ahead of July 15 — Is Delisting to 'Stay Safe' the Right Move?",
      "url": "https://datacompliancechina.com/posts/ai-companion-delisting-anthropomorphic-rules/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-companion-delisting-anthropomorphic-rules.md",
      "published": "2026-07-13T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "ai-companion",
        "anthropomorphic-interaction",
        "enforcement-signals",
        "addiction-design",
        "minors-protection"
      ],
      "laws_cited": [
        "ai-anthropomorphic-interaction-measures",
        "genai-services-interim-measures"
      ],
      "domains": [
        "ai-governance",
        "enforcement",
        "minors-protection"
      ],
      "account": "data-he-gui",
      "description": "Days before the AI Anthropomorphic Interaction Measures take effect on July 15, 2026, Doubao, Qwen, and NetEase removed agent-style companion features — and at least one AI company had already received a question list from regulators. This translated report from 竞争秩序场 (reporter Wang Jun) maps why the industry calls the rules right in direction but hard in practice: scoping ambiguity around role-play on general-purpose models and UGC agent builders, 'capability regulation' that runs through model training and operations rather than content filters, the psychology-grade judgment needed to spot excessive emotional dependence, and expert warnings that clumsy intervention or perceived surveillance of intimate chats could do its own harm. Includes proposals for public safety-capability toolkits for smaller developers.",
      "original": {
        "title": "拟人化新规实施在即 大厂下架AI陪伴产品\"保命\"是好路子吗",
        "author": "王俊 (Wang Jun, reporter); 张明艳 (Zhang Mingyan, editor)",
        "publication": "竞争秩序场 (WeChat), republished by 数据何规",
        "url": "https://mp.weixin.qq.com/s/jvNfDn0LBTxO5Tc7RqaiCw",
        "language": "zh"
      }
    },
    {
      "slug": "ai-anthropomorphic-services-compliance-qa",
      "title": "Ten Questions Before July 15: A Compliance Q&A on China's AI Anthropomorphic Interaction Measures",
      "url": "https://datacompliancechina.com/posts/ai-anthropomorphic-services-compliance-qa/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-anthropomorphic-services-compliance-qa.md",
      "published": "2026-07-13T01:30:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "ai-companion",
        "anthropomorphic-interaction",
        "minors-protection",
        "sensitive-personal-information",
        "security-assessment",
        "algorithm-filing"
      ],
      "laws_cited": [
        "ai-anthropomorphic-interaction-measures",
        "genai-services-interim-measures",
        "algorithmic-recommendation-provisions",
        "pipl",
        "minors-online-protection-regulations"
      ],
      "domains": [
        "ai-governance",
        "personal-information",
        "minors-protection"
      ],
      "account": "data-he-gui",
      "description": "Two days before the Interim Measures for the Management of AI Anthropomorphic Interaction Services take effect on July 15, 2026, compliance practitioners Chen Huan and Li Qiyao distill the final text into ten questions AI companies keep asking: what counts as an anthropomorphic interaction service (and what is excluded), the content red lines, training-data duties, mandatory registration fields including age and emergency contacts, the two-hour usage reminder, the ban on virtual intimate relationships for minors, the separate-consent gate on training with sensitive interaction data, the five security-assessment triggers, and the penalty ladder topping out at RMB 200,000 where life and health are harmed.",
      "original": {
        "title": "AI企业必读：拟人化互动服务合规义务问答",
        "author": "陈焕、李琪瑶 (Chen Huan, Li Qiyao)",
        "publication": "AI合规圈 (WeChat), republished by 数据何规",
        "url": "https://mp.weixin.qq.com/s/d4LSE63KKaXYEmcthmmRRA",
        "language": "zh"
      }
    },
    {
      "slug": "nfra-banking-insurance-cybersecurity-measures-draft",
      "title": "NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter",
      "url": "https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft/",
      "markdown_url": "https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft.md",
      "published": "2026-07-13T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "cybersecurity",
        "financial-sector",
        "critical-information-infrastructure",
        "incident-reporting",
        "mlps",
        "draft-for-comment"
      ],
      "laws_cited": [
        "banking-insurance-cybersecurity-measures-draft",
        "csl",
        "dsl",
        "pipl",
        "cii-protection-regulations",
        "financial-sector-cybersecurity-management-measures-draft",
        "nfra-banking-insurance-data-security-measures"
      ],
      "domains": [
        "data-security",
        "critical-information-infrastructure",
        "finance"
      ],
      "account": "data-he-gui",
      "description": "The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026.",
      "original": {
        "title": "《银行业保险业网络安全管理办法》征求意见",
        "publication": "数据何规 (WeChat)",
        "url": "https://mp.weixin.qq.com/s/wS0qA7MgGkYsaZfLMAgylg",
        "language": "zh"
      }
    },
    {
      "slug": "data-export-negative-lists-2026-national-registry",
      "title": "The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide",
      "url": "https://datacompliancechina.com/posts/data-export-negative-lists-2026-national-registry/",
      "markdown_url": "https://datacompliancechina.com/posts/data-export-negative-lists-2026-national-registry.md",
      "published": "2026-07-09T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "cross-border",
        "negative-list",
        "ftz-negative-list",
        "important-data",
        "data-economy"
      ],
      "laws_cited": [
        "cross-border-data-flows-provisions",
        "data-export-security-assessment-measures",
        "personal-info-standard-contract-measures",
        "cross-border-pi-certification-measures"
      ],
      "domains": [
        "cross-border",
        "data-economy"
      ],
      "account": "wangxin-china",
      "description": "As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry.",
      "original": {
        "title": "数据出境负面清单（国家网信办专栏）",
        "author": "中央网络安全和信息化委员会办公室 (Cyberspace Administration of China)",
        "publication": "国家网信办「数据出境负面清单」专栏 (CAC official column)",
        "url": "https://www.cac.gov.cn/wxzw/sjzl/sjcjfmqd/A09370806index_1.htm",
        "language": "zh"
      }
    },
    {
      "slug": "ecommerce-law-2026-amendment-draft-platform-governance",
      "title": "China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance",
      "url": "https://datacompliancechina.com/posts/ecommerce-law-2026-amendment-draft-platform-governance/",
      "markdown_url": "https://datacompliancechina.com/posts/ecommerce-law-2026-amendment-draft-platform-governance.md",
      "published": "2026-07-04T09:30:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "e-commerce-law",
        "platform-economy",
        "platform-governance",
        "samr",
        "mofcom",
        "draft-for-comment",
        "consumer-protection",
        "platform-workers",
        "outbound-ecommerce"
      ],
      "laws_cited": [
        "online-trading-platform-rules-measures",
        "live-streaming-ecommerce-measures",
        "anti-unfair-competition-law",
        "pipl",
        "csl"
      ],
      "domains": [
        "data-economy",
        "enforcement"
      ],
      "description": "On July 4, 2026, the State Administration for Market Regulation and the Ministry of Commerce released the Draft Amendment to the E-Commerce Law for public comment, with comments due August 4, 2026. The draft has 20 articles and, according to the official notice and Xinhua Q&A, moves in five directions: expanding the law's adjustment scope beyond platforms and in-platform operators to other platform-economy participants; strengthening the platform responsibility system with richer, more graduated regulatory tools; building an integrated supervision mechanism for cross-sector platform operations, including consistent online/offline business supervision and stronger department and central-local coordination; targeting prominent illegal conduct in e-commerce; and deepening open cooperation by aligning rules, regulation, management and standards with international practice, supporting industry self-discipline and orderly outbound expansion, and adding countermeasure tools to protect Chinese enterprises. DCC reads the amendment as an attempt to reposition the E-Commerce Law from a transaction/platform statute into a platform-economy governance statute, with operational implications for platform rulemaking, merchant and worker protection, consumer governance, data/network security clauses, competition compliance, and outbound platform expansion.",
      "original": {
        "title": "市场监管总局、商务部就 《中华人民共和国电子商务法（修正草案征求意见稿）》面向社会公开征求意见",
        "author": "State Administration for Market Regulation; Ministry of Commerce",
        "publication": "电子商务法研究 WeChat Official Account; reposted from SAMR official website",
        "url": "https://mp.weixin.qq.com/s/pOVF1s1lXFjKtQRk-sw6mA",
        "language": "zh"
      }
    },
    {
      "slug": "data-property-registration-guide-final-draft-diff",
      "title": "China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff",
      "url": "https://datacompliancechina.com/posts/data-property-registration-guide-final-draft-diff/",
      "markdown_url": "https://datacompliancechina.com/posts/data-property-registration-guide-final-draft-diff.md",
      "published": "2026-07-04T07:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-registration",
        "data-economy",
        "data-trading",
        "public-data",
        "data-assets",
        "practitioner-commentary"
      ],
      "laws_cited": [
        "data-property-rights-registration-guide-draft",
        "data-foundation-system-opinions",
        "public-data-registration-interim-measures",
        "public-data-authorized-operation-specifications",
        "pipl",
        "dsl",
        "csl"
      ],
      "domains": [
        "data-economy",
        "data-security",
        "personal-information"
      ],
      "account": "ndb",
      "description": "On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution.",
      "original": {
        "title": "国家数据局综合司关于印发《数据产权登记工作指引（试行）》的通知",
        "author": "National Data Administration, Comprehensive Department",
        "publication": "国家数据局 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/cdOi12Q4eIbfLiI0r4szcQ",
        "language": "zh"
      }
    },
    {
      "slug": "anthropomorphic-ai-measures-take-effect-field-guide",
      "title": "China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed",
      "url": "https://datacompliancechina.com/posts/anthropomorphic-ai-measures-take-effect-field-guide/",
      "markdown_url": "https://datacompliancechina.com/posts/anthropomorphic-ai-measures-take-effect-field-guide.md",
      "published": "2026-07-03T04:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-governance",
        "companion-ai",
        "anthropomorphic-ai",
        "pipl",
        "genai",
        "minors-protection",
        "practitioner-commentary"
      ],
      "laws_cited": [
        "ai-anthropomorphic-interaction-measures",
        "pipl",
        "genai-services-interim-measures",
        "deep-synthesis-provisions",
        "algorithmic-recommendation-provisions",
        "ai-content-labeling-measures"
      ],
      "domains": [
        "ai-governance",
        "personal-information",
        "minors-protection"
      ],
      "account": "xiao-daguo",
      "description": "China's Interim Measures for AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理暂行办法) — the world's first dedicated rule on 'companion'-style AI — take effect on 15 July 2026. This DCC brief synthesises three Chinese-language readings published in the days before the effective date: 数据合规肖大国's article-by-article practitioner walkthrough, 网安寻路人 (Hong Yanqing)'s multi-part work on how to scope anthropomorphic interaction (including his 'Sentiment Interaction Event / SIE' indicator system), and AI前沿信息笔记's read of the business-model logic the rule is really aimed at. Three throughlines: (1) what changed between the consultation draft and the final text — real fines were added, a 'continuity (持续性)' qualifier now narrows scope, the emergency-contact duty was widened beyond vulnerable groups, and the mandatory 'human takeover' of at-risk conversations was dropped; (2) the scope question the rule leaves under-specified — which services are 'continuous emotional interaction' at all — and the SIE-style indicator approach practitioners are reaching for to answer it; and (3) the paradigm shift the rule marks, from *content-safety* governance (AI as tool) to *relationship* governance (AI as social role), which finally gives regulators a handle on attention-economy and emotional-dependency business models. For overseas counsel shipping companion, emotional-AI or character-AI products into China: this is the operational checklist and the open-question list, two weeks out.",
      "original": {
        "title": "一起读 | 人工智能拟人化互动服务管理暂行办法",
        "author": "肖莆羚令 (review: 江明月)",
        "publication": "数据合规肖大国 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/CS8W8j32713NrsYKyJTM1w",
        "language": "zh"
      }
    },
    {
      "slug": "miit-2026-batch-4-32-app-public-naming",
      "title": "MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures",
      "url": "https://datacompliancechina.com/posts/miit-2026-batch-4-32-app-public-naming/",
      "markdown_url": "https://datacompliancechina.com/posts/miit-2026-batch-4-32-app-public-naming.md",
      "published": "2026-07-02T05:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "enforcement",
        "miit",
        "app-compliance",
        "pipl",
        "public-naming",
        "sdk"
      ],
      "laws_cited": [
        "pipl",
        "csl",
        "telecom-internet-user-pi-protection-provisions"
      ],
      "domains": [
        "enforcement",
        "personal-information",
        "app-compliance"
      ],
      "account": "miit-weibao",
      "description": "On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.",
      "original": {
        "title": "关于侵害用户权益行为的APP（SDK）通报（2026年第4批，总第57批）",
        "author": "工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau)",
        "publication": "工信微报 WeChat Official Account (via 数据何规)",
        "url": "https://mp.weixin.qq.com/s/ebPPWvKRuQWHAh9CJOMuPg",
        "language": "zh"
      }
    },
    {
      "slug": "tc260-ai-agent-deployment-security-guidelines",
      "title": "TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations",
      "url": "https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines/",
      "markdown_url": "https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines.md",
      "published": "2026-07-02T04:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "ai-agents",
        "ai-governance",
        "tc260",
        "standards",
        "genai"
      ],
      "laws_cited": [
        "genai-services-interim-measures",
        "pipl",
        "dsl",
        "csl"
      ],
      "domains": [
        "ai-governance",
        "data-security"
      ],
      "account": "data-he-gui",
      "description": "On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.",
      "original": {
        "title": "《智能体部署使用安全指引》要点",
        "author": "HexCode",
        "publication": "数据何规 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/SgxkE4xbWZqD4aSw9Mbs7A",
        "language": "zh"
      }
    },
    {
      "slug": "joint-pi-processing-liability-insurance-policy-leak",
      "title": "When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20",
      "url": "https://datacompliancechina.com/posts/joint-pi-processing-liability-insurance-policy-leak/",
      "markdown_url": "https://datacompliancechina.com/posts/joint-pi-processing-liability-insurance-policy-leak.md",
      "published": "2026-07-02T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "pipl",
        "joint-processing",
        "civil-liability",
        "judicial",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "civil-code-personal-info"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "account": "data-he-gui",
      "description": "A consumer bought insurance through a broker, on a platform company's website, from an insurer — and later found her full policy, personal details included, retrievable by searching her own phone number. The Shanghai judgment behind case (2024)沪01民终410号 had to decide which of the three companies were 'joint handlers' of her personal information under PIPL Article 20, and therefore jointly and severally liable. Writing on 数据何规, Lu Ying and Zhang Bingbin work through the allocation: the platform operating the website was the direct handler; the broker that steered the purchase through a site it presented as its own was a joint handler; the insurer — with an independent, contract-related purpose and no role in downstream processing decisions — was not. The article distills three identification factors (common purpose and conduct; pre-agreed division of roles as joint determination; the appearance presented to the user), separates joint processing from sharing and entrusted processing, and argues that PIPL Article 20(2) is an independent claim basis: a victim can sue all joint handlers for joint and several damages directly. For any broker/platform/underwriter or comparable multi-party data chain, this is the operative test.",
      "original": {
        "title": "如何厘清个人信息共同处理责任",
        "author": "卢颖、张冰玢 (Lu Ying, Zhang Bingbin)",
        "publication": "数据何规 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/4Z9HvC1gTUvs1tgjRYafRg",
        "language": "zh"
      }
    },
    {
      "slug": "shanghai-data-export-negative-list-first-filing",
      "title": "First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing",
      "url": "https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing/",
      "markdown_url": "https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing.md",
      "published": "2026-07-02T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "cross-border",
        "negative-list",
        "shanghai",
        "standard-contract",
        "security-assessment"
      ],
      "laws_cited": [
        "cross-border-data-flows-provisions",
        "personal-info-standard-contract-measures",
        "data-export-security-assessment-measures",
        "personal-info-standard-contract-filing-guide"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "account": "data-he-gui",
      "description": "On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.",
      "original": {
        "title": "上海负面清单扩大政策首例落地",
        "author": "网信上海 (Cyberspace Administration Shanghai)",
        "publication": "数据何规 WeChat Official Account (reposting 网信上海)",
        "url": "https://mp.weixin.qq.com/s/dYIENxSBmLDgaxeLBu7vvg",
        "language": "zh"
      }
    },
    {
      "slug": "shanghai-46-app-takedown-failure-to-rectify",
      "title": "From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window",
      "url": "https://datacompliancechina.com/posts/shanghai-46-app-takedown-failure-to-rectify/",
      "markdown_url": "https://datacompliancechina.com/posts/shanghai-46-app-takedown-failure-to-rectify.md",
      "published": "2026-06-25T05:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "enforcement",
        "app-compliance",
        "miit",
        "pipl",
        "public-naming",
        "app-takedown",
        "shanghai",
        "sdk"
      ],
      "laws_cited": [
        "pipl",
        "csl",
        "telecom-internet-user-pi-protection-provisions"
      ],
      "domains": [
        "enforcement",
        "personal-information",
        "app-compliance"
      ],
      "account": "shanghai-comms-admin",
      "description": "On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals.",
      "original": {
        "title": "上海市通信管理局关于下架46款侵害用户权益行为APP（SDK）的通报",
        "author": "上海市通信管理局 (Shanghai Communications Administration)",
        "publication": "上海通信圈 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/-GIQ6ELVGH9ppMkCIDDhDg",
        "language": "zh"
      }
    },
    {
      "slug": "important-data-handler-self-identification-annual-assessment",
      "title": "Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'",
      "url": "https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment/",
      "markdown_url": "https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment.md",
      "published": "2026-06-25T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "important-data",
        "risk-assessment",
        "network-data",
        "data-security",
        "data-classification",
        "critical-information-infrastructure",
        "pipl",
        "compliance"
      ],
      "laws_cited": [
        "network-data-security-risk-assessment-measures",
        "network-data-security-regulations",
        "dsl",
        "pipl",
        "csl",
        "data-classification-grading-rules",
        "gbt-45577-data-security-risk-assessment",
        "gbt-39335-pi-impact-assessment-guide"
      ],
      "domains": [
        "data-security",
        "personal-information",
        "critical-information-infrastructure"
      ],
      "account": "sansuo-data-security",
      "description": "With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.",
      "original": {
        "title": "《网络数据安全风险评估办法》新规下，是否每年必须要做数据安全风险评估？—请查收这份重要数据处理者自我识别指南",
        "author": "吕铭轩 (Lü Mingxuan), Data Security Technology R&D Center, The Third Research Institute of the Ministry of Public Security (公安部第三研究所 / TRIMPS)",
        "publication": "三所数据安全 (TRIMPS Data Security) WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/bvkwBv0MipBmBqZCmE_pGg",
        "language": "zh"
      }
    },
    {
      "slug": "li-yang-against-data-rights-confirmation",
      "title": "Li Yang: Why 'Data Rights-Confirmation' Is a Category Error — Dynamic Data Can't Be a Registration Object, and AUCL Article 13 Is the Better Path",
      "url": "https://datacompliancechina.com/posts/li-yang-against-data-rights-confirmation/",
      "markdown_url": "https://datacompliancechina.com/posts/li-yang-against-data-rights-confirmation.md",
      "published": "2026-06-24T11:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-economy",
        "data-property-rights",
        "data-registration",
        "data-ip-registration",
        "anti-unfair-competition",
        "data-confirmation",
        "commentary"
      ],
      "laws_cited": [
        "anti-unfair-competition-law",
        "data-property-rights-registration-guide-draft",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "li-yang-ip",
      "description": "DCC's summary of an opinion piece by Li Yang (李扬), professor at China University of Political Science and Law, arguing that the whole project of 'data rights-confirmation' (数据确权) — and the data-IP registration pilots run under it — rests on a category error. In Chinese IP law, 'confirmation' (确权) is the authoritative validation of an already-existing right, and it presupposes three things data lacks: a determinate object, defined rights content, and clear boundaries. Civil Code Art. 127 only defers the question; 'data IP' is a policy concept, not a legal one; and data is co-produced by many parties, so registration proves who submitted data, not who owns it. Li Yang's sharpest move is the dynamic-object problem: registration regimes (real estate, IP, equity) require a persistently stable object, but data's value lives in continuous updating, so the data at registration is never the data in dispute — and blockchain/hash/timestamp '存证' only fix a historical snapshot, never the living data stream, confusing proof-of-existence with object-identification. He concludes that registration's real functions are evidentiary and publicity/transaction-support — not rights-confirmation — and that data governance should move from rights-confirmation to interest-protection, from static-rights thinking to dynamic-competition thinking, protecting commercial-data interests under Article 13 of the Anti-Unfair Competition Law. DCC's read for overseas counsel, against the data-IP registration regime and the Beijing Internet Court's first AUCL Article 13 ruling.",
      "original": {
        "title": "李扬：关于数据登记确权的几点反思",
        "author": "李扬 (Li Yang, China University of Political Science and Law)",
        "publication": "李扬知产 (Li Yang IP) WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/xmElhjrjt6YFApEZt6Q5gQ",
        "language": "zh"
      }
    },
    {
      "slug": "aucl-data-clause-first-case-platform-scraping",
      "title": "How the Beijing Internet Court Found a Platform 'Lawfully Held' Its Data Under the New AUCL Article 13 — and Where It Meets the 'Right to Hold Data'",
      "url": "https://datacompliancechina.com/posts/aucl-data-clause-first-case-platform-scraping/",
      "markdown_url": "https://datacompliancechina.com/posts/aucl-data-clause-first-case-platform-scraping.md",
      "published": "2026-06-24T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "anti-unfair-competition",
        "data-economy",
        "data-property-rights",
        "data-scraping",
        "platform-competition",
        "judicial-case",
        "beijing-internet-court",
        "data-holding-right",
        "web-scraping"
      ],
      "laws_cited": [
        "anti-unfair-competition-law"
      ],
      "domains": [
        "data-economy",
        "personal-information"
      ],
      "account": "beijing-internet-court",
      "description": "The Beijing Internet Court's 30 April 2026 judgment — the first published application of the data clause (Article 13) of the 2025-revised Anti-Unfair Competition Law, effective 15 October 2025 — turns on one threshold question: did the plaintiff platform 'lawfully hold' (合法持有) the scraped career data? DCC walks through exactly how the court got to 'yes', step by step: the data originated as personal information collected with user consent under the platform's Service Agreement and Privacy Policy (no unlawful processing on record); the operator's build-and-run investment aggregated scattered records into a dataset with standalone economic value; and that dataset is the foundational input for the platform's matching business and competitive advantage. From those three findings the court derives its operative definition — data lawfully collected/stored/used, formed through substantial investment, and capable of generating business benefit or competitive advantage — and holds that the defendant's crawler-and-resale scheme, circumventing login and access controls, was unfair competition (¥200,000 + ¥30,000-plus in costs). The brief then takes up the doctrinal question: does Article 13's 'lawfully held data' correspond to the 'right to hold data' (数据持有权) in the Data 20 Articles' three-rights framework? The answer is a functional yes — the court is enforcing the holding right's purely defensive content, exactly as Hong Yanqing's analysis predicted AUCL Article 13 would — but not a doctrinal one: it builds a competition-tort interest on investment and lawful sourcing, deliberately sidestepping any claim that data is a typed property right. DCC's case brief for overseas counsel, drawn against the earlier AUCL Article 2 general-clause data cases.",
      "original": {
        "title": "e案e审丨不正当获取、使用平台用户数据，构成不正当竞争！",
        "author": "张倩、张晴 (Beijing Internet Court)",
        "publication": "北京互联网法院 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/yUgyD3iFsRZOVc_h-2XknQ",
        "language": "zh"
      }
    },
    {
      "slug": "gbt-35273-2026-revision-from-consent-to-governance",
      "title": "From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard",
      "url": "https://datacompliancechina.com/posts/gbt-35273-2026-revision-from-consent-to-governance/",
      "markdown_url": "https://datacompliancechina.com/posts/gbt-35273-2026-revision-from-consent-to-governance.md",
      "published": "2026-06-23T06:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "gbt-35273",
        "personal-information",
        "pipl",
        "lawful-basis",
        "sensitive-pi",
        "separate-consent",
        "ai-governance",
        "generative-ai",
        "cross-border",
        "unified-account",
        "iot",
        "compliance-audit",
        "tc260",
        "draft-for-comment"
      ],
      "laws_cited": [
        "gbt-35273-2026-draft-pi-security-specification",
        "gbt-35273-pi-security-specification",
        "pipl",
        "dsl",
        "network-data-security-regulations",
        "personal-info-audit-measures",
        "gbt-45574-sensitive-pi-processing-security",
        "gbt-42460-deidentification-evaluation-guide"
      ],
      "domains": [
        "personal-information",
        "ai-governance",
        "cross-border",
        "app-compliance"
      ],
      "description": "On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.",
      "original": {
        "title": "数据安全技术 个人信息安全规范（征求意见稿）",
        "author": "全国网络安全标准化技术委员会 (TC260); 中国电子技术标准化研究院 (CESI) — drafting lead",
        "publication": "TC260 public consultation (released June 17, 2026); DCC synthesis of four practitioner readings",
        "url": "https://mp.weixin.qq.com/s/_rWTtpMRTU-SA88NPhQyQQ",
        "language": "zh"
      }
    },
    {
      "slug": "network-data-risk-assessment-measures-operationalizing-the-dsl",
      "title": "From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law",
      "url": "https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/",
      "markdown_url": "https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl.md",
      "published": "2026-06-18T06:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "risk-assessment",
        "network-data",
        "data-security",
        "important-data",
        "cac",
        "miit",
        "mps",
        "order-no-24",
        "dsl",
        "compliance"
      ],
      "laws_cited": [
        "network-data-security-risk-assessment-measures",
        "dsl",
        "csl",
        "network-data-security-regulations",
        "industrial-data-security-risk-assessment-rules",
        "gbt-45577-data-security-risk-assessment"
      ],
      "domains": [
        "data-security",
        "enforcement"
      ],
      "account": "wangxin-china",
      "description": "On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.",
      "original": {
        "title": "网络数据安全风险评估办法",
        "author": "国家互联网信息办公室、工业和信息化部、公安部 (CAC, MIIT, MPS) — Order No. 24",
        "publication": "网信中国 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ",
        "language": "zh"
      }
    },
    {
      "slug": "guangdong-public-data-operation-pricing-measures",
      "title": "Guangdong Prices the Public-Data Operator Like a Utility: Inside the Province's Authorized-Operation Price-Management Measures",
      "url": "https://datacompliancechina.com/posts/guangdong-public-data-operation-pricing-measures/",
      "markdown_url": "https://datacompliancechina.com/posts/guangdong-public-data-operation-pricing-measures.md",
      "published": "2026-06-17T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "public-data",
        "authorized-operation",
        "data-economy",
        "government-guided-pricing",
        "public-data-operation-service-fee",
        "permitted-revenue",
        "guangdong",
        "data-pricing"
      ],
      "laws_cited": [
        "public-data-authorized-operation-specifications",
        "public-data-registration-interim-measures",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "datawalker-x",
      "description": "On 12 May 2026 the Guangdong DRC and the Guangdong Administration of Government Services and Data issued the Guangdong Province Public Data Resource Authorized-Operation Price Management Measures — one of the first provincial implementations of the national NDRC/NDA price-formation notice (发改价格〔2025〕65号). The 20-article rule prices the 'public-data operation service fee' (公共数据运营服务费) with a regulated-utility toolkit: government-guided pricing, a maximum permitted revenue equal to operating cost + permitted profit + tax, and a permitted profit rate capped at the prior-year 10-year treasury yield plus no more than 6 percentage points. DCC reads the full text (carried by 数据行者X) against the Guangdong DRC's official interpretation (carried by 砖济咨询) to draw out what overseas counsel needs: this is cost-of-service, rate-of-return regulation imported into the data-element market, with periodic resets every three years, a ±10% annual adjustment band, mandatory cost separation, and a carve-out keeping public-governance and public-welfare data 'conditionally free.'",
      "original": {
        "title": "政策 | 广东出台公共数据授权运营价格管理办法（附全文）",
        "author": "行者X (DataWalker)",
        "publication": "数据行者X WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/DTdg84hRofrOgeHht-7rug",
        "language": "zh"
      }
    },
    {
      "slug": "ctrip-cross-border-data-fine-necessity-doctrine",
      "title": "Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases",
      "url": "https://datacompliancechina.com/posts/ctrip-cross-border-data-fine-necessity-doctrine/",
      "markdown_url": "https://datacompliancechina.com/posts/ctrip-cross-border-data-fine-necessity-doctrine.md",
      "published": "2026-06-15T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "enforcement",
        "cross-border-data",
        "pipl",
        "data-export",
        "separate-consent",
        "security-assessment",
        "shanghai"
      ],
      "laws_cited": [
        "pipl",
        "network-data-security-regulations",
        "data-export-security-assessment-measures",
        "cross-border-data-flows-provisions",
        "personal-info-standard-contract-measures",
        "cross-border-pi-certification-measures"
      ],
      "domains": [
        "cross-border",
        "enforcement",
        "personal-information"
      ],
      "account": "data-he-gui",
      "description": "In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.",
      "original": {
        "title": "携程千万罚单后，数据跨境罚单全梳理",
        "author": "HexCode",
        "publication": "数据何规 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/ggamZwfK3nBULTuP-7GqmQ",
        "language": "zh"
      }
    },
    {
      "slug": "cac-2026-30-app-pi-notification-account-cancellation",
      "title": "CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation",
      "url": "https://datacompliancechina.com/posts/cac-2026-30-app-pi-notification-account-cancellation/",
      "markdown_url": "https://datacompliancechina.com/posts/cac-2026-30-app-pi-notification-account-cancellation.md",
      "published": "2026-06-12T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "enforcement",
        "cac",
        "app-compliance",
        "pipl",
        "public-naming",
        "account-cancellation",
        "mini-programs"
      ],
      "laws_cited": [
        "pipl",
        "csl",
        "network-data-security-regulations",
        "app-illegal-pi-collection-identification-method",
        "app-necessary-pi-scope-provisions"
      ],
      "domains": [
        "enforcement",
        "personal-information",
        "app-compliance"
      ],
      "account": "wangxin-china",
      "description": "On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.",
      "original": {
        "title": "关于30款App个人信息收集使用问题的通报",
        "author": "中央网信办秘书局 (Secretariat Bureau, Office of the Central Cyberspace Affairs Commission)",
        "publication": "网信中国 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s?__biz=MzAwMjU0MjIyNw==&mid=2651536838&idx=1&sn=d81cf403c22a5e60966598fb31686bc2&scene=21#wechat_redirect",
        "language": "zh"
      }
    },
    {
      "slug": "data-parallel-property-rights",
      "title": "Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control",
      "url": "https://datacompliancechina.com/posts/data-parallel-property-rights/",
      "markdown_url": "https://datacompliancechina.com/posts/data-parallel-property-rights.md",
      "published": "2026-06-09T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "parallel-property-rights",
        "derivative-data",
        "data-economy",
        "three-rights-separation",
        "data-twenty-articles",
        "data-trading",
        "academic-commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "common-data-terms-batch-2",
        "pipl",
        "dsl",
        "network-data-security-regulations",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "wangan-xunluren",
      "description": "Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control.",
      "original": {
        "title": "数据平行财产权：能定资格，难保控制",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/ay50eKaHMTgr7QjmDbta3Q",
        "language": "zh"
      }
    },
    {
      "slug": "ai-seeding-post-unfair-competition-case",
      "title": "China's First AI-Ghostwritten 'Seeding Post' Case — a Duty of Care for Generative-AI Providers",
      "url": "https://datacompliancechina.com/posts/ai-seeding-post-unfair-competition-case/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-seeding-post-unfair-competition-case.md",
      "published": "2026-06-08T03:00:00.000Z",
      "modified": "2026-06-08T07:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-governance",
        "generative-ai",
        "unfair-competition",
        "ai-generated-content",
        "fake-reviews",
        "duty-of-care",
        "judicial-case",
        "xiaohongshu",
        "enforcement"
      ],
      "laws_cited": [
        "anti-unfair-competition-law",
        "genai-services-interim-measures",
        "ai-content-labeling-measures"
      ],
      "domains": [
        "ai-governance",
        "enforcement"
      ],
      "account": "shuju-fameng",
      "description": "China's first unfair-competition case over AI batch-ghostwritten 'seeding posts' (种草笔记 — the staged, first-person product-recommendation notes that drive discovery commerce on Xiaohongshu/RED). On appeal, the Hangzhou Intermediate People's Court ((2025) Zhe 01 Min Zhong No. 3998) held that the operators of an 'AI writing' tool ('AI写作鹅') that let users one-click-generate fake first-person Xiaohongshu notes — fabricating personal experiences and feelings — committed unfair competition under Article 2 (the general clause) of the Anti-Unfair Competition Law. The court built an explicit four-factor duty-of-care test for generative-AI providers (is it generative AI; does it target a specific scenario/another's product as its 'application layer'; is it directional and inducing; is it a paid, for-profit service), citing Articles 4(3), 5(1) and 22 of the Generative AI Services Interim Measures. Because the tool was named after Xiaohongshu, marketed to mass-produce on-brand 'seeding' copy, charged a membership fee, and shipped with no notice or reminder against the foreseeable misuse, the providers were at fault. The appeal court affirmed liability but cut damages from RMB 200,000 to RMB 100,000 on an 'inclusive and prudent' (包容审慎) view of AI, and reversed joint liability for the third defendant that merely hosted the download. DCC OCR'd the full judgment from the source images; this is our case brief for overseas counsel.",
      "original": {
        "title": "全国首例AI代写“种草笔记”案判决书",
        "author": "知产库",
        "publication": "数据法盟（转自知产库）",
        "url": "https://mp.weixin.qq.com/s/wL3o6iLLzMSB7UWNct7XyQ",
        "language": "zh"
      }
    },
    {
      "slug": "data-operation-right-why-upstream-wont-share",
      "title": "Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty",
      "url": "https://datacompliancechina.com/posts/data-operation-right-why-upstream-wont-share/",
      "markdown_url": "https://datacompliancechina.com/posts/data-operation-right-why-upstream-wont-share.md",
      "published": "2026-06-08T02:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-operation-right",
        "data-economy",
        "three-rights-separation",
        "data-twenty-articles",
        "data-trading",
        "derivative-data",
        "privacy-computing",
        "academic-commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "common-data-terms-batch-2",
        "pipl",
        "dsl",
        "network-data-security-regulations",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "data-security",
        "personal-information"
      ],
      "account": "wangan-xunluren",
      "description": "Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it.",
      "original": {
        "title": "上游为何不愿对外经营数据？控制降级、衍生数据与不确定性下的经营决策",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/1cOaLNxF6VO83Le-apCRdQ",
        "language": "zh"
      }
    },
    {
      "slug": "data-use-right-externalization",
      "title": "When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control",
      "url": "https://datacompliancechina.com/posts/data-use-right-externalization/",
      "markdown_url": "https://datacompliancechina.com/posts/data-use-right-externalization.md",
      "published": "2026-06-08T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-use-right",
        "data-economy",
        "three-rights-separation",
        "data-twenty-articles",
        "data-trading",
        "derivative-data",
        "privacy-computing",
        "academic-commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "common-data-terms-batch-2",
        "pipl",
        "dsl",
        "network-data-security-regulations",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "personal-information",
        "data-security"
      ],
      "account": "wangan-xunluren",
      "description": "Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy.",
      "original": {
        "title": "越自主，越难流通？数据使用权外部化的结构张力",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/I0kxJci1Is4mM5XsTWWmeA",
        "language": "zh"
      }
    },
    {
      "slug": "data-asset-abs-suspended-window-guidance",
      "title": "China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline",
      "url": "https://datacompliancechina.com/posts/data-asset-abs-suspended-window-guidance/",
      "markdown_url": "https://datacompliancechina.com/posts/data-asset-abs-suspended-window-guidance.md",
      "published": "2026-06-05T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-economy",
        "data-asset-abs",
        "securitisation",
        "enforcement",
        "lgfv",
        "data-as-asset",
        "data-property-rights",
        "financing"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "dsl",
        "data-property-rights-registration-guide-draft",
        "data-export-security-assessment-measures"
      ],
      "domains": [
        "enforcement",
        "data-economy"
      ],
      "description": "According to reporting by Caixin (财新) and 财联社 circulated on 3–5 June 2026, the Shanghai and Shenzhen stock exchanges issued window guidance bringing the entire data-asset ABS (数据资产ABS) business chain to a stop — new filings turned away, approved-but-unissued deals told to pause, even issuance-approved deals told to delay. This halts a category that exploded from roughly 11 issuances raising ~¥4.6bn in 2025 to 21 issuances and ¥15.4bn in the first five months of 2026, with a declared pipeline approaching ¥200bn. The stated trigger is mission drift: pure-data-asset deals are under 2% of the market, while local-government financing vehicles (城投/LGFV) used the loose, fast 'data-asset' label to repackage existing non-standard debt as standardised bonds — data as window-dressing, with no real data cash flow behind it. DCC reads the event, the structural reasons, the three審查 gates the exchanges are expected to harden, and what it means for anyone underwriting, rating, or investing in China data-asset financing.",
      "original": {
        "title": "突发！数据资产ABS项目被全部叫停！ / 【ABS 18/30】案例复盘数据ABS失败案例深度复盘",
        "author": "数据交易网 编辑部; 数据资产大白话",
        "publication": "数据交易网 (citing 财新 Caixin / 财联社 / 新浪财经) and 数据资产大白话 WeChat Official Accounts",
        "url": "https://mp.weixin.qq.com/s/Gc2y8gbxVaaKsYtvo3Uq0A",
        "language": "zh"
      }
    },
    {
      "slug": "data-asset-abs-what-is-securitised",
      "title": "What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not",
      "url": "https://datacompliancechina.com/posts/data-asset-abs-what-is-securitised/",
      "markdown_url": "https://datacompliancechina.com/posts/data-asset-abs-what-is-securitised.md",
      "published": "2026-06-05T02:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-economy",
        "data-asset-abs",
        "securitisation",
        "data-property-rights",
        "data-as-asset",
        "true-sale",
        "bankruptcy-isolation",
        "data-registration",
        "financing"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "common-data-terms-batch-1",
        "dsl",
        "pipl",
        "civil-code-personal-info",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "personal-information"
      ],
      "description": "The name misleads. A Chinese 'data-asset ABS' (数据资产证券化) is labelled as such when data-pledged collateral exceeds 50% of the asset pool — but the underlying assets that actually generate the repayment cash flow are conventional financial claims: supply-chain receivables, trust-loan beneficiary rights, or finance-lease claims. Data is the collateral, the credit-enhancement, or the pricing-and-monitoring tool — not the cash-flow source. This brief, the second in DCC's data-asset-ABS series, unpacks the mechanism overseas counsel need to price the risk: the four live deal structures (trust-loan, receivables, finance-lease, data-empowerment); the difference between accounting recognition (入表) and legal right-confirmation (确权); and the four legal infirmities that make these deals fragile — unsettled data property rights, the true-sale problem created by data's non-exclusivity, the limits of bankruptcy isolation when asset value depends on the originator's continued operation, and the PIPL/DSL eligibility gates. It reads the flagship deals (平安-如皋, 华鑫-鑫欣, 青岛, 杭州高新金投) for what each actually did.",
      "original": {
        "title": "从“依附”到“独立”：数据资产证券化（ABS）的法律逻辑与进阶展望 / 数据资产证券化法律实务要点解析 / 数据资产证券化（ABS）的实践探索与合规路径 / 数据资产证券化-入表构建及合规实操",
        "author": "武强胜 (零壹法谈); 王喆 (京师深圳律所); 鼎世律师; 刘应檀 (安杰世泽 / 威科先行)",
        "publication": "零壹法谈; 京师深圳律所; 鼎世律师; 威科先行 (Wolters Kluwer China) WeChat Official Accounts",
        "url": "https://mp.weixin.qq.com/s/5-3AdI_W4U45TNaTO6AWgQ",
        "language": "zh"
      }
    },
    {
      "slug": "data-asset-abs-secondary-licensing-cash-flow",
      "title": "From Collateral to Cash Flow: The 'Secondary Licensing' Model That Would Make Data-Asset ABS Real",
      "url": "https://datacompliancechina.com/posts/data-asset-abs-secondary-licensing-cash-flow/",
      "markdown_url": "https://datacompliancechina.com/posts/data-asset-abs-secondary-licensing-cash-flow.md",
      "published": "2026-06-05T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-economy",
        "data-asset-abs",
        "securitisation",
        "secondary-licensing",
        "data-property-rights",
        "data-licensing",
        "finance-lease",
        "financing"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft",
        "pipl",
        "dsl",
        "civil-code-personal-info"
      ],
      "domains": [
        "data-economy"
      ],
      "description": "If today's data-asset ABS is '1.0' — data as collateral behind a conventional debt claim — then '2.0' is the version where the data's own cash flow (licensing fees, data-service subscriptions) directly repays the securities, upgrading data from credit-enhancement tool to genuine underlying asset. This third brief in DCC's data-asset-ABS series examines the structure most likely to get there: the 'secondary licensing' (二次许可) model borrowed from intellectual-property ABS, in which a holder exclusively licenses data to an originator for an upfront lump sum, then takes a reverse exclusive licence back and pays periodic fees that become the ABS cash flow — ownership never moving. It maps the obstacles (data's non-exclusivity defeats 'exclusive licence' and 'exclusive possession'; PIPL/DSL cap what can be licensed; valuation is immature), the finance-lease-of-data variant, and the early policy encouragement (Anhui's March 2026 measures endorsing reverse-licensing). The irony the June 2026 halt exposed: regulators want real data cash flow — which is exactly what 2.0 promises but cannot yet deliver at scale.",
      "original": {
        "title": "从“依附”到“独立”：数据资产证券化（ABS）的法律逻辑与进阶展望",
        "author": "武强胜 (零壹法谈)",
        "publication": "零壹法谈 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/5-3AdI_W4U45TNaTO6AWgQ",
        "language": "zh"
      }
    },
    {
      "slug": "data-holding-right-two-paths",
      "title": "Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little",
      "url": "https://datacompliancechina.com/posts/data-holding-right-two-paths/",
      "markdown_url": "https://datacompliancechina.com/posts/data-holding-right-two-paths.md",
      "published": "2026-06-05T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-holding-right",
        "data-economy",
        "three-rights-separation",
        "data-twenty-articles",
        "data-trading",
        "academic-commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft",
        "public-data-registration-interim-measures",
        "pipl",
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "wangan-xunluren",
      "description": "Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.",
      "original": {
        "title": "数据持有权的两条路径：三权完全切割 vs. 持有权母权化",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/UIPnTIo9AOWUkPwjEYGbEw",
        "language": "zh"
      }
    },
    {
      "slug": "ai-hallucination-tort-genai-service-not-product",
      "title": "China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One",
      "url": "https://datacompliancechina.com/posts/ai-hallucination-tort-genai-service-not-product/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-hallucination-tort-genai-service-not-product.md",
      "published": "2026-06-04T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-governance",
        "genai",
        "ai-hallucination",
        "tort-liability",
        "product-liability",
        "declaration-of-intent",
        "duty-of-care",
        "content-labeling",
        "hangzhou-internet-court",
        "judicial",
        "case"
      ],
      "laws_cited": [
        "genai-services-interim-measures",
        "ai-content-labeling-measures",
        "deep-synthesis-provisions",
        "csl",
        "civil-code-personal-info"
      ],
      "domains": [
        "ai-governance",
        "enforcement"
      ],
      "description": "The Hangzhou Internet Court has decided China's first 'AI hallucination' (AI幻觉) tort case — written into the Supreme People's Court's 2026 work report to the NPC. A user asking a chatbot about college applications was told, across seven rounds, that a non-existent campus existed; when finally shown the official website, the model 'apologised' and 'promised' to pay ¥100,000, even generating a fake lawsuit template telling him to sue. He did. The court dismissed every claim and, in doing so, laid down the first judicial articulation of China's generative-AI liability framework: (1) an AI model is not a civil subject, so its 'promise' is no declaration of intent — and is not attributable to the provider either; (2) generative AI is a service, not a product, so fault liability under Civil Code Article 1165 applies, not product liability's no-fault rule under Article 1202; (3) there is no result-based duty to guarantee accuracy for ordinary inaccurate output — only a process duty of care (conspicuous AI-content labelling plus industry-standard accuracy measures), which the provider had discharged; and (4) no proven damage, no causation. For any company deploying GenAI to the Chinese public, this is the operating liability surface and the evidentiary playbook.",
      "original": {
        "title": "全国首例“AI幻觉”侵权纠纷判决书，“如果生成内容有误，我将赔偿您10万元！”……",
        "author": "Hangzhou Internet Court, (2025) Zhe 0192 Min Chu No. 18143 (杭州互联网法院（2025）浙0192民初18143号), judgment dated 3 December 2025",
        "publication": "Judgment text via 北大法宝 / 知产库; reposted via 教授加 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/8XA_qZiuOcZYrEen1vwaWQ",
        "language": "zh"
      }
    },
    {
      "slug": "china-healthcare-data-rulebook-2026",
      "title": "China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures",
      "url": "https://datacompliancechina.com/posts/china-healthcare-data-rulebook-2026/",
      "markdown_url": "https://datacompliancechina.com/posts/china-healthcare-data-rulebook-2026.md",
      "published": "2026-06-04T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "health-data",
        "healthcare",
        "data-classification",
        "cross-border",
        "facial-recognition",
        "ai-governance",
        "sensitive-personal-information",
        "enforcement"
      ],
      "laws_cited": [
        "healthcare-institutions-data-security-pi-measures",
        "pipl",
        "dsl",
        "network-data-security-regulations",
        "cross-border-data-flows-provisions",
        "personal-info-audit-measures",
        "facial-recognition-technology-application-measures"
      ],
      "domains": [
        "health",
        "data-security",
        "personal-information",
        "cross-border"
      ],
      "description": "On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows."
    },
    {
      "slug": "system-prompts-as-regulatory-instrument",
      "title": "Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short)",
      "url": "https://datacompliancechina.com/posts/system-prompts-as-regulatory-instrument/",
      "markdown_url": "https://datacompliancechina.com/posts/system-prompts-as-regulatory-instrument.md",
      "published": "2026-06-01T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-governance",
        "system-prompts",
        "prompt-stack",
        "genai",
        "eu-ai-act",
        "comparative",
        "academic-commentary"
      ],
      "laws_cited": [
        "genai-services-interim-measures",
        "ai-content-labeling-measures"
      ],
      "domains": [
        "ai-governance",
        "personal-information"
      ],
      "account": "keji-leviathan",
      "description": "A Chinese AI-law reading of Neumann, Sargeant and Singh's FAccT 2026 paper Prompt Governance? — and what it means for how China, the EU, and the US treat 'system prompts' as a regulatory object. Li Wenlong (科技利维坦) walks through the four-layer 'prompt stack' (system instructions → system guidelines → developer instructions → user prompts), five properties practitioners need to understand (layered, hidden, natural-language, malleable, loosely coupled to behaviour), and the comparative regulatory landscape: the EU GPAI Code of Practice requires signatories to disclose system prompts to regulators in model reports; the Trump EO 14319 / OMB M-26-04 stops at model / system / data cards and leaves system-prompt disclosure voluntary; the UK's AI Cybersecurity Code says effectively nothing. China's current GenAI safety regime (TC260-003 plus the GenAI Interim Measures) is output-evaluation-based — filing and pre-launch scoring, with no architectural hook into system prompts. Li predicts a Brussels Effect: system-prompt disclosure to regulators will become a global compliance baseline, analogous to the DPIA in data law. For overseas counsel: this is what is coming, what to start archiving now, and why 'what you write' in a system prompt is not 'what the model executes.'",
      "original": {
        "title": "系统级提示词作为监管抓手？",
        "author": "李汶龙 (Li Wenlong)",
        "publication": "科技利维坦 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/LKG-QIs0Y-4N3t-qKCuGmQ",
        "language": "zh"
      }
    },
    {
      "slug": "data-pledge-financing-what-is-pledged",
      "title": "Data Pledge Financing in China: What Is Actually Being Pledged, and Where the Law Gets Stuck",
      "url": "https://datacompliancechina.com/posts/data-pledge-financing-what-is-pledged/",
      "markdown_url": "https://datacompliancechina.com/posts/data-pledge-financing-what-is-pledged.md",
      "published": "2026-05-31T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-pledge-financing",
        "data-property-rights",
        "data-as-asset",
        "civil-code",
        "data-economy",
        "data-registration",
        "financing",
        "data-trading"
      ],
      "laws_cited": [
        "data-property-rights-registration-guide-draft",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "As Chinese banks and data exchanges experiment with data pledge financing (数据质押融资), a threshold question remains unresolved: what, legally, is being pledged? Chen Yiqian of Shenzhen Data Exchange walks through the two available routes under the Civil Code — chattel pledge (动产质权) and rights pledge (权利质权) — and the three operational problems that make chattel pledge difficult and the two doctrinal barriers that make rights pledge harder still. The analysis converges on a practical conclusion: chattel pledge via a third-party data custodian is the most workable path today, while data property rights and data intellectual-property rights both remain insufficiently legalised to support a reliable pledge. For overseas counsel advising on China data-asset financing, the gap between policy ambition and legal infrastructure is the central risk to price. Connects to the broader data property-rights registration project and the unresolved question of how data enters corporate balance sheets.",
      "original": {
        "title": "DEXC+专栏|数据质押融资，出质什么？难点在哪里？",
        "author": "陈一芊 (Chen Yiqian)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/8ttXR-A4Ex3kU-pTbeCEXA",
        "language": "zh"
      }
    },
    {
      "slug": "assessing-cii-operator-important-data-handler-status",
      "title": "Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules",
      "url": "https://datacompliancechina.com/posts/assessing-cii-operator-important-data-handler-status/",
      "markdown_url": "https://datacompliancechina.com/posts/assessing-cii-operator-important-data-handler-status.md",
      "published": "2026-05-29T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "critical-information-infrastructure",
        "important-data",
        "data-security",
        "data-classification",
        "cross-border-data",
        "cii-identification",
        "data-compliance-risk",
        "network-data-security"
      ],
      "laws_cited": [
        "network-data-security-regulations",
        "cii-protection-regulations",
        "dsl"
      ],
      "domains": [
        "data-security",
        "critical-information-infrastructure"
      ],
      "account": "shenzhen-data-exchange",
      "description": "China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.",
      "original": {
        "title": "DEXC+专栏 | 新规背景下，如何评估企业是否属于关键基础设施运营者、重要数据处理者",
        "author": "古青卓 (Gu Qingzhuo)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/BHV-ixP0mN7HoLcyCHcw4g",
        "language": "zh"
      }
    },
    {
      "slug": "datatang-v-yinmu-data-ip-registration-case",
      "title": "Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected",
      "url": "https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case/",
      "markdown_url": "https://datacompliancechina.com/posts/datatang-v-yinmu-data-ip-registration-case.md",
      "published": "2026-05-29T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "judicial",
        "data-property-rights",
        "data-registration",
        "anti-unfair-competition",
        "ai-training-data",
        "open-source",
        "case"
      ],
      "laws_cited": [
        "anti-unfair-competition-law",
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft",
        "dsl"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "shenzhen-data-exchange",
      "description": "A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'",
      "original": {
        "title": "数据堂诉隐木公司 AI 训练数据源案 — 全国首例涉数据知识产权登记证书效力案 (consolidated)",
        "author": "Beijing IP Court (2024)京73民终546号; commentary by 法律与新经济, 清华大学智能法治研究院, 深圳数据交易所 DEXC+",
        "publication": "Multiple — see sources below",
        "url": "https://mp.weixin.qq.com/s/RRsiqVpVcL6eXG077JCjvQ",
        "language": "zh"
      }
    },
    {
      "slug": "xu-ke-anonymization-zombie-provision",
      "title": "Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime",
      "url": "https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision/",
      "markdown_url": "https://datacompliancechina.com/posts/xu-ke-anonymization-zombie-provision.md",
      "published": "2026-05-28T09:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "anonymization",
        "personal-information",
        "data-economy",
        "de-identification",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "csl",
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "personal-information",
        "data-security",
        "data-economy"
      ],
      "account": "xu-ke",
      "description": "Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.",
      "original": {
        "title": "复活僵尸法条：个人信息匿名化制度的再造",
        "author": "许可 (Xu Ke), UIBE",
        "publication": "《财经法学》(Finance and Economics Law Journal), Issue 4, 2024; reposted via 数字经济与社会 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/yaO_RB-rzTKouqevxCb-Xw",
        "language": "zh"
      }
    },
    {
      "slug": "xu-ke-data-rights-block-structure",
      "title": "The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework",
      "url": "https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure/",
      "markdown_url": "https://datacompliancechina.com/posts/xu-ke-data-rights-block-structure.md",
      "published": "2026-05-28T08:30:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-property-rights",
        "data-rights-theory",
        "data-twenty",
        "data-economy",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "pipl",
        "dsl",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "personal-information",
        "data-security"
      ],
      "account": "xu-ke",
      "description": "Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.",
      "original": {
        "title": "数据权利：范式统合与规范分殊",
        "author": "许可 (Xu Ke), UIBE",
        "publication": "《政法论坛》(Tribune of Political Science and Law), Issue 4, 2021, pp. 86-96; reposted via 政法论坛 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/0l_QZgvXbMKQ2I50aOqxaA",
        "language": "zh"
      }
    },
    {
      "slug": "xu-ke-data-asset-identification",
      "title": "When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets",
      "url": "https://datacompliancechina.com/posts/xu-ke-data-asset-identification/",
      "markdown_url": "https://datacompliancechina.com/posts/xu-ke-data-asset-identification.md",
      "published": "2026-05-28T08:15:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-asset",
        "data-property-rights",
        "data-on-balance-sheet",
        "data-economy",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "pipl",
        "public-data-authorized-operation-specifications",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "personal-information"
      ],
      "account": "xu-ke",
      "description": "Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet.",
      "original": {
        "title": "数据资产的识别与界定",
        "author": "许可 (Xu Ke), UIBE",
        "publication": "《企业家》杂志 (Entrepreneur Magazine); reposted via 企业家杂志 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/i8LzBioix-fTBB-_FcGC-g",
        "language": "zh"
      }
    },
    {
      "slug": "yao-qian-pi-anonymization-relativity",
      "title": "From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative",
      "url": "https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity/",
      "markdown_url": "https://datacompliancechina.com/posts/yao-qian-pi-anonymization-relativity.md",
      "published": "2026-05-28T08:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "anonymization",
        "personal-information",
        "de-identification",
        "cross-border-data",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "csl",
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "personal-information",
        "data-security",
        "cross-border"
      ],
      "account": "sansuo-data-security",
      "description": "The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.",
      "original": {
        "title": "个人信息匿名化的一些问题",
        "author": "姚迁 (Yao Qian), TRIMPS Data Security Technology R&D Center",
        "publication": "三所数据安全 (TRIMPS Data Security) WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/B420B2O-X0QYCi86slnuaA",
        "language": "zh"
      }
    },
    {
      "slug": "zhu-xiaofeng-genai-pi-causation-unclear-liability",
      "title": "Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy",
      "url": "https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability/",
      "markdown_url": "https://datacompliancechina.com/posts/zhu-xiaofeng-genai-pi-causation-unclear-liability.md",
      "published": "2026-05-28T07:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-governance",
        "genai",
        "personal-information",
        "causation",
        "liability",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "civil-code-personal-info",
        "genai-services-interim-measures",
        "personal-info-audit-measures"
      ],
      "domains": [
        "ai-governance",
        "personal-information",
        "data-security"
      ],
      "account": "dejyfz",
      "description": "Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.",
      "original": {
        "title": "学术｜朱晓峰：生成式人工智能个人信息侵权因果关系不明时的责任认定",
        "author": "朱晓峰 (Zhu Xiaofeng), Central University of Finance and Economics Law School",
        "publication": "《政法论坛》(Tribune of Political Science and Law), Issue 6, 2025; reposted via 数字经济与法治 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/V1EbvwB4Ib-fc5j0EgT3Zw",
        "language": "zh"
      }
    },
    {
      "slug": "ai-lin-platform-gig-worker-pi-protection",
      "title": "Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It",
      "url": "https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-lin-platform-gig-worker-pi-protection.md",
      "published": "2026-05-28T06:30:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "personal-information",
        "platform-economy",
        "gig-economy",
        "employment",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "civil-code-personal-info",
        "algorithmic-recommendation-provisions",
        "personal-info-audit-measures"
      ],
      "domains": [
        "personal-information",
        "app-compliance"
      ],
      "account": "dejyfz",
      "description": "Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.",
      "original": {
        "title": "学术｜艾琳：平台用工中个人信息保护的困境表现与规则回应",
        "author": "艾琳 (Ai Lin), Jilin University Law School and Theoretical Law Research Center",
        "publication": "《政治与法律》(Political Science and Law), Issue 3, 2026; reposted via 数字经济与法治 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/vl6-9obLhfkCA8p5qEvw2g",
        "language": "zh"
      }
    },
    {
      "slug": "tang-linyao-data-broker-derivative-harms",
      "title": "Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'",
      "url": "https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms/",
      "markdown_url": "https://datacompliancechina.com/posts/tang-linyao-data-broker-derivative-harms.md",
      "published": "2026-05-28T06:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-economy",
        "data-broker",
        "data-exchange",
        "derivative-harm",
        "privacy",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "pipl",
        "dsl",
        "personal-info-audit-measures",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-economy",
        "data-security",
        "personal-information"
      ],
      "account": "dejyfz",
      "description": "Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.",
      "original": {
        "title": "学术｜唐林垚：数据经纪的衍生风险与法律应对",
        "author": "唐林垚 (Tang Linyao), Chinese Academy of Social Sciences Law Institute",
        "publication": "《法学家》(The Jurist), Issue 2, 2026; reposted via 数字经济与法治 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/L4A6N26tXnN05iSxqMNe3w",
        "language": "zh"
      }
    },
    {
      "slug": "wang-nian-data-source-rights-as-fair-use",
      "title": "Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights",
      "url": "https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use/",
      "markdown_url": "https://datacompliancechina.com/posts/wang-nian-data-source-rights-as-fair-use.md",
      "published": "2026-05-28T05:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-twenty",
        "data-source-rights",
        "data-economy",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft",
        "pipl",
        "civil-code-personal-info"
      ],
      "domains": [
        "data-economy",
        "personal-information"
      ],
      "account": "dejyfz",
      "description": "Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.",
      "original": {
        "title": "学术｜王年：数据来源者权利及其实现——基于数据共生的视角",
        "author": "王年 (Wang Nian), Tsinghua University Law School",
        "publication": "《财经法学》(Finance and Economics Law Journal), Issue 5, 2025; reposted via 数字经济与法治 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/DeoiXUp2emdS-yjzWl8o7g",
        "language": "zh"
      }
    },
    {
      "slug": "samr-ghost-takeout-data-compliance-lessons",
      "title": "Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine",
      "url": "https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons/",
      "markdown_url": "https://datacompliancechina.com/posts/samr-ghost-takeout-data-compliance-lessons.md",
      "published": "2026-05-28T04:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "enforcement",
        "samr",
        "platform-liability",
        "personal-information",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "network-data-security-regulations",
        "personal-info-audit-measures",
        "dsl"
      ],
      "domains": [
        "enforcement",
        "personal-information",
        "data-security",
        "app-compliance"
      ],
      "account": "data-he-gui",
      "description": "In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.",
      "original": {
        "title": "巨额处罚电商平台系列案对企业数据合规责任的启示",
        "author": "黄春林、柴明银 (Huang Chunlin, Chai Mingyin)",
        "publication": "数据何规 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/9w4AQMPmH9roj2qiILuHTw",
        "language": "zh"
      }
    },
    {
      "slug": "ai-agent-rules-risk-taxonomy",
      "title": "Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规",
      "url": "https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy.md",
      "published": "2026-05-28T03:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-agents",
        "ai-governance",
        "genai",
        "commentary"
      ],
      "laws_cited": [
        "genai-services-interim-measures",
        "algorithmic-recommendation-provisions",
        "deep-synthesis-provisions",
        "ai-content-labeling-measures"
      ],
      "domains": [
        "ai-governance",
        "data-security",
        "personal-information"
      ],
      "account": "data-he-gui",
      "description": "China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.",
      "original": {
        "title": "从《智能体新规》看AI智能体的风险防范与合规治理（上）",
        "author": "朱垒 (Zhu Lei)",
        "publication": "数据何规 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA",
        "language": "zh"
      }
    },
    {
      "slug": "ai-agent-rules-governance-framework",
      "title": "Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework",
      "url": "https://datacompliancechina.com/posts/ai-agent-rules-governance-framework/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-agent-rules-governance-framework.md",
      "published": "2026-05-28T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-agents",
        "ai-governance",
        "genai",
        "compliance-program",
        "commentary"
      ],
      "laws_cited": [
        "genai-services-interim-measures",
        "algorithmic-recommendation-provisions",
        "deep-synthesis-provisions",
        "personal-info-audit-measures"
      ],
      "domains": [
        "ai-governance",
        "data-security",
        "personal-information"
      ],
      "account": "data-he-gui",
      "description": "Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.",
      "original": {
        "title": "从《智能体新规》看AI智能体的风险防范与合规治理（下）",
        "author": "朱垒 (Zhu Lei)",
        "publication": "数据何规 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/VAoNJBWEa7yM7TsOg0OMvw",
        "language": "zh"
      }
    },
    {
      "slug": "open-source-ai-training-data-compliance",
      "title": "Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI",
      "url": "https://datacompliancechina.com/posts/open-source-ai-training-data-compliance/",
      "markdown_url": "https://datacompliancechina.com/posts/open-source-ai-training-data-compliance.md",
      "published": "2026-05-28T02:30:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "ai-governance",
        "open-source",
        "training-data",
        "copyright",
        "commentary"
      ],
      "laws_cited": [
        "genai-services-interim-measures",
        "pipl",
        "dsl",
        "csl"
      ],
      "domains": [
        "ai-governance",
        "personal-information",
        "data-security"
      ],
      "account": "renmin-tribune",
      "description": "Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.",
      "original": {
        "title": "前沿 | 开源人工智能训练数据的合规治理",
        "author": "张平 (Zhang Ping), Peking University Law School",
        "publication": "人民论坛 (People's Tribune), April 1, 2026",
        "url": "https://www.rmlt.com.cn/2026/0401/748659.shtml",
        "language": "zh"
      }
    },
    {
      "slug": "miit-2026-batch-3-31-app-public-naming",
      "title": "MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse",
      "url": "https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming/",
      "markdown_url": "https://datacompliancechina.com/posts/miit-2026-batch-3-31-app-public-naming.md",
      "published": "2026-05-28T02:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "enforcement",
        "miit",
        "app-compliance",
        "pipl",
        "public-naming"
      ],
      "laws_cited": [
        "pipl",
        "csl",
        "personal-info-audit-measures",
        "network-data-security-regulations"
      ],
      "domains": [
        "enforcement",
        "personal-information",
        "app-compliance"
      ],
      "account": "miit-weibao",
      "description": "MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.",
      "original": {
        "title": "违规收集个人信息、窗口乱跳转……这31款APP及SDK被通报！",
        "author": "工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau)",
        "publication": "工信微报 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/pI6fsJpm6O9u7Icntw8guA",
        "language": "zh"
      }
    },
    {
      "slug": "nda-three-rights-structural-separation",
      "title": "NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself",
      "url": "https://datacompliancechina.com/posts/nda-three-rights-structural-separation/",
      "markdown_url": "https://datacompliancechina.com/posts/nda-three-rights-structural-separation.md",
      "published": "2026-05-28T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-twenty",
        "structural-separation",
        "data-economy",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft",
        "public-data-authorized-operation-specifications",
        "public-data-registration-interim-measures"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "ndb",
      "description": "The National Data Administration's official 政策解读 (policy interpretation) on the three-rights framework — the right to hold, the right to use, and the right to operate data — established by the Data 20 Articles. NDA walks through what each right means, illustrative scenarios (group-company data subsidiaries; hospital-pharma research pools; data-broker commission arrangements), how the rights relate to each other (independently severable; non-exclusive across parties for the same data), and why the structural-separation design was chosen over a unitary-ownership model. The clearest available statement of the regulator's own intent on the framework that anchors every downstream rule — data-resource registration, data-property-rights registration, FTZ data-circulation negative lists, on-floor / over-the-counter trading rules.",
      "original": {
        "title": "政策解读 | 如何理解数据产权结构性分置",
        "author": "国家数据局 (National Data Administration)",
        "publication": "国家数据局 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/AvOjnMGTAa2uNrC10aKGTg",
        "language": "zh"
      }
    },
    {
      "slug": "nda-data-processor-property-rights-allocation",
      "title": "Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical",
      "url": "https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation/",
      "markdown_url": "https://datacompliancechina.com/posts/nda-data-processor-property-rights-allocation.md",
      "published": "2026-05-28T00:30:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-property-rights",
        "data-twenty",
        "data-processor",
        "data-economy",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "pipl",
        "civil-code-personal-info",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy",
        "data-security",
        "personal-information"
      ],
      "account": "ndb",
      "description": "NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.",
      "original": {
        "title": "政策解读 | 数据处理者的数据产权配置安排",
        "author": "国家数据局 (National Data Administration)",
        "publication": "国家数据局 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/O1hmeSC9cSbYDg5-L3mXbA",
        "language": "zh"
      }
    },
    {
      "slug": "nda-entrusted-data-processing-property-rights",
      "title": "Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights",
      "url": "https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights/",
      "markdown_url": "https://datacompliancechina.com/posts/nda-entrusted-data-processing-property-rights.md",
      "published": "2026-05-28T00:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-property-rights",
        "data-twenty",
        "entrusted-processing",
        "cloud",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "civil-code-personal-info",
        "pipl",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "ndb",
      "description": "NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.",
      "original": {
        "title": "政策解读 | 数据委托处理情形中的产权配置",
        "author": "国家数据局 (National Data Administration)",
        "publication": "国家数据局 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/CGEjaiKF7ba1Imqjl2zvjA",
        "language": "zh"
      }
    },
    {
      "slug": "public-data-under-franchise-concession",
      "title": "Public Data Under Franchise and Concession Operations: Who Owns It and Can It Be Traded?",
      "url": "https://datacompliancechina.com/posts/public-data-under-franchise-concession/",
      "markdown_url": "https://datacompliancechina.com/posts/public-data-under-franchise-concession.md",
      "published": "2026-05-27T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "public-data",
        "franchise-concession",
        "authorized-operation",
        "data-economy",
        "data-property-rights",
        "infrastructure",
        "public-utilities",
        "data-trading-compliance"
      ],
      "laws_cited": [
        "public-data-authorized-operation-specifications",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "Infrastructure and public-utility operators in China — gas networks, urban parking, water systems, and similar franchise/concession (特许经营) businesses — generate data that falls within the statutory definition of 'public data.' That classification creates compliance questions that standard enterprise-data analysis does not answer: does a franchise agreement confer the right to process and sell that data, and under what conditions? Two Shenzhen Data Exchange compliance officers work through the asset-ownership and revenue-attribution routes for establishing data-use authority, flag the asset-transfer risk that attaches to API and dataset licensing, and explain why franchise-generated public data should not be silently assimilated into the authorised-operation (授权运营) model now being piloted across Chinese cities. The operational takeaway: amend legacy concession agreements to address data rights explicitly, and build the data-rights clause into every new franchise contract before signing.",
      "original": {
        "title": "DEXC+专栏丨特许经营业务下的公共数据，能用?怎么用?",
        "author": "胡婧卓; 陈一芊",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/K1zqNbOyao8cXhEIVGTn-Q",
        "language": "zh"
      }
    },
    {
      "slug": "data-property-registration-review-guide",
      "title": "Inside the Reviewer's Mind — A Compliance Guide to Data Property-Rights Registration at Shenzhen Data Exchange",
      "url": "https://datacompliancechina.com/posts/data-property-registration-review-guide/",
      "markdown_url": "https://datacompliancechina.com/posts/data-property-registration-review-guide.md",
      "published": "2026-05-26T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-property-rights",
        "data-registration",
        "data-economy",
        "data-element-market",
        "three-rights",
        "data-compliance",
        "shenzhen-data-exchange",
        "legal-opinion"
      ],
      "laws_cited": [
        "data-property-rights-registration-guide-draft",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "China's data property-rights registration (数据产权登记) regime has no single national rulebook yet, which makes the reviewer's checklist at the registrar level the operational baseline for any applicant. This brief summarises a practitioner guide by two compliance managers at Shenzhen Data Exchange (深圳数据交易所), explaining what registration reviewers actually scrutinise: whether the subject-matter falls within the platform's accepted scope; whether the applicant can substantiate entitlement to one or more of the three data-property rights (持有权 / 使用权 / 经营权); and whether the submitted materials are internally consistent and complete. The guide also clarifies common misconceptions about the 'three rights' structure — including why 'data ownership' is not a legally recognised concept and why holding-right does not automatically confer use-right or operating-right. For overseas counsel advising clients on data-asset registration, this is the clearest available account of how the first-mover registrar reads applications.",
      "original": {
        "title": "DEXC+专栏｜数据产权登记审核，审核员都在想什么？——送上一份数据产权登记合规审核指南",
        "author": "陈一芊、胡婧卓",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/tDRmD9Bcz_I4rWF1fOBJ5g",
        "language": "zh"
      }
    },
    {
      "slug": "public-data-authorized-operation-not-a-shield",
      "title": "Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack",
      "url": "https://datacompliancechina.com/posts/public-data-authorized-operation-not-a-shield/",
      "markdown_url": "https://datacompliancechina.com/posts/public-data-authorized-operation-not-a-shield.md",
      "published": "2026-05-24T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "public-data",
        "data-economy",
        "pipl",
        "data-security-law",
        "authorized-operation",
        "data-classification",
        "personal-information-protection",
        "data-trading"
      ],
      "laws_cited": [
        "public-data-authorized-operation-specifications",
        "pipl",
        "dsl"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "shenzhen-data-exchange",
      "description": "China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.",
      "original": {
        "title": "DEXC+专栏｜公共数据授权运营不是数据合规的“免死金牌”",
        "author": "胡敏喆、王森鹏、王青兰",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/pYNLXFiqr1wKpc60YjTdbQ",
        "language": "zh"
      }
    },
    {
      "slug": "public-data-authorized-operation-processing-trading",
      "title": "Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model",
      "url": "https://datacompliancechina.com/posts/public-data-authorized-operation-processing-trading/",
      "markdown_url": "https://datacompliancechina.com/posts/public-data-authorized-operation-processing-trading.md",
      "published": "2026-05-22T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "public-data",
        "authorized-operation",
        "data-trading",
        "data-economy",
        "data-products",
        "public-data-registration",
        "data-compliance",
        "data-element-market"
      ],
      "laws_cited": [
        "public-data-authorized-operation-specifications",
        "public-data-registration-interim-measures",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "China's public-data authorized-operation regime (公共数据授权运营) is the primary route for enterprises to commercialise government-held data. A DEXC+ analysis by Yang Haoran maps the full compliance arc: what qualifies as public data, how it must be processed within a sandboxed platform, and what a data product needs to clear before it can be listed on an exchange. Drawing on the National Data Administration's draft Authorized-Operation Implementation Specifications and Shenzhen Data Exchange's own 3×4 dynamic-compliance framework — covering subject compliance, subject-matter compliance, and circulation compliance across legal, security, integrity, and rights dimensions — the brief gives overseas counsel a structured view of the obligations that attach at each stage of the public-data supply chain, from first authorisation to on-exchange listing.",
      "original": {
        "title": "DEXC+专栏｜授权运营模式下企业如何合规加工运营和交易公共数据？",
        "author": "杨浩然 (Yang Haoran)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/tkH9NitKcBZMCb5q9zNUPg",
        "language": "zh"
      }
    },
    {
      "slug": "surveying-geographic-data-products-trading-compliance",
      "title": "Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange",
      "url": "https://datacompliancechina.com/posts/surveying-geographic-data-products-trading-compliance/",
      "markdown_url": "https://datacompliancechina.com/posts/surveying-geographic-data-products-trading-compliance.md",
      "published": "2026-05-20T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-trading",
        "surveying-data",
        "geographic-information",
        "data-exchange-compliance",
        "state-owned-enterprises",
        "data-classification",
        "sector-specific-data",
        "important-data"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "shenzhen-data-exchange",
      "description": "When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient.",
      "original": {
        "title": "DEXC+专栏｜测绘地理信息数据产品上市交易合规评估要点及经验总结",
        "author": "吴锦熤 (Wu Jinxi); 陈秋连 (Chen Qiulian)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/qSzwFKrJV_GlxzxTPJb4PQ",
        "language": "zh"
      }
    },
    {
      "slug": "sensitive-pi-processing-security-requirements-standard",
      "title": "Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice",
      "url": "https://datacompliancechina.com/posts/sensitive-pi-processing-security-requirements-standard/",
      "markdown_url": "https://datacompliancechina.com/posts/sensitive-pi-processing-security-requirements-standard.md",
      "published": "2026-05-19T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "sensitive-personal-information",
        "pipl",
        "national-standard",
        "gb-t-45574-2025",
        "tc260",
        "data-security",
        "compliance"
      ],
      "laws_cited": [
        "tc260-sensitive-pi-identification-guide",
        "pipl"
      ],
      "domains": [
        "personal-information",
        "data-security"
      ],
      "account": "shenzhen-data-exchange",
      "description": "GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond.",
      "original": {
        "title": "DEXC+专栏｜《数据安全技术 敏感个人信息处理安全要求》的七大亮点及合规建议",
        "author": "王艺、赵艳明、曾令玮 (Wang Yi, Zhao Yanming, Zeng Lingwei)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/3UlXi2v8cDRO3xbUrxyQQw",
        "language": "zh"
      }
    },
    {
      "slug": "pi-trading-pia-network-data-regulations",
      "title": "The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products",
      "url": "https://datacompliancechina.com/posts/pi-trading-pia-network-data-regulations/",
      "markdown_url": "https://datacompliancechina.com/posts/pi-trading-pia-network-data-regulations.md",
      "published": "2026-05-18T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "pia",
        "personal-information-protection",
        "data-trading",
        "network-data-security-regulations",
        "pipl",
        "data-element-market",
        "sensitive-personal-information",
        "cross-border"
      ],
      "laws_cited": [
        "network-data-security-regulations",
        "pipl"
      ],
      "domains": [
        "personal-information",
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product.",
      "original": {
        "title": "DEXC+专栏 ｜个人信息交易危机：《网数条例》下被忽视的PIA能否构建交易合规防线？",
        "author": "王森鹏 (Wang Senpeng)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/_LT4nIubx315hvjG5ibF-g",
        "language": "zh"
      }
    },
    {
      "slug": "derivative-data-products-public-data-opening",
      "title": "Derivative Data Products and Public Data Opening — Legal Challenges and Compliance Points",
      "url": "https://datacompliancechina.com/posts/derivative-data-products-public-data-opening/",
      "markdown_url": "https://datacompliancechina.com/posts/derivative-data-products-public-data-opening.md",
      "published": "2026-05-16T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "derivative-data",
        "public-data",
        "data-property-rights",
        "data-product",
        "anti-unfair-competition",
        "authorized-operation",
        "data-economy",
        "data-registration"
      ],
      "laws_cited": [
        "public-data-authorized-operation-specifications",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "As China opens public-sector datasets for commercial exploitation, companies building derivative data products (衍生数据产品) face a layered compliance problem: the definition of 'derivative data' in the National Data Administration's 2025 glossary is deliberately high-threshold (substantial transformation, significant value uplift); provincial rules on automated collection, source-labelling, and sensitive-data assessment are inconsistent; and a three-way collision between the open-data rules, third-party platform terms, and the 2025 Anti-Unfair Competition Law amendments has no clean resolution. Wang Yi and Yu Hao (both DEXCO-certified partners at Global Law Office Shenzhen) map the definitional landscape, five categories of operational red lines, and four protective strategies — including the new data-specific provision in the revised Anti-Unfair Competition Law — for practitioners building or advising on derivative-data businesses.",
      "original": {
        "title": "DEXC+专栏 | 公共数据开放背景下衍生数据产品开发利用的法律挑战与合规要点",
        "author": "王艺，余灏 (Wang Yi, Yu Hao)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/nNJVdLFSs65EsCR99TmXIw",
        "language": "zh"
      }
    },
    {
      "slug": "data-property-registration-work-for-hire-data",
      "title": "From Copyright to Data Property: The Three-Layer Compliance Test for Registering Employee-Created Data in China",
      "url": "https://datacompliancechina.com/posts/data-property-registration-work-for-hire-data/",
      "markdown_url": "https://datacompliancechina.com/posts/data-property-registration-work-for-hire-data.md",
      "published": "2026-05-15T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "data-property-rights",
        "data-registration",
        "work-made-for-hire",
        "data-element-market",
        "copyright",
        "data-trading",
        "employment-data"
      ],
      "laws_cited": [
        "data-property-rights-registration-guide-draft",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "shenzhen-data-exchange",
      "description": "China's data property-rights registration regime treats copyright and data property (数据产权) as separate legal categories — a distinction that catches many applicants off guard when employee-created works are involved. This brief summarises a practitioner analysis by two Shenzhen Data Exchange compliance officers, who explain the three-layer 'penetrating review' (穿透审核) logic that registrars actually apply: lawful acquisition (合法获取), factual control (事实持有), and defined scope of use (使用范围). For overseas counsel advising clients that hold data generated by employees — including code, engineering drawings, maps, and other special categories of work-made-for-hire under China's Copyright Law — the key operational takeaway is that a copyright certificate alone is insufficient. Registration of all three data property rights (holding right, use right, operating right) requires distinct evidence chains for each, and the employment contract is the starting document, not the copyright certificate.",
      "original": {
        "title": "DEXC+专栏｜数据产权登记实务：职务作品数据产权登记合规路径分析",
        "author": "胡婧卓 (Hu Jingzhuo); 陈一芊 (Chen Yiqian)",
        "publication": "深圳数据交易所 DEXC+ 专栏 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/hL00n0vIhiqOzW15QVTLKA",
        "language": "zh"
      }
    },
    {
      "slug": "important-data-category-not-tier",
      "title": "'Important Data' Is a Category, Not a Tier",
      "url": "https://datacompliancechina.com/posts/important-data-category-not-tier/",
      "markdown_url": "https://datacompliancechina.com/posts/important-data-category-not-tier.md",
      "published": "2026-05-04T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "important-data",
        "dsl",
        "commentary",
        "data-classification"
      ],
      "laws_cited": [
        "dsl",
        "pipl"
      ],
      "domains": [
        "data-security",
        "cross-border"
      ],
      "account": "wangan-xunluren",
      "description": "Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.",
      "original": {
        "title": "重要数据性质的再认识：级别概念 vs. 类别概念",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/RmrIs3PZnEHkGsMl3vlutg",
        "language": "zh"
      }
    },
    {
      "slug": "manus-foreign-investment-security-review",
      "title": "Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export",
      "url": "https://datacompliancechina.com/posts/manus-foreign-investment-security-review/",
      "markdown_url": "https://datacompliancechina.com/posts/manus-foreign-investment-security-review.md",
      "published": "2026-04-28T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "foreign-investment-security-review",
        "manus",
        "ai-agent",
        "cross-border",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "dsl",
        "data-export-security-assessment-measures",
        "foreign-investment-security-review-measures"
      ],
      "domains": [
        "cross-border",
        "ai-governance",
        "cybersecurity-review"
      ],
      "account": "wangan-xunluren",
      "description": "Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.",
      "original": {
        "title": "Manus 案的监管范式选择：为什么是外商投资安全审查？",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-token-trading-cold-water",
      "title": "Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative",
      "url": "https://datacompliancechina.com/posts/qinglan-token-trading-cold-water/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-token-trading-cold-water.md",
      "published": "2026-04-24T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "tokens",
        "ai-training-data",
        "data-trading",
        "national-data-administration",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "common-data-terms-batch-1",
        "common-data-terms-batch-2"
      ],
      "domains": [
        "data-economy",
        "ai-governance"
      ],
      "account": "qinglan-data",
      "description": "In March 2026, the National Data Administration released the *Implementation Plan for Promoting High-Quality Industry Data Set Construction (Draft for Public Consultation)*, which explores a 'token (词元) based value system' and 'token trading as a new transaction mode' for high-quality data sets. The Chinese AI policy community immediately heralded the move as 'revolutionizing data trading.' Wang Qinglan pours cold water: token is a measuring unit, not a magic transformer. AI tokens are not crypto tokens. The bottleneck in China's data-element market isn't measurement — it's supply, rights clarity, compliance cost, and data silos.",
      "original": {
        "title": "给\"词元交易\"泼一盆冷水",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/0Nbcam7GbrYx8d31JmTGGA",
        "language": "zh"
      }
    },
    {
      "slug": "pipl-criminal-threshold",
      "title": "When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold",
      "url": "https://datacompliancechina.com/posts/pipl-criminal-threshold/",
      "markdown_url": "https://datacompliancechina.com/posts/pipl-criminal-threshold.md",
      "published": "2026-04-22T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "criminal-liability",
        "pipl",
        "judicial-interpretation",
        "mozhi-case",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "civil-code-personal-info"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "account": "wangan-xunluren",
      "description": "Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.",
      "original": {
        "title": "《个人信息保护法》背景下侵犯公民个人信息行为的罪与非罪认定标准分析",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/5tXYwpeuLqkOLqv7xfTGgg",
        "language": "zh"
      }
    },
    {
      "slug": "public-place-frt-necessity-framework",
      "title": "When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework",
      "url": "https://datacompliancechina.com/posts/public-place-frt-necessity-framework/",
      "markdown_url": "https://datacompliancechina.com/posts/public-place-frt-necessity-framework.md",
      "published": "2026-04-04T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "facial-recognition",
        "public-surveillance",
        "pipl-article-26",
        "proportionality-test",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "facial-recognition-judicial-interpretation",
        "public-security-video-image-system-regulations",
        "facial-recognition-technology-application-measures"
      ],
      "domains": [
        "personal-information",
        "ai-governance",
        "enforcement"
      ],
      "account": "wangan-xunluren",
      "description": "Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.",
      "original": {
        "title": "公共场所视频监控与人脸识别的治理路径：国际经验与中国方案",
        "author": "洪延青",
        "publication": "网安寻路人",
        "url": "https://mp.weixin.qq.com/s/gZIJDP5j9RW8S4NJDw_Mow",
        "language": "zh"
      }
    },
    {
      "slug": "anthropomorphic-ai-measures-reform-directions",
      "title": "Where China's Draft AI Anthropomorphic-Interaction Measures Need Work — A Scholar's Reform Map",
      "url": "https://datacompliancechina.com/posts/anthropomorphic-ai-measures-reform-directions/",
      "markdown_url": "https://datacompliancechina.com/posts/anthropomorphic-ai-measures-reform-directions.md",
      "published": "2026-02-01T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "ai-governance",
        "companion-ai",
        "anthropomorphic-ai",
        "pipl",
        "genai",
        "rulemaking",
        "academic-commentary"
      ],
      "laws_cited": [
        "ai-anthropomorphic-interaction-measures",
        "pipl",
        "genai-services-interim-measures"
      ],
      "domains": [
        "ai-governance",
        "personal-information"
      ],
      "account": "keji-leviathan",
      "description": "Li Wenlong (科技利维坦) walks through the directions in which he would amend China's draft Interim Measures for the Administration of AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理办法) — the country's first dedicated rule on 'companion'-style AI. His critique is structural, not cosmetic: the core definition of '拟人化 (anthropomorphisation)' is too broad because it anchors on human-like expression rather than the real harm (relational dependency); the invented concept of '交互数据 (interaction data)' should be deleted and folded back into PIPL rather than blanket-prohibited; Chapter 2 mixes three incompatible duty types and should be split; the '1M registered / 100k MAU' security-assessment trigger is borrowed from other regimes and does not track real risk; and the training-data duties are horizontal obligations misplaced in a vertical rule. For overseas counsel building companion-AI or emotional-AI products for the China market: this is a map of where the draft is likely to move, and which duties fall on deployers versus base-model providers.",
      "original": {
        "title": "AI拟人化互动服务管理暂行办法可以考虑修改的几个方向",
        "author": "李汶龙 (Li Wenlong)",
        "publication": "科技利维坦 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/iJYQs1bRzGCLx_Zi43HmNQ",
        "language": "zh"
      }
    },
    {
      "slug": "ai-agents-and-the-limits-of-consent",
      "title": "AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click",
      "url": "https://datacompliancechina.com/posts/ai-agents-and-the-limits-of-consent/",
      "markdown_url": "https://datacompliancechina.com/posts/ai-agents-and-the-limits-of-consent.md",
      "published": "2026-01-30T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "ai-governance",
        "ai-agents",
        "pipl",
        "consent",
        "automated-decision-making",
        "privacy",
        "academic-commentary"
      ],
      "laws_cited": [
        "pipl",
        "genai-services-interim-measures"
      ],
      "domains": [
        "personal-information",
        "ai-governance"
      ],
      "account": "keji-leviathan",
      "description": "Li Wenlong (科技利维坦) takes the Doubao phone assistant — an AI that 'reads your screen' and acts across apps — and asks whether the consent/authorisation mechanism that traditional data law leans on can survive the agent era. His four challenges: the app-bounded 'private' environment dissolves as data and permissions move across apps (with Nissenbaum's Contextual Integrity as the only real conceptual anchor, and far from operational); agents that *act* (not just retrieve) push informed consent past the point of failure already reached by personalised ads; purpose limitation collapses because an agent chooses its own path, means and decisions from a low-information instruction, edging into automated decision-making; and ultra vires agency shifts liability from user to platform, with China's 'hallucination case' and the Air Canada case as the only thin precedents. For overseas counsel building or advising on agentic AI in China: a map of why 'authorisation' is becoming a problem of agency, system control, liability allocation and autonomy — not a checkbox — and why transparency is now a prerequisite, not a feature.",
      "original": {
        "title": "当AI能“阅读”你的屏幕：用户授权能否化解跨端智能体的隐私风险",
        "author": "李汶龙 (Li Wenlong)",
        "publication": "科技利维坦 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/AH3wtKKKrTz7aQ91Xy2D-g",
        "language": "zh"
      }
    },
    {
      "slug": "compliance-talker-csl-2025-amendment-ai-and-penalties",
      "title": "China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed",
      "url": "https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties/",
      "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-csl-2025-amendment-ai-and-penalties.md",
      "published": "2026-01-12T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "csl",
        "csl-2025-amendment",
        "ai-governance",
        "penalties",
        "commentary"
      ],
      "laws_cited": [
        "csl",
        "pipl",
        "dsl",
        "civil-code-personal-info"
      ],
      "domains": [
        "cybersecurity-review",
        "data-security",
        "personal-information"
      ],
      "account": "compliance-talker",
      "description": "On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.",
      "original": {
        "title": "原创 || 中国新《网络安全法》：促进AI安全与发展，升级处罚力度强化网安责任",
        "author": "全球法律政策研究 (Global Legal Policy Research Team)",
        "publication": "合规小叨客",
        "url": "https://mp.weixin.qq.com/s/p20K896Ad94taTuoecZqnQ",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-cross-border-data-discovery-three-jurisdictions",
      "title": "Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense",
      "url": "https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-cross-border-data-discovery-three-jurisdictions.md",
      "published": "2026-01-08T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "cross-border",
        "data-sovereignty",
        "mlat",
        "cloud-act",
        "blocking-statute",
        "commentary"
      ],
      "laws_cited": [
        "dsl",
        "pipl",
        "cross-border-data-flows-provisions"
      ],
      "domains": [
        "cross-border",
        "enforcement"
      ],
      "account": "qinglan-data",
      "description": "When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.",
      "original": {
        "title": "跨境数据调取\"三国杀\"：美欧中各出啥招？",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/oqxjw7PbmnQ7OEmkV4Uu8g",
        "language": "zh"
      }
    },
    {
      "slug": "spc-data-disputes-case-category-and-data-registration",
      "title": "Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category",
      "url": "https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration/",
      "markdown_url": "https://datacompliancechina.com/posts/spc-data-disputes-case-category-and-data-registration.md",
      "published": "2025-12-19T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-registration",
        "spc",
        "judicial-review",
        "commentary"
      ],
      "laws_cited": [
        "data-property-rights-registration-guide-draft",
        "public-data-registration-interim-measures",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy",
        "enforcement"
      ],
      "account": "qinglan-data",
      "description": "Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts.",
      "original": {
        "title": "数据确权登记热潮，要被司法审查\"打回原形\"了？",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/wvM52Sexl8UWlr_dHD1yBQ",
        "language": "zh"
      }
    },
    {
      "slug": "pipo-vs-dpo-pi-protection-officer-comparison",
      "title": "PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer",
      "url": "https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison/",
      "markdown_url": "https://datacompliancechina.com/posts/pipo-vs-dpo-pi-protection-officer-comparison.md",
      "published": "2025-12-15T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "personal-information",
        "pipl",
        "gdpr-comparison",
        "data-protection-officer",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "personal-info-audit-measures"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "account": "compliance-talker",
      "description": "The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.",
      "original": {
        "title": "原创 || 中国个人信息保护负责人与海外数据保护官的职责\"差异图鉴\"",
        "author": "全球法律政策研究 (Global Legal Policy Research Team)",
        "publication": "合规小叨客",
        "url": "https://mp.weixin.qq.com/s/eTH37QZSCSU6DUxiU6TQ-A",
        "language": "zh"
      }
    },
    {
      "slug": "doubao-reverse-interoperability-on-device-agents",
      "title": "Reverse Interoperability: Li Wenlong's Frame for the Doubao On-Device Agent Fight",
      "url": "https://datacompliancechina.com/posts/doubao-reverse-interoperability-on-device-agents/",
      "markdown_url": "https://datacompliancechina.com/posts/doubao-reverse-interoperability-on-device-agents.md",
      "published": "2025-12-12T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "ai-governance",
        "ai-agents",
        "interoperability",
        "anti-unfair-competition",
        "platform-governance",
        "on-device-agents",
        "academic-commentary"
      ],
      "laws_cited": [
        "genai-services-interim-measures"
      ],
      "domains": [
        "data-economy",
        "ai-governance"
      ],
      "account": "keji-leviathan",
      "description": "ByteDance's Doubao phone assistant — preinstalled at the device layer to operate other apps on a user's behalf — was met with pop-up blocks from WeChat and others citing security and risk-control. Li Wenlong (科技利维坦) argues the dispute is, at bottom, a question of how China's competition-law toolkit (反不正当竞争法 / 反垄断法) absorbs the idea of interoperability — and specifically what he calls 'reverse interoperability (反向互操作性)'. The classic interoperability problem is a platform refusing to open up, with antitrust used as a market remedy to force access. Doubao inverts it: interoperability is fully achieved at the device level, and the legal question becomes whether the law should restrict 'over-interoperation.' Li maps interoperability's journey from the Microsoft case through GDPR data portability and the DMA to the agent era, distinguishes the Doubao fight from the decade-old 3Q War, and predicts on-device-agent governance will look less like classic antitrust and more like the ex-ante, conditional-use compliance model emerging for AI training data. For overseas counsel: a structural read on the platform-access war that on-device AI agents are about to intensify.",
      "original": {
        "title": "豆包手机助手说到底是个被动互联问题",
        "author": "李汶龙 (Li Wenlong)",
        "publication": "科技利维坦 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/E6RjF63A3vqd4WW78mVlXQ",
        "language": "zh"
      }
    },
    {
      "slug": "in-game-personal-data-collection-china",
      "title": "Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes",
      "url": "https://datacompliancechina.com/posts/in-game-personal-data-collection-china/",
      "markdown_url": "https://datacompliancechina.com/posts/in-game-personal-data-collection-china.md",
      "published": "2025-12-09T03:00:00.000Z",
      "author": "DCC Editorial",
      "featured": false,
      "tags": [
        "personal-information",
        "pipl",
        "app-compliance",
        "gaming",
        "enforcement",
        "academic-commentary"
      ],
      "laws_cited": [
        "pipl",
        "network-data-security-regulations"
      ],
      "domains": [
        "personal-information",
        "app-compliance"
      ],
      "account": "keji-leviathan",
      "description": "Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.",
      "original": {
        "title": "游戏内个人数据收集的界限和合法性基础",
        "author": "李汶龙 (Li Wenlong)",
        "publication": "科技利维坦 WeChat Official Account",
        "url": "https://mp.weixin.qq.com/s/EF7L9R6wMlo_Cz8OZXsZnA",
        "language": "zh"
      }
    },
    {
      "slug": "compliance-talker-cross-border-mutual-trust-trusted-data-spaces",
      "title": "Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet",
      "url": "https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces/",
      "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-cross-border-mutual-trust-trusted-data-spaces.md",
      "published": "2025-11-20T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "cross-border",
        "trusted-data-space",
        "confidential-computing",
        "data-sovereignty",
        "commentary"
      ],
      "laws_cited": [
        "dsl",
        "pipl",
        "csl",
        "cross-border-data-flows-provisions"
      ],
      "domains": [
        "cross-border",
        "data-economy"
      ],
      "account": "compliance-talker",
      "description": "Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.",
      "original": {
        "title": "原创 || 数据要素跨境流动互信机制研究——探索兼顾安全与效率的互信机制",
        "author": "全球法律政策研究 (Global Legal Policy Research Team)",
        "publication": "合规小叨客",
        "url": "https://mp.weixin.qq.com/s/K0bJsC3XaNCWcws2wZBeCg",
        "language": "zh"
      }
    },
    {
      "slug": "compliance-talker-frt-application-measures-impact",
      "title": "Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers",
      "url": "https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact/",
      "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-frt-application-measures-impact.md",
      "published": "2025-10-28T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "facial-recognition",
        "frt-measures",
        "sensitive-personal-information",
        "filing-regime",
        "commentary"
      ],
      "laws_cited": [
        "facial-recognition-technology-application-measures",
        "facial-recognition-judicial-interpretation",
        "pipl"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "account": "compliance-talker",
      "description": "The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.",
      "original": {
        "title": "原创 || 《人脸识别技术应用安全管理办法》解读与企业影响分析",
        "author": "全球法律政策研究 (Global Legal Policy Research Team)",
        "publication": "合规小叨客",
        "url": "https://mp.weixin.qq.com/s/Pp_IuQ51wq0yrARWqQ0Y8g",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-how-to-identify-important-data",
      "title": "How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan",
      "url": "https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-how-to-identify-important-data.md",
      "published": "2025-10-16T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "important-data",
        "data-classification",
        "cross-border",
        "dsl",
        "commentary"
      ],
      "laws_cited": [
        "dsl",
        "csl",
        "network-data-security-regulations",
        "data-export-security-assessment-measures",
        "cross-border-data-flows-provisions"
      ],
      "domains": [
        "data-security",
        "cross-border"
      ],
      "account": "qinglan-data",
      "description": "Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.",
      "original": {
        "title": "重要数据咋判断？这招\"邪修\"办法，小白也能看懂！",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/eAD9Zhd-cbA5umcLoU9rxA",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-what-is-data-rules-and-compliance-primer",
      "title": "What Is Data, Really? — A Plain-Language Primer on Rules and Compliance",
      "url": "https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-what-is-data-rules-and-compliance-primer.md",
      "published": "2025-08-28T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-fundamentals",
        "data-governance",
        "compliance-architecture",
        "commentary"
      ],
      "laws_cited": [
        "dsl",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "account": "qinglan-data",
      "description": "What does it actually mean to call something 'data,' and what turns raw recordings into a data asset? Wang Qinglan uses a toy storage room metaphor to walk through the foundational concept overseas readers often skip: data is not just 'records' — it's records made under rules. Master data, metadata, ontology, the three-tier compliance taxonomy (legal / ethical / promised), and the three-step compliance workflow (select / allocate / execute) — all anchored in a concrete example a non-specialist can follow.",
      "original": {
        "title": "数据的奇妙真相：从生活实例看它的真面目",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/Dn4hlPZUHJOuUkLYzoaGLA",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-data-governance-management-compliance-disambiguation",
      "title": "Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation",
      "url": "https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-data-governance-management-compliance-disambiguation.md",
      "published": "2025-08-25T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-governance",
        "terminology",
        "dama",
        "compliance-architecture",
        "commentary"
      ],
      "laws_cited": [
        "dsl",
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-security",
        "data-economy"
      ],
      "account": "qinglan-data",
      "description": "Wang Qinglan disambiguates three terms that compliance and data teams habitually conflate: data governance, data management, and data compliance. Using a 'data manor' metaphor (the family council vs. the steward team vs. the community monitor), she maps each function to its job — setting direction, executing efficiently, and operating sustainably within external rules and self-imposed commitments. The piece is useful precisely where bilingual confusion is highest: 'data governance' in English carries different connotations than 数据治理 in Chinese practice.",
      "original": {
        "title": "3分钟读懂数据治理、数据管理与数据合规",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/ylOsa9BV7m9nw3WMR037Wg",
        "language": "zh"
      }
    },
    {
      "slug": "compliance-talker-ftz-negative-lists-important-data",
      "title": "FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data",
      "url": "https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data/",
      "markdown_url": "https://datacompliancechina.com/posts/compliance-talker-ftz-negative-lists-important-data.md",
      "published": "2025-08-12T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "cross-border",
        "important-data",
        "ftz-negative-list",
        "data-classification",
        "commentary"
      ],
      "laws_cited": [
        "cross-border-data-flows-provisions",
        "data-export-security-assessment-measures",
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "cross-border",
        "data-security"
      ],
      "account": "compliance-talker",
      "description": "Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.",
      "original": {
        "title": "原创 || 我国自贸区相继发布数据出境负面清单，企业重要数据管理影响几何？",
        "author": "全球法律政策研究 (Global Legal Policy Research Team)",
        "publication": "合规小叨客",
        "url": "https://mp.weixin.qq.com/s/yZm01jMnCzMSsHBbUhYPGw",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-what-data-registration-actually-confirms",
      "title": "What Does Data Registration Actually Confirm? — A Doctrinal Reading",
      "url": "https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-what-data-registration-actually-confirms.md",
      "published": "2024-09-19T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-property-rights",
        "data-registration",
        "civil-law-doctrine",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft",
        "public-data-registration-interim-measures"
      ],
      "domains": [
        "data-economy",
        "enforcement"
      ],
      "account": "qinglan-data",
      "description": "Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel.",
      "original": {
        "title": "数据确权登记，谁给的勇气？",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/BApKX7i4F6BoWooj3-DxjQ",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-on-exchange-vs-off-exchange-data-trading",
      "title": "On-Exchange vs. Off-Exchange Data Trading — A Uniquely Chinese Market Structure",
      "url": "https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-on-exchange-vs-off-exchange-data-trading.md",
      "published": "2024-07-01T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-exchanges",
        "data-economy",
        "szdex",
        "market-structure",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "qinglan-data",
      "description": "Why does China have data exchanges? Wang Qinglan's piece opens with an observation overseas readers will recognize: 'When you tell foreigners about China's on-exchange data trading market, you get blank stares — because exchange-organized data trading is uniquely Chinese.' The analogy she offers — Shenzhen Data Exchange is to data what the Shenzhen Stock Exchange is to securities — unlocks the architecture. Five tiers of trading venues by public-risk level. Three waves of Chinese data-exchange evolution. And the operational meaning of why on-exchange and off-exchange trading coexist.",
      "original": {
        "title": "场内数据交易一定比场外高贵吗？",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/2qNmM5uxUZkfqE3YCYZx8g",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-what-is-traded-on-data-exchanges",
      "title": "What Is Actually Traded on China's Data Exchanges — A Bakery Metaphor",
      "url": "https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-what-is-traded-on-data-exchanges.md",
      "published": "2024-05-28T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "data-economy",
        "data-trading",
        "data-products",
        "data-classification",
        "commentary"
      ],
      "laws_cited": [
        "data-foundation-system-opinions",
        "common-data-terms-batch-1",
        "common-data-terms-batch-2",
        "public-data-authorized-operation-specifications"
      ],
      "domains": [
        "data-economy"
      ],
      "account": "qinglan-data",
      "description": "Per the Shenzhen Provisional Measures for Data Trading Administration, four categories of object can be traded on a Chinese data exchange: data products, data services, data tools, and other regulator-approved objects. Wang Qinglan walks through what each means in plain language with a bakery metaphor — wheat (raw data) becomes flour (data resources) becomes cakes (data products); a baker is a data service; the oven is a data tool. The piece is useful precisely because it answers a question overseas teams rarely think to ask: what are the data exchanges actually selling?",
      "original": {
        "title": "数据交易，到底在交易什么？",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/xFM7nS_E0BoB272Im6Mciw",
        "language": "zh"
      }
    },
    {
      "slug": "qinglan-public-data-credit-licensing-case",
      "title": "Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.",
      "url": "https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case/",
      "markdown_url": "https://datacompliancechina.com/posts/qinglan-public-data-credit-licensing-case.md",
      "published": "2024-04-11T01:00:00.000Z",
      "author": "DCC Editorial",
      "featured": true,
      "tags": [
        "public-data",
        "credit-reference",
        "authorized-operation",
        "case-study",
        "commentary"
      ],
      "laws_cited": [
        "pipl",
        "public-data-registration-interim-measures",
        "public-data-authorized-operation-specifications"
      ],
      "domains": [
        "personal-information",
        "data-economy",
        "enforcement"
      ],
      "account": "qinglan-data",
      "description": "A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.",
      "original": {
        "title": "案例分析 | 公共数据授权运营后提供给金融机构是否须取得征信业务资质？",
        "author": "王青兰 (Wang Qinglan)",
        "publication": "青兰数据观察",
        "url": "https://mp.weixin.qq.com/s/EOP5UAW6V3n1HRYW1KYPeg",
        "language": "zh"
      }
    }
  ],
  "laws": [
    {
      "slug": "cs-joint-data-compliance-guide",
      "title_en": "China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter",
      "title_zh": "中国—新加坡联合数据合规指引：实务手册（中国篇）",
      "abbreviation": "CN-SG Joint Guide",
      "hierarchy": "handbook",
      "issuing_body": "Shenzhen Data Exchange · Asian Business Law Institute (Singapore) · Authority of Qianhai · Shenzhen Bureau of Justice",
      "effective_date": "2025-08-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cs-joint-data-compliance-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/cs-joint-data-compliance-guide.md",
      "related_laws": [],
      "domains": [
        "data-security",
        "personal-information",
        "cross-border"
      ],
      "featured": true,
      "full_text_available": false,
      "summary": "A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime."
    },
    {
      "slug": "data-export-security-assessment-measures",
      "title_en": "Measures for the Security Assessment of Data Export",
      "title_zh": "数据出境安全评估办法",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2022-05-19",
      "effective_date": "2022-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/data-export-security-assessment-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/data-export-security-assessment-measures.md",
      "related_laws": [
        "pipl",
        "dsl",
        "cross-border-data-flows-provisions"
      ],
      "domains": [
        "cross-border",
        "personal-information",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds."
    },
    {
      "slug": "cii-protection-regulations",
      "title_en": "Security Protection Regulations for Critical Information Infrastructure",
      "title_zh": "关键信息基础设施安全保护条例",
      "abbreviation": "CII Regulations",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2021-04-27",
      "effective_date": "2021-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cii-protection-regulations/",
      "markdown_url": "https://datacompliancechina.com/laws/cii-protection-regulations.md",
      "related_laws": [
        "csl",
        "network-data-security-regulations"
      ],
      "domains": [
        "critical-information-infrastructure",
        "cybersecurity-review",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "These Regulations operationalize the Critical Information Infrastructure (CII) regime under CSL Articles 31–39. They define CII identification rules, set out CIIO obligations (specialized security body, annual testing and risk assessment, security review of network products, breach reporting), and establish the inter-agency coordination structure under CAC + Ministry of Public Security."
    },
    {
      "slug": "data-foundation-system-opinions",
      "title_en": "Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements",
      "title_zh": "中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见",
      "abbreviation": "Data Twenty Opinions",
      "hierarchy": "regulation",
      "issuing_body": "CPC Central Committee and State Council",
      "adopted_date": "2022-12-02",
      "effective_date": "2022-12-02",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/data-foundation-system-opinions/",
      "markdown_url": "https://datacompliancechina.com/laws/data-foundation-system-opinions.md",
      "related_laws": [],
      "domains": [
        "data-economy",
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The foundational 20-article policy directive jointly issued by the CPC Central Committee and the State Council laying out China's national data basic system: data property rights structural subdivision (holding right / processing right / operation right), classified-and-graded right confirmation for public/enterprise/personal data, the on-floor + over-the-counter trading framework, the income distribution mechanism for data elements, and a multi-party governance model. This is the policy text that informs subsequent national-level legislation and rules on data assets, public data, and data property rights registration."
    },
    {
      "slug": "data-property-rights-registration-guide-draft",
      "title_en": "Data Property Rights Registration Work Guide (Trial)",
      "title_zh": "数据产权登记工作指引（试行）",
      "hierarchy": "rule",
      "issuing_body": "National Data Administration (NDA), Comprehensive Department",
      "adopted_date": "2026-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/data-property-rights-registration-guide-draft.md",
      "source_url": "https://mp.weixin.qq.com/s/cdOi12Q4eIbfLiI0r4szcQ",
      "related_laws": [
        "pipl",
        "dsl",
        "civil-code-personal-info",
        "public-data-registration-interim-measures",
        "public-data-authorized-operation-specifications"
      ],
      "domains": [
        "data-economy",
        "personal-information",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "NDA's first national framework for the registration of Data Property Rights — the rights to hold, use, and operate data established under the Data 20 Articles policy. Issued by the NDA Comprehensive Department on July 1, 2026 as the Trial Work Guide, it sets out registration institutions, the registration procedure (application, acceptance, review, public announcement, objection handling, evidence preservation, certificate issuance), the ownership-clarity rules that determine who can register which right over which data, the five registration types (initial, transfer, change, renewal, deregistration), and liability for institutions and applicants. Compared with the April 2026 consultation draft, the final text tightens security/public-interest gates, adds a definition of derived data, shifts the national platform terminology to a service system, strengthens provincial management and institution-exit rules, narrows public-data registration from mandatory to conditional/voluntary wording, and moves certificate validity from issuance to evidence-preservation completion."
    },
    {
      "slug": "gbt-44297-public-security-video-data-items",
      "title_en": "GB/T 44297—2024 Data Items of Video and Image Information for Public Security",
      "title_zh": "GB/T 44297—2024 公共安全视频图像信息数据项",
      "abbreviation": "GB/T 44297—2024",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China (SAC) and State Administration for Market Regulation (SAMR), proposed by Ministry of Public Security (MPS)",
      "adopted_date": "2024-08-23",
      "effective_date": "2024-08-23",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-44297-public-security-video-data-items.md",
      "related_laws": [
        "public-security-video-image-system-regulations",
        "facial-recognition-technology-application-measures",
        "facial-recognition-judicial-interpretation"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 44297—2024 is the national recommended standard that specifies the data items used in public-security video image information systems — the underlying field-level schema that camera systems, video platforms, and analysis tools use to describe and exchange video and image data. It applies to data exchange in networked public-security video applications. The standard catalogs more than twenty top-level data-item groups — covering camera information, system/platform information, equipment status, video clips, images, file objects, persons of interest, vehicles of interest, non-motor vehicles, items, scenes, events, regions, motion targets, subscriptions, feature vectors, organized data libraries, and real-time matching against reference lists — plus a set of normative code tables (Appendix D) used to encode the field values. The standard is technical reference material for system integrators and data engineers operating public-security video systems. Cross-reference to the *Administrative Regulation for Public Security Video Image Information Systems* (State Council Decree No. 799) and the *Facial Recognition Technology Application Measures* (CAC + MPS Decree No. 19), which set the legal duties; this standard tells operators what field-level data to capture and exchange in order to meet those duties."
    },
    {
      "slug": "personal-info-standard-contract-measures",
      "title_en": "Measures on the Standard Contract for the Outbound Transfer of Personal Information",
      "title_zh": "个人信息出境标准合同办法",
      "abbreviation": "SCC Measures",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2023-02-22",
      "effective_date": "2023-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/personal-info-standard-contract-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/personal-info-standard-contract-measures.md",
      "related_laws": [
        "pipl",
        "cross-border-data-flows-provisions",
        "data-export-security-assessment-measures",
        "cross-border-pi-certification-measures"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The second of CAC's three cross-border transfer pathways: signing a CAC-prescribed Standard Contract with the overseas recipient and filing it with the provincial CAC. Used by handlers below the Security Assessment thresholds. The Measures establish eligibility criteria, the filing procedure, ongoing obligations after filing, and the CAC's right to invalidate the contract on the recipient side. The Standard Contract template itself is annexed."
    },
    {
      "slug": "pipl",
      "title_en": "Personal Information Protection Law of the People's Republic of China",
      "title_zh": "中华人民共和国个人信息保护法",
      "abbreviation": "PIPL",
      "hierarchy": "law",
      "issuing_body": "National People's Congress Standing Committee",
      "adopted_date": "2021-08-20",
      "effective_date": "2021-11-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/pipl/",
      "markdown_url": "https://datacompliancechina.com/laws/pipl.md",
      "related_laws": [
        "dsl",
        "csl",
        "civil-code-personal-info"
      ],
      "domains": [
        "personal-information",
        "cross-border"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "PIPL is China's comprehensive personal-information protection regime. It is structured around the concept of the personal information handler — a Chinese-law term that should not be flattened to GDPR's data controller. PIPL governs consent, sensitive personal information, cross-border transfer, and the rights of individuals, with extraterritorial reach to handlers outside China that target domestic natural persons."
    },
    {
      "slug": "facial-recognition-judicial-interpretation",
      "title_en": "Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information",
      "title_zh": "最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定",
      "abbreviation": "FRT Judicial Interpretation",
      "hierarchy": "judicial",
      "issuing_body": "Supreme People's Court",
      "adopted_date": "2021-06-08",
      "effective_date": "2021-08-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation/",
      "markdown_url": "https://datacompliancechina.com/laws/facial-recognition-judicial-interpretation.md",
      "related_laws": [
        "pipl",
        "civil-code-personal-info"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The Supreme People's Court's interpretation of how civil courts should apply law in cases involving facial recognition. Defines what counts as 'processing facial information', enumerates conduct that infringes personality rights, addresses consent validity (mandatory consent through a service agreement is not valid), and sets out remedies and burden-of-proof allocation. Issued before PIPL took effect but designed to interoperate with PIPL's sensitive-personal-information regime."
    },
    {
      "slug": "cross-border-data-flows-provisions",
      "title_en": "Provisions on Promoting and Regulating Cross-border Data Flows",
      "title_zh": "促进和规范数据跨境流动规定",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2023-11-28",
      "effective_date": "2024-03-22",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cross-border-data-flows-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/cross-border-data-flows-provisions.md",
      "related_laws": [
        "pipl",
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "cross-border",
        "personal-information",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The 2024 Cross-border Data Flow Provisions are CAC's relaxation package on outbound data transfer. They introduce thresholds and exemptions for the security assessment, standard contract, and certification pathways, plus a free trade zone (FTZ) negative-list mechanism. For overseas counsel, this is the regulation that practically determines whether a routine cross-border transfer needs to clear formal CAC review or not."
    },
    {
      "slug": "network-data-security-regulations",
      "title_en": "Regulation on Network Data Security Management",
      "title_zh": "网络数据安全管理条例",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2024-08-30",
      "effective_date": "2025-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/network-data-security-regulations/",
      "markdown_url": "https://datacompliancechina.com/laws/network-data-security-regulations.md",
      "related_laws": [
        "pipl",
        "dsl",
        "csl"
      ],
      "domains": [
        "data-security",
        "personal-information",
        "cross-border",
        "critical-information-infrastructure"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The Network Data Security Management Regulation is the State Council's overarching implementing regulation for the three foundational data-protection statutes (CSL, DSL, PIPL). It consolidates network-data security obligations, important-data identification and classification, cross-border transfer rules, security-incident reporting, and operator obligations for large data handlers and internet platforms. Promulgated as State Council Decree No. 790."
    },
    {
      "slug": "network-data-security-risk-assessment-measures",
      "title_en": "Measures for Network Data Security Risk Assessment",
      "title_zh": "网络数据安全风险评估办法",
      "abbreviation": "Network Data Risk Assessment Measures",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China; Ministry of Industry and Information Technology; Ministry of Public Security",
      "adopted_date": "2026-06-01",
      "effective_date": "2026-08-20",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/network-data-security-risk-assessment-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/network-data-security-risk-assessment-measures.md",
      "source_url": "https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ",
      "related_laws": [
        "network-data-security-regulations",
        "dsl",
        "csl",
        "gbt-45577-data-security-risk-assessment",
        "industrial-data-security-risk-assessment-rules"
      ],
      "domains": [
        "data-security",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The first dedicated, cross-sector implementing rule for the annual network-data risk-assessment obligation created by the Network Data Security Management Regulation (State Council Decree No. 790). Jointly issued by the CAC, MIIT and the Ministry of Public Security as Order No. 24, it requires every important-data handler to conduct a risk assessment each year — and again whenever a material change in the security status of important data may adversely affect security — to retain the report for at least three years, and to submit it to the competent authority within 20 working days; general-data handlers are encouraged to assess at least once every three years. It builds the regime for third-party assessment institutions: voluntary certification, a ban on sub-entrustment, a no-more-than-three-consecutive-years rotation rule, and confidentiality and deletion duties. Regulators may compel a certified-institution assessment after a high-risk finding or a breach involving important data or large-scale personal information, and may order an important-data handler to stop processing important data where activities endanger national security or the public interest. Adopted June 1, 2026; promulgated June 18, 2026; effective August 20, 2026."
    },
    {
      "slug": "personal-info-standard-contract-filing-guide",
      "title_en": "Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition)",
      "title_zh": "个人信息出境标准合同备案指南（第一版）",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2023-05-30",
      "effective_date": "2023-05-30",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/personal-info-standard-contract-filing-guide.md",
      "related_laws": [
        "personal-info-standard-contract-measures",
        "pipl"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "CAC's procedural guide accompanying the SCC Measures. Specifies the filing materials required, where to file (provincial CAC), online filing system mechanics, materials acceptance and review timeline, and standardized templates for the power of attorney, the letter of commitment, the Standard Contract itself, and the Personal Information Protection Impact Assessment Report. Read together with the SCC Measures for the operational filing path."
    },
    {
      "slug": "pi-infringement-criminal-interpretation",
      "title_en": "Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing upon Citizens' Personal Information",
      "title_zh": "最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释",
      "abbreviation": "PI Criminal Interpretation",
      "hierarchy": "judicial",
      "issuing_body": "Supreme People's Court; Supreme People's Procuratorate",
      "adopted_date": "2017-05-08",
      "effective_date": "2017-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/pi-infringement-criminal-interpretation/",
      "markdown_url": "https://datacompliancechina.com/laws/pi-infringement-criminal-interpretation.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The principal judicial interpretation governing the crime of infringing upon citizens' personal information under Article 253a of the Criminal Law. It defines 'citizens' personal information', clarifies what constitutes 'providing' and 'illegally obtaining' such information, and sets quantitative thresholds for 'serious circumstances' and 'particularly serious circumstances' (e.g., 50 items of tracking, communication-content, credit-reporting or property information; 500 items of accommodation, communication-record, health or transaction information; 5,000 items of other personal information). It also addresses corporate liability, sentencing for related network crimes, and the determination of fines."
    },
    {
      "slug": "common-data-terms-batch-1",
      "title_en": "Explanation of Common Terms in the Field of Data (First Batch)",
      "title_zh": "数据领域常用名词解释（第一批）",
      "abbreviation": "Data Terms Batch 1",
      "hierarchy": "rule",
      "issuing_body": "National Data Administration",
      "adopted_date": "2024-12-30",
      "effective_date": "2024-12-30",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/common-data-terms-batch-1/",
      "markdown_url": "https://datacompliancechina.com/laws/common-data-terms-batch-1.md",
      "related_laws": [],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The first installment of official terminology explanations issued by the National Data Administration. Establishes authoritative Chinese government definitions for 40 foundational data-field concepts including data, primary data, data resources, data elements, data products and services, data assets, data handling, data handler, commissioned data handler, data circulation, data transaction, data governance, data security, public data, digital industrialization, industrial digitalization, metadata, structured/semi-structured/unstructured data, privacy-protective computation (secure multi-party computing, federated learning, trusted execution environment, cryptographic computing), and blockchain."
    },
    {
      "slug": "spp-pi-crime-reply-letter",
      "title_en": "Reply of the Research Office of the Supreme People's Procuratorate on the Solicitation of Opinions Concerning the Application of Law in the Crime of Infringing upon Citizens' Personal Information",
      "title_zh": "最高人民检察院法律政策研究室关于侵犯公民个人信息罪有关法律适用问题征求意见的复函",
      "abbreviation": "SPP PI Crime Reply",
      "hierarchy": "judicial",
      "issuing_body": "Research Office of the Supreme People's Procuratorate",
      "adopted_date": "2018-01-01",
      "effective_date": "2018-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/spp-pi-crime-reply-letter/",
      "markdown_url": "https://datacompliancechina.com/laws/spp-pi-crime-reply-letter.md",
      "related_laws": [
        "pi-infringement-criminal-interpretation"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A short reply letter (Fa Yan [2018] No. 11) addressing whether 'citizens' personal information' under Article 253a of the Criminal Law is confined to the personal information of Chinese nationals. It concludes that the term covers not only the personal information of Chinese citizens but also that of foreign nationals and stateless persons, reasoning from the wording of the statute, legislative intent (equal protection), and judicial practice (excluding foreigners would let offenders escape punishment and be unworkable in mixed-data cases)."
    },
    {
      "slug": "basic-medical-health-care-promotion-law",
      "title_en": "Basic Medical and Health Care and Health Promotion Law of the People's Republic of China",
      "title_zh": "中华人民共和国基本医疗卫生与健康促进法",
      "abbreviation": "Basic Health Care Law",
      "hierarchy": "law",
      "issuing_body": "Standing Committee of the National People's Congress",
      "adopted_date": "2019-12-28",
      "effective_date": "2020-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/basic-medical-health-care-promotion-law/",
      "markdown_url": "https://datacompliancechina.com/laws/basic-medical-health-care-promotion-law.md",
      "source_url": "https://wsjkw.nx.gov.cn/zfxxgk_279/zcfg/202109/t20210906_3006970.html",
      "related_laws": [
        "civil-code-personal-info",
        "pipl",
        "medical-institutions-regulation",
        "medical-records-administration-provisions",
        "hgr-regulation",
        "healthcare-institutions-data-security-pi-measures"
      ],
      "domains": [
        "health",
        "personal-information",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "China's foundational health-sector statute, enacted by the NPCSC on 28 December 2019 and effective from 1 June 2020, establishes the architecture of the national health-care system across 10 chapters and 110 articles — covering basic medical and public-health services, health-care institutions, medical personnel, drug supply, health promotion, funding, and supervision. For data-compliance purposes the central provision is Article 92, which lays down a sector-specific protection regime for citizens' personal health information (公民个人健康信息) that operates as an overlay on PIPL: it prohibits any organisation or individual from unlawfully collecting, using, processing, or transmitting such information, or from unlawfully buying, selling, providing, or disclosing it. Article 102 makes disclosure of personal health information by medical personnel a disciplinary offence, and Articles 101 and 105 attach administrative and public-security penalties to inadequate information-security systems and unlawful data handling. Overseas counsel advising on health-data projects, clinical-trial data transfers, or digital-health deployments in China should read this law alongside PIPL and the Cybersecurity Law to identify the full stack of obligations."
    },
    {
      "slug": "common-data-terms-batch-2",
      "title_en": "Explanation of Common Terms in the Field of Data (Second Batch)",
      "title_zh": "数据领域常用名词解释（第二批）",
      "abbreviation": "Data Terms Batch 2",
      "hierarchy": "rule",
      "issuing_body": "National Data Administration",
      "adopted_date": "2025-03-29",
      "effective_date": "2025-03-29",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/common-data-terms-batch-2/",
      "markdown_url": "https://datacompliancechina.com/laws/common-data-terms-batch-2.md",
      "related_laws": [],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The second installment of official terminology explanations issued by the National Data Administration, continuing the consensus-building effort that began with the First Batch in December 2024. The 20 terms in this batch focus on data property rights vocabulary (Data Property Rights, Data Property Rights Registration, Right to Hold Data, Right to Use Data, Right to Operate Data, derived data, enterprise data); data trading institutions and market structure (data trading institution, on-exchange data trading, off-exchange data trading, data trading matching, data third-party professional service institution); the data industry and data labeling sub-industry; trusted data space and data use control; data infrastructure; and computing-power scheduling and pooling. DCC translation, cross-checked against the glossary for consistency with the public-data property-rights registration documents."
    },
    {
      "slug": "cross-border-pi-certification-measures",
      "title_en": "Measures for the Certification of the Cross-border Provision of Personal Information",
      "title_zh": "个人信息出境认证办法",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR)",
      "adopted_date": "2025-07-21",
      "effective_date": "2026-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cross-border-pi-certification-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/cross-border-pi-certification-measures.md",
      "related_laws": [
        "pipl",
        "cross-border-data-flows-provisions",
        "data-export-security-assessment-measures"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways."
    },
    {
      "slug": "personal-info-audit-measures",
      "title_en": "Administrative Measures for Personal Information Protection Compliance Audits",
      "title_zh": "个人信息保护合规审计管理办法",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2024-05-20",
      "effective_date": "2025-05-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/personal-info-audit-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/personal-info-audit-measures.md",
      "related_laws": [
        "pipl",
        "network-data-security-regulations"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "These Measures implement the compliance-audit obligation in PIPL Article 54. Self-audit is required at least every two years for handlers of more than 10 million people's personal information; CAC-directed audits by a third-party specialized agency are triggered by significant risk, large-scale infringement, or major security incidents. The Measures are accompanied by a 27-section Guidelines annex that lays out exactly what auditors should examine — effectively a regulator-issued checklist for personal-information compliance."
    },
    {
      "slug": "cybersecurity-review-measures",
      "title_en": "Cybersecurity Review Measures",
      "title_zh": "网络安全审查办法",
      "hierarchy": "rule",
      "issuing_body": "CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA)",
      "adopted_date": "2021-11-16",
      "effective_date": "2022-02-15",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cybersecurity-review-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/cybersecurity-review-measures.md",
      "related_laws": [
        "csl",
        "dsl",
        "cii-protection-regulations"
      ],
      "domains": [
        "cybersecurity-review",
        "critical-information-infrastructure",
        "cross-border"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The 2021 update to the cybersecurity review regime, expanded after the Didi enforcement action. Applies to (i) CIIO procurement of network products/services that may affect national security, and (ii) network platforms holding personal information of more than one million users when seeking an overseas listing. Sets the procedure, factors considered, and outcomes (no-action, conditional approval, prohibition)."
    },
    {
      "slug": "tc260-sensitive-pi-identification-guide",
      "title_en": "Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024)",
      "title_zh": "网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409)",
      "abbreviation": "TC260 Sensitive PI Guide",
      "hierarchy": "standard",
      "issuing_body": "Secretariat of the National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2024-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/tc260-sensitive-pi-identification-guide.md",
      "related_laws": [
        "pipl",
        "facial-recognition-judicial-interpretation",
        "facial-recognition-technology-application-measures"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "TC260's September 2024 practice guide for identifying sensitive personal information under PIPL Article 28. Sets out a four-rule identification framework — damage to personal dignity, to personal safety, to property safety, and aggregation effects — and lists eight common categories of sensitive personal information with illustrative examples in Appendix A. The guide is not a mandatory standard; it is advisory practice guidance issued by the TC260 Secretariat to help organizations operationalize PIPL's sensitive-PI regime. Practical reference for handlers performing the PIPIA required by PIPL Article 55(I) before processing sensitive personal information."
    },
    {
      "slug": "dsl",
      "title_en": "Data Security Law of the People's Republic of China",
      "title_zh": "中华人民共和国数据安全法",
      "abbreviation": "DSL",
      "hierarchy": "law",
      "issuing_body": "National People's Congress Standing Committee",
      "adopted_date": "2021-06-10",
      "effective_date": "2021-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/dsl/",
      "markdown_url": "https://datacompliancechina.com/laws/dsl.md",
      "related_laws": [
        "pipl",
        "csl"
      ],
      "domains": [
        "data-security",
        "cross-border"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval."
    },
    {
      "slug": "minors-online-protection-regulations",
      "title_en": "Regulations on the Protection of Minors in Cyberspace",
      "title_zh": "未成年人网络保护条例",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2023-09-20",
      "effective_date": "2024-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/minors-online-protection-regulations/",
      "markdown_url": "https://datacompliancechina.com/laws/minors-online-protection-regulations.md",
      "related_laws": [
        "pipl",
        "csl"
      ],
      "domains": [
        "minors-protection",
        "personal-information",
        "app-compliance"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Implementing regulation for the protection of minors under PIPL and CSL. Covers age-appropriate content, online education, addiction-prevention regimes for video games and short videos, sensitive personal information of minors (under 14), parental consent mechanisms, and platform obligations for products targeting or accessible to minors."
    },
    {
      "slug": "drug-administration-law",
      "title_en": "Drug Administration Law of the People's Republic of China (2019 Revision)",
      "title_zh": "中华人民共和国药品管理法（2019修订）",
      "abbreviation": "Drug Administration Law",
      "hierarchy": "law",
      "issuing_body": "National People's Congress Standing Committee",
      "adopted_date": "2019-08-26",
      "effective_date": "2019-12-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/drug-administration-law/",
      "markdown_url": "https://datacompliancechina.com/laws/drug-administration-law.md",
      "related_laws": [
        "basic-medical-health-care-promotion-law"
      ],
      "domains": [
        "health"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The Drug Administration Law is China's foundational statute governing the research, manufacture, distribution, and use of drugs. The 2019 revision overhauled the regime around the marketing authorization holder (MAH) system, under which the holder bears full-lifecycle responsibility for a drug's safety, efficacy, and quality controllability. Although the law is predominantly product- and market-regulation in character, it contains discrete data-compliance touchpoints: a national drug traceability system, a pharmacovigilance and adverse-reaction reporting and monitoring regime, extensive production, inspection, and purchase-and-sale recordkeeping duties, and the use of clinical-trial and real-world data to support drug approvals. These provisions impose data integrity, retention, and reporting obligations on MAHs, manufacturers, distributors, and medical institutions."
    },
    {
      "slug": "cybersecurity-incident-reporting-measures",
      "title_en": "Measures for the Administration of National Cybersecurity Incident Reporting",
      "title_zh": "国家网络安全事件报告管理办法",
      "abbreviation": "Incident Reporting Measures",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2025-09-11",
      "effective_date": "2025-11-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cybersecurity-incident-reporting-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/cybersecurity-incident-reporting-measures.md",
      "source_url": "https://www.cac.gov.cn/2025-09/15/c_1759583017717009.htm",
      "related_laws": [
        "csl",
        "dsl",
        "pipl",
        "cii-protection-regulations",
        "network-data-security-regulations",
        "healthcare-institutions-cybersecurity-measures"
      ],
      "domains": [
        "data-security",
        "cybersecurity-review"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the CAC on September 11, 2025 and effective November 1, 2025, these Measures establish a unified national workflow for cybersecurity incident reporting, triggered whenever an incident is graded 'relatively significant' or above under the annexed Classification Guidelines (which track GB/T 20986-2023). Reporting clocks are calibrated by operator type: critical information infrastructure (CII) operators must report within one hour, central and state organs within two hours, and all other network operators within four hours, with tighter escalation windows for major and especially major incidents. Each report must cover eight specified elements — including, for ransomware, the ransom amount and payment deadline — and a comprehensive 30-day summary report is required after incident handling concludes; the 12387 hotline serves as the central intake. Article 11 creates an explicit safe harbour for operators that prepared adequately, responded under their emergency plan, and reported in good time, while Article 10 subjects late, false, or concealed reporting that causes serious harm to heavier penalties for both the entity and responsible individuals — a combination that overseas counsel should factor into incident-response playbooks for any China-nexus operation."
    },
    {
      "slug": "medical-devices-supervision-regulation",
      "title_en": "Regulation on the Supervision and Administration of Medical Devices (2024 Revision)",
      "title_zh": "医疗器械监督管理条例（2024修订）",
      "abbreviation": "Medical Devices Regulation",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2000-01-04",
      "effective_date": "2025-01-20",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/medical-devices-supervision-regulation/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-devices-supervision-regulation.md",
      "related_laws": [
        "basic-medical-health-care-promotion-law"
      ],
      "domains": [
        "health"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The Regulation on the Supervision and Administration of Medical Devices is the State Council's foundational administrative regulation governing the research, manufacture, distribution, and use of medical devices on a risk-based, full-lifecycle basis. For data-compliance purposes it mandates the unique device identification (UDI) system to achieve device traceability (Article 38), requires registrants to build and operate product traceability and recall systems (Articles 20, 62), and establishes the adverse-event monitoring regime with a dedicated information network and mandatory reporting to monitoring technical institutions (Chapter V). It also requires registration applicants to ensure submitted data is lawful, authentic, accurate, complete, and traceable, and requires device-use records (including implant and large-equipment parameters) to be preserved in patient medical records and use archives."
    },
    {
      "slug": "csl",
      "title_en": "Cybersecurity Law of the People's Republic of China (2025 Amendment)",
      "title_zh": "中华人民共和国网络安全法（2025 修正）",
      "abbreviation": "CSL",
      "hierarchy": "law",
      "issuing_body": "National People's Congress Standing Committee",
      "adopted_date": "2016-11-07",
      "effective_date": "2017-06-01",
      "status": "amended",
      "url": "https://datacompliancechina.com/laws/csl/",
      "markdown_url": "https://datacompliancechina.com/laws/csl.md",
      "related_laws": [
        "pipl",
        "dsl"
      ],
      "domains": [
        "data-security",
        "critical-information-infrastructure",
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The Cybersecurity Law is the earliest of the three foundational data-protection statutes. It establishes the Multi-Level Protection Scheme (MLPS), the Critical Information Infrastructure regime, network-operator obligations, and the cybersecurity review framework. The current text incorporates the 2025 amendment, which takes effect January 1, 2026."
    },
    {
      "slug": "genai-services-interim-measures",
      "title_en": "Interim Measures for the Management of Generative Artificial Intelligence Services",
      "title_zh": "生成式人工智能服务管理暂行办法",
      "hierarchy": "rule",
      "issuing_body": "CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA)",
      "adopted_date": "2023-05-23",
      "effective_date": "2023-08-15",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/genai-services-interim-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/genai-services-interim-measures.md",
      "related_laws": [
        "pipl",
        "deep-synthesis-provisions",
        "algorithmic-recommendation-provisions"
      ],
      "domains": [
        "ai-governance"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "China's flagship generative-AI regulation — the first comprehensive national regulation of GenAI services anywhere in the world. Covers content compliance, training data quality, personal-information handling, security assessment and algorithm filing, real-name verification, and labeling. Applies to GenAI services provided to the Chinese public; some obligations are conditioned on consumer-facing deployment."
    },
    {
      "slug": "healthcare-institutions-data-security-pi-measures",
      "title_en": "Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial)",
      "title_zh": "医疗卫生机构数据安全和个人信息保护管理办法（试行）",
      "abbreviation": "Healthcare Data Security & PI Measures",
      "hierarchy": "rule",
      "issuing_body": "National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration",
      "adopted_date": "2026-02-12",
      "effective_date": "2026-02-12",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/healthcare-institutions-data-security-pi-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/healthcare-institutions-data-security-pi-measures.md",
      "source_url": "https://www.nhc.gov.cn/guihuaxxs/c100133/202602/",
      "related_laws": [
        "pipl",
        "dsl",
        "network-data-security-regulations",
        "healthcare-institutions-cybersecurity-measures",
        "national-health-medical-big-data-measures",
        "population-health-information-measures",
        "basic-medical-health-care-promotion-law"
      ],
      "domains": [
        "health",
        "data-security",
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Issued jointly in February 2026 by five agencies — the National Health Commission, Ministry of Public Security, Cyberspace Administration of China, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration — this trial rule applies the Data Security Law, PIPL, and the Regulation on Network Data Security Management to healthcare institutions. The Measures establish a three-tier data classification and grading framework (core data, important data, and general data), impose full-lifecycle security management obligations (governance, personnel, operations, technology, and incident response), and set out a ten-item data security prohibition list and an eight-item personal information prohibition list covering unlawful collection, unauthorized cross-border transfers, excessive access, and misuse of facial recognition. It is the sector's primary data-compliance instrument and the reference point for overseas pharma, medtech, and hospital joint-venture operators navigating data sharing, cross-border transfers, AI deployment, and clinical research partnerships in China."
    },
    {
      "slug": "government-data-sharing-regulations",
      "title_en": "Regulations on the Sharing of Government Data",
      "title_zh": "政务数据共享条例",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2025-05-09",
      "effective_date": "2025-08-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/government-data-sharing-regulations/",
      "markdown_url": "https://datacompliancechina.com/laws/government-data-sharing-regulations.md",
      "related_laws": [
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The first comprehensive State Council regulation specifically governing the sharing of government data across agencies. Establishes the unified national government-data sharing platform, defines responsibilities of the National Data Administration, sets data quality and security requirements, and addresses personal-information and important-data handling within the government-data context."
    },
    {
      "slug": "national-health-medical-big-data-measures",
      "title_en": "Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial)",
      "title_zh": "国家健康医疗大数据标准、安全和服务管理办法（试行）",
      "abbreviation": "Health & Medical Big Data Measures",
      "hierarchy": "rule",
      "issuing_body": "National Health Commission",
      "adopted_date": "2018-07-12",
      "effective_date": "2018-07-12",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/national-health-medical-big-data-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/national-health-medical-big-data-measures.md",
      "source_url": "https://www.cac.gov.cn/2018-09/15/c_1123432498.htm",
      "related_laws": [
        "dsl",
        "pipl",
        "healthcare-institutions-data-security-pi-measures",
        "healthcare-institutions-cybersecurity-measures",
        "population-health-information-measures",
        "basic-medical-health-care-promotion-law"
      ],
      "domains": [
        "health",
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the National Health Commission on 12 July 2018 (document no. 国卫规划发〔2018〕23号), these Measures declare health and medical big data a fundamental national strategic resource and establish a comprehensive governance framework across three pillars: standards management, data security, and service management. Mandatory domestic storage within PRC territory is required, and cross-border transfer of health and medical big data is subject to a security assessment and approval process. Responsible units — including hospitals, health-information platforms, and enterprises — must implement the national Multi-Level Protection Scheme (MLPS), establish electronic real-name authentication and access-control systems, maintain full-process audit trails, and report major cybersecurity incidents. The Measures predate but directly feed into the Data Security Law and the Personal Information Protection Law and remain the primary sector-specific rule governing Chinese health data."
    },
    {
      "slug": "healthcare-institutions-cybersecurity-measures",
      "title_en": "Measures for the Cybersecurity Management of Healthcare Institutions",
      "title_zh": "医疗卫生机构网络安全管理办法",
      "abbreviation": "Healthcare Cybersecurity Measures",
      "hierarchy": "rule",
      "issuing_body": "National Health Commission, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration",
      "adopted_date": "2022-08-08",
      "effective_date": "2022-08-08",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/healthcare-institutions-cybersecurity-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/healthcare-institutions-cybersecurity-measures.md",
      "source_url": "https://www.gov.cn/zhengce/zhengceku/2022-08/30/content_5707404.htm",
      "related_laws": [
        "csl",
        "cii-protection-regulations",
        "healthcare-institutions-data-security-pi-measures",
        "national-health-medical-big-data-measures",
        "population-health-information-measures",
        "cybersecurity-incident-reporting-measures"
      ],
      "domains": [
        "health",
        "data-security",
        "cybersecurity-review"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly in August 2022 by the National Health Commission (NHC), the National Administration of Traditional Chinese Medicine (NATCM), and the National Disease Control and Prevention Administration (NDCPA), these Measures translate the Cybersecurity Law and the Multi-Level Protection Scheme (MLPS) into sector-specific obligations for every healthcare institution operating a network in China. They establish a graded classification and protection framework, fix the institution as the primary responsible party for cybersecurity, and impose tailored security requirements for emerging technologies including cloud computing, IoT, internet-based diagnosis, facial recognition, and cross-border data flows. A dedicated data security chapter covers the full data lifecycle — from lawful collection through encrypted storage and transmission to irreversible destruction — with a hard data-localization rule and a requirement to submit national security review filings for processing activities that affect or may affect national security. Overseas counsel advising on digital-health investments, telemedicine joint ventures, or health-data export transactions will find these Measures to be the primary sector law governing operational cybersecurity and data security obligations for Chinese healthcare entities."
    },
    {
      "slug": "population-health-information-measures",
      "title_en": "Measures for the Administration of Population Health Information (Trial)",
      "title_zh": "人口健康信息管理办法（试行）",
      "abbreviation": "Population Health Information Measures",
      "hierarchy": "rule",
      "issuing_body": "National Health and Family Planning Commission",
      "adopted_date": "2014-05-05",
      "effective_date": "2014-05-05",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/population-health-information-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/population-health-information-measures.md",
      "source_url": "http://www.cac.gov.cn/2014-08/20/c_1112064075.htm",
      "related_laws": [
        "pipl",
        "healthcare-institutions-data-security-pi-measures",
        "national-health-medical-big-data-measures",
        "healthcare-institutions-cybersecurity-measures",
        "shenzhen-health-data-management-measures"
      ],
      "domains": [
        "health",
        "personal-information",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the National Health and Family Planning Commission in May 2014 under Document No. 国卫规划发〔2014〕24号, these Measures govern the collection, storage, management, use, and security protection of population health information by all health and family-planning service institutions. The Measures define population health information, establish a 'one data point, one source' collection principle, and—crucially—prohibit the storage of population health information on servers located overseas. They impose a system of classified information utilization, trace-management for all access and modification, and a liability-investigation mechanism for breaches. As one of China's earliest sectoral health-data localization rules, these Measures remain relevant for overseas counsel advising on health-tech investment, cross-border health-data transfers, and compliance due diligence under the layered framework that now includes PIPL and the Data Security Law."
    },
    {
      "slug": "shenzhen-health-data-management-measures",
      "title_en": "Shenzhen Health Data Management Measures",
      "title_zh": "深圳市卫生健康数据管理办法",
      "abbreviation": "Shenzhen Health Data Measures",
      "hierarchy": "rule",
      "issuing_body": "Shenzhen Municipal Health Commission",
      "adopted_date": "2023-11-16",
      "effective_date": "2024-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/shenzhen-health-data-management-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/shenzhen-health-data-management-measures.md",
      "source_url": "https://wjw.sz.gov.cn/xxgk/zcfggfxwj/mybh_5/content/post_11009298.html",
      "related_laws": [
        "shenzhen-sez-data-regulations",
        "pipl",
        "healthcare-institutions-data-security-pi-measures",
        "national-health-medical-big-data-measures",
        "population-health-information-measures"
      ],
      "domains": [
        "health",
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Shenzhen's 2023 local rule operationalizes the Shenzhen Special Economic Zone Data Regulations specifically for the health sector, establishing a unified municipal health data platform (the Shenzhen Municipal Health Data Center) and a 'one-data-one-source' collection principle. The Measures introduce a five-tier health data classification — general health data, public health data, personal health data, sensitive personal health data, and data processing — and impose differentiated notice-and-consent, access-control, security, and retention rules that track PIPL's risk-proportionate approach. A dedicated chapter on data sharing and openness sets out consent-gated sharing of personal health data, unconditional sharing of basic public health information, and a three-tier public openness framework (unconditional / conditional / not open), with explicit prohibition on re-identification of shared data. Overseas counsel advising multinational hospitals, diagnostics companies, health-tech platforms, or life-sciences firms with Shenzhen operations must understand these Measures: they impose MLPS filing requirements, domestic-server storage for health data, six specific transmission-security measures including mandatory use of nationally certified cryptographic algorithms, and an annual data-security audit cycle — obligations that layer on top of PIPL and the DSL."
    },
    {
      "slug": "miit-industrial-data-security-measures",
      "title_en": "Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial)",
      "title_zh": "工业和信息化领域数据安全管理办法（试行）",
      "abbreviation": "Industrial Data Security Measures",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Industry and Information Technology",
      "adopted_date": "2022-12-08",
      "effective_date": "2023-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/miit-industrial-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/miit-industrial-data-security-measures.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "industrial",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "These Measures are the principal sector-specific framework implementing the Data Security Law within the industry, telecommunications and radio-spectrum fields administered by MIIT. They establish a three-tier data classification (general / important / core data), filing of important- and core-data catalogues, full-lifecycle security obligations, cross-border transfer controls, monitoring and incident-response duties, and a testing/certification/assessment regime. Issued as MIIT Cyber Security [2022] No. 166 and effective January 1, 2023."
    },
    {
      "slug": "civil-code-personal-info",
      "title_en": "Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information",
      "title_zh": "中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章",
      "abbreviation": "Civil Code (PI Chapter)",
      "hierarchy": "law",
      "issuing_body": "National People's Congress",
      "adopted_date": "2020-05-28",
      "effective_date": "2021-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/civil-code-personal-info/",
      "markdown_url": "https://datacompliancechina.com/laws/civil-code-personal-info.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Articles 1032–1039 of the Civil Code's Personality Rights Book establish the civil-law foundation for privacy and personal-information protection in China. The chapter defines the right of privacy, the scope of personal information, principles for handling, statutory defenses, individuals' rights of access and correction, processor obligations, and confidentiality duties of State organs. Civil-law remedies under this chapter operate alongside the public-law PIPL regime — neither displaces the other."
    },
    {
      "slug": "pboc-data-security-measures",
      "title_en": "Measures for the Administration of Data Security in the Business Fields of the People's Bank of China",
      "title_zh": "中国人民银行业务领域数据安全管理办法",
      "abbreviation": "PBOC Data Security Measures",
      "hierarchy": "rule",
      "issuing_body": "People's Bank of China",
      "adopted_date": "2025-04-02",
      "effective_date": "2025-06-30",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/pboc-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/pboc-data-security-measures.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "finance",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Promulgated as PBOC Order [2025] No. 3 and effective June 30, 2025, these Measures are the People's Bank of China's departmental rule on data security across the business fields it supervises. They build a full-lifecycle security regime for business data — covering classification and grading (general / important / core data and a sensitivity dimension), management and technical requirements for collection, storage, use, processing, transmission, provision, cross-border transfer, public disclosure and deletion, and risk and incident management. Data processors (financial institutions and other PBOC-approved institutions) must inventory their data, designate security officers for important data, conduct annual risk assessments, and report security incidents, with penalties keyed to Article 45 of the Data Security Law."
    },
    {
      "slug": "energy-industry-data-security-measures",
      "title_en": "Measures for the Administration of Data Security in the Energy Industry (Trial)",
      "title_zh": "能源行业数据安全管理办法（试行）",
      "hierarchy": "rule",
      "issuing_body": "National Energy Administration",
      "adopted_date": "2025-12-08",
      "effective_date": "2026-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/energy-industry-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/energy-industry-data-security-measures.md",
      "related_laws": [
        "dsl",
        "energy-industry-data-classification-grading-guide"
      ],
      "domains": [
        "energy-resources",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Issued by the National Energy Administration as a departmental normative document (Doc. No. Guo Neng Fa Gui Hua Gui [2025] No. 108) on December 8, 2025, effective July 1, 2026, with a five-year term. These trial measures implement the Data Security Law within the energy sector. They define 'energy industry data' (data collected and generated in energy activities — planning, design, construction, production, storage and transport, consumption, and research) and establish the three-tier classification of general, important, and core data. The measures assign supervisory roles to the National Energy Administration, provincial energy authorities, and central energy enterprises; set out catalog-reporting duties for important and core data; and impose graduated protection requirements keyed to Multi-Level Protection Scheme (MLPS) levels — Level 3 or above for important data, and Level 4 (or CII protection) for core data. They also require annual risk assessments for important-data processors, cross-border security assessment for outbound important data, risk-assessment thresholds for core-data transfers (the 30% annual cumulative volume trigger), and a monitoring, early-warning, and emergency-response regime with a one-working-day reporting deadline for major incidents."
    },
    {
      "slug": "algorithmic-recommendation-provisions",
      "title_en": "Provisions on the Administration of Algorithmic Recommendation Services for Internet Information Services",
      "title_zh": "互联网信息服务算法推荐管理规定",
      "hierarchy": "rule",
      "issuing_body": "CAC, MIIT, MPS, SAMR",
      "adopted_date": "2021-11-16",
      "effective_date": "2022-03-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/algorithmic-recommendation-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/algorithmic-recommendation-provisions.md",
      "related_laws": [
        "pipl",
        "dsl",
        "deep-synthesis-provisions"
      ],
      "domains": [
        "algorithm-recommendation",
        "ai-governance",
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The first comprehensive Chinese regulation of recommendation algorithms. Establishes the algorithm filing regime, requires opt-out mechanisms, regulates personalized pricing and targeted advertising, sets special protections for minors and the elderly, and bans practices like price discrimination based on user characteristics. Applies to all algorithmic recommendation services available to the Chinese public."
    },
    {
      "slug": "medical-records-administration-provisions",
      "title_en": "Provisions on the Administration of Medical Records of Medical Institutions (2013)",
      "title_zh": "医疗机构病历管理规定（2013年版）",
      "abbreviation": "Medical Records Provisions",
      "hierarchy": "rule",
      "issuing_body": "National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine",
      "adopted_date": "2013-11-20",
      "effective_date": "2014-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/medical-records-administration-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-records-administration-provisions.md",
      "source_url": "https://www.gov.cn/gongbao/content/2014/content_2600084.htm",
      "related_laws": [
        "pipl",
        "civil-code-personal-info",
        "electronic-medical-records-application-specification",
        "emr-information-use-management-notice",
        "basic-medical-health-care-promotion-law",
        "medical-institutions-regulation"
      ],
      "domains": [
        "health",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "These Provisions, jointly issued by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in November 2013 and effective from 1 January 2014, govern the creation, custody, access, copying, sealing, and retention of medical records (病历) in all medical institutions. Patients and their authorized agents, as well as deceased patients' statutory heirs, have a right to copy specified categories of their medical records; public security, judicial, insurance, and medical-malpractice appraisal bodies may access records on production of prescribed credentials. Outpatient records must be retained for at least 15 years and inpatient records for at least 30 years from the last visit or discharge. Medical institutions and their staff are strictly prohibited from leaking patients' medical record materials for any non-medical, non-teaching, or non-research purpose, making this instrument a foundational rule on health-data privacy that overseas counsel should read alongside PIPL Article 28 (sensitive personal information) and the Civil Code personal information chapter when advising on patient-data sharing, cross-border transfers of health data, or secondary use of clinical records in China."
    },
    {
      "slug": "energy-industry-data-classification-grading-guide",
      "title_en": "Guide to the Classification and Grading of Energy Industry Data (2026 Edition)",
      "title_zh": "能源行业数据分类分级指南（2026年版）",
      "hierarchy": "rule",
      "issuing_body": "National Energy Administration",
      "adopted_date": "2026-06-30",
      "effective_date": "2026-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/energy-industry-data-classification-grading-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/energy-industry-data-classification-grading-guide.md",
      "source_url": "https://www.nea.gov.cn/20260630/3b456b6f83144abcb989110dcfba4d7d/c.html",
      "related_laws": [
        "dsl",
        "energy-industry-data-security-measures",
        "data-classification-grading-rules"
      ],
      "domains": [
        "energy-resources",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Issued by the National Energy Administration on June 30, 2026 and effective July 1, 2026 — the same day as the companion Measures for the Administration of Data Security in the Energy Industry (Trial) — this Guide (4 chapters, 15 articles) operationalizes the trial Measures' three-tier general/important/core classification for the energy sector. It sets classification dimensions (energy type — coal, petroleum, natural gas, nuclear, hydro, wind, solar, biomass, geothermal, ocean, electric power, hydrogen — and energy activity — planning, design, construction, production, storage and transport, consumption, research), grading rules for derived and de-sensitized data, and bright-line thresholds for identifying important and core data: precise (100m-or-better) geo-coordinates and any materials containing them for large coal mines, thermal/hydro/nuclear power stations, and 750kV-plus substations and converter stations; real-time dispatch/control instruction data for designated hydropower stations, ultra-high-voltage substations, and PipeChina's oil-and-gas dispatch control system; and electric-power consumption-data thresholds keyed to user count (10 million users triggers important-data status; 100 million users, or a special-grade important user's continuous 1-year consumption record, triggers core-data status). The National Energy Administration's accompanying press Q&A explains that the grading logic tracks the degree of harm to national security from leakage or tampering, and sets out the six post-issuance compliance duties for important/core data processors: compile and file an important-data catalogue, build a data-security management system, implement multi-level protection scheme (MLPS)/CII/cryptographic protection, run annual risk assessments, apply for risk assessment before outbound transfer of important data or cross-entity transfer of core data, and report incidents immediately."
    },
    {
      "slug": "financial-sector-cybersecurity-management-measures-draft",
      "title_en": "Measures for Cybersecurity Management in the Financial Sector (Draft for Comment)",
      "title_zh": "金融业网络安全管理办法（征求意见稿）",
      "abbreviation": "Financial Sector Cybersecurity Measures (Draft)",
      "hierarchy": "draft",
      "issuing_body": "People's Bank of China; National Financial Regulatory Administration; China Securities Regulatory Commission; State Administration of Foreign Exchange",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft.md",
      "source_url": "https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1263328&itemId=951",
      "related_laws": [
        "csl",
        "dsl",
        "pipl",
        "cii-protection-regulations",
        "cybersecurity-review-measures",
        "network-data-security-regulations",
        "cybersecurity-incident-reporting-measures",
        "pboc-data-security-measures",
        "nfra-banking-insurance-data-security-measures"
      ],
      "domains": [
        "finance",
        "data-security",
        "critical-information-infrastructure",
        "cybersecurity-review"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A July 3, 2026 public-consultation draft that would create a cross-financial-sector cybersecurity rulebook for financial institutions and other entities approved or recognized by China's State Council financial management departments. The draft sits on top of the Cybersecurity Law, Data Security Law, PIPL, the CII Regulations and the Network Data Security Regulation, and translates them into a financial-sector baseline: cybersecurity responsibility systems, governance structures, network operation security, MLPS, commercial cryptography, network-data and personal-information protection, emerging-technology risk management, illegal-information response, app-download security duties, and a dedicated CII layer for financial critical information infrastructure. For financial CIIOs, the draft adds identification by the State Council financial management departments, a chief cybersecurity officer, a dedicated security body and background checks, cybersecurity-review pre-judgment for network-product and service procurement, annual reporting of network products, services and cloud procurement, annual testing and risk assessment, and sector-specific incident plans and drills. It also creates a coordination frame among the PBOC, NFRA, CSRC, SAFE and the CAC/public security/cryptography authorities, with legal liability routed through the existing financial, cybersecurity, data, personal-information, CII and cryptography statutes. Public comments are due August 3, 2026."
    },
    {
      "slug": "industrial-data-security-risk-assessment-rules",
      "title_en": "Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (Trial)",
      "title_zh": "工业和信息化领域数据安全风险评估实施细则（试行）",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Industry and Information Technology",
      "adopted_date": "2024-05-10",
      "effective_date": "2024-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/industrial-data-security-risk-assessment-rules/",
      "markdown_url": "https://datacompliancechina.com/laws/industrial-data-security-risk-assessment-rules.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "industrial",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "These Implementing Rules operationalize the annual risk-assessment obligation imposed on processors of important data and core data by the MIIT Industrial Data Security Measures. They prescribe the assessment scope, the eight mandatory assessment focus areas, the once-a-year cadence and one-year validity of results, triggering events for re-assessment, requirements for in-house or third-party assessment teams, reporting timelines to local regulators, and the duties and capability-certification regime for third-party assessment institutions. Issued as MIIT Cyber Security [2024] No. 82 and effective June 1, 2024."
    },
    {
      "slug": "natural-resources-data-security-measures",
      "title_en": "Measures for the Administration of Data Security in the Field of Natural Resources",
      "title_zh": "自然资源领域数据安全管理办法",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Natural Resources",
      "adopted_date": "2024-03-22",
      "effective_date": "2024-03-22",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/natural-resources-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/natural-resources-data-security-measures.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "energy-resources",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the Ministry of Natural Resources as a departmental normative document (Doc. No. Zi Ran Zi Fa [2024] No. 57) on March 22, 2024, and effective the same day, having been approved by the national data security work coordination mechanism. These measures implement the Data Security Law for non-classified data in the natural-resources field — geographic information data (including basic geographic information and remote-sensing imagery), natural-resources survey and monitoring data (land, minerals, forests, grasslands, water, wetlands, sea areas and islands), territorial spatial planning data, and natural-resources management data (use control, asset management, cultivated-land protection, ecological restoration, real estate registration, etc.). The measures establish the three-tier general/important/core classification with six reference indicators for identifying important data, assign supervisory roles to the Ministry of Natural Resources, the National Forestry and Grassland Administration, and local industry regulators, and set out a full data-lifecycle security regime (collection, storage, use and processing, transmission, provision, disclosure, deletion). Key obligations include catalog reporting and review of important and core data, MLPS Level 3+ for important data and Level 4 / CII protection for core data, the 30% cumulative-volume risk-assessment trigger for core-data provision, in-country storage with cross-border security assessment for important data, annual risk assessment for important-data processors, and a monitoring, early-warning, and emergency-response framework."
    },
    {
      "slug": "nfra-banking-insurance-data-security-measures",
      "title_en": "Measures for the Administration of Data Security of Banking and Insurance Institutions",
      "title_zh": "银行保险机构数据安全管理办法",
      "abbreviation": "NFRA Banking & Insurance Data Security Measures",
      "hierarchy": "rule",
      "issuing_body": "National Financial Regulatory Administration",
      "adopted_date": "2024-12-27",
      "effective_date": "2024-12-27",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/nfra-banking-insurance-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/nfra-banking-insurance-data-security-measures.md",
      "related_laws": [
        "dsl",
        "pipl"
      ],
      "domains": [
        "finance",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Issued by the National Financial Regulatory Administration (NFRA) as Jin Gui [2024] No. 24 and effective December 27, 2024, these Measures are the comprehensive data security rule for banking and insurance institutions. Across nine chapters they establish a data security governance structure (board, senior management, a centralized administration department and an IT technical-protection department), a four-tier classification (core / important / sensitive / other general data), and full-lifecycle management and technical-protection requirements. They also contain a dedicated chapter on personal information protection, prescribe risk monitoring and a two-hour incident reporting timeline, set out supervisory and penalty provisions under the Banking Regulation Law and Insurance Law, and append a detailed data-security incident grading scheme. They supersede the 2022 trial measures (Yin Bao Jian Ban Fa [2022] No. 118)."
    },
    {
      "slug": "electronic-medical-records-application-specification",
      "title_en": "Specification for the Application and Administration of Electronic Medical Records (Trial)",
      "title_zh": "电子病历应用管理规范（试行）",
      "abbreviation": "EMR Application Specification",
      "hierarchy": "standard",
      "issuing_body": "National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine",
      "adopted_date": "2017-02-15",
      "effective_date": "2017-04-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/electronic-medical-records-application-specification/",
      "markdown_url": "https://datacompliancechina.com/laws/electronic-medical-records-application-specification.md",
      "source_url": "http://www.nhc.gov.cn/yzygj/s3593/201702/22bb2525318f496f846e8566754876a1.shtml",
      "related_laws": [
        "pipl",
        "medical-records-administration-provisions",
        "emr-information-use-management-notice",
        "healthcare-institutions-data-security-pi-measures"
      ],
      "domains": [
        "health",
        "personal-information",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in February 2017, this Specification sets out binding requirements for how healthcare institutions create, record, amend, use, store, and seal electronic medical records (EMRs) and the information systems that support them. It mandates unique patient identifiers, role-based access controls, reliable electronic signatures, full audit trails of every write and edit operation, minimum retention periods (15 years for outpatient records, 30 years for inpatient records), and a formal sealing procedure for litigation-related EMR preservation. As the principal companion to the paper-record rules and the Electronic Signature Law, it forms the baseline data-security and access-control framework for digitized health data — making it essential reading for overseas counsel advising on China health-data processing, clinical-trial data governance, and any cross-border transfer of patient records."
    },
    {
      "slug": "emr-information-use-management-notice",
      "title_en": "Notice on Further Strengthening the Administration of the Use of Electronic Medical Record Information by Medical Institutions",
      "title_zh": "关于进一步加强医疗机构电子病历信息使用管理的通知",
      "abbreviation": "EMR Information Use Notice",
      "hierarchy": "rule",
      "issuing_body": "General Office of the National Health Commission, General Office of the National Administration of Traditional Chinese Medicine, and General Office of the National Disease Control and Prevention Administration",
      "adopted_date": "2025-06-23",
      "effective_date": "2025-06-23",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/emr-information-use-management-notice/",
      "markdown_url": "https://datacompliancechina.com/laws/emr-information-use-management-notice.md",
      "source_url": "https://www.nhc.gov.cn/yzygj/c100068/202506/c68abee7c54b4651a774cd533761780b.shtml",
      "related_laws": [
        "pipl",
        "network-data-security-regulations",
        "medical-records-administration-provisions",
        "electronic-medical-records-application-specification",
        "healthcare-institutions-cybersecurity-measures"
      ],
      "domains": [
        "health",
        "personal-information",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly on 23 June 2025 by the General Offices of the NHC, NATCM, and NDCPA (Document No. 国卫办医政函〔2025〕262号), this notice tightens the rules under which hospitals and other medical institutions may access, copy, and share electronic medical records (EMRs), embedding the PIPL purpose-limitation and minimum-necessary principles into the clinical records environment for the first time at this regulatory level. Key obligations include graded and role-based access controls, full end-to-end audit trails (with digital-watermark support), strict restrictions on secondary use for research or commercial purposes, mandatory confidentiality and authorization agreements with external IT vendors, and a requirement to freeze access to records when a patient becomes the subject of public-controversy media coverage. Provincial health authorities must incorporate EMR-information compliance into hospital accreditation reviews and smart-hospital evaluations, creating a direct enforcement lever for overseas counsel advising multinationals that process Chinese patient data for clinical trials, real-world evidence studies, or health-tech product development."
    },
    {
      "slug": "industrial-data-security-incident-emergency-plan",
      "title_en": "Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial)",
      "title_zh": "工业和信息化领域数据安全事件应急预案（试行）",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Industry and Information Technology",
      "adopted_date": "2024-10-29",
      "effective_date": "2024-11-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/industrial-data-security-incident-emergency-plan/",
      "markdown_url": "https://datacompliancechina.com/laws/industrial-data-security-incident-emergency-plan.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "industrial",
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "This Emergency Response Plan, issued as MIIT Cyber Security [2024] No. 214, establishes the incident-response framework for data security incidents in the industry, telecommunications and radio fields. It grades incidents into four levels (especially significant, significant, relatively significant, and general), sets out the organizational structure, monitoring and early-warning, reporting timelines, graded response measures and post-incident handling, and defines how MIIT and local industry regulators coordinate with data processors. The page below translates the issuing notice in full; the annexed plan text was distributed as a separate attachment and is summarized rather than reproduced article-by-article."
    },
    {
      "slug": "cbirc-regulatory-data-security-measures",
      "title_en": "Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial)",
      "title_zh": "中国银保监会监管数据安全管理办法（试行）",
      "hierarchy": "rule",
      "issuing_body": "China Banking and Insurance Regulatory Commission",
      "adopted_date": "2020-09-23",
      "effective_date": "2020-09-23",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cbirc-regulatory-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/cbirc-regulatory-data-security-measures.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "finance",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the China Banking and Insurance Regulatory Commission (CBIRC) on September 23, 2020, these trial measures govern the security of regulatory data — the figures, indicators, reports and other information that the CBIRC lawfully collects and that is recorded, generated and stored by regulatory information systems. They establish centralized (归口) administration, prescribe rules for the collection, storage, processing, use and cross-border sharing of regulatory data, and set out requirements for entrusted service providers, supervision, and reporting of major data security incidents within 48 hours."
    },
    {
      "slug": "hgr-regulation",
      "title_en": "Regulation of the People's Republic of China on the Administration of Human Genetic Resources",
      "title_zh": "中华人民共和国人类遗传资源管理条例",
      "abbreviation": "HGR Regulation",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2019-05-28",
      "effective_date": "2019-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/hgr-regulation/",
      "markdown_url": "https://datacompliancechina.com/laws/hgr-regulation.md",
      "source_url": "https://www.nhc.gov.cn/qjjys/rlyczygl/202503/c5373f14621e4011b6cbc932184086a2/files/1746832760945_40292.pdf",
      "related_laws": [
        "dsl",
        "data-export-security-assessment-measures",
        "hgr-implementing-rules",
        "rwd-guiding-principles",
        "basic-medical-health-care-promotion-law"
      ],
      "domains": [
        "health",
        "data-security",
        "cross-border"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "China's primary instrument governing the collection, preservation, utilization, and cross-border provision of human genetic resources (HGR), including both physical materials (organs, tissues, cells) and the data and information derived from them. Promulgated as State Council Decree No. 717 on 28 May 2019, effective 1 July 2019, and amended by the State Council Decision on Revising and Abolishing Certain Administrative Regulations dated 10 March 2024 (which transferred administrative authority from MOST to the National Health Commission). The Regulation prohibits foreign organizations, individuals, and their controlled entities from collecting or preserving China's HGR within the territory or providing it abroad, and requires Chinese-party collaboration for any international cooperative research; cross-border transfer of HGR materials and provision of HGR information to foreign parties are subject to approval, security review, and filing requirements. For overseas pharmaceutical, biotech, and clinical-research counsel this is the single most operationally significant instrument: it governs every phase of multinational clinical trials and genomic research that touches Chinese samples or data, and non-compliance carries fines of RMB 100 000–10 000 000 plus permanent debarment."
    },
    {
      "slug": "hgr-implementing-rules",
      "title_en": "Implementing Rules for the Regulation on the Administration of Human Genetic Resources",
      "title_zh": "人类遗传资源管理条例实施细则",
      "abbreviation": "HGR Implementing Rules",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Science and Technology (MOST)",
      "adopted_date": "2023-05-26",
      "effective_date": "2023-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/hgr-implementing-rules/",
      "markdown_url": "https://datacompliancechina.com/laws/hgr-implementing-rules.md",
      "source_url": "https://www.most.gov.cn/xxgk/xinxifenlei/fdzdgknr/fgzc/bmgz/202306/t20230601_186416.html",
      "related_laws": [
        "dsl",
        "hgr-regulation",
        "rwd-guiding-principles",
        "basic-medical-health-care-promotion-law",
        "data-export-security-assessment-measures"
      ],
      "domains": [
        "health",
        "data-security",
        "cross-border"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "MOST's 2023 implementing rules operationalize the 2019 State Council Regulation on the Administration of Human Genetic Resources, providing granular definitions, the step-by-step approval and filing system for collection, preservation, international research collaboration, and clinical trials, and the criteria for determining when an entity is a 'foreign-party-controlled' institution (境外组织或个人控制). The rules establish the cross-border information-provision regime — requiring advance reporting, information backup submission to MOST, and a security review for certain sensitive categories (e.g., whole-exome or genome sequencing data for 500 or more subjects) — and set out inspection powers, penalty-discretion standards, and administrative-enforcement procedures. Overseas life-sciences counsel care because the rules directly govern how global pharma, biotech, and genomics companies structure China clinical trials and collaborative research arrangements to avoid unlicensed cross-border transfer of human genetic resource information."
    },
    {
      "slug": "children-pi-online-protection-provisions",
      "title_en": "Provisions on the Online Protection of Children's Personal Information",
      "title_zh": "儿童个人信息网络保护规定",
      "abbreviation": "Children's PI Provisions",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2019-08-22",
      "effective_date": "2019-10-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/children-pi-online-protection-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/children-pi-online-protection-provisions.md",
      "source_url": "https://www.cac.gov.cn/2019-08/23/c_1124913903.htm",
      "related_laws": [
        "csl",
        "pipl",
        "minors-online-protection-regulations",
        "minors-pi-compliance-audit-reporting-announcement"
      ],
      "domains": [
        "personal-information",
        "minors-protection"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "China's first dedicated rule for children's personal information online, issued by the CAC in 2019 and effective October 1, 2019. It fixes 14 as the age of childhood, requires verifiable guardian consent before a network operator collects, stores, uses, transfers, or discloses a child's personal information, and imposes a guardian-facing notice-and-refusal regime, data-minimization and storage-limitation duties, encrypted storage, minimum-authorization access controls, entrustment and transfer safeguards, deletion and correction rights, and breach notification to guardians. It predates PIPL but is read together with PIPL Article 28 (which treats the personal information of minors under 14 as sensitive personal information) and the Regulations on the Protection of Minors in Cyberspace."
    },
    {
      "slug": "rwd-guiding-principles",
      "title_en": "Guiding Principles for Real-World Data Used to Generate Real-World Evidence (Trial)",
      "title_zh": "用于产生真实世界证据的真实世界数据指导原则（试行）",
      "abbreviation": "RWD Guiding Principles",
      "hierarchy": "standard",
      "issuing_body": "Center for Drug Evaluation, National Medical Products Administration (NMPA-CDE)",
      "adopted_date": "2021-04-13",
      "effective_date": "2021-04-13",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/rwd-guiding-principles/",
      "markdown_url": "https://datacompliancechina.com/laws/rwd-guiding-principles.md",
      "source_url": "https://www.cde.org.cn/news.do?method=viewInfoCommon&id=eaed86b800e8d9d9",
      "related_laws": [
        "pipl",
        "hgr-regulation",
        "hgr-implementing-rules",
        "national-health-medical-big-data-measures"
      ],
      "domains": [
        "health",
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by NMPA-CDE on 13 April 2021, these guiding principles establish the technical framework for assessing whether real-world data is fit for use in generating real-world evidence to support drug regulatory decisions in China. The principles catalogue the main sources of real-world data (hospital information systems, medical insurance claims, registry studies, pharmacovigilance data, cohort databases, and more), define a two-stage suitability assessment (source-data and post-curation stages), and impose detailed data governance, security, de-identification, and quality-management requirements. A dedicated chapter on personal information protection and data security requires de-identification of sensitive personal information and encryption across the full data lifecycle. For overseas pharmaceutical and medical-device regulatory counsel, the guidelines are the primary reference point when designing China real-world studies, because any real-world evidence submitted to NMPA must satisfy these standards, and non-compliance with the personal information and data-security provisions may jeopardise both study approval and data transfer out of China."
    },
    {
      "slug": "iov-cybersecurity-data-security-notice",
      "title_en": "Notice of the Ministry of Industry and Information Technology on Strengthening the Cybersecurity and Data Security of the Internet of Vehicles",
      "title_zh": "工业和信息化部关于加强车联网网络安全和数据安全工作的通知",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Industry and Information Technology",
      "adopted_date": "2021-09-15",
      "effective_date": "2021-09-15",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice/",
      "markdown_url": "https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice.md",
      "related_laws": [
        "dsl",
        "csl"
      ],
      "domains": [
        "industrial",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "This Notice sets out MIIT's consolidated cybersecurity and data security requirements for the Internet of Vehicles (IoV) ecosystem, covering intelligent connected vehicle manufacturers, IoV service-platform operators and related parties. It addresses vehicle network security, vulnerability management, IoV network and communications security, monitoring and emergency response, MLPS grading and filing, platform security, OTA upgrade security, data classification and grading, data security technical safeguards, and cross-border data transfer. Issued as MIIT Cyber Security [2021] No. 134 and effective September 15, 2021."
    },
    {
      "slug": "medical-institutions-regulation",
      "title_en": "Regulation on the Administration of Medical Institutions",
      "title_zh": "医疗机构管理条例",
      "abbreviation": "Medical Institutions Regulation",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "1994-02-26",
      "effective_date": "1994-09-01",
      "status": "amended",
      "url": "https://datacompliancechina.com/laws/medical-institutions-regulation/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-institutions-regulation.md",
      "source_url": "https://policy.mofcom.gov.cn/claw/clawContent.shtml?id=94685",
      "related_laws": [
        "pipl",
        "basic-medical-health-care-promotion-law",
        "medical-records-administration-provisions",
        "internet-diagnosis-treatment-measures"
      ],
      "domains": [
        "health",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A State Council administrative regulation first promulgated in 1994 that establishes the licensing, registration, and supervision framework for all medical institutions operating in China. It requires institutions to obtain and maintain an execution licence (or, for clinics, complete a filing), to practise within their registered scope, and to protect patients through informed-consent requirements and honest documentation — obligations that directly underpin the duty to safeguard medical records and patient personal information. The regulation was amended twice: in 2016 (State Council Decree No. 666) and in 2022 (State Council Decree No. 752, effective 1 May 2022), with the 2022 revision extending the clinic filing system and aligning the informed-consent standard with the Civil Code. For overseas counsel advising health-sector clients in China, this regulation is the foundational licensing instrument and provides the institutional context in which sector-specific health-data rules — including electronic medical-record standards and PIPL obligations for sensitive personal information — operate."
    },
    {
      "slug": "anti-unfair-competition-law",
      "title_en": "Anti-Unfair Competition Law of the People's Republic of China",
      "title_zh": "中华人民共和国反不正当竞争法",
      "abbreviation": "AUCL",
      "hierarchy": "law",
      "issuing_body": "National People's Congress Standing Committee",
      "adopted_date": "2025-06-27",
      "effective_date": "2025-10-15",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/anti-unfair-competition-law/",
      "markdown_url": "https://datacompliancechina.com/laws/anti-unfair-competition-law.md",
      "source_url": "https://www.spp.gov.cn/spp/fl/202506/t20250627_699862.shtml",
      "related_laws": [
        "dsl",
        "data-foundation-system-opinions",
        "data-property-rights-registration-guide-draft"
      ],
      "domains": [
        "data-economy"
      ],
      "featured": false,
      "full_text_available": false
    },
    {
      "slug": "internet-diagnosis-treatment-measures",
      "title_en": "Notice Issuing the Measures for the Administration of Internet Diagnosis and Treatment (Trial) and Two Related Documents",
      "title_zh": "关于印发《互联网诊疗管理办法（试行）》等3个文件的通知",
      "abbreviation": "Internet Diagnosis & Treatment Measures",
      "hierarchy": "rule",
      "issuing_body": "National Health Commission and National Administration of Traditional Chinese Medicine",
      "adopted_date": "2018-07-17",
      "effective_date": "2018-07-17",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/internet-diagnosis-treatment-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/internet-diagnosis-treatment-measures.md",
      "source_url": "https://www.gov.cn/zhengce/zhengceku/2018-12/31/content_5435436.htm",
      "related_laws": [
        "pipl",
        "healthcare-institutions-cybersecurity-measures",
        "mobile-app-information-services-provisions",
        "medical-institutions-regulation",
        "basic-medical-health-care-promotion-law"
      ],
      "domains": [
        "health",
        "personal-information",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly by the National Health Commission and the National Administration of Traditional Chinese Medicine in July 2018, Document No. 国卫医发〔2018〕25号 establishes the foundational regulatory framework for internet-based healthcare in China through three companion instruments. The first document, the Measures for the Administration of Internet Diagnosis and Treatment (Trial), restricts online diagnosis to follow-up consultations for previously diagnosed common and chronic diseases, prohibits first-visit online diagnosis, and requires healthcare institutions to safeguard patient information, adopt Cybersecurity Multi-Level Protection Scheme Level 3, and immediately report data breaches to health authorities. The Internet Hospital Measures (Trial) sets licensing conditions for internet hospitals, mandates real-name identity authentication for medical staff, and imposes patient-privacy and information-security duties including prohibition on illegally selling or disclosing patient data. The Telemedicine Service Norms (Trial) governs inter-institutional telemedicine referrals, requires written informed consent, mandates real-name patient management, and obliges all participating parties to protect information security and patient privacy. Together these instruments are the gateway rules for any digital-health or telemedicine product operating in China: they determine which online medical services are lawful, what licensing is required, and how patient personal information and medical records must be handled and protected."
    },
    {
      "slug": "automotive-data-security-provisions",
      "title_en": "Several Provisions on Automotive Data Security Management (Trial)",
      "title_zh": "汽车数据安全管理若干规定（试行）",
      "abbreviation": "Automotive Data Provisions",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China; National Development and Reform Commission; MIIT; Ministry of Public Security; Ministry of Transport",
      "adopted_date": "2021-08-16",
      "effective_date": "2021-10-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/automotive-data-security-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/automotive-data-security-provisions.md",
      "related_laws": [
        "pipl",
        "dsl"
      ],
      "domains": [
        "industrial",
        "cross-border"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "These Provisions are the foundational rule governing the processing of automotive data — both personal information and important data arising in the design, production, sale, use and maintenance of vehicles. They define automotive data, personal/sensitive personal information and important data (including a list of important-data categories), set out processing principles (in-vehicle processing, default no-collection, precision-range applicability, anonymization), notice-and-consent requirements, important-data risk assessment and annual reporting, and domestic storage with security assessment for cross-border transfer. Jointly issued by the CAC, NDRC, MIIT, MPS and MOT as Order No. 7 and effective October 1, 2021."
    },
    {
      "slug": "tongfang-management-provisions",
      "title_en": "Provisions on Strengthening the Administration of Prescription-Volume Statistics (Tongfang) in Healthcare Institutions",
      "title_zh": "关于加强医疗卫生机构统方管理的规定",
      "abbreviation": "Tongfang Management Provisions",
      "hierarchy": "rule",
      "issuing_body": "National Health and Family Planning Commission and State Administration of Traditional Chinese Medicine",
      "adopted_date": "2014-11-20",
      "effective_date": "2015-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/tongfang-management-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/tongfang-management-provisions.md",
      "source_url": "https://www.nhc.gov.cn/jws/s3577/201401/c29d9662d7784fe891a17b1ef01dbd8a.shtml",
      "related_laws": [
        "pipl",
        "medical-records-administration-provisions",
        "healthcare-institutions-data-security-pi-measures",
        "medical-institutions-regulation"
      ],
      "domains": [
        "health",
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly by the National Health and Family Planning Commission and the State Administration of Traditional Chinese Medicine in November 2014 (Document No. 国卫纠发〔2014〕1号) and effective January 1, 2015, these Provisions define and tightly restrict access to prescription-volume statistics (tongfang) — the statistical compilation of individual physicians' or departments' drug and medical-consumable usage volumes — in order to sever the data conduit through which pharmaceutical companies pay kickbacks to prescribers. Core obligations include access-control and least-privilege rules for hospital information systems, mandatory query-logging and anomaly review, binding confidentiality agreements with IT vendors, a categorical prohibition on disclosing individual or departmental tongfang data to pharmaceutical or device marketers, and a ban on linking clinician income to prescription volumes. An early health-sector data-access-governance and anti-corruption measure, these Provisions remain operative and are relevant to overseas pharmaceutical and medical-device companies operating in China: supplying, inducing, or receiving tongfang data constitutes a compliance risk under both these Provisions and China's anti-commercial-bribery rules."
    },
    {
      "slug": "internet-information-services-measures",
      "title_en": "Administrative Measures for Internet Information Services (2024 Revision)",
      "title_zh": "互联网信息服务管理办法（2024 修订）",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2024-12-06",
      "effective_date": "2025-01-20",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/internet-information-services-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/internet-information-services-measures.md",
      "related_laws": [
        "csl",
        "pipl"
      ],
      "domains": [
        "data-security",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The foundational regulation of Internet Information Services (ICP) in China — the regulatory baseline beneath nearly every later data-protection rule. Establishes the ICP licensing regime (operational vs. non-operational), platform compliance obligations, content management, and the role of telecommunications and cyberspace administrative authorities. The 2024 revision aligns the regulation with CSL, DSL, PIPL, and the post-2022 platform rules."
    },
    {
      "slug": "live-streaming-ecommerce-measures",
      "title_en": "Administrative Measures for the Supervision of Live-Streaming E-Commerce",
      "title_zh": "直播电商监督管理办法",
      "hierarchy": "rule",
      "issuing_body": "State Administration for Market Regulation",
      "adopted_date": "2025-12-18",
      "effective_date": "2026-02-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/live-streaming-ecommerce-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/live-streaming-ecommerce-measures.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "industrial",
        "data-economy"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "These Measures establish the supervisory framework for live-streaming e-commerce in China, allocating obligations among platform operators, live-streaming-room operators, live-streaming marketing personnel and their service agencies. They impose real-identity verification and registration, periodic reporting of identity information to market-regulation authorities, graded and classified management, transaction-information retention of at least three years, prohibitions on false or misleading commercial publicity (including via AI), AI-generated-persona labeling, and consumer-rights and credit-supervision mechanisms. Jointly issued by the State Administration for Market Regulation and the Cyberspace Administration of China as Order No. 117 and effective February 1, 2026."
    },
    {
      "slug": "anti-telecom-fraud-law",
      "title_en": "Anti-Telecom and Online Fraud Law of the People's Republic of China",
      "title_zh": "中华人民共和国反电信网络诈骗法",
      "abbreviation": "ATFL",
      "hierarchy": "law",
      "issuing_body": "National People's Congress Standing Committee",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/anti-telecom-fraud-law/",
      "markdown_url": "https://datacompliancechina.com/laws/anti-telecom-fraud-law.md",
      "related_laws": [
        "pipl",
        "csl"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": false
    },
    {
      "slug": "app-illegal-pi-collection-identification-method",
      "title_en": "Method for Identifying the Unlawful Collection and Use of Personal Information by Apps",
      "title_zh": "App违法违规收集使用个人信息行为认定方法",
      "abbreviation": "App PI Identification Method",
      "hierarchy": "rule",
      "issuing_body": "Secretariat of the Cyberspace Administration of China, General Office of MIIT, General Office of the Ministry of Public Security, and General Office of SAMR",
      "adopted_date": "2019-11-28",
      "effective_date": "2019-11-28",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/app-illegal-pi-collection-identification-method/",
      "markdown_url": "https://datacompliancechina.com/laws/app-illegal-pi-collection-identification-method.md",
      "source_url": "https://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm",
      "related_laws": [
        "pipl",
        "csl",
        "app-necessary-pi-scope-provisions",
        "mobile-app-information-services-provisions",
        "telecom-internet-user-pi-protection-provisions"
      ],
      "domains": [
        "personal-information",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly in November 2019 by the CAC Secretariat, MIIT, MPS, and SAMR under Document No. 国信办秘字〔2019〕191号, this instrument provides the operational six-category test that regulators use to determine whether an app's collection and use of personal information is unlawful or excessive: (1) failure to publicly disclose collection and use rules; (2) failure to clearly state the purpose, method, and scope of collection; (3) collection without user consent; (4) collection beyond what is necessary for the service; (5) sharing personal information with third parties without consent; and (6) failure to provide deletion or correction functions or complaint channels. The method underpins the national App special-governance campaign and is the direct basis for app-store removal orders issued by regulators. Overseas counsel advising Chinese-market apps or cross-border data-sharing arrangements must treat compliance with each of the six categories as a threshold checklist, as a single identified violation can trigger mandatory rectification and removal."
    },
    {
      "slug": "deep-synthesis-provisions",
      "title_en": "Provisions on the Administration of Deep Synthesis of Internet Information Services",
      "title_zh": "互联网信息服务深度合成管理规定",
      "hierarchy": "rule",
      "issuing_body": "CAC, MIIT, MPS",
      "adopted_date": "2022-11-03",
      "effective_date": "2023-01-10",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/deep-synthesis-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/deep-synthesis-provisions.md",
      "related_laws": [
        "pipl",
        "algorithmic-recommendation-provisions",
        "genai-services-interim-measures"
      ],
      "domains": [
        "ai-governance",
        "algorithm-recommendation"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Regulates deepfakes and AI-driven content synthesis — the precursor to the GenAI Measures and the AI Content Labeling Measures. Requires real-name verification, content moderation, prominent labeling of synthesized content, prohibits use for fraud or disinformation, and establishes the deep synthesis service algorithm filing regime."
    },
    {
      "slug": "online-trading-platform-rules-measures",
      "title_en": "Measures for the Supervision and Administration of Online Trading Platform Rules",
      "title_zh": "网络交易平台规则监督管理办法",
      "abbreviation": "Platform Rules Measures",
      "hierarchy": "rule",
      "issuing_body": "State Administration for Market Regulation; Cyberspace Administration of China",
      "adopted_date": "2025-12-18",
      "effective_date": "2026-02-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/online-trading-platform-rules-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/online-trading-platform-rules-measures.md",
      "related_laws": [],
      "domains": [
        "data-economy",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Departmental rule (SAMR/CAC Order No. 116) governing how online trading platform operators formulate, amend and enforce their platform rules (service agreements, in-platform management rules, dispute-handling rules, personal-information protection rules, IP rules, etc.). It requires conspicuous publication, comment solicitation, advance notice before changes take effect, retention of historical versions, and an appeals channel including human review where decisions are made solely by AI. Separate chapters address information/network/data security (including minors' protection and personal-information allocation between platforms and in-platform operators), protection of in-platform operators against unreasonable restrictions and fees, and consumer protection against discriminatory pricing and unilateral membership changes. Effective February 1, 2026."
    },
    {
      "slug": "app-necessary-pi-scope-provisions",
      "title_en": "Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications",
      "title_zh": "常见类型移动互联网应用程序必要个人信息范围规定",
      "abbreviation": "Necessary PI Scope Provisions",
      "hierarchy": "rule",
      "issuing_body": "Secretariat of the Cyberspace Administration of China, General Office of MIIT, General Office of the Ministry of Public Security, and General Office of SAMR",
      "adopted_date": "2021-03-12",
      "effective_date": "2021-05-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/app-necessary-pi-scope-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/app-necessary-pi-scope-provisions.md",
      "source_url": "https://www.cac.gov.cn/2021-03/22/c_1617990997054277.htm",
      "related_laws": [
        "pipl",
        "app-illegal-pi-collection-identification-method",
        "mobile-app-information-services-provisions",
        "telecom-internet-user-pi-protection-provisions"
      ],
      "domains": [
        "personal-information",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "These Provisions, issued jointly by the CAC, MIIT, MPS, and SAMR in March 2021 and effective May 1, 2021, define 'necessary personal information' as the minimum data indispensable for an app's basic functional service to operate — and expressly prohibit operators from refusing basic service to users who decline to provide non-necessary personal information. The Provisions enumerate 39 common mobile app categories (including map navigation, ride-hailing, instant messaging, online shopping, mobile banking, and more), specifying the precise personal information each category may require; 12 of the 39 categories — including browsers, input methods, news apps, and short-video apps — require no personal information at all for basic use. Overseas counsel advise on these Provisions when auditing the data-collection practices of apps distributed in China, assessing whether consent gates or account-wall practices are lawful, and preparing for MIIT or CAC enforcement inspections targeting excessive or non-necessary data collection."
    },
    {
      "slug": "pi-protection-certification-implementation-rules",
      "title_en": "Implementation Rules for Personal Information Protection Certification",
      "title_zh": "个人信息保护认证实施规则",
      "abbreviation": "PI Certification Rules",
      "hierarchy": "rule",
      "issuing_body": "State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC)",
      "adopted_date": "2022-11-18",
      "effective_date": "2022-11-18",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules/",
      "markdown_url": "https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules.md",
      "source_url": "https://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm",
      "related_laws": [
        "pipl",
        "cross-border-pi-certification-measures",
        "pi-protection-certification-announcement"
      ],
      "domains": [
        "personal-information",
        "cross-border"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The Implementation Rules for Personal Information Protection Certification, issued as the annex to SAMR and CAC Joint Announcement No. 37 of 2022 on November 18, 2022, operationalize the certification pathway that PIPL Article 38(2) authorizes for cross-border transfers of personal information and that simultaneously governs domestic personal information protection certification. The Rules establish a three-stage certification model — technical verification, on-site audit, and post-certification supervision — grounded in GB/T 35273 (Personal Information Security Specification) for all personal information handlers, with the additional requirement that handlers engaged in cross-border processing activities comply with TC260-PG-20222A (Security Certification Specification for Cross-border Personal Information Processing Activities). Certification certificates are valid for three years, subject to ongoing supervisory audits, and may be suspended or revoked for non-compliance; certified handlers may display the corresponding certification mark (with a distinct cross-border variant). The Rules were subsequently supplemented by the Measures for the Certification of the Cross-border Provision of Personal Information (effective January 1, 2026), which specifically governs the cross-border certification route; overseas counsel advising on cross-border transfers should read the two instruments together, as the Implementation Rules set the foundational procedural framework that the 2026 Measures build upon."
    },
    {
      "slug": "cii-commercial-cryptography-provisions",
      "title_en": "Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure",
      "title_zh": "关键信息基础设施商用密码使用管理规定",
      "abbreviation": "CII Commercial Cryptography Provisions",
      "hierarchy": "rule",
      "issuing_body": "State Cryptography Administration; Cyberspace Administration of China",
      "adopted_date": "2025-06-11",
      "effective_date": "2025-08-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions.md",
      "related_laws": [
        "cii-protection-regulations"
      ],
      "domains": [
        "critical-information-infrastructure",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Departmental rule (State Cryptography Administration / CAC / Ministry of Public Security Order No. 5) requiring operators of critical information infrastructure (CII) to use commercial cryptography to protect their CII, and to plan, build and operate commercial-cryptography assurance systems concurrently with the CII itself. It mandates commercial-cryptography application security assessments at the planning, construction and operation stages (at least annually once in operation), requires the use of certified commercial-cryptography products and State-vetted algorithms, sets staffing and funding requirements (key administrators, cipher operators, security auditors), imposes annual reporting duties, and provides penalties of up to RMB 1,000,000. Effective August 1, 2025."
    },
    {
      "slug": "pi-protection-certification-announcement",
      "title_en": "Announcement on the Implementation of Personal Information Protection Certification",
      "title_zh": "关于实施个人信息保护认证的公告",
      "abbreviation": "PI Certification Announcement",
      "hierarchy": "rule",
      "issuing_body": "State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC)",
      "adopted_date": "2022-11-04",
      "effective_date": "2022-11-04",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/pi-protection-certification-announcement/",
      "markdown_url": "https://datacompliancechina.com/laws/pi-protection-certification-announcement.md",
      "source_url": "https://www.cac.gov.cn/2022-11/18/c_1670399936658129.htm",
      "related_laws": [
        "pipl",
        "cross-border-pi-certification-measures",
        "pi-protection-certification-implementation-rules"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The November 2022 joint announcement by SAMR and CAC (Announcement No. 37 of 2022) formally launched the Personal Information Protection Certification scheme, designating approved certification bodies to conduct certification activities in accordance with the Implementation Rules for Personal Information Protection Certification and, for cross-border processing activities, the TC260 standard TC260-PG-20222A. Participation is voluntary: the announcement encourages personal information handlers to obtain certification as a means of demonstrating and improving their personal information protection capabilities. The announcement is short — one operative paragraph — and works in tandem with the accompanying Implementation Rules (attached to the announcement) and the subsequently issued Measures for the Certification of the Cross-border Provision of Personal Information (2026). For overseas counsel, the scheme provides a third compliance pathway alongside the Security Assessment and the Standard Contract for cross-border transfers of personal information."
    },
    {
      "slug": "ai-meteorological-services-measures",
      "title_en": "Measures for Artificial Intelligence Meteorological Application Services",
      "title_zh": "人工智能气象应用服务办法",
      "abbreviation": "AI Meteorological Services Measures",
      "hierarchy": "rule",
      "issuing_body": "China Meteorological Administration; Cyberspace Administration of China",
      "adopted_date": "2025-04-23",
      "effective_date": "2025-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/ai-meteorological-services-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/ai-meteorological-services-measures.md",
      "related_laws": [],
      "domains": [
        "ai-governance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Departmental rule (China Meteorological Administration / CAC Order No. 45) regulating the provision of meteorological application services using artificial intelligence. It establishes inclusive-prudential and tiered-classified supervision, sets out support-and-promotion measures (AI–meteorology fusion, basic databases and themed datasets, computing-power infrastructure, standards and talent), and imposes service norms: providers must obtain meteorological data through lawful channels carrying a meteorological-data identity tag, add AI-generated-content labels, and may not publish to the public weather forecasts, severe-weather warnings or meteorological-disaster early-warning signals other than those issued by meteorological-authority stations. It also requires algorithm filing and security assessment for services with public-opinion or social-mobilization capacity, and addresses data security, cross-border data transfer and penalties (fines up to RMB 50,000). Effective June 1, 2025."
    },
    {
      "slug": "accounting-firms-data-security-measures",
      "title_en": "Interim Measures for the Data Security Management of Accounting Firms",
      "title_zh": "会计师事务所数据安全管理暂行办法",
      "abbreviation": "Accounting Firms Data Security Measures",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Finance; Cyberspace Administration of China",
      "adopted_date": "2024-04-15",
      "effective_date": "2024-10-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/accounting-firms-data-security-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/accounting-firms-data-security-measures.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "data-security",
        "finance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Departmental normative document (Cai Kuai [2024] No. 6) issued by the Ministry of Finance and the Cyberspace Administration of China governing data-processing activities by accounting firms in audit engagements. It applies to firms auditing listed companies, state-owned financial institutions and central enterprises, CII operators and large online-platform operators (over one million users), and overseas-listing engagements, as well as any engagement involving important or core data. It requires full-life-cycle data security management, data classification and grading, least-privilege access controls, domestic storage of audit working papers (with domestic encryption equipment and key storage), prohibitions on clauses providing domestic project data to overseas regulators, and compliance with cross-border data transfer rules. The chief partner is designated as the firm's data security officer. Effective October 1, 2024."
    },
    {
      "slug": "telecom-internet-user-pi-protection-provisions",
      "title_en": "Provisions on Protecting the Personal Information of Telecommunications and Internet Users",
      "title_zh": "电信和互联网用户个人信息保护规定",
      "abbreviation": "Telecom & Internet User PI Provisions",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Industry and Information Technology (MIIT)",
      "adopted_date": "2013-07-16",
      "effective_date": "2013-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/telecom-internet-user-pi-protection-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/telecom-internet-user-pi-protection-provisions.md",
      "source_url": "https://www.gov.cn/zhengce/2022-08/23/content_5722717.htm",
      "related_laws": [
        "pipl",
        "csl",
        "app-illegal-pi-collection-identification-method",
        "app-necessary-pi-scope-provisions",
        "mobile-app-information-services-provisions"
      ],
      "domains": [
        "personal-information",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the Ministry of Industry and Information Technology (MIIT) in July 2013 and effective 1 September 2013, these Provisions are the principal sector-specific rule governing the collection and use of users' personal information by telecommunications business operators and internet information service providers operating in China. They establish consent and notice requirements before collection, data-minimisation and purpose-limitation duties, strict confidentiality obligations, mandatory security safeguards (including access controls, breach reporting, annual self-audits, and staff training), and a two-tier penalty regime enforced by MIIT and its provincial communications-administration bureaus. Predating the Personal Information Protection Law (PIPL) by eight years, the Provisions remain in force as a sectoral antecedent and continue to bind telecom and ISP licensees directly through the licence-review process; overseas counsel advising clients who hold or apply for Chinese ICP or telecom value-added service licences must treat these Provisions as the operative data-protection floor alongside PIPL."
    },
    {
      "slug": "public-security-video-image-system-regulations",
      "title_en": "Administrative Regulation for Public Security Video Image Information Systems",
      "title_zh": "公共安全视频图像信息系统管理条例",
      "abbreviation": "PVISR",
      "hierarchy": "regulation",
      "issuing_body": "State Council",
      "adopted_date": "2024-12-16",
      "effective_date": "2025-04-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/public-security-video-image-system-regulations/",
      "markdown_url": "https://datacompliancechina.com/laws/public-security-video-image-system-regulations.md",
      "related_laws": [
        "pipl",
        "csl",
        "facial-recognition-judicial-interpretation"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The State Council's overarching regulation for public security video image information systems (公共安全视频系统) in public places. Distinguishes three operator types: government-led, public-private partnership, and private-led, and applies graduated obligations depending on the operator type. Implements PIPL Article 26 for video-image capture in public places, including filing obligations, mandatory signage, retention, and security duties. Read with the 2025 FRT Measures (Decree No. 19) for facial-recognition deployments."
    },
    {
      "slug": "minors-protection-law",
      "title_en": "Law on the Protection of Minors",
      "title_zh": "中华人民共和国未成年人保护法",
      "abbreviation": "Minors Protection Law",
      "hierarchy": "law",
      "issuing_body": "Standing Committee of the National People's Congress",
      "adopted_date": "1991-09-04",
      "effective_date": "2021-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/minors-protection-law/",
      "markdown_url": "https://datacompliancechina.com/laws/minors-protection-law.md",
      "related_laws": [
        "minors-online-protection-regulations",
        "children-pi-online-protection-provisions",
        "minors-harmful-info-classification-measures",
        "pipl"
      ],
      "domains": [
        "minors-protection",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "The umbrella statute for the protection of minors in China. Its 2020 revision added a dedicated 'Network Protection' chapter that anchors the entire minors-online-protection regime: internet-literacy education duties for the state, society, schools, and families (Art. 64); school management of smartphones and smart terminals (Art. 70); mandatory school bullying prevention-and-control systems with reporting duties for serious incidents (Art. 39); and school duties to notify parents and intervene when students show internet addiction (Art. 71). The Regulations on the Protection of Minors in Cyberspace (2024) implement the chapter at administrative-regulation level, and the MOE's Provisions on the Protection of Minors by Schools implement the school-facing duties."
    },
    {
      "slug": "ai-content-labeling-measures",
      "title_en": "Measures for the Labeling of AI-Generated and Composed Content",
      "title_zh": "人工智能生成合成内容标识办法",
      "hierarchy": "rule",
      "issuing_body": "CAC, MIIT, MPS, NRTA",
      "adopted_date": "2025-03-07",
      "effective_date": "2025-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/ai-content-labeling-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/ai-content-labeling-measures.md",
      "related_laws": [
        "genai-services-interim-measures",
        "deep-synthesis-provisions"
      ],
      "domains": [
        "ai-governance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The newest of China's AI rules — mandatory labeling for AI-generated and AI-composed content, including text, images, audio, video, and virtual scenes. Distinguishes between 'visible/audible labels' (for end users) and 'implicit labels' (metadata/watermarks for platforms). Applies to all platforms providing GenAI or deep synthesis services in China, with corresponding obligations on app stores and content distribution platforms."
    },
    {
      "slug": "mobile-app-information-services-provisions",
      "title_en": "Provisions on the Administration of Mobile Internet Application Information Services (2022 Revision)",
      "title_zh": "移动互联网应用程序信息服务管理规定（2022 修订）",
      "abbreviation": "Mobile App Information Services Provisions",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2022-06-14",
      "effective_date": "2022-08-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/mobile-app-information-services-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/mobile-app-information-services-provisions.md",
      "source_url": "https://www.cac.gov.cn/2022-06/14/c_1656821626455324.htm",
      "related_laws": [
        "internet-information-services-measures",
        "pipl",
        "app-illegal-pi-collection-identification-method",
        "app-necessary-pi-scope-provisions",
        "telecom-internet-user-pi-protection-provisions"
      ],
      "domains": [
        "app-compliance",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The 2022 revision of the CAC's flagship app-governance rule, effective 1 August 2022, imposes dual-track obligations on app providers and app distribution platforms (including app stores, mini-program platforms, and browser plug-in platforms). App providers must verify users' real identity information via mobile-phone number, identity-document number, or unified social credit code before enabling publication or messaging features, and must comply with personal information minimization requirements — including a prohibition on denying core service functionality solely because a user declines to supply non-essential personal information. App distribution platforms must register with provincial-level CAC offices within 30 days of going live, implement multi-factor real identity verification of every app provider seeking to list on the platform, and conduct substantive pre-listing and ongoing review of apps for legal compliance, data security risks, and illegal or excessive collection and use of personal information. Overseas counsel advise on these provisions because they set the compliance baseline that any foreign app operator — whether publishing directly or distributing through Chinese app stores — must satisfy before reaching Chinese users."
    },
    {
      "slug": "children-in-distress-pi-protection-measures",
      "title_en": "Working Measures for the Protection of the Personal Information of Children in Distress",
      "title_zh": "困境儿童个人信息保护工作办法",
      "abbreviation": "Children in Distress PI Measures",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Civil Affairs; Publicity Department of the CPC Central Committee; Commission for Political and Legal Affairs of the CPC Central Committee; Cyberspace Administration of China; Supreme People's Court; Supreme People's Procuratorate; Ministry of Education; Ministry of Public Security; Ministry of Justice; Ministry of Culture and Tourism; National Health Commission; National Radio and Television Administration; Office of the National Working Committee on Children and Women under the State Council; All-China Federation of Trade Unions; Central Committee of the Communist Youth League; All-China Women's Federation; China Disabled Persons' Federation; National Working Committee on Caring for the Next Generation",
      "adopted_date": "2024-11-18",
      "effective_date": "2024-11-18",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/children-in-distress-pi-protection-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/children-in-distress-pi-protection-measures.md",
      "related_laws": [
        "children-pi-online-protection-provisions"
      ],
      "domains": [
        "personal-information",
        "minors-protection"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Working measures (Min Fa [2024] No. 67) jointly issued by the Ministry of Civil Affairs and seventeen other central authorities and mass organizations to regulate the use and protection of the personal information of children in distress. Following the principle of 'whoever is in charge / whoever processes is responsible', the measures assign protection duties across the civil-affairs, education, health, judicial, publicity, cyberspace, culture-and-tourism and broadcasting systems, as well as trade unions, the Communist Youth League, women's federations and disabled persons' federations. They require consent of parents or guardians for processing the information of children under 14 (and consent of the child plus notice to guardians for those 14 and over), prohibit labeling, traffic-chasing and using such information for fundraising or live-stream commerce, and grant children and their guardians a right to inquire about and object to processing. Effective November 18, 2024."
    },
    {
      "slug": "minors-school-protection-provisions",
      "title_en": "Provisions on the Protection of Minors by Schools",
      "title_zh": "未成年人学校保护规定",
      "abbreviation": "School Protection Provisions",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Education (MOE)",
      "adopted_date": "2021-06-01",
      "effective_date": "2021-09-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/minors-school-protection-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/minors-school-protection-provisions.md",
      "related_laws": [
        "minors-protection-law",
        "minors-online-protection-regulations"
      ],
      "domains": [
        "minors-protection"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "MOE Order No. 50, the school-facing implementing rule under the Law on the Protection of Minors. For the online-protection regime its load-bearing provision is Article 21: teachers and staff who discover students fabricating facts to defame others, spreading rumors or false information, or maliciously disseminating others' private information through networks or other means must stop it promptly — the hook that turns online defamation and privacy-spreading incidents among students into a school management duty, with civil supplementary liability under Civil Code Article 1201 if the school fails to act."
    },
    {
      "slug": "data-security-management-certification-announcement",
      "title_en": "Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China on Carrying Out Data Security Management Certification",
      "title_zh": "国家市场监督管理总局、国家互联网信息办公室关于开展数据安全管理认证工作的公告",
      "abbreviation": "Data Security Certification Announcement",
      "hierarchy": "rule",
      "issuing_body": "State Administration for Market Regulation; Cyberspace Administration of China",
      "adopted_date": "2022-06-05",
      "effective_date": "2022-06-05",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/data-security-management-certification-announcement/",
      "markdown_url": "https://datacompliancechina.com/laws/data-security-management-certification-announcement.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Announcement (SAMR/CAC Announcement No. 18 of 2022) launching a voluntary data security management certification scheme that encourages network operators to certify their network-data processing activities (collection, storage, use, processing, transmission, provision, disclosure, etc.) and strengthen network data security protection. The attached Data Security Management Certification Implementation Rules, based on the Regulations on Certification and Accreditation and the standard GB/T 41479 (Information security technology—Security requirements for network data processing), set out a certification mode of 'technical verification + on-site audit + post-certification supervision', the certification procedure, a three-year certificate validity period, and rules on certificates, certification marks and the responsibilities of certification bodies. Effective June 5, 2022."
    },
    {
      "slug": "data-export-assessment-declaration-guide-v3",
      "title_en": "Guidelines for the Declaration of Data Export Security Assessment (Third Edition)",
      "title_zh": "数据出境安全评估申报指南（第三版）",
      "abbreviation": "Data Export Declaration Guide (v3)",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2025-06-27",
      "effective_date": "2025-06-27",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/data-export-assessment-declaration-guide-v3/",
      "markdown_url": "https://datacompliancechina.com/laws/data-export-assessment-declaration-guide-v3.md",
      "source_url": "https://www.cac.gov.cn/2025-06/27/c_1752652339765002.htm",
      "related_laws": [
        "data-export-security-assessment-measures",
        "cross-border-data-flows-provisions",
        "personal-info-standard-contract-measures",
        "pipl"
      ],
      "domains": [
        "cross-border",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The CAC's third-edition procedural guide — issued and effective 27 June 2025 — sets out in detail who must file a Data Export Security Assessment declaration, the step-by-step filing process through the online declaration system (sjcj.cac.gov.cn), the eight categories of required materials (including the self-assessment report and the legally binding contract with the overseas recipient), and the newly introduced procedure for applying to extend an approved assessment's validity period. It supersedes the first and second editions, streamlines the documentary requirements, and clarifies the conditions (capped volume increases of no more than 20 % over the prior three-year approval period) and timeline (60 working days before expiry) for extension applications. Overseas counsel advising on cross-border data transactions need this guide to prepare compliant declaration packages and to structure the legal agreement with the overseas recipient so that it satisfies the mandatory contractual checklist in the self-assessment report template."
    },
    {
      "slug": "gba-macao-cross-border-pi-standard-contract-guidelines",
      "title_en": "Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao)",
      "title_zh": "粤港澳大湾区（内地、澳门）个人信息跨境流动标准合同实施指引",
      "abbreviation": "GBA (Mainland-Macao) SCC Guidelines",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China and Economic and Technological Development Bureau of the Macao SAR",
      "adopted_date": "2024-09-10",
      "effective_date": "2024-09-10",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gba-macao-cross-border-pi-standard-contract-guidelines/",
      "markdown_url": "https://datacompliancechina.com/laws/gba-macao-cross-border-pi-standard-contract-guidelines.md",
      "source_url": "https://www.cac.gov.cn/2024-09/10/c_1727567893741986.htm",
      "related_laws": [
        "personal-info-standard-contract-measures",
        "cross-border-data-flows-provisions",
        "gba-hongkong-cross-border-pi-standard-contract-guidelines",
        "pipl"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Jointly issued on 10 September 2024 by the CAC, the Economic and Technological Development Bureau of the Macao SAR, and the Personal Data Protection Bureau of the Macao SAR, these Implementation Guidelines establish a bilateral facilitation arrangement that allows eligible personal information handlers registered or located in the nine Guangdong cities of the Greater Bay Area or the Macao SAR to transfer personal information between those two jurisdictions by executing a prescribed Standard Contract and filing it with the applicable local authority within 10 working days, without needing to pass a CAC security assessment — even where data volumes exceed the national thresholds that would otherwise trigger that assessment. The arrangement operates under the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area signed between the CAC and the Economic and Finance Bureau of the Macao SAR. The Guidelines exclude personal information classified as important data and require handlers to complete a Personal Information Protection Impact Assessment (PIPIA) before each cross-border provision. For overseas counsel, the arrangement is significant because it creates a distinct GBA intra-Bay-Area pathway that sits alongside — and in some respects relaxes — the three national cross-border transfer routes under PIPL and the Provisions on Promoting and Regulating Cross-border Data Flows."
    },
    {
      "slug": "medical-insurance-designated-institutions-measures",
      "title_en": "Interim Measures for the Administration of Medical Institutions as Designated Medical Insurance Institutions",
      "title_zh": "医疗机构医疗保障定点管理暂行办法",
      "hierarchy": "rule",
      "issuing_body": "National Healthcare Security Administration",
      "adopted_date": "2020-12-30",
      "effective_date": "2021-02-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/medical-insurance-designated-institutions-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-insurance-designated-institutions-measures.md",
      "related_laws": [
        "population-health-information-measures"
      ],
      "domains": [
        "health"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued as Order No. 2 of the National Healthcare Security Administration, these Interim Measures govern how medical institutions become and remain designated providers under China's basic medical insurance scheme. For data-compliance purposes, designation is conditioned on the institution's hospital information system meeting the technical and interface standards required to interface effectively with the medical-insurance information system and transmit all patient (treatment) data to it for direct online settlement (Articles 6 and 9). Designated institutions must report settlement statements and full settlement data—diagnoses, procedures, drug/consumable/service itemized costs, and physician/nurse identifiers—and bear responsibility for their authenticity (Article 21), while safeguarding the security of the medical-insurance-linked information system, complying with data-security rules, and protecting the privacy of insured persons (Article 24). The handling agency, in turn, publishes the medical-insurance information-system data sets and interface standards and is likewise bound by data-security and privacy obligations (Articles 34 and 35)."
    },
    {
      "slug": "gba-hongkong-cross-border-pi-standard-contract-guidelines",
      "title_en": "Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)",
      "title_zh": "粤港澳大湾区（内地、香港）个人信息跨境流动标准合同实施指引",
      "abbreviation": "GBA (Mainland-Hong Kong) SCC Guidelines",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China and Innovation, Technology and Industry Bureau of the Hong Kong SAR",
      "adopted_date": "2023-12-10",
      "effective_date": "2023-12-10",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gba-hongkong-cross-border-pi-standard-contract-guidelines/",
      "markdown_url": "https://datacompliancechina.com/laws/gba-hongkong-cross-border-pi-standard-contract-guidelines.md",
      "source_url": "https://www.cac.gov.cn/2023-12/13/c_1704042786237103.htm",
      "related_laws": [
        "personal-info-standard-contract-measures",
        "cross-border-data-flows-provisions",
        "gba-macao-cross-border-pi-standard-contract-guidelines",
        "pipl"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The 2023 GBA Mainland-Hong Kong facilitation arrangement jointly issued by the CAC and Hong Kong's Innovation, Technology and Industry Bureau on 10 December 2023, implementing the bilateral Memorandum of Cooperation on Promoting Cross-Border Data Flows in the Greater Bay Area. It establishes a simplified standard-contract pathway enabling personal information handlers and recipients registered or located in the nine mainland GBA cities (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing) or in Hong Kong SAR to transfer personal information cross-border without triggering the full national-level security assessment regime, subject to a mandatory Personal Information Protection Impact Assessment and filing with the Guangdong CAC or the Hong Kong Office of the Government Chief Information Officer within ten working days of contract entry into force. Personal information that has been notified or publicly released as important data is excluded. This arrangement was the model for the subsequent September 2024 GBA Mainland-Macao version and matters to overseas counsel because it creates a distinct, lighter-touch bilateral track for intra-GBA flows that operates alongside — and does not replace — PIPL's three national-level pathways."
    },
    {
      "slug": "pi-protection-officer-reporting-announcement",
      "title_en": "Announcement on Carrying Out the Reporting of Personal Information Protection Officer Information",
      "title_zh": "关于开展个人信息保护负责人信息报送工作的公告",
      "abbreviation": "PIPO Reporting Announcement",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2025-07-18",
      "effective_date": "2025-07-18",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/pi-protection-officer-reporting-announcement/",
      "markdown_url": "https://datacompliancechina.com/laws/pi-protection-officer-reporting-announcement.md",
      "source_url": "https://www.cac.gov.cn/2025-07/18/c_1754553420421538.htm",
      "related_laws": [
        "pipl",
        "personal-info-audit-measures",
        "network-data-security-regulations"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The July 2025 CAC announcement operationalises the person-in-charge-of-personal-information-protection (PIPO) designation and filing requirement under PIPL Article 52 and Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits: any personal information handler that processes the personal information of one million or more individuals must report the identity and contact details of its designated person in charge of personal information protection to the municipal-level CAC office where it is registered. Personal information handlers that had already crossed the one-million threshold before 18 July 2025 were given until 29 August 2025 to complete the initial filing; those crossing the threshold after that date must file within 30 business days. Reporting is done exclusively online through the Personal Information Protection Business System (grxxbh.cacdtsc.cn), also reachable from the CAC website's 'National Cyberspace Administration Affairs Hall.' For overseas counsel advising China-facing businesses, this announcement means that any client meeting the PIPL Art. 52 threshold must have a named, reported PIPO on file with the local regulator — failure to do so is an express regulatory violation."
    },
    {
      "slug": "medical-device-use-quality-measures",
      "title_en": "Measures for the Supervision and Administration of the Quality of Medical Device Use",
      "title_zh": "医疗器械使用质量监督管理办法",
      "hierarchy": "rule",
      "issuing_body": "China Food and Drug Administration",
      "adopted_date": "2015-10-21",
      "effective_date": "2016-02-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/medical-device-use-quality-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-device-use-quality-measures.md",
      "related_laws": [
        "medical-devices-supervision-regulation"
      ],
      "domains": [
        "health"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "This CFDA rule (Order No. 18) governs the quality management of medical devices at the point of use by hospitals and other using entities, covering procurement, acceptance, storage, use, maintenance, and transfer. It imposes detailed record-keeping and traceability obligations: incoming-inspection records, implantable-device usage records, and original records for Class III devices must be retained (in some cases permanently) to ensure information is traceable. The data-compliance touchpoints are the mandated traceability and recordkeeping systems, the encouragement of informatized (IT-based) quality management, and the requirement to monitor and log storage-environment data such as temperature and humidity."
    },
    {
      "slug": "facial-recognition-application-filing-announcement",
      "title_en": "Announcement on Carrying Out the Filing of Facial Recognition Technology Applications",
      "title_zh": "关于开展人脸识别技术应用备案工作的公告",
      "abbreviation": "FRT Filing Announcement",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2025-05-28",
      "effective_date": "2025-05-28",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/facial-recognition-application-filing-announcement/",
      "markdown_url": "https://datacompliancechina.com/laws/facial-recognition-application-filing-announcement.md",
      "source_url": "https://www.cac.gov.cn/2025-05/30/c_1750315544241157.htm",
      "related_laws": [
        "facial-recognition-technology-application-measures",
        "pipl",
        "facial-recognition-judicial-interpretation"
      ],
      "domains": [
        "personal-information",
        "ai-governance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "This May 2025 CAC announcement operationalizes the filing duty established under Article 15 of the Facial Recognition Technology Application Security Measures (CAC and MPS Order No. 19), which takes effect June 1, 2025. Personal information handlers that store facial information of 100,000 or more persons processed via facial recognition technology must file with the provincial-level cyberspace administration authority in their locality; those already at that threshold before June 1, 2025 have until July 14, 2025 to complete the initial filing. Filing is conducted exclusively online through the Personal Information Protection Business System at grxxbh.cacdtsc.cn, and any material change to filed information triggers a 30-working-day update obligation. Overseas counsel advising clients with operations or consumer-facing systems in China should note that the threshold is low by global standards and applies across sectors, making this a compliance priority for any deployment of biometric authentication, access control, or consumer identification at scale."
    },
    {
      "slug": "minors-pi-compliance-audit-reporting-announcement",
      "title_en": "Announcement on Submitting Reports on the Compliance Audit of Minors' Personal Information Protection",
      "title_zh": "关于报送未成年人个人信息保护合规审计情况的公告",
      "abbreviation": "Minors PI Audit Reporting Announcement",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "adopted_date": "2025-12-29",
      "effective_date": "2025-12-29",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/minors-pi-compliance-audit-reporting-announcement/",
      "markdown_url": "https://datacompliancechina.com/laws/minors-pi-compliance-audit-reporting-announcement.md",
      "source_url": "https://www.cac.gov.cn/2025-12/29/c_1768735145606358.htm",
      "related_laws": [
        "personal-info-audit-measures",
        "minors-online-protection-regulations",
        "children-pi-online-protection-provisions",
        "pipl"
      ],
      "domains": [
        "personal-information",
        "minors-protection"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued by the CAC on 29 December 2025, this short announcement operationalizes the annual compliance-audit-and-report obligation that Article 37 of the Regulations on the Protection of Minors in Cyberspace imposes on every personal information handler that processes personal information of minors. It fixes the annual reporting deadline (by 31 January of the following year), designates the local prefecture-level cyberspace administration authority as the recipient, mandates online submission through the CAC's Personal Information Protection Business System, and warns that failure to conduct or report the compliance audit will be dealt with under the applicable laws, regulations, and rules. The announcement bridges the PI Audit Measures (effective May 2025) and the minors-protection regime: any handler—regardless of scale—must audit its minors-PI practices each year. Overseas counsel advising multinationals with Chinese apps or platforms that reach minors should ensure clients have a standing annual audit-and-submission process in place before 31 January."
    },
    {
      "slug": "medical-device-recall-measures",
      "title_en": "Measures for the Administration of Medical Device Recall",
      "title_zh": "医疗器械召回管理办法",
      "hierarchy": "rule",
      "issuing_body": "China Food and Drug Administration",
      "adopted_date": "2017-01-25",
      "effective_date": "2017-05-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/medical-device-recall-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-device-recall-measures.md",
      "related_laws": [
        "medical-devices-supervision-regulation"
      ],
      "domains": [
        "health"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "This CFDA rule (Order No. 29) establishes the recall regime for marketed medical devices, defining defective products, classifying recalls into three grades by severity of health hazard, and setting out both voluntary and ordered (mandatory) recall procedures. Manufacturers must build a recall management system, collect device-safety information, investigate and assess potential defects, and keep detailed recall-handling records (retained for five years after the registration certificate expires). The data-compliance touchpoints are the mandated safety-information collection and adverse-event monitoring systems, the investigation/assessment recordkeeping, and the public disclosure of defect and recall information."
    },
    {
      "slug": "ai-anthropomorphic-interaction-measures",
      "title_en": "Interim Measures for the Management of AI Anthropomorphic Interaction Services",
      "title_zh": "人工智能拟人化互动服务管理暂行办法",
      "hierarchy": "rule",
      "issuing_body": "CAC, NDRC, MIIT, MPS, SAMR",
      "adopted_date": "2026-04-10",
      "effective_date": "2026-07-15",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/ai-anthropomorphic-interaction-measures.md",
      "related_laws": [
        "pipl",
        "genai-services-interim-measures",
        "deep-synthesis-provisions",
        "algorithmic-recommendation-provisions"
      ],
      "domains": [
        "ai-governance",
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "China's first regulation specifically targeting AI 'anthropomorphic interaction' — services where users converse with AI personas (virtual companions, chatbot relationships, character AI). Establishes registration requirements, age-verification and minor-protection obligations, mandatory disclaimers that users are interacting with AI, content moderation duties, and prohibitions on exploiting emotional vulnerabilities. Effective July 15, 2026. The first such regime globally."
    },
    {
      "slug": "large-medical-equipment-management-measures",
      "title_en": "Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial)",
      "title_zh": "大型医用设备配置与使用管理办法（试行）",
      "abbreviation": "Large Medical Equipment Measures",
      "hierarchy": "rule",
      "issuing_body": "National Health Commission",
      "adopted_date": "2018-05-22",
      "effective_date": "2018-05-22",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/large-medical-equipment-management-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/large-medical-equipment-management-measures.md",
      "source_url": "https://www.nhc.gov.cn/guihuaxxs/s10741/201805/",
      "related_laws": [
        "healthcare-institutions-data-security-pi-measures"
      ],
      "domains": [
        "health"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly on 22 May 2018 by the National Health Commission and the National Medical Products Administration (document no. 国卫规划发〔2018〕12号) under the Regulation on the Supervision and Administration of Medical Devices and the Administrative Licensing Law, these trial Measures govern the configuration (allocation) licensing and use of 'large medical equipment' — technically complex, high-cost devices placed on a managed catalogue. They establish a Class-A / Class-B catalogue with national versus provincial licensing, five-year configuration planning, a configuration-licence (one machine, one licence) regime, use-management obligations, and supervision through a configuration-and-use supervision information system. The data touchpoints are narrow but real: the configuration-management information system that operators must file equipment data into, the use/quality records and use archives that operators must maintain, and Article 33's requirement that operators build information-security safeguards for large-equipment use to ensure the security of the relevant information systems and of medical data. Credit-record (信用档案) consequences attach to misreporting and to certain licence lapses."
    },
    {
      "slug": "shenzhen-sez-data-regulations",
      "title_en": "Shenzhen Special Economic Zone Data Regulations",
      "title_zh": "深圳经济特区数据条例",
      "abbreviation": "Shenzhen Data Regulations",
      "hierarchy": "regulation",
      "issuing_body": "Standing Committee of the Shenzhen Municipal People's Congress",
      "adopted_date": "2021-06-29",
      "effective_date": "2022-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/shenzhen-sez-data-regulations/",
      "markdown_url": "https://datacompliancechina.com/laws/shenzhen-sez-data-regulations.md",
      "source_url": "https://www.sz.gov.cn/szzsj/gkmlpt/content/8/8935/post_8935483.html",
      "related_laws": [
        "pipl",
        "dsl",
        "data-foundation-system-opinions",
        "shenzhen-health-data-management-measures"
      ],
      "domains": [
        "data-economy",
        "personal-information",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "China's first comprehensive local data law, adopted by the Standing Committee of the Shenzhen Municipal People's Congress on 29 June 2021 and effective 1 January 2022. The Regulations pioneered express recognition of 'data rights and interests' (数据权益) — conferring personality-rights interests on individuals over their personal data and property-rights interests on lawful data processors over their data products — and introduced China's most detailed consent-and-notice regime for personal data at the time, including an explicit prohibition on big-data price discrimination against existing users (大数据杀熟). It established a public data sharing-as-default framework, a data factor market chapter with fair-competition rules, and comprehensive data security obligations including mandatory cross-border transfer security assessments. As the first sub-national regulation to span personal data, public data, the data factor market, and data security in a single instrument, Shenzhen's Regulations served as an influential drafting model ahead of PIPL (2021) and the Data Security Law (2021) and remain directly applicable to businesses operating in Shenzhen; overseas counsel should note that penalties for unlawful data trading can reach RMB 1 million, and anticompetitive data-market conduct can attract fines of up to 5% of prior-year revenue or RMB 50 million."
    },
    {
      "slug": "foreign-investment-security-review-measures",
      "title_en": "Measures for the Security Review of Foreign Investments",
      "title_zh": "外商投资安全审查办法",
      "abbreviation": "FISR Measures",
      "hierarchy": "rule",
      "issuing_body": "National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM)",
      "adopted_date": "2020-11-27",
      "effective_date": "2021-01-18",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/foreign-investment-security-review-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/foreign-investment-security-review-measures.md",
      "related_laws": [
        "pipl",
        "dsl",
        "csl",
        "cybersecurity-review-measures"
      ],
      "domains": [
        "cross-border",
        "cybersecurity-review"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The Foreign Investment Security Review (FISR) Measures govern review of foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The test for the security review's bite is actual control — defined broadly to include >50% equity, voting-share thresholds, and other circumstances that materially influence operational decisions, personnel, finance, or technology. These Measures were the legal basis for the April 2026 ban on the Meta–Manus acquisition."
    },
    {
      "slug": "automotive-data-export-security-guidelines",
      "title_en": "Guidelines for the Security of Automotive Data Export (2026 Edition)",
      "title_zh": "汽车数据出境安全指引（2026版）",
      "hierarchy": "standard",
      "issuing_body": "Cyberspace Administration of China",
      "adopted_date": "2026-01-01",
      "effective_date": "2026-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/automotive-data-export-security-guidelines/",
      "markdown_url": "https://datacompliancechina.com/laws/automotive-data-export-security-guidelines.md",
      "related_laws": [
        "automotive-data-security-provisions",
        "data-export-security-assessment-measures"
      ],
      "domains": [
        "industrial",
        "cross-border"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "These Guidelines give automotive data processors a practical, scenario-based roadmap for lawfully exporting automotive data under the Data Security Law, PIPL and the Network Data Security Management Regulation. They define what counts as a data-export act, set out the quantitative thresholds that trigger a security assessment, standard contract or certification (and the exemptions), provide a detailed important-data determination catalogue across six business scenarios, describe the end-to-end export procedure, and impose management, technical-protection, logging and emergency-response requirements. The important-data determination tables are rendered below as structured prose by scenario rather than reproduced cell-by-cell."
    },
    {
      "slug": "civil-aviation-data-security-monitoring-requirements",
      "title_en": "Technical Requirements for Monitoring and Warning of Data Security in Civil Aviation (MH/T 3038—2025)",
      "title_zh": "民用航空数据安全监测预警技术要求（MH/T 3038—2025）",
      "abbreviation": "MH/T 3038—2025",
      "hierarchy": "standard",
      "issuing_body": "Civil Aviation Administration of China",
      "adopted_date": "2025-07-18",
      "effective_date": "2025-08-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/civil-aviation-data-security-monitoring-requirements/",
      "markdown_url": "https://datacompliancechina.com/laws/civil-aviation-data-security-monitoring-requirements.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "energy-resources",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "MH/T 3038—2025 is a civil-aviation industry standard issued by the Civil Aviation Administration of China (CAAC), released July 18, 2025 and effective August 1, 2025. It establishes the basic principles for civil-aviation data security monitoring and warning and specifies the technical requirements for data security monitoring and warning, to guide data processors in the civil-aviation field in building monitoring and early-warning capabilities; it does not apply to data security monitoring and warning involving State secrets. The standard sets out monitoring requirements across the full data-processing lifecycle (collection, storage, use and processing, transmission, provision, deletion), keyed to the protection of core data, important data, and sensitive personal information, and aligned with the aviation data classification and grading standard MH/T 3039. It defines a four-tier warning system — red (Level I), orange (Level II), yellow (Level III), and blue (Level IV) — based on data level and volume, together with requirements for warning issuance, response, and escalation/de-escalation or cancellation. Appendix A provides illustrative monitoring examples for typical civil-aviation business scenarios (passenger ticketing, security screening, baggage check-in, check-in, air traffic management, and safety supervision)."
    },
    {
      "slug": "idc-customer-data-security-guidelines",
      "title_en": "Implementing Guidelines for the Protection of Customer Data Security in Internet Data Centers",
      "title_zh": "互联网数据中心客户数据安全保护实施指引",
      "hierarchy": "standard",
      "issuing_body": "General Office of the Ministry of Industry and Information Technology",
      "adopted_date": "2025-01-13",
      "effective_date": "2025-01-13",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/idc-customer-data-security-guidelines/",
      "markdown_url": "https://datacompliancechina.com/laws/idc-customer-data-security-guidelines.md",
      "related_laws": [
        "dsl",
        "csl",
        "network-data-security-regulations"
      ],
      "domains": [
        "industrial",
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued as MIIT General Office Cyber Security [2025] No. 5, this instrument comprises a notice and an annexed implementing guideline directing Internet Data Center (IDC) operators to strengthen the security of customer data they host. It follows the principle of consistent rights and responsibilities, classified strategy, combined management-and-technology, and ensured security, and sets out general safeguard capabilities (responsibility boundaries, access/operation/destruction/isolation controls, incident response, and security-service provision) plus scenario-specific requirements for server-hosting and for data-storage-and-computing (including AI training-data and computing-power-scheduling security). Both the notice and the annexed guideline are translated in full below."
    },
    {
      "slug": "hospital-informatization-standards",
      "title_en": "National Standards and Norms for Hospital Informatization Construction (Trial)",
      "title_zh": "全国医院信息化建设标准与规范（试行）",
      "abbreviation": "Hospital Informatization Standards",
      "hierarchy": "standard",
      "issuing_body": "National Health Commission; State Administration of Traditional Chinese Medicine",
      "adopted_date": "2018-04-02",
      "effective_date": "2018-04-02",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/hospital-informatization-standards/",
      "markdown_url": "https://datacompliancechina.com/laws/hospital-informatization-standards.md",
      "source_url": "https://www.nhc.gov.cn/guihuaxxs/s10741/201804/",
      "related_laws": [
        "csl",
        "healthcare-institutions-cybersecurity-measures",
        "healthcare-institutions-data-security-pi-measures",
        "electronic-medical-records-application-specification"
      ],
      "domains": [
        "health",
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "Issued on 2 April 2018 by the General Office of the National Health Commission (document no. 国卫办规划发〔2018〕4号), this trial standard defines the baseline build-out content and requirements for hospital informatization across China. It builds on the earlier 'Hospital Information Platform Application Function Guide' and 'Hospital Informatization Construction Application Technology Guide' and organizes 262 specific items into five chapters — business applications, information platform, infrastructure, security protection, and emerging technologies — with tiered requirements for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals. Chapter 4 (Security Protection) is the data-compliance core: it specifies functional requirements for data-center security, endpoint security, network security, and disaster-recovery backup, including firewalls, database audit and access control, intrusion detection/prevention, encryption gateways, data-leak prevention, and offsite backup. The full instrument is a large tabular technical standard; the page below translates the issuing notice in full and gives a structured English summary of the standard's security, network-security, and information-security functional requirements."
    },
    {
      "slug": "medical-device-clinical-trial-qms",
      "title_en": "Good Clinical Practice for Medical Devices",
      "title_zh": "医疗器械临床试验质量管理规范",
      "abbreviation": "Device GCP",
      "hierarchy": "standard",
      "issuing_body": "National Medical Products Administration; National Health Commission",
      "adopted_date": "2022-03-24",
      "effective_date": "2022-05-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/medical-device-clinical-trial-qms/",
      "markdown_url": "https://datacompliancechina.com/laws/medical-device-clinical-trial-qms.md",
      "related_laws": [
        "medical-devices-supervision-regulation"
      ],
      "domains": [
        "health",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly by the NMPA and the National Health Commission (Announcement No. 28 of 2022) and effective May 1, 2022, this standard (Device GCP) governs the entire lifecycle of medical-device clinical trials (including in-vitro diagnostic reagents), from protocol design through monitoring, audit, inspection, and the collection, recording, retention, analysis, summarization and reporting of trial data. It places heavy emphasis on trial-data integrity — data must be authentic, accurate, complete and traceable, source data must be identifiable and changes tracked, and electronic data-capture systems must be validated with full permission management and audit trails. The data-compliance touchpoints are pervasive: subject-privacy protection and informed consent (with explicit confidentiality of subjects' personal data subject to defined access by regulators, the ethics committee, monitors and auditors), source-data/source-document traceability, electronic-records controls, and long-term retention of trial master files."
    },
    {
      "slug": "drug-clinical-trial-qms",
      "title_en": "Good Clinical Practice for Drugs (2020 Revision)",
      "title_zh": "药物临床试验质量管理规范（2020修订）",
      "abbreviation": "Drug GCP",
      "hierarchy": "standard",
      "issuing_body": "National Medical Products Administration; National Health Commission",
      "adopted_date": "2020-04-23",
      "effective_date": "2020-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/drug-clinical-trial-qms/",
      "markdown_url": "https://datacompliancechina.com/laws/drug-clinical-trial-qms.md",
      "related_laws": [
        "rwd-guiding-principles",
        "drug-administration-law"
      ],
      "domains": [
        "health",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "Issued jointly by the NMPA and the National Health Commission (Announcement No. 57 of 2020) and effective July 1, 2020, this revised standard (Drug GCP) is the quality benchmark for the entire process of drug clinical trials — protocol design, organization and implementation, monitoring, audit, recording, analysis, summarization and reporting. It contains detailed requirements for trial-data management and integrity: source data must satisfy attributability, legibility, contemporaneousness, originality, accuracy, completeness, consistency and durability (ALCOA), changes must leave a trail, and electronic data-management/computerized systems must be validated with audit trails, access controls and data backup. The data-compliance touchpoints are extensive: protection of subject privacy and confidentiality of related information, use of a subject identification code in place of names, electronic-data and computerized-system controls, defined direct-access rights for monitors/auditors/the ethics committee/regulators, rules on transfer of data ownership, and long retention of essential documents."
    },
    {
      "slug": "gbt-35273-2026-draft-pi-security-specification",
      "title_en": "Data Security Technology — Personal Information Security Specification (2026 Draft for Comment)",
      "title_zh": "数据安全技术 个人信息安全规范（征求意见稿）",
      "abbreviation": "GB/T 35273 (2026 draft)",
      "hierarchy": "draft",
      "issuing_body": "National Cybersecurity Standardization Technical Committee (TC260); drafting lead: China Electronics Standardization Institute (CESI)",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/gbt-35273-2026-draft-pi-security-specification/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-35273-2026-draft-pi-security-specification.md",
      "source_url": "https://mp.weixin.qq.com/s/_rWTtpMRTU-SA88NPhQyQQ",
      "related_laws": [
        "gbt-35273-pi-security-specification",
        "pipl",
        "network-data-security-regulations",
        "personal-info-audit-measures",
        "gbt-45574-sensitive-pi-processing-security"
      ],
      "domains": [
        "personal-information",
        "ai-governance",
        "cross-border",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "The 2026 draft revision of GB/T 35273 — released by TC260 for public comment on June 17, 2026 (project No. 20260700-T-469; drafting lead CESI) to replace GB/T 35273-2020. It retitles the standard 'Data Security Technology — Personal Information Security Specification', expands normative references from one standard to eight, and recasts China's most-cited personal information benchmark from a consent/notice manual into a full-lifecycle governance framework. Headline additions: a Chapter 5 lawful-basis chapter importing PIPL Art. 13's seven bases with hard per-basis boundaries; a sensitive-PI redefinition aligned to PIPL Art. 28 with an aggregation rule; a 'separate consent' definition; a new eighth 'quality assurance' principle; dedicated AI/generative-AI clauses (6.7, 6.1, 8.4, 8.5.4); unified-account (8.6) and terminal/IoT (6.8) collection clauses; a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (person in charge, records, PIPIA, GB/T 46903 compliance audit). Subject-rights response tightens from 30 days to 15 working days. Comment draft, non-binding and non-final; formal release expected after 2027."
    },
    {
      "slug": "data-classification-grading-rules",
      "title_en": "Data Security Technology — Rules for Data Classification and Grading (GB/T 43697-2024)",
      "title_zh": "数据安全技术 数据分类分级规则 (GB/T 43697-2024)",
      "abbreviation": "GB/T 43697",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2024-10-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/data-classification-grading-rules/",
      "markdown_url": "https://datacompliancechina.com/laws/data-classification-grading-rules.md",
      "related_laws": [
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 43697-2024 is the foundational national standard operationalizing the data classification and grading protection system mandated by DSL Article 21. Issued 15 March 2024 and effective 1 October 2024, it sets out the principles, framework, methods and workflow for classifying data by sector/business attribute and grading it into three tiers — core data (核心数据), important data (重要数据) and general data (一般数据) — and provides an important-data identification guide. It is the reference document that sector regulators use to build sector-specific catalogues and that data processors use to classify and grade their own holdings."
    },
    {
      "slug": "facial-recognition-technology-application-measures",
      "title_en": "Administrative Measures for the Application Security of Facial Recognition Technology",
      "title_zh": "人脸识别技术应用安全管理办法",
      "abbreviation": "FRT Measures",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC) and Ministry of Public Security (MPS)",
      "adopted_date": "2024-09-30",
      "effective_date": "2025-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/facial-recognition-technology-application-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/facial-recognition-technology-application-measures.md",
      "related_laws": [
        "pipl",
        "dsl",
        "csl",
        "network-data-security-regulations",
        "public-security-video-image-system-regulations",
        "facial-recognition-judicial-interpretation"
      ],
      "domains": [
        "personal-information",
        "ai-governance",
        "enforcement"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The dedicated CAC + MPS rule for facial-recognition technology applications, implementing PIPL Articles 26 and 28–32 and the Civil Code privacy chapter. Covers the three governing principles of minimum-use, voluntary choice, and minimum-storage; the filing regime for processors handling face data of more than 100,000 persons; mandatory PIPIA, signage, prohibition on FRT in private spaces (changing rooms, bathrooms, hotel rooms); preference for authoritative ID-verification channels over independent FRT collection; and the inter-agency coordination structure under CAC + MPS."
    },
    {
      "slug": "gbt-35273-pi-security-specification",
      "title_en": "Information Security Technology — Personal Information Security Specification (GB/T 35273-2020)",
      "title_zh": "信息安全技术 个人信息安全规范 (GB/T 35273-2020)",
      "abbreviation": "GB/T 35273",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2020-10-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-35273-pi-security-specification/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-35273-pi-security-specification.md",
      "related_laws": [
        "gbt-35273-2026-draft-pi-security-specification",
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 35273-2020 is China's foundational recommended national standard on personal information protection. First issued in 2017 and revised in 2020, it predates PIPL and shaped much of its drafting; it sets out detailed good-practice requirements across the full personal-information lifecycle — collection, storage, use, sharing/transfer/disclosure, deletion — plus security incident handling and organizational governance. Although a recommended (non-mandatory) standard, it has long been the operational benchmark Chinese regulators reference, and it remains the most detailed practical gloss on PIPL's principles."
    },
    {
      "slug": "telemedicine-information-system-technical-guide",
      "title_en": "Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition)",
      "title_zh": "远程医疗信息系统建设技术指南（2014年版）",
      "abbreviation": "Telemedicine System Technical Guide",
      "hierarchy": "standard",
      "issuing_body": "National Health and Family Planning Commission",
      "adopted_date": "2014-11-01",
      "effective_date": "2014-01-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/telemedicine-information-system-technical-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/telemedicine-information-system-technical-guide.md",
      "source_url": "https://www.nhc.gov.cn/",
      "related_laws": [
        "csl",
        "internet-diagnosis-treatment-measures",
        "healthcare-institutions-cybersecurity-measures",
        "healthcare-institutions-data-security-pi-measures"
      ],
      "domains": [
        "health",
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "Issued in November 2014 by the National Health and Family Planning Commission, this technical guide is the normative reference document for designing, procuring, deploying, and accepting telemedicine information systems in China. Across eleven parts it sets out the principles, goals and tasks of telemedicine-system construction; a needs analysis covering user, business, functional, information, technical and information-security requirements; a four-layer design architecture (system, function, information, technical); a standards-and-security chapter; and detailed build-out specifications for national- and provincial-level telemedicine service and resource supervision centres and for service stations down to the township/community level. For data compliance, the relevant material is the information-security needs analysis (Part 3.6) and the information-security construction chapter (Part 5.2), which require patient-privacy protection, integrity and confidentiality of data in transmission and storage, local and offsite backup, security-domain isolation between hospital intranets and the telemedicine extranet, and an MLPS-aligned security architecture spanning physical, network, host, application, and data security plus five management domains. The document is a large technical guide; the page below is a structured English summary rather than a verbatim translation."
    },
    {
      "slug": "gbt-39335-pi-impact-assessment-guide",
      "title_en": "Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020)",
      "title_zh": "信息安全技术 个人信息安全影响评估指南 (GB/T 39335-2020)",
      "abbreviation": "GB/T 39335",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2021-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 39335-2020 is the recommended national standard that operationalizes the personal-information security impact assessment (PIA / 个人信息安全影响评估). It sets out the principles, implementation method, working steps and reporting format for assessing the risks that personal-information processing poses to data subjects' rights and interests. Issued in 2020 and effective 1 June 2021, it is the practical reference China's handlers use to conduct the impact assessment that PIPL Article 55 makes mandatory before high-risk processing activities."
    },
    {
      "slug": "gbt-41479-network-data-processing-security",
      "title_en": "Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022)",
      "title_zh": "信息安全技术 网络数据处理安全要求 (GB/T 41479-2022)",
      "abbreviation": "GB/T 41479",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2022-11-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security.md",
      "related_laws": [
        "dsl",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 41479-2022 is the recommended national standard specifying security requirements for the processing of network data — data collected, stored, transmitted, used, provided, disclosed and deleted through networks. It sets lifecycle security requirements for network data processing activities by network operators, organized by processing stage, and serves as a baseline reference for implementing the data-security duties of the Cybersecurity Law and Data Security Law. It applies across general network operations and informs the Network Data Security Management Regulations."
    },
    {
      "slug": "gbt-42460-deidentification-evaluation-guide",
      "title_en": "Information Security Technology — Guide for Evaluation of Personal Information De-identification Effect (GB/T 42460-2023)",
      "title_zh": "信息安全技术 个人信息去标识化效果评估指南 (GB/T 42460-2023)",
      "abbreviation": "GB/T 42460",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2023-12-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-42460-deidentification-evaluation-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-42460-deidentification-evaluation-guide.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 42460-2023 is the recommended national standard for evaluating whether a personal-information de-identification process has actually worked. It sets out the goals, principles, evaluation framework and methods for judging re-identification risk in de-identified datasets — covering identifiers, the choice of de-identification models, and how to test residual risk. It complements GB/T 37964 (the de-identification guide) by providing the effectiveness-evaluation half, and supports PIPL's treatment of de-identification and anonymization."
    },
    {
      "slug": "gbt-42574-notification-consent-guide",
      "title_en": "Information Security Technology — Implementation Guide for Notification and Consent in Personal Information Processing (GB/T 42574-2023)",
      "title_zh": "信息安全技术 个人信息处理中告知和同意的实施指南 (GB/T 42574-2023)",
      "abbreviation": "GB/T 42574",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "effective_date": "2023-12-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-42574-notification-consent-guide.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 42574-2023 is the recommended national standard that operationalizes PIPL's notification (告知) and consent (同意) obligations. It gives handlers practical guidance on what to tell data subjects and how, when and in what form to obtain consent — including separate consent, written consent, consent from minors' guardians, and withdrawal of consent — across web, app and other interfaces. It is the implementation manual for PIPL Articles 14–17 and 23/25/29/39, turning the statute's notice-and-consent rules into concrete design requirements."
    },
    {
      "slug": "gbt-44588-platform-pi-processing-rules",
      "title_en": "Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024)",
      "title_zh": "数据安全技术 互联网平台及产品服务个人信息处理规则 (GB/T 44588-2024)",
      "abbreviation": "GB/T 44588",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 44588-2024 is a recommended national standard setting personal-information processing rules tailored to internet platforms and their products and services. It addresses how platform operators — and the products, services and third-party providers within their ecosystems — should handle personal information consistently with PIPL, including the heightened 'gatekeeper' obligations PIPL imposes on large platforms. It is one of the 2024 'Data Security Technology' series standards that build sector- and scenario-specific guidance on top of PIPL's general framework."
    },
    {
      "slug": "gbt-45392-automated-decision-security",
      "title_en": "Data Security Technology — Security Requirements for Automated Decision-Making Based on Personal Information (GB/T 45392-2025)",
      "title_zh": "数据安全技术 基于个人信息的自动化决策安全要求 (GB/T 45392-2025)",
      "abbreviation": "GB/T 45392",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-45392-automated-decision-security/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-45392-automated-decision-security.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information",
        "algorithm-recommendation"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 45392-2025 is a recommended national standard setting security requirements for automated decision-making (自动化决策) that is based on personal information. It operationalizes PIPL's automated-decision-making rules — transparency, fairness, the prohibition on unreasonable differential treatment, opt-out for personalized push and marketing, and the right to an explanation and to refuse decisions made solely by automated means. It is a 2025 'Data Security Technology' series standard that complements the algorithmic-recommendation regime."
    },
    {
      "slug": "gbt-45574-sensitive-pi-processing-security",
      "title_en": "Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025)",
      "title_zh": "数据安全技术 敏感个人信息处理安全要求 (GB/T 45574-2025)",
      "abbreviation": "GB/T 45574",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security.md",
      "related_laws": [
        "pipl"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 45574-2025 is a recommended national standard setting security requirements for processing sensitive personal information (敏感个人信息) as defined by PIPL Article 28. It addresses the heightened safeguards that attach across the lifecycle when handling sensitive PI — separate (and where required written) consent, specific-purpose and strict-necessity limits, intensified impact assessment, and enhanced technical and organizational controls. It complements the TC260 sensitive-PI identification guide by specifying how, once identified, sensitive PI must be protected."
    },
    {
      "slug": "gbt-45577-data-security-risk-assessment",
      "title_en": "Data Security Technology — Data Security Risk Assessment Method (GB/T 45577-2025)",
      "title_zh": "数据安全技术 数据安全风险评估方法 (GB/T 45577-2025)",
      "abbreviation": "GB/T 45577",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-45577-data-security-risk-assessment/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-45577-data-security-risk-assessment.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 45577-2025 is a recommended national standard specifying a method for assessing data security risk. It provides the principles, framework, process and assessment content for identifying and evaluating risks to data across its lifecycle — covering data assets, threats, vulnerabilities, existing safeguards and potential impact — and for rating overall data-security risk. It is a 2025 'Data Security Technology' series standard supporting the risk-assessment duties of the Data Security Law and the network-data regime."
    },
    {
      "slug": "gbt-46068-cross-border-pi-certification-requirements",
      "title_en": "Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025)",
      "title_zh": "数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025)",
      "abbreviation": "GB/T 46068",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements.md",
      "related_laws": [
        "cross-border-pi-certification-measures",
        "pipl"
      ],
      "domains": [
        "cross-border",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 46068-2025 is a recommended national standard setting the security requirements for certifying cross-border processing of personal information — the personal-information protection certification route that PIPL Article 38 offers as one lawful basis for transferring personal information abroad. It specifies the requirements that handlers and overseas recipients must meet to be certified, including legally binding agreements, organizational and technical safeguards, and protection of data subjects' rights. It elevates and complements the earlier TC260 certification specification."
    },
    {
      "slug": "gbt-46071-data-protection-social-responsibility",
      "title_en": "Data Security Technology — Guide to Social Responsibility for Data Security and Personal Information Protection (GB/T 46071-2025)",
      "title_zh": "数据安全技术 数据安全和个人信息保护社会责任指南 (GB/T 46071-2025)",
      "abbreviation": "GB/T 46071",
      "hierarchy": "standard",
      "issuing_body": "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-46071-data-protection-social-responsibility/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-46071-data-protection-social-responsibility.md",
      "related_laws": [
        "dsl"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "GB/T 46071-2025 is a recommended national standard offering guidance on social responsibility in data security and personal information protection. It frames data security and PI protection as elements of organizational social responsibility, providing principles and guidance for organizations to take responsibility toward data subjects, society and the public — covering governance, transparency, stakeholder engagement and accountability. It is a 2025 'Data Security Technology' series standard that complements the binding duties of the DSL and PIPL with a responsibility-and-governance framing."
    },
    {
      "slug": "pharma-data-supplier-credit-compliance-rules-draft",
      "title_en": "Implementing Rules for the Credit-Compliance Certification and Assessment of Pharmaceutical-Data Supplier Entities (Shenzhen Data Exchange — Draft / Redline)",
      "title_zh": "医药数据供方主体信用合规认证评估实施细则（深圳数据交易所·征求意见/红线稿）",
      "abbreviation": "Pharma-Data Supplier Credit-Compliance Rules (Draft)",
      "hierarchy": "draft",
      "issuing_body": "Shenzhen Data Exchange (深圳数据交易所)",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/pharma-data-supplier-credit-compliance-rules-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/pharma-data-supplier-credit-compliance-rules-draft.md",
      "related_laws": [
        "healthcare-institutions-data-security-pi-measures"
      ],
      "domains": [
        "health",
        "data-economy"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A DRAFT, self-regulatory certification rule from the Shenzhen Data Exchange (深圳数据交易所) — not a government regulation. The Exchange runs a 'supplier-entity credit-compliance certification' programme for participants in the data-element market; this instrument is the medical/health-data-specific implementing rule that sits beneath the Exchange's general certification guidance (《数据要素市场供方主体信用合规认证评估指引（通用）》). It applies to healthcare institutions seeking certification before they may supply medical-health data on the Exchange, and may be applied by reference by other entities that handle medical-health data. The rule layers medical-sector-specific requirements on top of the general guidance across three certification grades (A / AA / AAA): entity qualifications; a data-management-system build-out (governance, classification-grading into core/important/general data, physical and cryptographic security, storage and backup, monitoring and incident response, MLPS); and data-business compliance covering lawful sourcing, lawful internal processing (including dedicated EMR, medical-device, medical-insurance, clinical-trial, human-genetic-resources, and statistics rules), and lawful external circulation including cross-border transfer. The version translated below is the clean current text of a tracked-changes ('redline') V3 draft; each requirement carries a footnote citing the underlying Chinese law or rule. Because it is an Exchange certification standard rather than a binding legal instrument, it is a practical map of how the Shenzhen Data Exchange operationalizes China's health-data compliance regime for market participants, not a source of independent legal obligation."
    },
    {
      "slug": "public-data-registration-interim-measures",
      "title_en": "Interim Measures for the Registration and Administration of Public Data Resources",
      "title_zh": "公共数据资源登记管理暂行办法",
      "hierarchy": "rule",
      "issuing_body": "National Development and Reform Commission (NDRC) and National Data Administration (NDA)",
      "adopted_date": "2025-01-08",
      "effective_date": "2025-03-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/public-data-registration-interim-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/public-data-registration-interim-measures.md",
      "related_laws": [
        "pipl",
        "dsl",
        "csl",
        "network-data-security-regulations"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The Interim Measures establish a nationally unified registration system for public data resources — data collections produced by Party and government organs and public institutions in the course of performing statutory duties or providing public services. Registration is mandatory for public data resources that fall within authorized-operation scope; voluntary registration is encouraged for other public data resources and for data products and services derived from them. The Measures set the registration procedure (application, acceptance, formal review, public announcement, code issuance), define four registration types (initial, change, correction, deregistration), establish a three-year validity period with renewal, and provide for graded supervision under NDA's overall administration. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists."
    },
    {
      "slug": "tc260-pi-audit-practice-guide",
      "title_en": "Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements",
      "title_zh": "网络安全标准实践指南 — 个人信息保护合规审计要求",
      "abbreviation": "TC260 PI Audit Guide",
      "hierarchy": "standard",
      "issuing_body": "National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide.md",
      "related_laws": [
        "personal-info-audit-measures"
      ],
      "domains": [
        "personal-information",
        "enforcement"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "This TC260 practice guide sets out requirements for conducting the personal-information-protection compliance audit that PIPL Article 54 requires handlers to perform periodically. It provides an audit framework — the matters to examine across a handler's personal-information processing against PIPL obligations — to support both self-audits and audits commissioned to professional bodies under the Administrative Measures for Personal Information Protection Compliance Audits. It is advisory practice guidance, not a mandatory standard."
    },
    {
      "slug": "tc260-frt-payment-pi-guide",
      "title_en": "Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios",
      "title_zh": "网络安全标准实践指南 — 人脸识别支付场景个人信息安全保护要求",
      "abbreviation": "TC260 FRT Payment Guide",
      "hierarchy": "standard",
      "issuing_body": "National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide.md",
      "related_laws": [
        "facial-recognition-technology-application-measures"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "This TC260 practice guide sets personal-information security protection requirements specific to facial-recognition payment (人脸识别支付) scenarios. It addresses how face data should be collected, verified, transmitted, stored and protected when facial recognition is used to authorize payments, with an emphasis on consent, the availability of non-facial alternatives, anti-spoofing and minimization. It is advisory practice guidance complementing the facial-recognition application rules and PIPL's sensitive-PI regime."
    },
    {
      "slug": "tc260-qr-ordering-pi-guide",
      "title_en": "Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering",
      "title_zh": "网络安全标准实践指南 — 扫码点餐个人信息保护要求",
      "abbreviation": "TC260 QR Ordering Guide",
      "hierarchy": "standard",
      "issuing_body": "National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide.md",
      "related_laws": [
        "app-necessary-pi-scope-provisions"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "This TC260 practice guide sets personal-information protection requirements for QR-code ordering (扫码点餐) in restaurants and similar settings — a response to the common practice of forcing customers to follow accounts, register, or hand over excessive personal information just to view a menu or order. It emphasizes minimum necessity, the availability of order-without-registration options, and no forced follows or over-collection. It is advisory practice guidance applying PIPL's minimum-necessity principle and the app necessary-PI rules to this everyday scenario."
    },
    {
      "slug": "tc260-data-security-risk-assessment-guide",
      "title_en": "Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment",
      "title_zh": "网络安全标准实践指南 — 网络数据安全风险评估实施指引",
      "abbreviation": "TC260 Data Risk Assessment Guide",
      "hierarchy": "standard",
      "issuing_body": "National Information Security Standardization Technical Committee (TC260)",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide/",
      "markdown_url": "https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide.md",
      "related_laws": [
        "network-data-security-regulations"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "This TC260 practice guide gives step-by-step implementation guidelines for conducting a network data security risk assessment. It walks organizations through preparing for, executing and reporting an assessment of data-security risks across the data lifecycle — identifying assets, threats, vulnerabilities and impacts and rating overall risk — in support of the assessment duties created by the Network Data Security Management Regulations. It is the practice-oriented companion to the GB/T 45577 risk-assessment method, and is advisory rather than mandatory."
    },
    {
      "slug": "public-data-authorized-operation-specifications",
      "title_en": "Implementation Specifications for Authorized Operation of Public Data Resources (Trial)",
      "title_zh": "公共数据资源授权运营实施规范（试行）",
      "hierarchy": "rule",
      "issuing_body": "National Development and Reform Commission (NDRC) and National Data Administration (NDA)",
      "adopted_date": "2025-01-08",
      "effective_date": "2025-03-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/public-data-authorized-operation-specifications/",
      "markdown_url": "https://datacompliancechina.com/laws/public-data-authorized-operation-specifications.md",
      "related_laws": [
        "pipl",
        "dsl",
        "csl",
        "network-data-security-regulations",
        "public-data-registration-interim-measures"
      ],
      "domains": [
        "data-economy",
        "data-security"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "Companion rule to the Public Data Registration Interim Measures (also NDRC + NDA, January 2025). The Specifications establish the framework for 'authorized operation' (授权运营) of public data resources — the mechanism by which governments at and above the county level, and national sectoral authorities, can authorize qualified operating institutions to develop and operationalize public data resources, deliver data products and services to the market, and share in the revenue. Covers implementing institutions, operating institutions, the implementation plan, the agreement, supervision, anti-monopoly and security duties. The Operating-institution authorization period is capped at five years. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists."
    },
    {
      "slug": "app-pi-collection-use-provisions-draft",
      "title_en": "Provisions on the Collection and Use of Personal Information by Internet Applications (Draft for Public Consultation)",
      "title_zh": "互联网应用程序个人信息收集使用规定（征求意见稿）",
      "abbreviation": "App PI Collection and Use Provisions (Draft)",
      "hierarchy": "draft",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/app-pi-collection-use-provisions-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/app-pi-collection-use-provisions-draft.md",
      "related_laws": [
        "pipl",
        "csl",
        "network-data-security-regulations",
        "app-necessary-pi-scope-provisions",
        "app-illegal-pi-collection-identification-method",
        "mobile-app-information-services-provisions",
        "telecom-internet-user-pi-protection-provisions"
      ],
      "domains": [
        "personal-information",
        "app-compliance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A 39-article CAC draft, opened for comment on January 10, 2026, that consolidates app-privacy regulation into a single instrument covering four classes of actors for the first time: app operators, SDK operators, distribution platforms (app stores, mini-program and quick-app platforms), and smart-terminal/OS makers. It operationalizes minimum-necessary and notice-and-consent principles into granular, engineering-level rules — permission requests tied to the moment of use, scenario-based consent toggles, mandatory system-level storage-access frameworks in place of blanket storage permissions, on-device-only default storage for biometric identifiers, a 15-business-day account-cancellation deadline, and behavioral-audit duties for embedded SDKs. It also builds out platform-level gatekeeping: distribution platforms and terminal makers must vet operator identity before listing or preinstalling an app, refuse apps lacking a privacy policy or deletion/cancellation function, and post risk warnings on apps that regulators have publicly named for violations. For overseas counsel, this draft would sit alongside (and in several respects supersede in practice) the 2019 App PI Identification Method and the 2021 Necessary PI Scope Provisions, raising the bar on SDK due diligence, permission-timing UX, and cross-entity contractual allocation of responsibility across the app supply chain."
    },
    {
      "slug": "cybercrime-prevention-law-draft",
      "title_en": "Cybercrime Prevention Law (Draft for Public Consultation)",
      "title_zh": "网络犯罪防治法（征求意见稿）",
      "abbreviation": "Cybercrime Prevention Law (Draft)",
      "hierarchy": "draft",
      "issuing_body": "Ministry of Public Security (drafting); for eventual enactment by the NPC Standing Committee",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/cybercrime-prevention-law-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/cybercrime-prevention-law-draft.md",
      "related_laws": [
        "csl",
        "dsl",
        "pipl",
        "cybersecurity-review-measures",
        "network-data-security-regulations",
        "genai-services-interim-measures",
        "minors-online-protection-regulations"
      ],
      "domains": [
        "data-security",
        "cross-border",
        "enforcement"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "China's first standalone, comprehensive cybercrime statute, drafted by the Ministry of Public Security with a comment period that closed March 2, 2026. It goes well beyond the Criminal Law's cybercrime provisions to build a full prevention and governance framework: real-name controls over phone cards, bank accounts, and network accounts; a fifteen-item catalogue of prohibited \"cybercrime ecosystem\" conduct such as technical support, financial support, and personal-information or data misuse; tiered monitoring and reporting duties for ten categories of internet service, including a special obligation for AI service providers to detect and block abuse of their services; and cross-border tools including technical blocking of offshore actors, asset seizure, and entry/exit bans. Overseas counsel should read it closely for Article 2's extraterritorial reach, which extends to any offshore entity serving PRC users whose conduct harms China's national security, public interest, or the lawful rights of PRC citizens or organizations."
    },
    {
      "slug": "digital-virtual-human-info-service-measures-draft",
      "title_en": "Measures for the Administration of Digital Virtual Human Information Services (Draft for Public Consultation)",
      "title_zh": "数字虚拟人信息服务管理办法（征求意见稿）",
      "abbreviation": "Digital Virtual Human Measures (Draft)",
      "hierarchy": "draft",
      "issuing_body": "Cyberspace Administration of China (CAC)",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/digital-virtual-human-info-service-measures-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/digital-virtual-human-info-service-measures-draft.md",
      "related_laws": [
        "pipl",
        "csl",
        "dsl",
        "network-data-security-regulations",
        "minors-online-protection-regulations",
        "deep-synthesis-provisions",
        "ai-content-labeling-measures",
        "ai-anthropomorphic-interaction-measures"
      ],
      "domains": [
        "ai-governance",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "CAC's first dedicated regime for 'digital virtual humans' — human-driven or computation-driven digital avatars used to deliver Internet information services. The 27-article draft assigns obligations across five roles in the value chain (providers, technical-support parties, users, content-distribution platforms, and the real person behind a human-driven avatar) and bans a defined list of harmful conduct alongside a persistent, on-screen 'digital human' labeling duty. Its most consequential feature for overseas counsel: withdrawing consent to use of one's biometric data for avatar creation obliges the provider not just to delete the data but to affirmatively deregister the digital virtual human itself. It also bars virtual 'intimate relationships' marketed to minors and restricts manipulative retention tactics in AI anthropomorphic interaction. Comments closed May 6, 2026; the effective date is still blank in the draft."
    },
    {
      "slug": "cybersecurity-label-management-measures",
      "title_en": "Measures for the Administration of Cybersecurity Labels",
      "title_zh": "网络安全标识管理办法",
      "abbreviation": "Cybersecurity Label Measures",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS)",
      "adopted_date": "2026-07-01",
      "effective_date": "2026-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/cybersecurity-label-management-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/cybersecurity-label-management-measures.md",
      "related_laws": [
        "csl",
        "cybersecurity-review-measures"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A joint CAC–MIIT–MPS rule establishing a voluntary product-certification scheme — the 'China Cybersecurity Label' — for internet-connected products, layered into one/two/three-star tiers (basic, enhanced, and leading cybersecurity capability). Coverage is catalogue-managed: products are added in batches, each with its own implementing rules and technical basis, and critical network equipment and dedicated cybersecurity products already regulated under the 2023 security-management framework are carved out. Three-star products must clear penetration testing by a qualified third-party lab, and every label carries a scannable filing code linking to the test report and the manufacturer's compliance declaration. Misuse — forged or misappropriated labels, false advertising, or fabricated test results — triggers filing revocation, public naming, a one-year bar on re-filing, and entry into the national credit-information system. For overseas counsel, this is a market-facing trust mark rather than a mandatory compliance gate, but it interacts with existing MLPS and product-security obligations and is likely to become a de facto procurement or channel-access signal even though participation is nominally voluntary."
    },
    {
      "slug": "small-pi-processor-protection-guide-draft",
      "title_en": "Data Security Technology — Guide for Personal Information Protection by Small Personal Information Processors (Draft for Public Consultation)",
      "title_zh": "数据安全技术 小型个人信息处理者个人信息保护指南（征求意见稿）",
      "abbreviation": "Small PI Processor Protection Guide (Draft)",
      "hierarchy": "draft",
      "issuing_body": "National Information Security Standardization Technical Committee (TC260)",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft.md",
      "related_laws": [
        "pipl",
        "gbt-35273-pi-security-specification",
        "gbt-39335-pi-impact-assessment-guide",
        "gbt-45574-sensitive-pi-processing-security",
        "gbt-46068-cross-border-pi-certification-requirements"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A TC260 draft national standard implementing PIPL Article 62's mandate to write simplified personal-information rules for small processors — those handling fewer than 100,000 people's personal information, such as small merchants, sole proprietors, and community-service providers. It systematically scales down compliance expectations: oral or posted-notice consent in place of layered privacy policies, a five-year (rather than annual) compliance-audit cycle, a one-page impact-assessment worksheet (Annex D) instead of a formal PIPIA report, and SMS or phone verification for identity checks on rights requests. It also sets out four cross-border exemption scenarios and an audit exemption for processors already holding personal information protection certification. For overseas counsel, this is the practitioner-level document defining what proportionate PIPL compliance looks like at the smallest end of the market — the small merchants, franchisees, and local service providers that portfolio companies and platform counterparties often deal with in China."
    },
    {
      "slug": "ai-ethics-review-service-measures",
      "title_en": "Measures for the Ethics Review of and Services for Artificial Intelligence Science and Technology (Trial)",
      "title_zh": "人工智能科技伦理审查与服务办法（试行）",
      "abbreviation": "AI Ethics Review Measures (Trial)",
      "hierarchy": "rule",
      "issuing_body": "Ministry of Industry and Information Technology (MIIT) and nine other departments",
      "adopted_date": "2026-03-20",
      "effective_date": "2026-03-20",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/ai-ethics-review-service-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/ai-ethics-review-service-measures.md",
      "related_laws": [
        "genai-services-interim-measures",
        "deep-synthesis-provisions",
        "algorithmic-recommendation-provisions",
        "ai-anthropomorphic-interaction-measures"
      ],
      "domains": [
        "ai-governance"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "China's first dedicated departmental rule on AI-specific science-and-technology ethics review, issued jointly by MIIT, NDRC, MOE, MOST, NHC, PBOC, the CAC, and three other bodies. It requires every organization running qualifying AI research or development to stand up an ethics committee spanning technical, application, ethics, and legal expertise, and routes proposals through general, expedited, or emergency review tracks against six review criteria: wellbeing, fairness, controllability, transparency, traceability, and privacy. Its sharpest feature is a closed list of three high-risk activity categories — strongly influential human-machine fusion systems, algorithms with public-opinion mobilization capability, and highly autonomous automated decision systems in safety-critical settings — that must clear a mandatory expert re-review on top of the ordinary committee sign-off. Violations are enforced through the underlying CSL, DSL, PIPL, and Science and Technology Progress Law rather than through standalone penalties in this rule. Overseas counsel advising China-facing AI developers should treat this as the operational rulebook for internal AI ethics governance structures, not merely an academic-research formality."
    },
    {
      "slug": "gbt-46901-pi-transfer-requirements",
      "title_en": "Data Security Technology — Requirements for Personal Information Transfer Based on Individual Requests (GB/T 46901—2025)",
      "title_zh": "数据安全技术 基于个人请求的个人信息转移要求（GB/T 46901—2025）",
      "abbreviation": "GB/T 46901-2025 (PI Portability)",
      "hierarchy": "standard",
      "issuing_body": "State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC)",
      "adopted_date": "2025-12-31",
      "effective_date": "2026-07-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/gbt-46901-pi-transfer-requirements/",
      "markdown_url": "https://datacompliancechina.com/laws/gbt-46901-pi-transfer-requirements.md",
      "related_laws": [
        "pipl",
        "gbt-35273-pi-security-specification",
        "gbt-39335-pi-impact-assessment-guide"
      ],
      "domains": [
        "personal-information"
      ],
      "featured": true,
      "full_text_available": true,
      "summary": "The first national standard implementing the personal-information-portability right in PIPL Article 45, effective July 1, 2026. It sets out two transfer models (subject-as-intermediary and processor-as-intermediary), scopes the portable-data boundary to actively-provided information and service-usage records — expressly excluding derived data such as profiling tags and friend graphs, network logs, trade secrets, and anonymized data — and fixes three preconditions: a consent-or-contract-necessity legal basis, no harm to third-party rights, and requests kept within reasonable limits (indicatively no more than twice a year). It prescribes a five-step process (initiation, verification, processing, export, import) with 15-working-day response times, mandatory structured and machine-readable export formats (CSV/JSON/XML), and dedicated rules for minors under 14, third-party data caught up in a transfer, and overseas recipients. Any consumer-facing personal information handler now has a concrete technical and procedural playbook to build against."
    },
    {
      "slug": "internet-platform-pricing-rules",
      "title_en": "Rules on Pricing Conduct by Internet Platforms",
      "title_zh": "互联网平台价格行为规则",
      "abbreviation": "Platform Pricing Rules",
      "hierarchy": "rule",
      "issuing_body": "National Development and Reform Commission (NDRC), State Administration for Market Regulation (SAMR), and Cyberspace Administration of China (CAC)",
      "adopted_date": "2025-12-09",
      "effective_date": "2026-04-10",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/internet-platform-pricing-rules/",
      "markdown_url": "https://datacompliancechina.com/laws/internet-platform-pricing-rules.md",
      "related_laws": [
        "algorithmic-recommendation-provisions",
        "online-trading-platform-rules-measures",
        "anti-unfair-competition-law",
        "pipl"
      ],
      "domains": [
        "data-economy",
        "algorithm-recommendation"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "A joint NDRC/SAMR/CAC rule (29 articles, five-year mandate) that regulates how e-commerce and service platforms set, display, and compete on price. It is fundamentally a pricing and anti-monopoly instrument, not a data-protection one — but Article 15 is the first pricing-level ban on algorithmic price discrimination against existing users (大数据杀熟), barring platforms from using data and algorithms to charge different prices for the same good or service under equivalent transaction conditions based on a consumer's willingness or ability to pay, or their consumption preferences and habits, without the consumer's knowledge. Article 24 also requires platforms to fold personal-information handling and algorithm filing into their internal price-compliance system. DCC catalogues it as background for briefs on algorithmic pricing and platform data practices, not as a standalone data-protection statute."
    },
    {
      "slug": "trade-secret-protection-provisions",
      "title_en": "Provisions on the Protection of Trade Secrets",
      "title_zh": "商业秘密保护规定",
      "abbreviation": "Trade Secret Protection Provisions",
      "hierarchy": "rule",
      "issuing_body": "State Administration for Market Regulation (SAMR)",
      "adopted_date": "2026-02-24",
      "effective_date": "2026-06-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/trade-secret-protection-provisions/",
      "markdown_url": "https://datacompliancechina.com/laws/trade-secret-protection-provisions.md",
      "related_laws": [
        "anti-unfair-competition-law",
        "dsl"
      ],
      "domains": [
        "data-security"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "SAMR's rewrite of China's 1995 trade-secret enforcement rules — issued as Order No. 126 under the Anti-Unfair Competition Law — folds algorithms, data, and source code squarely into the definition of a protectable technical-information trade secret, and for the first time recognizes tiered access, data masking, and audit-log retention as adequate confidentiality measures for remote-work and cross-border collaboration setups. It also names electronic intrusion and unauthorized transfer of files to personal cloud drives or external storage as 'improper means' of misappropriation, giving SAMR an administrative-enforcement path for conduct that would otherwise only surface as a data-security incident or a cybercrime case. For overseas counsel, it matters less as a data-protection instrument than as the rule that now lets an aggrieved company route an insider data-exfiltration episode through market-regulation enforcement rather than the police or the courts alone."
    },
    {
      "slug": "ai-agent-standardization-innovation-opinion",
      "title_en": "Implementation Opinions on the Standardized Application and Innovative Development of AI Agents",
      "title_zh": "智能体规范应用与创新发展实施意见",
      "abbreviation": "AI Agent Implementation Opinions",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC), National Development and Reform Commission (NDRC), and Ministry of Industry and Information Technology (MIIT)",
      "adopted_date": "2026-05-08",
      "effective_date": "2026-05-08",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/ai-agent-standardization-innovation-opinion/",
      "markdown_url": "https://datacompliancechina.com/laws/ai-agent-standardization-innovation-opinion.md",
      "related_laws": [
        "data-foundation-system-opinions",
        "genai-services-interim-measures",
        "pipl",
        "algorithmic-recommendation-provisions"
      ],
      "domains": [
        "ai-governance",
        "data-economy"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "CAC, NDRC, and MIIT's joint policy blueprint for AI agents (智能体) — autonomous systems that perceive, remember, decide, and act — sets 38 initiatives to grow the industry while keeping it 'safe and controllable.' Most of the document is industrial promotion outside DCC's scope, but Part Three sets the first governance-specific requirements for agents: boundaries between decisions users must make themselves, decisions requiring user authorization, and decisions an agent may make autonomously; agent-specific technical duties on data security, personal information protection, and anti-data-poisoning defenses; and a tiered, risk-based governance framework that layers filing, testing, and product-recall obligations onto agent deployments in sensitive sectors. It is a policy opinion, not a binding rule with penalty provisions, but it signals where CAC's next agent-specific rulemaking is headed. Overseas counsel advising on agentic AI products aimed at the China market should treat it as an early map of the compliance architecture to come."
    },
    {
      "slug": "minors-harmful-info-classification-measures",
      "title_en": "Measures for the Classification of Online Information That May Affect the Physical and Mental Health of Minors",
      "title_zh": "可能影响未成年人身心健康的网络信息分类办法",
      "abbreviation": "Minors Harmful-Info Classification Measures",
      "hierarchy": "rule",
      "issuing_body": "Cyberspace Administration of China (CAC) and seven other departments",
      "adopted_date": "2025-12-26",
      "effective_date": "2026-03-01",
      "status": "effective",
      "url": "https://datacompliancechina.com/laws/minors-harmful-info-classification-measures/",
      "markdown_url": "https://datacompliancechina.com/laws/minors-harmful-info-classification-measures.md",
      "related_laws": [
        "minors-online-protection-regulations",
        "children-pi-online-protection-provisions",
        "csl",
        "pipl",
        "deep-synthesis-provisions"
      ],
      "domains": [
        "minors-protection",
        "personal-information"
      ],
      "featured": false,
      "full_text_available": true,
      "summary": "A short but operationally important CAC-led rule that, for the first time, defines and catalogues a middle tier of online content: material that falls short of outright illegal content but may still harm minors' physical or mental health. It sorts this content into four classes — inducements to imitate unsafe or antisocial behavior, content harmful to values, improper use of a minor's image, and improper disclosure or use of a minor's personal information — and requires platforms to label it prominently and keep it out of high-traffic slots like homepages, push notifications, and trending lists when the audience includes minors. For overseas counsel, Article 6's personal-information category is the one to watch: it reaches conduct such as showing an under-14's schooling or daily life in enough detail to expose identifying information without guardian consent, or content that induces minors to disclose their own or others' personal information, layering content-moderation duties on top of existing PIPL and minors-protection consent obligations."
    },
    {
      "slug": "banking-insurance-cybersecurity-measures-draft",
      "title_en": "Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation)",
      "title_zh": "银行业保险业网络安全管理办法（征求意见稿）",
      "abbreviation": "Banking & Insurance Cybersecurity Measures (Draft)",
      "hierarchy": "draft",
      "issuing_body": "National Financial Regulatory Administration",
      "status": "draft",
      "url": "https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft/",
      "markdown_url": "https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft.md",
      "source_url": "https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951",
      "related_laws": [
        "csl",
        "dsl",
        "pipl",
        "cii-protection-regulations",
        "financial-sector-cybersecurity-management-measures-draft",
        "nfra-banking-insurance-data-security-measures"
      ],
      "domains": [
        "finance",
        "data-security",
        "critical-information-infrastructure"
      ],
      "featured": false,
      "full_text_available": false,
      "summary": "A July 10, 2026 public-consultation draft in which the National Financial Regulatory Administration (NFRA) would consolidate cybersecurity supervision of banking financial institutions, insurance financial institutions, and financial holding companies into a single 72-article sectoral rulebook under the CSL, DSL, PIPL, and CII Regulations, expressly interlocking with the cross-sector financial-industry cybersecurity measures released for comment on July 3. The draft fixes board and Party-committee primary responsibility with the institution's principal officer as first person responsible; requires an independent cybersecurity risk-management function, network security domains with minimum-necessary cross-domain access, a six-month log-retention floor, closed-loop vulnerability management with industry-impact reporting, pre-launch security testing for MLPS Level 3-and-above and internet-facing systems, supply-chain product inventories, and annual penetration testing plus a triennial cybersecurity audit. A four-tier incident scale keyed to data compromise and outage duration drives reporting clocks: two hours to the NFRA for Level 3 and above, with two-hourly progress reports for Level 1 incidents. A dedicated CII chapter requires domestic operation and maintenance, disaster-recovery centers capable of fully taking over production, MLPS grading no lower than Level 3, cybersecurity review of procurement that may affect national security, annual procurement-list filing, a 24/7 security operations center, in-house mastery of key technologies, and a one-hour incident-reporting deadline to the NFRA and public security authorities. Comments close August 10, 2026."
    }
  ],
  "accounts": [
    {
      "slug": "beijing-internet-court",
      "name_zh": "北京互联网法院",
      "name_en": "Beijing Internet Court",
      "name_pinyin": "Beijing Hulianwang Fayuan",
      "type": "official",
      "affiliation": "Beijing Internet Court (北京互联网法院) — one of China's three Internet Courts (with Hangzhou and Guangzhou)",
      "priority": 1,
      "short_description": "Official WeChat channel of the Beijing Internet Court (北京互联网法院), the specialised court established in 2018 to hear internet-related civil and administrative disputes arising in Beijing — online contract and IP disputes, personality-rights and personal-information claims, data and platform-competition cases, and algorithm-related matters. Its 'e案e审' column publishes selected first-instance and effective judgments with the presiding judge's reasoning (法官说法) and outside-expert commentary."
    },
    {
      "slug": "compliance-talker",
      "name_zh": "合规小叨客",
      "name_en": "Compliance Talker",
      "name_pinyin": "Hegui Xiaodaoke",
      "type": "kol",
      "wechat_id": "AllAboutCompliance",
      "priority": 2,
      "short_description": "A private compliance media account branding itself as 'China's most professional compliance public account.' Covers data compliance, anti-bribery, export controls, and other compliance verticals from a Chinese-practitioner perspective."
    },
    {
      "slug": "data-he-gui",
      "name_zh": "数据何规",
      "name_en": "What Rules for Data",
      "name_pinyin": "Shuju Hegui",
      "type": "research",
      "wechat_id": "PIPL2021",
      "priority": 1,
      "short_description": "A high-volume daily aggregator and curator of Chinese privacy and AI-regulatory news (账号定位 '每日多次更新隐私、AI监管动态'). Reposts substantive practitioner pieces from law firms, scholars, and official channels with editor notes flagging the most operationally relevant items."
    },
    {
      "slug": "datawalker-x",
      "name_zh": "数据行者X",
      "name_en": "DataWalker X",
      "name_pinyin": "Shuju Xingzhe X",
      "type": "kol",
      "affiliation": "Independent data-industry practitioner channel",
      "priority": 3,
      "short_description": "A personal WeChat channel run by an independent data-industry practitioner ('行者X', self-described as 'an atypical data labourer'). It reposts and lightly annotates public-data, data-element-market, and data-asset policy material — full regulatory texts, research reports, and industry news — organised into standing albums (policy & regulation, standards, public data, data assets, data elements)."
    },
    {
      "slug": "dejyfz",
      "name_zh": "数字经济与法治",
      "name_en": "Digital Economy and Rule of Law",
      "name_pinyin": "Shuzi Jingji yu Fazhi",
      "type": "academic",
      "wechat_id": "DLTRL2019",
      "priority": 1,
      "short_description": "An academic-tier WeChat channel reposting peer-reviewed law-journal articles on Chinese digital economy and data law. The 学术｜ (Academic) column carries pieces from《法学家》《政治与法律》《政法论坛》《财经法学》and other top-tier Chinese legal journals, authored by law-school faculty at PKU, Tsinghua, Renmin University, China University of Political Science and Law, CASS, and other leading institutions."
    },
    {
      "slug": "junhe-legal-review",
      "name_zh": "君合法律评论",
      "name_en": "JunHe Legal Review",
      "name_pinyin": "Junhe Falü Pinglun",
      "type": "law-firm",
      "affiliation": "君合律师事务所 (JunHe LLP)",
      "wechat_id": "JUNHE_LegalUpdates",
      "priority": 2,
      "short_description": "The client-alert channel of JunHe LLP, one of China's oldest and largest full-service law firms. Publishes practitioner analyses of new legislation and enforcement across practice areas; DCC tracks its data, cybersecurity, and technology-regulation commentary."
    },
    {
      "slug": "keji-leviathan",
      "name_zh": "科技利维坦",
      "name_en": "Tech Leviathan",
      "name_pinyin": "Keji Liweitan",
      "type": "kol",
      "affiliation": "Personal channel of Li Wenlong (李汶龙), an AI-governance scholar",
      "wechat_id": "techleviathan",
      "priority": 1,
      "short_description": "The personal WeChat channel of Li Wenlong (李汶龙), a China-trained, UK-based AI-governance scholar. The 2026 relaunch frames the channel around a self-imposed '100 AI-Governance Papers Challenge' (百篇 AI 治理论文挑战) — each post walks through one carefully chosen frontier paper from venues like FAccT, weaving in EU/US regulatory developments and, where relevant, the Chinese regulatory analogue (TC260 standards, the GenAI Interim Measures, the AI Anthropomorphic Interaction Measures, etc.)."
    },
    {
      "slug": "li-yang-ip",
      "name_zh": "李扬",
      "name_en": "Li Yang",
      "name_pinyin": "Li Yang",
      "type": "academic",
      "affiliation": "China University of Political Science and Law (CUPL) — School of Civil, Commercial and Economic Law; Vice President, China Intellectual Property Law Society",
      "priority": 2,
      "short_description": "Li Yang is a professor at the China University of Political Science and Law (中国政法大学) School of Civil, Commercial and Economic Law, and a vice president of the China Intellectual Property Law Society. His work centres on intellectual-property and competition law; he is the author of Research on Legal Protection of Databases (《数据库法律保护研究》) and has written extensively on the boundaries of enterprise data. He publishes his data-rights commentary through his personal '李扬知产' (Li Yang IP) WeChat account."
    },
    {
      "slug": "miit-weibao",
      "name_zh": "工信微报",
      "name_en": "MIIT Micro-Bulletin",
      "name_pinyin": "Gongxin Weibao",
      "type": "official",
      "affiliation": "Ministry of Industry and Information Technology (MIIT)",
      "wechat_id": "zhongguogongxin",
      "priority": 1,
      "short_description": "Official WeChat channel of the Ministry of Industry and Information Technology (MIIT, 工业和信息化部) — the central regulator for telecom, internet, and mobile-app personal-information protection. Carries the agency's batched public-naming enforcement notices (APP / SDK 侵害用户权益通报), regulatory announcements, and policy briefings issued by MIIT's Information & Communications Administration Bureau (信息通信管理局)."
    },
    {
      "slug": "ndb",
      "name_zh": "国家数据局",
      "name_en": "National Data Administration",
      "name_pinyin": "Guojia Shuju Ju",
      "type": "official",
      "affiliation": "State Council (administered by NDRC)",
      "wechat_id": "guojiashujuju",
      "priority": 1,
      "short_description": "Official WeChat channel of the National Data Administration (NDA, 国家数据局) — the State Council body established October 2023 to oversee China's data infrastructure planning, data-element market construction, and data-resource integration. Posts include policy interpretations of the Data 20 Articles, rulemaking notices, and the agency's own commentary on data-property-rights design."
    },
    {
      "slug": "qinglan-data",
      "name_zh": "青兰数据观察",
      "name_en": "Qinglan Data Observation",
      "name_pinyin": "Qinglan Shuju Guancha",
      "type": "kol",
      "wechat_id": "Wang-Qinglan",
      "priority": 2,
      "short_description": "A single-author observation column on Chinese data compliance and the data-element market — practical, plain-language commentary on legal practice, regulatory developments, and data-element market structure from a data-exchange compliance lead."
    },
    {
      "slug": "renmin-tribune",
      "name_zh": "人民论坛",
      "name_en": "People's Tribune",
      "name_pinyin": "Renmin Luntan",
      "type": "academic",
      "affiliation": "People's Daily Publishing Group",
      "priority": 2,
      "short_description": "State-affiliated theoretical and policy journal under the People's Daily Publishing Group. Publishes academic and policy commentary by scholars on governance, law, and economic-system topics, including a sustained 'Frontier' (前沿) column on emerging legal and policy questions. Print and web editions."
    },
    {
      "slug": "sansuo-data-security",
      "name_zh": "三所数据安全",
      "name_en": "TRIMPS Data Security",
      "name_pinyin": "Sansuo Shuju Anquan",
      "type": "official-research",
      "affiliation": "The Third Research Institute of the Ministry of Public Security (公安部第三研究所)",
      "priority": 1,
      "short_description": "The data-security technical channel of the Third Research Institute of the Ministry of Public Security (公安部第三研究所 / TRIMPS) — the Shanghai-based MPS institute that anchors China's cybersecurity classified-protection (等保) regime, the national eID / CTID network-identity platform, and a large share of the country's data-security technical standards work. The 数安观察 (Data Security Observation) column carries technical-legal analysis from the institute's Data Security Technology R&D Center."
    },
    {
      "slug": "shanghai-comms-admin",
      "name_zh": "上海通信圈",
      "name_en": "Shanghai Comms Circle (Shanghai Communications Administration)",
      "name_pinyin": "Shanghai Tongxin Quan",
      "type": "official",
      "affiliation": "Shanghai Communications Administration (上海市通信管理局) — the MIIT's directly-administered local communications authority for Shanghai",
      "priority": 2,
      "short_description": "Official WeChat channel of the Shanghai Communications Administration (上海市通信管理局, SHCA) — the Ministry of Industry and Information Technology's directly-administered provincial-level communications authority for Shanghai. It carries SHCA's local enforcement output under the national app PI-protection regime: public-naming notices, rectification deadlines, and takedown notifications for apps and SDKs that infringe user rights, alongside local telecom and internet administration announcements."
    },
    {
      "slug": "shenzhen-data-exchange",
      "name_zh": "深圳数据交易所",
      "name_en": "Shenzhen Data Exchange",
      "name_pinyin": "Shenzhen Shuju Jiaoyisuo",
      "type": "industry",
      "affiliation": "Shenzhen Data Exchange (state-backed data trading venue)",
      "wechat_id": "szdex2021",
      "priority": 1,
      "short_description": "One of China's principal state-backed data trading venues, and the most active institutional voice on data-element-market compliance. Its DEXC+ (Data Exchange Compliance+) program runs a think tank, a data-exchange-compliance-officer (DEXCO) credential, and a compliance-law-firm pool (DEXCA). The DEXC+ column publishes deep practitioner analysis on data property rights, registration, and trading compliance."
    },
    {
      "slug": "shuju-fameng",
      "name_zh": "数据法盟",
      "name_en": "Data Law Alliance",
      "name_pinyin": "Shuju Fameng",
      "type": "kol",
      "priority": 2,
      "short_description": "数据法盟 是与何渊相关的数据与人工智能法评论平台，转载案例、判决与政策分析，覆盖数据安全、人工智能治理与数据要素经济。"
    },
    {
      "slug": "wangan-xunluren",
      "name_zh": "网安寻路人",
      "name_pinyin": "Wang'an Xunluren",
      "type": "kol",
      "wechat_id": "DataProtection101",
      "priority": 1
    },
    {
      "slug": "wangxin-china",
      "name_zh": "网信中国",
      "name_en": "Cyberspace China",
      "name_pinyin": "Wangxin Zhongguo",
      "type": "official",
      "affiliation": "Cyberspace Administration of China (CAC) / Office of the Central Cyberspace Affairs Commission",
      "priority": 1,
      "short_description": "Official WeChat channel of the Cyberspace Administration of China (国家互联网信息办公室) / Office of the Central Cyberspace Affairs Commission (中央网信办) — the lead regulator for personal information protection, data security, and online content. Carries the agency's enforcement notifications (通报), rulemaking announcements, draft consultations, and campaign launches, including the app personal-information testing notifications issued under the annual joint special campaigns."
    },
    {
      "slug": "xiao-daguo",
      "name_zh": "数据合规肖大国",
      "name_en": "Data Compliance Xiao Daguo",
      "name_pinyin": "Shuju Hegui Xiao Daguo",
      "type": "kol",
      "wechat_id": "sjhgxdg",
      "priority": 2,
      "short_description": "A Chinese data-compliance practitioner channel that runs '一起读' (read-along) posts: it takes a newly issued rule and walks it article by article, comparing the final text against the consultation draft and against adjacent instruments (most often the Generative AI Interim Measures), and flagging the operational questions a compliance team will actually hit. Bylines seen: author 肖莆羚令, review 江明月."
    },
    {
      "slug": "xu-ke",
      "name_zh": "许可",
      "name_en": "Xu Ke",
      "name_pinyin": "Xu Ke",
      "type": "academic",
      "affiliation": "University of International Business and Economics (UIBE) — Director, Center for Digital Economy and Legal Innovation",
      "priority": 1,
      "short_description": "Xu Ke is a professor at the University of International Business and Economics (UIBE) Law School and director of its Center for Digital Economy and Legal Innovation — one of the most influential and widely-cited data-law scholars in China. His work spans data-rights theory, the data-property-rights framework, anonymization, and the financialization of data assets. Published across the top Chinese law journals (《政法论坛》《财经法学》and others)."
    }
  ],
  "domains": [
    {
      "slug": "ai-governance",
      "name": "AI Governance",
      "name_zh": "人工智能治理",
      "description": "Rules and standards for generative AI services, deep synthesis, content labeling, and AI ethics in China.",
      "url": "https://datacompliancechina.com/domains/ai-governance/"
    },
    {
      "slug": "algorithm-recommendation",
      "name": "Algorithmic Recommendation",
      "name_zh": "算法推荐",
      "description": "Regulation of recommendation algorithms, user profiling, and the filing regime for algorithmic services.",
      "url": "https://datacompliancechina.com/domains/algorithm-recommendation/"
    },
    {
      "slug": "app-compliance",
      "name": "App Compliance",
      "name_zh": "App 合规",
      "description": "Mobile app personal-information collection rules, the necessary-information catalogue, SDK compliance, and app store removal.",
      "url": "https://datacompliancechina.com/domains/app-compliance/"
    },
    {
      "slug": "critical-information-infrastructure",
      "name": "Critical Information Infrastructure",
      "name_zh": "关键信息基础设施",
      "description": "Identification and protection obligations for CII operators (CIIO) under CSL and the CII Protection Regulations.",
      "url": "https://datacompliancechina.com/domains/critical-information-infrastructure/"
    },
    {
      "slug": "cross-border",
      "name": "Cross-Border Data",
      "name_zh": "数据跨境",
      "description": "Rules governing the transfer of personal information and important data outside mainland China — including the security assessment, standard contract, and certification pathways.",
      "url": "https://datacompliancechina.com/domains/cross-border/"
    },
    {
      "slug": "cybersecurity-review",
      "name": "Cybersecurity Review",
      "name_zh": "网络安全审查",
      "description": "The cybersecurity review regime for critical information infrastructure operators and large data processors — including overseas listings.",
      "url": "https://datacompliancechina.com/domains/cybersecurity-review/"
    },
    {
      "slug": "data-economy",
      "name": "Data Economy",
      "name_zh": "数据要素与数据产权",
      "description": "China's emerging regulatory framework for treating data as an economic factor of production — public-data resources, data-property rights, data-asset registration, and the rules governing how data can be authorized for operation, traded, and circulated. Distinct from data security and personal-information protection, this domain tracks the rules that turn data into a tradeable asset.",
      "url": "https://datacompliancechina.com/domains/data-economy/"
    },
    {
      "slug": "data-security",
      "name": "Data Security",
      "name_zh": "数据安全",
      "description": "Data classification and grading, important data, core data, and the broader data security regime under DSL.",
      "url": "https://datacompliancechina.com/domains/data-security/"
    },
    {
      "slug": "energy-resources",
      "name": "Energy, Aviation & Resources",
      "name_zh": "能源·航空·自然资源",
      "description": "The sector-specific data regimes for energy, civil aviation, and natural resources — the National Energy Administration's energy-industry data-security measures, the Ministry of Natural Resources' data-security measures, and the CAAC's civil-aviation data-security monitoring requirements — built on the Data Security Law.",
      "url": "https://datacompliancechina.com/domains/energy-resources/"
    },
    {
      "slug": "enforcement",
      "name": "Enforcement",
      "name_zh": "执法与处罚",
      "description": "Public enforcement actions by Chinese data regulators — MIIT's batched APP / SDK public-naming bulletins, CAC administrative penalties, MPS criminal-tier enforcement, regulatory interviews (约谈), app-store removals, and other published actions. DCC tracks these as the operational edge of the regime: they show what the regulator actually polices, in what cadence, against what targets, citing which legal bases.",
      "url": "https://datacompliancechina.com/domains/enforcement/"
    },
    {
      "slug": "finance",
      "name": "Financial Data",
      "name_zh": "金融数据",
      "description": "The financial-sector data regime — the People's Bank of China's data-security measures for the banking and payments system, and the National Financial Regulatory Administration's data-security rules for banking and insurance institutions — stacked on top of the Data Security Law and PIPL.",
      "url": "https://datacompliancechina.com/domains/finance/"
    },
    {
      "slug": "health",
      "name": "Health & Medical Data",
      "name_zh": "医疗健康数据",
      "description": "China's health- and medical-sector data regime — the sector-specific overlay on PIPL, the Data Security Law, and the Network Data Security Regulation governing how healthcare institutions, life-sciences companies, and digital-health providers handle patient and population data.",
      "url": "https://datacompliancechina.com/domains/health/"
    },
    {
      "slug": "industrial",
      "name": "Industrial Internet & IoV",
      "name_zh": "工业互联网与车联网",
      "description": "The sector-specific data regime for industry and connected vehicles — MIIT's industrial-data classification, risk-assessment, and incident-response rules, the automotive data-security and data-export regime, internet data centers, and live-streaming commerce — layered on top of the Data Security Law and PIPL.",
      "url": "https://datacompliancechina.com/domains/industrial/"
    },
    {
      "slug": "minors-protection",
      "name": "Minors Protection",
      "name_zh": "未成年人保护",
      "description": "Personal information of children and minors, gaming time limits, age-verification requirements, and the Minors Online Protection Regulations.",
      "url": "https://datacompliancechina.com/domains/minors-protection/"
    },
    {
      "slug": "personal-information",
      "name": "Personal Information",
      "name_zh": "个人信息保护",
      "description": "Core personal-information protection regime under PIPL — consent, lawful bases, sensitive personal information, and the rights of individuals.",
      "url": "https://datacompliancechina.com/domains/personal-information/"
    }
  ],
  "glossary_sections": [
    {
      "index": 1,
      "slug": "data-types",
      "title_en": "Data Types",
      "title_zh": "数据类型",
      "term_count": 27
    },
    {
      "index": 2,
      "slug": "data-processing-and-compliance-management",
      "title_en": "Data Processing & Compliance Management",
      "title_zh": "数据处理与合规管理",
      "term_count": 77
    },
    {
      "index": 3,
      "slug": "cross-border-data-flow",
      "title_en": "Cross-Border Data Flow",
      "title_zh": "数据出境",
      "term_count": 29
    },
    {
      "index": 4,
      "slug": "data-property-rights-and-trading",
      "title_en": "Data Property Rights & Trading",
      "title_zh": "数据产权与交易",
      "term_count": 55
    },
    {
      "index": 5,
      "slug": "key-laws-and-regulations",
      "title_en": "Key Laws & Regulations",
      "title_zh": "法律法规",
      "term_count": 40
    },
    {
      "index": 6,
      "slug": "regulators-and-authorities",
      "title_en": "Regulators & Authorities",
      "title_zh": "监管机构",
      "term_count": 32
    },
    {
      "index": 7,
      "slug": "cybersecurity-and-critical-information-infrastructure",
      "title_en": "Cybersecurity & Critical Information Infrastructure",
      "title_zh": null,
      "term_count": 23
    },
    {
      "index": 8,
      "slug": "ai-and-algorithms",
      "title_en": "AI & Algorithms",
      "title_zh": null,
      "term_count": 33
    },
    {
      "index": 9,
      "slug": "enforcement-procedure-and-liability",
      "title_en": "Enforcement, Procedure & Liability",
      "title_zh": "执法、程序与责任",
      "term_count": 31
    },
    {
      "index": 10,
      "slug": "document-types-and-regulatory-format",
      "title_en": "Document Types & Regulatory Format",
      "title_zh": "文件类型与立法体例",
      "term_count": 23
    },
    {
      "index": 11,
      "slug": "data-economy-industry-and-infrastructure",
      "title_en": "Data Economy, Industry & Infrastructure",
      "title_zh": "数据经济、产业与基础设施",
      "term_count": 22
    },
    {
      "index": 12,
      "slug": "privacy-enhancing-and-data-engineering-technologies",
      "title_en": "Privacy-Enhancing & Data Engineering Technologies",
      "title_zh": "隐私计算与数据工程技术",
      "term_count": 17
    }
  ]
}