Read by theme, not by date.
84 briefings, organized into reading tracks that follow the structure of the regime. Each brief can sit in more than one track — that's how the topics actually connect.
New to the Chinese data regime? Begin with the Overview — a five-minute visual intro to the foundation laws, the regulators, and the Subject × Object framework. Then pick a track below. To see how everything connects, open the knowledge graph.
Data rights & the data-element market .
41 BRIEFSThe Data 20 Articles world: structural separation of data property rights (hold / use / operate), the data-source's right, data brokery, data trading and registration, and data-as-asset. Start here if you're trying to understand how China is building a market for data.
- China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff ★
- Li Yang: Why 'Data Rights-Confirmation' Is a Category Error — Dynamic Data Can't Be a Registration Object, and AUCL Article 13 Is the Better Path ★
- How the Beijing Internet Court Found a Platform 'Lawfully Held' Its Data Under the New AUCL Article 13 — and Where It Meets the 'Right to Hold Data' ★
- Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control ★
- Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty ★
- When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control ★
- China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline ★
- What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not ★
- Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little ★
- Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected ★
- Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime ★
- Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework' ★
- Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights ★
- NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself ★
- Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative ★
- Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category ★
- Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet ★
- What Is Data, Really? — A Plain-Language Primer on Rules and Compliance ★
- Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation ★
- What Does Data Registration Actually Confirm? — A Doctrinal Reading ★
- On-Exchange vs. Off-Exchange Data Trading — A Uniquely Chinese Market Structure ★
- What Is Actually Traded on China's Data Exchanges — A Bakery Metaphor ★
- Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures. ★
- The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide
- China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance
- Guangdong Prices the Public-Data Operator Like a Utility: Inside the Province's Authorized-Operation Price-Management Measures
- From Collateral to Cash Flow: The 'Secondary Licensing' Model That Would Make Data-Asset ABS Real
- Data Pledge Financing in China: What Is Actually Being Pledged, and Where the Law Gets Stuck
- The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework
- When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets
- Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical
- Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights
- Public Data Under Franchise and Concession Operations: Who Owns It and Can It Be Traded?
- Inside the Reviewer's Mind — A Compliance Guide to Data Property-Rights Registration at Shenzhen Data Exchange
- Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack
- Inside the Gate: How Enterprises Can Compliantly Process, Operate, and Trade Public Data Under China's Authorized-Operation Model
- Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange
- The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products
- Derivative Data Products and Public Data Opening — Legal Challenges and Compliance Points
- From Copyright to Data Property: The Three-Layer Compliance Test for Registering Employee-Created Data in China
- Reverse Interoperability: Li Wenlong's Frame for the Doubao On-Device Agent Fight
Personal information .
43 BRIEFSPIPL and the personal-information regime: lawful bases, the PIPO role, the criminal threshold, anonymization (the gateway out of PIPL scope), and the harder edge cases — platform gig workers, GenAI causation.
- China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff ★
- China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed ★
- Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers' ★
- How the Beijing Internet Court Found a Platform 'Lawfully Held' Its Data Under the New AUCL Article 13 — and Where It Meets the 'Right to Hold Data' ★
- Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases ★
- CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation ★
- Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty ★
- When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control ★
- What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not ★
- China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures ★
- Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short) ★
- Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime ★
- From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative ★
- Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy ★
- Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework' ★
- Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights ★
- Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine ★
- Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规 ★
- Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework ★
- Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI ★
- MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse ★
- When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold ★
- When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework ★
- China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed ★
- PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer ★
- Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers ★
- Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures. ★
- The School Is Not a Bystander: Three Model Cases on Schools' Duties in Minors' Online Protection
- Ten Questions Before July 15: A Compliance Q&A on China's AI Anthropomorphic Interaction Measures
- MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures
- When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20
- First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing
- From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window
- From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard
- The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework
- When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets
- Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It
- Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical
- Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice
- The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products
- Where China's Draft AI Anthropomorphic-Interaction Measures Need Work — A Scholar's Reform Map
- AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click
- Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes
AI governance .
18 BRIEFSThe fast-moving AI layer: the Agent Rules and their risk/governance frameworks, algorithmic recommendation and its filing regime, open-source training-data compliance, and liability when GenAI causation is unclear.
- China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed ★
- China's First AI-Ghostwritten 'Seeding Post' Case — a Duty of Care for Generative-AI Providers ★
- China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One ★
- Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short) ★
- Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy ★
- Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规 ★
- Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework ★
- Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI ★
- Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export ★
- Cold Water on 'Token Trading' — Wang Qinglan on the NDA's High-Quality Data Set Initiative ★
- When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework ★
- Doubao, Qwen, and NetEase Pull AI Companions Ahead of July 15 — Is Delisting to 'Stay Safe' the Right Move?
- Ten Questions Before July 15: A Compliance Q&A on China's AI Anthropomorphic Interaction Measures
- TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations
- From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard
- Where China's Draft AI Anthropomorphic-Interaction Measures Need Work — A Scholar's Reform Map
- AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click
- Reverse Interoperability: Li Wenlong's Frame for the Doubao On-Device Agent Fight
Data security & classification .
34 BRIEFSThe DSL spine: data classification and grading, the important-data tier and how to identify it, anonymization as a security process, and the technical-standards layer.
- China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff ★
- Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers' ★
- Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control ★
- Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty ★
- When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control ★
- Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little ★
- China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures ★
- Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected ★
- Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime ★
- From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative ★
- Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy ★
- Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework' ★
- Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine ★
- Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规 ★
- Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework ★
- Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI ★
- NDA Explains the Three-Rights Framework — A Plain-Language Walk-Through from the Regulator Itself ★
- 'Important Data' Is a Category, Not a Tier ★
- China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed ★
- How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan ★
- What Is Data, Really? — A Plain-Language Primer on Rules and Compliance ★
- Data Governance vs. Data Management vs. Data Compliance — A Plain-Language Disambiguation ★
- FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data ★
- One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era
- NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter
- TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations
- From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law
- Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules
- The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework
- Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical
- Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights
- Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack
- Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange
- Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice
Cross-border data .
13 BRIEFSGetting data across the border: the assessment / SCC / certification paths, FTZ negative lists, the important-data choke point, cross-border discovery, and the trusted-data-space experiments.
- Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases ★
- China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures ★
- From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative ★
- 'Important Data' Is a Category, Not a Tier ★
- Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export ★
- Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense ★
- Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet ★
- How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan ★
- FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data ★
- One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era
- The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide
- First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing
- From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard
Enforcement .
22 BRIEFSWhat the regulators actually police: MIIT's batched app naming, SAMR's platform penalties, the criminal tier. See the live chronicle on the Enforcement tracker.
- Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases ★
- CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation ★
- China's First AI-Ghostwritten 'Seeding Post' Case — a Duty of Care for Generative-AI Providers ★
- China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline ★
- China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One ★
- Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine ★
- MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse ★
- When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold ★
- When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework ★
- Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense ★
- Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category ★
- PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer ★
- Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers ★
- What Does Data Registration Actually Confirm? — A Doctrinal Reading ★
- Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures. ★
- The School Is Not a Bystander: Three Model Cases on Schools' Duties in Minors' Online Protection
- Doubao, Qwen, and NetEase Pull AI Companions Ahead of July 15 — Is Delisting to 'Stay Safe' the Right Move?
- China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance
- MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures
- When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20
- From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window
- From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law