Every brief.
The full run, most recent first.
- § 07 · E-COMMERCE-LAW
China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance
On July 4, 2026, the State Administration for Market Regulation and the Ministry of Commerce released the Draft Amendment to the E-Commerce Law for public comment, with comments due August 4, 2026. The draft has 20 articles and, according to the official notice and Xinhua Q&A, moves in five directions: expanding the law's adjustment scope beyond platforms and in-platform operators to other platform-economy participants; strengthening the platform responsibility system with richer, more graduated regulatory tools; building an integrated supervision mechanism for cross-sector platform operations, including consistent online/offline business supervision and stronger department and central-local coordination; targeting prominent illegal conduct in e-commerce; and deepening open cooperation by aligning rules, regulation, management and standards with international practice, supporting industry self-discipline and orderly outbound expansion, and adding countermeasure tools to protect Chinese enterprises. DCC reads the amendment as an attempt to reposition the E-Commerce Law from a transaction/platform statute into a platform-economy governance statute, with operational implications for platform rulemaking, merchant and worker protection, consumer governance, data/network security clauses, competition compliance, and outbound platform expansion.
- § 08 · DATA-PROPERTY-RIGHTS
China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff
On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution.
- § 09 · AI-GOVERNANCE
China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed
China's Interim Measures for AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理暂行办法) — the world's first dedicated rule on 'companion'-style AI — take effect on 15 July 2026. This DCC brief synthesises three Chinese-language readings published in the days before the effective date: 数据合规肖大国's article-by-article practitioner walkthrough, 网安寻路人 (Hong Yanqing)'s multi-part work on how to scope anthropomorphic interaction (including his 'Sentiment Interaction Event / SIE' indicator system), and AI前沿信息笔记's read of the business-model logic the rule is really aimed at. Three throughlines: (1) what changed between the consultation draft and the final text — real fines were added, a 'continuity (持续性)' qualifier now narrows scope, the emergency-contact duty was widened beyond vulnerable groups, and the mandatory 'human takeover' of at-risk conversations was dropped; (2) the scope question the rule leaves under-specified — which services are 'continuous emotional interaction' at all — and the SIE-style indicator approach practitioners are reaching for to answer it; and (3) the paradigm shift the rule marks, from *content-safety* governance (AI as tool) to *relationship* governance (AI as social role), which finally gives regulators a handle on attention-economy and emotional-dependency business models. For overseas counsel shipping companion, emotional-AI or character-AI products into China: this is the operational checklist and the open-question list, two weeks out.
- § 10 · ENFORCEMENT
MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures
On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.
- § 11 · AI-AGENTS
TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations
On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.
- § 12 · PIPL
When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20
A consumer bought insurance through a broker, on a platform company's website, from an insurer — and later found her full policy, personal details included, retrievable by searching her own phone number. The Shanghai judgment behind case (2024)沪01民终410号 had to decide which of the three companies were 'joint handlers' of her personal information under PIPL Article 20, and therefore jointly and severally liable. Writing on 数据何规, Lu Ying and Zhang Bingbin work through the allocation: the platform operating the website was the direct handler; the broker that steered the purchase through a site it presented as its own was a joint handler; the insurer — with an independent, contract-related purpose and no role in downstream processing decisions — was not. The article distills three identification factors (common purpose and conduct; pre-agreed division of roles as joint determination; the appearance presented to the user), separates joint processing from sharing and entrusted processing, and argues that PIPL Article 20(2) is an independent claim basis: a victim can sue all joint handlers for joint and several damages directly. For any broker/platform/underwriter or comparable multi-party data chain, this is the operative test.