Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ BRIEFINGS · PAGE 06

Every brief.

The full run, most recent first.

  • § 31 · AI-GOVERNANCE

    China's First 'AI Hallucination' Tort Judgment — GenAI Is a Service, Not a Product, and the Chatbot's '¥100,000 Promise' Binds No One

    The Hangzhou Internet Court has decided China's first 'AI hallucination' (AI幻觉) tort case — written into the Supreme People's Court's 2026 work report to the NPC. A user asking a chatbot about college applications was told, across seven rounds, that a non-existent campus existed; when finally shown the official website, the model 'apologised' and 'promised' to pay ¥100,000, even generating a fake lawsuit template telling him to sue. He did. The court dismissed every claim and, in doing so, laid down the first judicial articulation of China's generative-AI liability framework: (1) an AI model is not a civil subject, so its 'promise' is no declaration of intent — and is not attributable to the provider either; (2) generative AI is a service, not a product, so fault liability under Civil Code Article 1165 applies, not product liability's no-fault rule under Article 1202; (3) there is no result-based duty to guarantee accuracy for ordinary inaccurate output — only a process duty of care (conspicuous AI-content labelling plus industry-standard accuracy measures), which the provider had discharged; and (4) no proven damage, no causation. For any company deploying GenAI to the Chinese public, this is the operating liability surface and the evidentiary playbook.

    ai-governance · genai · ai-hallucination
  • § 32 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification
  • § 33 · AI-GOVERNANCE

    Prompt Stacks and Prompt Governance — Why System-Level Prompts Are Emerging as a Regulatory Lever (and Where They Fall Short)

    A Chinese AI-law reading of Neumann, Sargeant and Singh's FAccT 2026 paper Prompt Governance? — and what it means for how China, the EU, and the US treat 'system prompts' as a regulatory object. Li Wenlong (科技利维坦) walks through the four-layer 'prompt stack' (system instructions → system guidelines → developer instructions → user prompts), five properties practitioners need to understand (layered, hidden, natural-language, malleable, loosely coupled to behaviour), and the comparative regulatory landscape: the EU GPAI Code of Practice requires signatories to disclose system prompts to regulators in model reports; the Trump EO 14319 / OMB M-26-04 stops at model / system / data cards and leaves system-prompt disclosure voluntary; the UK's AI Cybersecurity Code says effectively nothing. China's current GenAI safety regime (TC260-003 plus the GenAI Interim Measures) is output-evaluation-based — filing and pre-launch scoring, with no architectural hook into system prompts. Li predicts a Brussels Effect: system-prompt disclosure to regulators will become a global compliance baseline, analogous to the DPIA in data law. For overseas counsel: this is what is coming, what to start archiving now, and why 'what you write' in a system prompt is not 'what the model executes.'

    ai-governance · system-prompts · prompt-stack
  • § 34 · DATA-PLEDGE-FINANCING

    Data Pledge Financing in China: What Is Actually Being Pledged, and Where the Law Gets Stuck

    As Chinese banks and data exchanges experiment with data pledge financing (数据质押融资), a threshold question remains unresolved: what, legally, is being pledged? Chen Yiqian of Shenzhen Data Exchange walks through the two available routes under the Civil Code — chattel pledge (动产质权) and rights pledge (权利质权) — and the three operational problems that make chattel pledge difficult and the two doctrinal barriers that make rights pledge harder still. The analysis converges on a practical conclusion: chattel pledge via a third-party data custodian is the most workable path today, while data property rights and data intellectual-property rights both remain insufficiently legalised to support a reliable pledge. For overseas counsel advising on China data-asset financing, the gap between policy ambition and legal infrastructure is the central risk to price. Connects to the broader data property-rights registration project and the unresolved question of how data enters corporate balance sheets.

    data-pledge-financing · data-property-rights · data-as-asset
  • § 35 · CRITICAL-INFORMATION-INFRASTRUCTURE

    Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules

    China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.

    critical-information-infrastructure · important-data · data-security
  • § 36 · JUDICIAL

    Datatang v. Yinmu — China's First Ruling on a Data-IP Registration Certificate, and Why Open-Sourced Data Is Still Protected

    A consolidated case study of 数据堂诉隐木科技 (Datatang v. Yinmu) — the Beijing IP Court's June 2024 appeal ruling, widely called China's first case on the evidentiary effect of a data-IP registration certificate. The dispute: Datatang built voice datasets for AI training, open-sourced some under a license; Yinmu took and redistributed them in the same data-services market. DCC synthesizes four commentaries (the case report, a Tsinghua analysis, and two Shenzhen Data Exchange DEXC+ deep-dives) into the four holdings that matter for overseas counsel: (1) a data-IP registration certificate is prima facie evidence of property-type interests and lawful sourcing — but not an absolute property right (property-rights-statutism); (2) open-sourced data, though neither trade secret nor copyrightable compilation, is protectable under the Anti-Unfair Competition Law's general clause; (3) the protection hierarchy (compilation work → trade secret → AUCL Art. 2); and (4) whether the taker honored the open-source license is the hinge for 'improper conduct.'

    judicial · data-property-rights · data-registration
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →