Shanghai and Shenzhen, the two economic hubs of China, implemented their respective “Data Regulations” on the same day, January 1, 2022. These pieces of municipal-level legislation attempt to balance the interests of stakeholders in the utilization of public data, data sharing, and privacy protection. The local governments apparently plan to use these regulations to stay ahead of other Chinese cities in data-related industries.
In China, local governments’ attitudes to data vary from city to city. In addition to adjusting business activities pursuant to the laws and regulations issued by the central government, companies should seek advice on municipal-level regulations in order to build a clear and accurate picture of data governance in China. Economic hubs like Shanghai and Shenzhen have led the reform of the Chinese regime for a few decades, so forward-looking businesses are advised to monitor their practices closely.
The following is a brief overview of the two cities’ data regulations.
“Property Interests” in Data & Permission of Data Transaction
The Shanghai Regulations recognize that companies have certain “property interests” in the datasets they acquire and generate during their business operations. Companies also have property interests in the datasets they collect after cleansing and filtering the raw personal data. Because Chinese local authorities are not entitled to add statutory property rights, the Shanghai Regulations use the phrase “protect statutory or contractual property rights and interests” to deliberately maintain the ambiguity. However, it is obvious that the Shanghai Regulations encourage the transfer of de-identified and anonymized data.
The Shenzhen Regulations also state that the local authorities will protect the property interests as provided by law.
The Shanghai Regulations clearly state that they encourage data transactions and support the development of data transaction service agencies. The Shenzhen Regulations also stipulate that the products or services formed by companies’ legitimate data processing can be traded, excluding unauthorized personal data and public data not opened by law.
Data Exchange Agencies
Both Shanghai and Shenzhen encourage the establishment of data transaction service agencies, i.e., the institution of a “Data Exchange”. In fact, the government-backed Shanghai Data Exchange officially started business on November 25, 2021. In addition to providing venues and facilities for data trading, the Shanghai Data Exchange will also organize and supervise data transactions. We noted that the Shenzhen government is also actively promoting the establishment of a Data Exchange institute, which will be announced in the near future.
Facilitating Cross-border Data Transfer
Chinese national-level laws are generally open to cross-border data transfers, but it is unclear what data can be transferred outside of China. The ambiguity leaves law enforcement agencies with the possibility of selective enforcement and creates uncertainty for business operators.
To address this issue, the Shanghai Regulations proposed a “low-risk cross-border data catalog” to inform companies what datasets are allowed to be exported. Once it is published, the catalog may help businesses in designing their data processing solutions. Unfortunately, the Shenzhen Regulations do not have specific provisions for cross-border data transfers.
Sharing and Utilization of Public Data
Both regulations provide at great length for the sharing and utilization of public (government) data. For example, the regulations confirm that, as a principle, data controlled by government agencies should be shared among those agencies. In addition, the Shanghai Regulations specifically provide penalties for government departments and their personnel who neglect to compile a public data catalog (to facilitate the sharing of data).
Companies that offer data processing services to government agencies should hire data lawyers to analyze the local data regulations and monitor their implementation so that they can tailor their business and compliance strategies.
Protection of Personal Information
The Shenzhen Regulations contain a few provisions detailing the obligations of data controllers in the course of collecting, processing, and using personal information. These obligations are generally consistent with the provisions of China’s Personal Information Protection Law, but are more detailed for certain specific data processing practices. For example, except for the listed exceptions, companies are required to de-identify the personal data they have collected before sharing it. Also, data controllers should store the de-identified data separately from the original data. Moreover, the Shenzhen Regulations provide further requirements on information security issues.
The Shanghai Regulations also have numerous provisions for personal information protection. These provisions address issues like surveillance systems in public areas, automated decision-making systems, and biometric information.
* * * * *
Author: Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP).