China considers data to be a valuable strategic national resource and has made it a centerpiece of his digital economy policy. In 2020, the government’s economists recognized data as a distinct factor of production which needs to be transacted in a more vibrant market. The country’s economic planners believe that while data alone cannot generate value, it can be allocated by the market and traded to transform potential value into realized value.
Data sales enable transferring data from companies that produce a large quantity of data, to companies that can utilize the data to create value, and China is growing this market by progressively implementing a regulatory regime to govern these transactions. In this article, we will provide an overview of what these marketplaces are doing and how data sales are regulated in China.
Contents
Data Sales, Open Data, and Data Sharing
Policy and Regulatory Foundations
Data Marketplace Organizations in China Today
Bad Law Makes China’s Data Marketplaces a Bad Choice
China’s Law on Data Sales
China laws define data sales as transactions of data products between a buyer and seller for cash or liquid assets. A data product is defined as a product comprised of data elements that are treated as property.
Data products are categorized as raw data or derivative data products, which are defined narrowly as data that has been processed and transformed. Common examples of the latter are data sets and data APIs but can include other categories such as AI machine learning models, data visualization, analytics, and industry reports.
Regulations classify data sales as occurring in on-exchange transactions or over-the-counter transactions. An on-exchange transaction occurs at a data brokerage or marketplace; an over-the-counter transaction is a sale by a business or individual that occurs outside the marketplace. Over-the-counter transactions comprise 95% of all transactions in the China market.
Data Sales, Open Data, and Data Sharing
Here, we turn from our discussion of data sale to discuss the related topics of open data and data sharing, and how these are treated under the law so you can understand the differences between these three concepts.
The legal meaning of open data is not clearly defined. The China Data Security Act § 42 states that “the government will make a public data list and set up a single, standardized, interoperable, and secure online portal and will be an advocate for governmental public data.” This emphasizes how open data is about governmental data specifically.
Several Chinese provinces have data laws and open data administrative regulations covering government and the public sector. For example, the Shandong Open Public Data Procedures § 2 state that “public data covered by these Procedures includes any data collected or produced by local government agencies or other authorized government agencies, or public institution in the course of providing public goods or services. Open data as used here refers to providing original machine-readable data sets for the public benefit in a manner openly available.
The national standards GB/T 38664.1-2020 and GB/T 38664.2-2020 set forth additional fundamental open data administrative principles.
The several China data statutes all refer to “providing” and not “sharing” data, but the data protection industry standard GB/T 35273-2020, treats them as essentially the same thing, and specifically it is where one party uses data provided by another for its operations and may involve several types of activities. Shared data will typically involve the classifications of government data, personal information, or non-personal information.
A business must determine whether an which Chinese law applies based on the categories of data sales, open data, or data sharing before it develops, shares, or sells data. Data sales involve monetary payment and require a contract covering ownership, purpose, security measures, and an audit trail. Open data usually involves government data that can be accessed free of charge but is subject to the requirements in the list and use restrictions.
Data sharing is usually done for business collaborations and does not require a price but nonetheless must have authorization and comply with the minimization principle. The operations team, if handling personal data must get separate consent from the person and making it possible for them to revoke consent and to exercise their right to deletion.
Financial staff must preserve auditable documentation in CHina that shows legal ownership and pricing. Products that incorporate employees, consumer, or supply chain data with sale to or processing by a third party must be under a contract that limits its use and requires the data to be graded and classified, then encrypted, and monitored to prevent unauthorized access.
Sellers and platforms must meet several compliance requirements before they can commence on-exchange transactions. Those requirements cover continuous updates, lawful sourcing, and pricing. Internal teams must set aside funds for security assessments and training ensuring compliance across the entire life cycle.
Data Sale Policy and Regulatory Foundations
The China Data Security Act of 2021 establishes a regulatory policy for data sales requiring that traceability be implemented for all data before a purchase and sale transaction or sharing. The entire course of business complies with the principles of lawful conduct, legitimate grounds for use, and minimization, with audit logs showing that the identity and data use by the transaction parties has been continuously validated.
Separate consent must be obtained following conspicuous notice covering any personal information and include a mechanism to exercise users’ right to revoke consent and delete their data. Raw data must be processed using federated analytics methods that reduce data breach risks by ensuring that the data underlying the analysis result cannot be viewed.
The required accounting treatment under China GAAP for purchased data is intangible assets or inventory valued in the amount of the contract price plus the security assessment cost. Technical staff must implement a process that grades, classifies, audits, and monitors the data. Supplier and employee contracts must implement sufficient controls to prevent unauthorized duplication, transmission or sale of the data by including clauses that impose penalties and damages for violations. When a subsidiary or business partner transfers data into another region, they must comply with all local laws, by updating their compliance documentation and undergoing an audit by the marketplace platform or regulator.
The regulatory basis for data sales is the China Data Security Act of 2021 at § 19, which provides the government is empowered to regulate and improve policies for data marketplace organizations. Any data sale intermediary services must verify the source of the data and identities of the transaction parties. They must also retain and audit transaction records.
Businesses must at the same time comply with local law. In 2016, the year following the first big data administrative regulations issuance, over 20 provinces and regions in China have adopted data laws to develop local industry within a strategic framework; they have also mandated specific standardized practices for data sale security and published business compliance management guidance. Local data law has the purpose of enabling data to be exploited and freely transacted by setting up data marketplaces operating according to a logical data transactions rule.
For example, the Shanghai Data Regulations § 56 provides, “Parties may purchase and sell data on lawfully established data marketplaces or conduct private data sales.” The regulations mandate the city government facilitate setting up data marketplace platforms and onward transfer of data on those platforms. Parties already in full compliance with the law can also make private data sales over the counter. These localities have established uniform laws legalizing private data sales, though each local government will provide its own guidance.
Data sales must also be in accord with the China National Standards on data product sales. GB/T 36343-2018 was the first China National Standard on big data sales and provides instruction on how data should be described by data sale service providers. GB/T 37728-2019 provides a framework for how a data sale service platform should operate. Other national standards include GB/T 37932-2019, GB/T 40094. 3-2021, and GB/T 40094. 4-2021.
Data Marketplace Organizations in China Today
Most on-exchange data sales in China are done at a data marketplace organization; this industry had rapid growth in two different waves which occurred after the government issued the Big Data Development Framework Policy to encourage them.
The first data marketplace organization in China was Guiyang Big Data Marketplace LLC in 2015, kicking off a wave of seven new platform launches that year, and another ten marketplace platforms launched between 2016 and 2018, but by 2019 there were none.
The government issued a new round of policies to encourage data marketplaces in 2021, leading to a boom with sixteen new launches through 2021-2022, with notable organizations being Data Marketplace LLCs named for Suzhou, Beijing, Shenzhen, Guangzhou, and Shanghai.
A whitepaper by the China CICS found there are 40 data marketplace organizations processing transactions on platforms, they are operated mostly by state owned enterprises in the economically developed areas of East or South China. Some noteworthy examples of who operates the exchanges are:
- Guiyang Big Data Marketplace: Guiyang government agency
- Guangzhou Data Marketplace LLC: Guangzhou city government
- Hunan Big Data Marketplace: state owned asset commission in Changsha
- Beijing International Big Data Marketplace: Beijing city government state owned assets management department
These data marketplace organizations have substantial registered capital, ranging between 50 million to 100 million CNY, with Shanghai Data Marketplace LLC at 800 million CNY.
The Law Makes China’s Data Marketplaces a Bad Choice
Many data marketplace organizations are being launched but there are few transactions. The latest reports say only 5% of China data sales were on-exchange transactions; the Guiyang Big Data Marketplace initially projected 1 billion RMB daily sales, but its actual volume was only 37 million CNY. For China nationwide, the data industry stood at 1.3 trillion CNY in annual activity with 150 billion CNY in annual sales with only 2.7 billion CNY as on-exchange transactions. There are a few reasons for the low volume.
Data ownership rights are hotly debated and there is an interest in supporting more data sales. Currently, most sales are of business data or non-personal data from public sources or contracted and derived from products or business operations. Governments have effectively shut the door to selling personal data, despite no explicit ban found in local law.
Impracticality of Sales. A variety of legal factors amount to a ban on personal data sales throughout China. Obtaining personal information requires separate consent with clear and conspicuous notice to the individual, but it’s not clear how that might be achieved. A personal data sale must comply with the minimization principle, but that could cause defects in data ownership rights. Finally, parties to data sale must enable users to exercise their rights to request correction, revoke consent, or ask data to be deleted, which defeats the legal assignability of personal data.
China’s “20 Points” data policy emphasizes the right to use data but not the right to own it, focusing on three types of data rights: data sourcing rights, the right to use prepared data, and data product rights. Subdividing data ownership rights in this manner is currently merely a policy goal, but eventually this framework will be codified to add legal certainty to what can be owned when data is sold.
The subdividing data ownership rights policy recognizes the right to use prepared data to generate revenue so long as it does not impair the public interest or data security or infringe on the rights of from whom the data is sourced. An online platform can create derived data products using either personal or non-personal data.
Data Pricing Challenges. Overpricing is common because China does not regulate data or have standardized prices or mandatory model contracts, and data sale involves significant contextualization. Large tech companies have market dominance over vast amounts of data and can use it to set prices.
The underutilized China Asset Appraisal Association’s Asset Appraisal Professional Guidelines No. 9: Data Asset Appraisal § 12 describes valuation approaches including basis in cost, income, and market value, but they do not apply effectively to large data sets. As a result, parties are not very interested in data marketplaces. There are also heightened litigation risks for contracts.
Lack of Trust. China’s law and practice provide inadequate guidelines on issues such as property rights, grading/classifying data, and allocating earnings. The law lacks sufficient detail to follow when buying or selling data. The value of the data could also be wiped out due to issues like theft or unlicensed copying, so it is hard to determine the quality of the data being sold.
The legal framework makes it impossible for parties to a data sale to trust each other, because a transaction implicates legal issues related to collection, storage, and sources of data that implicate many data subjects. Data providers have legitimate concerns that purchasers will create legal risks by abusing their customers’ data rights, and data purchasers are worried whether the data was sourced legally.
On-exchange transaction limitations. As noted above, the major data marketplace organizations in China restrict personal data transactions, even though personal data and its derivative products being a major part of the data market and enable activities such as consumer credit report sales. Data transactions are done in a variety of contexts which can be only accessed via OTC trading, such as digital advertising platforms, office park foot traffic analysis. On-exchange transactions can’t meet the need of most data transaction contexts.
Chinese data marketplaces make it difficult to make data products available for sale. For example, the Shanghai data marketplace has these requirements: demonstrated use cases, technical ability, supply capability, data authentication compliance, sourcing compliance, and pricing compliance. Once on the market, there must be potential buyers for the data product, thus you need to forecast sales in advance.
Sellers’ willingness to participate in data marketplaces is further eroded by requirements to describe in detail their data source, use and purpose of the data, processing practices, to hire an independent firm to issue data compliance information, and to pay for data security assessments and certification. On-exchange transactions are thus mainly usable for standardized and repeatable-use data products.
A key rule was issued by the China Ministry of Finance General Office in the Business Data Resource Accounting Treatment Temporary Rules. It specifies that accounting statements may use data assets and can be used to increase corporate valuations as either intangible assets or stock. Purchased data can apply the price plus taxes and fees. While these business valuation methods are helpful for outside investment, M&A, or IPOs, these are unlikely to effectively support on-exchange transactions because they are registered as intangible assets.
Duplicative Products. Most of China’s data marketplace organizations are concentrated on the eastern coast and are use local data. These data marketplaces offer highly duplicative products, which makes buying on these exchanges wasteful. By contrast, over-the-counter data transactions are not constrained by the marketplace or region. Marketplaces are unlikely to attract parties unless they diversify the types of data products and innovate in their business models.
Conclusion
Overall, China’s market for data sales has been growing rapidly and there are now a wide variety of data products available. New data marketplace platforms are launching regularly. Nonetheless, the lack of clarity in the law and how marketplaces should work in practice means there are major legal compliance concerns surrounding illegal data sourcing, privacy rights, and data security risks.