What is it, and why?
Exchanges and transactions involving large amounts of data have been a hot topic for quite long time, and are becoming more prevalent. Soon after the implementation of China’s Personal Information Protection Law (PIPL), the Shanghai Data Regulation (the Regulation) was promulgated on November 25th, 2021. This follows the national drive towards building up a data-oriented cybersecurity framework. The Regulation, as the first comprehensive legislation of its kind at a municipal level, is designed to offer certain benefits in order to encourage some data-related industries to adhere to more specific regulatory requirements surrounding data processing, data processors, etc.
While data exchange activities were initially mentioned in China’s Data Security Law (DSL), which proposed to establish national management systems regulating data exchanges and requires institutions engaging in data exchanges to ensure overall regulatory compliance, this Regulation provides some evidence that local governments also have a deep interest in engaging with businesses on this topic. So, Shanghai aims to “advance the order development of service institutions for data exchange by providing professional services of deal arrangement, agency, consultancy, broker, dealing, etc.”
With that in mind, on the same day as the announcement of the Regulation, and on the same day as the opening ceremony of the Global Data Ecosystem Conference 2021, the Shanghai Data Exchange was officially established. The Shanghai Data Exchange will act as a service provider for data exchanges and transactional deals for all parties relevant to the deal. Additionally, this institution will not only play a platform role, but also serve as a clearing house to assure overall compliance related to the data itself, as well as related transactions. In theory, this might serve to streamline these exchanges and transactions, while at the same time mitigate some of the costs and uncertainties related to compliance.
Some primary considerations for participating in the data exchange include the fact that data should be of course be legally collected and processed in accordance with the Cybersecurity Law, DSL or PIPL. In other words, if an illegal method of collection, such as an unauthorized web crawl, is employed during data collection, the data collected data and its collector would be prohibited from participating. Additionally, the Regulation draws clear lines between data that can be exchanged and that cannot. Article 49 of Regulation allows data products or services that are derived from substantial (legal) processing and creative labor to be freely exchanged on the market. However, data that could be considered a threat to national security, public health, or personality rights are tentatively excluded.
In short, data exchanges and transactions are an inherent part of China’s evolving cybersecurity and data compliance landscape, and authorities at both the national and municipal levels see the need for further regulation – and, potentially, the need to streamline these processes. Data-intensive industries such as artificial intelligence and e-commerce platforms, for example, should pay special attentions to the Regulation and Shanghai’s Data Exchange over the coming months.
Our cybersecurity and data compliance team is ready to answer any questions you might have about this or other related topics.