Compliance First, Separation of Data Rights, and the Long-Term Mechanism for Cross-Border Data Flows
Introduction: Reconstructing Data Asset Management Under a Macro Paradigm Shift
As the global digital economy deepens, data has ceased to be a merely supporting layer of information. It has become a factor of production capable of reshaping national economic structures and determining the core competitiveness of enterprises. Data asset management is accordingly undergoing a historical shift: the focus of enterprises and regulators is moving from passive compliance, aimed at avoiding administrative penalties, data breaches and cyber-attacks, to value realisation, centred on data rights confirmation, factor capitalisation and market-based allocation.
The entry of data onto the balance sheet, namely the conversion of data resources into recognised intangible assets, is not only a financial upgrade. It is the practical test of whether data can move beyond physical storage and be transformed into commercial capital. Yet data is non-rivalrous, weakly excludable, easy to copy and rich in externalities. The process of assetisation is therefore constrained by legal boundaries and technical verification requirements. Compliance is no longer a back-end risk-control review. It is the condition precedent for rights confirmation, registration, valuation, audit and eventual recognition in the accounts.
This report examines the legal due-diligence standards and rights architecture required for data assetisation, the authorised operation of public data under the Shanghai model, and the negative-list mechanism for cross-border data flows in free trade ports and the Lingang Special Area. It seeks to provide digital-economy participants with a map that combines legal rights confirmation, privacy-preserving technology and global business operation.
Legal Due Diligence for Data Assetisation and the Reconstruction of Rights Architecture
To turn intangible and mobile data resources into precise figures on a balance sheet, an enterprise must satisfy demanding preconditions in both accounting and law. This is not a mere accounting reclassification. It requires a legal reconstruction of the underlying chain through which data is collected, aggregated, processed and circulated.
Accounting Thresholds and Compliance Preconditions
Although official policy documents do not use completely identical criteria for recognising data assets, practice has broadly converged on three requirements: the enterprise must lawfully own or substantively control the data resource; the resource must be expected to generate continuing and foreseeable economic benefits; and its cost or fair value must be capable of reliable measurement.
Lawful ownership or substantive control is the foundation of all subsequent commercial logic and audit work. The legality of the source determines whether the enterprise has lawful rights and interests in holding, processing and operating the data during its life cycle. It also reflects the policy logic of China’s “Twenty Measures on Data”: national data security, personal information protection and trade-secret protection are the premises of data-factor circulation. In market transactions, source legality clarifies rights and obligations, interrupts circulation risk and prevents asset value from collapsing because of title disputes.
Looking Through the Code: The “Separation of Three Data Rights”
The traditional civil-law concept of real rights is ill-suited to data, which may be copied indefinitely and used by multiple actors at the same time. China has therefore developed a framework commonly described as the separation of three data rights. For legal due diligence, this changes the working method. Lawyers cannot confine themselves to contracts and authorisation letters; they must look through code logic, API call rules and database architecture in order to define the following rights.
First, the right to hold data resources. This protects the factual control lawfully achieved by the original collector. In the Supreme People’s Court’s first guiding cases on judicial protection of data rights and interests, including Guiding Case No. 262 and related unfair-competition disputes, the Court recognised protection for enterprise data resources lawfully collected and controlled through substantial investment. Due diligence should therefore review scraping scripts, notice-and-consent mechanisms in privacy policies, and the complete authorisation chain for third-party data purchases.
Secondly, the right to process and use data. This concerns the computing power and intellectual labour invested through cleaning, desensitisation, feature engineering, annotation and modelling. The key question is whether secondary development exceeds the purpose originally authorised. A dataset authorised for user profiling, for example, may not lawfully be diverted wholesale into the training of a commercial generative AI model.
Thirdly, the right to operate data products. This relates to final commercialisation and circulation, including the listing of standardised products on data exchanges, real-time API services, customised analytical reports and federated-learning node authorisations. Due diligence should test product form, pricing, licensing scope, competition-law risk and the possibility of data monopoly.
The “Fruit of the Poisonous Tree” in Data Practice
The criminal-law metaphor of the fruit of the poisonous tree is increasingly useful in data-rights review. If the underlying source is unlawful, for example if trade secrets are scraped from a third-party platform without authorisation, or consumer personal information is collected in serious breach of privacy policies and the Personal Information Protection Law, then algorithmic models and data products developed from that raw data are tainted at source.
The consequence for balance-sheet recognition is severe. A registration authority may reject proof of rights. Auditors may refuse to recognise the item as an intangible asset because lawful control cannot be established and administrative, civil and litigation risks cannot be excluded. In financing, IPO or M&A due diligence, the data asset may be removed from valuation and treated as a contingent liability.
Recent personal-information and data-rights cases cited by the Supreme People’s Court show the same point: improper processing may trigger a rights-confirmation crisis and damages exposure. Before data is recorded as an asset, enterprises must conduct a strict source-tracing review. The first mile of acquisition must be clean.
Authorised Operation of Public Data: The Shanghai Model
Public data, including healthcare, transport, finance and tax data, carries significant macroeconomic and social-governance value. Shanghai has become a leading jurisdiction in the authorised operation of public data, attempting to activate this “sleeping gold mine” while safeguarding national security, public interests and personal privacy.
Healthcare Data and Value Inversion
Healthcare data is one of the most commercially valuable public-data categories. EY’s 2019 analysis of the UK National Health Service estimated that approximately 55 million health records, if scientifically managed and effectively operated, could generate up to GBP 9.6 billion per year. China’s population scale, healthcare volume and commercial conversion space suggest an even larger potential market.
Demand is clear. Pharmaceutical companies seek real-world clinical feedback to optimise drug-development pipelines. Insurers need correlations between medical expenses and treatment behaviour for actuarial models and dynamic claims management. Medical AI companies need high-quality labelled data for image recognition and disease-prediction models. In the competition around foundation models, access to reliable medical data may determine whether a technology company survives.
The practical problem is value inversion. Medical data is difficult to use, technically specialised and expensive to clean. Data standards are often missing, unstructured text is widespread, and hospital systems do not always align. In a specialised-disease project at an eastern tertiary hospital, laboratory results exported from the LIS system could not be matched with diagnoses in the HIS system, requiring substantial manual and computational mapping. The cost of governance can exceed short-term commercial value.
Shanghai has nevertheless made progress. The Shanghai Data Exchange has launched China’s first compliant tradable healthcare data products, including disease datasets and administrative healthcare datasets from core clinical departments and public hospital management bodies. This indicates that a multi-party governance mechanism for public medical data is beginning to close the commercial loop.
“Usable but Invisible”: Privacy-Preserving Computing
The Shanghai rules on authorised operation of public data encourage technical approaches such as “raw data not leaving the domain”, “data usable but invisible”, and “data controllable and measurable”. This moves privacy-preserving computing from research to commercial infrastructure.
- Secure multi-party computation allows mutually distrustful institutions to perform joint computation without revealing local raw data. It is particularly useful in finance and government-data scenarios.
- Federated learning allows hospitals or other data holders to exchange model parameters or gradients while retaining sensitive individual data locally. It is a core route for medical and transport AI models.
- Trusted execution environments provide hardware-isolated enclaves for high-value data processing, protecting confidentiality and integrity during computation.
Legally, these technologies change the character of data processing. They cut the direct identifiable link between raw micro-data and final macro-analysis, converting high-risk delivery of sensitive data into a more compliant exchange of statistical features. Privacy-preserving computing is therefore an essential foundation for public-data commercialisation.
Authorisation Agreements: Monopoly, Revenue and Accountability
The operation of public data requires careful allocation of interests among government, operating institutions and developers. The Shanghai model is notable in three respects.
First, exclusivity is constrained. Operators with first-mover advantages must not become new data monopolists. The separation between administration and operation prevents a data operator from being both referee and player. Developers must submit application scenarios and pass compliance assessment before using public data resources.
Secondly, revenue allocation follows contribution. Public-data cleaning, desensitisation and governance require significant social capital. Shanghai’s model follows the principle that those who invest and contribute should share in the benefit. Public-interest scenarios may use data conditionally without charge, while commercial scenarios may be subject to government-guided pricing.
Thirdly, accountability is allocated through a look-through principle. Responsibility follows collection, holding, operation and use. Regular public disclosure of authorised operation creates social supervision and, in practice, a due-diligence boundary for public-data managers. This helps reduce the institutional fear that every defect in public data will lead to unlimited accountability.
Cross-Border Data Flows: The Negative-List Green Channel
For multinational enterprises, the cost and efficiency of cross-border data transfers now sit alongside tax and logistics as core considerations in selecting regional headquarters and R&D locations. The 2024 Provisions on Promoting and Regulating Cross-Border Data Flows opened space for free trade zones to issue their own negative lists for data exports. Shanghai and Hainan are representative examples.
From Case-by-Case Approval to Negative Lists
China’s principal compliance routes for exporting important data and personal information are security assessment, the standard contract for personal information export, and personal information protection certification. Applying those mechanisms indiscriminately to ordinary business data generated by cross-border HR, R&D and after-sales operations would create excessive transaction costs.
The negative-list approach reverses the logic. Data on the list must follow strict compliance paths; data outside the list may generally flow without security assessment, standard contract or certification. Shanghai has implemented this model across the municipality, established consultation channels in all 16 districts, and created cross-border data service centres. The result is a more predictable legal-business service model for multinational companies.
Hainan Free Trade Port and Infrastructure Synergy
Hainan’s data-transfer policy corresponds to its whole-island customs closure regime. The Hainan Free Trade Port Law establishes a special customs supervision area for the island, and the port applies liberal measures for goods, including zero-tariff policies and duty-free treatment for qualifying value-added processing.
This physical model of opening the first line and controlling the second line has influenced data design. A multinational enterprise that establishes a data-processing centre in Hainan and uses high-end imported computing equipment to process global data may benefit from a data negative-list regime that functions for digital services much as the compliance exemption for value-added processing does for goods. Physical-factor efficiency and low-cost data export reinforce each other.
The Lingang Negative List and Quantitative Thresholds
The 2024 negative list for the Shanghai Pilot Free Trade Zone and Lingang Special Area covers finance, shipping, commerce and meteorology, and breaks them down into nine scenarios, 29 subcategories and 109 data items. Critical information infrastructure operators are excluded and must follow the national approval regime.
| Industry and scenario | Security-assessment red line | Standard contract or certification range | Important-data features |
|---|---|---|---|
| Finance: reinsurance | Sensitive personal information exceeding 1 million individuals; general personal information exceeding 10 million individuals. | Sensitive personal information from 10,000 to 1 million individuals; general personal information from 1 million to 10 million individuals. | Underwriting and claims data concerning major national projects, defence research and production entities; non-public data reflecting economic and financial activity in key sectors. |
| International shipping | Sensitive crew personal information exceeding 150,000 individuals. | Sensitive crew personal information from 10,000 to 150,000 individuals; general crew personal information from 150,000 to 1 million individuals. | Port geographic and topographic data at national precision; key cybersecurity operation data; non-public internal decision-making data of shipping companies. |
| Commerce | Retail, catering and accommodation membership management follows national general thresholds. | Same, with focus on loyalty management based on customer analysis. | Undisclosed strategic data concerning core supply chains. |
Individuals are counted after de-duplication, and exempted data, such as information necessary for contract performance, is not included. This quantitative model allows enterprises to build automated auditing and threshold-warning systems for outbound flows. If a risk engine detects that financial data is nearing a threshold, or that non-public shipping decision data is about to be transferred, it can block transmission and trigger security assessment.
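The threshold check described above can be sketched as follows. This is an added example, not code from the report or from the Lingang list: the numeric thresholds come from the table, while the record schema, the 0.9 warning ratio, the free-flow tier below the listed ranges and the 1 million red line for general crew data (the table states none) are assumptions.

```python
# Added example: thresholds are from the table above; everything else is assumed.
ORDER = ["FREE_FLOW", "CONTRACT_OR_CERTIFICATION", "SECURITY_ASSESSMENT"]

# scenario -> category -> (contract-range floor, security-assessment red line)
THRESHOLDS = {
    "reinsurance": {"sensitive": (10_000, 1_000_000),
                    "general": (1_000_000, 10_000_000)},
    # The table gives no red line for general crew data; treating the top of
    # the contract range (1 million) as the red line is a conservative assumption.
    "shipping": {"sensitive": (10_000, 150_000),
                 "general": (150_000, 1_000_000)},
}

def constructed_batch(prefix, n, category, exempt=False):
    """Build constructed sample records (subject_id, category, exempt)."""
    return [(f"{prefix}-{i}", category, exempt) for i in range(n)]

def count_individuals(records):
    """Count distinct, non-exempt individuals per category."""
    seen = {"sensitive": set(), "general": set()}
    for subject_id, category, exempt in records:
        if exempt:  # e.g. information necessary for contract performance
            continue
        seen[category].add(subject_id.strip().lower())  # de-duplicate
    return {cat: len(ids) for cat, ids in seen.items()}

def classify(count, floor, red_line):
    if count > red_line:   # "exceeding" is a strict comparison
        return "SECURITY_ASSESSMENT"
    if count >= floor:     # listed ranges are treated as inclusive
        return "CONTRACT_OR_CERTIFICATION"
    return "FREE_FLOW"     # assumption: below the listed ranges

def evaluate(scenario, records, warn_ratio=0.9):
    """Return counts, the strictest applicable route, and warning flags."""
    counts = count_individuals(records)
    decision, near = "FREE_FLOW", []
    for cat, (floor, red_line) in THRESHOLDS[scenario].items():
        tier = classify(counts[cat], floor, red_line)
        decision = max(decision, tier, key=ORDER.index)
        if tier != "SECURITY_ASSESSMENT" and counts[cat] >= warn_ratio * red_line:
            near.append(cat)  # approaching the red line: raise a warning
    return {"counts": counts, "decision": decision, "near_red_line": near,
            "block": decision == "SECURITY_ASSESSMENT"}
```

Counting distinct identifiers before comparison matters: repeated transfers of the same crew member or policyholder would otherwise push a batch over a red line it has not actually reached.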
Shanghai also allows enterprises to refer to negative lists issued by other free trade zones and ports, and has compiled lists from multiple provinces and sectors. This horizontal policy linkage gives multinational groups a more unified national compliance map.
Conclusion: A Future-Oriented Data Compliance Middle Platform
Data asset management has left the stage of disorderly exploration. It is entering a mature phase built on precise legal rights confirmation, cryptographic infrastructure and quantitative threshold controls. For enterprises, the old model of business first and legal remediation later no longer works. Compliance is not a friction cost. It is the core evidence that allows data resources to survive source-legality review and be capitalised as assets.
Enterprises should build an end-to-end data compliance middle platform with three capabilities. First, it should integrate the separation of three data rights and conduct strict source tracing for crawlers, APIs, app privacy policies and third-party procurement. Secondly, it should adopt privacy-preserving technologies, including MPC and federated learning, so that value can be extracted from public data without raw data leaving the domain. Thirdly, it should track negative-list thresholds in free trade zones and build automated auditing and blocking systems for cross-border data flows. Only in this way can enterprises identify data assets capable of surviving regulatory cycles and driving long-term commercial value.
