The new year ushered in a new way to commoditize personal data: the Shanghai Data Exchange (SDE). With the Personal Information Protection Law (PIPL) becoming effective on November 1, 2021 – as well as the Data Security Law (DSL) effective September 1, 2021, and the Cybersecurity Law (CSL) effective June 1, 2017 – the People's Republic of China has established an ambitious and comprehensive national framework to regulate cybersecurity, privacy and data protection. We anticipate ongoing efforts at the provincial and local levels to establish varying implementing regulations, template documents, best practices and guidance regarding many of the yet-to-be-defined elements in these laws. We may also start to see enforcement that could help clarify key risk areas.

What's the Shanghai Data Exchange?

One effort that has been made possible by PRC laws regulating data1 is the creation of national and local markets for data trading. These markets allow data to be categorized, priced and traded like other commodities. Among the most watched of these initiatives is the SDE, a quasi-government entity that opened for trading nationwide on November 25, 2021.2 On the same day, the Standing Committee of Shanghai Municipal People's Congress issued the final version of the Shanghai Data Regulation (上海市数据条例), which implements the PIPL, the CSL and the DSL, and became effective on January 1, 2022. The Shanghai Data Regulation consists of more than 90 articles spanning 10 chapters, and covers key topics such as the protection of data subject rights, definition of public data and its processing rules, data trading, data reformation in the Shanghai Pudong New Area, data security, and supervision. The regulation showcases how one of the most influential Chinese municipal governments intends to implement these laws. Importantly for this post, it also provides a legal basis for the SDE.

The SDE establishes a "data ecosystem" by tackling five identified challenges that data trading faces in the PRC:

  1. Rights determination
  2. Pricing
  3. Effective supervision
  4. Market entry
  5. Establishing trust in the system and its participants

The SDE's creators aspire to provide and facilitate services including data compliance consulting, data quality assessment, data product valuation and delivery.3 There are also plans for the SDE to be the PRC's first data trading system to create a standardized, transparent, safe, controllable, real-time listing and trading, and traceable data trading service environment.4 To facilitate these solutions, the SDE also plans to introduce a series of enforceable and detailed rules and regulations for data trading.

With the support of market participants, the SDE's creators envision new ways to monetize data through the design of data products (helping turning data from individual participants to tradeable commodities) and the issuance of data product and data trading certificates.5 This would allow data-related products and transactions to become verifiable and accountable.6 There are, however, few details as to how it will achieve these goals, and these high-level plans face real-world limitations that have not been addressed.

A global, open market

The first data products listed on the SDE were released by established Chinese companies, and the first batch of transactions in the SDE appeared to be orchestrated by state-owned companies or their proxies. It remains to be seen whether the SDE could potentially be used by multinational companies and handle data that comes with cross-border implications. We expect that the SDE will mostly be used by state-owned enterprises, public utility companies, and major technology, media and telecommunications companies, with limited opportunities for emerging and non-PRC companies.

Key implementation questions

While the SDE is active, there are not clear rules or standards in place for market participants to design, list and trade data products. For example, current guidance does not address the core issue of data ownership; operative data trading price evaluation guidelines and industrial indexes have not been formulated or published.

Oversight could curtail value creation

There is limited evidence as to how the additional government oversight and involvement brought by the creation of an exchange will work in practice. Private companies may balk at the involvement of the PRC government in otherwise private exchanges. It is yet to be determined whether the SDE and other exchanges will be a driver of value creation or fail due to a perception of state intrusion.

Survival of the fittest data exchange

Ultimately, even if the SDE can overcome these challenges, it would still need to compete with other local data exchanges to be successful. Like the Shanghai or New York Stock Exchange, it will need to prove itself as a valuable marketplace. To do so, the local Shanghai Data Regulation will also need to evolve to provide clear and reliable rules to govern the SDE. Alongside the SDE, there is a high-level plan to build an international data hub within Shanghai in the Lin-gang Special Area,7 and a similar plan within Shenzhen in the Guangdong-Hong Kong-Macau Greater Bay Area region.8

What comes next?

Despite lofty ambitions, the creation of the SDE leaves many questions unanswered. To become a success, the SDE will need to make progress on the challenges laid out above. Yet one thing is certain: While many view privacy and regulatory frameworks as solely a compliance cost, these initial efforts to establish the SDE highlight the untapped opportunities these frameworks can facilitate. The future is bright for PRC technology companies.9

At Cooley, we keep a close eye on the PRC's ongoing efforts to modernize its cybersecurity, data and privacy legislation, with a focus on facilitating data stewardship and practical ways to implement compliance solutions. Companies that are doing business in the PRC would be well advised to employ data protection counsel with a global perspective.

Reach out to any of the contacts listed below to discuss how ongoing changes to the PRC's privacy and security regulations might impact your business.

Footnotes

1 For example, per Article 19 of the DSL, the PRC shall establish and improve a data trading management system, regulate data trading activities and develop a data trading market.

2 GLOBALink | Shanghai Data Exchange begins trading: http://www.news.cn/english/2021-11/25/c_1310332879.htm.

3 Shanghai Data Regulation Article 53.

4 Shanghai Data Regulation Article 54.

5 Shanghai Data Regulation Article 50.

6 上海数据交易所今日揭牌成立: https://www.chinadep.com/#/news/newsDetail/CTC_20211201164845938594/1.

7 Shanghai Data Regulation Article 69.

8 《广东省人民政府关于印发广东省数据要素市场化配置改革行动方案的通知》: http://www.gd.gov.cn/xxts/content/post_3342648.html.

9 On November 1, 2021, the PRC officially applied to join the Digital Economy Partnership Agreement (DEPA), an international agreement that promotes collaboration in upgrading digital trade around the world. 中方正式提出申请加入《数字经济伙伴关系协定》(DEPA): http://www.gov.cn/xinwen/2021-11/01/content_5648158.htm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.