Source:http://www.spcsc.sh.cn/n8347/n8481/n9119/index.html Comment Period: 9/30/2021 - 10/20/2021
Explanation of Matters Related to the Comment Draft
I. Drafting Background
The successive release of the PRC Data Security Law and the PRC Personal Information Protection Law made clear provisions for regulating data handling activities, ensuring data security, and promoting the development and use of data. As a new factor in production, the important role of data in driving high-quality economic development and promoting a comprehensive digital transition is increasingly pronounced. Now, Shanghai's drafting of comprehensive regulations for the data sector is an important measure for implementing and embodying the spirit of state policy and higher law, locking in experience in digital reform and innovation, and providing a foundational system for Shanghai to fully advance the city's digital transition.
II. Principal Content
The comment draft has 10 Chapters with 91 articles, divided into General Provisions, Protection of Rights and Interests in Data, Public Data, Data Element Markets, Exploitation and Use of Data Resources, Data Reform in the Pudong New District, Data Cooperation in the Yangtze River Delta, Data Security, Legal Responsibility, and Supplementary Provisions. The prinicipal content is as follows:
(1) On data development and management systems
The comment draft clarifies the duties of each level of people's government and relevant municipal departments in the development and use of data, data protection, and other areas, and further clarifies efforts such as the establishment of a data experts committee and strengthening safeguards for human resources. (Articles 4-6 and 8)
(2) Safeguards for Rights and Interests in Data
Starting from the perspective of safeguarding rights and interests in data, mechanisms for the protection of each type of entity's rights and interests in data are determined: First, is safeguarding the rights and interests of natural persons, legal persons, and unincorporated organizations related to data; Second is strengthening protections for personal information; Third is providing for data collection in emergency incidents. (Articles 12-23)
(3) On Public Data
The comment draft further optimizes the full life-cycle data management system for data collection, integration, sharing, opening, and use, and creates a mechanism for authorizing public data business. (Articles 24-45)
(4) On the Data Element Market
To stimulate the role of data elements playing a larger role in promoting industrial development, the comment draft consolidates the cultivation of the data elements market and the establishment of mechanisms for the production, circulation, use, and distribution of revenue; having data flow lead the globalized allocation of funds, talent, technology, knowledge, and other elements, and promoting the maximization of data's value. (Article 46-55)
(5) On opening and application of data resources
The comment draft clarifies content such as plans for the opening and use of data, the construction of data resource facilities and platforms, the development of digital industrialization and industry digitization, and digital transitions such as data energizing life and governance. (Article 56-62)
(6) On The Pudong New District's Data Reforms
The Comment Draft sets out a special chapter on 'Data Reforms in the Pudong New District, supporting the Pudong New District in playing a role as an innovator and leader in thorough sharing of public data, data exchange venues, cross-border data flow, industry development, and digital trust. (Article 63-69)
(7) Data Cooperation in the Yangtze River Delta
The Comment Draft clarifies a uniform data standard system and mechanisms for sharing and openness in the Yangtze River Delta, promotes the establishment of inter-regional mechanisms for checking and handling objections to data and data reconciliation; advance mutual recognition of digital verification and electronic licenses; and support inter-regional coordination in government affairs and municipal operations management, etc. (Articles 70-75)
(8) On Data Security
The Comment Draft establishes a comprehensive system for data security governance within the framework of the PRC Data Security Law and other higher-level laws, and in consideration of the city's actual conditions. (Articles 76-83)
In addition, the Comment Draft lays out a chapter on "Legal Responsibility." (Articles 84-89)
III. Key Points for the Solicitation of Comments
1. Comments and suggestions on the rights and interests in data assets and data transactions;
2. Comments and suggestions on public data sharing, opening, and authorized operations;
3. Comments and suggestions on the development of the digital economy and the markets' digital transition;
4. Other comments and suggestions.
Shanghai Data Regulations (Draft)
Chapter I: General Provisions
Article 1: (Legislative Purpose)
These Regulations are drafted on the basis of the Civil Code of the PRC, The PRC Data Security Law, The PRC Law on the Protection of Personal Information, and other such laws and administrative regulations, and in consideration of the city's actual conditions, so as to protect natural persons', legal persons', and unincorporated organizations' rights and interests related to data; to regulate data handling activities; to promote the lawful and orderly free flow of data; to ensure data security; and to accelerate the cultivation of a data elements market and the development of the digital economy.
Article 2: (Basic Definitions)
The following language in these Regulations below has these meanings:
(1) "Data" refers to any record of information in electronic or other forms.
(2) "Data handling" refers to activities such as the collection, storage, use, processing, transmission, sharing, opening, and circulation of data.
(3) "Data security" refers to employing necessary measures to ensure that data is effectively protected and legally used, as well as possessing the capacity to ensure a sustained state of security.
(4) "Public data" refers to all types of data collected or produced by the city's state organs, public institutions, organizations authorized to have public affairs functions in accordance with law, as well organizations providing public services such as water, electricity, and public transportation (hereinafter collectively referred to as public management and service bodies) in the performance of public management and service duties.
Article 3: (Overall Requirements and Basic Principles)
The city is to make overall plans for advancing the protection of rights and interests in data, the circulation and use of data, and data security management, giving full play to the role of data in municipal governance, optimizing the commercial environment, and promoting economic and social development.
The city is to follow the principles of combining data openness and protection, planning security and development and persisting in combining innovation and breakthroughs with prudent regulation, to promote the opening and use of data, implement categorical and hierarchical protections, highlight the priority of the public interest, and strengthen protections for personal information.
Article 4: (Governmental Duties)
The municipal people's government shall include the development and use of data, industry development, and the development of the digital economy in the economic and social development plan, establish and complete systems for data governance and the circulation and use of data; coordinate the resolution of major problems in efforts on the development and use of data, industry development, and data security; promote the development of the digital economy with data as a key element; and promote the city's digital transition.
District, village, and township people's governments and neighborhood offices shall complete efforts related to the development and management of the administrative area's data in accordance with the city's overall requirements and arrangements.
Article 5: (Departmental Duties)
The general office of the municipal government is responsible for the overall planning and comprehensive coordination of efforts to develop and manage data in the entire city, advancing, guiding, and overseeing the entire city's public data work.
The municipal reform and development department is responsible for efforts such as planning and construction of the city's new form of digital infrastructure, developing the city's digital economy, advancing reforms of the city's major digitized institutional mechanisms, comprehensively drafting policies, and linking the region.
The municipal department for economics and information technology is responsible for coordinating and advancing the city's efforts such as on public data openness and data openness and use and industry development in each sector of society and the economy, planning and advancement of the construction of information infrastructure, promoting industry advancing digitalization of industry, and the industrialization of data.
The municipal internet information department is responsible for planning and coordinating the city's network data security and related regulatory efforts.
The municipal public security organs and state security organs are to bear duties for data security regulation with the scope of their respective duties in accordance with law.
Municipal departments such as for finance, human resources and social security, market regulation, statistics, and pricing are to perform related duties within the scope of their respective duties in accordance with relevant laws and regulations.
The municipal data center is to specifically undertake the centralized and uniform management of the city's public data and promote the integration and use of data.
Article 6: (Experts Committee)
The municipal people's government is to establish a data experts committee comprised of experts from schools of higher learning, scientific research bodies, enterprises, and relevant departments. The data experts committee is to carry out research in areas such as the protection of rights and interests in data, the circulation and use of data, and data security management, to provide professional opinions on the city's development and management of data.
Article 7: (infrastructure construction)
The city is to strengthen and improve digital infrastructure plans and layouts; increasing the capacity of government affairs infrastructure such as the e-government cloud and external government affairs network; constructing new forms of infrastructure for the new era such as telecommunications networks, data centers, AI platforms, and smart-terminals; establish and improve digital infrastructure systems such as for networks, storage, computing, and security; and promoting joint building and sharing, and interconnectivity, of digital infrastructure.
Article 8: (Human Resource Safeguards, Publicity and Education)
The relevant municipal and district departments shall include high-level personnel in the data sector with high degrees and high technical capacity, as well as other talent for which there is a shortage, in the policy support system, innovate mechanisms for assessing and encouraging data talent, and complete mechanisms for data personnel services and safeguards.
The city is to strengthen publicity, education, and training on knowledge in the data sector, and increase the public's digital literacy and skill, including training in digitalization capability in the education and training system for public management and service bodies.
Article 9: (Industry Organizations)
The city is to support the development of data-related industry associations and organizations. Industry associations and organizations shall draft and promote the implementation of group standards and industry norms in accordance with law, give feedback on member enterprises' reasonable demands and suggestions, strengthen industry self-discipline; provide services such as information, techniques, and training; guide members to carry out data handling activities in accordance with law; cooperate with relevant departments carrying out industry regulation, and promote the healthy development of the industry.
Article 10: (Data Standardization)
The municipal administrative department for standardization shall collaborate with the government general office and market regulation department to strengthen the planning, construction, and management of the data standardization system.
The municipal technical organization for data standardization shall draw on international standards, state operations standards, and industry standards, to promote the establishment and improvement of the city's basic and widely used local data standards.
Article 11: (Chief Data Officers)
Each district, department, enterprise, public institution, and unit is encouraged to establish a chief data officer system.
The responsible person for a district, department, or unit is to serve as its chief data officer, and the chief data officers shall strengthen the coordination and management of the district, department, or unit's data work.
Chapter II: Safeguards for Rights and Interests in Data
Section 1: Ordinary Provisions
Article 12: (Common Principles)
Natural persons enjoy personality rights and interests in data that involves their personal information in accordance with law.
Natural persons, legal persons, and unincorporated organizations enjoy property rights in data they obtained through legal methods and data products and services formed through the lawful handling of data in accordance with law.
Natural persons, legal persons, and unincorporated organizations exercising rights and interests related to data shall comply with laws and regulations, respect public morality and ethics, and observe commercial ethics, and be honest and trustworthy; they must not endanger national security and the public interest, and must not harm the lawful rights and interests of others.
Article 13: (Rights and Interests for Data collection)
Natural persons, legal persons, and unincorporated organizations may collect personal data that the person has disclosed or data that has otherwise been legally disclosed, but must not violate laws and administrative regulations or infringe on the lawful rights and interests of others.
Natural persons, legal persons, and unincorporated organizations may collect other data through contracts or other lawful and proper means, but shall do so within the purposes and scope provided by laws and administrative regulations, and must not exceed the minimum necessary.
Article 14: (Rights and Interests in the Use and Processing of Data)
Natural persons, legal persons, and unincorporated organizations may lawfully use and process data that they collect or produce themselves in accordance with law.
Article 15: (Rights and Interests in Data Transactions)
Natural persons, legal persons, and unincorporated organizations may lawfully conduct transactions in data they obtained through legal methods as well as data products and services formed through the lawful handling of data in accordance with law.
The city is to protect the property rights of natural persons, legal persons, and unincorporated organizations obtained through data transactions.
Article 16: (Data Collection in Emergency Incidents)
The city and district people's governments and relevant departments may request that natural persons, legal persons, and unincorporated organizations provide data needed to handle emergency incidents in accordance with law, in order to respond to natural disasters, accidents, public health incidents, societal safety incidents, and other emergencies.
When relevant departments request that natural persons, legal persons, and unincorporated organizations provide data, they shall clarify the purpose, scope, and methods for the data usage. The data obtained must not be used for matters unrelated to efforts to handle the emergency, and must not be provided to third parties without the consent of the party providing the data.
Section 2: Special Protections for Personal Information
Article 17: (Knowledge and Consent)
Where collecting, using, processing, or transacting in data that involves natural persons' personal information, the natural persons' right to know shall be safeguarded in accordance with law.
Where natural persons' data that has not been disclosed is collected, the natural person shall be informed in an effective manner, and their consent obtained. Where data involving natural persons' disclosed personal information is handled, it shall comply with the use at the time the data was disclosed and where the reasonable scope related to that use is exceeded, the natural persons' consent shall be obtained. Except, however, as otherwise specified by laws and administrative regulations.
Article 18: (Corrections and Deletions)
Where natural persons discover that their information is inaccurate or incomplete, they have the right to request that data handlers correct or supplement it and the data handlers verify and address it promptly.
Where natural persons discover that data handlers have handled data involving their personal information in violation of laws, regulations, or agreements, they have the right to request that the data handlers delete it; and the data handlers shall verifying and confirming it and then immediately delete the data. Where laws and administrative regulations provide otherwise, those provisions control.
Article 19: (Prohibition on Excessive Collection)
Where a natural persons' consent has been obtained, data that involves their personal information may be collected. Data handlers shall ensure that natural persons have full knowledge to give consent and give explicit consent, it must be obtained through misdirection, tricks, coercion, or other methods that go against their true will.
In the following situations, the natural persons' consent is not necessary to collect data involving personal information in accordance with law:
(1) As necessary to conclude or perform on a contract to which the natural person is a party, or as necessary for carrying out human resource management in accordance with lawfully formulated labor rules systems and lawfully concluded collective contracts;
(2) As necessary for the performance of legally-prescribed duties or obligations;
(3) As necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property in an emergency;
(4) Handling personal information within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest;
(5) For a reasonable scope of handling of personal information that has been disclosed by the natural person or otherwise already legally disclosed in accordance with state law;
Data involving personal information must not be collected where there are no provisions of law or administrative regulations or situations provided for in the preceding two paragraphs.
When data handlers handle data involving personal information, they must not refuse to provide related products or services on the grounds that the natural persons did not consent, unless that personal information is necessary for the provision of the products or services.
Article 20: (Data Handlers Obligation to Give Effective Notice)
When data handlers handle data involving personal information, they shall notify natural persons of the following matters:
(1) The organization or personal name of the data handlers;
(2) the goals and methods of handling personal information;
(3) The type of personal information handled, and period it will be stored;
(4) the rights that natural persons enjoy in accordance with law as well as the methods and procedures for exercising them;
(5) Other matters on which laws and administrative regulations provide that notice shall be given.
When data handlers give notice to natural persons of the matters in the preceding paragraph, they must not use obscure, verbose, or difficult to understand language. Where notice is given through online means, a simplified Chinese language version is to be provided and the size, color, resolution, and other styles shall be easy to read, with convenient access.
Article 21: (Protection of Biometric Information)
Where handling data that involves natural persons' biometric information, there shall be a specific purpose and sufficient necessity, and the natural persons' independent consent shall be obtained.
Where handling data that involves natural persons' biometric information, alternative methods for achieving the purpose of handling shall be provided at the same time to fully safeguard the natural persons' rights of selection.
Article 22: (The Scope of Use for Facial Recognition Technology)
Where data handlers install facial recognition equipment in public places in this city such as stores, supermarkets, parks, scenic areas, public culture and sports venues, hotels, and residential compounds or office buildings, it shall be as necessary to preserve public safety.
Where facial recognition equipment is installed in public places and related areas, natural persons' right to know shall be fully safeguarded, with conspicuous signs and clear notice given in writing, audio, or other methods of information such as the entity responsible for the use of facial recognition equipment, the purpose, methods, and scope of the use, the storage period, and the contact methods of those using the technology.
The handling of biometric information obtained through facial recognition technology shall be limited to the scope of the notice, and must not be conducted beyond the scope either by oneself or by retaining a third party.
Article 23: (Regulation of Automated Decision Making)
Data handlers carrying out user profiling, algorithmic recommendations, or other automated decision making shall follow the principles of legality, propriety, necessity, and good faith, and ensure the transparency of decision making and the fairness and equity of the outcomes of the handling. Automated analysis and assessment of natural persons' behavioral habits, hobbies and interests, or economic, health, and credit status must not be done through computer programs, to carry out unreasonable differential treatment of natural persons in transaction requirements such as prices.
Where information pushing and commercial marketing are conducted through automated decision-making to natural persons, natural persons shall also be provided with options that do not target specific personal characteristics or with convenient means of refusing.
Chapter III: Public Data
Section 1: Ordinary Provisions
Article 24: (Responsible Departments)
The city-level departments responsible for a system and for management of industry public data (hereinafter city-level responsible departments) shall draft a public data resource plan for that system or industry public data on the basis of their operational functions, improve management systems and standards specifications, and organize carrying out that system's or industry public data's collection, aggregation, governance, sharing, openness, and use and related quality and security management. Where the management of public data involves multiple departments or where responsibility is unclear, the city government's general office is to designate a city-level responsible department.
The departments in charge of public data that are designated by district people's governments are responsible for planning the carrying out of that administrative region's efforts on public data management and are to accept operational guidance from the city governments' general office.
Article 25: (Big Data Resource Platform)
The municipal big data resource platform and district branch big data resource platforms (hereinafter jointly the big data resource platform) are the uniform infrastructure for relying on the e-governance cloud to implement the entire city's aggregation, integration, sharing, opening, and use of public data, and the municipal big data center is responsible for it's unified planning.
The city's public management and service bodies for fiscal fund guarantees must not newly establish interdepartmental or cross-level public data resource platforms or channels for sharing and opening public data resources; where they are already constructed, they shall be integrated in accordance with relevant provisions.
Article 26: (Public Data Catalogs)
The city is to establish a unified public data catalog management system. Data collected and produced by public management and service bodies during the lawful performance of public management and services, and data collected and produced by entrusted third parties, shall be included in the public data catalog.
The general office of the municipal people's government is responsible for drafting specifications for catalog composition. The city-level responsible departments shall follow the principle of data corresponding to operations, compiling public data catalogs for the corresponding system or industry, making clear factors such as the sources, update frequency, security level, and sharing or openness type of public data. District departments in charge of public data may sort public data that has not been included in city-level responsible departments' public data catalogs, and compile a supplemental district catalog.
Article 27: (Categorical Management of Public Data)
The city is to implement categorical management of public data. The municipal big data center shall draft rules and standards for the classification of public data based on the public data's common usage, fundamental nature, and importance, as well as the nature of the data sources, to clarify management requirements for different types of public data and to adopt different management measures for the entire lifecycle of public data.
The city-level responsible departments shall determine the category of public data based on the public data classification rules and standards, and implement the differentiated management measures.
Article 28: (Collection and Storage of Public Data)
Public management and service bodies' collection of data shall comply with that unit's legally prescribed duties, and comply with the principles of legality, propriety, and necessity. Public data may be obtained through sharing, and must not be repetitively collected.
Where it is necessary to rely on relevant district departments to collect public data that has a large volume or is strongly time-sensitive, such as from video or the internet of things, the district departments in charge of public data are to carry out the collection based on the requests of the city-level responsible departments, and store them through the district branch big data resource platform.
Article 29: (Return of Public Data)
Public data governed through the municipal big data resource platform may be sent to branch big data resource platforms based on the region to which it belongs, and support is to be given to each area in applying in utilizing the data.
Article 30: (Purchasing Data)
In order to perform their duties in accordance with the law, the city's public management and service bodies operating the fiscal fund safeguards may apply to purchase non-public data.
The general office of the municipal people's government is responsible for planning the requests to purchase non-public data from city-level public management and service bodies, to be uniformly implemented through the municipal big data center. The municipal big data center is to compile a catalog of purchased non-public data through the big data resource platform, and share it with the departments and units requesting it.
District departments in charge of public data management are responsible for planning purchase requests that are individualized to that administrative region and organize the purchases themselves.
Article 31: (Aggregation of Public Data)
The city's state organs, public institutions, and organizations authorized to have duties on the management of public affairs in accordance with law shall promptly aggregate public data on the big data resource platform. The public data of other public management and service bodies may be aggregated in a logically centralized or physically dispersed manner, but public data that has applications in public management and services shall be aggregated on the big data resource platform.
As required for the categorical management of public data, the municipal big data center is to implement uniform aggregation of relevant data, ensuring the timeliness, integrity, and accuracy of data aggregated on the big data resource platform.
In circumstances such as where public data that has already been aggregated changes or becomes invalid, the public management and service bodies shall promptly update it.
Article 32: (Construction of Databases)
The municipal big data center shall plan and organize the implementation of the construction of foundational databases such as on natural persons, legal persons, natural resources, and spatial geography.
The city-level responsible departments shall plan and construct specialized databases for use in corresponding systems and industry operations, and collaborate with relevant departments to plan and construct subject matter databases on key industries and fields.
Article 33: (Quality Management)
The big data center shall organize and carry out quality oversight of public data, conduct real-time monitoring and periodic appraisals of data quality, and establish management systems for objections and corrections.
The city-level responsible departments shall establish and complete management systems for public data in the corresponding system or industry, and strengthen the management and control of data quality.
Article 34: (Oversight Inspections and Evaluation Assessments)
The general office of the municipal people's government shall establish mechanisms for oversight inspections of the routine management of public data, carrying out oversight inspections of public management and service bodies' compilation of public data catalogs, public data quality management, sharing, openness, and so forth.
The general office of the municipal people's government shall periodically organize evaluations and assessments of the efficacy of city-level responsible departments' and each districts' implementation of public data efforts, and the results of the evaluation assessments are to be included in the annual performance evaluations for all levels of leadership group and for leading cadres.
Article 35: (Costs Assurances)
Expenses involved in the collection, aggregation, governance, sharing, and opening of public data and for quality and security management carried out by the city's public management and service bodies operating fiscal fund safeguards are to be included in the municipal and district fiscal budgets.
Section 2: Public Data Sharing and Openness
Article 36: (Principles and Mechanisms for Data Sharing)
Sharing of public data shall be the rule, and not sharing the exception between public management and service bodies. Public data shall be shared through the big data resource platform.
As needed to perform duties, the public management and service bodies shall submit a list of data requests; clarify a responsibility list of data that the unit may share based on legally prescribed duties; and include data that laws or regulations clearly provide cannot be shared in a negative list after review by the general office of the municipal government.
The general office of the municipal government shall establish a public data sharing mechanism based on the data requests lists, responsibility lists, and negative lists.
Article 37: (Convenient sharing)
Where public management and service bodies submit requests for sharing, they shall make clear the scenario for its usage and make pledges regarding its honesty, compliance, and security. Public data that is not listed in a negative list may be directly shared, but must not exceed the scope necessary to perform duties in accordance with law; for public data that is not listed in the public data catalog, within 15 working days of receiving a request to share it, the city-level responsible departments shall confirm it and then enter it in the public data catalog and share it.
Where public management and service bodies share the data of other bodies outside of the range necessary for the performance of duties in accordance with law, the municipal big data center shall immediately stop them from sharing data being the necessary scope.
Article 38: (The Use of Shared Data)
When public management and service bodies providing services to natural persons, legal persons, and unincorporated organizations need to use other departments' data, they shall use the latest data provided by the Big Data Resource Platform.
Public management and service bodies shall establish mechanisms for managing data sharing, public data obtained through sharing shall be used as needed by the unit to perform duties in accordance with law, and must not be provided to third parties in any form, and must also not be used for any other purpose.
Article 39:(Opening by Category)
The city is to rely on the Big Data Resource Platform to make public data open to the public.
Public data is divided into three categories in accordance with its type: unconditionally open, conditionally open, and not open. That which involves commercial secrets, personal privacy, personal information that can identify specific natural persons, or which laws and regulations provide must not be made open, are included in the 'not open' category; public data which has relatively high requirements for security and handling capacity, is more time-sensitive, or needs to continuously obtained, is included in the 'conditionally open' category; other public data is included in the 'unconditionally open' category.
Where public data in the "not open" category is declassified, processed to remove sensitivity, or where the relevant rights holder agrees to make it open, it may be included in the 'unconditionally open' or 'conditionally open' categories.
Article 40: （Open Lists）
The city-level responsible departments, district people's governments, and other public management and service bodies are responsible for opening the public data of the respective system, industry, administrative region, or unit, and shall draft a list of open public data within the scope of the public data catalog, clarifying the data's scope of openness, openness category, conditions for openness, update frequency, and so forth, and publish it on the municipal Big Data Resource Platform.
Section 3: Authorization of Public Data Operations
Article 41: (Mechanism for Authorizing Operations)
The city is to establish mechanisms for authorizing public data operations. The general office of the municipal government is to use competitive methods to determine entities for authorized operations, authorizing them to carry out public data operations in a marketized fashion for a set period of time and within a set scope, to provide data products and data services, and obtain income. Authorization agreements shall be signed for authorized operations, determining the relevant rights and obligations.
The general office of the municipal government shall organize the drafting of management measures for authorized public data operations, clarifying the standards, requirements, and specific procedural requirements for authorization, and establishing mechanisms assessing and ending authorized operations. The municipal Big Data Center shall carry out routine oversight and management of authorized public data operations.
Where the data for authorized operations includes personal information, the handling of that data shall comply with laws, administrative regulations, and the provisions of article 17 of these Regulations. Except for where the information contained in data no longer constitutes personal information following anonymization processing.
Article 42: (Regulation of development and Use)
The entities authorized for operations are to plan application scenarios based on market demand, and are to carry out public data development and use after the general office of the municipal organizes an assessment by the industry regulatory departments and the data experts committee. Development and use activities shall comply with the conduct norms provided for in the public data operations authorization measures and authorization agreement.
Article 43: (The Development and Use of Data and the Provision of Products and Services)
Those with supply or demand for data products and services may make deals, sign contracts, and settle business through the public data operations platform; and where they sign contracts through other channels, they shall record it on the public data operations platform.
Article 44:(Pricing of Data Products and Services)
The general office of the municipal people's government shall organize the data experts committee's drafting of a Guide on Assessing Prices for Data Products and Services, and authorized operators shall reasonably determine the prices of data products and services on the basis of the pricing appraisal guide.
Article 45:(Platform Service Fees)
Where authorized operators provide services using the municipal Big Data Resource Platform, they shall pay corresponding platform service fees to the platform builders. Measures for fee collection are to be separately drafted by the relevant municipal departments.
Chapter IV: Data element market
Section 1: Ordinary Provisions
Article 46:（Purpose of Establishment）
The munipal people's government shall deepen the reform of marketizing configuration of data elements in accordance with state requirements, drafting promotional policies and cultivating a data market that is fair, open, orderly, and honest; establishing market operation systems such as for asset appraisal, registration and settlement, making deals, and arbitrating disputes; to promote the lawful and orderly flow of data elements.
Article 47:(Data Circulation and Use）
The general office of the municipal government shall draft policies encouraging and guiding market entities to carry out data sharing, openness, transactions, and cooperation in accordance with law, and promoting the flow and use of data across regions and industries.
Article 48:（Cultivation of Market Entities）
The city is to draft relevant policies to encourage and guide natural persons, legal persons, and unincorporated organizations to participate in the establishment of a data element market; promoting the development of data element market entities in the entire industry chain, such as data collection, cleaning, mining, use, asset management, data governance, compliance consultation, and security assessment.
The city is to encourage market entities to research and develop data techniques, strengthen exchanges and cooperation on data, and advance the use of data, deeply mining the value of data and forming data products and services through substantive processing and innovative labor.
Article 49: (Data Asset Appraisal)
The city is to explore building a system of data asset appraisal indexes, establishing a data asset appraisal system, and carrying out data asset appraisal certification pilots, to correctly reflect asset values in the data elements market.
Article 50:(Statistical Accounting of the Production Data Elements)
The relevant municipal regulatory departments shall establish and complete a statistical index system and assessment and appraisal guidelines for data element allocation, to scientifically assess the extent of each district's, department's, and sector's data's contribution to economic and social development.
Article 51:Obligations of Market Entities)
Market entities shall strengthen the management of data quality, ensuring the truthfulness, accuracy, and integrity of data.
Market entities shall obey the principles of fair competition in using data, and must not use a monopoly position in data to engage in activities such as market manipulation or setting up exclusory cooperation clauses; they must not use big data analysis and other technological techniques to encroach on the lawful rights and interests of consumers by establishing unfair transaction requirements based on data on individual spending and spending habits.
Section 2: Data Transactions
Article 52:(Data Transaction Service System)
The city is to support the orderly development of data transaction service bodies providing third-party assessments of data assets, data compliance, data compliance, and so forth for data transactions, as well as professional services such as deal-making, transaction representation, professional consultation, data experience, and data payments,
The city is to establish and complete management systems for data transaction service bodies, strengthening the regulation of service bodies and standardizing the professional conduct of service personnel.
Article 53:(Requirements for Data Transaction Service Bodies)
Data transaction service bodies shall establish a service environment that is regulated and transparent, secure and controllable, and trackable; draft transaction service processes, internal management systems, and institutional self-discipline rules; and employ effective measures for protecting individual privacy, commercial secrets, important data, and core national data.
Article 54:(Content of Data Transactions)
Market entities may lawfully trade data obtained through legal methods as well as data products and services formed through the lawful handling of data, except in any of the following circumstances:
(1) it includes personal information for which authorization was not obtained in accordance with law;
(2) it includes public data that has not been made open in accordance with law;
(3) Other situations where laws or administrative regulations prohibit transactions.
Article 55:(Transaction Pricing)
Market entities engaging in data transaction activities may set their own prices in accordance with law.
The relevant market regulatory departments shall organize related industry associations and the like in drafting guidelines for data transaction pricing, establishing pricing and appraisal indexes for transactions.
Chapter V: Data Resource Openness and Applications
Article 56:(Data Resource Openness and Application Plans)
The municipal people's government shall compile a plan for developing the development and application of data resources from all of society in consideration of the advancement of the digital transition, and clarify policy measures. District people's governments shall include the development and application of data in citizens' economic and social development plans.
Article 57:(The Establishment of Data Resource Facilities and Platforms)
The city is to encourage the construction of data infrastructure in key fields and industries; laying out a comprehensive innovation platform that integrates data, algorithms, and computing power; building industry data centers, and promoting data interconnectivity in industry and supply chains.
The city is to promote the construction of national and local big data laboratories; develop industry innovation centers, technical innovation centers, engineering research centers, and enterprise technology centers oriented towards the development and use of data resources; and research, develop, and transition functional platforms to form new research and development organizations and other vehicles for innovation.
Article 58:(Innovation and Development of Data technology and Digital Industry)
The city is to support basic data research and research on key technologies, create high-quality data sets, and develop high-end data products and services through policy supports and setting standards.
The city is to cultivate and expand core data industries such as data collection and storage, data processing and handling, and data transactions and circulation; develop related industries such as cloud computing, artificial intelligence, blockchain, high-end software, the Internet of Things, and quantum communications; and support the development of the new online economies such as digital trade, digital medicine, and digital office work; to increase the extent to which the development and application of data resources contribute to and radiates through digital industry.
Article 59:(Data-enabled Digital Transition of Industry)
The city is to advance the deep integration of data technology and the real economy, encouraging the integration and application of all types of enterprise, accelerating model innovations in fields such as manufacturing, scientific and technological research and development, commercial trade circulation, shipping, and logistics, and agriculture; and promoting the linked development of the Internet for industry and for consumers.
The city is to establish a two-way data openness enabling mechanism to promote innovation in the integrated application of public data and enterprise data, promoting the digital transition of enterprises, and advancing cost reductions, quality improvements, and increased efficiency.
Article 60:(Digital Transition for Data-enabled living)
The city is to promote the deep integration of data technology and the service industry, promoting the development and application of data resources in basic sectors for the people's lives, such as public health, medicine, education, eldercare, and occupations; and use digitalization to promote the linked, refined, and full development of public services.
The city is to strengthen data integration and use in each sector, such as in government, enterprise, and society; promote the digital transition in quality-of-life fields such as commerce, entertainment, sports, and travel; Innovate new business models, increase the high-quality and personalized experience of digital life.
The city is to set up policy supports to promote the elimination of the "digital divide". Digital transformation of websites, mobile applications, smart terminal facilities in public venues, and so forth for disabled persons and the elderly is to be supported.
Article 61:(Data-enabled Digital Transition of Governance)
The city is to rely on the development and application of the entire society's data resources to promote the establishment of systems for economic, social, and urban governance that are scientific, precise, and intelligent.
The city is to promote the overall planning of governance for big systems and big platforms, promoting the deep use of digital technology in fields such as full-cycle enterprise services, comprehensive economic movement, and comprehensive regulation, to increase the digital capacity of basic governance, individual services, and establishing the rule of law; and constructing a comprehensive digital application system that covers urban planning, construction, management, and operations.
Article 62:(Spacial Media)
The city is to establish a digital transition demonstration zone, innovating business models that comprehensively utilize data resources; reshape the spatial media of urban economics, life, and governance; and lead the creation of an "international digital capital" with global influence.
Support the synchronized planning of critical information infrastructure in the New City and other key districts; improving mechanisms for the full life-cycle management of data resources such as for urban spaces, industrial spaces, and living spaces; organizing the implementation of the construction guidelines for "universal perception, total fusion, fulltime responsiveness, and panoramic empowerment" to promote the transformation of the region as a whole.
Based on the layout of the city's industry functions, the municipal and district people's governments shall promote the overall digital transformation of special industrial parks, encourage the development of regions where the data industry is concentrated, develop industrial parks for the development of digital industries such as artificial intelligence, intelligent production, the online economy, and big data.
Chapter VI: Data Reforms in The Pudong New District
Article 63:(Innovation and Exploration)
The city support's the Pudong New District's high-level reform and opening and creation of a leading area for socialist modernization and is to advance the setting of standards and construction of systems such as for defining data ownership, openness and sharing, transactions and circulation, oversight and management.
Article 64:(Thorough Sharing of Public Data)
The city is to support the Pudong New District in exploring the establishment of data sharing mechanisms with relevant state departments such as for customs, statistics, taxation, the People's Bank of China, banking and insurance oversight, and securities regulation, to realized real-time sharing of public data in the Pudong New District through methods such as interface calls. The Pudong New District shall submit a list of data use scenarios requirements in consideration of major reform and innovation efforts such as major risk prevention, improving the business environment, and optimization of public services.
The Pudong new district shall complete mechanisms for sharing public data between district-level public management and service bodies.
Article 65: (Data Exchange)
The city is to establish a data exchange in the Pudong New District in accordance with state requirements and carry out substantive operations.
The data exchange shall follow the provisions of laws, administrative regulations, and relevant departmental provisions to provide a centralized forum and facilities for data transactions, and organize and regulate data trading.
The data exchange shall draft rules for data transactions and other relevant business rules, explore the establishment of new forms of mechanisms for comprehensive big data trading that are divided by type and level, and organize compliance checks, registration and settlements, and information disclosures for data transactions, to ensure that data transactions are fair and orderly, secure and controllable, and can be fully tracked.
The Pudong New District is to lead natural persons, legal persons, and unincorporated organizations in conducting transactions through the data exchange in accordance with law.
The government departments and state-owned enterprises of the Pudong New District shall conduct data purchasing and circulation transactions through the data exchange.
Article 66:(Construction of an International Data Port)
Based on state allocations, the city is to advance the construction of an international data port, focusing on the Lingang New Area of China (Shanghai) Pilot Free Trade Zone (hereinafter simply Lingang New Area) to build new infrastructure such as dedicated internet routes for international internet and functional data centers, to create a platform hub for the convergence and circulation of global data.
Article 67:(Cross-border Data Flow)
The city is to follow relevant laws and regulations to explore drafting a catalog of low-risk data for cross-border flow in the Lingang New Area, to promote the secure and free flow of data across borders.
Natural persons, legal persons, and unincorporated organizations lawfully carrying out cross-border activities in the Lingang New Area shall report relevant information as required.
The city is to establish an offshore data center in the Lingang New Area, bringing in foreign data in accordance with international agreements and laws, and is to support enterprises in carrying out related data handling activities.
Article 68:(Industrial Development)
The city is to employ relevant measures in accordance with national requirements to support the Pudong New District in fostering an internationalized data industry, introducing related enterprises and projects.
The city is to support the Pudong New District strengthening applied and basic research, orderly relaxing restrictions on data development and use in application fields, and promoting the development of special industries in the Pudong New District.
The city is to support the Pudong New District in establishing a system of standards for the assessment of algorithms, promoting the protection of intellectual property rights in algorithms.
The city is to support the Pudong New District in establishing industry data hubs, creating infrastructure and platforms to promote data interconnectivity between industrial and supply chains.
Article 69:(Digital Confidence Systems)
The city is to support the Pudong New District in establishing digital confidence systems for data transactions, innovating and integrating digital technologies such as big data, block chain, and zero trust, in building a digital confidence infrastructure and ensuring reliable data transaction services.
Chapter VII: Data Cooperation in the Yangtze River Delta
Article 70:(Establish a Yangtze Delta Data Hub of the National Unified Big Data Center System)
In accordance with national allocations, the city is to coordinate with other provinces in the Yangtze Delta to establish a Yagtze Delta hub of the National Unified Big Data Center System, optimizing the layout of data centers and storage and computation resources, bringing on the intensified, scaled, and green development fo data centers; promoting resource intensification and service innovations in computing power, data, and applications; and fully supporting the digital upgrade and industrial digital transition in each industry in the Yangtze Delta.
Article 71:(Yangtze Delta Data Standards and Specifications System)
In conjunction with other provinces in the Yangtze Delta, the city is to strengthen the establishment of the data standardization system in the Yangtze Delta, jointly establishing a data resource catalog, basic database, topic databases, data sharing, data quality and security oversight, and other basic standards and specifications as needed for data sharing in the region, to promote the sharing and use of data resources.
Article 72:(Data Sharing in the Yangtze River Delta)
The city is to rely on the national unified government service platform to establish a unified data sharing and exchange platform for the Yangtze Delta, supporting the establishment of data sharing and joint use, operational coordination, and scenario applications in the Yangtze Delta, to promote the effective flow, development, and use of data.
In conjunction with the other provinces in the Yangtze Delta, the city is to establish a data sharing mechanism for the Yangtze Delta based on the request lists, responsibility lists, and data sharing resource catalogs.
Article 73:(Yangtze Delta Data Quality Management)
In conjunction with the other provinces in the Yangtze Delta, the city is to establish cross-region mechanisms for verifying and handling complaints on data and data reconciliation, ensuring that the data provided by each provincial-level administrative region is consistent with the data on the Yangtze Delta Data Sharing and Exchange Platform, and making it so that data can be reconciled, verified, and checked, and that problems can be tracked and addressed.
Article 74:(Data Authentication and other Cross-Regional Collaboration)
In conjunction with the other provinces in the Yangtze Delta, the city is to promote cross-region interconnectivity such as digital authentication systems and electronic licensing and support cross-regional coordination on government service and urban operations management.
Article 75:(Cooperation on Digital Development in the Yangtze Delta)
In conjunction with the other provinces in the Yangtze Delta, the city is to promote the use of technologies for secure data circulation such as blockchain and privacy computing, establish cross-regional mechanisms for data integration, development, and use, and give play to the innovative driving role of data in coordinated cross-regional development.
Chapter VIII: Data Security
Article 76:(Entities Responsible for Data Security)
The city is to implement a system of responsibility for data security in which data handlers are the entities responsible for data security.
Where data concurrently has multiple handlers, each data handler separately bears their respective responsibility for security.
Where the data handlers change due to mergers, divisions, sales, and other such means, the new data handlers are to continue bearing responsibility for protecting data security.
Article 77:(Data Security Protection Obligations)
The following obligations shall be fulfilled in carrying out data handling activities, to safeguard data security:
(1) establish and complete systems for data security management through all processes in accordance with laws and regulations;
(2) Organize and carry out education and training on data security;
(3) Employ corresponding technical measures and other necessary measures to ensure data security, and prevent data leaks, alteration, or loss;
(4) Strengthen risk monitoring, and when data security flaws, vulnerabilities, or other risks are discovered, remedial measures shall be immediately employed;
(5) When data security incidents are discovered, measures to address them shall be adopted immediately, users shall be promptly notified as provided, and reports made to the relevant regulatory departments;
(6) use the internet or other information networks to carry out data handling activities shall be done on the basis of the multi-level protection system for cybersecurity, and carry out the data security protection obligations described above;
(7) other obligations provided by laws and regulations.
Article 78:(System of categorical and hierarchical data protections）
The city is to establish and complete a categorical and hierarchical data protection system in accordance with national requirements, promoting efforts on data security governance in this region.
The city is to establish a catalog management system for important data, carrying out key protections for data entered into the catalog. The general office of the municipal government is to compile the specific catalog in collaboration with relevant departments.
Article 79:(Security for Important Data)
Those handling important data shall clarify the persons responsible for data security and the management bodies, periodically carrying out risk assessments of data handling activities and making risk assessment reports to the relevant regulatory departments, the municipal internet information department, and public security organs.
The handling of important data shall be conducted in accordance with laws, administrative regulations, and relevant state provisions.
Article 80:(Special Provisions on Security Management for Public Data)
The city-level responsible departments shall formulate a security management system for public data in the corresponding system or industry, conduct security grading of the public data on the basis of the national and this city's related standards and specifications, and bear responsibility for security in every operational stage such as data collection, use, and personnel management.
Where it is within the scope of the municipal big data center's informatization work, the municipal big data center shall bear responsibility for the security of technical steps such as the transmission, storage, and processing of public data, and provide security protection measures based on the security grade.
Article 81:(Monitoring and Early Warnings)
The city is to follow the uniform national allocations to establish and complete data security risk assessment, reporting, information sharing, monitoring, and early warning systems to strengthen the acquisition, analyses, assessment, and early warnings for information on data security risks.
Data handlers shall strengthen risk monitoring, and when data security flaws, vulnerabilities, or other risks are discovered, remedial measures shall be immediately employed.
Article 82:(Emergency Response for Security Incidents)
The city is to establish and complete a data security emergency response and handling mechanism in accordance with the uniform national allocations. In conjunction with the public security organs, the municipal internet information department shall employ the corresponding emergency response and handling measures to prevent the harm from increasing and eliminate security risks in accordance with the emergency response plans, and promptly issue relevant alerts to the public.
Article 83:(Security Testing, Assessment, and Certification)
The city is to support professional bodies carrying out data security testing, appraisals, and certification service activities.
The city is to support relevant departments, industry organizations, enterprises, educational or scientific research bodies, relevant professional bodies, and so forth in carrying out collaboration in areas such as assessments, prevention, and handling of data security risks.
Chapter IX: Legal Responsibility
Article 84:(Guiding Provisions)
Where the laws or administrative regulations have provisions on the handling of violations of the provisions of these Regulations, follow those provisions.
Article 85:(Legal Responsibility of Public Management and Service Bodies)
Where state organs and public institutions performing public management and service functions, and their staff, have any of the following conduct, the people's government of the same level or the competent department at the level above is to order corrections; where the circumstances are serious, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law by an organ with authority:
(1) failing to specify the purpose, scope, and methods for using the data required for emergency handling or using the data in accordance with Article 16 of these Regulations;
(2) Violating paragraph 2 of article 25 of these Regulations by establishing new interdepartmental or cross-level data resource platforms or channels for sharing, exchanges, and openness, or failing to conduct integration in accordance with provisions;
(3) Failing to follow the provisions of article 26 of these Regulations on compiling a public data directory;
(4) Failing to follow the provisions of articles 28, 31, 36, 37, 38, and 40 of these provisions in the collection, aggregation, sharing, and opening of public data;
(5) Failing to follow the provisions of paragraph 2 of article 33 of these Regulations to perform quality management obligations for public data;
(6) Failing to open legally-prescribed channels for opening public data or authorizing operations through the public data.
Article 86:(Punishment for Setting Up Unfair Trade Conditions)
Market entities that violate paragraph 2 of article 51 of these Regulations by abusing technical methods to set up unfair trade conditions infringing on consumers' lawful rights and interests are to be ordered to make corrections by the market regulatory departments and have unlawful gains confiscated; where they refuse to make corrections, a fine of between 100,000 and 1,000,000 RMB is to be given; and where the circumstances are serious, a fine of up to 5% of their annual income is to be given with a minimum of 1,000,000 RMB and a maximum of 50,000,000.
Article 87:(Punishment for Data Trading in Violation of Provisions)
Where market entities trade data in violation of article 54 of these Regulations, the municipal department for market regulation or other relevant departments in charge of industry is to order corrections in accordance with their respective duties and confiscate unlawful gains; where the amount of the transaction is less than 10,000 RMB, a fine of between 50,000 and 200,000 RMB is to be given; and where the amount of the transaction is greater than 10,000 RMB a fine of between 200,000 and 1,000,000 RMB is to be given.
Article 88:(Credit Penalties)
Where personal information is infringed upon, data monopolies are formed, or there are other violations of prohibitions in these Regulations, the relevant information is to be included in the municipal Public Credit Information Service Platform, and relevant departments are to carry out joint penalties.
Article 89:(Public Interest Litigation)
Where data handlers violate the provisions of these Regulations and infringe on the rights and interests of a large number of individuals, the People's Procuratorate, and organizations designated by the internet information department may file a lawsuit in the people's court in accordance with law.
Chapter X: Supplemental Provisions
Article 90:(Enforcement by Reference)
In addition to the public management and service bodies provided for in item (4) of Article 2 of these Regulations, operating expenses may be implemented in accordance with the provisions on public data for all types of data collected or produced in the course of the lawful performance of public management and service duties by any level of municipal fiscal safeguard unit, management units stationed in the city by central state organs, as well as units such as for communication, civil aviation, and railways. Where laws and administrative regulations provide otherwise, those provisions control.
Article 91:(Implementation Period)
These Regulations are to take effect on XXXX, X, X.