Shanghai and Shenzhen: Municipal-level Data Regulations Indicate A Trend of China’s Data Governance

January 13, 2022

By Donnie Dong

Shanghai and Shenzhen, the two economic hubs of China, implemented their respective “Data Regulations” on a same day January 1, 2022. These municipal-level legislations attempt to balance the interest of stakeholders in the utilization of public data, data sharing and privacy protection. The local governments apparently plan to use these regulations staying ahead in the data-related industries among Chinese cities.

In China, local governments’ attitudes to data varies from city to city. In addition to adjusting business activities pursuant to the laws and regulations issued by the central government, companies should seek advice on municipal-level regulations, by which a clear and accurate big picture of data governance in China could be established. Economic hubs like Shanghai and Shenzhen have led the reform of Chinese regime for a few decades, forward-looking businesses are recommended to monitor their practices closely.

The following is a brief overview of the two cities’ data regulations.

“Property Interests” in Data & Permission of Data Transaction

The Shanghai Regulations recognize that companies have certain “property interests” in the datasets they acquire and generate during their business operation. Companies also have property interests in the data sets they collect after cleansing and filtering the raw personal data. Because Chinese local authorities are not entitled to add statutory property rights, Shanghai Regulations use the phrase “protect statutory or contractual property rights and interests” to deliberately maintain the ambiguity. However, it is obvious that Shanghai Regulations encourage the transfer of de-identified and anonymized data.

The Shenzhen Regulations also state that the local authorities will protect the property interests as provided by law.

The Shanghai Regulations clearly state that it encourages data transaction and support the development of data transaction service agencies. The Shenzhen Regulations also stipulate that the products or services formed by companies’ legitimate data processing can be traded, excluding unauthorized personal data and public data not opened by law.

Data Exchange Agencies

Both Shanghai and Shenzhen encourage the establishment of data transaction service agencies, i.e., the institution of “Data Exchange”. In fact, the government-backed Shanghai Data Exchange has officially started business on November 25, 2021. In addition to providing venues and facilities for data trading, the Shanghai Data Exchange will also organize and supervise the data transaction. We noted that the Shenzhen government is also actively promoting the establishment of a Data Exchange institute, which will be announced in near future.

Facilitating Cross-border Data Transfer

Chinese national-level laws are generally open to the cross-border data transfers, but it is unclear as to what data can be transferred outside of China. The ambiguity leaves law enforcement agencies with a possibility of selective enforcement and creates uncertainty for business operators.

To address this issue, Shanghai Regulations proposed a “low-risk cross-border data catalog” to inform companies what datasets are allowed to be exported. Once it is published, the catalog may help businesses in designing their data processing solutions. Unfortunately, the Shenzhen Regulations do not have specific provisions on cross-border data transfers.

Sharing and Utilization of Public Data

Both regulations provide for the sharing and utilization of public (government) data at a large length. For example, the regulations confirm that data controlled by government agencies should be shared between each other as a principle. Besides, Shanghai Regulations specifically provide penalties for government departments and their personnel who neglect to compile a public data catalog (to facilitate the sharing of data).

Companies who offer data processing services to government agencies should hire data lawyers to analyze the local data regulations and monitor their implementation, so that they can tailor their business and compliance strategies.

Protection of Personal Information

The Shenzhen Regulations contain a few provisions detailing the obligations of data controllers during their course of collection, processing, and use of personal information. These obligations are generally consistent with the provisions of China’s Personal Information Protection Law, but more detailed for certain specific data processing practices. For example, except for the listed exceptions, companies are required to de-identify the personal data they collected before sharing same. Also, data controllers should store the de-identified data separately from the original data. Moreover, Shenzhen Regulations provide further requirements over information security issues.

The Shanghai Regulations also have numerous provisions on personal information protection. These provisions address issues like surveillance systems in public areas, automated decision-making systems and biometric information.

*    *    *    *    *

Author: Dr. Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP). Dr. Dong is also a member of the steering committee for Digital Asia Hub, a non-profit think tank collaborating leading scholars and practioners of digital society in Asia.

This communication is provided as a service to FuJae Partners’ clients and contacts. It is intended for informational purposes only. It is not intended to create an attorney-client relationship or to constitute any form of advertisement.

Please contact Donnie Dong,, or visit our website,, to view other contents.