On April 25, 2023, the state-backed Guiyang Big Data Exchange (GYDE) announced that it has facilitated and supervised the unprecedented floor trading of personal data in China. To date, no provisions have been put in place to specifically address the compliance requirements for data sales at the national level. With this context and the vague language of the trading frame of GYDE, this case will greatly inspire other market players who intend to be engaged in data sales involving personal data in China.

Below we briefly discuss the key facts of this unprecedented case, in light of relevant GYDE trading rules.

How does GYDE frame the data sales

Entities, either as a data vendor or data buyer, should register with GYDE and completed the compliance review by GYDE to launch and trade data products, data services, algorithm resources, and algorithm tools on GYDE. GYDE will closely consider if the entity implements any compliance control over data processing and organizational data security management, that is commensurate with the intended data trading on GYDE.

    • What data has been sold by Hao Huo on GYDE?

Hao Huo (Guizhou) Network Technology Co. Ltd. (“Hao Huo”) operates a job-matching platform driven by digital technologies like big data, cloud computing and blockchain. Through Hao Huo’s platform, users can discover job vacancies/labor demands, and contract with the relevant employers. In addition to the positions already posted on Hao Huo’s platform, users may select to upload their personal resumes and authorize Hao Huo to further market and sell their resumes to potential employers. Such users will gain a share of Hao Huo’s revenue from those potential employers.

Hao Huo’s data product launched on GYDE is developed based on these personal resumes. While, as noted by GYDE, the data product sold by Hao Huo on GYDE is not the original personal resumes, but rather the privacy computing results of these raw personal resumes.

    • What is the legal basis for Hao Huo to sell data?

Following our review of Hao Huo’s job-matching platform, we note that Hao Huo sets up a separate consent checkbox for seeking users’ consent on Hao Huo’s collection and provision of their personal resumes (including the information generated therefrom) to appropriate employers for a fee based on their users’ backgrounds. Prior to offering this consent, Hao Huo requests the users to go through a separate notification, namely the Agreement for Determining the Ownership of Personal Information, which specified that (1) the users own the property right towards their personal data and resume, (2) users can withdraw their consent to Hao Huo at any time (e.g. delete the personal resume or turn off the function of relevant devices) to restrict further processing by Hao Huo, and (3) Hao Huo commits to sharing a portion of profits from the sale of data based on users’ personal resume.

Based on the foregoing, it appears that Hao Huo has obtained consent for its processing and external provision of users’ personal resumes and the derived data.

    • What is the procedure to sell data in GYDE?

In addition to the registration and compliance review of data vendor/buyer as discussed at the beginning, the data vendor needs to apply for the third-party compliance review on their data products prior to the listing on GYDE. A compliance review on the specific transaction will be further implicated at the time when the data buyer reaches the cooperation intention with the data vendor, which will focus on the trading purpose, national security concerns, as well as the key terms of the contractual agreements between the parties. GYDE will monitor the performance of the data trading agreement and deal with the considerable security incidents that may affect the national/social interests and/or legitimate interests of other individuals.

As disclosed by GYDE, a local law firm (as certified by GYDE) performed the third-party compliance review over Hao Huo’s data product, Hao Huo’s data product derived from personal resumes meets the requirement under applicable laws and regulations, in terms of privacy protection, data security, and general compliance. Specifically, the responsible person of this law firm confirmed that Hao Huo’s data product is collected and processed based on legal grounds and is eligible for subsequent trading on GYDE.

    • Where did Hao Huo’s data product destinate to and any onward transfer?

As part of the third-party compliance review on data products, GYDE requires the data vendor to lay out and restrict the application scenario of its data product (e.g. for facilitating the job-matching service in the current case). Following this restriction from the data vendor’s side, GYDE further prohibits the onward transfer/share of data products by data buyers, unless they create new data products above and beyond the original data product (not raw data) they bought from the data vendor.

As outlined by GYDE, employers (unspecified) reached cooperation intention with Hao Huo through GYDE and purchased Hao Huo’s data product under the supervision of GYDE, which also helped transfer the employer’s payment to Hao Huo.

Lessons from GYDE’s trading rules for the data trading in China

Notably, the trading rules by GYDE have been built into several local legislations in terms of data sales, and reflect the key concerns of applicable PRC data protection laws in force. Entities that intend to trade data products in China are suggested to refer to GYDE’s data trading rules and procedures, especially those outlined below, to better understand the key control points:

    • The legal grounds for the provision of the data product should be evaluated: for example, if the data involved is authorized and consent by relevant data subjects for trading (individuals/entities) through any written forms? Or, if the data involved is collected from public resources in a lawful manner and within the reasonable use scope? Important data is tradable: although the coverage of the important data is not specified by PRC authorities, it is tradable but shall complete the risk assessment and obtain approval from competent authority prior to any specific trading.

    • The traded data shall be generated from the data vendor’s special processing and has gained new value beyond and above the original data.

    • The data product shall exclude (i) the direct identifier, sensitive, and private information, and the financial information of individuals, unless otherwise authorized; and (ii) the customer data and trade secret of enterprises, unless otherwise authorized, etc.

    • The traded data should be properly secured: e.g. necessary encryption; identity authentication mechanism; access control and monitoring mechanism; separate storage of identifier and de-identified personal data; specified purpose, scope, retention period and necessity for the use of data product if any information regarding government affairs/common resources and personal information involved; etc.

Looking Forward

China is accelerating the development of a comprehensive property rights regime over personal data. Several municipal governments formulated their draft data sales regulations following the framework of GYDE’s data sale rules. It is expected that the right to hold data, the right to process data and the right to operate data products would be separated to facilitate the data flow and promote the data economy in China.