ALB Legal Guide to the Greater Bay Area 2024

CHAPTER 2

At present, accounting institutions still have different interpretations of how to enter data into financial statements, but comparison and summary suggest that the primary premise of the technical process of turning data into an asset (data assetization) is the “legal holding or control of data resources by enterprises”, that is, confirming enterprises’ ownership of specific data resources. Although laws have not yet determined the nature of rights and interests in data, the “20 Opinions on Data” has creatively proposed the structural design of separation of three rights based on the characteristics of data factors. Based on this design idea and from the perspective of legal structure, the confirmation of rights is to answer the following question: What right and interest over what data is owned by whom by what means?

1. Compliance demonstrates the qualifications of subjects of data rights and interests

First of all, different qualification requirements apply to subjects who have the right to process different data due to data security, industry management standards and other factors. For example, a subject collecting specific public data should be subject to the requirements of the Guidelines of the State Council on Strengthening the Development of Digital Government to “apply one standard to one piece of data from one source to realize the inventory management of data resources”. Since public management subjects are restricted from independently collecting data, the data they have the right to collect by virtue of their administrative functions differ from the data to be used in the performance of their functions. For instance, public security organs generally have no right to independently collect citizens’ bank account information, and if needed for case handling, they usually retrieve such information from the People’s Bank of China and other institutions through the interactive management system.
Furthermore, considering that a subject having the right to hold data also takes responsibility for data security, it is subject to different requirements for data security, network security and information security management capabilities, such as the qualification requirements set forth in the Regulations on Protecting the Security of Critical Information Infrastructure, the Guidelines on the Classification of Security Protection Level of Information Computer Systems and other applicable laws and regulations as well as technical norms.

From the perspective of entry into financial statements as a result of confirmation of rights of data, the asset value of data resources can be recognized on the premise that “data resources have been transformed by enterprises into real economic benefits”. In other words, the confirmation of rights will not be initiated until data are both held and applied, while merely holding data is just a state of fact. The application of data requires not only static qualifications but also dynamic and circulating data governance and management capabilities to be established by enterprises. Nowadays, many certifications are used to demonstrate this dynamic capability of circulation and application, and together with the original static proof of legal origin, are used to answer the question “what right and interest over what data is owned by whom by what means”.

2. Compliance defines the scope of rights and interests according to objects of rights and interests

From the angle of the structure of separation of three rights, however, the question “what right and interest over what data” cannot be answered completely only through the proof of the subject’s qualifications. Based on the sources of data confirmed by subject qualification, we can indeed define the boundaries of specific rights and interests, such as authorized storage, purchase and processing, and authorized operation.
For example, when selecting cooperative partners for research and development of human genetic information, we may have to consider excluding foreign-controlled companies. In consideration of differences in objects of rights and interests, the realization process of data value will be further limited. For example, data above the important level that is used for outbound application requires prior approval and strict security compliance management, leading to higher marketization costs. From a legal point of view, compliance governance must be conducted in a targeted way depending on different data, that is, data classification and grading.

In short, compliance is the key to turning data resources into assets. Only when compliance is ensured can subjects meet the qualification requirements of specific data resources and have the ability to promote the application of such resources, and can the results of application be legally recognized and have realizable value.

• Example: A subject has the right only to hold, process and use a specific data resource, but not to operate and trade it. It is found upon subsequent analysis that the subject has the right to operate the new data product formed after processing the original data resource, which may be circulated through the confirmation of rights as above.

III. COMPLIANCE PROTECTS TRANSACTION: HELPING REALIZE THE ASSET VALUE OF DATA

At the end of 2022, the State Council of China issued the Notice on Issuing the Overall Plan for the Comprehensive Pilot Reform of Market-oriented Allocation of Factors which states that “by 2025, the pilot task will be basically finished, and the reform of market-oriented allocation of factors will achieve marked results, setting an important example for improving the national factor market system”.
According to the Notice, more governments at all levels and enterprises should shift their focus from “data popularity” to “data GDP” and “data KPI”, and should begin to prepare for official entry into the data factor market.

How to prepare? As with all property rights, confirmation of rights is just a starting point towards circulation in the market and value realization. In the above technical process of turning data into an asset, in addition to confirming the rights of data, it is also required that “economic benefits associated with the data resources are likely to flow into enterprises, and the cost or value of the data resources can be reliably measured”. The most intuitive path to this end is to turn data resources into products and put them into the market.

Obviously, data circulation is closely associated with data assetization. The change from the sporadic, auxiliary data transactions of the past, or those in the grey zone whose process and outcome were difficult to prove legitimate, to regular, independent and legally recognized ones is a key step in promoting the transformation of the potential value and use value of data into real value and market value. Therefore, paying attention to data transaction rules and participating in the transactions of data exchanges have become the first choice for most market players to understand how to turn data factors into assets and realize the value of trial operation data in the asset market.

At present, local data exchanges apply different review standards, and have their own characteristics in terms of depth of review, ecological infrastructure of transactions, and supervision approaches taken by local governments for different rights and interests in the reform of data factor transaction. Data compliance, however, remains an essential element of review by data exchanges.
They conduct legal and technical reviews of the sellers and buyers of products available in the market, the source of data, product form, transaction scenario and purpose, transaction mode and path of delivery. Some of them even request a risk assessment of the transaction scenario application. For some special data and scenarios, additional documents such as a data protection impact assessment (DPIA) report or a legal risk impact assessment report are required. It is not hard to see that data exchanges take confirmation of rights and compliance as the starting point of review, and put forward dynamic compliance requirements for scenario, delivery and other aspects involved in transactions. Therefore, it is fair to say that compliance runs through the whole course of a transaction.

• Example: A data product involving personal information can eventually enter the market in compliance by demonstrating the legitimacy of its source of data and usage scenario and setting qualification requirements for the buyer.

From the national policy layout and the construction of the system of laws and regulations to the supervision paths of the data factor market in all links, and taking into consideration the asset characteristics of data factors and the national structural design of separation of three rights for data, it can be seen that compliance is a baseline running through the governance and development of the whole data factor market, and is also an inevitable way for data factors to connect with real industry governance and play their positive role.

In a word: Compliance empowers data and supports data assetization.
