From a Chinese perspective, data is a production factor on par with land, labour and capital. Shanghai’s first data exchange is one of the earliest examples of this new production factor being implemented. It aims at making the collection and sale of data transparent and at enabling companies which collect data to maximize the value and productivity of their business. The goal is to put data in the hands of entrepreneurs who can use it most efficiently – just as Western stock and bond markets allocate savings to the companies that can generate the highest risk-adjusted returns. Since artificial intelligence (AI) is the engine of the fourth industrial revolution, data is its fuel. Will there soon be a data exchange in Europe so that the EU can keep up in the field of AI?
In the latest of her Duet interviews, Dr Caldarola, author of Big Data and Law, and IT-Expert Prof. Dr Dennis-Kenji Kipker talk about the new data commerce in Shanghai’s data exchange.
China opened its first data exchange on November 26, 2021. What is it exactly and how does it work? What opportunities and challenges are involved in this venture? Are personal data and non-personal data being traded there?
Prof. Dr Dennis-Kenji Kipker: The People’s Republic of China has been working on a uniform data strategy for several years now, and the establishment of the first Chinese data exchange represents the culmination of this development. In particular, the Data Security Law and the Personal Information Protection Law have together created an appropriate legal framework to facilitate the exchange of data through centralized regulations. Numerous data products from a wide range of categories that offer data-intensive services are being traded on the Shanghai Data Exchange. The financial sector is affected, for example, as are the communications and transportation sectors. What is unique is that all data transactions take place in real time which is intended to ensure maximum data transparency and traceability. The concept of data being traded on a data exchange has been broadly defined so personal as well as non-personal data can be involved. And the goal of the data exchange is quite simple: Ultimately, it is not just about generating added value in economic terms through the broadest possible use of data across all sectors. First and foremost, the aim is to create new innovations, increase efficiency, develop new technologies and business models, and, in this way, use the data as fuel for China’s economic development. One need only think of the regulation of autonomous traffic, the optimization of communications infrastructure, or questions of housing planning and environmental protection. The challenges and goals are manifold.
Are corresponding data exchanges to be expected in the EU, the USA or in other locations?
In the USA, a model for monetizing personal data has been under discussion for quite some time. Strictly speaking, the debate about the monetization of personal data in America began even before the corresponding developments in China and the EU that we are currently witnessing. And it is certain that the EU will follow suit when it comes to data use – if only to avoid losing the economic connection and to offer companies the opportunity to remain competitive.
My opinion is:
Prof. Dr Dennis-Kenji Kipker
„The race for data has recently started, and those who do not begin to address the issue will eventually lose out, and not just in economic terms.”
After all, the handling of non-personal data in particular has been positively neglected in recent years, whereas the regulation of personal data, in contrast, seems to be omnipresent in the EU and presents companies with considerable challenges in a transnational context. Even if we cannot assume that we will immediately get a data exchange of Chinese proportions in the EU, the course is nevertheless already being set for an even more digitized European single market as part of the European digital strategy. The legal developments surrounding the Data Act and the Data Governance Act clearly demonstrate this quite clearly. With the new EU data legislation, the Commission wants to promote a fair and competitive European data market and make new digital innovations feasible. The core elements here are consumers and companies, and this is where we also clearly differ from the Chinese data market, which clearly focuses on companies, the state and thus the common good. For example, the Data Act explicitly stipulates that consumers and companies have access to the data generated by devices. Consequently, it is also a matter of ensuring that I, as a consumer, am not merely reduced to the status of an object of digital information generation, but can exercise my own rights of co-determination. A position that will also be the guiding principle for the digital transformation in this new decade. Europe is currently undergoing a transformation process toward a comprehensive and ubiquitous digital society.
Furthermore, I am more than certain that, for economic reasons alone, countries around the world will follow suit. The race for data has recently begun, and those who do not begin to address the issue now will sooner or later lose out- and not just in economic terms.
Data can be copied at little expense and can be used simultaneously by different data consumers without affecting the use of still other data consumers so they are not rivals. Are only raw or original data being traded or are processed data and data copies also included on Shanghai’s data exchange? If a customer of the data exchange is “buying” data at the Shanghai Data exchange, does this set of data belong to the customer and can s/he then perceive the data as his or her property and thus enjoy all the legal privileges associated with ownership? Under the GDPR, personal data “belongs” to data subjects and technical data to device owners. Who is offering the data on the Shanghai Stock Exchange and who can buy it? Does China’s handling of stock data correspond to the legal understanding of the GDPR?
Data trading in Shanghai is not limited to raw data sets alone, as all kinds of data types that offer economic or technical added value are being traded there, such as flight information from China Eastern Airlines or a wide variety of data sets from the telecommunications network.
The transactions are monitored by an expert committee made up of members from the fields of compliance, finance, the data industry and data security. More than 100 companies have already participated in data trading in Shanghai, including foreign companies such as PricewaterhouseCoopers – access to Chinese data trading by foreign players is thus basically in place.
However, just because the data is now being traded on a data exchange does not mean that all restrictions are lifted for the user and s/he can do whatever s/he wants with it. It is no coincidence that the People’s Republic of China is still one of the countries with some of the strictest legal requirements for data localization in the world, and foreign companies are of course not exempt from these requirements if they participate in data trading.
This is especially the case when data is related to national security, which can be broadly interpreted, or involves the processing of information about Chinese citizens. Even on the data exchange, it can therefore be assumed that data with a certain degree of abstraction may then have a higher value in terms of its usability. Likewise, it is certain that special types of data will be excluded from data trade because they affect fundamental national security interests.
Despite all this, China of course does not offer a level of data protection comparable to the GDPR. This is simply because there is a lack of corresponding constitutional guarantees for data protection. Data protection in China should be viewed more in terms of alignment with European legal requirements for the purpose of being able to open up new markets as easily as possible in global competition.
It is no coincidence that the Chinese state is largely exempt from the requirements of Chinese data protection laws with regard to its data processing. In this respect, the actions of the data exchange in Shanghai cannot be measured against the requirements of the GDPR.
Personal data exists in a trade-off between informational self-determination (a personal right) and a monetary asset because companies want and need data in order to expand competitively in the field of AI. Does Shanghai’s Data stock Exchange only consider monetary aspects while disregarding personal rights?
I would not go that far because, as described above, there is a certain amount of data protection legislation in the People’s Republic of China – even if it is not comparable to European requirements.
Nevertheless, it is quite clear that economic and national developments outweigh the interests of the individual in data protection – and data protection in China has not played a particularly important role among private individuals and companies in the past, as numerous privacy breaches have proved.
This was also a reason for the Chinese state creating a minimum set of data protection requirements. The fact is, however, that Shanghai’s Data Stock Exchange is not primarily about all these individual interests – neither about corporate interests in monetizing data, nor about individual protection interests.
It is hoped that the state will gain considerable advantages in international competition by offering a broader access to useful datasets, and China is well on the way to doing so in a global comparison, as the effectiveness of individual protection regulations is clearly limited. We in the European Union will probably have a much more difficult time setting up a comparable model of such an unlimited data exchange platform – and not only for legal reasons – because the monetization of our data still seems relatively foreign to us in here.
If data can be the subject of mutual contracts in the EU – as proposed by the EU directives for trade of digital services and digital goods – is then data itself as property being traded on a European data exchange or is then consent for a usage permit being traded? According to the GDPR, the use of data must be linked to a purpose and a legal ground that must exist before actual use can begin. How would these requirements be taken into account? How would other conditions be considered, such as revocation or deletion, if the legal ground no longer applies etc.?
This is precisely the problem in international competition that I addressed in the previous question: We in the EU have higher data protection requirements, which of course restrict us in our use of data compared to other foreign players. Nonetheless, the new digital laws have definitely opened a path toward data trading. Here, however, it is not just a matter of the legislator, but also of how practicable the new proposals actually prove to be and whether they are accepted by consumers and companies. There are several digitization projects in the EU that have not necessarily gone as politically envisioned.
But that is also fitting because here in the EU, most people could not be expected to have their data monetized without limit for economic purposes and traded on a data exchange without any rights whatsoever.
However, a European data exchange must also comply with European laws. Insofar as personal data is being collected by the trade, this also inevitably includes the GDPR. The EU Commission communicated this clearly when it presented the Data Act. Nevertheless, we also have comprehensive regulations for non-personal data and should therefore not be guided solely by data protection law in the discussion about an EU data exchange. Of course, we run into serious problems when non-personal data is initially being freely traded and it subsequently turns out that at least parts of it are personal after all. We all know that in the age of AI and data warehousing, it is no longer technically possible to guarantee absolute and unlimited anonymity. From a data protection perspective, therefore, there is an obligation for those responsible for data processing to include the risks of such de-anonymization from the outset, insofar as data sets are being traded. Possible solutions would then be a partial blocking of data sets, or explicitly obtaining consent for further processing against payment of an additional fee. However, the discussion is still in its infancy and many problems will certainly arise at a later date.
It is important that in the future we sensibly layer but also define risk classes of data that will be traded on such a data exchange. After all, unlike data trading in China, we definitely require the acceptance of European citizens and economic operators, which is a good thing. Not every category of data can and should be traded at any price. Ultimately, it will also only be possible to build user trust where the necessary transparency and legal certainty exist to generate comprehensive and consistent data sets.
And if people see added value for themselves or their community, they are quite willing to share their data. This was clearly illustrated during the recent pandemic. In this respect, I would not consider the data protection-related rights guaranteed by the GDPR to be an obstacle because it has been possible to develop a reasonable and globally competitive digital economy in the European Union without having to make any significant cuts to data protection.
While it has long been a dream to build up our own data economy here in Europe, that dream also requires us to legalize data use in a way that actively involves citizens as consumers. This condition is also a very important and central element because regulation is still the key to public trust. With the new legal framework of the European Union, we are surely on the right track.
Prof. Kipker, thank you for sharing your insights in China’s new data stock.
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognised experts, delving even deeper into this fascinating topic.