Chi­na has giv­en the start­ing sig­nal! The race for data econ­o­my is on!

Prof. Dr Den­nis Kip­ker – Pho­to: Jas­min Lindenthal

From a Chi­nese per­spec­tive, data is a pro­duc­tion fac­tor on par with land, labour and cap­i­tal. Shang­hai’s first data exchange is one of the ear­li­est exam­ples of this new pro­duc­tion fac­tor being imple­ment­ed. It aims at mak­ing the col­lec­tion and sale of data trans­par­ent and at enabling com­pa­nies which col­lect data to max­i­mize the val­ue and pro­duc­tiv­i­ty of their busi­ness. The goal is to put data in the hands of entre­pre­neurs who can use it most effi­cient­ly – just as West­ern stock and bond mar­kets allo­cate sav­ings to the com­pa­nies that can gen­er­ate the high­est risk-adjust­ed returns. Since arti­fi­cial intel­li­gence (AI) is the engine of the fourth indus­tri­al rev­o­lu­tion, data is its fuel. Will there soon be a data exchange in Europe so that the EU can keep up in the ​​field of AI?

In the lat­est of her Duet inter­views, Dr Cal­daro­la, author of Big Data and Law, and IT-Expert Prof. Dr Den­nis-Ken­ji Kip­ker talk about the new data com­merce in Shanghai’s data exchange.

Chi­na opened its first data exchange on Novem­ber 26, 2021. What is it exact­ly and how does it work? What oppor­tu­ni­ties and chal­lenges are involved in this ven­ture? Are per­son­al data and non-per­son­al data being trad­ed there?

Prof. Dr Den­nis-Ken­ji Kip­ker: The Peo­ple’s Repub­lic of Chi­na has been work­ing on a uni­form data strat­e­gy for sev­er­al years now, and the estab­lish­ment of the first Chi­nese data exchange rep­re­sents the cul­mi­na­tion of this devel­op­ment. In par­tic­u­lar, the Data Secu­ri­ty Law and the Per­son­al Infor­ma­tion Pro­tec­tion Law have togeth­er cre­at­ed an appro­pri­ate legal frame­work to facil­i­tate the exchange of data through cen­tral­ized reg­u­la­tions. Numer­ous data prod­ucts from a wide range of cat­e­gories that offer data-inten­sive ser­vices are being trad­ed on the Shang­hai Data Exchange. The finan­cial sec­tor is affect­ed, for exam­ple, as are the com­mu­ni­ca­tions and trans­porta­tion sec­tors. What is unique is that all data trans­ac­tions take place in real time which is intend­ed to ensure max­i­mum data trans­paren­cy and trace­abil­i­ty. The con­cept of data being trad­ed on a data exchange has been broad­ly defined so per­son­al as well as non-per­son­al data can be involved. And the goal of the data exchange is quite sim­ple: Ulti­mate­ly, it is not just about gen­er­at­ing added val­ue in eco­nom­ic terms through the broad­est pos­si­ble use of data across all sec­tors. First and fore­most, the aim is to cre­ate new inno­va­tions, increase effi­cien­cy, devel­op new tech­nolo­gies and busi­ness mod­els, and, in this way, use the data as fuel for Chi­na’s eco­nom­ic devel­op­ment. One need only think of the reg­u­la­tion of autonomous traf­fic, the opti­miza­tion of com­mu­ni­ca­tions infra­struc­ture, or ques­tions of hous­ing plan­ning and envi­ron­men­tal pro­tec­tion. The chal­lenges and goals are manifold.

Are cor­re­spond­ing data exchanges to be expect­ed in the EU, the USA or in oth­er locations?

In the USA, a mod­el for mon­e­tiz­ing per­son­al data has been under dis­cus­sion for quite some time. Strict­ly speak­ing, the debate about the mon­e­ti­za­tion of per­son­al data in Amer­i­ca began even before the cor­re­spond­ing devel­op­ments in Chi­na and the EU that we are cur­rent­ly wit­ness­ing. And it is cer­tain that the EU will fol­low suit when it comes to data use – if only to avoid los­ing the eco­nom­ic con­nec­tion and to offer com­pa­nies the oppor­tu­ni­ty to remain competitive.

My opin­ion is:

„The race for data has recent­ly start­ed, and those who do not begin to address the issue will even­tu­al­ly lose out, and not just in eco­nom­ic terms.”

Prof. Dr Den­nis-Ken­ji Kipker

After all, the han­dling of non-per­son­al data in par­tic­u­lar has been pos­i­tive­ly neglect­ed in recent years, where­as the reg­u­la­tion of per­son­al data, in con­trast, seems to be omnipresent in the EU and presents com­pa­nies with con­sid­er­able chal­lenges in a transna­tion­al con­text. Even if we can­not assume that we will imme­di­ate­ly get a data exchange of Chi­nese pro­por­tions in the EU, the course is nev­er­the­less already being set for an even more dig­i­tized Euro­pean sin­gle mar­ket as part of the Euro­pean dig­i­tal strat­e­gy. The legal devel­op­ments sur­round­ing the Data Act and the Data Gov­er­nance Act clear­ly demon­strate this quite clear­ly. With the new EU data leg­is­la­tion, the Com­mis­sion wants to pro­mote a fair and com­pet­i­tive Euro­pean data mar­ket and make new dig­i­tal inno­va­tions fea­si­ble. The core ele­ments here are con­sumers and com­pa­nies, and this is where we also clear­ly dif­fer from the Chi­nese data mar­ket, which clear­ly focus­es on com­pa­nies, the state and thus the com­mon good. For exam­ple, the Data Act explic­it­ly stip­u­lates that con­sumers and com­pa­nies have access to the data gen­er­at­ed by devices. Con­se­quent­ly, it is also a mat­ter of ensur­ing that I, as a con­sumer, am not mere­ly reduced to the sta­tus of an object of dig­i­tal infor­ma­tion gen­er­a­tion, but can exer­cise my own rights of co-deter­mi­na­tion. A posi­tion that will also be the guid­ing prin­ci­ple for the dig­i­tal trans­for­ma­tion in this new decade. Europe is cur­rent­ly under­go­ing a trans­for­ma­tion process toward a com­pre­hen­sive and ubiq­ui­tous dig­i­tal society.

Fur­ther­more, I am more than cer­tain that, for eco­nom­ic rea­sons alone, coun­tries around the world will fol­low suit. The race for data has recent­ly begun, and those who do not begin to address the issue now will soon­er or lat­er lose out- and not just in eco­nom­ic terms.

Data can be copied at lit­tle expense and can be used simul­ta­ne­ous­ly by dif­fer­ent data con­sumers with­out affect­ing the use of still oth­er data con­sumers so they are not rivals. Are only raw or orig­i­nal data being trad­ed or are processed data and data copies also includ­ed on Shang­hai’s data exchange? If a cus­tomer of the data exchange is “buy­ing” data at the Shang­hai Data exchange, does this set of data belong to the cus­tomer and can s/he then per­ceive the data as his or her prop­er­ty and thus enjoy all the legal priv­i­leges asso­ci­at­ed with own­er­ship? Under the GDPR, per­son­al data “belongs” to data sub­jects and tech­ni­cal data to device own­ers. Who is offer­ing the data on the Shang­hai Stock Exchange and who can buy it? Does China’s han­dling of stock data cor­re­spond to the legal under­stand­ing of the GDPR?

Data trad­ing in Shang­hai is not lim­it­ed to raw data sets alone, as all kinds of data types that offer eco­nom­ic or tech­ni­cal added val­ue are being trad­ed there, such as flight infor­ma­tion from Chi­na East­ern Air­lines or a wide vari­ety of data sets from the telecom­mu­ni­ca­tions network.

The trans­ac­tions are mon­i­tored by an expert com­mit­tee made up of mem­bers from the fields of com­pli­ance, finance, the data indus­try and data secu­ri­ty. More than 100 com­pa­nies have already par­tic­i­pat­ed in data trad­ing in Shang­hai, includ­ing for­eign com­pa­nies such as Price­wa­ter­house­C­oop­ers – access to Chi­nese data trad­ing by for­eign play­ers is thus basi­cal­ly in place.

How­ev­er, just because the data is now being trad­ed on a data exchange does not mean that all restric­tions are lift­ed for the user and s/he can do what­ev­er s/he wants with it. It is no coin­ci­dence that the Peo­ple’s Repub­lic of Chi­na is still one of the coun­tries with some of the strictest legal require­ments for data local­iza­tion in the world, and for­eign com­pa­nies are of course not exempt from these require­ments if they par­tic­i­pate in data trading.

This is espe­cial­ly the case when data is relat­ed to nation­al secu­ri­ty, which can be broad­ly inter­pret­ed, or involves the pro­cess­ing of infor­ma­tion about Chi­nese cit­i­zens. Even on the data exchange, it can there­fore be assumed that data with a cer­tain degree of abstrac­tion may then have a high­er val­ue in terms of its usabil­i­ty. Like­wise, it is cer­tain that spe­cial types of data will be exclud­ed from data trade because they affect fun­da­men­tal nation­al secu­ri­ty interests.

Despite all this, Chi­na of course does not offer a lev­el of data pro­tec­tion com­pa­ra­ble to the GDPR. This is sim­ply because there is a lack of cor­re­spond­ing con­sti­tu­tion­al guar­an­tees for data pro­tec­tion. Data pro­tec­tion in Chi­na should be viewed more in terms of align­ment with Euro­pean legal require­ments for the pur­pose of being able to open up new mar­kets as eas­i­ly as pos­si­ble in glob­al competition.

It is no coin­ci­dence that the Chi­nese state is large­ly exempt from the require­ments of Chi­nese data pro­tec­tion laws with regard to its data pro­cess­ing. In this respect, the actions of the data exchange in Shang­hai can­not be mea­sured against the require­ments of the GDPR.

Per­son­al data exists in a trade-off between infor­ma­tion­al self-deter­mi­na­tion (a per­son­al right) and a mon­e­tary asset because com­pa­nies want and need data in order to expand com­pet­i­tive­ly in the field of AI. Does Shang­hai’s Data stock Exchange only con­sid­er mon­e­tary aspects while dis­re­gard­ing per­son­al rights?

I would not go that far because, as described above, there is a cer­tain amount of data pro­tec­tion leg­is­la­tion in the Peo­ple’s Repub­lic of Chi­na – even if it is not com­pa­ra­ble to Euro­pean requirements.

Nev­er­the­less, it is quite clear that eco­nom­ic and nation­al devel­op­ments out­weigh the inter­ests of the indi­vid­ual in data pro­tec­tion – and data pro­tec­tion in Chi­na has not played a par­tic­u­lar­ly impor­tant role among pri­vate indi­vid­u­als and com­pa­nies in the past, as numer­ous pri­va­cy breach­es have proved.

This was also a rea­son for the Chi­nese state cre­at­ing a min­i­mum set of data pro­tec­tion require­ments. The fact is, how­ev­er, that Shang­hai’s Data Stock Exchange is not pri­mar­i­ly about all these indi­vid­ual inter­ests – nei­ther about cor­po­rate inter­ests in mon­e­tiz­ing data, nor about indi­vid­ual pro­tec­tion interests.

It is hoped that the state will gain con­sid­er­able advan­tages in inter­na­tion­al com­pe­ti­tion by offer­ing a broad­er access to use­ful datasets, and Chi­na is well on the way to doing so in a glob­al com­par­i­son, as the effec­tive­ness of indi­vid­ual pro­tec­tion reg­u­la­tions is clear­ly lim­it­ed. We in the Euro­pean Union will prob­a­bly have a much more dif­fi­cult time set­ting up a com­pa­ra­ble mod­el of such an unlim­it­ed data exchange plat­form – and not only for legal rea­sons – because the mon­e­ti­za­tion of our data still seems rel­a­tive­ly for­eign to us in here.

If data can be the sub­ject of mutu­al con­tracts in the EU – as pro­posed by the EU direc­tives for trade of dig­i­tal ser­vices and dig­i­tal goods – is then data itself as prop­er­ty being trad­ed on a Euro­pean data exchange or is then con­sent for a usage per­mit being trad­ed? Accord­ing to the GDPR, the use of data must be linked to a pur­pose and a legal ground that must exist before actu­al use can begin. How would these require­ments be tak­en into account? How would oth­er con­di­tions be con­sid­ered, such as revo­ca­tion or dele­tion, if the legal ground no longer applies etc.?

This is pre­cise­ly the prob­lem in inter­na­tion­al com­pe­ti­tion that I addressed in the pre­vi­ous ques­tion: We in the EU have high­er data pro­tec­tion require­ments, which of course restrict us in our use of data com­pared to oth­er for­eign play­ers. Nonethe­less, the new dig­i­tal laws have def­i­nite­ly opened a path toward data trad­ing. Here, how­ev­er, it is not just a mat­ter of the leg­is­la­tor, but also of how prac­ti­ca­ble the new pro­pos­als actu­al­ly prove to be and whether they are accept­ed by con­sumers and com­pa­nies. There are sev­er­al dig­i­ti­za­tion projects in the EU that have not nec­es­sar­i­ly gone as polit­i­cal­ly envisioned.

But that is also fit­ting because here in the EU, most peo­ple could not be expect­ed to have their data mon­e­tized with­out lim­it for eco­nom­ic pur­pos­es and trad­ed on a data exchange with­out any rights whatsoever.

How­ev­er, a Euro­pean data exchange must also com­ply with Euro­pean laws. Inso­far as per­son­al data is being col­lect­ed by the trade, this also inevitably includes the GDPR. The EU Com­mis­sion com­mu­ni­cat­ed this clear­ly when it pre­sent­ed the Data Act. Nev­er­the­less, we also have com­pre­hen­sive reg­u­la­tions for non-per­son­al data and should there­fore not be guid­ed sole­ly by data pro­tec­tion law in the dis­cus­sion about an EU data exchange. Of course, we run into seri­ous prob­lems when non-per­son­al data is ini­tial­ly being freely trad­ed and it sub­se­quent­ly turns out that at least parts of it are per­son­al after all. We all know that in the age of AI and data ware­hous­ing, it is no longer tech­ni­cal­ly pos­si­ble to guar­an­tee absolute and unlim­it­ed anonymi­ty. From a data pro­tec­tion per­spec­tive, there­fore, there is an oblig­a­tion for those respon­si­ble for data pro­cess­ing to include the risks of such de-anonymiza­tion from the out­set, inso­far as data sets are being trad­ed. Pos­si­ble solu­tions would then be a par­tial block­ing of data sets, or explic­it­ly obtain­ing con­sent for fur­ther pro­cess­ing against pay­ment of an addi­tion­al fee. How­ev­er, the dis­cus­sion is still in its infan­cy and many prob­lems will cer­tain­ly arise at a lat­er date.

It is impor­tant that in the future we sen­si­bly lay­er but also define risk class­es of data that will be trad­ed on such a data exchange. After all, unlike data trad­ing in Chi­na, we def­i­nite­ly require the accep­tance of Euro­pean cit­i­zens and eco­nom­ic oper­a­tors, which is a good thing. Not every cat­e­go­ry of data can and should be trad­ed at any price. Ulti­mate­ly, it will also only be pos­si­ble to build user trust where the nec­es­sary trans­paren­cy and legal cer­tain­ty exist to gen­er­ate com­pre­hen­sive and con­sis­tent data sets.

And if peo­ple see added val­ue for them­selves or their com­mu­ni­ty, they are quite will­ing to share their data. This was clear­ly illus­trat­ed dur­ing the recent pan­dem­ic. In this respect, I would not con­sid­er the data pro­tec­tion-relat­ed rights guar­an­teed by the GDPR to be an obsta­cle because it has been pos­si­ble to devel­op a rea­son­able and glob­al­ly com­pet­i­tive dig­i­tal econ­o­my in the Euro­pean Union with­out hav­ing to make any sig­nif­i­cant cuts to data protection.

While it has long been a dream to build up our own data econ­o­my here in Europe, that dream also requires us to legal­ize data use in a way that active­ly involves cit­i­zens as con­sumers. This con­di­tion is also a very impor­tant and cen­tral ele­ment because reg­u­la­tion is still the key to pub­lic trust. With the new legal frame­work of the Euro­pean Union, we are sure­ly on the right track.

Prof. Kip­ker, thank you for shar­ing your insights in China’s new data stock.

Thank you, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with recog­nised experts, delv­ing even deep­er into this fas­ci­nat­ing topic.

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Prof. Dr Dennis Kipker

Prof. Dr Dennis-Kenji Kipker studied law and computer science at the University of Bremen. Due to his expertise in computer programming, Professor Kipker became involved with digitalization and technology assessment issues at an early stage in his career. He is a professor for security and law in Bremen and is also a member of the Board of the European Academy for Freedom of Information and Data Protection (EAID) in Berlin. In addition, Prof. Dr Kipker is a Legal Advisor for the Association for Electrical, Electronic & Information Technologies (VDE) in Frankfurt am Main.

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.