International Open Access Journal Platform

Against the backdrop of the digital economy becoming a new engine for global economic growth, the value of data as a key factor of production is increasingly prominent. According to the Digital China Development Report (2023), China’s total data volume reached 32.85 zettabytes (ZB) in 2023, up 22.44 percent year on year, with cumulative data storage volume reaching 1.73 zettabytes (ZB) (National Data Administration, 2024). However, from both theoretical and operational perspectives, conflicts persist in data rights protection mechanisms. Traditional mechanisms can no longer meet the unique requirements of data. For instance, in areas such as data anonymization, openness, and the complexity of infringement proceedings, traditional tort law cannot fully cover privacy interests inherent in data. Meanwhile, as data involves the interests of individuals, enterprises, and the state, existing rules for protecting personality rights cannot effectively safeguard data as a new type of right, and the protection of personal rights may inadvertently hinder the circulation value of data.

This study focuses on the reconstruction of the underlying logic of the digital age, attempting to penetrate the theoretical fog surrounding data rights. From the declaratory provisions on data property rights in the Civil Code of the People’s Republic of China (Civil Code) to the “rights-first” model of the European Union’s (EU) General Data Protection Regulation (GDPR), and the elastic, sector-specific self-regulation in the United States, the global landscape of data rule of law is undergoing rapid evolution. This paper proceeds from the juridical justification of data rights, analyzes their triple attributes of personality, property, and sovereignty, constructs a “share-control” balance mechanism, and explores a Chinese solution for data marketization. By clarifying the scope of objects, subject boundaries, and the system of rights content, this research aims to provide an innovative institutional path to resolve the predicament of data factor circulation, helping China secure a moral high ground in international rule-setting and building a legal foundation for the healthy development of the digital economy.

1 Normative Construction of Data Rights

Driven by the rapid advancement of 5G and Artificial Intelligence, society has transitioned into an intelligent era. The prosperity of the data industry has brought forth a series of discussions regarding data-related issues, which have become a new focus for academia and government sectors. To protect data, one must first clarify whether data can be linked to “rights”, which necessitates a specialized discussion on the juridical justification of data rights.

1.1 Basic Connotation of Data

1.1.1 Privacy, Personal Information and Data

The Civil Code stipulates the protection of the right to privacy. Article 1032 of the Civil Code stipulates that natural persons enjoy the right to privacy. No organization or individual may infringe upon the privacy rights of others by means of spying, harassment, disclosure, or publication. Privacy means the tranquility of a natural person’s private life and their private space, private activities, and private information that they do not wish others to know.

Violations of privacy include: disturbing another person’s private life through telephone, text message, email, etc.; photographing and spying on another person’s residence; and photographing, spying on, and processing another person’s private parts. The right to privacy is characterized by “secrecy” and “privacy”. Once disclosed, personal privacy becomes “non-disclosure”. Privacy and personal information, especially sensitive personal information, overlap. Personal information can be secret and non-public, or it can be open and public, such as educational background, contact information, and physical characteristics. Personal information emphasizes only “identifiability”, that is, whether the information can identify a specific individual. The Civil Code dedicates a chapter under the section on personality rights to specifically protect privacy and personal information rights. However, while the Civil Code treats data as an object of property rights, it only provides brief provisions for data protection within the section on property rights. Anonymization refers to processing that makes personal information non-identifiable and non-restorable. Both the inability to identify and the inability to restore are indispensable. Data includes both personal information and non-personal data. Anonymization is an important method to convert personal information into non-personal data, but it is not a prerequisite for data rights. The key distinction lies in identifiability, rather than a binary division between data and personal information.

1.1.2 Classification of Data

In today’s information-saturated world, data processing and analysis have become increasingly important. To manage these data resources more effectively, academia has carefully categorized data across different dimensions.

Data can be classified in various ways based on different criteria.

First, data collection can occur through various channels: for example, collecting user data directly from personal devices or online platforms; exchanging data with third-party partners; or even data from internal corporate systems. Therefore, based on the source of collection, data can be divided into personal information, enterprise data, and public data.

Second, data should be classified according to different dimensions rather than mixed within the same hierarchy. By importance level, data may be divided into general data, important data, and core data. By identifiability, data may be divided into personal information and non-personal data. Sensitive personal information belongs to a subcategory of personal information and should not be placed in the same classification hierarchy as important data. Such a distinction is more consistent with China’s legal framework on data classification and graded protection.

Finally, based on the different industry sectors from which the data originates, the data can be categorized into different sectors. For example, the financial industry might strictly separate transaction data from customer data, as these directly reflect consumers’ financial situations. At the same time, educational institutions might focus on students’ academic performance and behavioral patterns. This categorization helps regulatory agencies understand the data protection needs and challenges of different industries, thereby enabling the provision of more customized legal frameworks and guiding principles.

Through these different classification standards, we can not only more accurately identify the nature of the data and its protection needs, but also promote the flow and rational use of data while safeguarding the privacy rights of data subjects. This requires us to find a balance that ensures data security and privacy protection while allowing data to be used reasonably under the premise of protecting user rights, ultimately maximizing data value and improving overall social well-being.

1.2 Response of Current Laws to Data Entitlement

1.2.1 Provisions in Chinese Law

At present, a basic legislative system for data law has taken shape in China, centered on the Cybersecurity Law of the People’s Republic of China (CSL), the Data Security Law of the People’s Republic of China (DSL), and the Personal Information Protection Law of the People’s Republic of China (PIPL), supplemented by regulations such as the Provisions on the Regulations on Network Data Security Management (RNDM). At the foundational level, the CSL elevates data security to the level of a “national strategy” and imposes strict security-assurance obligations on operators. The DSL took the lead in establishing a “data classification and graded protection system”, defining key data and providing corresponding rules. The PIPL, on the basis of the principle of informed consent, grants individuals rights such as access, correction, and deletion, thereby strengthening personal control over information.

In addition, the Provisions on the RNDM further optimize the mechanism for cross-border data flows, clarify the obligation to declare important data, and prohibit obtaining user consent through misleading or fraudulent means. In the exploration of data-rights systems, concepts such as the structural separation of the data resource holding right, data processing and usage right, and data product operation right were proposed in the Opinions on Building Basic Data Systems to Better Give Play to the Role of Data Elements (the “Twenty Data Measures”), thereby breaking through the traditional ownership framework. Judicial practice has also regulated data scraping through the Anti-Unfair Competition Law of the People’s Republic of China (AUCL), thereby indirectly recognizing enterprises’ interests in data. With respect to cross-border flows and important data management, the Regulations integrate rules on outbound data security assessments and the filing of standard contracts, establish a special national working mechanism for outbound data security management, and clarify that data not listed as important data may be exempted from outbound assessment filing. At the same time, they require regions and industries to formulate catalogs of important data covering data related to national security, economic operation, and other fields, and require processors to conduct periodic risk assessments and submit reports.

Nevertheless, several problems remain in practice. First, although academic debate continues over the legal nature of data-related rights and interests—including the real-rights theory, the intellectual-property theory, and the new-type rights theory—Article 127 of the Civil Code already provides a foundational civil-law basis for the recognition and protection of data-related interests. The current difficulty lies not in the absence of legal support, but in the need for further clarification and concretization in legislation and practice. Second, data-related interests are protected through a systematic legal framework composed of the CSL, the DSL, the PIPL, and related regulations, which together define the boundaries of rights and obligations. Within this broader framework, the AUCL plays a supplementary role in addressing unfair data-related conduct. Third, tensions remain between data circulation and data security. Progress in formulating catalogs of important data has been uneven; some industries still lack sufficiently clear compliance standards, and technical rules on anonymization and related data-processing methods remain underdeveloped. Finally, emerging technologies continue to create new regulatory challenges. In particular, issues concerning the attribution and protection of interests in AI-generated outputs have become increasingly prominent. At the same time, existing legal rules remain insufficiently specific and judicial responses still rely heavily on traditional intellectual-property frameworks.

1.2.2 Foreign Legal Provisions

Data protection has long been an important field of study abroad, where relevant legislation emerged relatively early and has developed in a comparatively mature manner. Developed countries generally tend to adopt a rights-based model for data protection. Their legislation has gradually formed two distinct patterns: the EU model, which legislatively constructs data rights through a unified framework, and the U.S. model, which adopts a composite approach to the construction of data rights. These two models differ in many respects.

The European Union has established a unified regime for data protection and, through instruments such as the GDPR and the Regulation on the Free Flow of Non-Personal Data, provides differentiated protection for personal and non-personal data. In addition, the Regulation on Harmonised Rules on Fair Access to and Use of Data was adopted on 9 November 2023. It sets harmonized rules on fair access to and use of data, focusing on data utilization and sharing, rather than establishing a unified data rights protection framework. Together with the GDPR and related instruments, it contributes to the broader EU data governance framework. At the same time, the EU attaches great importance to personal data rights. EU legislation consistently adheres to the primacy of data rights and creates user data rights centered on individual control. From the Data Protection Directive to the GDPR and related regulations, it has continuously strengthened individuals’ control over and decision-making authority regarding their data, established principles such as purpose limitation and data minimization, ensured the security and confidentiality of personal data, and provided normative guidance to data processors so that data processing is carried out within a lawful framework.

The United States has not enacted a comprehensive nationwide data protection law; instead, it has established a framework for the protection of data rights through state legislation and sector-specific legislation. For the public sector, there are laws such as the Freedom of Information Act and the Privacy Act. For the private sector, different laws govern financial data, medical data, children’s privacy, and other fields, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act (COPPA). Individual states also have their own legislation on data rights, such as the California Consumer Privacy Act (CCPA), which provides targeted protection for data in different industries and fields. At the same time, the United States actively emphasizes guiding industry self-regulation so as to realize the free flow of information (Liu, 2018). Industries usually establish associations and standard-setting organizations, formulate industry standards and self-regulatory norms, build self-regulatory mechanisms and procedures, and adopt guidance documents such as codes of conduct or privacy standards. Enterprises and organizations also cooperate and share data-protection practices and experience, while consumers are guided to protect their own data, thereby promoting the circulation and use of data.

2 Necessity of Data Rights Protection

2.1 From the Individual Perspective

From an individual standpoint, safeguarding data rights serves as a fundamental prerequisite for protecting personal privacy and human dignity. In today’s digital era, personal information is widely collected, stored, and used. In the absence of effective protection of data rights, personal privacy may be disclosed and abused, leading to risks such as identity theft, nuisance calls, and targeted fraud. For example, once sensitive information such as an individual’s health data, financial condition, or movement trajectory is obtained by criminals, that person’s normal life may be seriously disrupted, and individuals may incur financial losses and psychological distress. Protecting data rights, therefore, helps prevent the exposure and abuse of personal privacy, safeguard individual dignity and autonomy, and enable individuals to enjoy the convenience brought by technology in the digital world without having to worry that their private lives will be excessively pried into or disturbed.

2.2 From the Enterprise Perspective

The protection of data rights also conforms to the needs of industrial development. Against the background of the vigorous development of the digital economy, data has become an important factor of production with enormous economic value. From the generation and collection of data to its processing and circulation, data has generated considerable economic benefits. For example, by analyzing users’ consumption data and browsing histories, Internet enterprises are able to implement targeted marketing strategies, improve the conversion rate of advertising placement, and thereby obtain substantial profits. At the same time, the reasonable use of data helps optimize products and services, promoting innovation and industrial upgrading. However, if data rights are not effectively protected, the willingness of enterprises and individuals to collect and use data may be undermined, because they may fear that their data assets will be infringed upon or that they may face legal risks. This would impede the healthy development of the data industry and suppress the vitality of the digital economy. Strengthening the protection of data rights and building a sound data-rights protection system helps clarify the ownership of and rules for using data, safeguard the legitimate rights and interests of data subjects, create a favorable environment for the innovative development of the data industry, and promote sustainable economic growth.

2.3 From the Social and National Perspective

From the social and national perspective, the protection of data rights is an important measure for safeguarding national security and social stability. With the widespread application of information technology, data has become an important basis for national governance and strategic decision-making. Critical information infrastructure and government data relate directly to national security and stability. If core data is attacked, leaked, or tampered with, the economy, social order, and national defense will be seriously affected. In addition, large-scale data breaches may cause social panic, undermine public trust in digital technology, and thereby affect social harmony and stability. Strengthening the protection of data rights can effectively prevent data-security risks, ensure the confidentiality, integrity, and availability of key national data, and safeguard long-term national stability and the normal functioning of society

3 Dilemmas and Challenges in the Protection of Data Rights

3.1 The Position on Whether Data Rights Can Exist as an Object of Rights Remains Unclear

At present, there are two principal views in academia. One holds that data itself is special: its special character lies in the fact that it depends on the existence of certain subjects and lacks independent economic value, while its intangibility also makes it difficult to determine whether data rights are truly independent. This is one reason why scholar Mei Xiaying argues that data rights cannot serve as the object of rights (Mei & Luo, 2019). Some scholars further contend that specific coding rules merely constrain data and should not be protected by legal means. Zhang Yang points out that enterprise-acquired data is highly complex, with this complexity reflected not only in the pluralization and decentralization of subjects, but also in the relative independence between object and subject; accordingly, there are certain problems in attempting to regulate enterprise data solely through the protection of personal data rights (Zhang, 2016).

In sharp contrast, another view holds that data can indeed serve as the object of rights. Data holders possess a certain degree of control over data, and processors also acquire their own interests after processing it. Because such processing can be regarded as labor expended on a particular object, those who perform that labor should receive certain entitlements—an argument grounded in the theory of labor-based empowerment. More scholars, however, treat data rights as rights that ought to receive active protection. Although data rights involve many factors concerning subjects and objects, they maintain that data rights are a compound form of rights (Wu, 2023), and this point should be affirmed. Some scholars even argue that data rights should be placed on an equal footing with property rights and intellectual property rights, receiving equal protection and being directly defined as “data rights”. Only by clearly defining the nature and attributes of data rights, they argue, can the boundaries among different rights be clarified and corresponding methods of protection be formulated.

3.2 The Tension Between the Protection of Data Rights and the Value of Data Circulation

Professor Mei Xiaying argues that, as a composite resource distinct from traditional rights, data itself contains a certain economic value. In contrast, traditional rights-protection mechanisms are difficult to match and urgently require the construction of a new protection mechanism—namely, the “sharing-control” theory (Mei, 2019). Professor Long Weiqiu points out that between the subjects and objects of enterprise data, there exists an interwoven and complex relationship, accompanied by a cluster of multiple functions. Whether enterprises can maximize data rights directly affects the development of the digital economy, while a single property-rights approach cannot adequately protect external coordination (Long, 2018). Since enterprise data can generate economic benefits only through circulation, it faces more complex dual coordination dilemmas at the structural and functional levels. To promote the flow of data elements in the market and stimulate their value, legislation must play a regulatory role so as to achieve a balance between the protection of rights and their utilization.

3.3 The Intertwined Separation of Data Rights, Personal Information Rights, and Intellectual Property Rights

Data rights, personal information rights, and intellectual property rights each embody distinct values and therefore should be treated separately. Given that the sources of data rights and personal information overlap, original data owners may not infringe on users’ private rights in the course of using data. That is, not only must they ensure users’ “confirmation +
consent”, but they must also facilitate users’ access to, use of, and disposition over their personal information. In the generation of derivative data, users’ information must moreover be de-identified. On this basis, Professor Ye Jiamin, from the perspective of data interests, proposes constructing citizens’ rights to know and rights of supervision concerning the use of data, thereby addressing the legality and legitimacy of data collection (Ye, 2022).

4 Constructing a New Type of Data Rights Protection Mechanism

4.1 Clarifying the Nature of Data Rights

In recent years, the economic value of data has become increasingly prominent, and academic discussion on the nature of data rights has mainly crystallized into three views: the personality-rights theory, the property-rights theory, and the new-type property-rights theory. The personality-rights theory emphasizes the personal attributes of personal data and argues that personal data should be protected within the framework of personality rights (Zhang, 2020). The property-rights theory, by contrast, proceeds from the economic attributes of data and advocates granting data a property nature, but encounters interpretive limitations within the traditional frameworks of real rights and intellectual property (Mei & Wang, 2021). The new-type property-rights theory proposes moving beyond traditional civil-law theories of property and constructing a new category of property rights to protect data rights (Mei & Wang, 2021).

In view of the unique attributes of data—such as intangibility and non-scarcity—as well as its important position and complex interest structure in modern society, this article argues that a new-type property-rights approach should be adopted to protect data rights. This path not only accords with the practical needs of data and has jurisprudential support, but also conforms to the value orientation of China’s current legal system. Accordingly, this article advocates defining data rights as a new type of property right that simultaneously possesses the attributes of personality rights, property rights, and state sovereignty, so as to balance the circulation and use of data with the protection of personal information and other competing interests.

4.2 Establishing the Basic Principles of Data Rights

In the digital age, the importance of data is self-evident. Still, its extensive circulation and use have also brought challenges, such as the protection of personal information and data security. Accordingly, the construction of data rights should be guided by the following basic principles. First, data security must be ensured. Data processors must: (a) strictly safeguard the confidentiality, integrity, and availability of data; (b) prevent unauthorized access, leakage, and destruction; (c) ensure data security at every stage of processing, transmission, and storage. Second, there is the principle of personal information and privacy protection. This principle emphasizes that, in pursuit of specific purposes, data processors should follow the principles of legality, propriety, and necessity, minimize the collection and use of personal information as far as possible, and adopt privacy-protective approaches to ensure data subjects’ control over their personal information, including rights of access, correction, and deletion. Finally, the principle of promoting data circulation and utilization aims to realize the value of data while protecting rights and interests. It requires that, when constructing data rights, the mobility and usability of data be safeguarded, that a balance be found between the rights of data sources and the rights of data processors, and that the secure circulation and efficient use of data be realized through legal regulation and technical means.

4.3 Distinguishing the Subjects of Data Rights

The reasonable allocation of data entitlements is of great importance for releasing the vitality of data and cultivating the market for data elements. On the basis of distinguishing different types of data, the rights subjects for different categories of data should be clearly identified. Personal data should be allocated to individuals, enterprise data to enterprises, and public data to state organs and public service institutions (Chen & Ma, 2022). At the same time, in the dynamic process of data processing, it is also necessary to distinguish between data sources and data processors and to clarify the status and boundaries of their rights (Zhang & Cao, 2023). Data subjects are entitled to priority rights, while the boundaries of data processors’ rights are usually defined by agreements with data sources, laws and regulations, or terms of service, and must respect the prior rights of data sources, such as the right to informed consent and the right to privacy.

4.4 Defining the Object of Data Rights

The object of data rights is data itself, rather than other derivative concepts. Data possesses unique attributes—such as intangibility, non-rivalry, non-exclusivity, and non-exhaustibility—which make it an object of rights under a new type of property-right framework. In the context of the digital economy, making finer distinctions among types of data is of great significance for the protection of data rights. Clear differentiation among data types and more detailed categorization of data objects can provide the basis for legal protection in terms of value, normativity, and dispute resolution, while also promoting the reasonable circulation and use of data.

4.5 Allocating the Content of Data Rights

The content of data rights consists of specific acts—the process by which rights holders realize their rights within the scope permitted by law. Data personality rights involve the right to informed consent regarding data, the right to decide on the processing of personal information (Article 44 of the PIPL), and the right to data portability, all centered on personal data and emphasizing the proactive role of individuals in data processing as well as the protection of their personality interests. Data property rights, by contrast, are refined around the control, processing, disposition, and income from data, specifically including the right to control data, the right to process data, the right to dispose of data, and the right to benefit from data.

Given the complexity of data content and the composite nature of the interests involved, while defining the content of data rights, it is also necessary to determine the scope of rights enjoyed by different data subjects and thereby establish an order of value among them. Because both enterprise data and government data may contain personal data, overlaps may arise in the relevant rights content, generating many disputes. This requires clarifying the relationship between these two categories of data and personal data. To achieve a balance between data circulation and the protection of personal information, the boundaries between the rights of data providers and those of other data processors must be clarified, and the limits on the exercise of rights by data subjects should be defined from the negative side.

5 Conclusion

In the current wave of the digital economy sweeping the globe, the construction of a rights protection mechanism for data, as a new key factor of production, has become a core issue in the construction of the digital rule of law. This study finds that data rights possess attributes of personality rights, property rights, and sovereignty. Their unique characteristics necessitate moving beyond the traditional civil law framework and exploring new protection paths adapted to the marketization of data elements. By clarifying the nature of data rights as a new type of property right, establishing three principles—data security, personal information protection, and the promotion of circulation—and distinguishing the rights holders, defining the scope of objects, and configuring the content of rights, it is possible to effectively balance the contradiction between the value of data circulation and the protection of personal privacy, thereby releasing the potential of data elements.

Against the backdrop of intensifying global competition in data governance, my country should seize the moral high ground in international rule-making by innovating its data rights protection mechanism. On the one hand, it needs to learn from the advanced experiences of the EU’s unified legislative framework and the US’s industry self-regulation model; on the other hand, it should base itself on its national conditions, explore specific rules for the classification and grading of data protection, promote the separation of data resource ownership, processing and use rights, and product operation rights, and build an open, fair, and secure data element market ecosystem.

Looking ahead, with the deep integration of emerging technologies such as artificial intelligence and blockchain, data rights protection mechanisms will need continuous iteration and upgrading. We expect to build a data governance model that combines Chinese characteristics with a global perspective through improved legislation, optimized judicial practices, and strengthened international cooperation. This will inject legal impetus into the sustainable development of the digital economy, allowing data elements to flow freely and release their value within a safe and controllable framework, jointly shaping a better future for the digital age.

References

[1] Chen, B., & Ma, X. (2022). A typological study on the allocation of rights and interests in data elements. Science, Technology and Law, (7), 1-9.

[2] Liu, H. (2018). Research on Data Protection Law in the Era of Big Data (p. 132). China University of Political Science and Law Press.

[3] Long, W. (2018). Revisiting the propertization path for the protection of enterprise data. People’s Court Daily, (3), 50-63.

[4] Mei, X. (2019). Between sharing and control. Peking University Law Journal, 31, 845-870.

[5] Mei, X., & Luo, Y. (2019). The legal attributes of data and its positioning in civil law. Social Sciences in China, 40, 82-99.

[6] Mei, X., & Wang, J. (2021). A theoretical response to the debate over “data monopoly”. Tribune of Political Science and Law, 36, 94-103.

[7] National Data Administration. (2024). Report on the Development of Digital China (2023). https://www.szzg.gov.cn/2024/xwzx/szkx/202406/P020240630600725771219.pdf.

[8] Wu, H. (2023). Legislative choices for granting property rights in data. Legal Science, 41, 44-57.

[9] Ye, J. (2022). Constructing the rights to know and to supervise in data interests. CASS Journal of Law, (5), 34-50.

[10] Zhang, C. (2020). Research on the Regulation of Personal Information Security in the Era of Big Data (p. 103–109). Shanghai Academy of Social Sciences Press.

[11] Zhang, X., & Cao, Q. (2023). A study on the legal mechanism for confirming and authorizing rights in public data. Journal of Comparative Law, (3), 41-55.

[12] Zhang, Y. (2016). The dilemma of the rights-ization of data and contractual regulation. Science, Technology and Law, (6), 1096-1119.