2024-11-14

Key points of data compliance review for recording data resources on the balance sheet, based on the latest Q&A interpretation of the Ministry of Finance

PART/1 Interpretation of Q&A on Implementation of Data Resource Accounting Processing

On October 31, 2024, the Accounting Department of the Ministry of Finance issued the “Questions and Answers on the Implementation of Accounting for Data Resources”. The Q&A mainly clarifies that expenditure in the development stage must meet five conditions at the same time before it can be recognized as an intangible asset: “technically feasible, with the intention to use or sell, there is a market or has usefulness, has the ability to complete the development and has the ability to use or sell, and can reliably measure the expenditure”. Specifically:

Q: For the expenditure of internal data resource research and development projects, how should we judge the conditions for the capitalization of expenditure in the development stage?

A: For expenditure on internal data resource research and development projects, research phase expenditure should be distinguished from development phase expenditure in accordance with the “Interim Provisions on Accounting Treatment of Enterprise Data Resources” (Finance and Accounting [2023] No. 11), “Accounting Standards for Business Enterprises No. 6 - Intangible Assets” (Finance and Accounting [2006] No. 3), “Accounting Standards for Business Enterprises No. 6 - Intangible Assets” (Finance and Accounting [2006] No. 18) and other relevant provisions.

Expenditures in the research phase shall be expensed and recorded in the current profit or loss when incurred. Expenditures in the development phase can only be recognized as intangible assets if the following conditions are met:

(a) It is technically feasible to complete the data resource intangible asset so that it can be used or sold.

(b) There is an intention to complete the data resource intangible asset and to use or sell it.

(c) The way in which the data resource intangible asset generates economic benefits, including being able to prove that a market exists for the products produced using the data resource intangible asset or for the data resource intangible asset itself; where the data resource intangible asset will be used internally, its usefulness should be proven.

(d) There is sufficient technical, financial and other resource support to complete the development of the data resource intangible asset, and the ability to use or sell it.

(e) Expenditure attributable to the development phase of the data resource intangible asset can be reliably measured.

The implementation Q&A further refines the “Interim Provisions on Accounting Treatment related to Enterprise Data Resources” (Finance and Accounting [2023] No. 11) and other provisions, and further clarifies the relevant requirements for enterprises that intend to record data resources on the balance sheet.

PART/2 Significance of recording enterprise data resources on the balance sheet

01. Optimize the enterprise financial statement indicators

Before data resources are recorded on the balance sheet, the expenses an enterprise incurs in purchasing or processing data can only be expensed and included in the income statement. Once data resources are recorded on the balance sheet, eligible data expenses can be capitalized. This changes the enterprise's financial statements considerably and lets them reflect its financial status and asset structure more comprehensively.

For example, on August 15, 2024, China Unicom disclosed in its semi-annual report that its data resource account amounted to 84,763,900 yuan. On October 23, 2024, China Unicom's third quarter report showed that the amount of its data resources had increased from 84,763,900 yuan to 204,037,400 yuan quarter-on-quarter, an increase of 119 million yuan. China Unicom has become the A-share company with the largest amount of data resources recorded on the balance sheet. The general manager of China Unicom said in an interview that the data resource amount on the balance sheet will reach 500 million yuan by the end of 2024.

02. Improve enterprise credit and financing capacity

Once data resources are recorded on the balance sheet, enterprises can raise financing on the basis of them, including but not limited to pledged loans, data trusts, asset securitization and other forms of financing. According to incomplete statistics compiled from information disclosed by mainstream financial media and other public information, as of the end of September 2024, 102 enterprises had carried out financing based on data resources. For example, in September 2024, Shandong Land Development Group Co., Ltd. used its “industrial asset tax intelligent control data” and “merchant value management data” for financing with the Bank of China, in the amount of 24 million yuan. In August 2024, Huanggang State-owned Capital Investment Operation Group Co., Ltd. used its “parking distribution model” data for financing with the Everbright Bank Huanggang branch, in the amount of 10 million yuan. Recording enterprise data resources on the balance sheet is therefore conducive to improving the financing conditions of enterprises and obtaining bank loans.

PART/3 Data compliance review requirements for recording data resources on the balance sheet

Recording data resources on the balance sheet is itself an internal action of the enterprise, and no laws or regulations require the enterprise to take mandatory actions. The enterprise only needs to make its own judgment to confirm the ownership of its data resources, and the corresponding cost of the data resources can then be included in the balance sheet. However, data resources already recorded on the balance sheet must be able to withstand the requirements of the enterprise's audit. In addition, when the recorded data resources are further put to financial use and the relevant data resources are valued, the enterprise needs to prove to the asset evaluation institution that it has legal control over them. Lawyers can establish the enterprise's legal control over the relevant data through a compliance review of data content, data sources and data processing. The key points of the lawyers' review are as follows:

01. Data content compliance

In assessing whether a company has legitimate control over the relevant data, lawyers must examine the compliance of the data content in depth. This includes not only a careful review of the authenticity and completeness of the data, but also a rigorous assessment of its legitimacy. Enterprises need to ensure that the data content is true and accurate and meets the requirements of current laws and regulations. The lawyer also needs to assess whether the specific scenario in which the data is applied is legal and ensure that the use of the data does not violate relevant laws and regulations. Finally, enterprises should ensure that the use of data follows the minimum and necessary principle: while meeting business needs, the acquisition and use of personal information and other non-essential data is minimized, in order to protect the legitimate rights and interests of data subjects.

02. Data source compliance

Lawyers need to focus on checking whether the source of the data recorded on the balance sheet is compliant. Data sources can generally be divided into the following:

1. Collecting data through apps, mini programs, etc.

When personal information and other data is collected through apps and mini programs, it is necessary to check whether the collection of personal information is fully disclosed and whether the user's authorization and consent is obtained in accordance with the Personal Information Protection Law, the Methods for Determining the Illegal Collection and Use of Personal Information by Apps, the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, etc. Examples of non-compliance include: there is no privacy policy when personal information is collected; the privacy policy is not displayed through obvious means such as a pop-up window when the app is first run; the privacy policy is difficult to access; personal information is collected before the user consents; and the user is frequently asked for consent again after clearly refusing it. If data obtained in the above circumstances is recorded on the balance sheet as a data resource, the enterprise does not meet the requirement of legal control over the data.

2. Obtaining data through crawlers

In practice, a large amount of data is collected by crawlers. When crawling data, it is necessary to comply with the protocols explicitly published by websites, such as the Robots protocol, and to avoid crawling data that the platform prohibits. If the platform has clearly issued a notice to stop data crawling, the crawling should be suspended and countermeasures taken in time. In addition, crawling needs to stay within reasonable limits: data should not be crawled frequently within a short period of time, and the platform's anti-crawling measures should not be intruded into or damaged. Personal information and business secrets should not be crawled at will. Because the use of crawlers cannot avoid collecting unnecessary personal information, or personal information without the individual's consent as required by law, such personal information should be deleted or anonymized. At the same time, try to avoid crawling the platform data of enterprises that are direct competitors, to avoid the risk of litigation by the crawled party under the Anti-Unfair Competition Law.

3. Obtaining data from a third party

Data may also be obtained by purchase from a third party, through entrusted processing by a third party, or by being provided by a third party. The enterprise shall review the legitimacy of the third party's data sources and require the partner to issue a letter of commitment on data legitimacy as assurance. It should also sign a data purchase/provision/processing agreement with the partner, and specify the purpose, scope and security protection requirements of data use in that agreement.

In addition to the common data sources and compliance reviews above, in practice there is also data formed through processing, analysis and mining of original data, and data collected through sensors or Internet of Things devices. Lawyers also need to judge the legal compliance of these data sources based on the specific scenario.

03. Data processing compliance

Data processing includes the collection, use, storage, processing, transmission, provision, disclosure and deletion of data. Specific points of concern are as follows:

1. Data collection

The collection of data shall comply with the basic principles of legality and legitimacy, and the rules to be followed in the collection of data shall be judged according to the legal attributes of the data. For example, the collection of personal information shall meet the requirements of the Personal Information Protection Law, and the collection of trade secrets shall meet the requirements of the Anti-Unfair Competition Law on the collection of trade secrets.

2. Data usage

Data use is the process of using the collected data for business and commercial purposes, either directly using the original data or using the processed data. In general, data use must be both lawful and in line with contract: data should be used within the purpose and scope prescribed by laws and regulations, and in accordance with the relevant data use authorization agreement or other agreements.

For the use of personal information, a minimum-authorization access control policy should be formulated, and an internal approval process should be set for important operations. When displaying personal information, apply de-identification to fulfill the obligation of data display restriction. Clearly distinguish between personalized and non-personalized display content, and at the same time provide options that are not targeted at the individual's personal characteristics, to fulfill the personalized display obligation. Fulfill obligations such as those relating to automated decision-making mechanisms.

3. Data provision

If data is provided to other subjects, a data provision agreement should be signed, specifying the rights and obligations of the parties. To provide data overseas, it is necessary to choose between data exit security assessment, personal information protection certification (cross-border) or personal information exit standard contract filing, in accordance with the Regulations on Promoting and Regulating Cross-border Data Flow, the Measures for Data Exit Security Assessment and other laws and regulations, and based on the type and quantity of the data provided overseas and the overseas location receiving it.

4. Data disclosure

Data disclosure is a way for enterprises to process data under their control, and data cannot be disclosed at will. If personal information is disclosed, attention should be paid to obtaining individual consent and conducting a personal information protection impact assessment in advance. Where important data is disclosed, the security risks that may be brought about shall be assessed. For trade secrets and state secrets, the relevant data cannot be disclosed at will unless the consent of the relevant data subject is obtained or the relevant authorities disclose it in accordance with their functions and powers.

5. Data storage and deletion

Generally, data storage should pay attention to storage security, including storage area, security protection measures, internal access rights, encrypted storage, and de-identified storage requirements. In addition, data in storage should be classified and graded, important data should be distinguished from general data, and different security measures should be taken for each. Personal information shall be stored for the shortest period necessary to achieve the purpose of processing, and shall be deleted or anonymized once the storage period is exceeded. Where the deletion of personal information is technically difficult to achieve, processing other than storage and the necessary security protection measures shall cease.

6. Data processing and transmission

Data processing is an important support measure for data use. Through data cleaning, extraction, fusion and analysis, the value of data utilization is enhanced. Data processing obligations generally refer to the need for enterprises to adopt various technical means to reduce the risk of data leakage during data processing. Data transmission generally requires enterprises to perform pre-transmission review, evaluation, authorization, encryption of data transmission channels, data content encryption, transmission mode control, flow control, storage media management and control obligations.

04. Data security management compliance

When enterprises record data resources on the balance sheet, their data security management is generally required to meet the basic requirements of laws and regulations. During the compliance review, lawyers should focus on the enterprise's data security management system, data security management organization, data classification and grading management, personnel security management, cooperative outsourcing management, and security emergency management. For example: whether the enterprise has established a data security organizational structure and clearly defined the functions of the participating departments; whether it has designated a person in charge of data security or of personal information protection in accordance with laws and regulations; and whether it has developed data security related policies, officially issued them internally, promoted their effective implementation, and regularly supervised and revised them.

In short, for enterprises, the data compliance review conducted by lawyers is an important basis and prerequisite for ensuring that their data resources can be successfully recorded on the balance sheet. This process involves a comprehensive review of the enterprise's internal data management process, covering data collection, storage, use, transmission, processing and other links, to ensure that the enterprise's data processing activities comply with the requirements of relevant laws and regulations. Through a professional review by a lawyer, companies are able to identify potential data compliance risks, thereby avoiding legal disputes and financial losses caused by improper data processing. In addition, the data compliance review can help enterprises establish a sound data management system, improve the level of data security protection, enhance the trust of customers and partners, and strengthen their overall competitiveness and market image.
