In the era of “AI plus healthcare”, personal health data has shifted from static records into a dynamic and time-sequential data flow covering a full lifecycle. While it has become an important element of production in the healthcare industry, it also faces new risks and challenges, and the current legal framework of personal health data protection in China cannot satisfactorily address these challenges. The ambiguous rules on personal health data ownership and the ineffective individual empowerment model of data governance fail to respond to the dual needs for protection of personal health data and extraction of data value. In view of the diversified and sometimes conflicting values and interests embodied in personal health data, it is therefore recommended that the agile governance model, characterized by dynamic adaptability and multistakeholder collaboration, be adopted. The bundle of rights over data should be allocated among data subjects, data processors and the government; a differentiated consent mechanism based on risk classification should be constructed; the principle of purpose limitation and minimum necessary should be reinterpreted in an expansive and generalized manner within the limits of reasonable expectation and risk control; and anonymization measures and tort liability rules should be improved by clarifying obligations of stakeholders and balancing their rights and responsibilities. Through dynamic risk control by collaboration of multiple stakeholders, the agile governance model can reach the balance between sufficient protection and rational utilization of personal health data in data processing.
Introduction
Driven by the wave of digitization, artificial intelligence (AI) technology has infiltrated into all aspects of social life due to its powerful deep learning and data processing capabilities, and brought about the digital-intelligent transformation of traditional industries. In March 2024, Chinese Central Government introduced the AI plus initiative in its Government Work Report for the first time, indicating that empowering diversified industries with AI technology has become a key strategy to promote the construction of a modernized industrial system and the innovation of government work. In November 2024, the National Health Commission, the National Administration of Traditional Chinese Medicine and the National Disease Control and Prevention Administration jointly issued the Guidelines on Scenarios of Artificial Intelligence Application in the Healthcare Industry, which set out 84 specific scenarios of application, directing the innovation and development of integration of artificial intelligence and healthcare. The era of AI-powered healthcare has already arrived.
At present, AI technology is mainly implemented to assist diagnosis and treatment, medical decision-making, drug research and development, health management, and medical research. Relying on core technologies such as natural language processing, medical knowledge mapping and deep learning, AI in healthcare is able to rapidly mine, analyze, and integrate heterogeneous healthcare data from multiple sources, thereby effectively improving accuracy and efficiency of medical scenarios such as clinical data mining, smart diagnosis and treatment, and image recognition. AI “trains” algorithms by collecting and analyzing massive data, and its “intelligence” depends directly on the size of the personal health database.
While data have gradually become an important element for precision medicine, challenges in protecting personal health data also arise. Given the black box problem of AI, the dynamic feature of data processing and multiple stakeholders involved in data sharing and processing, the traditional data protection approach which relies on individuals’ empowerment cannot fully address the risk of personal health data infringement. How to balance the protection and the utilization of personal health data becomes a thorny and urgent issue in the era of “AI plus healthcare”. Therefore, it is of special significance to review the evolution of denotation of personal health data and how they are applied in this new era, examine the dilemmas of existing legal rules on data protection, and explore an appropriate shift in data governance model that could reach the balance in China.
Denotation and application of personal health data in the era of “AI plus healthcare”
Personal health data refer to the data that have identified or can identify the health condition of a natural person. In traditional medical scenarios, personal health data are mainly manifested as paper records kept by medical institutions in diagnosis and treatment, including outpatient records, medical image and test records, etc. They are usually stored and circulated within the closed medical system, characterized by restricted access and limited physical carriers of data.
With deep integration of AI technology and healthcare, the denotation of personal health data has been extended. First, the forms of data expand with the development of digitization and the generation/collection of data in real time. Personal health data evolve from traditional paper medical records to electronic ones, and further to dynamic biosensing data and brain-computer interface neural signals, etc. They also shift from a single modal to multi-modal fusion, covering a wide range of data types such as images, texts, voices, and omics. Second, the sources of personal health data are diversified with innovation of data collection methods. Personal health data are not only collected from traditional medical scenarios, but also from user participation scenarios, such as through mobile health Apps or wearable devices, and sensor recording by medical implants. The boundary between health monitoring and daily behavior becomes blurred. Meanwhile, with the support of big data techniques, data that were not related to personal health condition can also be converged to indirectly reveal personal health information, such as medicine e-shopping records and contact tracing during the epidemic. Third, the combination of biosensing technology and smart devices promotes the transformation of personal health data from static records to real-time and time-sequential data flow covering a full lifecycle (Li 2024). Physiological sequential signals that are collected in real time by wearable devices, such as heart rate and blood pressure, form a multi-modal data ecosystem that contains structured data tables, semi-structured text and unstructured images. These data are synchronized to the cloud platforms in real time for compilation, consolidation and analysis, thus creating a dynamic healthcare database. 
The database can be set open to various visitors and promote data sharing not only with traditional medical institutions, but also with algorithm developers, cloud computing service providers and other third-party organizations for them to train algorithms (Yang et al. 2025).
With the help of machine learning algorithm and big data analytics, isolated and raw personal health data from diverse sources could be transformed into visible interoperable and reliable high-quality data in a summarized form through aggregation and mining, yielding to actionable and valuable information and insights. Their value, therefore, could be magnified by multiple times. Such high-quality data have a variety of different applications in healthcare industry, including: medical diagnosis support systems aid therapeutic decisions by mining, analyzing, and consolidating a set of patient data from multiple sources; smart health management devices dynamically update personal health data and help individuals monitor their own health conditions in real time; and the efficiency and accuracy of drug research and development and infectious disease prevention and control can also be effectively enhanced through data processing (Shi and Xu 2024). Accordingly, in the era of “AI plus healthcare”, the utilization of personal health data has been upgraded from an auxiliary diagnosis and treatment record to an important driving factor for precision medicine (Yu et al. 2020).
Along with massive data processing and utilization in AI-powered healthcare, data risks grow greatly. In order to improve the accuracy of AI-assisted decision-making or training algorithms, the breadth and depth of data collection could be overly expanded. In addition to data directly related to individual health condition, AI tools may also collect the individual’s sleep patterns, living habits and other privacy data, which invariably increases the risk of data leakage and security. For instance, several Apps related to female healthcare were punished for collecting personal information unnecessary for services.1 Compared with other types of personal data, personal health data are of higher degree of privacy and sensitivity, as they carry biometric information and pathology results. The leakage or illegal utilization of such data may cause irreversible damage to the individuals’ human dignity (Leng 2014). Besides, it is possible and practical to ascertain an individual’s identity through personal health data. Anonymized data, if consolidated and analyzed, could probably re-identify a specific person, and even generate accurate portraits of that person (Wang 2022). Lastly, as the operation of AI tools is affected by both data and algorithms, it could contain hidden biases and discrimination. Training data of certain groups may be over-represented or under-represented. The design of algorithms could be shaped by its developers’ beliefs and biases, and thus affect AI tools’ output/automated decisions. As a result, personal health data may be used for discriminatory pricing and other differential treatment in healthcare services and social welfare (Pasquale 2015), which exacerbates social inequality. This problem has been found in the algorithms used by American commercial healthcare systems, which are discriminatorily developed against African patients so that they cannot join in health improvement programs (Tang 2022).
The dilemmas of personal health data protection in the era of “AI plus healthcare”
Currently, there is no special legislation in China for the protection of personal health data in the field of AI-powered healthcare, and personal health data is subject to strict regulations regarding sensitive information and general rules on personal information protection. Upon a close examination on current legal rules, it is found that they cannot effectively respond to the above-mentioned prominent challenges.
Uncertainty in personal health data ownership
In the era of “AI plus healthcare”, the generation/collection, processing and utilization of personal health data involve several parties such as patients, medical institutions, members of medical consortiums and governmental agencies, etc. However, the Civil Code and the Personal Information Protection Law (hereinafter PIPL) fail to set out rules on the allocation of data ownership. Scholars also fail to reach a consensus on this issue.
Generally, there are five main theories on the ownership of personal health data. Firstly, the proprietary rights and interests of personal health data shall be attributed to the individuals/data subjects, who have absolute and exclusive control over the processing of their data (Shen 2020). Secondly, based on Locke's labor theory of ownership, medical institutions justifiably acquire the proprietary rights of clinical data due to their labor contribution in the ongoing generation, processing and management of the data (Obermeyer et al. 2019). Thirdly, as protection of personal data through private ownership gradually fails to work under big data technology, it is proposed that personal data be regulated as public goods in order to achieve the balance between public and private interests (Wu 2016). Fourthly, the ownership of personal health data should be shared by individuals and medical institutions. The shared ownership can be further divided in two ways. The individual is entitled to the data’s nominal ownership, while the data controller such as medical institutions has the substantive ownership to possess and dispose of the data stored in the cloud (Feng and Xue 2020). Or, the individual is granted full control over original data, while the data processor, who invests capital and creative intellectual inputs in the development, utilization and trading of data, acquires proprietary rights of derived data in the form of intellectual property rights (Tang 2021). Fifthly, the hybrid structure of data rights determines that the individual is entitled to privacy rights and economic interests in their health data; the data controller is entitled to the right to hold and use data, and should distribute economic interests to individuals; and the government should act as a neutral regulator, and have the right to access and use the data for public interests (Ji 2025).
Ambiguous rules on personal health data ownership lead to uncertainty in the allocation of rights and duties among relevant parties at different stages of data lifecycle. Accordingly, it is unclear which party should take responsibility for protecting personal health data, what kind of statutory responsibilities that party should take, and what remedies a party is entitled to in specific circumstances. Without clear expectation on other parties’ actions, data processors may shrink from sharing and utilizing personal health data, which impedes realization of data value and further development of AI in healthcare (Gao 2020). In practice, parties often resort to agreements to avoid the problem of uncertainty in personal health data ownership. Nevertheless, data processors, usually with greater bargaining power, can use this advantage to reach terms more beneficial to them.
Deficiencies in the individual empowerment model
Current personal health data protection rules emphasize the individuals’ right of information self-determination, take the informed consent principle as the basis for personal health data processing, and build a model for data governance centered on individual empowerment. This model originated from fair information practices, laid the foundation for traditional personal information protection legislation in European Union, the United States and many other jurisdictions (Ding 2019). With the advent of the “AI plus healthcare” era, the complexity of personal health data ecosystem has been increasing and the power structure between individuals and data processors has become more and more uneven. Under this background, the static individual empowerment model can no longer effectively control dynamic and emergent risks in data utilization, or respond to the need for balancing the protection of personal health data and the extraction of data value.
The ineffectiveness of the informed consent principle
According to the Civil Code and the PIPL, an individual’s explicit consent should be obtained for personal data processing,2 and a separate consent is required for processing sensitive personal information.3 Such isolated informed consent principle required at the front-end, however, cannot tackle risks arising afterwards in the dynamic application of AI in healthcare industry. It is difficult, if not impossible, for an individual to obtain actual control over his/her data through such isolated informed consent.
First of all, data processors, which are obligated by the principle to give notice of the risks in advance (and even algorithm developers), may not fully understand the operational logic behind assisted decision-making. The black box problem of algorithms, the continuous collection of new data in AI application, and the emergence of new functions, purposes, and algorithms from AI baseline models, make precise risk notification difficult, if not impossible (Hacker et al. 2023). In fact, it is impracticable for data processors to exhaustively list the matters to be processed that may occur or change in application of AI in healthcare.
Moreover, there is a fundamental conflict between the full lifecycle of personal health data and the static authorization of informed consent. Personal health data collected by wearable devices and other sensing devices are of dynamic and time-sequential nature, and the specific matters of their secondary utilization are unpredictable at the point of notification. The purpose and depth of personal health data processing may go beyond the initially predetermined extent, and data processors often fail to take the initiative to obtain the informed consent by individuals (Fan and Gu 2021; Zhao et al. 2022). Nevertheless, if data processors are required to strictly comply with the rule of notification of changes,4 they would theoretically need to send users a minute-by-minute request for informed consent. Regardless of its feasibility, cumbersome procedures and high costs associated with this re-notification would intimidate data processors.
Consequently, data processors tend to adopt generalized and ambiguous privacy policies, or charge higher prices for their services, i.e., collecting more personal information at a time (Xu and Yue 2025). Privacy policies become more and more lengthy and vague, and not easy to understand. Coupled with reliance on the availability heuristic (Thaler and Sunstein 2009), when facing hidden, cumulative and unfamiliar risks of leakage or misuse of personal health data, it is highly likely that users/individuals do not read the policies carefully or do not read them at all, and fail to understand the risks and make accurate risk assessments. Data processors may even deploy this careless consent to “lawfully” over-collect personal health data, which departs from the purpose of the principle of informed consent. Worst of all, most healthcare AI tools adopt the “all-or-nothing” consent approach, requesting user authorization to collect data before providing service. Users are forced to authorize the use of their health data for algorithm training or medical research in exchange for AI services. Essentially, this approach overrides the individual’s right of information self-determination (Landau 2015). For instance, 111, Inc., a digital and mobile healthcare platform in China, was ordered by Guangdong Communications Administration to rectify its misbehavior, i.e., insufficient disclosure of purposes and ranges of data collection, and request for location and phone permissions before users use its services.5 Several healthcare service platforms, such as Helian Health, were also publicly condemned by authorities for privacy policy non-compliance. Given the information power held by data processors, the informed consent principle which emphasizes individual autonomy has been reduced, to some extent, to a formality.
The impracticability of the purpose limitation and minimum necessary principle
As provided by the PIPL, personal data shall be processed for an explicit and reasonable purpose that has been notified to the individuals in advance, and the processing and collection of data shall be directly related to and necessary for the fulfillment of that purpose.6 Accordingly, the purpose limitation and minimum necessary principle for personal information processing has been established. However, this principle is not compatible with the characteristics of AI in healthcare and the need to utilize personal health data.
As mentioned above, the dynamic nature of AI data processing is contrary to the premise of the purpose limitation principle, i.e., the purpose of processing could be specified explicitly in advance and act as a standard of review. The pre-specified purpose may change unpredictably in the course of data processing, and it is hence difficult to review the relevance of personal health data without an identified standard. The principle of purpose limitation also prohibits secondary utilization of data which is not directly related to the initial purpose, while maximization of the value of personal data and AI algorithms depends exactly on the re-analysis of existing data. Personal health data could be used for training AI models or for data mining. For example, based on the clinical data collected by the US Department of Veterans Affairs and transferred in a de-identified format, the Google DeepMind team developed and trained a predictive model, and eventually built an applicable system that could continuously predict acute kidney injury (Tomašev et al. 2019). In this case, the purpose of data processing has exceeded the boundaries of initially specified purpose, due to the spillover effects. It is difficult to comply with the purpose limitation principle.
Besides, the minimum necessary principle requires data to be processed in a way that minimizes damages to the rights and interests of individuals. It denotes the minimum collection of data, the minimum impact on individuals, the minimum data retention time, and prompt deletion or anonymization of the data after the expiration period (Jin and Zhai 2023). Nowadays, the data has been regarded as a new element of production, and full realization of the value of data element lies in data application. Retention and reanalysis of personal health data become the norm, and the reasonableness of the minimum necessary principle is increasingly being questioned. If the principle was strictly implemented, personal health data collected by medical institutions and other medical consortiums, and service providers of wearable devices and mobile health Apps, would be generally prohibited from sharing with each other, which hinders the circulation of data and its accumulation (Wu 2021). If individuals were empowered with strong control over the subsequent use of personal health data, such as the right to request deletion after the expiration period, the continuity and integrity of data research would be affected, which is not conducive to accomplishment of public health goals (Liu and Xiong 2019).
The limitation of the remedy rules
Under the current laws, there are two main remedies for personal data protection, namely data anonymization and tort liability, but both remedies are insufficient to protect personal health data in the era of “AI plus healthcare”. It is found that the static data anonymization measure cannot eliminate the risks of re-identification of personal health data. Anonymization refers to the process in which personal information is processed in a way that it is impossible to identify a specific natural person without the help of additional information.7 The essence of anonymization is to strip personal information of its personality nature and emphasize its economic, social and political value (Zhang 2018). Anonymized personal information is excluded from the coverage of personal information protection regulations, and a balance between the legitimate protection of personal information and its reasonable use is supposed to be achieved. Under the background of big data, powered by the ever-increasing algorithms and computational capabilities, and coupled with the access to more and more datasets, data aggregation and data re-analysis greatly enhance the possibility of re-identification of anonymized information, and absolute anonymization is difficult to achieve (Pike 2020). A piece of personal health data that is not identifiable in the former scenario may become identifiable when spreading into a subsequent scenario and linking with other databases. A study conducted by the University of Melbourne has shown that patients can be re-identified by analyzing supposedly anonymous medical billing records (Manheim and Kaplan 2019). The current laws treat anonymization as a static concept, unable to resist the risks of re-identification with the sharing and spread of personal health data (Xia 2024). Data processors may use a one-time anonymization measure to circumvent regulations on personal health data protection.
From the individuals’ perspective, they consent to submit personal information in reliance on data processors’ anonymization measures. Viewed in isolation, the processing of personal health data at that time would not infringe individuals’ rights and interests, whereas it is impossible to predict how the data will be aggregated in the future, and thus to fully anticipate and assess the risk in advance.
There also exist loopholes in tort liability rules. The presumed fault liability principle is recognized in the case of infringement upon rights and interests relating to personal information.8 The principle reverses the burden of proof, and to be exempted from liability, data processors need to prove that they are not at fault. To a certain extent, the principle alleviates the dilemma in compensating the injured individuals due to the non-interpretability of algorithms. Nevertheless, the individuals still have difficulty in proving causation in the era of “AI plus healthcare”. Personal health data could be utilized in diversified scenarios, involving multiple parties and operation procedures. Subject to a disadvantageous position in information and professional knowledge, it is difficult for individuals to understand the specific operation of healthcare AI on the collection, processing and circulation of personal health data, and then to find out that personal health data is illegally processed or divulged. Even if individuals become aware of the fact of infringement on personal health data, it is still difficult to ascertain the direct injurer. In practice, courts may dismiss the litigation due to the failure to prove the causality between the defendant’s behavior and the damage.9
Furthermore, it is hard to pinpoint the damage suffered by individuals. The damage resultant from personal health data infringement is often manifested as psychiatric injury, such as psychic anxiety. According to Article 1183 of the Civil Code, mental distress should reach a degree of severity in order to request compensation. This Article is under criticism for the lack of clear and uniform standards to ascertain the degree of severity. In judicial practice, courts tend to reject the plaintiff's request for compensation on the grounds that the plaintiff has failed to prove the existence of psychiatric injuries or the severity of injuries (Xie 2021). Due to the lack of clear standards, the calculation of the amount of damages is also dependent on the judge’s discretion, and the individuals encounter substantial difficulty in seeking relief. It should be noted that Article 1226 of the Civil Code places an obligation on a medical institution and its medical staff to protect privacy and personal information of patients. Unlike the traditional tort requirement on damage to bring someone to account, this Article extends the responsibility of medical institutions and staff to a preventive level, i.e., the institutions and the staff should assume the tort liability for leaking privacy data and personal information of a patient, or disclosing medical history data of a patient without his/her consent, regardless of the patient’s sufferings and losses. This liability rule further reduces the burden of proof on vulnerable individuals, but the utilization of personal health data is not limited to medical scenarios, nor is the potential injurer limited to medical institutions or their staff. Hence, this liability rule cannot fully solve the individuals’ difficulty in proving.
The shift to agile governance model in personal health data protection
The uncertainty of personal health data ownership leaves individuals subject to private agreements, in other words subject to data controllers’ discretion. Unfortunately, the deficiencies in the individual empowerment model under the current legal framework fail to provide sufficient protection to individuals from data controllers in the era of “AI plus healthcare”. It is therefore worthwhile to question whether the prevalent individual empowerment model is an appropriate approach, and if not, to explore a preferable model for data governance in the new era.
The need for the transformation of data governance model
After personal health data has evolved from paper records stored within a closed system to a multi-modal, dynamic digital data flow, the core of data governance has undergone a fundamental shift. Traditional personal health data governance focuses on the confidentiality rules of medical institutions. Now that electronic medical records, signals transmitted by wearable devices and mobile health monitoring Apps, and other types of data which are manifested as a multi-modal fusion fall under the scope of personal health data, the data flow chain gradually extends from medical institutions to members of medical consortiums, algorithm developers, mobile health App platforms and other parties, and the links of the chain which can realize data value extend from clinical diagnosis and treatment to algorithm training, business development, public health management and so on. The social attributes of personal health data have gradually increased during the extension. The core of governance also gradually changes from single data protection to a dynamic balance between data protection and utilization. The individual empowerment model, which emphasizes “personal rights and interests—personal control—personal responsibility” of the individuals, only focuses on the private side of health data. It is the social side which determines that enhancing personal empowerment in data control, even if practicable, still cannot accommodate the change of landscape of personal health data.
First of all, in the era of “AI plus healthcare”, personal health data is closely related to public interests, and promoting extraction and realization of data value is in the common interest. As a type of data element with both private and social value, personal health data carry not only an individual’s dignity, freedom and other values as an independent private human being, but also use value for other people, organizations, and even the community in medical research, public health management and health industry development, etc. (He 2018). For example, personal health data can be used by scientific institutions to explore maps of population health state for epidemiological research and to help vaccine research and development, by algorithm developers for training to promote the development of precision medicine AI models, and by the government to optimize the regional allocation of medical resources and improve the efficiency of decision-making on public health emergencies. If individuals are empowered with absolute control over health data, their decentralized decision-making will impede the formation of datasets required by medical research, technological innovation and public health management, thus prejudicing the public interest of society. It should be noted that extraction and realization of personal health data value rely on trust relationships among multiple stakeholders involved in data circulation (Tang and Zhang 2025). Due to the uncertainty in personal health data ownership, each stakeholder lacks clear behavioral expectations or willingness to promote data utilization, thus undermining the foundation of trust. Meanwhile, the informed consent principle and anonymization measures become ineffective in practice, and the remedy rules fail to work efficiently in redressing personal data infringements.
Continuing to ignore the collapse of the individual empowerment model will trigger a trust crisis between data subjects and data processors, and undermine sustainable utilization of data and the long-term prosperity of the digital healthcare ecosystem (Rao 2025).
Furthermore, the legitimate protection of personal data is not only a matter of personal privacy security, but is also closely linked to the interests of society, and should not rely solely on individual control. As Regan pointed out, aside from the value to the individual, privacy in the digital world is correlated to a common value in that all individuals “have some common perceptions about privacy”; privacy is related to a public value as it is of great significance in building “a democratic political system” that safeguards citizens’ fundamental rights and freedoms; and privacy is associated with a collective value because technology and market forces make an individual’s privacy subject to “a similar collective minimum level of privacy” of all persons. Therefore, personal data is rapidly becoming a common pool resource (Regan 2002). Schwartz shares a similar view, conceiving of privacy as one of the constitutive elements of civil society, and as playing an important role in the construction of democratic freedom and individual autonomy on the Internet (1999). According to Cohen, privacy protection is of great significance in maintaining the vitality of society, and it can promote the development of human innovative practices (2013). The traditional individual empowerment model focuses only on the protection of and remedies to personal interests, ignores the social public attributes of personal data, allocates the main responsibility of personal data protection to individuals, and hence cannot effectively guard against the risks on the aforementioned social side.
The shift to agile governance model
The concept of “agile governance” was first introduced at the World Economic Forum in 2018. This transformative idea was proposed against the background of the so-called Fourth Industrial Revolution, which builds on digital networks and is characterized by the dynamic and synergistic development of technologies, their transnational impact, and their broad societal and even political implications. Agile governance refers to “adaptive, human-centred, inclusive and sustainable policymaking, which acknowledges that policy development is no longer limited to governments but rather is an increasingly multistakeholder effort” (World Economic Forum 2018). Applied in the field of personal health data, agile governance has three specific implications: firstly, pursuing, on the basis of a balance among the conflicting values of multiple stakeholders, the mutual development of legitimate protection and reasonable utilization of personal health data; secondly, constructing a nimble, adaptive, and responsive regulatory framework, and responding to dynamic risks with flexible institutional design and technological tools; and thirdly, constructing a collaborative governance network among governments, enterprises, social organizations, and data subjects (Cui and Wang 2024).
The development of AI technology in healthcare and the complexity of the health data ecosystem have rendered inadequate the traditional individual empowerment model of data governance, characterized by static empowerment and individualism. In this context, agile governance, which emphasizes dynamic adaptability and multiple stakeholder collaboration, has gradually become a rational choice for personal health data protection (Xue and Zhao 2019). On one hand, the full lifecycle of personal health data involves multiple scenarios, and potential risks are dynamic and emergent. While static regulatory methods cannot adequately address the risks, the agile governance approach, which is based on risk classification and emphasizes the fluid adaptability of rule design and real-time responsiveness in risk prevention and control, can effectively answer the dual needs of data sharing and risk control. On the other hand, agile governance shifts the focus from the protection of private rights to the allocation of rights and responsibilities among individuals/data subjects, data processors and governments, and emphasizes the regulation of data processors’ behavior and risk control, resolving the dilemmas of limited personal digital rationality and imbalance in the allocation of responsibilities faced by the individual empowerment model. It also takes into account the interests of multiple stakeholders and promotes the full realization of the diversified values of personal health data in the era of “AI plus healthcare”.
Improvements on personal health data protection under the agile governance model
The rapid development and deployment of AI technologies is substantially changing the healthcare industry. An agile governance model for personal health data can be and should be more flexible and inclusive, to keep pace with technological development and allow for protection of the legitimate interests of multiple stakeholders. In fact, protecting personal health data does not absolutely contradict the promotion of AI technologies in healthcare. On the contrary, reasonable and effective protection can facilitate the utilization of technologies by relieving individuals’ concerns about data sharing. Hence, the path to improving the protection of health data in the context of the agile governance model should be explored, to solve the dilemmas under the current legal framework.
The bundle of rights over personal health data: synergistic governance by multiple stakeholders
Being a new type of element resource of production, personal health data manifests personality, proprietary and even social attributes simultaneously. Unlike traditional objects of property rights, it is characterized by non-competitiveness, replicability, and non-exclusiveness (Shi 2023). It is hence extremely difficult, if not impossible, to insist on traditional sole ownership, which over-emphasizes the static belonging of property but relatively weakens the dynamic use of property (Xu 2023). It is proposed to view personal health data rights from the perspective of a bundle of rights. This theory is mainly used to study the various rights over a particular parcel of property: the bundle contains various sets of legal interests which can be improvised by parties; when a holder of the bundle conveys one or more sets of legal interests to another person, “a part of his bundle is gone” (Merryman 1973–1974). The plasticity of the bundle theory makes division and variation of rights possible, and accommodates the existence of multiple right holders and of diversified, sometimes conflicting, interests. The priority or inferiority of a right is guided by the intrinsic value standards of the bundle (Yan 2019). It is therefore a proper perspective from which to analyze the rights over personal health data, which involve different types of rights, multiple right holders, and dynamic utilization and flow. In this way, the various interests of stakeholders in the generation/collection, processing, utilization and regulation of personal health data can be recognized, and the boundaries of the rights exercised by stakeholders can be clarified, contributing to the construction of a collaborative and agile governance system for multiple stakeholders.
Actually, the traditional property right concept based on ownership has been watered down in the Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements, which highlights rights of use and occupancy and explores a structural subdivision system from a data property right system. Starting from the attributes of rights, and based on the involvement of common stakeholders, a scheme on the bundle of rights over personal health data is suggested as follows.
Firstly, personal health data, as the carrier of personal sensitive information, is directly related to an individual’s human dignity and privacy interests, and the personality rights attached to such data are undisputedly extended to the individual. It should be noted that the personality rights over personal health data are different from privacy rights, although there are some overlaps between them. Such personality rights could be exercised by individuals through both negative defense and positive utilization, while privacy rights are traditionally viewed as defensive rights and protected by remedial rules from tort law (Wang 2018). Some statutory provisions indeed demonstrate the defensive aspect of personality rights over data via privacy requirements. For example, the Civil Code straightforwardly requires the precedence of rules on privacy rights over rules on protection of personal information.10 With regard to the positive aspect, the PIPL, the US Health Insurance Portability and Accountability Act (hereinafter HIPAA) and the EU General Data Protection Regulation (hereinafter GDPR) all stipulate rules on information self-determination rights, such as rights to access and copy the protected data, direct the data to another person, request corrections, object to or restrict use of data and delete/erase the data.11 The personality rights over personal health data fall within the fundamental rights of citizens, which are recognized and respected by constitutional laws, and this part of the bundle should hence be given priority over the proprietary rights held by data processors. Nevertheless, because an individual lacks sufficient digital rationality and the ability to control, analyze, and use the data, it is not appropriate to grant individuals exclusive control over data.
For example, according to HIPAA, organizations are not required to obtain consent by an individual to use or disclose his/her protected health information for treatment, payment or health care operation purposes.12
Secondly, as management and utilization by data processors is the key to the flow and sharing of personal health data and to its gradual transformation into an important element resource of production, data processors are entitled to proprietary rights over personal health data. From the perspective of the data generation/collection mechanism, an individual is the source of personal health data, providing “samples” for the data, but the form of the data relies on information service platforms and service management systems such as medical institutions and mobile health Apps (Gao 2020). Taking the electronic medical record as an example, it not only records information about the disease from the patient’s narration, but also contains the physician’s diagnostic opinion, test reports, medical images, etc. The generation and integration of these data rely on the professional knowledge and labor input of medical staff, and the continuous maintenance of electronic medical records also counts on the investment by medical institutions in informatization. From the perspective of the value addition of data elements, information service platforms and service management systems play a leading role in the evolution from purely isolated personal health data to a pool of resources. Data aggregation can produce a multiplication effect. With the digitization of personal health data, the role of such data is no longer limited purely to assisting in diagnosis and treatment or recording health conditions. Throughout the full lifecycle of data, personal health data are constantly connected to new databases, and after being aggregated and (re)analyzed, they can be applied to smart diagnosis and treatment, disease prevention, public health management, and so on.
According to Locke's labor theory, data processors have invested a lot of necessary human, material and financial resources in the process of data collection, storage, aggregation and analysis, so the proprietary right over personal health data should be given to data processors (Zhang 2023). For legitimately collected personal health data, data processors are granted the right to possess, process and use, profit from, and dispose of the data. Such proprietary rights motivate data processors to fully utilize their control over data, and to promote the circulation, sharing and maintenance of datasets. Accordingly, personal health data can pass through a full lifecycle with value growth, from the phase in which they enter a system until the phase in which they leave it, and their value as an element of production can be fully released. It should be noted that the exercise of proprietary rights by data processors should be subject to the protection of the personality rights and interests of individuals and of social public interests. Data processors should exercise proprietary rights in a safe and trustworthy manner, and bear obligations to safeguard the personality rights of individuals and to prevent risks of data leakage. Therefore, data processors should establish and improve the mechanisms for risk assessment, security control, and emergency response, and ensure that the utilization and development of personal health data are based on the premise of data compliance. For instance, regarding the potential risks arising from data collection, storage, processing and disclosure, the GDPR requires risk prevention and control measures at various levels.13
Lastly, as a data regulator, the government is granted the right to manage and use personal health data for the purpose of public interests, and this right should be given top priority due to national sovereignty. On the macro level, the government should make clear the value orientation of legal protection and reasonable utilization of personal health data, and use policy and technical tools flexibly to promote the development of data. It should not only provide legal protection for the maintenance of individuals’ human dignity and privacy rights and interests, but also create an efficient market for the sharing and utilization of personal health data. On the specific level, personal health constitutes a part of public health (Li 2020), and private rights over personal health data, be they personality rights or proprietary rights, should be ceded to public interests in an appropriate manner, for the sake of public health management. In the face of public health events, medical research and other public justifications, the government has the right to use personal health data to safeguard public interest and promote public welfare. The PIPL, the HIPAA and the GDPR all recognize the lawfulness of data processing for the performance of a task carried out in the public interest.14 Nonetheless, the government should strictly follow the principle of proportionality in the use of data (Jiang 2021), comply with the procedures and scope stipulated by the law, and avoid infringement on private rights.
Reconstruction of the informed consent principle: a differentiated mechanism
In the context of “AI plus healthcare”, the existence of personal health data has shifted from a single scenario to a full lifecycle flow. As the traditional principle of informed consent is costly and unable to respond to dynamically emerging risks in the new era, the principle under the agile governance model should be reconstructed into a balanced one between the reasonable utilization and legitimate protection of personal health data based on risk classification.
First of all, the processing of sensitive personal health data by data processors should obtain a specific consent by the individual. Sensitive personal health data, such as genetic sequences and mental illness history, are highly related to personal dignity and privacy. The collection and processing of such data should be subject to strong regulation, focusing on data protection. Data processors should identify the specific purpose of processing of sensitive data and strictly perform the notification obligation.15 They should disclose relevant information in a way that the general public can reasonably anticipate the risks of collection and processing activities, should notify not only the purpose, manner and scope of data processing, but also the special sensitivity and potential risks of such data in a prominent way, and should obtain the explicit authorization and consent by the individual. If the aforementioned processing matters change during the process of personal health data processing, the notification and consent procedures shall be initiated again.
Furthermore, the processing of general personal health data should require only the generalized consent of the individual. For non-sensitive general personal health data, such as blood pressure, heart rate and sleep condition, the collection and processing should focus on leveraging the data’s value in application, and a generalized informed consent principle will suffice in this scenario. The data processor only needs to specify an approximate and overall framework for the processing of personal health data rather than elaborate on the specific processing matters, and the individual’s consent at this moment can be extended to future processing matters under the framework (Tian 2018). In other words, it is unnecessary to re-obtain the individual’s consent for secondary use of data under the predetermined framework. For example, when the heart rate data of an individual is collected for the first time, the individual will be prompted by a smart bracelet to consent to the collection of data for personal health management. Further analysis of such data to generate a health monitoring report or provide personalized health advice does not require the individual’s consent again. The use of heart rate data for insurance pricing, however, requires the individual’s authorization again, as it is obviously beyond the predetermined framework.
Lastly, in special scenarios such as emergency treatment and public health events, the processing of personal health data may be exempted from consent. In emergency treatment scenarios, medical institutions and other data processors, without an individual’s consent, may still obtain his/her personal health data based on the priority of life-saving treatment, and they should supplement the record of relevant data processing matters in a timely manner after the emergency state ends. In the case of a public health event, such as epidemic prevention and control, out of protection of public interests, the government may access personal health data without obtaining the consent by the individual or by the data processor who controls the data.
The interpretation of the purpose limitation and minimum necessary principle: based on reasonable expectations and risk control
With the advent of big data, the reuse of personal health data has become the norm. The value and useful outcome of personal data can be fully extracted only if it is repeatedly utilized (Liu 2021). In order to resolve conflicts between the unpredictability of data processing and the requirement of specific and explicit purpose limitation, when dealing with non-sensitive personal health data, a generalized and broad consent applies under the agile governance model. Accordingly, the principle of purpose limitation and minimum necessary should be interpreted on the basis of the generalized consent, namely, the consent extends to future processing within the framework.
Under the interpretation of the purpose limitation principle, the core requirement of purpose specification is appropriately relaxed. As mentioned above, processors of personal health data are only required to disclose an approximate and overall framework of the processing, consistent with the generalized informed consent principle. In other words, data processors only need to identify the meaning of a processing purpose without enumerating in detail what kind of processing falls within and what falls outside the purpose. This interpretation also allows for some degree of flexibility for further use of data. The value of big data lies in the consolidation of data, the massive scale and diversity of data, and the iteration of data collection and processing with improved methods. Existing data can be reused to discover new and valuable knowledge, and additional purposes of data processing may arise during the original processing operations. Such a further purpose, if it falls under the umbrella of the predetermined framework, is exempt from additional authorization by data subjects.
To avoid unrestricted data processing through the abuse of a generalized consent, unrestricted broad consent, i.e., vague clauses such as one-time authorization for lifetime use, should be prohibited. Moreover, the framework of processing should not be stated so generally and broadly as to be meaningless. Otherwise, the generalized consent may be distorted into a tool that overrides the autonomy of individuals. With regard to further use, the substantive “compatible use” standard adopted by the European Union gives data processors some flexibility as long as the further use is not incompatible with the initial purpose. Assessing whether a different purpose in processing operations after the time of data collection is compatible requires a case-by-case review, and several common key factors to be considered in the assessment have been developed by Member States.16 It should be noted that this compatible use standard is built on the precondition of purpose specification, namely, a purpose must be detailed and precise enough to delimit the scope of processing, albeit the degree of detail and precision is dependent on particular circumstances.17 In contrast, under the generalized framework of processing, the requirement of specification is not strictly followed at the time of data collection. Nevertheless, it is learnt from the very underlying justifications for compatible use that the purpose of (re)use under the umbrella of the framework should be reasonably expected by the general public. Accordingly, the established principle of purpose limitation is relaxed to the extent of the reasonable expectations of individuals based on the specific context in which data have been collected. This interpretation can not only protect the general public’s expectation of the predictability of data processing activities and the risks associated with processing, but also avoid unnecessary restrictions on the reasonable utilization of data caused by a static and detailed purpose identified in advance.
Furthermore, according to the interpretation of the minimum necessary principle under the agile governance model, a new but flexible standard of minimum risk should replace rigid restrictions by the introduction of risk assessment and monitoring mechanisms. As required by the principle of minimum necessary, data should be processed in a way that minimizes damages to the rights and interests of the individuals. On one hand, rigid restrictions such as minimum collection and minimum data retention time are not directly related to minimum damages. If the processing of personal health data puts priority on the individuals’ interests, the requirement of minimum damages has been covered by the meaning of protecting the individuals’ interests, and there is no need to impose restrictions on data processors through minimum collection and minimum data retention time. For example, medical institutions may need to store patients’ electronic medical records for a long time, for the convenience of comprehension of patients’ medical history in subsequent diagnosis and treatment, or for the sake of avoiding possible medical disputes. In this case, it is probably not appropriate to comply with the requirement of minimum data retention time. On the other hand, rigid restrictions may essentially hinder the flow and sharing of personal health data, contrary to the aim of fully realizing the value of data elements. Considering the generalized purpose identified under the framework and the ever-changing feature of the risks associated with the utilization of personal health data, there is no doubt that rigid and mandatory measures cannot effectively control the risks and minimize damages to the individuals. Data processors should therefore establish dynamic and flexible risk assessment and monitoring mechanisms to control the potential risks, especially those in secondary utilization of data, within the reasonable expectations on privacy by the individuals (Fan 2016). 
A possible mechanism, which draws great academic and industrial attention, is data trust. It requires the involvement of independent parties between individuals and data processors. Accordingly, independent parties (as the trustees) take into account the risks and vulnerabilities of the individuals (as the beneficiaries) in decision-making and are bound by fiduciary duties in the course of data processing (Delacroix and Lawrence 2019).
The allocation of responsibilities in remedy rules: balancing rights and responsibilities
The insufficiency of anonymization measures and tort rules in protecting personal health data is rooted in the imbalanced allocation of responsibility among multiple stakeholders involved in data processing. Consequently, this problem could be redressed by clarifying obligations of stakeholders and balancing their rights and responsibilities.
Firstly, data processors should bear a series of obligations to assess and control the risks of anonymized data. Anonymization is not the end of the compliance obligations of data processors. Given the risk of re-identification of anonymized data, data processors entitled to proprietary rights in personal health data must take responsibility for controlling such risk and improving self-governance mechanisms. Data processors should establish pre-event, in-progress, and post-event risk assessment mechanisms (Wang 2016; Zhang 2019). In the pre-anonymization period and in the process of anonymization, data processors should assess the risk of utilizing anonymized data, choose appropriate security measures and make timely adjustments. During the sharing and utilization of data that have been anonymized, sound internal supervision and management mechanisms should be established and risk response mechanisms should be improved to monitor and detect risks of re-identification, and to take active steps to prevent re-identification in subsequent processing. Accordingly, a chain of risk control through the lifecycle of data is formed based on prevention, update and response mechanisms.
Secondly, with regard to the difficulty individuals face in seeking relief under the current tort liability rules, the burden of proof on individuals should be further reduced. Although a high degree of probabilities standard, which requires clear and convincing evidence, is generally established in civil proceedings, lowering such a standard should be allowed in special circumstances, in view of case facts that make proof extremely difficult or out of policy considerations (Wang 2024). As mentioned earlier, a number of parties are involved in the lifecycle of personal health data, and an individual in a passive and vulnerable position in data processing usually has difficulty in identifying the direct injurer who infringes the rights and interests in his/her personal health data, let alone proving causality. Objectively, it is impracticable to adopt a high degree of probabilities standard to convince judges that it must be a data processor that has leaked the private information of an individual. For instance, in Pang Lipeng v. China Eastern Airlines Co., Ltd. & Beijing Qunar Information Technology Co., Ltd., from the perspective of the financial and technical costs of collecting evidence, the appellate court held that the plaintiff, being an ordinary person, simply did not have the ability to prove whether there were loopholes in the internal data management of the two defendants.18 If a high degree of probabilities standard is imposed on individuals, the chance that they obtain fair remedies is greatly reduced, and so is the incentive for protecting their rights and interests over data. To a certain extent, infringement on the rights and interests in personal health data by data processors is encouraged by this stringent standard of proof. Given that data processors have a better understanding of and greater control over data processing and data flow, it costs data processors less to collect evidence.
It is hence suggested that the standard of proof in causation be lowered, and the preponderance of evidence standard be adopted, which requires a greater than 50% chance that the causation is true. If an individual can demonstrate that it is more likely than not that the defendant(s) caused damage to his/her personal health data interests, and the defendant is unable to rebut the preponderance of such infringement, the causality is successfully established. Difficulty in proving the severity of damage from mental distress could also be decreased by judicial interpretation on the judgement standard. It is proposed that Wilburg’s flexible system theory be drawn upon to clarify the factors that should be taken into account, including the information carried by leaked data, the occupation and conduct of individuals, the behavior of data processors, etc. (Koziol 2009). This will improve the predictability of judicial discretion and provide guidelines for individuals in evidence collection and compensation calculation.
Conclusion
Under the trend of deep integration of artificial intelligence and healthcare, personal health data has gradually transformed from mere paper records of diagnosis and treatment into a full lifecycle of data flow, which could be extensively applied in AI-assisted diagnosis and treatment, smart health monitoring and management, and drug research and development. While gradually becoming an important element of production which drives the transformation of smart healthcare, personal health data has been facing new risks and challenges arising from excessive collection, over-processing and unrestricted abuse. How to resolve the tension between technological development, the sharing and flow of data elements and data security protection is an urgent issue requiring a legal response in the era of “AI plus healthcare”. Over-emphasizing the protection of personal health data would hinder the development of technology, while unrestricted utilization of data violates the basic requirements of protecting the legitimate rights and interests of human beings. Unfortunately, the current legal framework cannot provide sufficient protection to personal health data under this background. Due to theoretical divergence on the ownership structure of data, the allocation of rights and responsibilities among the multiple stakeholders involved throughout the lifecycle of personal health data is confusing and uncertain. Besides, the static data governance model centered on individual empowerment is not only unable to regulate dynamic risks emerging from the application of AI in the healthcare industry, but also fails to respond to the needs arising from the social attributes of data.
In this context, the agile governance model, characterized by dynamic adaptability and multistakeholders collaboration, has become a rational choice to balance the demand for risk control and reasonable utilization of personal health data in this new era. The split of data ownership structure should aim at synergistic governance by multiple stakeholders. Accordingly, the personality and proprietary rights over personal health data should be allocated to data subjects and data processors respectively, and the government should be entitled to manage and promote personal health data by policy and technical tools, and to use data for public interests. In response to the ineffectiveness of the principle of informed consent, a differentiated mechanism based on risk classification should be adopted, and depending on the type of situation, a specific consent, a generalized consent, or even no consent is required for data processing. To address the impracticability in implementing the principle of purpose limitation and minimum necessary, the framework of processing should be laid down and interpreted in an expansive and generalized manner within the limits of reasonable expectation by the general public, and rigid restrictions such as “minimum collection” should be replaced by flexible risk assessment and monitoring mechanisms to achieve “minimum risk”. With regard to the insufficiency of anonymization measures and tort rules, a balance should be reached in the allocation of responsibilities among multiple stakeholders. Data processors should undertake obligations of risk assessment and control before, in, and after data anonymization. To alleviate the burden of proof on data subjects, a preponderance of evidence standard in proving causality should be adopted, and Wilburg’s flexible system theory should be introduced in evaluating the damage.
Acknowledgements
Great gratitude to Associate Professor Mingfeng Zhou, School of Humanities, Jinan University.
Authors’ contributions
Both authors are involved in theory analysis and article writing. All author(s) read and approved the final manuscript.
Funding
The research is funded by Guangdong Planning Office of Philosophy and Social Science (Project title: Researches on Theories and Implement Mechanisms of Data Trust in Digital Economy Era; Project No.: GD22CFX08) and by 2023 “Yangcheng Young Scholars” project under the Guangzhou 14th Five-Year Plan Philosophy and Social Sciences Development (Project title: Research on Pathways and Strategies for Guangzhou to Enhance Institutional Openness Capacity Based in the Greater Bay Area; Project No.: 2023GZQN13).
Data availability
Not applicable.
Declarations
Ethics approval and consent to participate
This article does not contain any studies with human participants.
Consent for publication
Not applicable.
Competing interests
The authors declare that they have no competing interests.
1. Cyberspace Administration of China. 2021. Reports on illegal collection of personal information by 129 Apps. https://www.cac.gov.cn/2021-06/11/c_1624994586637626.htm. Accessed 12 October 2025.
2. Articles 1035 and 1036, the Civil Code; Article 14, the PIPL.
3. Article 29, the PIPL.
4. Article 14(2), the PIPL.
5. Guangdong Communications Administration. 2021. 209 Apps were ordered to rectify or stop services by Guangdong Communications Administration (From November 2020 to December 2020). https://gdca.miit.gov.cn/xwdt/gzdt/art/2021/art_56d961693e12484d84818f92245543d1.html. Accessed 12 October 2025.
6. Articles 5 and 6.
7. Article 73, the PIPL.
8. Article 69, the PIPL.
9. See Sun XX v. Pingan Bank Co. Ltd, and Shenzhen Xinfuyuan Investment Consultation Ltd, Civil Judgment (2017) Yue 03 Min Zhong No. 7378 of the Shenzhen Intermediate People's Court of Guangdong Province (孙某某诉平安银行股份有限公司、深圳市鑫富源投资咨询有限公司隐私权纠纷案, 广东省深圳市中级人民法院 (2017) 粤03民终第7378号民事判决书).
10. Article 1034, the Civil Code.
11. Articles 44–47, the PIPL; 45 C.F.R. § 164.404, § 164.520, § 164.522, § 164.524, § 164.526; Articles 15–22, the GDPR.
12. 45 C.F.R. § 164.502(a)(1)(ii).
13. Articles 32, 35, and 35, the GDPR.
14. Articles 13 and 26, the PIPL; 45 C.F.R. § 164.512(b)(c)(d)(e)(f); Article 6, the GDPR.
15. Articles 28 and 29, the PIPL.
16. Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation (00569/13/EN WP 203) (Adopted on 2 April 2013), at 21–24.
17. Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation (00569/13/EN WP 203) (Adopted on 2 April 2013), at 15–16.
18. See Pang Li-peng v. China Eastern Airlines Co. Ltd, and Beijing Qunar Information Technology Ltd, Civil Judgment (2017) Jing 01 Min Zhong No. 509 of the Beijing First Intermediate People's Court (庞理鹏诉中国东方航空股份有限公司、北京趣拿信息技术有限公司隐私权纠纷案, 北京市第一中级人民法院 (2017) 京01民终509号民事判决书).
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© The Author(s) 2025. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”).