Cross-Border Trade in the Age of China’s Data Security Law

Earlier this summer, China’s National People’s Congress (NPC) Standing Committee released two vital documents regarding data management: the Data Security Law (DSL) and a Personal Information Protection Law draft. In combination with the Cybersecurity Law of 2017, these legislations set the legal framework for China’s internet management in the 21st century.

Despite global regulations being infamously slow to adapt to the effects of the internet, nations are converging on an agreed-upon standard for managing data. In 2018, the European Union passed the first comprehensive set of policies in the EU General Data Protection Regulation (GDPR). The law returns control of personal information to the users, secures data when it enters nations outside of the European Union, and sets measures for how businesses must protect such exchanges.[1] Since 2018, many more countries have followed.[2]

China’s two recent laws bring the nation’s data-management rules in line with these international standards. The laws establish three crucial new standards that will require advanced compliance from data handling institutions to ensure personal data is kept private, cross-border transactions are tracked, and data flow is effectively secured. Most importantly, the new laws require a rethinking of how all information will move across borders.

Intranational Implications

The Personal Information Protection Law (PIPL) outlines how the personal data of Chinese citizens will be safeguarded in the digital sphere and by government agencies. The current draft of the law requires explicit consent for any sort of data collection (Article 13), guarantees timely and clear notice to those whose data is being used (Article 31), places strict limits on state organizations’ management of personal information (Article 34), and sets standards for how individuals can request their data be corrected or deleted (Article 47).

Most significantly, the PIPL holds data collectors accountable for collecting, storing, and using information. Article 51 requires “Personal Information handlers… adopt the necessary measures to ensure personal information handling conforms to the provisions of laws… prevent unauthorized access as well as personal information leaks or theft, distortion, or deletion.” The code places the burden of formulating international management structures, rules, and technical measures (encryption, de-identification) onto the data-handling institutions.

The Data Security Law (DSL) standardizes how data is handled, secured, and developed. More specifically, the law clarifies the role of data in national security, public interest, and commercial transactions. It more clearly assigns government departments responsible for different aspects of data handling, clarifies penalties, defines the structure of data’s importance, and requires rigorous risk assessments. Most importantly, it requires data-handling institutions to maintain an anonymous and secure record of all transactions.

International Implications

Traditional paper exchanges of documents, information, and contracts are incapable of supporting the speed of modern cross-border trade. The physical occupation of papers is still responsible for most international shipping delays, especially for shorter routes. Unfortunately, few international standards exist for moving this sensitive information between nations. Thus, government offices, banks, custodians, and customs offices have not had a reliable expectation of security to accept digital assurances. As a result, transnational trade has been one of the slowest industries to digitize.

For the first time in China, the Data Security Law outlines a vision for the cross-border management of such data. The law requires private firms to store information within China, inform citizens about how their data is used abroad, and receive permission from the State Cybersecurity and Information Department to move sensitive information outside of the country. While these standards create additional organizational burdens, they are vital to bringing cross-border trade into the 21st century.

Staying legally compliant with the new standards is risky, time-consuming, and expensive. Developing every aspect of regulatory enforcement from scratch will require months of trial-and-error, new internal management standards, and an expectation that one mistake can result in huge fines or permanent business closure. Additionally, most existing IT systems lack the capacity and technical sophistication to handle trillions of transactions under the new laws.

Blockchain for Cross-border Exchange

Blockchain’s encryption and distributed nature guarantee that on-chain transactions are permanently stored and cannot be tampered with. However, two fundamental problems still stand in the way of blockchain’s mass adoption: price and interoperability. Developing its blockchain system to process all the data flowing in and out would cost millions for each business. Even after the chains are developed, they are still at risk of being incompatible with other blockchain protocols. Additionally, because China’s legal framework only allows applications built on permissioned chains, exchanging data with countries that would enable permissionless chains is technically and legally impossible, which causes significant challenges for cross-border data transfers.

The COVID-19 pandemic has demonstrated the vulnerabilities of the global supply chain and international trade. While the structural shocks were unprecedented, they merely exacerbated existing infrastructure weaknesses that support cross-border exchange. Paper-based processes won’t be able to keep the increasing size and vulnerability of such networks.

Currently, blockchain is the only way to carry out all the necessary technical functions efficiently and securely.

Blockchain can address many of the inefficiencies in current systems. For example, while delivering documents to get goods out of a port can take days and is vulnerable to delays, the electronic bill of lading can be produced from supplier to financier within seconds, secured by state-of-the-art encryption and at a fraction of a cost. Blockchain enables firms to establish personal and secure information exchange channels recognized by customs authorities, government offices, and banks. The transactions that would typically take weeks can now take seconds with the support of the proper infrastructure. For the future stability of cross-border exchange, blockchains must be adaptable, interoperable, and bilateral.

The Blockchain-based Service Network (BSN) is the first global infrastructure designed to manage international trade’s legal and technical risks. China’s recent data management regulation adds strict requirements for institutions exchanging data with parties in other nations. The BSN provides a network upon which businesses can integrate many existing blockchain-built applications, connect to the applications of institutions in other countries, and exchange data securely. The BSN offers three essential benefits for institutions engaged in cross-border trade:

• Security

The BSN integrates applications built on different blockchain frameworks, secured via encryption of their unique protocols. When an institution in China exchanges information with another nation, the network ensures the two relevant parties can only see data. This means that neither hackers, governments nor the BSN can access this data. Additionally, the network supports zero-knowledge proof that can preserve privacy while transferring value over the network. With a few clicks, institutions themselves can ensure that even they don’t see the specifics of the data exchange while still providing the data is credible and actionable.

• Choice

Because organizations have unique operational and organizational needs, they require blockchain frameworks that apply to those specific demands. At its core, the BSN is chain-agnostic. This means that organizations can connect any blockchain to the network and exchange information internally between other applications or externally with other blockchains. Institutions do not need to rewrite all applications on one blockchain, and they are assured that they can still seamlessly exchange data with others.

• Legal Compliance

The BSN facilitates the exchange of data between permissionless and permissioned jurisdictions. While China currently only allows applications built on permissioned protocols, the BSN ensures seamless data exchange with a jurisdiction where businesses build their applications on permissionless blockchains. By translating data from permissionless chains onto a permissioned chain within China, the information is still transferred securely and in compliance with the laws of both jurisdictions.

The BSN is the key to a legally compliant and technically viable cross-border exchange of data. The BSN’s architecture gives developers the ability to build their blockchain applications at a fraction of the cost of traditional services. In addition, the BSN’s network design permits applications built on different standards to exchange data freely. Especially regarding transnational trade scenarios, Choice is the most component for dynamic and scalable global exchange. The BSN ensures every business can choose the blockchain technology best fit for their needs and protects personal information without imposing those standards on other nations. These networks will be critical for companies to be compliant with China’s new data handling regulations and the new technical challenges that will arise. The BSN sets an international standard for how transnational blockchain projects are organized, respecting local laws and individual business choices.

References:

[1] https://gdpr.eu/what-is-gdpr/

[2] https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/magazine/beyond-gdpr-data-protection-around-world