How China Governs Data
By Adil Nussipov
In China, people are protected against data processing for commercial purposes, however, the government is not bound by the rules. It wants to control every aspect of the citizens’ lives and uses advanced Artificial Intelligence technologies to monitor, track and asses their behavior.
In our previous posts, we covered EU’s ambitious plans to give its citizens better tools to manage their personal data in the single digital market. We also wrote about the U.S. federal government’s market self-regulation approach to data governance that drew criticism from various states like California. This article completes our preliminary exploration of major data governance models by focusing on China’s approach to cross-border data flows.
The Chinese government is yet to make critical choices regarding data governance although it solved some fundamental questions like data localization. Chinese citizens are protected against data processing for commercial purposes (although the Chinese government itself is not bound by these rules). In practice, the Chinese population is better protected in terms of personal data use than American citizens. The unique combination of data protection and the government’s control over data flows, characteristic for China, adds an additional layer of complexity to global data governance.
China’s Dilemma
China’s data governance framework is a part of its national digital strategy, which is implemented by the Cyberspace Administration of China (CAC). The CAC reports directly to the Central Internet Security and Informatization Leading Group that is directed by the President Xi Jinping himself. This institutional arrangement shows the significance that the government of China attaches to regulating cross-border data flows.
At its core, three key documents describe China’s approach to data governance. The foundational framework was established by Cybersecurity Law in June 2017. Other two documents are Personal Information and Important Data Cross Border Transfer Security Evaluation Measures (commonly called to as “The Measures”) and Information Security Technology — Guidelines for Data Cross-Border Transfer Security Assessment (“The Guidelines”). The Chinese government uses these regulations, along with other overlapping and sector-specific laws to govern the processing of personal and non-personal data.
One of the strongest characteristics of China’s approach to trans-border data flows is a data localization requirement, that de-facto existed from early 1990s, but that was formalized in the Cybersecurity Law. It means that any business operating within the borders of China should store all personal data of Chinese citizens and other “important data” on servers located inside the country. If a certain company needs to transfer data outside the country for business purposes, the government conducts the security assessment before allowing them to do so.
However, China’s security assessment mechanism, which is yet has to be finalized, is different from APEC’s Cross-Border Privacy Rules or EU’s General Data Protection Regulation (GDPR) as it provides much more freedom for the government to prohibit data transfer for its own political purposes. Terms referring to national security, citizens’ livelihood, public interests and economic development are specifically vague to ensure that the government has a considerable freedom in deciding on these matters. The philosophy of data localization in various forms applies to all sectors of economy that deal with any data that the government considers as important.
Despite this strong hold over data, the whole data governance framework in China is still a work-in-progress. Except for the Cybersecurity Law, many of country’s regulations are still being drafted, according to New America, a U.S. think tank. On the one hand, China needs free trans-border flows of data to upgrade its economy, but at the same time, the government is not willing to give up control over the economy and political stability.
There is an obvious economic benefit that China would enjoy if it allows free trans-border flow of data. The country is home to more than 700 million internet users, leading tech manufacturing companies like Huawei and Lenovo and growing tech giants like Alibaba, Baidu and Tencent. As its home-breed tech companies are preparing to enter the global market, restrictions on free trans-border data flows are likely to disrupt their global operations and make them less competitive.
On the other hand, the liberalization of data flows would also lead to less control over national economy. As Ferracane and Lee-Makiyama argue, the economy in China constantly operates on the edge of market failure, trying to balance market competition with political hegemony. The government’s ability to intervene and adjust the economic course is essential in keeping this balance. In the face of increasing digitization of the economy, loosening up the control would also mean less ability to investigate and understand when and where the intervention is needed.
Free flow of data has also political implications.
First, the Chinese government wants to control every aspect of their citizens’ lives. The government uses advanced Artificial Intelligence (AI) technologies to monitor, track and asses via a social credit system the behavior of citizens. The internet and unregulated flow of data has empowered citizens around the world, giving them freedom of speech and access to information, which, in the eyes of the government, endanger the political and social stability of the country. In contrast, restricting data flows allows the government to centralize its surveillance.
Second, as many other states, China strive for data sovereignty, too. The government perceives data as a resource that needs to be protected from foreign appropriation. Amidst trade wars, foreign interference and digital trade manipulations, data dependency is perceived by the Chinese government as a legitimate concern.
China in Global Data Governance
Defining data as a resource illustrates important differences in how China, the EU and the U.S. regulate data. In the EU, citizens and their rights are at the center of data regulation debates. In the U.S., despite the market-based regulation of data protection, citizens still participate through their feedback, being able to punish companies that fail to protect personal data of customers. States such as California and New York already consider state-level regulations of data.
In China, citizens are excluded from this feedback loop. Instead of three-way feedback between citizens, business and government, in China the feedback loop includes only the government and business. The government treats data as matter of extraction and monopolization rather than a privacy-related matter. By monopolizing and centralizing data flows, the government believes that it protects the personal data of citizens from hackers, terrorists, foreign governments and companies. At the same time, these strategies allow the government to prevent their tech champions from becoming too powerful and influential (as it happened in the U.S.) as that, in the long term, may present a threat to the Communist rule.
Surprisingly, such focus on data protection and data flows centralization, even with the unchecked government’s control, makes China one of strongest privacy protectors in the world. The Cybersecurity Law, the Measures and the Guidelines in combination with an array of laws and standards applied in other sectors, provide Chinese citizens strong protection against data collection for commercial purposes, but at the same time allow for government-sponsored data collection.
This paradox adds an additional layer of complications to data relations between the U.S., EU and China.
First, the focus on data protection makes China more aligned with the EU, than with the U.S. Although the EU and China mean different things when they use the term of data protection (privacy versus national security), China’s Cybersecurity framework came closest to the EU’s GDPR in terms citizen protection. It also means, ironically, that in the absence of any federal data regulation in the U.S., China provides more privacy and data protection to its population than the U.S. does.
Second, despite similarities between the Cybersecurity Law and GDPR, the EU’s officials on numerous occasions have clearly expressed the opinion that China’s approach to data governance might not be adequate under GDPR, Sacks and Sherman argue. Despite the EU’s criticism of the lack of regulation of data protection in America, EU and the U.S. stand together in their stance on China.
Third, the U.S. disputes China’s strong data protection laws with the World Trade Organization (WTO) for violating the free trade agreement. The U.S. uses international trade law to advance and protect the interests of its corporations. In its communication to the WTO, the U.S. argued that China’s Cybersecurity Law puts unnecessary costs on foreign firms’ operations as they constantly transfer data between a local branch and headquarters.
If global talks on rules governing cross-border data flows emerge, they will take place in a complex environment. Global data governance today is increasingly fragmented. Influenced by different ways of understanding data, economic interests and political motivations, major data powers stand divided. It will take gigantic efforts to see a global governance model of trans-border data flows in place any time soon.
Adil Nussipov is a researcher working on a project aiming to map the global data governance and to identify the design of the global data governance architecture. He also works on the Media Influence Matrix project at the Center for Media, Data and Society and acts as Global Governance Editor at E-International Relations. Contact him at NussipovA@ceu.edu, or Twitter: @adilnsspv
