Beyond the Worst-Case Assumptions on China’s Cybersecurity Law

There's still an internal tug-of-war over cross-border data flows
Blog Post
Oct. 13, 2017

On June 1, China’s new Cybersecurity Law went into effect. Before and since there has been intense discussion in international business circles and governments about what that means in practice. In the United States especially, there has been a tendency toward reading the law and related documents in “worst case scenario,” fueling concerns that China’s emerging digital governance regime will systematically disadvantage outside firms and champion domestic tech giants. For example, a September 25 filing by the U.S. Government with a World Trade Organization body reflected a dire interpretation of some of China’s ambiguous language.

However, a close look at what Chinese officials are actually saying suggests healthy debate within the Chinese system. While business groups have been lobbying intensely on specific provisions, often responding to early drafts, the Chinese government is still in the process of developing and issuing the regulations, standards, measures, and guidelines that operationalize the new law’s requirements. Not only is that process subject to international pressure (U.S., European, and other international interests continue to seek delays or even the scrapping of some particularly controversial provisions), it is increasingly clear that there remains a keen debate among Chinese interests on these issues. An important government office said as much late last month. Following the U.S. filing at the WTO, China’s Ministry of Public Security (MPS) Third Research Institute, which researches cybersecurity technologies and policies, issued both a Chinese translation of the U.S. letter and a short response in a WeChat post.

This response should not be taken lightly. It sends a clear message that while some interests and voices in China’s policy discussion favor uncompromising interpretations of China’s data protection measures that would significantly disadvantage global firms, other voices, especially those concerned with Chinese companies’ global expansion plans, see downsides in heavy restrictions on cross-border data transfers.

The rest of this post explores some of the nuances of the ongoing discussion with particular reference to what Chinese policy makers and thinkers are saying about it.

Chinese officials have responded through a variety of channels, calling in foreign information and communication technology (ICT) companies, trade groups, and in some cases embassy officials, for lengthy sessions where Chinese officials, typically from the Cyberspace Administration of China (CAC), present clarifications about particular regulations and take comments, oral and written, from concerned groups.

These CAC efforts to hear and be heard have not been totally successful. Or at least, it is evident that they have not been enough for the U.S. government. In the September 25 WTO filing, the U.S. government noted that although it “has been communicating these concerns directly to high-level officials and relevant authorities in China,” it nonetheless requested that China delay issuing final language or implementing measures related to one specific and complex issue—cross-border transfers of data—until its concerns are addressed. Based on Chinese drafts released for comment, the U.S. filing argued, “The impact of the measures would fall disproportionately on foreign service suppliers operating in China, as these suppliers must routinely transfer data back to headquarters and other affiliates.” In effect, the U.S. government, like so many other concerned parties, faced the uncertainty of an evolving and burdensome regime and has argued for a halt using rhetoric based on worst-case assumptions.

What the U.S. and broader international conversation has missed, however, is that the uncertainty about China’s emerging digital governance regime is not limited to foreign capitals and boardrooms. Indeed, debate and disagreement about how to interpret and implement the key provisions of the Cybersecurity Law thrives within China.

Of course, acknowledging differing views doesn’t mean international firms shouldn’t be concerned; the evolution of this regulatory regime produces tremendous regulatory and political uncertainty in ICT sectors, and that can be costly on its own. Any outcome is likely to pose new challenges for international firms eyeing the Chinese market.

But the live debate within China suggests that the eventual regulatory environment may not be as bleak as worst-case assessments would suggest. Understanding the contours of that debate is a precondition for interested parties to make more effective advocacy and for everyone to better understand the road ahead.

What is driving the concern over China’s new Cybersecurity Law and why does Beijing want a data protection regime with Chinese characteristics?

While there are numerous areas of concern for foreign ICT businesses and their governments, the recent U.S. filing at the WTO provides a good case study. It is primarily concerned with two important regulations, associated with China’s Cybersecurity Law, relating to cross-border data transfers. They are:

For Short Full Name Issuer
The "Measures" Personal Information and Important Data Cross Border Transfer Security Evaluation Measures (draft for comment) [English] 个人信息和重要数据出境安全评估办法(征求意见稿)[Chinese] (NB: These links point to a published April version; industry sources say two additional versions were quietly circulated—in May and August.) Cyberspace Administration of China (CAC)
The "Guidelines" Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (draft for comment) 信息安全技术 数据出境安全评估指南(征求意见稿) [Chinese] National Information Security Standardization Committee (TC260)

[Update: Links in the above table became broken at some point. Here are up-to-date links as of April 22, 2019: For the Measures, Chinese and English. For the Guidelines, Chinese (in Microsoft Word format). –Ed.]

Like any thorough digital-era data protection regime, China’s emerging rules requires different protection practices for different types of data. Unlike some data protection regimes, however, documents such as these, if implemented, would require that certain types of data be stored in China and that special rules be followed before transferring certain types of data abroad. If fully implemented, operators of the broad category of “critical information infrastructure” would be required to undergo security reviews to assess both any risks associated with transferring the data concerned and whether the recipient of the data has sufficient protections in place.

These reviews are not comparable with requirements under international regimes such as the voluntary APEC Cross-Border Privacy Rules (CBPR) or EU’s General Data Protection Regulation (GDPR). Passing one of these Chinese reviews for outbound data transfer is linked not merely to personal privacy or raw data security, but also to “national security” and broader, more ambiguous concerns like “the people’s livelihood” (Cybersecurity Law Article 31) or “economic development and social and public interests” (in the “Guidelines” referenced below).

Still, the two documents take on a challenge that many governments face and that the U.S. government hasn’t yet approached in a holistic way. They put forward a rules-based system that attempts to balance company responsibility with government mandates, recognizing that business and technological realities require allowing certain types of data to be transferred outside of China. The result so far positions China between the stricter provisions of the GDPR in Europe and the more voluntary and less stringent requirements of the APEC CBPR.

The U.S. filing with the WTO argues that “Many less burdensome options exist to achieve privacy objectives, including” CPBR. But conversations with Chinese policymakers suggest that CAC views this suggestion as a continuation by other means of efforts in the failed Trans-Pacific Partnership (TPP) to spread U.S.-preferred digital economy trade provisions—principles that many in China see as outdated and insufficient to address a country’s data protection needs. European regulators behind the stricter GDPR appear to agree that the generally more laissez-faire U.S. approach does not meet the challenge. Given that international “best practices” are incomplete at best, a leading CAC data expert noted: “Why would China not proceed from its own interests, and make an independent choice?” Even apart from any differing views on the policy goals of a data protection regime, the inadequacy of already existing international regimes explains why China’s government is unlikely to simply adopt something already out there—and why trade groups and governments asking China to scrap or halt implementation of the Measures are unlikely to succeed. Even if broader international regimes are to emerge in the future, it is unrealistic to expect China’s government not to cement its preferences before the inevitable years of negotiation.

Why a terse Chinese government response to a U.S. filing matters

The early Chinese comment on the U.S. WTO filing, expressed on an official social media account but not apparently reported in state media, goes on for only three short paragraphs, the last two of which are translated here. The final two sentences in bold below are crucial:

With the release of Personal Information and Important Data Cross Border Transfer Security Evaluation Measures (draft for comment) (个人信息和重要数据出境安全评估办法(征求意见稿) and Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (draft) (信息安全技术数据出境安全评估指南 (草案)) and other documents and standards, the original principles, provisions, and clauses of the Cybersecurity Law are being gradually clarified. The aforementioned draft underwent revision, adjustment, and improvement between the first and second drafts, responding in part to the main concerns of domestic and foreign enterprises. Some of these organizations’ requirements already influenced the law, for example in the amount of data required for assessment, the period of time data must be retained, etc. But the controversy and compromise has not yet been resolved, which will continue to test the technological and coordinating capabilities of the legislature.

Although the Cybersecurity Law already has formally taken effect, it is foreseeable that various stakeholders in the game will persist in the tendency to make interpretations.

These two sentences underscore that there are balancing forces in the Chinese system, forces that represent different approaches and interests. They suggest a lack of unanimity within and among the bureaucracies that will ultimately be responsible for enforcing the Measures and reporting to senior authorities on how enforcement affects multinationals operating in China. They underline that Chinese businesses, not just foreign ones, have expressed concerns. And they make explicit that interpreting the Cybersecurity Law and the eventual final Measures will continue to be necessary, numerous regulatory authorities will take on new responsibilities, and it will take time for clarity to emerge for businesses. This process of interpretation will almost surely include a prolonged period of negotiation among authorities and stakeholders, as the operational costs of the strictest interpretations may not be immediately clear to regulators.

Hence, the Chinese response to the WTO letter should not be dismissed. It signals important internal debate within China’s political system over how to develop, implement, and enforce China’s emerging data protection regime.

Competing Voices

Some of this internal debate can be observed in public sources, yet a textured understanding of the competing voices is missing from much of the U.S. public conversation. Key players in China think that cutting off cross-border data flows will hurt the country’s global economic goals. From national tech champions like Alibaba seeking global markets, to Chinese financial institutions facilitating global transactions, cross-border data flows are a core operational reality.

Key policy thinkers, not just businesses or foreign governments, are conscious of the dilemma. Dr. Hong Yanqing is an example of an authoritative figure who has written about the importance of “balancing development with security.” Hong is research director at the Internet Development Research Institute at Peking University, leads the personal data protection project for TC260, and is deputy head of the task force for the Guidelines. He writes: “A fundamental consensus has emerged today that data naturally flows across national borders, that data flows produce value, and that data flows can lead to flows of technology, capital, and talent. Therefore, data flows are the norm, and circumstances where flows are limited are the exception. This is well reflected in the Measures.” However, critically, Hong notes that “data has become a national basic strategic resource.” This means the Chinese government believes that data is on par with other natural resources such as oil and gas, and requires a protection system that provides the government with insight into what types of data are flowing across borders. Beijing’s approach therefore is more expansive than that of the European Union, which views data protection primarily through the lens of user privacy.

Chinese companies with global aspirations are also concerned about how China’s evolving approach to cross-border data transfer will affect their operations. E-commerce giant Alibaba in particular is attuned to the provisions of the Cybersecurity Law related to data flows. The company headquarters has been quiet on the issue, but one of its prominent think tanks, the Ali Data Center for Economic Research advocated for the “free flow of information and data to drive the Internet and global economy,” and argued that obstructions would create problems for Chinese Internet companies overseas. The article’s authors cite statistics saying that in 2015 Alibaba had 21.24 million cross-border export orders in over 200 countries and regions, and 30 million Chinese consumers bought imported goods. Burdensome data transfer regimes could undermine Alibaba and other Chinese tech leaders like Baidu and Tencent as they develop cloud services, artificial intelligence research and development centers, and consumer-facing services around the world.

How responsive is Beijing to these voices?

Already, some quietly circulated revisions to the rules related to cross-border data transfer reflect more nuance in how the Chinese government is approaching the issue than the dire warnings of the U.S. WTO filing would suggest. To be sure, the rules remain vague and provide ample room for political whim by Beijing to limit market access, if it chooses to do so. But the Chinese government has demonstrated a degree of responsiveness to foreign and domestic industry concerns that should be recognized.

In April, the CAC met significant backlash from both foreign and domestic industry when it released the first draft of the Measures. Article 2 of the Measures mandated that all personal information and “important data” needed to be localized in mainland China. This marked a significant expansion from the scope of the Cybersecurity Law. Article 37 of the law is more narrow: It requires only personal information and other important data gathered or produced by entities designated as operators of critical information infrastructure to be stored within China. The outcry over the change led the CAC to walk back this stipulation in a second draft of the Measures circulated in May. In addition, in that draft, CAC moved the effective compliance date for the Measures to December 31, 2018, from June 1, 2017.

In August, the Chinese government made some small tweaks to the rules in a third draft (circulated within parties affected by provisions in the Measures but not yet released to the public). Changes included eliminating the threshold of 1,000 GB of data as a trigger for regulatory assessment, and an addition regarding implied consent for personal information. Going forward, it will be important to watch the rules and standards associated with securing “critical information infrastructure.”

Calibrating the right U.S. policy Response

At this formative moment, when China’s evolving approach to the critical issue of cross-border data flows is still in flux and Chinese cloud services and payments operations are expanding overseas, it would be a missed opportunity to disregard the locus of active debate in favor of worst-case assumptions. The U.S. government seems to have committed for the moment to a more confrontational approach to bilateral trade with China, and that could interfere with U.S. advocacy on other issues.

An ongoing U.S. Trade Representative investigation into China’s industrial policies and trade practices will necessarily complicate efforts to continue industry input into China’s evolving approach to data protection and its cross-border data regime development. With the near certainty that the investigation will end in a finding that Chinese practices are unacceptable, U.S. countermeasures could tighten the room for maneuver across many issues—including cross-border data transfers. International advocates for a more pragmatic and open regime for data flows, therefore, should be especially conscious of where the debate within China remains alive.

The importance of the data flows issue for the future of global trade will remain a salient issue, and there appears to be a glaring lack of a suitable forum within which to discuss these issues bilaterally between the United States and China, or multilaterally with the EU. With the demise of TPP, multilateral trade regimes that do not include major players such as China appear to have reached a dead end for the time being. In the meantime, the Track 2 environment could provide much-needed space to explore critical emerging digital economy issues in a manner diverse economies could support. Even as governments verge on confrontational trade diplomacy, stakeholders will be best served by devoting careful attention to the ways different countries are meeting the new and evolving challenges of formulating digital policy, and by searching for approaches that allow for pragmatic interoperability online, rather than an unrealistic one-size-fits-all solution.