DigiChina Digest – June 2019

Blog Post
June 20, 2019

The DigiChina Digest includes exclusive new content and news tracking from Chinese-language sources on digital policy in China, as well as the latest from our collaborative translation and analysis work. The Digest is produced in partnership with our colleagues at the Leiden Asia Centre. This edition was compiled by Katharin Tai and Graham Webster.

Please encourage anyone interested to subscribe at DigiChina's main page.


DigiChina is Now a Joint Effort of the Stanford Cyber Policy Center and New America

Stanford University's Program on Geopolitics, Technology and Governance, part of the university's new Cyber Policy Center, and New America this month announced a new collaboration to continue and expand DigiChina's work. [Read more.]


Two Years After the Cybersecurity Law Took Effect, Authorities Release a Series of Draft Rules

As the two-year anniversary of China's June 1, 2017, implementation of the Cybersecurity Law approached, numerous important details about how the law's provisions are to be implemented remained un-clarified. DigiChina has long covered debates over draft rules, for instance on cross-border data transfers or the definitions of regulated categories such as "critical information infrastructure."

Since late May, several new drafts have surfaced, and DigiChina has translated them:

  • The "Cybersecurity Review Measures (Draft for Comment)," released May 21, are designed to implement Cybersecurity Law requirements for "critical information infrastructure" operators to undergo a national security review when purchasing network products and services that may impact national security. This new version is to replace a May 2017 "interim" rules that established what came to be known as a "black box" review, leaving vendors with great uncertainty about what would pass muster. The new draft takes a different approach, and includes specific language addressing "situations in which product or service providers are funded, controlled, etc., by foreign governments," which could affect suppliers subject to U.S. government restrictions on sales to Huawei or other Chinese companies.
  • The "Data Security Management Measures (Draft for Comment)," released May 28, advance personal information protection policy efforts, outline responsibilities for "network operators" on data protection, and provide a definition of the long-murky term "important data." The draft Measures also include rules requiring information providers who use algorithmic targeting to label targeted content and to provide the ability to opt out of targeting.
  • The "Critical Network Equipment Security Testing Implementing Measures (Draft for Comment)," issued June 4, lay out procedures for gaining approval for use of "critical network equipment" through security testing administered by the Ministry of Industry and Information Technology.
  • The "Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)," issued June 13, addresses transfers of personal data out of mainland China. It raised five questions, taken up by DigiChina in a piece by Graham Webster and Samm Sacks:
    • First, unlike the Cybersecurity Review Measures draft, which explicitly says it replaces older rules, this draft is not clear on whether it replaces earlier drafts from 2017 that DigiChina analyzed at the time. Will it replace them, or are we in for overlapping rules?
    • Second, why does the new draft apply cross-border data transfer requirements to the category of "network operators," rather than the probably more narrow set of "critical information infrastructure" operators mentioned in the Cybersecurity Law?
    • Third, foreign lobbying and a U.S. WTO filing pushed China to reconsider parts of the 2017 drafts. Have Chinese officials simply dismissed those concerns after a significant delay?
    • Fourth, these regulations target "personal information," but in this context the Cybersecurity Law pairs that with the broader idea of "important data." Will "important data" show up in a different regulation?
    • Fifth, will this whole list of draft regulations move to final form and implementation quickly, or will the story of Cybersecurity Law implementation drag on for two more years? [Read the full 'five questions' analysis.]
  • The "Provisions for Cybersecurity Vulnerabilities Management (Draft for Comment)," issued June 18, specifies procedures and responsibilities for vendors or network operators who discover a cybersecurity vulnerability. It discusses patching, countermeasures, and reporting to government vulnerability collection platforms.

Each of these drafts remains open for public comment, and there is reason to expect more draft regulations, laws, and other documents to emerge in the coming weeks and months.

Two Prominent Chinese Groups' Principles on Artificial Intelligence, Translated

China's Artificial Intelligence Industry Alliance (AIIA), formed in 2017 under Ministry of Industry and Information Technology leadership and counting China's leading tech companies and research institutes as members, released a "Joint Pledge on Artificial Intelligence Industry Self-Discipline (Draft for Comment)" on May 31. It enumerates general principles and activities for signatories, which are not yet specified. AIIA members and the public can comment until June 30.

The New Generation Artificial Intelligence Governance Expert Committee, established by the Ministry of Science and Technology, on June 17 issued "Governance Principles for a New Generation of Artificial Intelligence: Develop Responsible Artificial Intelligence."

These two documents join the Beijing Academy of Artificial Intelligence's "Beijing AI Principles," which were released with an official English version in late May.

Samm Sacks Testifies Before House Foreign Affairs Committee on 'Smart Competition' With China

New America Cybersecurity Policy and China Digital Economy Fellow Samm Sacks testified before the House on May 8, arguing that, "Beyond market access, there are also national security, supply chain, ideological, and human rights dimensions to this technology conflict with China. The decisions U.S. policymakers take at this juncture are likely to have implications for generations to come." [Read Sacks' written testimony.]


Government Research Institute Publishes Guide to Comply with Europe's GDPR Privacy Rules

On May 29, the China Academy for Information and Communications Technology (CAICT) published a guide for compliance with the European Union's General Data Protection Regulation (GDPR). CAICT teamed up with several partners for the guide, including e-commerce giant JD.com and the international law firm Covington & Burling.

The 71 page document is especially interesting for its discussion of areas where GDPR conflicts with companies’ obligations under Chinese law. For example, the report warns that Chinese data localization requirements currently seem to conflict with the investigative powers of European data protection agencies under GDPR. Moreover, the authors note, China's data protection framework currently does not meet Europe's standards for allowing data transfer from Europe to China, leading to a conflict between Europe's rules and Chinese government jurisdiction over Chinese companies and "their" data.

The report recommends that China negotiate an agreement on data transfers with the EU as soon as possible, though it does not note how serious a challenge it may be to reach such an agreement. In the case of Japan, whose data protection practices were deemed “adequate” for transfers from the EU in January, the agreement required Japan to change its data protection system to align more with the EU’s. Given the differences between Europe and China on questions of state power and individual rights, a similar deal could require concessions China's government is unwilling or unable to make.

Party's 'Voice' Publishes Strident Series of Columns on U.S. Ties, With Tech at Issue

The most authoritative Communist Party paper, the People’s Daily, published a series of daily commentaries on the ongoing U.S.-China trade and economic conflict under the pen name “Zhong Sheng” (钟声, a homophone for “voice of the center” or "voice of China" that is believed to be written by staff) from mid-May to mid-June.

While earlier Zhong Sheng commentary in late 2018 was cautiously optimistic, more recent pieces rebut narratives from the U.S. side. Examples from a compilation by journalist Simon Rabinovitch include: “The ‘U.S. Has Been Suffering’ Theory Can Be Put to Rest,” “The ‘Clash With Chinese Civilization' Can Be Put to Rest,” and “The ‘Tariffs Are Good’ Theory Can Be Put to Rest.”

One column, entitled “Tech Hegemony Harms Development: Those Refusing to Compete Will Fail,” accuses the United States of “abusing state power to target hard-working Chinese companies such as Huawei” and hindering technological advancement by undermining market competition under the banner of national security. “The U.S. side only suppresses Chinese enterprises under the excuse of 'national security' to curb China's scientific and technological development and to let U.S. companies plunder worldwide high-tech markets such as 5G [...]. Such a plot exposes the true hegemonic mentality of the United States, of only allowing itself to develop, not allowing others to progress.”