Commentary: Will China’s new data security initiative define global norms?
China’s initiative could be a useful guide for countries in developing their own legal framework, but expect pushback from the United States, says East Asia Institute’s Bert Hofman.
SINGAPORE: Data security and trade in data have become a major bone of contention between the United States (US) and China in a conflict that started as a trade tussle but is rapidly sliding towards a new cold war.
Concerns over access to data by the Chinese government has led the US to impose measures on companies that use US technologies to supply Huawei, a leading Chinese telecoms company.
It has also leaned on countries around the world to exclude Huawei from its 5G network for reasons of data security risks.
In August, the Trump Administration announced that for national security concerns, it would ban the popular video networking TikTok app.
A similar move was announced for WeChat, the popular app that allows users to perform multiple tasks, from communications to ecommerce to payments.
The argument was that both apps could divert data of US citizens to the Chinese government.
The purge of the two apps was part of the US’ “Clean Network” initiative, which, according to statements by the US State Department, has already signed up more than 30 countries though these remain as of yet unidentified.
DATA PROTECTION IS ON THE RISE
China itself tightly controls and censors its cyberspace through the Great Firewall, and has banned access of major US firms such as Twitter, Facebook and Google.
Its 2017 Cybersecurity law raised concerns about the protection of personal data, as the law requires companies in China to hand over data if requested by the authorities.
The establishment of the Social Credit Schemes aimed at providing individuals with incentives for good behaviour, and which relies on large data collection efforts, has further raised concerns regarding the protection of personal data in China.
The EU Chamber of Commerce recently raised issues with China’s overall cybersecurity legal framework. It therefore came as a bit of a surprise that on Sep 8 Foreign Minister Wang Yi announced an initiative to establish global standards on data security.
Wang Yi said that China wanted to promote multilateralism in the area at a time when individual countries were “bullying others and hunting companies”.
“Global data security rules that reflect the wishes of all countries and respect the interests of all parties should be reached on the basis of universal participation by all parties,” Wang said.
China’s initiative calls for participating countries to refrain from large-scale surveillance of other countries or illegally acquire information of foreign citizens through information technology.
It also calls for technology firms to prevent the creation of so-called backdoors in their products and services that could allow data to be obtained illegally, as well as for participants to respect the sovereignty, jurisdiction and data management rights of other countries.
Wang Yi also said that China’s government “has not and will not require Chinese companies to provide overseas data to the Chinese government in violation of the laws of other countries,” thereby countering one of the biggest arguments the US and others have used to taint data handling by Chinese companies.
WHY WE NEED INTERNATIONAL STANDARDS
There is a clear need to agree on international standards in data security. Data is becoming increasingly important for economic activity, and China is at the forefront of the digital economy, most notably ecommerce and digital finance.
At the same time, there is growing demand, even in China, for protection of personal data and information.
And there are growing concerns from governments how data, if in the wrong hands, could endanger national security. Even trickier is the movement of data across borders. This is essential for modern trade in services and innovation in manufacturing, which relies on information from users.
Keeping data strictly national or localised would impede trade and innovation.
Countries around the world have taken legal or regulatory steps to protect personal data. On last count, about 140 countries have some form of law or regulation on data protection.
The EU’s General Data Protection Regulation is one of the better known, and strictest, frameworks - increasingly becoming a model for other countries to follow. China enacted its cybersecurity law in 2018, which was skewed towards national security rather that personal data protection.
Since then, though, the country has also made efforts on protecting personal information security and data security, and a draft Data Security Law was released for comments in July. The first civil code in China, released in 2020, also specifies data privacy as a personal right.
The data security standards embedded in these laws vary considerable from country to country, as different societies have different attitudes on data protection vis-à-vis other societal goals such as development or community interest.
The debate on tracing apps to contain the COVID-19 pandemic illustrates this diverse attitude: Countries such as Singapore, Korea and China rapidly adopted or mandated tracing apps to easily find people that may have had contact with COVID-19 infected people.
In many European countries and in the US, such apps were seen to infringe on personal freedom and personal information, and they found much less widespread use.
BILATERAL AGREEMENTS COULD BE COSTLY
The digital economy is transnational in nature, and allowing data transfers from one country to another can maximise the potential and minimise costs.
At the same time, transferring data from one country to another could undermine protections granted to data subjects under national law. Therefore, data protection regimes would normally include rules on data transfer to other countries. Such rules can obviously have trade implications.
These regulations could be used to protect one’s own industry, and could become a barrier against international trade and investment. The WTO’s General Agreement in Trade in Services (GATS) contains some rules on data protection and data transfer, though these were largely formulated before the digital revolution took off in earnest.
A new multilateral agreements on data security and transfer would therefore be highly desirable, but in today’s atmosphere seems further off than ever.
Bilateral trade agreements have started to fill the gap, and the recent Singapore-Australia Digital Economy Agreement is a case in point. It aims to set “new global benchmarks for trade rules, and a range of practical cooperation initiatives, to reduce barriers to digital trade.”
At the same time, a bilateral approach to the complex issues of data protection and data transferability risks a multitude of norms and standards across jurisdictions, which could create high compliance costs for business, especially small and medium enterprises.
GETTING SUPPORT MAY BE TOUGH
It is in this context that China’s initiative proposes global standards on data security.
Such standards, once agreed on by a plurality of countries could guide individual countries in developing their own legal framework, and become a benchmark for bilateral or multilateral agreements on the topic.
Wang Yi had foreshadowed the initiative at an online G20 meeting the week before the announcement, as it seeks more support for the initiative particularly from G20 members.
China’s multilateral approach is going head to head with the US’ Clean Network Initiative.
The US initiative seems largely targeted at China: “The Clean Network program is the Trump Administration’s comprehensive approach to guarding our citizens’ privacy and our companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party (CCP),” a US State Department announcement on the initiative reads.
This August, the Internet Society, an industry group with members including Google, COMCAST, AT&T and Eriksson, sharply criticised the Clean Network Initiative.
“Policies like these only increase the global momentum towards a “Splinternet” — a fractured network, rather than the Internet we have built over the last four decades and need now more than ever,” the society wrote in a statement on their website.
Irrespective, little support for China’s initiative can be expected from the US at this point in time. Other countries have yet to express their views, but it seems unlikely that all G20 members would agree to discuss China’s initiative at this stage.
Nevertheless, China’s initiative could entice other countries to develop their own proposals and principles that may be supported by a broad set of countries. The superpowers could then decide whether they want to get on board with those principles in due course.
Bert Hofman is Director of the East Asian Institute at the National University of Singapore.