U.S. Can’t Pull Down China’s Data Wall

Recent protests of China's new laws about cross-border data transfer may not sway regulators given rising digital walls around the world.

On September 26, the U.S. raised concerns at the World Trade Organization (WTO) about the Chinese Cybersecurity Law which took effect in June 2017. A U.S. letter stated that measures enforced in their current form could have a “significant adverse effect on trade in services.”

It was not the first time the U.S. has raised concerns over the cyber security laws in China. Similar episodes happened in 2015 after China promulgated its IT security guidelines for the banking industry.

The banking guidelines were suspended under the pressure from the WTO as they clearly favored domestic over foreign suppliers of IT equipment used in the banking industry. The U.S. might have a harder time to block the current cybersecurity measures.

The U.S. letter said China was too broad and vague in defining circumstances that would prohibit cross-border data transfers, including when transfers would pose a risk to national security, economic development, and social public interests. The cybersecurity measures also could impose local data storage requirements on operators in "critical information infrastructure sectors," but again the terms were not clearly defined, according to the U.S.

This argument appears hypocritical to some observers. The Committee on Foreign Investment in the United States (CFIUS) requires transaction parties to notify CFIUS and allow the president to block any transaction on national security grounds. In 2008, the CFIUS regulations were expanded to include critical infrastructure. Any companies dealing with the CFIUS process would tell you that the quest for the exact meaning of “national security” or “critical infrastructure” yields nothing other than hefty legal bills and uncertainties.

In addition, the U.S. claimed China’s new requirements were too cumbersome for foreign service providers. The new China laws require network operators to demonstrate that “the purpose of the transfer meets standards of legitimacy, necessity, and justification” before transferring "important data" and "personal information." Furthermore, a network operator may be required to obtain consent from each individual before any cross-border transfer can take place.

It’s ironic the U.S. is advocating for more relaxed rules to allow personal information of Chinese citizens to be transferred to U.S. companies after the Equifax breach. Any sensible government would ask what happens to their citizens’ personal information in the hands of a U.S. company if Equifax did nothing for two months after 143 million consumers’ personal information was leaked. Edward Snowden’s revelation in 2013 that the U.S. National Security Agency had been engaged in espionage on companies, including a number of Chinese companies, would certainly make it seems wise to think twice before handing over important data.

In any event, China’s burdensome requirements apply to both domestic network operators and foreign ones. Given tight controls on foreign investment in China’s telecom sector, the burden of the country’s new law probably will be felt more by the local network operators.

In fact, so far, China has been showing more interest in enforcing the cybersecurity law on its local players. China’s Internet regulator, the Cyberspace Administration of China, has launched investigations and imposed fines on Tencent, Baidu, and Sina, citing the violation of the Cybersecurity Law.

It has become clear that the cyberspace will see more borders and higher walls going forward. Thirty-four countries have implemented some sort of data localization rules, according to an April report from the Information Technology & Innovation Foundation.

The question remains how restrictive national data transfer rules can be without violating signatory countries’ commitments under General Agreement on Trade in Services (GATS) to guarantee equal national treatment of service providers. At this point, there is hardly any consensus among the countries yet. The outbound data transfer restrictions in the Chinese Cybersecurity Law are arguably on the more restrictive end of the spectrum, but they are not entirely an anomaly.

For its part, the European Union implemented a Data Protection Directive and adopted the General Data Protection Regulation (GDPR) in April 2016. Starting in May 2018, the GDPR will require companies to adhere to the regulations in the processing of personal data of subjects in the EU as long as such companies are offering goods or services to EU citizens. The monitoring of behavior takes place within the EU, and non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.

Japan has implemented similar rules restricting outbound transfer of personal data. It seems unfair for the U.S. to allege that the Chinese cybersecurity laws violate the GATS commitment after condoning the EU and Japanese data transfer restrictions.