Data Localization vs. Data Governance: Why China Should Support Open, Clear, and Binding Rules on Data Flows and Digital Trade
Nigel Cory presented at the 2nd International Cyberspace Governance Forum hosted in Beijing, China, by Beihang University and Beijing Normal University. As part of the agenda on “The Rules of Digital Economy,” Cory addressed the topic of “Data Localization vs. Data Governance: Why China Should Support Open, Clear, and Binding Rules on Data Flows and Digital Trade.” Cory’s presentation is attached. An English/Chinese summary of his remarks follows.
Data is the lifeblood of the modern global economy. Digital trade and data-driven innovation—the use of data to create value—has become increasingly important to economic growth, competitiveness, scientific discovery, and social progress. Businesses use data to create value, and many can only maximize that value when data can flow freely across borders, obviously while still managing and protecting data as per local laws, so that these rules move with the data wherever it is transferred. Economic and firm competitiveness and innovation increasingly depends upon how firms aggregate and use data, which, in part, depends upon firms engaging in data flows and digital trade. Data will naturally move across borders unless governments enact artificial restrictions. Yet a growing number of countries (like China) are enacting barriers that make it more expensive and time consuming, if not illegal, to transfer data overseas (a concept known as data localization).
China is a world leader in digital protectionism. It has long enacted restrictions on data imports via the “Great Firewall.” It has enacted a growing range of data localization requirements, which in addition to other market access, licensing, and other restrictions, closes its digital economy off for many foreign firms wanting to engage in digital trade. Data localization and digital protectionism are misguided and short-sighted policies and strategies. For example, the glaring lack of reciprocity means that other countries will increasingly target Chinese tech firms “going global” as their own firms do not have similar access to the Chinese market.
China has not made any meaningful and binding commitments on data flows and digital trade in its trade agreements. For example, the Regional Comprehensive Economic Partnership’s ecommerce chapter did not include meaningful commitments on data flows and digital trade and it is non-binding (thus not legally enforceable). The U.S.-China “Phase 1” talks included cloud services and digital market access, but ultimately, did not include meaningful commitments. Similarly, the European Union-China Comprehensive Agreement on Investment only locked in current restrictive cloud market access rules. China’s efforts to experiment with greater digital service and data access in digital-friendly free trade zones (FTZs) in Beijing, Tianjin, Shanghai, Chongqing, and elsewhere will not be appealing, nor meaningful, for foreign firms and trading partners as digital services require broad market access that small geographic trade zones do not provide. China has signaled it wants to join both the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and new Digital Economy Agreements (involving Chile, New Zealand, and Singapore), but both initiatives contain ambitious and binding commitments on data flows and digital trade so it is difficult to see how China would show it is similarly ambitious given it hasn’t made any similar commitments. It’s great that China is part of ecommerce negotiations at the World Trade Organization. While negotiations have not yet gotten to sensitive issues like data flows, it will inevitably involve making commitments on this issue as it’s central to global ecommerce and digital trade. Commitments on data flows are a deal maker—or breaker—for Japan, the United States, and other supporters of digital free trade.
中国在其贸易协定中没有对数据流动和数字贸易做出任何有意义和有约束力的承诺。例如，《区域全面经济伙伴关系》的电子商务章节没有包括对数据流动和数字贸易的有意义的承诺，而且不具有约束力（因此在法律上无法执行）。美中 "第一阶段 "贸易谈判包括了云服务和数字市场准入，但最终并没有包括有意义的承诺。同样，欧盟-中国全面投资协议只锁定了目前限制性的云市场准入规则。中国在北京、天津、上海、重庆和其他地方的数字友好型自由贸易区（FTZs）尝试更多的数字服务和数据准入的努力，对外国公司和贸易伙伴来说没有吸引力，也缺乏实质意义，因为数字服务需要广泛的市场准入，而小型地理贸易区无法提供。中国已经表示要加入《跨太平洋伙伴关系全面进步协议》（CPTPP）和新的数字经济协议（涉及智利、新西兰和新加坡），但这两个倡议都包含了对数据流和数字贸易的雄心勃勃和具有约束力的承诺，所以很难看到中国如何在没有做出任何类似承诺的情况下显示出它的诚意。中国参与世界贸易组织的电子商务谈判是件好事。虽然谈判还没有涉及到数据流等敏感问题，但它将不可避免地涉及到在这个问题上做出承诺，因为它是全球电子商务和数字贸易的核心。对于日本、美国和其他数字自由贸易的支持者来说，关于数据流动的承诺是交易的决定因素，或者是破坏因素。
China has been enacting a comprehensive and ambitious set of laws and regulations dealing with data privacy, security, protection, and national security. However, it has applied a very broad and restrictive conceptualization of national security to its domestic approach to data governance. China’s current focus is on local data storage and control and overly broad national security measures. For China, data localization is the norm, free data flows the exception. It’s exactly the opposite for most of the rest of the world. Data flows are the norm and data localization the rare exception as part of the narrow conceptualization and application of national security concerns. China’s broad application of national security, as applied in its various laws and regulations, are not in line with emerging global norms and best practices (as evident in the CPTPP and the new digital economy agreements).
The vast majority of data and digital services do not involve national security concerns. By treating most data and digital services as a national security issue, China makes it difficult, if not impossible, to create clear, open, and predictable digital market access for foreign firms and trading partners that expect to be treated like China wants its firms treated—in a fair, transparent, and predictable manner. These are all core principles of the global trading system (via the World Trade Organization’s principles of most-favored nation and national treatment). Creating a legal framework that requires the government to pre-screen and approve firm-level data transfers is antithetical to modern business and trade and legal practice. Modern business and trade involves data transfers as a matter of course. It is a simple fact that international trade involving consumers cannot take place without collecting and sending personal data across borders—such as names, addresses, billing and payment information, etc. The same applies for modern manufacturing and services trade and their use of personal and non-personal data.
China should follow what most other countries do in applying the legal principle of accountability and responsibility. Rather than tell firms where they can store or process data, policymakers should hold firms accountable for managing data they collect, regardless of where they store or process it. China should narrowly define and apply restrictions on genuinely national security-related issues and create data privacy, protection, and other laws that ensure these legal responsibilities travel with data transfers. Beyond trade agreements, China should seek to build global data governance by pursuing sectoral agreements with counterparts to address shared and legitimate issues raised by data and data flows. For example, a sectoral agreement on health data and research would support the collection and sharing of health and genomic data to support health outcomes that would benefit everyone. Another example is updated agreements on financial regulatory oversight to ensure regulatory authorities have the access to data they need for oversight.
In an ideal world, China would be part of the WTO and other global data governance negotiations given its large and growing domestic digital economy. However, it has no track record showing it is willing to make meaningful and legally binding commitments on free data flows, digital free trade, and shared/cooperative global data governance. China needs to make reforms to bring its currently restrictive domestic data governance arrangements into alignment with emerging global norms and best practices on free data flows, data governance, and digital free trade.