On Sept. 28, China’s Office of the Central Cyberspace Affairs Commission released a heavyweight document — Public Consultation on Provisions on Regulating and Promoting Cross-border Flow of Data (Draft) — which means that China has made a breakthrough innovation in the management of cross-border data flow.
It is regarded as a bellwether for China’s digital business environment, as well as for institutional opening-up, because cross-border data is at the heart of a new round of globalization, a key area of China’s institutional opening-up and a new set of principles that we must incorporate when participating in high-standard free trade negotiations.
Competition in the digital field is not only about technology but also about rules. At present, the cross-border flow of data has become the core issue of the global multilateral and bilateral economic and trade rules and agreements. It represents the direction of evolution toward high-standard international trade rules. Major powers are seeking to gain dominance in digital rule-making, in a bid to export their own digital governance model, extend digital jurisdiction and bring together stakeholders to formulate rules, not only to protect data sovereignty but also to gain an edge in international competition.
China certainly faces its share of challenges in cross-border data governance. The first major challenge is the incompatibility of the domestic legal regime with international rules on cross-border data. Generally speaking, although the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law constitute the overarching set of commands for the management of cross-border data in China, there are still many compatibility issues to be addressed, including digital trade provisions in agreements such as the CPTPP and DEPA.
For example, restrictions on cross-border data such as local storage and outbound data transfer assessment — which are explicitly listed in the Cybersecurity Law — are not compatible with the CPTPP provisions necessary to achieve certain public policy objectives; nor are they applied in a manner that would constitute arbitrary or unjustifiable discrimination, nor a disguised restriction on trade.
Meanwhile, China has not yet acceded to a global or regional agreement on cross-border data transfer, and lacks interfaces and channels to align with international rules on cross-border data flows. So it has some catching-up to do, which will somewhat affect the flow of information, capital and trade between China and other countries and regions.
The second major challenge involves discrepancies in domestic legislation. With the successive enactment of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, the basic principles and institutional framework for cross-border data flow in China has taken shape, but the previously established regulatory provisions in the industry have not been revised — hence the inconsistencies between the laws, administrative regulations and departmental rules.
The third major challenge is that it’s difficult to make substantive breakthroughs in pilot regions because of the overarching laws in operation. The cross-border flow of data falls under the remit of governments at the national level and leaves limited room for authorities at the local level to practice governance. Hence, legislation such as the Cybersecurity Law, the Data Security Law and the Measures for Security Assessment of Outbound Data Transfer (once approved) will make substantive breakthroughs difficult to attain in pilot free trade zones and free trade ports.
In this context, the new data regulation to be released by the CAC, is a bold innovation in areas determining important data — the cross-border flow of non-secure data, offshore data trading and pilot cross-border data flows — that will spur breakthroughs in China’s cross-border management and reach a new balance between development and security interests, but more in favor of development.
First, it will promote the unimpeded flow of non-secure data. The proposed regulation makes it clear that for data generated in international trade, academic cooperation, cross-border manufacturing and marketing activities that do not contain personal information or important data, there is no need to declare a security assessment in the case of outbound data transfer, to enter into a standard contract for personal information or to obtain any personal information protection certification. This will greatly facilitate the sharing and flow of data in foreign-funded manufacturing, innovation and R&D in China.
Second, offshore data will be exempted from approval. The new regulation provides that personal information not collected and generated within the territory but provided outside the territory likewise will need not declare an outbound data security assessment, enter into a standard contract for personal information outbound or obtain personal information protection certification. This means that inbound personal information that is transmitted overseas will be exempted from any preemptive security vetting procedure.
Further, this will be a significant policy boon for foreign-funded businesses and global data service providers in general in the trade of offshore data outsourcing, or anyone who seeks to establish the storage, processing and trade of foreign data within the country.
Pilot free trade zones (ports) will be given greater autonomy in regulatory innovation. Under the new regulation, free trade ports may formulate their own lists of data that must be included in the scope of data exit security assessment, outbound personal information transfer contracts, personal information protection certification management and reporting to the CAC or related departments for record-keeping purposes after being approved by provincial-level cybersecurity and information affairs authorities.
This initiative may herald a change in the previous approach, in which items were reviewed one at a time and involved escalating levels of authorities. Localities are given greater autonomy to pursue reform and encourage the establishment of open platforms, such as pilot free trade zones (ports), innovation highlands and the exploration of pathways to institutional opening-up at a higher level.
The new regulation is step toward exploring the innovation system for managing cross-border data flows. In the future, it will be necessary to further implement reforms through a high level of institutional opening-up. For example, on the basis of data classification and grading, a list of cross-border data flows should be compiled, prioritizing the orderly flow of data that does not jeopardize national security or has low sensitivity and high economic benefits.
Efforts should be made to set up a white list focusing on ongoing and ex-post oversight to truly put into practice China’s “Twenty articles on data” — 20 measures to build basic systems for data that emphasize strengthening data classification and management and ensures proper data management while promoting cross-border data flow.
In addition, China should actively seek breakthroughs in regulatory innovation regarding cross-border data; cooperate with countries, regions and international organizations; promote the signing of bilateral and multilateral agreements and international rules on cross-border data flow; and leverage the strength of multilateralism to build an open, cooperative, secure and transparent global data governance system.
