The world has entered a digital age: The flow of massive amounts of data constitutes a new engine of global economic and trade growth. Because of the fluidity, diversity and replicability of digital data, as well as the increasing frequency of cross-border data flows, security risks are continually being amplified. Data has become an important realm of national security.
Recently, several Chinese internet service companies, including the leading cab-hailing service provider Didi, came under cybersecurity scrutiny by state authorities. According to the authorities, Didi is suspected of collecting and utilizing users’ private information in serious violation of laws and regulations. The company’s previous IPO in the U.S. securities market also brought significant risks concerning the export of important information to foreign countries. The U.S. passed the Holding Foreign Companies Accountable Act in May, which requires all companies seeking IPOs in the U.S. to undergo an audit review by the Public Company Accounting Oversight Board. The act has become a point of contention between the U.S. Securities and Exchange Commission and the China Securities Regulatory Commission, or CSRC.
For enterprises that hold large amounts of critical and sensitive data and whose main business is associated with critical information infrastructure, information disclosure no doubt raises the risk that important information could be leaked.
China is increasingly becoming a global data power. According to the IDC reports “The Digitization of the World: From Edge to Core” and “Data Age 2025,” China will own the world’s largest data sphere by 2025. In 2018, China produced a total of 7.6 ZB of data, which is expected to reach 48.6 ZB by 2025, the most in the world, accounting for 27.8 percent of the global total and far exceeding the projected 30.6 ZB of the United States.
However, as the value of data becomes increasingly prominent, data security risks are also on the rise. A state of natural monopoly in which the winners take all based on user numbers and data volume has taken shape in the internet industry. With massive data ending up in the hands of a small number of platform companies, the potential risk of large-scale data leaks has significantly increased. Such problems as illicit collection of user data, lack of necessary security precautions and abusive use — even selling — of user data have surfaced repeatedly. And the forms of fraud are changing all the time, bringing with them tremendous economic, political and social risks.
In such circumstances, there has been a pressing need to tackle the outstanding problems in the field of data security, and effectively upgrade the capacity for data security governance. Regulatory authorities have tried hard in recent years to constantly improve rules and laws on data governance. The promulgation of the Cybersecurity Law in 2016, the Law on Personal Information Protection (Draft) in 2020, and the Data Security Law in 2021 indicates that a fundamental legal framework for Chinese data governance has basically taken shape. The Cybersecurity Review Office’s scrutiny of Didi, for instance, has a very clear purpose: “to prevent national data security risks, preserve national security [and] guarantee the public interest.”
Imposing security regulations on data exports is an international practice. Considering that personal data and important, sensitive data involve different levels of risk, as well as interests, many countries have introduced regulatory mechanisms featuring by-level, by-category management to govern cross-border data flow with diverse, flexible oversight policies. For example, the French government stipulates that data about government administration, business development and taxation should be stored locally; Australia prohibits the cross-border transfer of health data; the U.S. stipulates that classified data must not be stored in any public cloud, which applies to citizens’ sensitive data.
U.S. review criteria are by no means lower than those in the European Union. Developed nations, such as the U.S. and EU members, have continuously enhanced their “long arm jurisdiction” on data exports in recent years, strengthening security reviews in an all-around manner. Contrary to its claim of “free cross-border flow of data,” the U.S. has adopted very rigid controls over data exports and exit approvals.
The U.S. government defines the scope of “important data,” which covers 17 categories, including agriculture, controlled technology information, key infrastructure, emergency management, export control, finance and geographic product information. It uses a list of controlled unclassified information. In the “Foreign Investment Risk Review Modernization Act” of 2019, the scope of covered transactions was further expanded to include not only companies that deal with critical technology and critical infrastructure, but also those with critical or sensitive data — and particularly to subject foreign-invested companies that store or collect American citizens’ sensitive personal data to such security reviews. Strict restrictions apply to the collection of U.S. citizens’ personal data by foreign businesses.
It has become a global consensus that data security involves national security. Against the backdrop of countries’ intensifying wrangling over data sovereignty, it will be a tremendous challenge for regulatory authorities to balance state data sovereignty against corporate and public interests. Given the current tensions between China and the U.S., as well as their serious lack of mutual trust, the field of data security will inevitably become a new realm for China-U.S. competition.