What do China’s data export regulations mean for its trade competitiveness?
January 3, 2023
This article was first published at World Economic Forum.
By Yan Xiao & Donnie Dong
In the second half of 2022, China unveiled the details of its data export regulations, providing further explanations of its existing laws and regulations on data.
While there is no outright ban on cross-border data transfers, restrictions and procedures imposed on cross-border data transfers could create significant barriers to the cross-border flow of data for legitimate business operations.
Such restrictions could potentially discourage companies from doing business in or with China, and eventually, reduce the country’s trade competitiveness.
China’s data rules restrict cross-border data flows
Since becoming effective in 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) has been hailed as the gold standard in data protection. Perhaps surprising to many western observers, China’s Personal Information Protection Law borrowed many of the concepts and regulatory framework from GDPR.
For example, China defines personal information in a similar way to GDPR. China adopts the same consent requirement in obtaining personal data and transmitting such data abroad. China also adopts GDPR’s approach in providing standard contractual clauses to govern cross-border data transfers.
China’s following GDPR helps create regulatory interoperability around data and reduce data compliance burdens for companies having global footprints.
However, despite the similarities in certain approaches between GDPR and Chinese data laws and regulations, China’s approach towards cross-border data flows is a significant departure from GDPR’s general principles endorsing free flow of data. Here’s how:
– First, China requires the “critical information infrastructure” data and the “core/important data” be stored in the country. When it is necessary to transfer those data overseas for business purposes, the operators and the holders of those data must go through a data security review process and obtain necessary approvals. What constitutes “critical information infrastructure” or “core/important” is vaguely defined. The importance of personal data is tied to the volume a data provider plans to transfer or control (whether or not the plan is to transfer all of them).
– Second, GDPR allows market players to have the freedom to move data from the GDPR territory to a country that has adequate protection comparable to GDPR. Such broad exemption for cross-border data transfers under the “adequacy of the level of protection” is absent in China.
– Third, GDPR provides more room for companies to move data across borders, including allowing companies to freely transfer data as long as they have in place “binding corporate rules” or “code of conduct” that satisfy the requirements GDPR sets out. In China, those options are not available.
– Moreover, even for companies who are qualified to transfer data across borders, they are asked to “record their Standard Contractual Clauses and their privacy impact assessment report” with competent regulators before they can legally transfer data out of China. Such requirement creates practical obstacles for companies that have a regular need for cross-border data processing.
During the Doha Round in 2001, the most recent round of trade negotiations among World Trade Organization (WTO) members, data was not yet an important subject matter for global trade.
China’s trade obligations evolve mostly around WTO. There is no WTO rule preventing countries from making data localization rules or restricting cross-border data flows.
Since its participation in WTO, China has become the factory of the world. China’s world factory status also allows China to develop advanced manufacturing leveraging data and artificial intelligence technology.
In addition to being the manufacturing centre of goods, China also has a booming digital economy, second only to the United States in absolute terms. Chinese tech companies have benefited from the lack of foreign competition in digital services and from relaxed privacy-related rules for many years.
China’s data flow policies could work against it
However, with restrictions on data flows, China faces challenges not only to its seat as the world’s factory but also to its digital economy champion status. Policies around cross-border data flows can tilt the balance in favor of China’s trade competitors such as Vietnam or Singapore.
Data has been playing a more important role in the future of manufacturing. Since 2020, more and more companies have started moving their supply chains beyond China to countries like Vietnam to diversify supply chain risk.
While Vietnam mandates the storage of data locally, transferring data outside Vietnam is not subject to requirements as strict as in China. Vietnam endorses GDPR’s “adequacy of the level of protection” principle.
Further, China has yet to reach a treaty with major economies regarding cross-border data transfer, while Vietnam has committed to allow cross-border data transfer through its participation in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
Vietnam is under the pressure from its fellow participants in CPTPP to loosen restrictions on cross-border data in areas not related to military or national security to honour its trade commitments.
Singapore recognized as a global fintech hub
Despite China’s achievements in the fintech sector, Singapore, a latecomer in the game, is viewed as a global fintech hub. Singapore has a relaxed attitude towards cross-border data transfer. Data localization is an exception rather than the rule.
Same as Vietnam, Singapore also follows GDPR’s principle of the “adequacy of the level of protection” and recognizes a broad range of countries and regions as meeting the “adequacy of the level of protection”.
For example, the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Rules (CBPR) and Processor Privacy Recognition (PRP) systems are considered by Singapore to meet the necessary protection standards for cross-border data transfers.
An overseas data receiver that is CBPR or PRP-certified is considered legally qualified to provide comparable protection for the transferred personal data. Singapore’s embrace of the free flow of data will further help it attract talents and investments from all over the world to build its fintech empire.
The phrase “data is the new oil” has been around for some time. Data is most powerful when it is aggregated. A set of rich and diverse data helps prevent financial crimes, develop new drugs, and optimize logistics and resource allocation for manufacturing.
While the protection of individual privacy and national security are important and legitimate objectives for all countries, overly restricting cross-border data transfers imposes a heavy burden on companies with global footprints, prevents domestic start-ups from scaling globally, deters foreign direct investments and eventually reduces a country’s trade competitiveness.
While its trade competitors maintain their openness to cross-border data exchange, China is risking its current championship in both manufacturing and digital economy. As the country tries to join various multilateral trade agreements, cross-border data transfer policy and how it will be enforced in reality will be an important subject matter for it to consider.
* * * * *
License and Republishing
The views expressed in this article are those of the author alone and not the World Economic Forum.
* * * * *
This communication is intended for informational purposes only and is not intended to create an attorney-client relationship or to constitute any form of advertisement.
Author: Donnie Dong. Admitted to practice in China and New York State, the author is a seasoned lawyer focusing his practice on intellectual property and data privacy.