Chinese approaches to governing cross-border data flow
As the digital economy thrives worldwide, cross-border data flows are increasingly frequent, serving as a new engine of economic growth and a new arena for global competition. Photo: TUCHONG
As the digital economy thrives worldwide, cross-border data flows are increasingly frequent, serving as a new engine of economic growth and a new arena for global competition. To develop the digital economy and ensure data security, many countries around the world are intensifying their efforts to construct a system of rules for cross-border data flow, which is equally significant to China. This highlights the necessity to properly conceive the top-level design for governance of cross-border data flow from the perspective of advancing the rule of law in domestic and foreign-related affairs in a coordinated manner, with a view to continuously optimize China’s data governance system, and jointly build an open, inclusive, and collaborative global governance system for cross-border data flow.
China’s policies and practices
Digital trade and data security are not mutually exclusive. On March 22, 2024, the Cyberspace Administration of China unveiled the Provisions on Promoting and Regulating Cross-border Data Flows. While upholding the principle of security for outbound data transfer, the regulations moderately loosen supervision of outbound data transfer, and creatively institute several rules to facilitate data flow, further enriching and refining Chinese approaches to managing cross-border data flow. In terms of coordinating the security of data export and the development of digital trade, China has made the following institutional innovations.
First, a mechanism has been established to classify and hierarchically manage data across borders. The promulgation of such laws as the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL) has laid the basic legal framework for the establishment of a cross-border data classification and hierarchical management mechanism in China.
According to Article 38 of the PIPL, a personal information processor that truly needs to provide personal information for a party outside the territory of the PRC for business or other reasons shall pass security assessment, conclude a standard contract, or obtain personal information protection certification. Data processors can choose to apply for security assessment, sign a contract, or pass the protection certification in accordance with the Measures for Security Assessment of Outbound Data Transfer, the Measures for Standard Contracts for Outbound Transfer of Personal Information, and the Implementation Rules for Personal Information Protection Certification.
In practice, the applicable boundaries of security assessment, standard contract, and protection certification are relatively blurred, resulting in high compliance and regulatory costs for data export. To rectify this, the Provisions on Promoting and Regulating Cross-border Data Flows optimizes the regulatory system for outbound data transfer, expanding the circumstances under which security assessments shall be exempted, standard contracts concluded, and protection certifications passed. These include scenarios in which non-personal information, or non-important data collected and generated in activities like international trade, is provided overseas, and personal information collected and generated overseas is transferred to China for processing and then provided overseas. This will boost the development of digital trade, attract more offshore data centers to China, and help concentrate global data resources in China.
Second, pilot free trade zones (FTZs) have been fully authorized to carry out pilot projects. Under the national institutional framework of data classification and hierarchical protection, pilot FTZs are allowed to explore institutional opening up in the field of data and build a new model for the management of cross-border data flow.
According to the Law on Hainan Free Trade Port, “A data flow management system shall be established in the Hainan Free Trade Port in accordance with the law to ensure the safe, orderly, free, and convenient flow of data, to open up communication resources and communication services in an orderly manner, and to expand opening up in the field of data.”
The Provisions on Promoting and Regulating Cross-border Data Flows further establishes a negative list system for pilot FTZs, which are entitled to formulate their own negative list for data export, and data beyond the negative list can flow freely, exempt from applying for security assessment, entering into a standard contract, or passing the protection certification.
On May 9, 2024, the Tianjin Pilot Free Trade Zone issued the country’s first negative list for outbound data transfer in light of the Provisions, thus facilitating the orderly and efficient law-based export of enterprises’ data.
The pilot FTZs’ exemplary role in the supervision of outbound data transfer is also reflected in the alignment with institutional arrangements for international cross-border data flows within regions. Article 42 of the Law on Hainan Free Trade Port stipulates that the state supports the Hainan Free Trade Port in exploring institutional arrangements for regional cross-border data flow. This reserves institutional room for pilot FTZs to observe high-standard cross-border data flow rules.
Third, national security reviews will be carried out in accordance with laws and regulations on activities such as cross-border data flows and foreign capital’s mergers and acquisitions that affect or may affect national security. At present, countries worldwide are highly concerned about national security risks posed by cross-border data flow and have successively clarified the legal requirements and regulatory tools for related national security reviews.
Based on laws like the General Data Protection Regulation and the Framework for the Screening of Foreign Direct Investments, the European Union has incorporated risks from cross-border data flow into the national security review scope. While emphasizing the free flow of data across borders, the United States also prevents and controls national security risks from cross-border data transmission through export control, investment screening, and other measures according to the Export Administration Regulations and the Foreign Investment Risk Review Modernization Act.
China has established a two-dimensional security review system that integrates a cybersecurity review and a data security review. Article 35 of the Cybersecurity Law and Article 2 of the Cybersecurity Review Measures mainly specify security reviews for critical information infrastructure operators and online platform operators, while Article 24 of the Data Security Law targets security reviews of data itself. The cybersecurity review and data security review shall be initiated by regulatory bodies ex officio. Together with data security assessment voluntarily declared by data processors, they constitute China’s security review and assessment system for outbound data transfer.
Fourth, China has constructed and applied a legal toolbox to deal with data protectionism and long-arm data jurisdiction. The Opinions of the CPC Central Committee and the State Council on Building a Data Foundation System to Better Play the Role of Data Factors underscores the importance of opposing data hegemony and data protectionism, and of effectively coping with long-arm jurisdiction in the field of data.
Currently, certain countries have imposed long-arm jurisdiction over overseas data through unilateral legislation, taking discriminatory data protection measures against countries including China. In this regard, China has basically formed a foreign-related legal system that is both proactive and defensive, and links public and private sectors. Where any country or region adopts discriminatory measures relating to data against China, it will take countermeasures based on actual conditions.
In addition, according to Article 12 of the Anti-Foreign Sanctions Law and Article 9 of the Measures for Blocking the Improper Extraterritorial Application of Foreign Laws and Measures, Chinese citizens and organizations shall file recovery actions in the people’s court to demand compensation from relevant subjects for losses caused by foreign discriminatory measures.
Global data governance
While improving the domestic legal system for cross-border data flow, China has also actively participated in the formulation of international rules and standards, and promoted the construction of an open, inclusive, and collaborative global data governance system. There are objective legal and regulatory differences between countries on cross-border data flows, making it difficult to bridge the gaps in the short term.
Against this backdrop, it is hard to reach a general consensus on specific models and rules for cross-border data flow. Therefore, negotiations over pertinent international rules should not aim to eliminate differences in domestic law, but should uphold the principle of extensive consultation, joint contribution, and shared benefits, and focus on ensuring a more open, inclusive, and coordinative global data governance system.
On one hand, it is essential to build a value consensus in the international community on national security as well as social and public interests through the Global Data Security Initiative. The WTO agreements, the Regional Comprehensive Economic Partnership (RCEP), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, and the Digital Economy Partnership Agreement all set terms on national security exceptions and public policy exceptions, while emphasizing the principles of trade liberalization and free cross-border data flow.
To safeguard national security or achieve public policy objectives, contracting states may adopt restrictive measures on cross-border data flow. Although the scope and conditions of applying exception clauses vary from agreement to agreement, they basically contain non-discriminatory and proportionate requirements. The restrictive measures taken by contracting states regarding the cross-border movement of data must not involve arbitrary or unjustified discrimination and must not exceed the limits necessary for realizing legitimate objectives.
Therefore, in the process of concluding and implementing bilateral and multilateral digital trade agreements, it is crucial to dedicate an institutional space to national security and public policy. Moreover, attention should be paid to guarding against the generalization and abuse of national security exceptions and public policy exceptions, opposing data protectionism and the “double standard” of cross-border data flow under the disguise of national security and public policy.
On the other hand, cooperation on the Belt and Road Initiative (BRI) and the construction of the Digital Silk Road should be leveraged to advance the joint construction of an open and inclusive cross-border data free flow circle within the BRI framework. At present, the United States stresses the free flow of data across borders based on the interests of digital enterprises, while the European Union imposes relatively strict restrictions on cross-border data flow given personal information protection requirements. In contrast, China places more emphasis on the balanced development of digital trade and data security, which represents a greater convergence of interests with BRI-related countries.
As one of the most influential economic and trade agreements along the Belt and Road, the RCEP is anchored in the free flow of business data across borders, supplemented by national security and public policy exceptions. This is highly consistent with China’s orientation in reforming rules for cross-border data flow governance.
So far, China has ratified the RCEP and promoted domestic legislation of the agreement. In the future, considerations should be given to exploring the joint construction of a cross-border data free flow circle under the BRI, while reserving a space for national security and public policy, with rules on cross-border data flow in RCEP as a blueprint. Meanwhile, flexible and precise digital economic cooperation with BRI-related countries should be prioritized to help participating countries develop the digital economy and strengthen their sense of gain and identity in jointly building the Digital Silk Road.
Xu Shu is a professor and deputy dean of the School of Law at South China University of Technology.
Edited by CHEN MIRONG