Last fall, China officially submitted its applications to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), in September and November 2021, respectively. Given the announcements were made by President Xi Jinping himself, who enjoys absolute power and fully controls policy making, it seems China is determined to join these two agreements, each of which has considerable influence on international trade in the digital age. In a country where political calculation and economic considerations inevitably prevail over laws and regulations, the top leader’s engagement likely would provide enough leeway to overcome the seemingly insuperable difficulties facing China’s entry into the two treaties.
Geopolitically, China needs to join these treaties to engage in international rulemaking in the digital economy. The country has lagged in this area. The status of rules collaborator would help Beijing become more relevant when competing in the global marketplace.
That said, the difficulties facing China’s entry are considerable and will require careful calculation and tough but flexible negotiating positions, if obstacles are to be overcome. Such care and flexibility are in China’s interest, given that these talks would in effect be a dress rehearsal for later negotiations concerning digital trade at the World Trade Organization (WTO).
Another consideration is the often cited logic of ushering in external pressure to push forward difficult domestic reforms, as China did in the 1990s when negotiating to join the WTO. Such reforms are expected in the areas of state-owned enterprises; market access in service sectors such as finance, telecommunications, broadcasting and television; government procurement; intellectual property rights protection regimes and implementation; investment rules, such as the issues of forced technology transfer and requirement of local partners; cross-border data flows; and labour rights — to name a few.
Among these, cross-border data flows are one challenge that has no obvious solution if China is serious about joining the CPTPP and the DEPA. There is a long and extremely difficult road ahead before China would be in a position to meet the demands of the free flow of data across borders and to commit to ban data localization in the CPTPP and the DEPA, given the broad and strict rules on these issues in China’s current laws and regulations. These include:
- Cybersecurity Law, effective June 1, 2017;
- Data Security Law, effective September 1, 2021;
- Personal Information Protection Law (PIPL), effective November 1, 2021;
- Measures of Security Assessments for Data Export (draft for comments), released by the Cyberspace Administration of China (CAC) on October 29, 2021 (“the Measures”); and
- Regulations on Network Data Security Management (draft for comments), released by the CAC on November 14, 2021 (“the Regulations”).
The pressure brought by the CPTPP and the DEPA is expected to push China to improve its data governance in terms of the level of precision and effectiveness of its regulations.
In principle, China allows and even encourages the free flow of data across its borders. Article 11 of the Data Security Law stipulates the principle of encouraging China to participate in international rulemaking and standard setting concerning data security and to “promote the safe and free flow of data across borders.” Article 41 of the PIPL and article 36 of the Data Security Law both state that China’s “responsible agencies” should adhere to relevant laws and international agreements or treaties China has signed or joined to provide data requested by law enforcement agencies from other countries.
These articles principally nudge open the door for China to take a flexible position on implementing international regulations on the free flow of data across borders. Article 38 of the Regulations further opened the door for China to compromise on its restrictions on cross-border data flows. It stipulates that China can follow the regulations of international agreements or treaties China has signed or joined to “provide personal information outside of the territory of the People’s Republic of China.”
In practice, however, China has imposed strict and broad limits on cross-border data flows in the same laws and regulations. These strict regulations, to China’s understanding, are reasonable and justified as they follow the same spirit of the clauses of “supervision exception” or “public security exception” in the CPTPP. But China’s limits on cross-border data flows in the name of the public security exception or supervision exception are actually far stricter. The what and how of the exceptions China would make are the most difficult issues and will be left for negotiators when China steps into the negotiating process for joining the CPTPP and the DEPA.
Among these issues, a major one is that many key definitions in China’s laws are loosely or vaguely defined, such as data classification categories and guidelines on what constitutes “important data,” and “national core data” in its three data-related laws, namely the Data Security Law, the PIPL and the Cybersecurity Law.
Further specific regulations have been made in the Measures and the Regulations on the basis of these three data-related laws, to address some of the loosely or vaguely defined issues. On the crucial question of under what circumstances a national data security review should be applied before data could be exported, article 37 of the Regulations and article 4 of the Measures, plus article 37 of the Cybersecurity Law and article 40 of the PIPL, say that a review would be needed for:
- any data handler that provides important data or more than 100,000 pieces of personal information or 10,000 pieces of sensitive personal information;
- any personal information and important data collected and produced by a critical information infrastructure operator;
- any export data that includes important data;
- any data handler that handles more than one million pieces of personal information; and
- other situations defined by the CAC.
If there is a road map for the possible easing of restrictions on cross-border data flows, it is likely to be China’s past experiences in the decades of reform.
Beyond these articles, these regulations and terms are otherwise not clearly defined. The definition and scope of “important data” described in the Regulations is still far more comprehensive, covering almost all walks of life in China’s society. The definition of “core data” in the Regulations is also vaguely stated. Accordingly, restrictions on cross-border data flows are widely considered necessary in the name of supervision or public security, and applied. More flexible measures and practices are needed to smooth the way for China to join the CPTPP and the DEPA.
Two basic principles, precision and effectiveness in classification and restrictions of types of data on cross-border data flows regulations, have been suggested by Chinese researchers as a way of introducing several crucial reform measures to relax China’s restrictions in this regard.
The first recommended reform would be to create multiple means or mechanisms to facilitate cross-border data transfer: for example, by establishing independent certification bodies to regulate cross-border data flows, similar to those defined in the General Data Protection Regulation (GDPR), and by following the practice of the Standard Contractual Clauses adopted by the European Commission (tools designed to provide practical guidance on data transfer and efforts to comply with data protection laws), to build China’s own standardized and pre-approved model data protection specifications. In China’s case, perhaps standards made by quasi-state trade associations in a certain industry could be applied to regulate cross-border data flows concerning this industry.
A second reform proposed is an improved data classification management system to expand the scope of general commercial data that can flow freely without national data security review. In this regard, a once-and-for-all solution is to establish a negative list that specifies “important data” and “data on national security” such as data pertaining to national defence, geography, oceans, finance and so forth. For any data not on the list, its free flow would be allowed.
A third reform would be a streamlined national security review system for cross-border data flows, giving more weight to enterprises’ self-review and providing for mutual recognition between certain countries in terms of data security review standards. Data would be allowed to flow freely between China and these recognized countries, which would be put on the “whitelist,” a concept borrowed from the GDPR.
The fourth suggestion would be to follow the principle of the GDPR on personal information protection.
If there is a road map for the possible easing of restrictions on cross-border data flows, it is likely to be China’s past experiences in the decades of reform and opening-up policy commenced at the end of the 1970s. That is, drawing on these experiences, China might promote cross-border data flows in its free trade zones (FTZs) first, then spread these practices nationwide later. FTZs are defined as testing grounds, in which different policies and regulations are allowed in to promote economic growth. Indeed, pilot programs for cross-border data flows in the FTZs of Shanghai and Hainan are already under way. Trial programs in negotiating bilateral free trade talks with the United Kingdom or certain countries under the Belt and Road Initiative framework are also being discussed.
For the requirement of data localization, China could also use the same logic adopted in FTZs to create a special supervision zone or “digital customs territory,” in which entities such as data centres, cloud service providers and digital platforms could be treated with a “special supervision status.” For example, a data centre, cloud service provider or digital platform located in a special FTZ or in a virtual location in cyberspace could be deemed as being outside traditional customs territory, and thus enjoy the free flow of data. In this way, a “supervision exception” or “public security exception” could be created.
At present, any reforms that would enable the free or more liberalized flow of data across China’s borders are basically theoretical or proceeding extremely slowly. They will need to be accelerated by external pressure brought to bear by China’s negotiations to join the CPTPP and the DEPA. This could be an important rationale behind China’s submission to join the two treaties.
In any case, continuing strict restrictions on cross-border data flows effectively prevents Chinese digital platforms, such as Alibaba or Tencent, from becoming large international internet firms like Google or Facebook.
The stakes for member states of the CPTPP and the DEPA are high: China’s accession — or, more specifically, the compromises required of Beijing in order for it to gain entry — could help shape the future of not only the Chinese but also the global economy.
The risk for business or other entities who want to do digital trade with China is that they will have to muddle through China’s complicated system of regulations to get cross-border data transfer, even if China were to join the CPTPP and the DEPA with some key compromises.
After all, the implementation of rules is always the most difficult part of any engagement with China. Regulatory environments can change overnight due to political factors, as evidenced by the regulatory crackdown on China’s big tech since 2021 and Beijing’s latest lockdowns due to its zero-COVID-19 policy.
That said, the scale of the market is such that foreign businesses can still earn vast profits once they learn to navigate through the maze of rules to get digital business done.
