China adopts transborder data transfers: A Prelude to the New Era?

The facilitation of cross-border data transfer is no longer a mere discussion

Over the last few years, the West has vigorously developed its facilitation of overseas data transfers, as shown by a surge of new legislation (e.g., the US CLOUD Act) and agreements (e.g., the UK-US Data Access Agreement). On the other side of the globe, China has also been making strenuous efforts to present itself as a supporter of data exports, despite its prolonged reluctance to allow outbound transfers of data. The first chapter of the story began in 2017, when Article 37 of the Cybersecurity Law (CSL) took effect and compelled Critical Information Infrastructure Operators (CIIOs) (i.e. equivalent to data processors under the GDPR) to complete a ‘security assessment’ before exporting data. In 2021, the Data Security Law (DSL) and Personal Information Protection Law (PIPL) were promulgated and were considered a crucial milestone for China due to their relatively higher level of specificity in regulating international data transfers.

The ‘Measures’

Even though commentators were optimistic about the modifications, certain ‘grey areas’ (e.g., the meaning of ‘important data’) remained under the mechanism. Further clarification was therefore deemed necessary to give corporations more certainty as to what the Chinese regulators genuinely expect in practice. In July 2022, the wait for clarification ended as the ‘Measures for Security Assessment of Data Exports’ (the ‘Measures’) were introduced by the Cyberspace Administration of China (CAC); they will take effect on 1 September 2022. The CAC stated that, due to the surge in cross-border data activity, the objective of the ‘Measures’ is to outline the detailed requirements of the Security Assessment in order to develop a healthy digital economy, mitigate the risk of data transfers, and safeguard national security and the public interest.

In essence, the ‘Measures’ articulate that the Security Assessment (SA) applies to data processors who export important data and personal information that are stored or generated within the territory of China. Article 4 explains the conditions under which a data processor has to submit the SA in further detail, namely:

  • Important data is transferred out of China;
  • The entity is (i) a ‘critical information infrastructure operator’ or (ii) a processor of more than one million individuals’ personal information;
  • Export of data outside China has involved (i) the personal information of 100 thousand individuals or (ii) the sensitive information of 10 thousand individuals since 1 January of the previous year;
  • Other circumstances that China’s cybersecurity and information department finds applicable.

Also, Article 5 of the ‘Measures’ underlines the key elements that ought to be considered when the data processor is conducting a self-assessment prior to applying for the Security Assessment, namely:

  • The legality, legitimacy, and necessity of the data export and the purpose, scope, and means of the data processing by the overseas recipient;
  • The scale, scope, type, and sensitivity of the data going abroad, and the risk the data going abroad could pose to national security, public interests, and the legitimate rights and interests of individuals or organisations;
  • The agreed obligation, and the management and technical measures to fulfil that obligation, and the capability to ensure the safety of the data export;
  • The risk of unauthorised alteration, destruction, leakage, loss, transfer or illegal access and utilisation during or after the export of data, and the effectiveness of data transfer;
  • Whether the contract or legal document concluded with the overseas recipient is sufficient to provide data security protection.

Certainty at last?

The finalisation of the ‘Measures’ showed a rare willingness on China’s part to widen the gate for international data transfers. Internally, China is brimming with positivity because the ‘Measures’ are ‘unanimously’ acclaimed by Chinese propaganda and experts as a comprehensive and holistic framework that forms a robust safety net for personal data. Domestic corporations are also persuaded that a detailed explanation of the requisites for data outflow could enable them to identify the important standards and principles that the Chinese authorities value. In other words, the red line should become more predictable. Thus, if the Chinese authorities apply this standard in an objective and consistent manner, the ‘Measures’ could act as clear guidance for corporations applying for the Security Assessment and lower the hurdle of sharing data with foreign recipients.

However, it is not yet time for celebration: corporations should not overlook the wording in the ‘Measures’ that is open to interpretation, and the definition of some ‘generic’ wording might have been left open intentionally. For instance, the meaning of ‘data processor’ is yet to be defined. Also, even though one of the key concepts, ‘important data’ (i.e. data that can pose harm to national security, the economy, social stability and public health and safety, etc.), is clarified within the ‘Measures’, its scope (which is left for sectoral regulators to decide) remains completely unknown. As a consequence, there is a major risk that the interpretation of these controversial concepts could become fragmented among regulators and difficult to follow. Moreover, China did not have an appealing past record in terms of legal consistency. It is, therefore, reasonable to be dubious about whether the authorities would apply what they have proposed fairly and consistently. Nevertheless, since substantial examples could be available in the near future, it is wise to preserve a ‘wait-and-see’ attitude before making a bold statement as to whether China could achieve legal certainty and enhance the efficiency of trans-border data transfers.

The Position of China

Moving on to a broader context, the question is perhaps whether the implementation of the ‘Measures’, together with other frameworks, has revealed China’s readiness to embrace an ideology on data exports similar to the one the West advocates. It is important to note that data sharing has never been a concept the Chinese authorities were keen to add to their dictionary. Thus, the uncomfortably high volume of data transfer in recent years is not something the Chinese authorities have liked to see. Yet the dilemma is that, in order to present itself as a leader in the development of internet and cloud services, as well as AI technology, China cannot avoid participating in global data transfer if it is to blend with the rest of the world. Therefore, although it has never been officially stated by the Chinese authorities, it can be inferred, by reference to the approach adopted by the EU and the US (i.e., balancing their commitment to facilitating overseas data transfer with forming a solid domestic data protection framework), that the new policies would constitute tools to lower the risk of being discriminated against by foreign legislation, like the GDPR. Also, from a national standpoint, the CSL, DSL, PIPL, and the ‘Measures’ are evidence of civilisation to safeguard the image of the CCP and China’s national interest.

As we know, from the UK to the US and from Poland to Moldova, the signing of collaboration agreements to foster data sharing is an undeniable trend. During the 10th Internet Security Conference in July in Beijing, it was a good sign to see insiders like Wu Hequan (the Vice President of the Chinese Academy of Engineering) tactfully addressing the likelihood of international collaboration coming into play once China has developed a strong domestic data protection mechanism. However, even if the ‘Measures’ could really make the sharing of personal data outside of China more feasible, it is still hard to determine whether China is ready to build a strong bond with the rest of the western world, given diplomatic tensions.

There is a popular saying in China that “Chinese don’t pay for the trick”, expressing the idea that the Chinese will by no means accept any attempts by western countries to impose their own values or standards on China. Since cross-border data transfer is an extremely sensitive topic, the Chinese authorities could use the uncertain areas within the Chinese legislation to obstruct any potential data transfer, even if the foreign receiver is requesting data on justifiable grounds. Among many justifications, ‘national security concern’ has been the most popular basis for Chinese authorities to refuse to comply with foreign regulations, as illustrated by the auditing issue of Chinese companies listed in the US. In the eyes of pessimists, the reality could be that all of this legislation is merely a tool that expands the Chinese authorities’ oversight of domestic data. In other words, the potential consequence could be that the CSL, DSL, PIPL or the ‘Measures’ would act as ‘legitimate grounds’ for the Chinese authorities to take control over all data outflow.

Although the situation might not be ideal, what is at least fair to infer by now, from a neutral point of view, is that China is showing a willingness to open the gate for data exports, but perhaps not to the point of being ready to enjoy the ‘data sharing party’ with the rest of the Western countries, as Kissinger-like optimists claimed. Thus, with all instruments and musicians in place, it is actually all up to the conductor’s interpretation.

