China data rules will exacerbate global fragmentation

China is rolling out the world’s most comprehensive data regulatory regime

China's expanding data regulatory regime is designed to give the Chinese state maximum visibility of activity on Chinese digital networks while at the same time maintaining connectivity with the outside world. However, internal and external challenges to reconciling these two objectives are growing. How other jurisdictions respond to China’s regime will have great influence on prospects for future international economic integration.

What next

As the EU and the United States develop their own regulatory regimes and begin to enforce their rules consistently, conflicts with China will be increasingly unavoidable. Data flows among these three jurisdictions are unlikely to continue at present levels, given poor political prospects for governments making the necessary compromises. This will likely reinforce a global trend towards economic regionalisation.

Subsidiary Impacts

  • Foreign entities trying to do business with China will face an increasingly complex and still relatively opaque compliance environment.
  • Incompatible data governance regimes in the EU and United States will reinforce ‘decoupling’ pressures, impairing trade with China.
  • Multinational firms will localise operations to achieve legal compliance in different jurisdictions, promoting economic fragmentation.
  • China may try to negotiate compatibility arrangements with the EU and United States, but is unlikely to achieve much success.
  • Washington is leading negotiation of an Indo-Pacific Economic Framework covering digital trade, but in economic competition with China.

Analysis

Since President Xi Jinping's accession to power in 2012 and with increasing speed over recent years, China has been rolling out a regulatory regime to govern activity on its digital networks.

This series of laws, subordinate regulations and policy measures now constitutes the world's most comprehensive system for regulating data transfers and other behaviour involving cyberspace, such as cybersecurity.

Xi himself chairs China's top data governance committee

The regime is managed through an increasingly well-defined bureaucratic division of labour, supervised by a top-level committee chaired by Xi, the Central Committee for Cybersecurity and Informatisation.

The declared goal of the regulatory expansion is to enhance national security, now treated as a coequal priority with economic development in state-led governance of digital networks.

Some pillars of this regulatory regime only took effect in 2021, notably China's Data Security Law and Personal Information Protection Law (see CHINA: Data export rules create new risks - December 2, 2021 and see CHINA: Data Security Law will have impact overseas - August 9, 2021).

They result from a long development process shaped by various influences, including evolving political priorities, bureaucratic turf wars and foreign models, notably the EU's General Data Protection Regulation (GDPR).

Ambiguity and uncertainty

Much of the regime's detail remains specified only at the most general level in the pillar legislation, and will be progressively iterated through subordinate regulation and administrative action.

For example, the category of 'important data' is critical to obligations concerning data localisation within China and cross-border data transfer. The Data Security Law does not define this term, instead directing state agencies to develop catalogues of 'important data' within their jurisdictions.

Guidance for defining and managing 'important data' will be provided by national standards being developed through multi-stakeholder technical committees and by subordinate regulation. For instance, the Ministry of Industry and Information Technology in February published interim administrative measures that devolve responsibility for cataloguing 'important data' to handlers of 'industrial data' and 'IT data', terms defined by the interim measures.

For the time being, lack of detail in this regime leaves much uncertainty in how to fulfil compliance obligations. This is a particular challenge for entities seeking to transfer data across China's borders, or to maintain confidentiality of intellectual property and other proprietary data.

Chinese authorities have wide powers to access and compel provision of privately held data, although exercise of this authority may be increasingly constrained by regulation.

Obligations such as compliance with state supervision of encryption systems and establishment of in-house cybersecurity teams vetted by China's state security agencies further raise the risks for foreign actors operating in China or doing business with Chinese entities.

Impacts on trade

The ambiguity and scope of this data governance regime risk negatively impacting China's foreign trade, especially with the United States and EU.

The EU is expanding its data regulatory regime beyond the GDPR's personal privacy protections, and the assertive role of the Court of Justice of the EU in policing implementation has already resulted in one international data transfer regime (with the United States) being invalidated twice. The Court's emphasis on foreign jurisdictions needing to provide 'essentially equivalent' protections to the GDPR and on European stakeholders determining this unilaterally leaves little ground for compromise with foreign data governance laws and administrative measures.

Current political conditions do not suggest that the EU will be prepared to compromise with Beijing over conflicting data regulation for the sake of facilitating trade. The EU's senior diplomat described the EU-China summit on April 1 as a "dialogue of the deaf".

From a US viewpoint, the growing intrusiveness of Chinese data regulation compounds a range of other pressures promoting economic 'decoupling' from China. The US-China Business Council recently called China's emerging data regulatory regime "uniquely restrictive" and warned that it risked making China a "data island".

Because China's expanding data governance regime is driven by security and political concerns, it is unlikely to be wound back despite negative impacts on foreign trade.

Security is now on par with economic development as a priority for digital policy

Beijing is trying to mitigate these effects through measures such as trial 'data free-trade' zones with less restrictive regulation of international data transfers. Chinese regulations provide for negotiated cross-border transfer arrangements, and Beijing is seeking to join multilateral agreements that address data governance, notably the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) (see CHINA: Multilateral digital trade framework may emerge - December 8, 2021 and see EAST ASIA: China tensions will obstruct FTA expansion - October 15, 2021).

Multinational businesses are responding to these challenges by localising operations to achieve regulatory compliance, a trend indicated in multiple recent surveys. This will reinforce trade regionalisation at the expense of global-scale supply chains and markets.

These effects are likely to be especially pronounced in the western Pacific region, where a secular trend towards greater economic integration with China has persisted despite countervailing political pressures.

The Biden administration is negotiating an 'Indo-Pacific Economic Framework' which will cover digital trade issues, and so will probably touch upon data governance and transfers.

However, reports to date suggest that this initiative is unlikely to outweigh Chinese economic influence and US absence from the CPTPP.

A multilateral agreement that comprehensively aligns data governance regimes is unlikely, because countries vary in their degree of development of the digital economy and have different priorities in regulating it.

Despite the obstacles presented by China's data governance system, its economic gravity means that multinational firms and many countries will pursue the necessary compromises to continue economic exchanges. This will likely lead to increasing operational localisation by firms, with concomitant economic fragmentation, and bilateral agreements with China to govern cross-border data transfers.