China’s Data Security Initiative: Universal Participation Under Digital Sovereignty

Posted by Wang, Yi on September 9, 2020

As part of China’s multilateral anti-decoupling advocacy efforts, the Chinese Foreign Minister and State Councillor Wang Yi released the Global Data Security Initiative on September 8, 2020 to encourage global rule-setting in digital supply chain. Key take-ways:

• Instead of stressing preservation or gaining technology leadership or nationalist agenda, it aims to build a more non-discriminatory environment above the fray.
• It stresses respecting digital sovereignty in extra-territorial enforcement.
• It represents significant change at top level to cope with issues arising from aggressive US enforcement on cross-border data access and the expanding sanctions against Chinese ICT companies deemed as under state influence threatening national security or foreign policy interests of US.
• Meanwhile, Beijing-specific market access deregulation and tax holidays are also kicked off to boost digital trade and foreign investment in ICT sectors.
• The Global Digital Security Initiative’s evolving nature and the associated market access measures released by China presents certain opportunities for direct investment projects or cross-border deals relating to critical infrastructure and sensitive data in both US and China.
• Companies must still thoroughly evaluate these market access opportunities and work closely with their counsels and strategic planning functions to hedge against geopolitical risks, and ensure local compliance in China, both operationally and in the event of investigations by US regulators.

Key Message from China’s Global Data Security Initiative

Key take-away includes:

• Ensure openness and stability of the global supply chain
• Respect the sovereignty and governance of data of other nations
• Respect local laws and prohibit forced data localization concerning data “generated overseas”
• Prohibit “backdoors” installed “by businesses” in their products or services
• Prohibit requesting businesses or individuals to surrender overseas data absent obtaining due permission under applicable laws of other nations
• Oppose cyber-attacks targeting critical infrastructure or sensitive data of other nations
• Prohibit data theft or privacy-infringing activities about personal data
• Prohibit abuse of information technology with mass surveillance of other nations and collection of personal data of other nations

Multilateral Consensus, Universal Access, Non-discrimination with Digital Sovereignty as Principle

Before its release, China stressed at a G20 communication meeting to attach priority to “data security and cross-border data flows to jointly create an open, fair, impartial and nondiscriminatory business environment.” In the context of the Global Data Security Initiative, China further stressed that “Global data security rules that reflect the wishes of all countries and respect the interests of all parties should be reached on the basis of universal participation by all parties.”

The Global Data Security Initiative is a policy response to US-initiated Clean Network initiative and the broader ICT ban we alerted.  It sets a more liberal regulatory position than those under the pre-existing national security regime which empowers the state with broad, to-be-defined counter-intelligence and investigatory powers to regulate a digitizing society and protect data security and privacy.

More Market Access and Subsidies for ICT Companies Deepening Presence and Operations in China

On the same day, China also announced Beijing-specific investment liberalization measures to boost digital trade including tax holidays, pilot free trade zone for sensitive sectors still restricted elsewhere nationwide, and a digital trade exchange house. We’re delighted to provide the details upon separate request.

Blocking Statute Re-stressed

Nevertheless, the Global Data Security Initiative by China reiterates blocking statute requirements against overseas administrative and criminal proceedings, as we alerted in the context of draft Data Security Law.  Specifically, it stresses digital sovereignty and reiterates that judicial assistance or prior governmental approval as prerequisite to an investigation or enforcement by foreign authorities, as quoted below:

Cross-border evidential/investigatory efforts seeking data abroad to combat crime or for law enforcement purposes by the nations shall go through the judicial assistance or inter-governmental regulatory arrangements under multilateral/bilateral agreements. Nations shall not infringe the judicial sovereignty and data security of the third countries in conducting bilateral agreements for cross-border data access.

(各国如因打击犯罪等执法需要跨境调取数据，应通过司法协助渠道或其他相关多双边协议解决。国家间缔结跨境调取数据双边协议，不得侵犯第三国司法主权和数据安全。)

Absent specific criteria and process to substantiate these principles, it remains to be seen how, at grassroots level, the latest China-initiated Global Data Security Initiative would change the legal barriers under pre-existing regulatory regime, such as those impacting inter-governmental collaboration and enforcement such as national security, data privacy, financial fraud, anti-money laundry. and those under FCPA (Foreign Corrupt Practice Act) and their local counterparts.

We continue to closely monitor trade regulation/anti-corruption developments and the impacts to risk management functions of international businesses. Should you have any questions, please do not hesitate to contact us.