China's national flag flutters at a business district in Beijing.

Blog Name

China's new rules on data flows could signal a shift away from security toward growth

Martin Chorzempa (PIIE) and Samm Sacks (Yale Law School Paul Tsai China Center and New America)

Date

Photo Credit: REUTERS/Kim Kyung-Hoon

Body

A new set of draft rules issued by China would, if finalized, roll back a key part of China’s data regulatory regime that was on course to force a disruptive data decoupling between China and the rest of the world. China still has a thicket of complex data rules and a host of other security focused laws on the books creating headaches for businesses—both Chinese and foreign. Nevertheless, the new rules may signal that the leadership under President Xi Jinping could put substance behind its rhetorical commitment to helping the private sector, even at the expense of reducing Beijing’s control and visibility over an area it considers crucial to national security.

China’s slowing growth and declining foreign investment are sparking a global debate about whether “peak China” is already behind us. In August, US Secretary of Commerce Gina Raimondo told reporters that American firms are calling China “uninvestable.”Many scholars, including Adam Posen, Sheena Chestnut Greitens, and Barry Naughton, have blamed at least in part a shift in China’s political system under Xi that has implemented policies, including a flood of regulations on data security and technology, forsacrificing growth to enhance security and Party control over the economy. China’s near term policy direction depends in part on whether its new leadership team, installed in October 2022 and March of this year, sees the current economic weakness as a need to change course and reverse some of thesecuritization of the economy to encourage growth, or will continue on the path that has damaged business confidence. It has sent many signals recently about supporting theprivate sector and welcoming foreign investment, but regaining the confidence of domestic and foreign businesses and investors will be a major challenge. The most recent move on data regulations suggests pro-business voices may have the upper hand in this key area where security overreach was particularly disruptive to business, but continued liberalization is far from assured.

Data Flows in Peril

Multinational businesses active in China, whether based there or abroad, need to transfer data generated in China outside the country to operate effectively. Staff at headquarters need a mix of personal and other data to know who their customers and employees are, manage payroll, monitor performance of subsidiaries, detect fraud, and manage cybersecurity for global operations. Data flows are particularly important and sensitive for the tech sector with its enormous databases of personal information, but all sectors of the economy rely on the movement of information across borders.

Businesses’ desire for unfettered data flows has come up against national authorities increasingly pushing for “data localization” regimes that would keep certain data from leaving their borders, not just in China but also in places like India. Adebate has been unfolding inside China’s political bureaucracy formore than half a decade between pragmatists advocating for a more pro-business, open approach, and security hardliners seeking to require more data collected in China remain on servers located inside the country. In the past two years, coinciding with but largely separate from China’s broader tech crackdown, the hardliners seemed to come out on top, creating what scholars called a “daunting compliance burden for covered organizations that seek to transfer data abroad.” China’s cybersecurity law, effective in 2017, required “critical information infrastructure operators (CIIOs)” who gather or produce “personal information” or “important data” during operations within the mainland to perform security assessments for data transferred out of China. Then in late 2021, the Cyberspace Administration of China (CAC), following requirements in the Personal Information Protection Law and the Data Security Law, expanded the requirement to include “data handler” with “important data” and certain personal data, massively expanding the net of entities affected.

When those rules took full effect in September 2022, firms were left with unclear expectations because key provisions like the definition of “important data” and whether a firm would be designated as a CIIO remained unresolved. The CAC pushed back the March 1, 2023 deadline for firms to come into full compliance, as it had publicly approved only two firms for cross-border transfers by the time the regime was supposed to be fully operational, despite months of back and forth with firms. Criticism has intensified in the last six months as the CAC rejected most of the categories of data contained in firms’ applications for outbound transfer as “unnecessary,” leading them to weigh further walling off data from their China operations or risk major penalties, contributing to a loss of confidence in China’s business environment.

Rolling Back Unworkable Cyber Rules

The CAC’s formal proposal to roll back this unworkable regime is consistent with a rumor that China’s top economic policy official, Premier Li Qiang, would push the CAC to ease this burden. If implemented, the proposed rules would reduce the pressure on companies to voluntarily localize much of their data, to the detriment of their global operations, and ease the regulatory purgatory of the security assessment process for data that require it, a process in which companies had submitted reams of documents only to have them kicked back with requirements to resubmit.

First, the transfer of data falling under broad categories like international trade, academic cooperation, transnational manufacturing, and marketing would no longer require prior approval before transferring overseas. Second, with regard to yet undefined “important data,” data transfer approval would only be required once authorities either explicitly define what categories of data constitute “important data” or if firms are directly notified their data are “important,” thus reducing the chilling effect of this part of the rules. Third, the rules lift the pre-approval requirement that firms must go through a CAC security assessment, standardized contracts, or passing personal information certification, at least for outbound transfers of some personal data, such as that involved in contracts, travel, human resources, and emergencies).

Under the previous rules that may now be superseded, the CAC ultimately determined what kind of outbound data transfers were “necessary.” By contrast, Dr. Hong Yanqing, a leading Chinese data law scholar who has helped shape China’s data governance system, has written that the most important change in the new regulation would give companies, not regulators, priority in determining what is necessary for their global business, at least for companies that process data of less than a million individuals. While the CAC would still be able to draw security redlines for more sensitive data, necessity would be more in the hands of firms to decide. Dr. Hong also singles out a “shift from ex-ante supervision to in-process and ex-post supervision,” allowing most data flows to continue while the regime’s contours are better fleshed out.

If implemented as written, the relaxation in the draft significantly lowers but does not eliminate data regulatory risk, because it further defers a decision on what constitutes important data. The CAC and other sector regulators can determine at any time that a company has “important data,” triggering the security assessment and leading to disruption and more negotiations with regulators, and yet unclear “sensitive personal information,” will be subject to more onerous restrictions under existing laws. The new rules also do not resolve two crucial areas of ambiguity: whether customer data (needed for global sales analytics) will be included in the list of allowable transfers and if compliance with US government audits or investigations would trigger a security assessment.

Still, the new draft regulations could allow many companies to continue business as usual, insulating them until the debate inside China’s political bureaucracy over data can be resolved. In doing so, China has shown a degree of responsiveness to complaints from the foreign and domestic private sector for the sake of the economy. Moreover, the leadership has signaled it will not shut off data flows or enforce regulations in an arbitrary fashion. Not only did the leadership commit to a more “transparent and predictable” approach to technology regulation in the wake of the tech crackdown, the new regulations follow directly on the State Council’s 24 measures unveiled in August, which explicitly call for free data flows. Other concrete actions to improve the business environment could flow from those measures as well.

Are the draft rules a one-off or a new direction?

It is too early to tell whether this data breakthrough for business in China portends a future shift towards prioritizing economic growth that could put China on a healthier economic trajectory and prove it is investable for domestic and foreign business alike. China’s economic success over the past decades is to a great extent due to the government getting out of the way of businesses, and reversing this has cost it dearly in growth and investment. Despite the positive news, the premier cannot intervene on every complaint of foreign business in China, and the regime will tighten again as important data is defined. Nevertheless, it is a positive signal that business concerns led China to scale back a major, unworkable security rule in a sensitive area. Hopefully it becomes a trend.

Martin Chorzempa is a senior fellow at the Peterson Institute for International Economics. Samm Sacks is a senior fellow at Yale Law School Paul Tsai China Center and New America.

Data Disclosure

This publication does not include a replication package.

More From