Data Localization vs. Data Governance: Why China Should Support Open, Clear, and Binding Rules on Data Flows and Digital Trade

Nigel Cory presented at the 2nd International Cyberspace Governance Forum hosted in Beijing, China, by Beihang University and Beijing Normal University. As part of the agenda on “The Rules of Digital Economy,” Cory addressed the topic of “Data Localization vs. Data Governance: Why China Should Support Open, Clear, and Binding Rules on Data Flows and Digital Trade.” Cory’s presentation is attached. An English/Chinese summary of his remarks follows.

Abstract

摘要

Data is the lifeblood of the modern global economy. Digital trade and data-driven innovation—the use of data to create value—has become increasingly important to economic growth, competitiveness, scientific discovery, and social progress. Businesses use data to create value, and many can only maximize that value when data can flow freely across borders, obviously while still managing and protecting data as per local laws, so that these rules move with the data wherever it is transferred. Economic and firm competitiveness and innovation increasingly depends upon how firms aggregate and use data, which, in part, depends upon firms engaging in data flows and digital trade. Data will naturally move across borders unless governments enact artificial restrictions. Yet a growing number of countries (like China) are enacting barriers that make it more expensive and time consuming, if not illegal, to transfer data overseas (a concept known as data localization).

数据已然成为现代全球经济的命脉。数字贸易和数据驱动的创新——即利用数据创造价值——对经济增长、增强竞争力、科学探索和社会进步变得越来越重要。企业利用数据创造价值，并且大部分企业只有在数据自由流动的情况下才能实现其价值的最大化。当然这还意味着各地还需要立法管理和保护数据，以便流动的数据在各地都能收到保护。经济体和企业的竞争和创新能力越来越依赖于企业如何聚合和使用数据，同时也部分地依赖于企业参与到数据流动和数字贸易的程度。数据自身能够天然地完成跨境流动，除非政府对此制定人为的限制措施。然而，越来越多的国家（例如中国）正在制造障碍，使得向海外传输数据费用高昂且耗费大量时间，甚至将某些数据出境活动定性为“非法”（即众多周知的“数据本地化”概念）。

China is a world leader in digital protectionism. It has long enacted restrictions on data imports via the “Great Firewall.” It has enacted a growing range of data localization requirements, which in addition to other market access, licensing, and other restrictions, closes its digital economy off for many foreign firms wanting to engage in digital trade. Data localization and digital protectionism are misguided and short-sighted policies and strategies. For example, the glaring lack of reciprocity means that other countries will increasingly target Chinese tech firms “going global” as their own firms do not have similar access to the Chinese market.

中国在数字保护主义方面处于世界领先地位。长期以来，它一直利用“防火墙”对导入数据进行限制。在其他市场准入、许可和限制基础之上，它制定了越来越多的数据本地化要求，关闭了许多希望从事数字贸易的外国公司联通数字经济的通道。数据本地化和数字保护主义是误导和短视的政策和战略。例如，明显缺乏互惠待遇意味着其他国家将越来越多地针对中国科技公司的“走出去”战略，因为他们自己的公司没有类似的进入中国市场的机会。

China has not made any meaningful and binding commitments on data flows and digital trade in its trade agreements. For example, the Regional Comprehensive Economic Partnership’s ecommerce chapter did not include meaningful commitments on data flows and digital trade and it is non-binding (thus not legally enforceable). The U.S.-China “Phase 1” talks included cloud services and digital market access, but ultimately, did not include meaningful commitments. Similarly, the European Union-China Comprehensive Agreement on Investment only locked in current restrictive cloud market access rules. China’s efforts to experiment with greater digital service and data access in digital-friendly free trade zones (FTZs) in Beijing, Tianjin, Shanghai, Chongqing, and elsewhere will not be appealing, nor meaningful, for foreign firms and trading partners as digital services require broad market access that small geographic trade zones do not provide. China has signaled it wants to join both the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and new Digital Economy Agreements (involving Chile, New Zealand, and Singapore), but both initiatives contain ambitious and binding commitments on data flows and digital trade so it is difficult to see how China would show it is similarly ambitious given it hasn’t made any similar commitments. It’s great that China is part of ecommerce negotiations at the World Trade Organization. While negotiations have not yet gotten to sensitive issues like data flows, it will inevitably involve making commitments on this issue as it’s central to global ecommerce and digital trade. Commitments on data flows are a deal maker—or breaker—for Japan, the United States, and other supporters of digital free trade.

中国在其贸易协定中没有对数据流动和数字贸易做出任何有意义和有约束力的承诺。例如，《区域全面经济伙伴关系》的电子商务章节没有包括对数据流动和数字贸易的有意义的承诺，而且不具有约束力（因此在法律上无法执行）。美中 "第一阶段 "贸易谈判包括了云服务和数字市场准入，但最终并没有包括有意义的承诺。同样，欧盟-中国全面投资协议只锁定了目前限制性的云市场准入规则。中国在北京、天津、上海、重庆和其他地方的数字友好型自由贸易区（FTZs）尝试更多的数字服务和数据准入的努力，对外国公司和贸易伙伴来说没有吸引力，也缺乏实质意义，因为数字服务需要广泛的市场准入，而小型地理贸易区无法提供。中国已经表示要加入《跨太平洋伙伴关系全面进步协议》（CPTPP）和新的数字经济协议（涉及智利、新西兰和新加坡），但这两个倡议都包含了对数据流和数字贸易的雄心勃勃和具有约束力的承诺，所以很难看到中国如何在没有做出任何类似承诺的情况下显示出它的诚意。中国参与世界贸易组织的电子商务谈判是件好事。虽然谈判还没有涉及到数据流等敏感问题，但它将不可避免地涉及到在这个问题上做出承诺，因为它是全球电子商务和数字贸易的核心。对于日本、美国和其他数字自由贸易的支持者来说，关于数据流动的承诺是交易的决定因素，或者是破坏因素。

China has been enacting a comprehensive and ambitious set of laws and regulations dealing with data privacy, security, protection, and national security. However, it has applied a very broad and restrictive conceptualization of national security to its domestic approach to data governance. China’s current focus is on local data storage and control and overly broad national security measures. For China, data localization is the norm, free data flows the exception. It’s exactly the opposite for most of the rest of the world. Data flows are the norm and data localization the rare exception as part of the narrow conceptualization and application of national security concerns. China’s broad application of national security, as applied in its various laws and regulations, are not in line with emerging global norms and best practices (as evident in the CPTPP and the new digital economy agreements).

中国一直在制定一套全面和雄心勃勃的法律和法规，涉及数据隐私、安全、保护和国家安全。然而，它在国内的数据治理方法中采用了非常广泛和限制性的国家安全概念。中国目前的重点是本地数据存储和控制以及过于宽泛的国家安全措施。对中国来说，数据本地化是常态，数据自由流动是例外。对于世界上大多数国家来说，情况恰恰相反。数据流动是常态，数据本地化是罕见的例外，是对国家安全问题的狭义概念化和应用的一部分。中国对国家安全的广泛应用，正如其各种法律和法规中所应用的那样，不符合新兴的全球规范和最佳做法（如CPTPP和新的数字经济协议中所显示的）

The vast majority of data and digital services do not involve national security concerns. By treating most data and digital services as a national security issue, China makes it difficult, if not impossible, to create clear, open, and predictable digital market access for foreign firms and trading partners that expect to be treated like China wants its firms treated—in a fair, transparent, and predictable manner. These are all core principles of the global trading system (via the World Trade Organization’s principles of most-favored nation and national treatment). Creating a legal framework that requires the government to pre-screen and approve firm-level data transfers is antithetical to modern business and trade and legal practice. Modern business and trade involves data transfers as a matter of course. It is a simple fact that international trade involving consumers cannot take place without collecting and sending personal data across borders—such as names, addresses, billing and payment information, etc. The same applies for modern manufacturing and services trade and their use of personal and non-personal data.

绝大多数的数据和数字服务并不涉及国家安全问题。通过将大多数数据和数字服务视为国家安全问题，中国使得为外国公司和贸易伙伴创造清晰、开放和可预测的数字市场准入变得困难，甚至是不可能的，这些公司和贸易伙伴期望得到中国希望自己的公司得到的待遇--公平、透明和可预测的对待。这些都是全球贸易体系的核心原则（通过世界贸易组织的最惠国待遇和国民待遇原则）。建立一个法律框架，要求政府预先筛选和批准公司层面的数据传输，这与现代商业和贸易以及法律实践是背道而驰的。现代商业和贸易涉及数据传输是理所当然的事。一个简单的事实是，如果不收集和发送个人数据（如姓名、地址、账单和付款信息等），涉及消费者的国际贸易就无法进行。这同样适用于现代制造业和服务贸易及其对个人和非个人数据的使用。

China should follow what most other countries do in applying the legal principle of accountability and responsibility. Rather than tell firms where they can store or process data, policymakers should hold firms accountable for managing data they collect, regardless of where they store or process it. China should narrowly define and apply restrictions on genuinely national security-related issues and create data privacy, protection, and other laws that ensure these legal responsibilities travel with data transfers. Beyond trade agreements, China should seek to build global data governance by pursuing sectoral agreements with counterparts to address shared and legitimate issues raised by data and data flows. For example, a sectoral agreement on health data and research would support the collection and sharing of health and genomic data to support health outcomes that would benefit everyone. Another example is updated agreements on financial regulatory oversight to ensure regulatory authorities have the access to data they need for oversight.

中国应该效仿其他大多数国家的做法，应用问责和责任的法律原则。政策制定者不应该告诉企业他们可以在哪里存储或处理数据，而是应该让企业对管理他们收集的数据负责，无论他们在哪里存储或处理数据。中国应该对真正与国家安全有关的问题进行严格的定义和应用限制，并制定数据隐私、保护和其他法律，确保这些法律责任随着数据转移一起跨境流动。在贸易协定之外，中国应以与同行达成部门协议的方式来解决数据和数据流带来的共同和合法问题，寻求建立全球的

数据治理。例如，关于健康数据和研究的行业协议可以支持健康和基因组数据的收集和共享，以支持有利于所有人的健康成果。另一个例子是关于金融监管监督的最新协议，以确保监管当局能够获得其监督所需的数据。

In an ideal world, China would be part of the WTO and other global data governance negotiations given its large and growing domestic digital economy. However, it has no track record showing it is willing to make meaningful and legally binding commitments on free data flows, digital free trade, and shared/cooperative global data governance. China needs to make reforms to bring its currently restrictive domestic data governance arrangements into alignment with emerging global norms and best practices on free data flows, data governance, and digital free trade.

在一个理想的世界里，鉴于中国庞大且不断增长的国内数字经济，它将成为世贸组织和其他全球数据治理谈判的一部分。然而，中国没有任何历史记录表明它愿意在数据自由流动、数字自由贸易和共享/合作的全球数据治理方面做出有意义和有法律约束力的承诺。中国需要进行改革，使其目前限制性的国内数据治理安排与新兴的全球规范和自由数据流、数据治理和数字自由贸易的最佳做法保持一致。