In the second half of 2022, China unveiled the details of its data export regulations, providing further explanations of its existing laws and regulations on data.

While there is no outright ban on cross-border data transfers, the restrictions and procedures imposed on them could create significant barriers to the cross-border flow of data for legitimate business operations.

Such restrictions could potentially discourage companies from doing business in or with China, and eventually reduce the country's trade competitiveness.

China’s data rules restrict cross-border data flows
Since becoming effective in 2018, the European Union's (EU) General Data Protection Regulation (GDPR) has been hailed as the gold standard in data protection. Perhaps surprisingly to many Western observers, China’s Personal Information Protection Law borrowed many of the concepts and much of the regulatory framework from GDPR.

For example, China defines personal information in a similar way as GDPR. China adopts the same consent requirement in obtaining personal data and for transmitting such data abroad. China also adopts GDPR’s approach in providing standard contractual clauses to govern cross-border data transfers.

China following GDPR helps create regulatory interoperability around data and reduce data compliance burdens for companies having global footprints.

However, despite the similarities in certain approaches between GDPR and Chinese data laws and regulations, China’s approach towards cross-border data flows is a significant departure from GDPR’s general principles endorsing free flow of data. Here's how:

  • First, China requires that “critical information infrastructure” data and “core/important data” be stored in the country. When it is necessary to transfer those data overseas for business purposes, the operators and the holders of those data must go through a data security review process and obtain necessary approvals. What constitutes “critical information infrastructure” or “core/important” is vaguely defined. The importance of personal data is tied to the volume a data provider plans to transfer or controls (whether or not the plan is to transfer all of it).
  • Second, GDPR allows market players to have the freedom to move data from the GDPR territory to a country that has adequate protection comparable to GDPR. Such broad exemption for cross-border data transfers under the “adequacy of the level of protection” is absent in China.
  • Third, GDPR provides more room for companies to move data across borders, including allowing companies to freely transfer data as long as they have in place “binding corporate rules” or “code of conduct” that satisfy requirements GDPR sets out. In China, those options are not available.
  • Moreover, even companies that are qualified to transfer data across borders are asked to “record their Standard Contractual Clauses and their privacy impact assessment report” with competent regulators before they can legally transfer data out of China. Such a requirement creates practical obstacles for companies that have a regular need for cross-border data processing.

During the Doha Round in 2001, the most recent round of trade negotiations among World Trade Organization (WTO) members, data was not yet an important subject matter for global trade.

China’s trade obligations revolve mostly around the WTO. There is no WTO rule preventing countries from making data localization rules or restricting cross-border data flows.

Since its participation in the WTO, China has become the factory of the world. China’s world factory status also allows China to develop advanced manufacturing leveraging data and artificial intelligence technology.

In addition to being the manufacturing centre of goods, China also has a booming digital economy, second only to the United States in absolute terms. Chinese tech companies have benefited from the lack of foreign competition in digital services and from relaxed privacy-related rules for many years.

China's data flow policies could work against it
However, with restrictions on data flows, China faces challenges not only to its seat as the world’s factory, but also its digital economy champion status. Policies around cross-border data flows can tilt the balance in favour of China’s trade competitors such as Vietnam or Singapore.

Data has been playing a more important role in the future of manufacturing. Since 2020, more and more companies have started moving their supply chains beyond China to countries like Vietnam to diversify supply chain risk.

While Vietnam mandates the storage of data locally, transferring data outside Vietnam is not subject to requirements as strict as China's. Vietnam endorses GDPR’s “adequacy of the level of protection” principle.

Source: World Economic Forum