Weekend Long Read: How China’s Data Regulations Can Meet CPTPP Requirements (Part 3)
Here is my analysis on whether China’s cross-border data flow rules comply with the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
1. Clause 1 of CPTPP Article 14.11
Clause 1 of CPTPP Article 14.11 states that members may formulate their own regulatory requirements for the cross-border transfer of electronic information. This clause does not contain mandatory obligations.
China’s regulatory requirements on cross-border data flows can be summarized as follows: (1) A limited amount of data involving national security and major public interests must be stored locally; (2) Data can be transferred out of the country if certain conditions are met in general, including that of obtaining clearances from the security assessment, personal information protection certification and the standard contract; (3) A security review must be carried out under special circumstances that involve national security threats; (4) Data transfer restrictions can be imposed on other countries if they engage in discriminatory conduct.
2. Clause 2 of CPTPP Article 14.11
Clause 2 of CPTPP Article 14.11 requires that the government allow the cross-border transfer of electronic information as long as it is for business purposes. This mandatory obligation is the core rule of the CPTPP on cross-border data flows.
Based on the above regulatory framework, China allows cross-border data flows for business purposes, and the premise of the security assessment for cross-border data transfer is that “it is necessary for the data to be transferred out of the country for business needs,” which is in line with “for the conduct of the business” mentioned in Clause 2. The data banned from being transferred overseas is limited to national core data, such as map data and population health information, while the scope of national core data needs to be clarified. In addition, various restrictions on cross-border data transfers — whether they are the security assessment, security review, personal information protection certification or the standard contract — essentially set certain conditions for cross-border data flows rather than disallow cross-border data transfer. Article 14.11 only stipulates that its members “shall allow the cross-border transfer of electronic information,” but it does not say that no conditions shall be imposed, nor does it use the term “free transfer.” Therefore, China’s framework of cross-border data transfer does not violate Clause 2 in general.
3. Exception clauses
Even if China’s regulations violate Clause 2, the exception clauses in the CPTPP can be invoked for defense.
(1) Essential security exception
The “essential security exception” can be invoked to defend the data security review and prohibition of national core data from being transferred overseas, because both restrictions are aimed at safeguarding national security and major public interests — areas that fall under the scope of “essential security.” The security exception clause in CPTPP Chapter 32 does not limit the content of “essential security,” unlike Article 21 of the General Agreement on Tariffs and Trade (GATT), which narrowly limits essential security to military security and international peace. The security exception in the CPTPP, therefore, can cover the need to ensure cybersecurity and data security. It is worth noting that in the World Trade Organization (WTO) e-commerce negotiations, members put forward different versions of security exceptions. China’s version was the closest to the essential security exception in the CPTPP, while those proposed by Canada, Japan, Brazil and other countries were influenced by the current GATT Article 21, and were, thus, insufficient to address issues concerning cybersecurity and data security. Hence, in the WTO e-commerce negotiation, the acceptance of the cross-border data flow rules of the CPTPP requires appropriate arrangements for security exceptions.
(2) Exception in Clause 3 of CPTPP Article 14.11
Clause 3 of CPTPP Article 14.11 can be invoked for the defense of personal information protection certification and the standard contract, and the security assessment of cross-border data transfers. The defense of the former is not difficult because it is a mechanism commonly used by many countries in the cross-border flows of personal information, and no country should even question that personal information protection certification and the standard contract violate the rules of Clause 2.
The security assessment of cross-border data transfer is a mechanism design that is relatively unique to China, which is the key issue. China can’t accept the CPTPP’s cross-border data flow rules unless its security assessment passes the test of Clause 3.
Clause 3 has three core rules.
First, it requires measures restricting cross-border data transfer to be developed to achieve legitimate public policy objectives. According to the aforementioned framework of China’s cross-border data flow system, the security assessment for cross-border data transfer applies mainly to two scenarios: either the subject (data processor) is important — for example, when the data processor is a critical information infrastructure operator or national authority, or the object (data) is important when the data to be transferred overseas is identified as important data. In either case, the security assessment is aimed at protecting important public interests, or at least the legitimate rights and interests of individuals and organizations, so it shall be a “legitimate public policy objective” as referred to in Clause 3. With regard to the scope of legitimate public policy objectives, China, Japan and Canada listed three legitimate public policy objectives in the WTO e-commerce negotiations, including safeguarding cybersecurity, protecting cyberspace sovereignty and protecting the legitimate rights and interests of citizens, legal persons and other organizations; these can cover most, but not all, of the public interests that need to be protected by the cross-border data transfer’s security assessment. Therefore, it is better not to explicitly list or limit the extension of the legitimate public policy objectives in Clause 3.
Second, the restrictive measures cannot be arbitrary or discriminatory, or constitute disguised trade restrictions. Although the specific rules for the security assessment of cross-border data transfer have not yet been finalized, there shall be a set of objective standards for the assessment, including assessment procedures, content and key factors. These standards are objective, and the security assessment is run by the Cyberspace Administration of China in order to maintain objective and unified standards in concrete implementation. Therefore, there should be no arbitrary, discriminatory or disguised trade restrictions based on the normal application of the security assessment procedures and standards. In addition, when some countries are at a disadvantage in the security assessment due to imperfect domestic data protection rules or other reasons, it is the result of objective assessment standards being applied to a specific country and should not be considered discrimination against that country.
Some may think that setting up a security assessment for cross-border data transfers but not one for domestic transfers constitutes discrimination and trade restrictions on data receivers abroad.
In my opinion, the establishment of a specific procedure does not constitute discrimination or a trade restriction in itself, and it depends on whether the assessment standards applied to data receivers abroad are substantially higher than those applied to domestic data receivers, putting the former in a relatively disadvantageous competitive position. China’s Personal Information Protection Law, Data Security Law and other regulations set strict obligations on domestic data processors (including receivers). The Measures on Security Assessment of Cross-Border Export of Data (draft issued for public comment in October 2021) provides that the factors to be considered in security assessment include whether the data receivers abroad meet the protection level stipulated by PRC's laws, regulations and mandatory national standards. The domestic and foreign data receivers, therefore, shall meet the same set of rules with regard to the data protection level. In this way, the security assessment of cross-border data transfer should not be considered discrimination or a trade restriction as long as there are no additional unreasonable requirements specifically for foreign receivers.
Third, restrictive measures shall meet the “necessity test.” Although Clause 3 of CPTPP Article 14.11 does not use the term “necessary,” it is generally considered a necessity test. The core requirement of the necessity test is that restrictions on trade shall be kept to a minimum and there shall be no alternative measures that could also achieve legitimate public policy objectives but be less restrictive. For exception clauses, the necessity test has always been the hardest to pass. But I think the security assessment of cross-border data transfer is still likely to pass the necessity test.
First, proving that a restrictive measure is “unnecessary” usually requires the party questioning the security assessment to propose a less restrictive alternative that would achieve the same policy objectives as China's data security protection policy. China’s security assessment of cross-border data transfer is aimed at important data or data processed by CIIOs. The current cross-border data flow systems of various countries are mostly for personal information or cross-border data transferred for law enforcement purposes, and the cross-border data flow system that meets the policy objectives of China’s security assessment of cross-border data transfer is rarely seen in other countries. Therefore, alternative measures that can also achieve China’s policy goals are difficult to find. In this sense, China’s security assessment of cross-border data transfer is a kind of system innovation.
Even if there is an alternative measure, it will not necessarily be less restrictive to trade. The U.S. also has a category of important data similar to that of China, namely controlled unclassified information (CUI). Take the relevant regulations on sensitive safety information (SSI) regarding transportation in 800-171 and CUI categories as an example. I think U.S. regulation of the cross-border transfer of CUI has three characteristics. First, the U.S. does not have separate regulations on cross-border data transfer, so it appears that the U.S. does not restrict cross-border data transfers, which is clever in wording. However, it has strict regulations on accessing CUI, which can be done both domestically and from abroad. Thus, logically, its regulations on access cover cross-border data transfer, because accessing data from abroad is essentially a type of cross-border data transfer. Second, the core condition for accessing CUI is to be authorized; that is, only authorized people who carry out authorized business can access CUI. Such authorization cannot be obtained easily, but only by going through some kind of procedure, which is essentially similar to China’s security assessment. At the very least, China’s security assessment will publish relevant rules, standards and procedures, while the U.S. does not clarify how the authorization required to access CUI should be obtained, what the standards are and what the special requirements are for foreign nationals. Third, foreign nationals may be unable to access CUI at all. In the case of SSI, it can only be accessed by people with a need to know. Only those approved, funded, recommended or directed by the U.S. Department of Homeland Security (DHS) or Department of Transportation (DOT) to conduct traffic safety activities are “persons who have a need to know.” I am skeptical about how many foreign nationals and foreign businesses actually qualify to be approved, funded, recommended or directed by the DHS or DOT to conduct traffic safety activities, and then access SSI for the cross-border transfer of CUI. Thus, even though the U.S. seemingly has no restrictions on cross-border data transfer in most cases, its regulations on accessing CUI could essentially result in a large amount of CUI being stored in the U.S. or accessed only by U.S. businesses and individuals. It is difficult to say whether such a system is less restrictive to digital trade than China’s cross-border data transfer security assessment.
In conclusion, I am optimistic that China’s cross-border data transfer security assessment can pass the review based on the exception rule of CPTPP Article 14.11.
Finally, there is a potential problem regarding China’s reciprocal retaliation against other countries for their discrimination and restriction on data in terms of the international trade rules.
According to the general principle of the international trade rules, a country marred by other countries’ wrongdoing shall seek multilateral relief; that is, resort to the dispute settlement mechanism, rather than conduct unilateral retaliation. Reciprocal retaliation is essentially a unilateral retaliatory measure. However, the wording in Chinese law is that “measures can be taken on a reciprocal basis according to the actual situation.” This can be understood as follows: Unilateral reciprocal retaliation is just one of the policy options authorized by law to the Chinese government, which can either choose unilateral reciprocal retaliation or resort to other means, such as bilateral consultation with the other country or by proposing a settlement to the dispute. Thus, the regulation does not necessarily put China in violation of international rules.
Plan of action
If China wants to pass CPTPP requirements on cross-border data, several things can be done.
First and foremost, key rules for cross-border data transfer, especially the cross-border data transfer security assessment and the identification of important data, should be issued as soon as possible.
Domestic regulations are the basis for formulating international rules. If the details of China's domestic regulations are not clarified, it is impossible for China to participate in negotiations on international rules. Meanwhile, the less clear the details of the rules are, the more likely it is that various parties will interpret those details in the most conservative way. If domestic businesses do not dare to explore cross-border data transfer, foreigners will take advantage of this to accuse China of carrying out the worst data localization in the world, and this rumor will gradually spread among and be believed by other countries.
Additionally, when the rules for the cross-border data transfer security assessment are formulated, compliance with the international rules should be considered.
On the one hand, the security assessment should be conducted in compliance with risk analysis principles, objective criteria and the most uniform implementation standards possible for both internal and external use. On the other hand, close attention should be paid to the progress of system-related practices in other countries regarding critical information infrastructure and important data, and any system designed for cross-border data transfer that can be referenced should be referenced in a timely manner. As the case of learning from the EU’s General Data Protection Regulation on personal information protection certification and the standard contract shows, this can help prevent others from being able to claim that there exist less restrictive alternative measures.
Moreover, all sectors should sort out the current policies on cross-border data transfer in a timely manner and comply with the overall system design and wording of the governing laws. If certain data really cannot be transferred overseas, its attribute as national core data should be clarified as far as possible. If the data belong to important data but not core data, the system for cross-border data transfer should be unified in the security assessment, making it clear that due to business needs, the data can be transferred overseas after a security assessment. It must not be stated that the data should be stored in the country without giving conditions for cross-border transfer.
Tough negotiations ahead
Those at the front lines of the negotiations should learn more about the progress of legislation from Chinese domestic authorities, build up confidence in the domestic system and explain how the system actually works to the international community, especially the main negotiating partners.
Many of China’s systems may not yet be fully fledged, but they are reasonable. If we can explain the reasonableness of the systems to other countries, I believe most of them will understand. The better the international community understands China’s domestic framework and the rationality of its systems, the better the environment will be for China to negotiate international rules.
At the same time, China needs to offer public goods to the international community if it wishes to gain speaking rights in making the rules. The problems solved by the cross-border data transfer security assessment might be a concern in other countries, and they may need solutions provided by China. Thus, it is an opportunity for China to provide a public good.
In addition, there should be room for negotiation on exceptions to the rules. For example, no excessively detailed limits should be placed on the content of legitimate public policy objectives. We should follow the security exceptions in the CPTPP, as those in the GATT cannot truly adapt to the current era.
Xu Chengjin is a researcher at the Center for International Economic and Technological Cooperation.
Contact editor Michael Bellart (firstname.lastname@example.org)