Navigating Cross-Border Data Transfers: Impacts on Privacy, Big Tech, Rule of Law, and US-China Relations

The exchange of information is a key driver of today’s digital economy. International trade cannot be performed without business owners’ ability to transfer data across national borders, and multinational enterprises’ (MNE) internal operation relies on the ability to move data among countries where they have business presence. Accordingly, data has come to the center of countries’ regulatory concerns. A 2021 report from the Information Technology and Innovation Foundation (ITIF) found that worldwide the number of data-localization measures in force had doubled in the four-year period between 2017 and 2021. In 2017, only 35 countries had implemented 67 restrictive measures, while the number rose to 62 countries implementing 144 measures, with more under consideration, in 2021.

Data governance is also at the center of the US-China technology conflict. On the one hand, the US and China are competing to be the rule-maker in the digital age, with access to data as a decisive and deployable instrument in enhancing firms’ strategy and competitiveness. On the other hand, the position of the two countries represents the conflict between two ideologies about data governance. While China represents a more restrictive approach on cross-border data transfer (CBDT), the US has been regarded as advocating free data flows and prohibiting forced data localization. Paradoxically, however, since the second half of 2023, while China has shown signs of easing control of CBDT, the US has taken a step back from its full support of free CBDT.

I. The Evolving Landscape of Data Transfer Regulations

China is among the countries believed to have the most restrictive regimes on CBDT in the world. In 2021, China’s National People’s Congress promulgated the long-awaited Personal Information Protection Law (PIPL), stipulating the compliance requirements for companies that need to transfer large amounts of data out of China. The Chinese government has issued more detailed regulations on these CBDT mechanisms. Foreign investors and MNEs complain about these measures because they create confusion, extra burdens, and barriers to technology transfer and international trade.

The PIPL has provided data processors with four possible CBDT mechanisms:

1. Passing the official security assessment conducted by the Cyberspace Administration of China (CAC);
2. Obtaining a personal information protection certification from a recognized organization approved by the CAC;
3. Executing a standard contract with the offshore data recipient in a form prescribed by the CAC and filing the agreement together with an accompanying impact assessment with the provincial CAC; or
4. Other conditions provided by laws or regulations, or by the CAC.

The official security assessment with the CAC is the most stringent and onerous among the four. An entity must go through the official assessment if it (1) is recognized as a “Critical Information Infrastructure Operator”; (2) seeks to transfer “Important Data”; (3) handles personal information of more than 1 million individuals; or (4) has cumulatively transferred personal information of over 100,000 individuals or “Sensitive Personal Information” of over 10,000 individuals since January 1 of the prior year. Entities falling outside the scope of the above criteria can choose freely among the mechanisms. The terms “Critical Information Infrastructure Operator,” “Important Data,” and “Sensitive Personal Information” were defined by the CAC in its regulations.

The PIPL’s compliance mechanisms represent a restrictive approach on data governance and resemble those of the General Data Protection Regulation (GDPR) of the EU. The latter provides similar risk and impact assessment mechanisms and allows data transfer to places outside the European Economic Area (EEA) only if those places provide adequate protection. In contrast, the US recognizes the value of cross-border data flows and submitted a proposal in 2019 to the World Trade Organization (WTO) to ensure free CBDT and prohibit forced data localization in WTO member states. The conflict of ideologies demonstrates a tradeoff between digital trade and cybersecurity concerns.

Surprisingly, however, in October 2023, the Office of the United States Trade Representative (USTR), led by Katherine Tai, announced that it had dropped these digital trade demands to give Congress room to regulate big tech firms. The USTR’s action was criticized internally by senators for handing over the power to set rules for digital trade to China. Interestingly, just a month earlier, on September 28, 2023, China, moving in the opposite direction, proposed to water down some of its CBDT controls by issuing draft provisions on regulating and promoting cross-border data flows. The draft provisions exempt the following from the PIPL’s CBDT requirements: (1) data that is exported as part of international trade, academic cooperation, or cross-border manufacturing and marketing and does not contain “important personal information”; (2) personal information necessary for the performance of a contract (e.g. cross-border transactions, flight and hotel reservations, visa applications); (3) employee information necessary for human resource management; (4) personal information necessary to protect the life, health, and property safety of a natural person in an emergency; and (5) organizations that export fewer than 10,000 individuals’ personal information within one year.

The objective of both countries’ moves indicates the dual effect of cross-border data flows. Data localization is usually justified on the basis of cybersecurity, personal privacy, and digital sovereignty but is often attacked for impeding international trade, yielding digital protectionism, and blocking the creation of an open internet.

Cybersecurity and Personal Privacy

As noted in the Trump Administration’s 2019 WTO proposal, cybersecurity “is increasingly cited as a rationale for restrictions on the free flow of information.” Most jurisdictions implementing a rather stringent localization mechanism, including the EU and China, see cybersecurity and privacy as their top objectives. Despite their similarities, the EU’s GDPR and China’s PIPL contrast in their approach to the fundamental values and interests shaping data privacy regulations. The EU champions data protection as a fundamental right while balancing the need for cross-border data flows, whereas China strongly emphasizes national security in its initiatives.

China’s playbook unfolds against a backdrop of heightened national security concerns, leading to robust data export requirements and an interest in keeping data within its borders. In 2014, President Xi emphasized that “there is no national security without cybersecurity.” The recognition of data’s value and cyberattacks have only increased since then. China’s data protection initiatives are a tightrope walk for its economy as it carefully balances economic growth and national security interests to remain competitive in today’s globalized digital economy. The security concerns served as the core incentive for China’s restrictive CBDT approach from 2021 to 2022, where the PIPL and numerous accompanying regulations were published.

Digital Sovereignty and Protectionism

The concept of digital sovereignty is essentially a jurisdictional fight over data. As countries have different laws and regulations governing the use of data, whether data is subject to the laws where it is collected, stored, or where the processor resides, matters a lot. The concept is reflected in the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act in the US, which gives the US government access to data regardless of where it is stored. The claim to digital sovereignty is therefore another rationale behind mandatory data localization requirements—by requiring data collected from domestic users to be stored within the country, governments retain ownership and control over the data, facilitating surveillance and domestic law enforcement.

There is also a pervading voice that governments now are using digital sovereignty and data localization mechanisms to favor domestic tech firms, as a form of “protectionism” in cyberspace. As an increasing number of jurisdictions, including the EU, have recognized the need for expanding digital sovereignty in the digital age, they are also scrutinized for generating digital protectionism in their policymaking. The future may see a need to safeguard data “protection” without yielding “protectionism.”

International Trade and Foreign Investment

Opponents of data localization usually emphasize that a restrictive approach has counterproductive effects and increases firms’ compliance costs. This is the primary reason why the US favors an unrestricted approach that permits free cross-border data flows. The 2019 WTO submission highlighted cross-border data flow as “the lifeblood of international trade,” citing McKinsey Global Institute research that purported cross-border data flows generated $2.8 trillion in economic value in 2014—a greater impact on world GDP than global trade in goods.

China’s relaxation of CBDT control in 2023 also signals its desire to revitalize foreign investment. Before the proposed relaxation, foreign investors and MNEs subject to the PIPL’s governance were faced with only three options to ensure compliance: to conduct the assessment, certification, or recordation procedures which incur significant costs; to build or cooperate with local data centers to store the information within the border; or to simply exit the market. The release of CBDT control in September 2023 is among the series of measures adopted by Chinese policymakers to win back overseas investors, as the previous months of 2023 had witnessed a mass capital exodus in the country. Meanwhile, the draft provisions also allow free trade zones to enact and apply separate measures to facilitate international trade.

Censorship and Surveillance

Storing data locally also facilitates censorship and surveillance from government agencies. Governments see data processed by foreign companies and stored outside their territorial reach as posing risks to uncensored information. By implementing localization requirements, they retain control over accessible information, which, consequently, may have an impact on human rights. In 2018, Apple CEO Tim Cook openly condemned the misuse of personal information by US authorities for giving rise to surveillance and demanded a comprehensive, GDPR-style, data protection law in the US. Notably, Apple was involved in a dispute with the FBI for refusing to assist the latter in breaking into the iPhone of a dead gunman in 2016, commonly referred to as the San Bernardino case.

On the other hand, the laws and regulations in China have always handed regulators the right to censor information on the internet. The 2017 Cybersecurity Law of China (CSL) stipulates that “the State takes measures for monitoring, preventing, and handling cybersecurity risks and threats arising both within and without the mainland territory of the People’s Republic of China.” The 2021 Data Security Law (DSL), building upon the CSL, states that “the State shall…conduct national security reviews of data processing that affects or may affect national security.” The censorship is enabled by both the building of the Great Firewall, which restricts access to foreign websites and apps that provide uncensored information, and the restrictions on CBDT, which require businesses collecting data from China to store the data within its territory. Therefore, censorship and surveillance over data account for another motivation of governments’ data localization requirements.

II. Impacts on US-China Relations

Interpreting the PIPL Challenges US Courts

While the cornerstone of US-China relations is the two countries’ economic interdependence, the technology conflict between them will inevitably impact Big Tech, which has an international presence. In March 2023, Congress questioned TikTok CEO Shou Chew over privacy and data security issues. As businesses navigate the fine line between using data for innovation and ensuring compliance with a country’s laws, litigation is bound to happen. Courts play a significant role in this scenario as they become forums for resolving conflicts related to data breaches, privacy violations, and differing interpretations of data protection laws.

The PIPL has already been analyzed in two cases by US federal district courts. In Cadence Design Systems v. Syntronic AB, a federal judge for the Northern District of California ordered Syntronic, a Beijing-based company, to transfer its computers to the US as part of discovery in a copyright infringement claim.

Syntronic said it could not transfer the computers outside of China due to the inability to obtain consent from the individuals whose personal information was stored in those computers. The computers contained personal information of Syntronic’s current and former employees, and the company asked the court not to compel actions that would contravene Chinese law, citing comity considerations.

The US Supreme Court held in Societe Nationale Industrielle Aerospatiale v. United States District Court that a foreign party may be ordered to produce evidence from a foreign country that is party to the Hague Evidence Convention without following the discovery procedures set out in the convention. Resorting to the convention requires balancing several factors, including US sovereign interests, the interests of foreign nations, the likelihood that resorting to the convention will prove effective, and the intrusiveness of the discovery procedures. Hence, the court had to examine the PIPL to ascertain sovereign interests.

The court in Cadence analyzed the provisions of Articles 13 and 39 of the PIPL. Article 13 presents a list of seven circumstances when personal information handlers are allowed to process personal information, including obtaining individual consent (Article 13(1)) and when such processing is necessary for performing “statutory duties and obligations” (Article 13(3)). Article 39 specifically addresses the requirements for cross-border transfer of personal information.

China has not published an official clarification regarding the interplay between the two articles. In Cadence, the court turned to the opinions of two Chinese legal experts. However, Chinese scholars are divided on the interpretation of the relationship between Article 13 and Article 39. Some argue that Article 13 does not apply to international data transfers, making Article 39 the sole legal basis for providing personal information to overseas recipients. Others contend that individual consent, as mentioned in Article 39, is a necessary but not sufficient requirement for transferring personal information to someone outside China. On this view, Article 13 outlines the general principles, while Article 39 specifies what “consent” means in Article 13(1) when transferring personal information outside of China. This perspective aligns with the court’s stance in Cadence. In the absence of official interpretations and of consensus among academics, the court turned to a publication edited by Heqing Yang, a legislator of the National People’s Congress, and “written by experts participating in drafting the PIPL under the leadership of Mr. Yang.” The book suggests that if providing personal information abroad relies on a non-consent basis, individual consent may not be necessary. The Cadence court found this interpretation persuasive.

Just like Cadence, in Owen v. Elastos, a federal judge for the Southern District of New York interpreted Article 13 as an exception to Article 39. In both cases, the judges grappled with whether the exception in PIPL’s Article 13(3) was restricted to obligations under Chinese law. In Cadence, the court rejected an expert’s opinion that “a foreign data privacy statute’s reference to obligations ‘under law’ was limited to the laws of that country.” The court found no indication that the exception in Article 13(3) is limited to Chinese law. Therefore, Article 13(3)’s exception for obtaining individual consent where “necessary to fulfill statutory duties and responsibilities or statutory obligations” could reasonably be interpreted to include foreign legal obligations.

Another point of contention was raised when Owen analyzed PIPL’s Article 4, which broadly defines personal information as “all kinds of information.” There, the court dismissed the argument that personal information excludes business communications, emphasizing that, in this instance, business and personal communications were intermixed. It asserted that fulfilling the discovery request would involve the “processing” of “personal information” as defined in the PIPL.

If US courts adopt the reasoning presented by Cadence and Owen, compliance with discovery requests will consistently be ordered even if Chinese parties protest that Chinese law prohibits it, regardless of where the information is stored, unless the Chinese government provides further clarification through additional regulations. Until such clarification occurs, US courts will likely approach the PIPL in a manner similar to Cadence and Owen.

Navigating a Complex Landscape

Litigation challenges aside, multinational corporations struggle to build businesses while complying with China’s regulations. Soon after the PIPL’s enactment, Grindr withdrew its app from Apple’s App Store in China, citing challenges in adhering to the fresh regulations. Two weeks after the PIPL came into force, certain domestic providers in China ceased furnishing shipping data to foreign companies, prompting new fears about global shipping disruption.

Apple and Tesla have adjusted to the new data regulations, especially data localization requirements. Apple, in response to the cybersecurity law, shifted the data of its Chinese clientele to servers owned by a state-owned company in 2017. It designated a company under the Guizhou provincial government as the proprietor of its Chinese customers’ iCloud data. It does not apply encryption technology used elsewhere on data stored in China, allowing government access when necessary. Similarly, Tesla addressed data localization demands by opening a data center in May 2021, ensuring that all data generated by Chinese customers is now stored within the country.

The US and China share common interests in regulating big data and privacy protection, driven by public demands for limitations on personal data use. Collaboration can focus on harmonizing rules for data collection, storage, transfer, usage, and consent protocols. Overcoming resistance from US tech firms requires mobilizing public support for enhanced privacy and reduced espionage risks.

Harmonizing regulations on big data and privacy aligns with recent initiatives in the EU and China, exemplified by legislation like the GDPR. The US could benefit from adopting similar measures and leveraging existing models to strengthen privacy safeguards, especially in the commercial domain.

Negotiations and dialogues between the US and China should intertwine big data, privacy, and cybersecurity, recognizing their interconnected nature and addressing data and privacy issues. Ongoing dialogues between the US and China on cybersecurity should extend to cover data collection, storage, and use. Big data, as a prime target for cyberattacks, poses risks to both commercial and security interests, necessitating comprehensive coverage of cybercrime in these discussions.

Navigating these differences involves focusing on shared priorities initially, such as the imperative to safeguard data. Establishing trust in these common areas could serve as a foundation for addressing more complex and contentious topics, offering a potential path forward in the complex landscape of data and privacy cooperation.

III. Conclusions

While the strategic importance of data has been widely noted in the digital age, the world sees a divergence in its regulation. The US takes a laissez-faire approach, seeing data as property and allowing its free flow across borders. In contrast, the EU and China take a more restrictive approach, giving rise to a data localization effect. The regulatory divergence derives from the contrasting philosophical perspectives on data and personal property among the countries. The US aligns its approach with its liberal market capitalism philosophy; Europe, which positions its GDPR as pioneering data protection, confers all rights related to personal data and privacy on individuals as fundamental human rights; and China, in addition to stressing personal privacy, adheres to the principle of cyber sovereignty, which guarantees the state’s access to all data generated within the state. These fundamental differences underscore the need for nuanced discussions that account for varied legal frameworks.

The worldwide divergence on data regulation will inevitably add to the costs of MNEs on the one hand and pose challenges to domestic law enforcement on the other. Significant costs associated with building data storage centers, conducting reviews and assessments, and other related measures demand an increased budget for big tech companies to ensure compliance in their operation. However, even with all these measures, they still face substantial compliance risks, given the perceived conflict between different countries’ regulation requirements. For example, China’s PIPL has made its mark in US federal district courts, leaving a trail of unanswered questions. From the complex interplay between Articles 13 and 39 to the concept of consent, the legal landscape is anything but settled. While experts debate interpretation, more cases like Cadence and Owen will arise.

Courts are responsible for resolving these conflicts by applying established legal principles, considering comity, and weighing the interests of the parties involved. These decisions have significant implications for international business and data flow, and resolving these issues can impact trade relations.

Despite the fundamental divergence, in 2023, there was a sign of convergence in countries’ attitudes towards CBDT. In September 2023, China’s CAC published, for public consultation, a draft policy paper that exempts certain transfers from the mandatory assessment requirement, while in October 2023, the Office of the USTR publicly abandoned its demands at the WTO, which had sought to promote free cross-border data flows among WTO member states.

Big Tech’s fate hangs in these balances but so does the future of international data governance. As the US and China navigate these uncharted waters, there’s room for collaboration. Aligning data collection, storage, transfer, and consent rules could pave the way for smoother relations.

One thing remains certain: the PIPL is just the tip of the iceberg. Data privacy, cross-border litigation, and technology’s intersection with the rule of law will continue to shape our world. How we navigate these challenges will define our path forward as both countries balance innovation and compliance.

Jingwen Liu is a PhD student at the Chinese University of Hong Kong Faculty of Law (HK) and JURIST’s Hong Kong Chief of Staff. Joshua Villanueva is a 2L at UC Law San Francisco (US) and a JURIST staff writer.

Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.