LL.M Master of International and European Law International Trade and Investment Law
An Unwilling Compromise or A Willing Show– The Change of China’s Attitude on Data Localization In RCEP
Nuo Chen 13025392 Cnuo2487@gmail.com
1 July 2022
Supervisor:Dr. Svetlana V. Yakovleva
LL.M Master of European and International Law International Trade and Investment Law
University of Amsterdam
An Unwilling Compromise or A Willing Show?
The Change of China’s Attitude on Data Localization in RCEP Nuo Chen
Over the past few years, data localization measure has proliferated in different territories as one of the regulatory tools for various policy objectives. As a country who imposes direct and explicit data localization measures in its domestic legislation, China seems to change its attitude with respect to data localization after it entered into Regional Comprehensive Economic Partnership (RCEP) in 2020. Pursuant to RCEP Article 12.14, China has committed to prohibiting adopting data localization measures, while the principle – exception provision in RCEP and the carve-out of the dispute settlement mechanism make the change more suspicious. This article examines and discusses whether China’s participation constitutes a substantive change or merely a discursive one, analyzing how the subjective standard of necessity test of the public policy exception provision, the self-judging character of essential security interest exceptions provision and a silent dispute settlement mechanism would influence the actual effect of RCEP Article 12.14.
TABLE OF CONTENT
Abstract ... 2
1. Introduction ... 4
2. China’s Domestic Legislation on Data Localization ... 8
2.1 China’s Domestic Legislation ... 8
2.1.1 Important Data ... 9
2.1.2 Personal Information ... 10
2.1.3 Security Assessment ... 11
2.2 Criticism on China’s Data Localization Measures ... 13
2.2.1 Universality of the Definition of CIIO ... 13
2.2.2 Heavy Administrative Burden ... 14
2.2.3 Excessive Domestic Discretion Power ... 14
2.2.4 Overfull Emphasis on National Security ... 16
3. An Evolution: China’s International Trade Policy on Data Localization ... 16
3.1 From Passivism to Activism: China’s International Trade Policy on Data Localization and Its Rationale ... 16
3.2 Turning Point: China in RCEP ... 22
4. Effect Analysis: An Assessment of the Binding Force ... 26
4.1 Principle – Exception Structure Under RECP ... 26
4.1.1Public Policy Exception: An Analysis on Necessity ... 27
4.1.2 Essential Security Interest Exception: A Self-Judging Provision ... 29
4.2 Dispute Settlement Mechanism: How Binding the Provision Under RCEP ... 32
5. Conclusion ... 34
Reference ... 37
Data governance is an inseparable topic in the digitalization age where the global supply chain and daily life have heavily relied on cross-border data flow. The Internet allows freely universal connectivity with the route traffic offered by the Internet provider.1 Every day, data is gathered and processes to consist the basis for big data, the internet of things (IoT), blockchain, and artificial intelligence. Data, functioning as non- physical cells, portrays a person and reflects their personality, preference, and choice.
To take it further, when various data set piles a considerable volume, it can indicate a state’s macroeconomic and social development. As a result, domestic policymakers have aware of the great importance of data, meanwhile, they concern that if a government has lost its effective control over data, its data sovereignty may be jeopardized. There is a common global trend that governments introduce intervention, including de jure and de facto data localization measure. They can define data as
“sensitive”, “critical” or “related to national security”, then following a logical course, cross-border data flow is restricted, and obliged to be maintained and processed within the geographic boundaries of its state of origin.2 The motivation behind relies on consideration from the geopolitical perspective that data sovereignty is intrinsically linked to national interests since itis a critical component of national sovereignty.
Besides, data localization measures, as a governance disposition, holds their rationality in confronting the data capitalism dominated by tech giants from Silicon Valley. In correspondence with the potential monology in the digital sector by outsourcing tasks and the expansion of technology companies’ power, rules about how to limit the cross- border data flow are designed by governments for economic reasons – even if the consequence to be accused of digital protectionism exists.3 Thus, data localization law
1 Jerome H. Saltzer, David P. Reed and David D. Clark, ‘End-to-End Arguments in System Design’ (1984) 2 ACM Transactions on Computer Systems 277.
2 World Economic Forum, ‘Data Free Flow with Trust (DFFT): Paths towards Free and Trusted Data Flows’ (May 2020) <https://www3.weforum.org/docs/WEF_Paths_Towards_Free_and_Trusted_Data%20_Flows_2020.pdf>
accessed 30 May 2022.
3 Ben Tarnoff, ‘Data is the new lifeblood of capitalism – don't hand corporate America control’ (The Guardian, 1 Feb 2018) <https://www.theguardian.com/technology/2018/jan/31/data-laws-corporate-america-capitalism>
accessed 30 May 2022.
grows into a common regulation tool, sometimes even exacerbates into an extreme form – data isolationism.4 Enterprises are obliged to store and process data on a server within the local jurisdiction rather than servers located overseas, even if the operation cost could be optimized or efficiency could be obtained from the network effect and first- mover advantage, as data localization is absolutely a bad news for countries who had enjoyed the trade surplus from digitally-enabled transactions of trade in goods and services.5 Concerns have already been presented and expressed by those countries, in particular, against China – one of the most typical advocates for strong data localization.6 Even though China is not the only country who greatly values sovereignty, harsh criticism has never been absent over China's repressive and restrictive approach on data localization (or one may say passively defensive, from China’s perspective).7 Meanwhile, there is a calling that cross-border data flow and global data governance urgently needs to establish a unified data governance structure at the international level to escape the misty dark jungle doomed by the disadvantageous fact that data capitalism and data hegemonism are purely driven by market power, even though it is against wishes of these major lobbies for data deregulation.8 Further consensus and cooperation need to be reached in order to mitigate the national digital borders, and to promote trade, supply chains and cross-border investment.9 While the question of whether data restriction forms a trade barrier under the WTO framework is still under heating debates, summits, such as ICANN and the UNITED Nations’ Internet Governance Forum, have taken place regionally or globally with respect to the legitimacy of data localization laws as a topical trade issue such as ICANN and the United Nations’ Internet Governance Forum.10 WTO regime failed to play the most
4 Richard D. Taylor. ‘Data localization: The internet in the balance’ (2020) 44 Telecommunications Policy 102003.
5 John Selby, ‘Data Localization Laws: Trade Barriers or Legitimate Responses to Cybersecurity Risks, or Both?’
(2017) 25 International Journal of Law and Information Technology 213.
6 United States International Trade Commission, Digital Trade in the U.S. and Global Economies, Part 2 (4485 August 2014) 14 <https://www.usitc.gov/publications/332/pub4485.pdf> accessed 23 May 2022.
7 Yandong Gao, ‘China needs to fully defend data sovereignty’ (Global Times, 14 July 2021)
<https://opinion.huanqiu.com/article/43vewiWitmm > assessed 16 May 2022.
8 Thomas Streinz, ‘RCEP's Contribution to Global Data Governance’ (Afronomics Law, 19 February 2022)
<https://www.afronomicslaw.org/category/analysis/rceps-contribution-global-data-governance-0 > assessed 7 April 2022.
9 Michael Spence, ‘Preventing the Balkanization of the Internet’ (Council on Foreign Relations, 28 March 2018)
<https://www.cfr.org/blog/preventing-balkanization-internet > assessed 7 April 2022.
10 Selby (n5) 217.
critical role in digital trade and E-commerce. First of all, the main core of post-war international trade law still concentrates on the liberalization of traditional trade in goods and services, while WTO system was not originally designed to solve problems arising from E-commerce and its rapidly evolving development. Second, although WTO rules are regularly under discussion for revision, few substantive progresses are concluded owing to a concern within WTO that the expansion of WTO’s realm would curtail its domestic regulatory autonomy. No further consensus has been reached since the Joint Initiative on 11th Ministerial Conference in December 2017.11 Therefore, member countries turn to regional trade agreements to articulate advanced and detailed regulations on data flow. 12 In 2018, United States-Mexico-Canada Agreement (“USMCA”) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (“CPTPP”) were signed successively, containing provisions restricting the data localization measures. Currently, at least 70 FTAs are mentioning the content of E-commerce and digital trade.13 On 15 November 2020, 15 member states completed the signatures of the Regional Comprehensive Economic Partnership (“RCEP”) after eight years of negotiation. The RCEP states, except Cambodia, Indonesia, the Philippines, and Vietnam, are also members of the WTO Joint Statement Initiative on Electronic Commerce, which aims to negotiate a plurilateral agreement on "trade- related aspects of electronic commerce".14 Pursuant to RCEP Article 12.14, no Party shall require a defined investment, investor or service supplier to use or locate computing facilities in that Party’s territory as a condition for conducting business in that Party’s territory. Therefore, it is noteworthy that China, a typical state who bears the criticism because of its domestically persistent insistence on data localization, has entered into the binding commitment regarding data governance for the first time, which explicitly requires the principle of the general prohibition on data localization.
11 World Trade Organization, ‘Joint Statement on Electronic Commerce’ (WT/MIN(17)/60)
12 Burri Mira, ‘The Regulation of Data Flows Through Trade Agreements’ (2016) 48 Geo. J. Int'l L. 443.
13 Mark Wu, ‘Digital Trade-Related Provisions in Regional Trade Agreements: Existing Models and Lessons for the Multilateral Trade System’ (Rtaexchange.org, November 1, 2017) <https://e15initiative.org/publications/digital- trade-related-provisions-in-regional-trade-agreements-existing-models-and-lessons-for-the-multilateral-trade- system> accessed June 1, 2022.
14 World Trade Organization. ‘Joint Statement on Electronic Commerce’ (WT/L/1056)
The comparison between approaches to regulate data flows reflected on China’s domestic legislation and the commitment to RCEP reveals a plain shift in China’s attitude to data localization. Even though it requires further assessment in determining whether this so-called change is substantive, China hasn’t presented any apparent, clear-cut expression of hesitance or rejection yet as some considerable member states did.15 For instance, India, as leading power in the RCEP’s negotiation process, left the table. Although this is mainly due to concerns about the possible trade deficit, RCEP’s commitment to data flow is incompatible with India’s overtly protectionist data governance policy.16 Another example is south-east Asian countries, such as Cambodia, Lao, Myanmar, and Viet Nam, who made a reservation to not be bound by RCEP Article 12.14, maximum to eight years after the date of entry into force of this Agreement so as to buffer the strain brought by the new provision against data localization. Against this backdrop, China's acceptance of the free data flow is even too readily smooth, and it appears to be more plausible to recognize that China has shifted its position from its domestic law articulating a rather strict requirement on data localization at present, while its ASEAN competitors, compared to China, had experienced an indigestion.
There is a growing academic voice categorizing the regulation over data flow into a broader and more general concept of “data governance”, rather than the traditional sectors for which trade law could be crafted as “electronic commerce” or “digital trade”.17 However, since the main purpose of this article is to answer the question of whether China’s commitment on the prohibition of data localization under RCEP constitutes a discursive change or substantive shift, comparing to China’s domestic legislation and practice and further evaluating how the specific RCEP provision enables China to preserve its regulatory power on the movement of data flow. Therefore, the discussion regarding to the above question will still be set in a scenario of international trade law by examining the provision which is more than concrete under RCEP and looking into different FTAs. In order to reach a conclusion, the author will conduct
15 Regional Comprehensive Economic Partnership (RCEP), Art 12.14(2).
16 Pushkar Pushp, ‘RCEP and India’s Dilemma. Modern Diplomacy’ (Modern Diplomacy, 14 March 2021)
<https://moderndiplomacy.eu/2021/03/14/rcep-and-indias-dilemma> assessed 16 April 2022.
17 Thomas Streinz, “Digital Megaregulation Uncontested? TPP’s Model for the Global Digital Economy” (2019) Megaregulation Contested 312.
doctrinal legal research by analyzing the related domestic legislation, and jurisprudence, and identifying the relevant provisions under different FTAs including RCEP and CPTPP, which contain similar purposes of promoting free data flow but are construed differently in the context of exception provision and dispute settlement mechanism. The author will also rely on WTO literature and its case law as a comparison, demonstrating how far RCEP deviates from the traditional WTO jurisprudence. This thesis consists of three main chapters. After the introduction, Chapter 2 will briefly describe China’s domestic legislation concerning data localization, and the current criticism over China’s data localization measures. Chapter 3 will compare China’s international trade policy on data localization before and after its participation in RCEP. Chapter 4 will analyze the binding effect of Article 12.14 from two perspectives, the principle–exception structure and the ineffective dispute settlement mechanism.
2. China’s Domestic Legislation on Data Localization
2.1 China’s Domestic Legislation
China’s domestic legislation has been described as protectionist and interventionist because of its unique data governance measures including administrative review, audit, interview mechanisms, and the direct and explicit localization measures. European Centre for International Political Economy (“ECIPE”) has once conducted research by rating the severity of the restrictiveness from a ban to transfer or local processing requirement to local storage requirement and conditional flow regime. And concluded that China has the most restrictive policy environment for digital trade among 64 countries, followed by Russia, India, Indonesia and Vietnam.18China’s regulation focus is gradually being transferred from the hardware, later to the software and the content, and ultimately to reach the core – data.19 Since the Cybersecurity Law of the People's Republic of China (“Cybersecurity Law”) was enacted in 2016, a comprehensive data
18 Martina F. Ferracane, Hosuk Lee-Makiyama and Erik van de Marel, ‘Digital Trade Restrictiveness Index’ (ECIPE, 2018) <https://ecipe.org/wp-content/uploads/2018/05/DTRI_FINAL.pdf > accessed 5 May 2022.
19 Henry Gao, ‘Data Regulation with Chinese Characteristics’ in M. Burri (rds), Big Data and Global Trade (Cambridge University Press 2021) 252.
protection framework has been established to improve and reinforce a much stricter standard on the movement of data flow, national security was highlighted and culminated. Cybercity Law, and the subsequent Personal Information Protection Law of the people's Republic of China (“Personal Information Protection Law”) and Data Security Law of the People's Republic of China (“Data Security Law”) are central to China’s data governance framework, where data localization measures are used as one of the regulatory tools by the Chinese government to achieve regulatory objectives varying from privacy protection to national security, however, it is also observed that the lawmaker handpicked two kinds of data, namely, the important data and personal information, and put them under the strict regulation and assessment if those data need to be exported. This section will further introduce the data localization policy towards two types of data mentioned before, and the security assessment procedure.
2.1.1 Important Data
Article 37 of Cybersecurity Law stipulated that the personal information and important data collected and produced by operators of critical information infrastructure (“CIIO”) during operations within the territory of the People’s Republic of China shall be stored within the territory.20 However, how far-reaching an enterprise would be designated as CIIO remains uncertain until the Critical Information Infrastructure Security Protection Regulations (“CII Regulation”) be released five years later. Pursuant to CII Regulation, Critical Information Infrastructure refers to critical network facilities and information systems in public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science and technology and any other critical industries and sectors that may seriously endanger national security, national economy, people's livelihood and public interests in case of the potential damage, loss of function or data leakage.21 An enterprise might transfer the aforementioned information outside of the China’s territory due to a business
20 Cybersecurity Law of the People's Republic of China 2016 (Cybersecurity Law 2016), Art 37.
21 State Council of the People’s Republic of China Decree (No. 745) Critical Information Infrastructure Security Protection Regulations (Decree No. 745), Art 2.
requirement, but it needs to be complied with a security assessment in accordance with the measures jointly formulated by the Cyberspace Administration of China (“CAC”) and other authority of the State Council.22 Incorporating the concept of data sovereignty into the rules of cross-border data flow, Article 37 of Cybersecurity law signals the commencement of the formal implementation of a legitimate restriction on cross-border data transmission. It is reiterated that Cybersecurity Law is intended to foster international collaboration rather than setting trade obstacles or stifling development, and it does not specifically target any country, area, or industry,23 however, it did not successfully decrease foreign enterprises’ concerns. The United States circulated a communication in the WTO’s Council on Trade in Services three months after the Cybersecurity Law has been implemented, requesting China to refrain from implementing this restrictive measure because it would affect China’s market access and national treatment commitment under the General Agreement on Trade in Services (“GATS”).24
2.1.2 Personal Information
In contrast to EU’s practice where GDPR imposed a significant weigh on the protection of individual privacy, China’s control on the leaked personal information is still linked to the state security. In other words, where data flow may result in a potential risk on national stability, state’s intervention and supervision should be worth introduced.
Personal Information Protection Law, which has entered into effect on November 1, 2021, explicitly stipulated three categories of personal information which shall be subject to the data localization principle and be stored on a local server.25 The first condition is where the personal information processed by state organs.26 The second condition is where the personal information processed by the CIIO, which the
22 Cybersecurity Law 2016, Art 37.
23 Fei Feng, ‘2016 World Internet Conference III Wuzhen Summit Closing Ceremony’ (World Internet Conference, 2016) < http://2016.wicwuzhen.cn/system/2016/11/18/021372773.shtml> accessed 3 March 2022.
24 World Trade Organization, ‘Communication from the United States, Measures Adopted and under Development
by China Relating to Its Cybersecurity Law’ (S/C/W/374), 2
25 Personal Information Protection Law of the People's Republic of China 2021 (PIPL 2021), Art 36, 40.
26 Ibid, Art 36.
Cybersecurity Law has a similarly overlapping provision with different emphasis.27 The third condition is where the personal information processed up to the number prescribed by the national cyberspace administration.28 Similarly, for each circumstance, the Personal Information Protection Law specially noted that where it is truly necessary to provide the information abroad, it shall be under the security assessment.29
2.1.3 Security Assessment
In principle, critical information and personal information should be subject to data localization rules, but they could be transferred conditionally after the security assessment. Both the Cybersecurity Law and the Personal Information Protection Law should be read in conjunction with relevant rules of security assessment. At present, the latest relevant rule is the draft Outbound Data Transfer Security Assessment Measures (“Assessment Measures”) issued by the CAC on 29 October 2021. The Assessment Measures comprehensively and systematically clarify the domestic security assessment requirements for outbound data transfer and have made up for the deficiencies of the 2019 Measures because it only addresses the regulation on personal information, but not the critical information, and announced the abolishment of the two previous drafts in 2017 (“2017 Measures”) and 2019 (“2019 Measures”).30
The new Assessment Measures have imposed more restrictions on the scope and requirement of cross-border data flow. For instance, in the event of critical information, the Assessment Measures requires all data processors – no matter which industry or sector it belongs to, to be subject to the security assessment as long as the outbound data is concerned with the critical information.31 For the first time, it confirms the expansion of security assessment’s application, and fills the gap between the critical information processed by CIIO and non-CIIO, namely, data processor of other kind, because the superordinate laws, i.e., Cybersecurity Law and Data Security Law, do not
27 Ibid, Art 40.
28 Ibid, Art 40.
29 Ibid, Art 36, 40.
30 Draft of Measures for the Security Assessment of Personal Information and Important Data Outbound Transfer 2017 (Assessment Measure 2017); Draft of Measures for the Security Assessment of Personal Information Outbound Transfer 2019 (Assessment Measure 2019).
31 Draft for Comment for Outbound Data Transfer Security Assessment Measures 2021 (Assessment Measures 2021).
explicitly stipulate explicitly whether the security assessment on critical information shall be applicable to all data processor.32 With respect to personal data, in response to the great concern that has been presented on the discrepancy of the text of laws and the content of the rules,33 the Assessment Measures discards the controversial requirement in the 2019 Measures which point out that security assessment shall apply to all network operator other than a much more narrow scope of CIIO.34 Additionally, it states that security assessment should be carried out where personal information processors processing of over 1 million people providing personal information abroad, or cumulative provision abroad of personal information of more than 100,000 people or sensitive personal information of more than 10,000 people.35 It is a progress, but also regress, because the number which might trigger the security assessment has shrunk to its 20% of the number in 2017 Measures. Besides, the administrative level of the national authority conducting the security assessment is gradually rising. In the 2019 Measures, the security assessment could be finished within the provincial authority,36 but in the Assessment Measures, the same security assessment shall be reverted through the provincial organ to the national authority, which is on the supreme administration level.37 The sophisticated bureaucratic procedures objectively prolong the time and enhance the cost. Seven matters shall be focused on during the outbound data transfer with respect to the potential risk to national security, the public interest, the lawful rights and interests of persons and organizations, including characteristics of outbound data transfer, the degree of sensitivity of the data transferred abroad and the potential consequence of leakage or illegal use, whether data security and personal information rights and interests are fully and effectively ensured or not, etc.38
32 PIPL, Art 2; Data Security Law of the People's Republic of China (DSL 2021), Art 4(2).
33 Samm Sacks and Graham Webster. ‘Five Big Questions Raised by China's New Draft Cross-Border Data Rules’
(DigiChina, 13 June 2019) <https://digichina.stanford.edu/work/five-big-questions-raised-by-chinas-new-draft- cross-border-data-rules/> accessed 25 April 2022
34 Assessment Measures 2021, Art 2
35 Ibid, Art 4(3), 4(4)
36 Assessment Measure 2019, Art 3.
37 Assessment Measure 2021, Art 4
38 Ibid, Art 8
2.2 Criticism on China’s Data Localization Measures
International attention has been drawn to the proposed measures on data localization and subsequent security assessment. More than 40 international companies and technical groups representing hundreds of companies around the world expressed their concern to the Chinese authorities after the adoption of the Cybersecurity Law. They considered the disputed Article 37 as an act to set up trade barriers and to damage the commercial interests of foreign companies in China.39 Unless being embedded into legislation, the government’s comfort or public press release will not alleviate investors' anxiety. After all, it is understandable for enterprises to feel insecure the reoccurrence of being required suddenly to sign up a declaration of commitment to ensure data collected in China will not be stored abroad.40 Apart from the impact of data localization measure itself, the lack of definition to a key concept, the heavy administrative burden, the excessive discretion power and the core philosophy behind of a firm grasp of data sovereignty and ensuring the national security, cumulatively leads to the uncertainty and unpredictability of China’s data localization measures, which ultimately sets itself on fire.
2.2.1 Universality of the Definition of CIIO
As mentioned in the paragraphs above, the realm of the abovementioned Critical Information Infrastructure is quite broad and universal. In this sense, any industrial sector could be interpreted as the critical information infrastructure, and the sectors listed exclusively produce the most of the gross domestic product, therefore, it should be understood as a broad data localization law rather than a narrow one even though it is applied to a limited scope of specific industry sectors.41
39 Sue-Lin Wong and Michael Martina, ‘China adopts cyber security law in face of overseas opposition’ (Reuters, 7 November 2016) <https://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049> assessed 3 June 2022.
40 Paul Mozur, ‘China Tries to Extract Pledge of Compliance From U.S. Tech Firms’ (Nytimes, 2015)
accessed 7 June 2022.
41 Anupam Chander and Uyen P Le, ‘Data nationalism’ (2015) 64(3) Emory Law Journal 677.
2.2.2 Heavy Administrative Burden
Data protection laws and regulations around the world are realizing that it is important to remove administrative barriers and obstacles to the cross-border free data flow. A more enhanced data governance obligations with ex post accountability or “white list”
mechanism is applied as alternatives.42 Generally, there are few conditions requiring such an ex-ante approval, which, for example, in the GDPR, is mostly replaced by the template contract agreed jointly by private sector and published in public.43 Free market and industry self-discipline have played a full role, thus reducing the cumbersome administrative burden. As described, under the Article 4 of the Assessment Measures, the administrative procedures to apply the security assessment have become more complex. Even if the Assessment Measure stipulates the maximum time period of 60 days for the authority to complete the assessment, it is an impractical workload for CAC, considering the sizable number of enterprises and the ongoing demand for assessment – the validity of assessment only last for two years.44
2.2.3 Excessive Domestic Discretion Power
The vagueness of language leads to the inevitable enhancement of the national authority’s discretion. There is no quantifiable, clarified definition about the key concepts, such as critical information or clear compliance guidance for network operators to apply from a practical point of view. In the Global Financial Markets Association (“GFMA”) Comments to CAC on the 2019 Measures, GFMA pointed out the current definition’s subjectivity and vagueness, and recommended CAC to clarify the definition of personal sensitive information so as to align with the EU’s standard.45 GFMA especially doubted the broad and unclear definition on the network operator because even a person who possesses two different computers could be considered as
42 General Data Protection Regulation (GDPR), Art 35(5).
43 Ibid, Art 46(2).
44 Assessment Measure 2021, Art 12.
45 GFMA, ‘Re: The Consultation Draft of the Measures for Security Assessment of Personal Information Outbound Transfer’ (Asifma, 12 July 2019),11 <www.asifma.org/wp-content/uploads/2019/07/gfma-response-measures-for- security-assessment-of-personal-info-outbound-transfer-bilingual-final-7122019.pdf> accessed 24 April 2022.
the defined network operator.46 Even though this scope has been narrowed in the Assessment Measures, but the “pocket clause” is still remained, where the CAC has the regulatory right to decide what should be categorized as additional conditions requiring security assessment, which means there is unexclusive and unknown conditions varying from a untransparent administrative decision restricting the data flow. As long as it serves the purpose to maintain the national security and public interests, the interpretation could be rather flexibly expanded. The pocket clause increases the difficulty for companies to render reasonable prediction to the assessment’s outcome, as the list is not exclusive but only illustrative. In response to the vague and uncertain wording, an increasing tendency could be noticed that enterprises decided to build and run the local data centers within China’s territory or switch to local service provider since the Cybersecurity Law has been implemented in 2017, in order to fit the data localization requirement. It is also requested that the cloud service operator must be local enterprises as well. Taking Apple for instance, its data center established in Guizhou Province is only used for storing data collected from users who are based in China; the joint owner of this data center - Guizhou-Cloud Big Data (“GCBD”) is even a Chinese state-owned-enterprise.47 Apart from IT sector, there is a growing tendency for specific traditional industries to identify important data based on the number of personal information subjects reaching a certain scale. In May 2021, Tesla, an electric vehicle company, publicly announce that it had established a data center in Shanghai to localize Chinese operation data such as factory production in order to comply with the domestic provisions on the Administration of Automotive Data Security.48
46 Ibid, 2.
47 Dan Swinhoe, ‘Apple Officially Opens Data Center in China’ (Data Center Dynamics, 28 May 2021)
<www.datacenterdynamics.com/en/news/apple-officially-opens-data-center-in-china/> accessed 1 June 2022; Lily Ren, ‘Apple: iCloud services in China to be run by GCBD’ (Pandaily, 11 January 2018) <www.pandaily.com/apple- icloud-services-china-run-gcbd/> accessed 7 June 2022.
48 Yu Zhang and Meng Xu, ‘What Is the Meaning Behind the Landing of Tesla Data Center In China?’ (Shanghai Observer, 27 May 2021) <www.jfdaily.com/news/detail?id=371375> accessed 2 May 2022; Sebastian Moss, ‘Tesla Opens Data Center in Shanghai, China’ (Data Center Dynamics, 25 October 2021)
<www.datacenterdynamics.com/en/news/tesla-opens-a-data-center-in-shanghai-china/> accessed 2 May 2022.
2.2.4 Overfull Emphasis on National Security
CII Regulation clarify the Ministry of Public Security (“MPS”) would lead and be predominately responsible for the CII security protection. Any cybersecurity incidents or threats shall not only be reported to CAC, but also to MPS.49 While other national sectoral regulators such as CAC, would only function as a coordinator role and be responsible for share information concerning cybersecurity threats, vulnerabilities and events.50 Commentators has described the overlapping as “a recipe for a bureaucratic tug-of-war” arising from authorities’ different approaches to cybersecurity.51 The consequence of the tugging is that MPS outstands from other agencies and took over the leadership, which implies that the focus on the CII regulation is far beyond a data governance issue in a purely commercial sense. Compared to United States’ similar effort on technology supply chains, mainly driven by the its Commerce Department, the dominance of MPS could better explain the overfull emphasis on national security, which leads China’s CII security protection act in a more than proactive and rigorous approach, such as adopting an ongoing monitoring and evaluation.52
3. An Evolution: China’s International Trade Policy on Data Localization
3.1 From Passivism to Activism: China’s International Trade Policy on Data Localization and Its Rationale
Different from the United States, which held the most giant online service providers and content producers, China emphases more on cross-border trade in goods enabled by the Internet and the relevant directly supporting service including online payment and transnational logistics.53 It has been reiterated in China’s communication on the
49 Critical Information Infrastructure Security Protection Regulations, Art 18.
50 Ibid, Art 23.
51 Paul Triolo, Samm Sacks, Graham Webster and Rogier Creemers, ‘After 5 years, China's cybersecurity rules for critical infrastructure come into focus’ (DigiChina, 18 August 2021) <https://digichina.stanford.edu/work/after-5- years-chinas-cybersecurity-rules-for-critical-infrastructure-come-into-focus/ > accessed 7 January 2022.
53 World Trade Organization, Work Programme on Electronic Commerce, Aiming at the 11th Ministerial Conference, Communication from the People’s Republic of China and Pakistan Revision, JOB/GC/110/Rev.1, JOB/CTG/2/Rev.1,
Joint Statement on Electronic Commerce in 2019.54 Although China had also mentioned data storage issue, while the passive response implicitly indicated a gentle avoidance for further discussion.55 Also, it is observed that China had cautiously limited the scope of data flow to only “trade-related aspects”, which means China makes every effort to avoid an overall commitment to the free flow of other types of data. This prudence is interpreted to be pre-emptive to justify the potential data flow restriction on non-trade-related sectors.56 Therefore, China has been wary about including Internet or data governance in free trade agreements. Even in a few FTAs which include e- commerce such as China-Korea FTA and China-Australia FTA, which both entered into force in 2015, the flatty commitment has never addressed Internet and data regulation issues.57 The first layer of the rationale for avoiding additional commitment could be explained, or at least could be understood as a preference with respect to policy within a certain stage of development. There are two typical comparators used to compare with China’s international trade policy on data governance – the United States which advocates for unfettered data flow to benefit businesses and the EU, which emphasizes the need of protecting personal information and customer privacy; while China’s regulatory focus is still data security, and it leads to the underestimate on the data flow.58 By elevating the issue of data security up to the realm of state sovereignty, China succeeds in building its legitimacy of the few commitments on data flow and the necessity of data localization. It also succeeds in establishing its narrative in the international forum that data flow should be subject to the precondition of security and should in compliance with Members’ respective laws and regulations.59 Although the
JOB/SERV/243/Rev.1, JOB/DEV/39/Rev.1 (16 November 2016)
54 World Trade Organization, ‘Joint Statement on Electronic Commerce, Communication from China’
56 Henry Gao, ‘Digital or Trade? the Contrasting Approaches of China and US to Digital Trade’ (2018) 21 Journal of International Economic Law 297.
57 Pasha L Hsieh, ‘The China-Australia Free Trade Agreement: A 21st-Century Model by Colin B. Picker, Heng Wang, and Weihuan Zhou (Eds), Oxford: Hart Publishing, 2018. ISBN 978 1 509 91538 5, 363pp’. (2018) 21 Journal of International Economic Law 923.
58 Gao (n 19) 246.
59 World Trade Organization (n 54); It should be pointed out that China delivered the above communication in 2019.
In the same year, the emphasis on network security and data security in China's domestic legislation reached its peak as four different relevant draft rules have been issued, i.e., Cybersecurity Review Measures, Data Security Management Measures, Critical Information Infrastructure Security Protection Regulations and Personal
second layer is intertwined with the data sovereignty, it focuses more on the potential influence on digital trade; even though it sounds like a disgraceful excuse for trade protectionism.60 Apparently China is not the only country that highlights an extreme priority on the data sovereignty, whilst it stands out as a unique presence that prioritizes the national security to an overwhelmingly dominant position. Nevertheless, under China’s narrative of data sovereignty is a “state sovereignty”, it is closely related to sovereignty in the sense of economics and politics, because of data’s essential economic value.61 Since, data war is another invisible war after ocean war, oil war and trade war.62 The possibility of an economic or political failure could go on China officials’
nerves, leading to an overreaction. However, it is not the complete picture. The aggregation effect of the platform enables the data naturally to be gathered in the countries which have more complete and advanced facilities and ability to process data.63 The United States is a typical example enjoying the advantage with its tremendous capacity – by the end of the third quarter in 2021, there are nearly 700 large data centers whose hyperscale service providers operate globally, and almost half of the capacity are operated in the States.64 Another example also nerves China and it might be easier to understand in the context of geopolitics and the subtle rivalry relationship between China and the United States. For instance, USMCA explicitly contains provisions prohibiting the restriction of cross-border transfer of information and any data localization measures.65 It is emphasized in the chapter on finance service. As long as the Party’s financial regulatory authorities have an immediate, direct, complete, and ongoing access to information processed or stored on computing facilities outside that
Information Outbound Transfer Security Assessment Measures.
60 But it is fortunate that WTO law does not explicitly regulate data localization measures as a trade barrier yet, the legitimacy of China’s act is guaranteed.
61 Henry Gao, ‘Data Sovereignty and Trade Agreements: Three Digital Kingdoms’ (2021) SSRN Electronic Journal 9 < http://dx.doi.org/10.2139/ssrn.3940508> assessed 2 April 2022.
62 Congjing Ran, ‘Global situation of data sovereignty governance and China's response’ (Rmlt, 2 March 2022)
<www.rmlt.com.cn/2022/0302/641108.shtml> assessed 5 February 2022.
63 UNCTAD, ‘Intergovernmental Group of Experts on E-commerce and the Digital Economy, Fourth session: Digital platforms and value creation in developing countries: Implications for national and international policies’ (19 February 2020) TD/B/EDE/4/2.
64 ‘Hyperscale Data Center Capacity Doubles in Under Four Years; The US Still Accounts for Half’ (Synergy Research Group, 17 November 2021) <www.srgresearch.com/articles/as-hyperscale-data-center-capacity-doubles- in-under-four-years-the-us-still-accounts-for-half-of-the-total> assessed 8 April 2022; Yi Shen and others, ‘The Clean Network Program and US Digital Hegemony’ (FDDI 2020).
65 United States-Mexico-Canada Agreement (USMCA), Art 19.11, 19.12.
Party’s territory, then the prohibition on data localization measures should be followed.66 In compliance with USMCA, Canada removed part of its data localization policies so that the data flow is facilitated into the United States.67 Data localization measures could also be a valuable method for confronting the growing tendency of data colonialism because the global data platforms are equipped with an overwhelming ability to capture and generate data. Therefore, it is understandable for China to take a restrictive approach to data localization considering the Sword of Damocles of tension caused by an overwhelming data monopoly of the United States, which has been taking action on various fronts.
China’s domestic data localization policy has caused the accusation outside the WTO regime for setting trade barriers. GATS does not prohibit data localization measures expressly, while there are constant voices calls for the WTO to expand the definition of trade barrier to embrace barriers on data flows and mandatory data localization measures so that more companies could reply on an expanded sphere and act against the WTO members who violate the agreement for the trade-distorting behaviors and activate the stagnant and blank forum.68 It is a difficult task, though, since it requires approvement from all signatory. However, many countries are beginning to set the tone and treat data localization as a trade barrier. For instance, the United States Trade Representative classified in its National Trade Estimate Report that the data localization as a foreign digital trade barrier that restrict, prevents or impeded the international exchange of goods and services.69 ECIPE also considered data localization measures as a factor when assessing a country’s digital trade restrictiveness.70
The pressure does not only come from the external condemnation but also comes from the inherent defects of data localization measures. The idea that data localization can lead to greater profits being generated and held by the state who imposes the measure
66 Ibid, Art 17.17, 17.18.
67 Nigel Cory, ‘USMCA Data and Digital Trade Provisions: Status Check’ (Wilson Center, 19 November 2021) <
https://www.wilsoncenter.org/article/usmca-data-and-digital-trade-provisions-status-check> accessed 13 May 2022
68 Daniel Castro and Alan McQuinn, ‘Cross-Border Data Flows Enable Growth in All Industries’ (ITIF, February 2015) <https://cdn.sanity.io/files/03hnmfyj/production/96fb1135bf96316b3d35f73c694a340357b9d823.pdf>
accessed 27 April 2022.
69 USTR, ‘2017 National Trade Estimate Report on Foreign Trade Barriers’ (March 2017)
<https://ustr.gov/sites/default/files/files/reports/2017/NTE/2017%20NTE.pdf> assessed 7 May 2022.
70 Ferracane (n 18).
is gradually proved to be a misunderstanding. On the contrary, it might have an opposite correlation. When data resources circulate, the free flow of data usually means a one- way flow because of the platform’s combined effect. Besides, rather than countries with complete and advanced facilities and ability to transfer data into value-added data products, most of the countries involved in the data value-chain are positioned only as a data provider.71 As a contested economic resource, data in the internet era is equal to coal and oil in the traditional industry. However, this is not a smart and precise metaphor, because data has never been dragon treasure. Who “owns” the data is immaterial, but what really matters is who has access to data and how data is controlled and used. There will not be new value created automatically if the data is merely localized within the boundary.72 From 2005 to 2019, digitally deliverable services enabled by the technology sector, including cross-border data flows, have steadily grown and constituted almost half of the total traded services trade exports.73 It is calculated that the global internet protocol traffic in 2022 will exceed all traffic up to 2016.74 Data flow, a new kind of international economic flow like capital flow, goods flow, and labor flow, plays a significant role. And it was reinforced after the Covid-19 pandemic because economic activities migrate and could only take place online. China's digital trade volume increased from US $200 billion in 2015 to US $294.76 billion in 2020, which is grew more than three times as quickly as GDP growth, and the epidemic detrimental effect caused by pandemic repression on the domestic real economy has been alleviated as a result.75 Regrettably, if there had been less restrictive measures, China would have achieved further progress. Quantitative analysis reveals the negative impact of restrictions on data flows on China’s economy, including prices, trade volume, and productivity.76 The additional economic domestic and international costs brought about
71 UNCTAD (n 63).
73 UNCTAD, ‘Digitalization of Service: What does it imply to trade and development?’ (25 Mar 2022) UNCTAD/DITC/TNCD/2021/2.
74 UNCTAD, ‘Digital Economy Report 2021: Cross-border data flows and development: For whom the data flow’
(29 September 2021) UNCTAD/DER/2021.
75 CAICT, ‘White Paper on The Development of China's Digital Economy’ (CAICT, April 2021)
<http://www.caict.ac.cn/kxyj/qwfb/bps/202104/P020210424737615413306.pdf> accessed 18 March 2022.
76 Nigel Cory and Luke Dascoli, ‘How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them’ (ITIF, 19 July 2021) < https://itif.org/publications/2021/07/19/how-barriers- cross-border-data-flows-are-spreading-globally-what-they-cost/> accessed 1 February 2022.
by data localization measures need to be considered by domestic decision-making bodies. International digital trade is also influenced by the staggering increasing the cost of conducting business across borders, stifling the importers of data-intense service.77 Critics pointed out that trade in goods is increasing after removing data flow restriction, by contrast, the economy is deteriorating and value of cross-border data flows are decreasing due to data restriction measures.78 Because of the cross-border data flow's interference with data flow, access to and usage of digital technologies are becoming more expensive, which reduces the benefits of digital trade.79 This cost will be borne by the data exporter disproportionally, and it is an acute burden for small and medium-sized enterprises in particular.80 In addition, as accessing overseas services becomes more expensive and less efficient, it limits the innovation of ICT technology and the productivity of domestic businesses.81
In conclusion, China adopted a passive position when it formulated the international trade policy concerning data localization. Firstly, China refused to commit or discuss the possibility of committing to the obligation of free data flow beyond traditionally trade-related aspects. Secondly, China construed its narrative of national security and data sovereignty, advocating the data flow shall comply with domestic law and regulations. However, the international trade policy could not remain static. China is under pressure to change its trade policy as a result of harsh comments made by international community over its evasive position. Considering the development in the long term, China is also actively deliberating and reflecting on these cautious policy’s propriety due to the detrimental economic effects brought by the restrictive trade policy
77 Martina F. Ferracane and Erik van de Marel, ‘The Cost of Data Protectionism’ (ECIPE, October 2018) <
https://ecipe.org/blog/the-cost-of-data-protectionism/> accessed 5 May 2022.
78 Martina F. Ferracane, Janez Kren and Erik van de Marel, ‘Do Data Policy Restrictions Impact the Productivity Performance of Firms and Industries?’ (2020) 28 Review of International Economics 676; Vincenzo Spiezia and Jan Tscheke, ‘International Agreements on Cross-Border Data Flows and International Trade: A Statistical Analysis’ (OECD 2020).
79 Mona F. Badran, ‘Economic Impact of Data Localization in Five Selected African Countries’ (2018) 20 Digital Policy, Regulation and Governance 337.
80 Joshua P. Meltzer, ‘Governing Digital Trade’ (2019) 18 World Trade Review.
81 Avi Goldbarb and Daniel Trefler, ‘AI and International Trade’ (National Bureau of Economic Research, working paper No24254, 2018) <https://www.nber.org/papers/w24254> assessed 7 May 2022.
on data flow. After all, great success gained from E-commerce in China can never been due to government’s highly centralization on internet or its vigilant posture.82
3.2 Turning Point: China in RCEP
China made a historical movement in the participation of RCEP. The electronic commerce chapter represents a first and evident step that China has agreed to accept a binding data governance measure from the global level. Among the RCEP provisions, Article 12.14 formulated a general principle against data localization.
Article 12.14: Location of Computing Facilities
1. The Parties recognize that each Party may have its own measures regarding the use or location of computing facilities, including requirements that seek to ensure the security and confidentiality of communications.
2. No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that Party’s territory
3. Nothing in this Article shall prevent a Party from adopting or maintaining:
a) any measure inconsistent with paragraph 2 that it considers necessary to achieve a legitimate public policy objective, provided that the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; or
(b) any measure that it considers necessary for the protection of its essential security interests.
Such measures shall not be disputed by other Parties.
Article 12.14 consists of three paragraphs with different purposes: the first paragraph recognizes that each Party may have its measures regarding the use or location of computing facilities; the second paragraph is a prohibition provision in principle, no Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business, and the third paragraph is exception provision, where Parties are allowed to adopt or maintain data localization measures for legitimate public policy objective or the necessity in the protection of essential
82 Gao (n 19).
security interests.83 Deduced from the context, it is an astonishing breakthrough as China’s domestic legislation adopts an evidential, unequivocal data localization measures. It reminds us of the history when the United States previously refused China’s participation due to the spirit of the free data flow movement in the Trans- Pacific Partnership (“TPP”) and the rigid data localization requirement in China is incompatible.84 Years after that rejection, China had finally explored its path in RCEP.85 The unique language in RCEP makes this contrast possible because compared to other FTAs (for instance, TPP) which contain a similar provision prohibiting data localization, RECP has provided a more lenient and less ambitious structure so that member states’
normative dispositions could be fully accomplished.86 It makes sense that considering that the compilation of evolution is always protracted rather than all of a sudden. The spirit of flexibility and pragmatism is conveyed in RCEP,87 allowing countries to find the fittest “shoes” for their own, rather than squeeze them into a US model or EU model.
As a prominent role in the RCEP negotiation round, China has a reason to be considered the major driving force to constrain RCEP’s reach in prohibiting data localization measures, because it has a much more sensitive and conservative attitude, notably in terms of data protection inside its borders. However, RCEP’s wording reflects the common will of all contracting parties. First, data localization measures have proliferated in different territories. Apart from China, many ASEAN countries and India who had quitted RCEP are no exception to adopting and imposing data localization policies. Thus, a more moderate data governance framework will be more proper.88 Second, the comprehensiveness of RCEP’s scope needs to be considered. E-commerce is only one slice of the entire agreement. There are further reasons to profoundly weigh
83 It is noteworthy that the contemplation on the national security has not been depicted explicitly in the Cybersecurity Law and the Security Assessment, compared to the evident emphasis on the personal information, even though the protection is effective when the personal information is related to the state interest. Therefore, RCEP has amended and complemented the negligence, and especially emphasized the data protection from the national security perspective.
84 Shawn Donnan, ‘Pacific Trade Deal Takes Aim at Chinese Hacking’, (Financial Times, 4 November 2015) <
www.ft.com/content/89a0137a-82b1-11e5-8095-ed1a37d1e096> accessed 4 February 2022.
85 Xianbai Ji and Pradumna B. Rana, ‘A Deal That Does Not Die: The United States and the Rise, Fall and Future of the (CP)TPP’ (2019) 34 Pacific Focus 230.
86 Streinz (n 8).
87 Deborah K. Elms, ‘Getting RCEP across the Line’ (2021) 20 World Trade Review 373.
88 Benjamin Wong, ‘Data Localization and ASEAN Economic Community’ (2019) 10 Asian Journal of International Law 159.
the flexibility in a scenario of a traditional, comprehensive, complex free trade agreement as RCEP. Because even in the agreements which merely formulate a single- minded topic aiming to foster interoperability of rules and standards engaging in digital trade and electronic commerce, the flexibility of the applicability would be taken into consideration, by means of combining legally binding commitment with enforceability and also soft commitments through non-binding MOUs. For example, Digital Economy Agreements applied by countries such as Australia, Chile, Japan, Korea, New Zealand, and Singapore. It enables and facilitates trading partners to reach consensus efficiently rather than being distracted by the protracted wrangling in the traditional trade discussion.89 Otherwise, the mismatch between the absence of new rules to protect digital trade and the rapid technology development will be deepened during the eight years of negotiation among RCEP members.90 Third, member countries’ regulatory ability and economic condition is different, thus the flexibility is necessary to ensure effective enforcement within states’ paces. As the Guiding Principle documents noted that ‘Economic and technical cooperation under the RCEP will aim at narrowing development gaps among the parties and maximizing mutual benefits from the implementation of the RCEP agreement. […] Cooperation activities should include electronic commerce […]’.91
No matter it is a request to pursue the development of the information age, or in response to the external, blatant political hostility, China has already initiated an open conversation about data localization measures and expressed its acceptance of commitment. Furthermore, it has pinned its hint toward openness to data flows because the prescriptive restriction on data localization has been accepted by China and without any reservation as other contracting parties did. There are clues proving that RCEP is not a disposable promise. First, it has been corresponded to China’s newly unveiled Global Data Security Initiatives (“GDSI”). 92 Issued by China’s Ministry of Foreign
89 Cory and Dascoli (n 76).
90 Stephanie Honey, ‘Chapter 8: Asia-Pacific digital trade policy innovation’ in Ingo Borchert and L Alan Winters (eds), Addressing Impediments to Digital Trade (CEPR PRESS 2021).
91 See ‘Guiding Principles and Objectives for Negotiating the Regional Comprehensive Economic Partnership,’
<https://asean.org/wp-content/uploads/2012/05/RCEP-Guiding-Principles-public-copy.pdf> accessed 16 February 2022.
92 Paul Triolo and Graham Webster, ‘Translation: China Proposes “Global Data Security Initiative”’ (DigiChina,
Affairs in September 2020, it is a proposed framework setting rules for global data- security issues. Second, Article 38 of Personal Information Protection Law indicates that personal information data can be transferred cross-border if the international treaties or agreements that China has concluded or participated articulates related provisions on providing personal information.93 It reveals that Chinese government has the intention to discuss detailed conditions about the cross-border data flow and enhance the cooperation on the international level.94 Finally, the most interesting part is the response from China’s main competitor. After the RCEP has entered into effect in 2020, it is remarkable that in the USTR’s latest national trade estimate report on foreign trade barriers, it is the first time since 2017 when the USTR introduced the concept of digital trade barrier, that the data localization was removed from the China’s category which may increase the United States’ worries on free digital trade, while this concern remained with other main trading partners such as EU and India. 95 Nevertheless, it should be examined further against whether the commitment in RCEP constitutes a throughout shift in the real sense from its original restrictive tone on data localization. First, even though China has presented good wishes, it is observed that the current domestic legislation is still the against its expectation, or at least it does not show a clear policy overturning. Second, the exception provision in Article 12.14 acts as another fence for China to preserve its regulatory power and avoid the accompanying complaint in the future. The wording is designed sophisticatedly because under the prerequisite where WTO does not expressly define data localization measures as a trade barrier, it would be unwise to create voluntarily additional obligations which might cause legal consequences in a new FTA – and with a possibility of high incompliance, as this specific commitment is basically in contrast with its domestic policy. It will be illustrated in the following Chapter in regards to how the member states’ concern on
2020) <https://digichina.stanford.edu/work/translation-china-proposes-global-data-security-initiative/> assessed 5 June 2022.
93 PIPL 2021, Art 38.
94 Samm Sacks, Mingli Shi, Graham Webster and Paul Triolo, ‘Knowns and Unknowns About China’s New Draft Cross-Border Data Rules’ (DigiChina, 5 November 2021) <https://digichina.stanford.edu/work/knowns-and- unknowns-about-chinas-new-draft-cross-border-data-rules/> accessed 31 March 2022.
95 USTR, ‘2020 National Trade Estimate Report on Foreign Trade Barriers’ (2020)
<https://ustr.gov/sites/default/files/2020_National_Trade_Estimate_Report.pdf > assessed 9 May 2022.