Jul 19 2021
Prof. Lu Chuanying interviewed by SCMP on cross-border data flow and cyber security
By Lu Chuanying

On July 19, Prof. Lu Chuanying was interviewed by SCMP on cross-border data flow and cyber security. The report is as follows.

An outdoor installation at the China International Big Data Industry Expo 2021 in Guiyang, southwest China's Guizhou Province, May 26, 2021. Photo: Xinhua


China, with 29 data localisation policies, is the most restrictive country when it comes to cross-border data flows, according to a report by Washington-based think tank Information Technology and Innovation Foundation (ITIF).

While keeping data stored domestically is becoming a trend among governments around the world, the effort is “self-defeating” as restricting data flows would damage economies by inhibiting trade, lowering productivity and raising prices for downstream industries, the report said.

The think-tank also recommends a “Geneva Convention for Data” between US and its allies such as Canada, the UK and Japan, as a common framework for data-sharing, excluding data-restrictive countries such as China, Russia, and the European Union.

The report comes at a time when more governments are introducing rules to regulate the flow of data across their borders. The ITIF found that 62 countries have now imposed 144 data localisation measures, nearly double the number in 2017, when 35 countries enacted 67 such restrictions.

China cites sovereignty issues when imposing regulations to keep key data within its borders. US firms from Apple to Tesla are required by Chinese law to store the data of their Chinese consumers in China. Meanwhile, Washington is enhancing scrutiny over Chinese apps’ access to the data of American users.

Lu Chuanying, director of the international cyberspace governance centre at the Shanghai Institutes for International Studies, said countries around the world are imposing data borders in the name of national security as data is considered a new strategic resource.“Many countries want their data stored locally so that [it] doesn’t become other countries’ production factor for free,” Lu said.

China is ahead of the curve with 29 such measures, followed by 12 in India, nine in Russia and seven in Turkey,according to the ITIF report.

China recently released a series of laws and regulations seeking to restrict what it deems as “important data”from going abroad, citing national security reasons. The country’s Data Security Law, which was announced last month and is slated to go into effect on September 1, sets hefty punishments for such violations.

Under the law, companies that transfer the state’s “core data” overseas without approval from Beijing will face a penalty of up to 10 million yuan (US$1.5 million) and could be forced to shut down. What constitutes state “core data” has yet to be defined.

Earlier this month, Beijing also updated its Measures for Cybersecurity Review, a regulation first released last year. The update stipulates that all technology platform companies that possess personal data of at least one million users must undergo a review by authorities before launching an IPO in a foreign market.

A visitor watches a promotional video at the China International Big Data Industry Expo 2021 in Guiyang, southwest China's Guizhou Province, May 26, 2021. Photo: Xinhua


Chinese ride hailing giant Didi Chuxing became the country’s first tech giant to face a cybersecurity review earlier this month after it “forced its way” into a US IPO, which sent its stock price plunging. New rules released in April also said that companies that make internet-connected cars, which collect sensitive road data, may be required to decrypt their data for authorities before sending it outside China.

Data localisation is finding support not only among countries keen on controlling cyberspace such as China and Russia, but also in the European Union, putting the Silicon Valley tech giants that reign over European markets on alert.

In 2016, the European Parliament approved the General Data Protection Regulation (GDPR), one of the world’s strictest privacy laws, and the EU’s proposed Data Governance Act came out of the 2020 European Data Strategy.

Last week, the EU Court of Justice invalidated a mechanism called Privacy Shield that tech companies including Facebook and Google used to move commercial data from Europe to the US. The case, which could end up pressuring tech firms to use local data centres in Europe, was brought to court by privacy campaigner Max Schrems and traces its origins to the US spying campaign led by the National Security Agency (NSA) that was uncovered by whistle-blower Edward Snowden.

“It will be difficult, if not impossible, to make meaningful progress in any forum that involves China, Russia, and others that support digital protectionism and control,” the ITIF report says. “It’s hard to include Europe given its inability to genuinely engage and collaborate with counterparts unless its privacy preferences prevail over everyone else’s.




Source of documents:SCMP, July 19