The Chinese government has long pursued a security-centered approach to data. Key regulations such as the Cybersecurity and Encryption Laws place national security at the core of its data legislation objectives. The main goals so far have been to prevent cyber attacks and data leaks by upholding strict technical requirements, and exert control over Internet content and cyber infrastructure.
Now, Chinese lawmakers are pivoting towards a new goal. They want to reap the economic benefits of China’s immense data resources through a regulated data economy.
Camille Boullenois is a consultant at Sinolytics, a research-based consultancy focused on China.
China’s draft Data Security Law, issued by the National People’s Congress of China on July 3, marks a shift in China’s data strategy, away from a narrow focus on security and towards a multi-pronged approach balancing security concerns and economic benefits.
Domestically, it starts an effort to create a regulated market for data as a new commodity. Internationally, it brings data into a coordinated trade strategy, characterized by selective reciprocity and protectionism.
The draft law means more rules for players in the data space, and will kill off some unregulated trade. But for bigger players, the clarity could make it easier to participate in the market.
A vast, often grey, market
Tech companies thrive on the collection of data, both in China and abroad. Big data sets can be used to create better drugs, improve manufacturing processes, train face recognition algorithms, and offer targeted content and advertisements, to name a few examples. There’s an enormous market for this kind of data.
China is a particularly big market for data. Tech giants operate thriving data businesses. Small players are experimenting with novel ideas like using data as collateral for bank loan applications.
According to International Data Corporation estimates, by 2025, the amount of data created, collected, or copied in China will increase from 7.5 zettabytes in 2018 (a zettabyte is equivalent to about 200 billion DVDs) to 48.6 zettabytes, accounting for 27.8% of the world’s data. By comparison, the US will only account for 17.5% of the total data generated globally in the same time period.
The only problem is that much of this market is at best poorly regulated, and at worst illegal. For employees at large tech companies, hacking servers to acquire datasets is a lucrative side business. This data is then sold in Chinese and international markets.
Until 2019, data regulation focused on shutting down this illegal trade and regulating what data can be sent out of the country.
While thriving data businesses emerged, regulators has struggled to govern them. Privacy legislation has evolved significantly since 2017, but they are only aimed at protecting individuals’ personal information. The big, anonymized datasets that are traded to fuel algorithms remain ill-defined and poorly managed.
A new ‘factor of production’
It was only last fall that Chinese economic planners began to publicly recognize the potential of data trading as a legitimate business—and make concrete moves to regulate and develop this industry.
In November 2019 the Fourth Plenary Session of the Nineteenth Central Committee of the Communist Party characterized data as a “factor of production.” Four months later, experts at the National Information Center compared data to oil:
“If oil is the core resource in the era of industrial economy, then data is the most important strategic resource in the era of digital economy.”—National Information Center
The Draft Security Law is the first step in an effort to make China the Saudi Arabia of data.
According to the National Information Center, China will pursue “asymmetric advantages in this new round of global technological competition.”
Planners aim to take advantage of China’s unique population size to enable its companies to gather, use, and sell unprecedented amounts of data, both domestically and internationally.
Definitions for the new data economy
The draft Data Security Law lays out a vision for a system that replaces a wildcat market with a legitimate and consolidated industry. It promises that data will be traded “orderly and freely” as a commodity in the new digital economy.
It also provides a legal basis for “Internet+” digital government initiatives, calling for the “construction of e-government” and enhanced “capabilities to use data to serve economic and social development.”
The draft law takes the first step toward this new data economy: It defines what “data” is. It distinguishes between “information” (xinxi) and “data” (shuju), defining data as “any record of information in electronic or non-electronic form.”
“Information” belongs to the user and is the focus of privacy protections. By contrast, the legal framework governing “data” is multifaceted. It aims not only at protecting individuals’ privacy, but promoting cybersecurity practices and economic development.
This definition opens the door to legal ownership of big data products, and brings the exchange of such products under a legal framework distinct from that of privacy. But it leaves many technical details about data ownership, pricing of data, and evaluation of data assets to be resolved later.
Most important among these unresolved questions for ushering the new data economy is standardization.
Since 2014, big data trading platforms in China have experimented with hosting data transactions. Each uses a different technical framework, which makes data exchange between the platforms difficult.
Similarly, data generated by government agencies across China exists in silos. Recent difficulties in uniting local health code databases during the Covid-19 outbreak illustrated the challenges of centralized data management.
Exactly how this standardization will take place and what aspects of data collection and management it will make homogeneous is left ambiguous.
Balancing opening up with protectionism
The draft law notes that international data trade is encouraged, but does not offer provisions to make it easier. Rather, it opens the door to restrictions based on economic protectionism.
There is a lot of money to be made by selling data abroad—but China also wants to keep the most valuable data assets in the country. In March, the National Information Center article mentioned above complained: “a lot of high-value scientific data has not been fully shared and used at home but has flowed abroad.”
The 2017 Cybersecurity Law already restricts outbound cross-border flow of “critical data,” defined relative to national security considerations.
READ MORE: Dust has yet to settle two years after China’s landmark cybersecurity law
With the draft security law, China adds an economic dimension to data protectionism. The new law defines a new category, “important data,” which is assessed not only in relation to national security, but also economic and social development.
Under this law, data that is deemed valuable for China’s economic and social development would go through cumbersome export controls. A pharma company doing clinical trials in China, for example, will likely have to store all patient data in China and request approval from local authorities before transferring this data to headquarters.
We don’t know how this would be implemented, but a draft regulation (in Chinese) that has been under review since 2017 is a likely model. It would require companies planning to transfer “important data” overseas to seek approval from local Public Security authorities.
The draft also contemplates using data access as a point of leverage in trade disputes. It warns that China will adopt “corresponding measures” (author’s translation) in its trade of data assets.
Any country that adopts prohibitions or restrictions on Chinese investment or trade on the basis of China’s data practices could be subject to this tit-for-tat data diplomacy.
If you don’t want to give your data to China, China won’t give its data to you. If you don’t invest in China’s tech industry because you don’t like how China uses your data, maybe you won’t get its data either.
In practice, China might restrict data export to many Western countries under this clause. The EU, for example, has agreements with “like-minded” countries such as Japan, Canada, and Israel, which stipulate free data flows.
No such deal has been signed between the EU and China. China is not considered “like-minded” and so the flow of European data into its borders is restricted. Under the new law, the flow of China-made data into Europe would be reciprocally limited.
The law would also empower the Chinese government to use data flows to retaliate against the United States if, say, it decides to ban TikTok over fears that the app appropriates and misuses consumer data.
Data will increasingly be used as a bargaining chip in trade negotiations.
On the flipside, the law opens room for flexibility by putting regional and departmental governments in charge of deciding what constitutes “important data.”
While data export restrictions on national security grounds will likely be controlled at the central government level, other kinds of data will be subject to provincial and industry-specific decisions.
We will likely see provinces compete to attract companies by lowering restrictions on digital trade—just as some free trade zones currently experiment with tax incentives. The southern province of Hainan has already announced such a program (in Chinese).
Ultimately, whether the draft law will result in a more or less restrictive environment for digital trade in China remains to be seen. Much depends on implementation by central and local governments, which we will see in the coming months and years.
Currently, the country is at the bottom of the OECD’s Digital Trade Restrictiveness Index, which measures policy restrictions to digital trade in 64 countries in the world. The new draft law is unlikely to change this overall ranking.
But foreign companies and governments need to be aware that China is setting the rules for its data economy, looking to data as a bargaining chip, and leaving room for relaxed local restrictions. The legal landscape for data transactions is rapidly and drastically changing.