Cybersecurity & Tech Foreign Relations & International Law

Assessing U.S. Data Policy Toward China: A Proposed Framework

Samm Sacks, Peter Swire
Friday, July 14, 2023, 10:40 AM
Addressing risks posed by Beijing’s accessing Americans’ data requires first conceptualizing the trade offs in current U.S. policy approaches.
President Joe Biden shakes hands with Chinese President Xi Jinping during a visit to Beijing, December 4, 2013. (Li Jilin, https://tinyurl.com/4928zyd5; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/legalcode)

Published by The Lawfare Institute
in Cooperation With
Brookings

Access to and use of personal data is at the forefront of the U.S.-China technology conflict. Republicans and Democrats have found common ground in the concern that unacceptable national security and privacy risks arise from Beijing’s access to U.S. persons’ data through open commercial channels. Over the past several years, U.S. policymakers have expanded their earlier focus on cyber theft and industrial espionage to grapple with new risks posed by Chinese firms handling U.S. persons’ data or data flowing to China by data brokers or other means. 

According to Director of National Intelligence Avril Haines (as cited in support of a bill requiring licenses to export certain personal data to China and other countries): “There’s a concern about foreign adversaries getting commercially-acquired information as well, [I] am absolutely committed to trying to do everything we can to reduce that possibility.”

The Biden administration and Congress are building on the effort (which started in the Trump administration) by putting forward a range of measures that aim to create new guardrails for data flows to China. These include executive orders and rules for reviewing transactions involving foreign adversaries’ access to U.S. persons’ sensitive data, bans on Chinese software applications, and creating blacklists of countries approved to receive U.S. persons’ data as an export-controlled item, among other actions. Many proposals remain in draft form, unresolved amid debate that does not map onto political party lines. 

To date, we have not seen any systematic approach to address what limits on data flows should apply and for what reasons. In a new report, published with the Cross Border Data Forum, we offer a framework to conceptualize current U.S. data policy toward China, identifying four distinct policy models and analyzing the costs and benefits of each, drawing on the perspectives of trade and economics, national security, and privacy. Rather than advocate for a particular policy solution, our aim is to inform policymaking by discussing the ripple effects of different options.

Four Models

First, the Digital Free Trade model emphasizes the benefits to the United States of having robust trade in goods and services in general, and with China more specifically. This model would place no limits on China or other countries simply because they have authoritarian political systems. This model has largely described the status quo in the U.S. The free trade perspective contributed to U.S. support for China to enter the World Trade Organization in 2001. Under the Digital Free Trade model, the main issue to address is what presumptions and showing of risk would need to be established as a basis for limiting trade. 

Second, the Blocking Adversaries model seeks to restrict data from flowing to certain countries, such as China, that are deemed foreign adversaries by the U.S. government. The stated goal is to eliminate national security harms that could result if authoritarian governments were to gain access to information about either specific U.S. persons or population-level insights. The U.S. government has sought to use the Committee on Foreign Investment in the United States process to restrict TikTok’s data flows from the U.S. to China and earlier blocked acquisition of the dating app Grindr. President Biden explained this rationale for action in the 2021 executive order entitled “Protecting Americans’ Sensitive Data from Foreign Adversaries.” Sen. Ron Wyden’s (D-Ore.) Protecting Americans’ Data From Foreign Surveillance Act would create an export control regime for bulk exports of U.S. persons’ data to certain high-risk countries such as China.  

Third, the Privacy Law model builds on the growing bipartisan consensus that the U.S. should enact comprehensive privacy legislation with the goal of addressing data processing by both domestic and foreign companies. This model is distinct from national security, because the focus is on overall protection of individuals’ data, rather than on an assessment of the risk of the data in the hands of a particular adversary. More recently, however, lawmakers have emphasized that privacy legislation can also address trans-border privacy risks, with disclosure requirements  or restrictions specifically applying to China and other adversaries.

Fourth, the Data Allies model provides a way to address specific national security and privacy risks posed by non-democracies, while retaining a willingness to engage in global trade when such risks are manageable. The Data Allies approach broadly describes the Biden administration’s current approach, as shown in the 2022 Declaration for the Future of the Internet, which the U.S. launched with 60 partnering countries and aims to “realize the benefits of data free flows with trust based on our shared values as like-minded, democratic, open and outward looking partners.” This model uses a principled basis to facilitate more data sharing with each other, while also using a stricter standard for “adversary” countries like Russia and China to access U.S. persons’ data. As discussed in more detail in our report, and in other recent writing, data ally initiatives are proceeding on a multilateral basis, at the G-7 and the Organization for Economic Cooperation and Development, and as part of the initiatives for “data free flow with trust” and the Global Cross-Border Privacy Rules. The Data Allies model has also been incorporated more formally, such as in the 2015 Judicial Redress Act, the 2018 CLOUD Act, and the current EU/U.S. Data Privacy Framework.

Trade-Offs

The four models highlight areas of tension and overlap among the three goals of national security, free trade, and privacy. Recent U.S. policy debates have highlighted ways that national security can come into conflict with the Digital Free Trade model. Both the Trump and Biden administrations have emphasized risks to national security, and personal data held by companies in China lacks rule-of-law safeguards against excessive surveillance. Our report identifies how U.S. policymakers perceive the nature of the national security risk, including combining data sets to target Americans in national security positions or with access to critical infrastructure, enabling bulk or targeted electronic surveillance, pushing out targeted misinformation, strengthening economic competitiveness of Chinese firms, and launching more effective cyberattacks.

These are legitimate national security concerns. Policy analysis should, however, recognize the ways that global trade may also advance national security and cybersecurity. Free trade can create stronger ties with potential adversaries such as China, and possibly reduce the likelihood and magnitude of conflict. Joseph Nye writes that entanglement can have a deterrent effect. He argues that the exponential increase in cross-border data flows underpinning global commerce can be a factor in cybersecurity and other forms of deterrence. For those inclined to cut ties with China, it is worth considering what conflict would look like if the U.S. were to block trade and create sanctions at the level now applying to North Korea. Some degree of trade and entanglement with China, therefore, likely supports U.S. national security. 

A stronger U.S. economy can also benefit U.S. national security in ways that extend beyond the borders of both the U.S. and China. New limits on outbound data transfers from the U.S. make it more challenging for U.S. firms to push back against rising digital sovereignty in the EU, India, and globally. It also weakens cooperation with allies by making it more difficult to effectively share data for law enforcement, intelligence, cybersecurity, health research, and other common purposes. Restrictions on data flows imposed on U.S. firms by countries beyond China undermine the competitiveness of U.S. digital industries, reducing leadership in artificial intelligence and cybersecurity-related capabilities. Limits on exports of personal data, such as the telemetry used in cybersecurity, could reduce the ability of U.S. cybersecurity companies to service the global market.

As scholars have noted, trade and privacy often seem locked “in a mortal contest” between trade-based cross-border flows and privacy-based skepticism of such flows. Historically, the U.S. has generally favored a relatively free flow of data across borders, not least in order to support U.S.-based technology companies. More recently, the Data Allies model seems a more accurate description of U.S. policy, with initiatives such as the EU/U.S. Data Privacy Framework seeking to retain robust data flows with allied nations that offer privacy protections.

As for national security and privacy, congressional privacy debates in recent years have emphasized privacy rules across the board, rather than remaining focused only on data flows to adversary countries. The 2022 privacy legislation, which passed the House Energy and Commerce Committee with a 53-2 bipartisan vote, had only modest notice requirements about transfers to China and a few other countries. More recently, there have been hearings in Congress that emphasized the specific privacy risks of data flows to China, showing more convergence between the national security and privacy goals. Nonetheless, effective overall protection of privacy would address the vast majority of data collection and use, which does not involve China or other adversaries.

Conclusion

Each of the four models clarifies what is at stake for the possible limits on transfers of U.S. persons’ data to China in pursuit of the goals of economic growth, national security, and privacy protections. 

Going forward, analysis should realistically examine the effects of a proposal on each of these important policy goals. Such analysis is consistent with the 2021 executive order, which called for a “through rigorous, evidence-based analysis.” With respect to economic growth and international trade with China, these goals likely remain in effect for many exports, imports, and across many sectors. Therefore, a blanket ban on digital trade with China would be an overreaction to concerns about national security and privacy. Further, the Data Allies model can be used as a way to conceptualize the emerging U.S. approach for international data transfers. 

With the current attention to data access by Chinese-based companies, there is a risk that ill-considered limits will have harmful spillover effects on U.S. national interests. Privacy and national security arguments to wall off U.S. persons’ data or ban platforms entirely should take into consideration the consequences of doing so—both for stated national security objectives as well as those for that go beyond a national security rationale.

While we provide a framework for analyzing these important issues, we do not presume to have all the facts needed to make comprehensive policy recommendations. One path worthy of consideration for those who do have such insight is to enact the sort of comprehensive privacy legislation that Congress has considered, perhaps with targeted provisions limiting data flows in certain circumstances and addressing the most serious risks from data brokers. Greater attention to the details of such an approach is beyond the scope of this article. Our hope is that this framework can serve as a foundation, useful to those across the political spectrum, that can help determine the most effective approach for meeting the multiple goals of U.S. policy.


Samm Sacks is a Senior Fellow at New America and Yale Law School’s Paul Tsai China Center. She is also a Senior Fellow for China Cross Border Data Forum. She has worked on Chinese tech and cyber policy for over a decade, both in the national security community and the private sector. She is writing a book (to be published by the University of Chicago Press) on U.S.-China relations through the lens of data, including the geopolitics of data privacy and cross-border data flows.
Peter Swire is the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity and Privacy, and Professor of Law and Ethics in the Georgia Tech Scheller College of Business. He is Senior Counsel to Alston & Bird LLP, and Research Director of the Cross-Border Data Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.

Subscribe to Lawfare