
China Cyber Sovereignty and Cross-Border Digital Trade

Ron Cheng
Friday, March 31, 2017, 8:49 AM


Published by The Lawfare Institute in Cooperation With Brookings

As the U.S. reexamines its trade policy, commentators following U.S.-China affairs have noted an important area that has not received as much attention as the bilateral trade in goods but may one day rival it: the digital economy. Although U.S. exports of information and communication technology-related services to China totaled $12.8 billion in 2015, e-commerce sales in China were estimated to be $672 billion in 2014 (double that of the United States). It stands to reason that but for current restrictions on the Internet in China and unlawful usage in the form of intellectual property theft, the U.S. export figure could be substantially larger.

Commentators have noted that both countries could gain substantially with freer digital trade flows, including a suggestion on the China-US Focus site that implementing a bilateral agreement could have salutary effects through expansion into a free trade zone.

While general Chinese governmental statements contain suggestions that China’s policy could be consistent with what is undoubtedly a worthy goal, there are obstacles at the working level. In particular, there is China’s new Cyber Security Law, which implements the goal in the National Security Law that the Internet be “secure and controllable.”

The law stipulates that “personal information” and “other important data” gathered or produced by “critical information infrastructure operators” in their mainland operations be stored within mainland China. The law broadly deems those infrastructure operators to include public communication or information services, finance, or other infrastructures that, if destroyed or compromised, could seriously endanger national welfare and the people’s livelihood or public interest.

China’s recently issued Strategy for International Cooperation in Cyberspace (available here in English and here in Chinese) reinforces this point by asserting the need to respect each country’s “own path of cyber development, model of cyber regulation and Internet public policies.”

Could there be flexibility in this Internet regulation scheme? At first blush, this approach seems to be the opposite of the Trans-Pacific Partnership (TPP), whose e-commerce rules permit, with wide application, “the cross-border transfer of information by electronic means, including personal information” for the conduct of business. Reports of China’s participation in continuing meetings of the remaining TPP parties are encouraging, but whether these e-commerce provisions remain or whether China would accede to them in their present form is not clear.

There are also the Cross-Border Privacy Rules (CBPR) of the Asia-Pacific Economic Cooperation (APEC) economies. An economy participating in the CBPR appoints agents that certify companies that have compliant data privacy policies that would improve cross-border data flows. The U.S. and China are members of APEC, but they stand on different sides of the CBPR. The U.S., Mexico, Japan and Canada participate in the CBPR system. While there are reports that Korea may seek to join, China has yet to express interest in doing so.

It also should be noted that negotiations for a Regional Comprehensive Economic Partnership (RCEP) among Asian countries, including China, have been continuing since 2013. It is unclear to what extent the RCEP will address cross-border data flows and digital trade, if at all.

The growing economic ties and tremendous potential for growth between the U.S. and China in digital trade and e-commerce favor a solution along the lines suggested in the TPP or APEC’s CBPR. At present, China’s new legal regime, set to become effective June 1, 2017, is causing a great deal of concern among U.S. and European businesses as to the law’s restrictive effects. While the data localization rule allows foreign companies to apply for exemptions that could allow them to provide data outside China, that process has not yet been articulated and there has been no suggestion that there may be blanket exemptions beyond whatever exemptions are granted case by case.

As the China-US Focus commentators suggest, even some Chinese leaders have voiced that the costs of the present system of Internet control may outweigh the benefits. A vice-chairman of the Chinese People’s Political Consultative Conference (CPPCC), Luo Fuhe, introduced a measure to increase the speed for visiting foreign websites (described here, in Chinese language media, and here, in English language media), noting that accessing certain foreign websites from within China requires at least 10-20 seconds. Vice Chairman Luo also disclosed what to many in China is an open secret: Many Chinese experts and researchers must buy software to “climb over” China’s Internet firewall to visit foreign websites, with some even taking time over weekends and holidays to travel to Hong Kong to obtain online materials.

There appears, however, to have been no discussion of the measure after these reports, and it is unclear whether the CPPCC—whose actions do not result in legislation in any case—ever voted on it. Any action meaningful to outside observers will have to await discussion among diplomats and trade experts.


Now a partner at O’Melveny and a leader in the White Collar and Data Privacy practices, Ron Cheng spent 20 years as a federal prosecutor, serving in a number of roles at the Department of Justice, most recently as a key member of the Cybercrime and Intellectual Property Crimes Section at the U.S. Attorney’s Office in Los Angeles, where he has focused on criminal activity arising out of the Asia-Pacific.
