Foreign Relations & International Law

U.S. Criticism of China’s Cybersecurity Law and the Nexus of Data Privacy and Trade Law

Chris Mirasola
Tuesday, October 10, 2017, 12:00 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

China has made rapid progress over the past two years towards developing a legal framework governing cyberspace. There are at least 14 laws, regulations, guidelines, national strategies, and standards implementing President Xi Jinping’s dictum that “without cybersecurity there is no national security.” The international business community has consistently opposed these laws and regulations, claiming that they unduly interfere with business operations. This past June, the U.S. took first steps towards joining the business community’s explicit opposition to China’s regulations.

At a regular meeting of the World Trade Organization (WTO) Services Council, the U.S. joined Japan (along with South Korea, Australia, and Chinese Taipei) to say that China’s cybersecurity law (CSL) “could prevent data from flowing freely and new suppliers from operating in China.” The U.S. followed this denunciation with a more detailed paper released last month criticizing the CSL, the National Security Law, and related implementing measures. The document alleged that these laws “would disrupt, deter, and in many cases, prohibit cross-border transfers of information that are routine in the ordinary course of business” and requested that China halt implementation.

Washington first argues that foreign suppliers of services, across a range of industries, regularly transfer data outside of China in the course of normal business operations. Chinese law, however, imposes extensive privacy-protection and security-assessment duties on the transfer of “important data” or “personal information.” The U.S. criticizes China for the overbreadth of these terms. For example, “important data” appears to be construed as any personal or business data that the Chinese government believes might endanger its national or social interests. The Cyberspace Administration of China reviews “important data” and personal information before they can be transferred, and some types of data can never be moved across borders. Operators of “critical information infrastructure” are subject to additional restrictions on data mobility. According to a report from Paul Triolo, Rogier Creemers, and Graham Webster, draft regulations released this past July “make clear that the reach of [critical information infrastructure] will be quite expansive.”

The U.S. believes that these requirements violate China’s duties under the General Agreement on Trade in Services (GATS) to guarantee equal national treatment of service providers. The GATS, which came into force in 1995, created international trade rules for the services sector. China’s regulations on the transfer of data allow the country to effectively shirk these commitments not by explicitly restricting trade in services, but by encumbering the underlying data needed to perform these services. This argument seems to borrow from GATS Article XVII, which states that “[f]ormally identical . . . treatment shall be considered less favourable if it modifies the conditions of competition in favour of services or service suppliers of the Member compared to like services or service suppliers of any other Member.”

The debate over when legitimate privacy laws should be considered violations of the GATS is still in its infancy. No WTO member has yet instituted proceedings against another for violating the GATS based on overly burdensome data protection laws. A plain reading of the GATS, however, would seem to raise doubts about overly restrictive requirements for data transfer. In addition to Article XVII, the GATS requires that members “accord services and service suppliers of any other Member treatment no less favourable than that provided for under the terms, limitations, and conditions agreed and specified in its Schedule.” China’s Schedule outlines requirements for commercial presence (e.g., mandatory joint ventures) but does not further restrict cross-border supply or consumption of services. Notably, China explicitly listed software implementation, data processing, telecommunications, and domestic and international data services in its most recent Schedule. China might defend its laws based on GATS Article XIV bis, which provides that the agreement should not be construed to prevent any member from taking action “it considers necessary for the protection of its essential security interests.” But the same provision immediately limits this exception to three categories of security interest: services supplied for provisioning a military establishment, activities relating to fissionable or fusionable materials, and measures taken in time of war or other emergency in international relations. China would find it difficult to justify its regulations on any one of these grounds.

This reading of the GATS may matter less, however, if the U.S. becomes an outlier in the world of data privacy. The E.U., which did not join the U.S. in criticizing China’s data laws, will begin enforcing its General Data Protection Regulation (GDPR) this upcoming May. The GDPR is very protective of privacy, covering personal data relating to individuals in the E.U. even when that data is processed by entities (companies, research institutes, etc.) not established in the E.U. Importantly, it also regulates the transfer of data outside the E.U. Data may only be transferred if (1) the European Commission has decided that the receiving territory “ensures an adequate level of protection” consistent with the GDPR, (2) the processing entity has provided “appropriate safeguards,” or (3) the individual concerned has given explicit consent to the transfer after being informed of its risks. The Japanese Act on the Protection of Personal Information (APPI), already in force, contains substantively similar requirements.

While both regimes may appear similar to China’s, they can be distinguished on three grounds. First, the E.U. and Japan have a much less capacious understanding of protected data. The GDPR and APPI are only concerned with “personal information.” In the GDPR, this covers “information relating to an identified or identifiable natural person.” The APPI is similarly concerned with information relating to a living individual, including name, date of birth, and other information by which an individual might be identified. Neither mentions data important to national security or social stability. This speaks to the core of Washington’s complaint in its letter to the WTO: the overbreadth of the Chinese cybersecurity regime. Second, the degree of government involvement is quite different. While all three regimes establish a commission to oversee data privacy, only China empowers that entity to inquire into the content of data and to establish additional categories of data that cannot be transferred. Lastly, the U.S. has data transfer agreements with both the E.U. (the E.U./U.S. Privacy Shield) and a variety of Pacific economies, including Japan (through the APEC Cross-Border Privacy Rules), that facilitate the transfer of data. That said, Article 15 of the CSL also provides an exemption for international data transfer agreements. Given human rights concerns over the scope of data protected in China, however, it is difficult to imagine how the U.S. could negotiate such an agreement with Beijing.

Major economies are clearly only starting to build the legal arguments reconciling domestic data privacy laws with their GATS commitments. If last month’s WTO submission was meant to articulate the U.S.’s vision for the proper balance between the free flow of data and privacy, however, a much more robust legal campaign is required. Two points demand particular attention.

First, the U.S. must get its own house in order: There is no comprehensive federal law regulating the collection and use of personal data. It is instead governed through a bevy of sector-specific legislation, such as the Financial Services Modernization Act, Federal Trade Commission Act, and Health Insurance Portability and Accountability Act. In some cases, states have enacted privacy laws that go beyond federal requirements. While the benefit of a comprehensive federal law remains unclear, at a minimum, the U.S. needs a national-level articulation of data privacy policy. Otherwise, the U.S. will continue to operate on the terms established by other countries through their own domestic privacy laws.

Second, the U.S. must widen the coalition of WTO members willing to insist on the free flow of data, focusing particularly on the E.U. This will be difficult given that the European Court of Justice struck down the prior E.U./U.S. data-transfer agreement, the Safe Harbor framework, in 2015, and given the continuing concerns about U.S. commitment to data privacy expressed by Giovanni Buttarelli, the European Data Protection Supervisor, just last month. At a minimum, the U.S. must ensure that E.U. member states do not lean toward China’s restrictive interpretation of the GATS to allow domestic legislation that would hasten the fragmentation of the internet. Even assuming that some data localization is inevitable, its extent matters tremendously.

The U.S. has already lost the first-mover advantage in shaping the contours of international data privacy laws. A robust legal campaign building on last month’s WTO communication is necessary to ensure it does not entirely lose a seat at the table.


Chris Mirasola is a Climenko Fellow and lecturer on law at Harvard Law School. Previously, he was an attorney-advisor at the Department of Defense Office of General Counsel.