China’s Data Security Cooperation Initiatives and Their Implications

At the recent “China + Central Asia" (C+C5) foreign ministers' meeting, China’s Wang Yi and his counterparts from five Central Asian countries (C5 – Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan) signed the Data Security Cooperation Initiative of China + Central Asia (C+C5 DSCI). It is the second data security pact that China has inked in the world after it launched the Global Data Security Initiative (GDSI) in 2020; the first was China-League of Arab States (LAS) Cooperation Initiative on Data Security (China-LAS DSCI), which was launched on March 29, 2021.

Some technology analysts have argued that China’s promotion of GDSI slowed down in 2021, but the new cooperation initiative with Central Asia indicates that China is not only still building its global network on data security but it is also becoming clearer and more concrete in setting out the details of cooperation. The C+C5 DSCI puts flesh on the skeleton of the GDSI and builds on the China-LAS DSCI. It also presents more details on China’s construction of its global network on data governance and has major implications for Beijing’s engagement on the issue of global digital governance.

China’s data governance efforts: Adherence to multilateralism? 

First, unlike the previous two initiatives which focused on bilateral and multilateral cooperation centering on China, the C+C5 DSCI mentions the role of the United Nations. In their initiative, China and the C5 recognize the dominant role of the UN in cyber governance. Moreover, they express their support for the establishment of an open-ended ad hoc inter-governmental committee to shape a comprehensive international convention which was decided on in UN Resolution No. 74/247. Although China submitted the GDSI to the UN General Assembly, this is the first time that China has incorporated the UN resolution into its expanding data security cooperation framework outside the structure of the global body.

In addition, the C+C5 DSCI makes it clear that the cooperative framework is based on international law. By explicitly mentioning the UN and international law, China appears to be aiming to integrate and safeguard the UN-centered international system or at least demonstrate that intention. Beijing seems to want to reiterate its commitments to the existing multilateral order, thereby showing that China is a true defender of globalism.

• Both the GDSI and the China-LAS DSCI only note that countries cannot ask for data transfers without complying with the laws in place in the countries where the data reside. But in the C+C5 DSCI, for the first time China explicitly advocates that enterprises store data in the countries where they operate. This request should be understood as a part of China’s sovereignty-oriented cyber governance approach. Anticipating that China will overtake the United States to become the largest data-generating country in the world by 2025, Beijing needs to have a say in international norms and standard-setting with regard to data by pushing forward its concept of data sovereignty to international audiences. Meanwhile, given the high value of data as “new oil” and its “weaponization” in a world where geopolitical rivalries are intensifying, China urgently needs to make sure that its huge market size and consequent ability to produce a significant amount of data are strengths not weaknesses.
• China and the C5 vow to explore what they can do together to combat the illegal use of ICT. This implies that China still treats states as the major actors in data governance, even though China welcomes non-state actors such as non-governmental institutions, technical communities and ICT enterprises to join its efforts to promote data security.

Third, the C+C5 DSCI clearly states that China and C5 will explore the possibility of setting out a unified code of ethics to guide suppliers of ICT products and services in their respective countries. In past years, China’s efforts in constructing a Digital Silk Road have concentrated on enhancing infrastructure connectivity. Nowadays, as a part of “contributing Chinese wisdom to world development”, Beijing has made setting international norms and standards on digital governance one of the key goals in its 14th Five-Year Plan for National Informatization. In this context, the C+C5 DSCI is one of the first steps in this effort. Going beyond the international regulations ensuring the security of data and ICT-based business operations, China is more interested in shaping a moral ground on which the digital economy and newly emerging technologies should be regulated, guided by principles of governance as well as plain regulations.

Fourth, the C+C5 DSCI puts more emphasis on the protection of private property and the public interest. For instance, both the GDSI and the China-LAS DSCI assert that ICT enterprises must not force users to upgrade product systems. The C+C5 DSCI, however, adds a precondition: Those companies can push for mandatory system upgrades if it is to protect users’ private property and was in their public interest. The C+C5 DSCI adds that countries should enhance cooperation in combating ICT which threaten national political, economic and social security. With these additional terms, the C+C5 DSCI arguably indicates at least an intention to protect both individual human rights and national security at the same time. It is a manifestation of Xi Jinping’s “holistic view of national security” and an integral part of the country’s Global Security Initiative (GSI).

China’s activism for global digital governance

In recent years, China has focused on global digital governance. The number of Chinese officials in the secretariats of international standard-setting organizations has increased dramatically. China, meanwhile, has actively participated and even led in the negotiation of the Regional Comprehensive Economic Partnership (RCEP), which represents the first attempt to craft a data governance framework without the dominating presence of either the European Union (EU) or the United States. In signing the RCEP, includes a chapter on e-commerce, China has essentially departed from its longstanding hard stance on data sovereignty, making its first-ever commitment to binding prohibitions against the localization of data facilities and data.

Last year, China took further steps in this direction by filing applications for memberships in Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), both of which are known to have even higher standards in their data and digital trade provisions than the RCEP. China’s increasing enthusiasm in existing international standard-setting organizations and the mega-FTAs is part of its efforts to influence the shaping of global digital governance, as demonstrated by Beijing’s launch of the GDSI and its pursuit of the China-LAS DSCI and the C+C5 DSCI.

When China announced the GDSI in 2020, the initiative was more of a broad and vague consensus-building framework which lacked content. Gradually, however, China has started putting substance onto the concepts, with the C+C5 DSCI one of the very first efforts to do so. It thus has important implications for Beijing’s approach to global digital governance.

Third, China will beef up its efforts to set not only international standards and regulations in technology but also norms and ethical principles. Such efforts go beyond the details of the mechanisms it negotiates and are founded on governance ideology, which is more fundamental and critical to how the new technologies and digital economy should be regulated.

Fourth, data sovereignty or cyber sovereignty will still be a major feature of China’s approach in governing digital technologies, both domestically and internationally. Beijing, however, may seek to uphold and promote this principle more smartly and less noticeably. For instance, China is no longer insisting on imposing strict data localization requirements but is advocating the principle of storing data in the countries where the data are generated.

Fifth, at least in the short term, China is unlikely to let non-state actors set the tone for the negotiations over digital governance. Although the Chinese government has been encouraging non-state actors to contribute more to digital governance, they will remain in supporting roles.

Finally, since data security is a pillar of China’s national security, expecting Beijing to make significant changes in the short term in its approach to regulating data flows would not be realistic.

China’s entry into the game has already provoked countermeasures from the West, especially the US, further complicating landscape. In May, while on a trip to Japan, American President Joe Biden announced his administration’s long-awaited Indo-Pacific Economic Framework (IPEF). One of major goals of the IPEF is to build a global network of partners and allies to compete with China’s economic influence and power in the Asia Pacific and beyond.

The IPEF, which now includes the US and 13 other countries in the region, identifies the setting of standards for cross-border data transfers and data localization and addressing issues relating to the connected economy such as privacy, discriminatory and unethical use of artificial intelligence (AI) as one of the initiative’s four major pillars. (The other pillars are supply chains, climate, and taxation and corruption.) This seems designed as a direct response to Beijing’s efforts and its achievements so far in global data and digital governance. With the China-US geopolitical rivalry heating up, Washington’s steadfast advocacy for the free flow of data and its insistence on letting market forces direct data governance will only widen the gap between the two countries on this critical issue.