In past years, China has made tremendous progress in shaping its data governance framework. In 2016, China enacted the Cybersecurity Law (CSL), the first national-level law to address data privacy protection. Building on the CSL, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) came into effect at the end of 2021. DSL pays great attention to data collected and stored in China based on their potential impact on national security. The PIPL, meanwhile, reiterates the role of national cyberspace authorities in regulating cross-border data transfers – security assessments and certification by national cyberspace authorities and other designated institutions. With the CSL, DSL and PIPL, China aims to fight against any data hegemony, particularly if claimed by the US, and is intent on safeguarding its cyber sovereignty.
India takes a similar stance. To fight against “data colonialism” – when big techs use digital infrastructure to spy on users, process their data and thus violate the data ownership rights of citizens, India puts even more restrictions on cross-border data transfers. The government of India has been actively advocating for safeguarding data sovereignty, that data generated locally, especially critical and sensitive information, should be stored locally. For example, all data related to payment systems must only be stored on servers in India. The proposed National E-Commerce Policy and Personal Data Protection Bills are expected to introduce more requirements for data localization. As the only country which has proposed a protection law for all kinds of data, not only personal data but also non-personal data, the Indian government hopes to maintain sovereignty over all the data that Indians generate. Although the Indian government has faced intense lobbying by tech giants to ease its data rules, Delhi has reaffirmed its approach of imposing data localization requirements, promising not to compromise India’s data sovereignty.
A global data governance framework?
In mapping the three groups of countries on a spectrum of levels of restriction on cross-border data transfers, market-oriented countries and national-security- and sovereignty-oriented countries sit on the two opposite extremes. Market-oriented countries prefer no restrictions, while national-security- and sovereignty-oriented countries set up many hurdles for cross-border data transfers. Sitting in the middle are the human-rights-oriented countries. To enable the free flow of data, as promoted in DFFT, it is necessary to build trust among the countries of all three categories. Trust has to be built first and foremost to allay all the major concerns about data. Only when those concerns can be properly addressed and key interests are protected will there be genuine free flow of data.
But building a global data governance architecture that bridges the divisions among the three groups will not be easy. For market-oriented countries, “trust” means removing all the barriers impeding the free flow of data. Furthermore, following and respecting the logic of market, these countries believe that governments should leave cross-border data governance to the private sector. This is the thinking behind the Cross-Border Privacy Rules (CBPR) proposed by the US within the Asia-Pacific Economic Cooperation (APEC) forum. The CPBR framework would be backed by governments but would rely on self-assessment by organizations.
For both human-rights-oriented countries and national-security- and sovereignty-oriented countries, governments should play a significant role in data governance. They also agree that there should be some requirements that need to be fulfilled before the data is allowed to cross borders. The two groups can find common ground. Based on such a consensus, the EU, India and eight other countries signed the March 2022 joint declaration noted earlier that calls for international cooperation on data protection and cross-border data transfers. But it is not yet clear to what extent such assertions of intentions to cooperate can be translated into concrete action.
Coordinating regulatory frameworks between the market-oriented group and the countries focused mainly on human rights and on national security and sovereignty will be more difficult. In criticizing China as a model of “digital authoritarianism”, the US is trying to ban Chinese companies such as TikTok, WeChat, ZTE and Huawei from the US market. Given the increasing geopolitical tensions and that countries are unlikely to compromise on national security and sovereignty, it will be very difficult for China and the US to formulate a cooperative framework on data in the foreseeable future. What is more, the continuing tug-of-war between the EU and the US on transatlantic data transfers despite a preliminary agreement, probably indicates that until market-oriented countries change their perspectives on data and data governance, cooperation on data transfers between them and human-rights-oriented countries may not be sustainable or even possible.
Although major economies have agreed on the concept of DFFT, namely that trust is an enabler for cross-border data transfers, this does not mean that the future of global cooperation on cross-border data transfers is promising. “Trust” means different things for different countries because their major concerns over data vary. A worldwide data governance architecture will take a long time to build.