China Power

Decoding China’s Approach to Data Security

Recent Features

China Power

Decoding China’s Approach to Data Security

With its restrictions on cross-border data movement, China is fracturing the global internet.

Decoding China’s Approach to Data Security
Credit: Pixabay

For centuries, an essential part of statecraft has been keeping sensitive information away from prying eyes. Though the type and quantity of information has changed as nations and their citizens enter the digital age, the desire to manage information remains. Starkly different visions for the regulation and flow of data are taking shape as the world shifts into the digital economy and grapples with governing data usage. Though the debate within and between countries is ongoing, no country is set to have a greater impact on data policy than China, home to the world’s largest number of netizens at 712 million.

Headline news on China’s activities in cyberspace have overshadowed much of the discussion on data policy. Cyber espionage, whether targeted at governments or for commercial gain, is a major issue on the U.S.-China bilateral agenda. While hacking is one aspect of concern, an equally important (and less discussed) area is China’s fracturing of the global internet, and how this behavior can damage safeguards to global information security.

Much of the conversation in China on data protection starts with an assumption that security is enhanced if consumer data is kept within a host country’s geographical borders. This approach, known as data localization or data residency, is part of an ongoing discussion around the world, including in the European Union. Analysis by the U.S.-China Business Council (USCBC) indicates that data residency restrictions in China date from at least 2004, when the China Insurance Regulatory Commission (CIRC) published measures mandating that insurance companies keep company data, financial data, and other kinds of “important data” — a term left undefined — within the Chinese mainland. The CIRC regulations were updated in 2011, and other regulations with similar data residency requirements have emerged in the banking and internet industries over the past few years.

Data localization is problematic for companies seeking to harness the power of “big data” — using large sets of data to identify trends to find new customers, tailor services to customer needs, prevent fraud, and prevent industrial accidents. Regulations mandating data localization force companies that would otherwise be able to quickly pioneer services in new markets to unnecessarily build additional servers and hire extra local talent, on top of systems and staff that already exist to serve a global market. While these regulations intend to increase the security of user data, the only result is increased costs for companies, with no corresponding increase in information safety.

The trend toward more restrictive data policies in China shows no sign of stopping. In recent years, not only have Chinese policymakers called for data localization, they are also writing laws that forbid this data from flowing overseas.

Like data localization requirements, restrictions on cross-border data flows have a negative impact on the global economy. Forcing data to remain in one place adds unnecessary costs or lead times for data processing, and is counter to the growing trend of centralizing global data to improve efficiency. Restricting data from flowing across borders in an increasingly integrated global economy prevents multinational companies from optimizing technology that maintains their international operations, provides services to international customers, and responds to security risks that could appear anywhere around the globe.

This approach diminishes what a global digital economy can offer to the world in terms of sharing ideas and innovative services, and unravels years of interconnectivity that has grown organically with the global order. It stifles the ability of global research and development (R&D) teams to collaborate on product development, curtails the deployment of global cloud solutions, and limits global monitoring teams from responding to local incidents. It also undermines security processes that require constant communication with devices in other markets – such as mechanisms that can quickly notify a credit card holder if an unexpected charge appears from another jurisdiction, indicating a potentially fraudulent transaction.

Unfortunately, Chinese policymakers continue to link geography and information security. This approach was included in China’s recent cybersecurity law, the country’s most sweeping legislation on information governance. The law mandates that operators of “critical information infrastructure (CII)” — a term that, while still undefined, has been linked to operators of public information and communications technology services, energy, transportation, finance, and other public services — ensure that all “personal and important data” collected in China remains within the country. The law also stresses that if this type of data must leave China’s shores for business purposes, it must first undergo a security audit. Unstated in the law is guidance on how such a security audit would function, what types of security qualifications would be required, or whether these audits would be required in every instance of data transmission. An approval process that interrupts or prevents the instantaneous flow of data would disrupt the framework the global digital economy. Because the types of operations that would qualify as CII is undefined, regulators could hold all industries to these regulatory requirements.

While the cybersecurity law is China’s broadest effort at information management, Chinese policymakers have also adopted sector-specific legislation. Formal restrictions on cross-border data flows are already in place in areas like financial services, healthcare, GPS monitoring, and cloud computing. Complicating the situation are informal or unwritten Chinese regulatory requirements to retain certain data within Chinese borders. Companies report receiving verbal instruction from regulators to store data locally, or being asked not to export certain data abroad, even though Chinese regulators cannot or have not explicitly cited corresponding policy mandating those restrictions. Such data may include Chinese consumer data. While no rules specifically  prohibit such data from leaving China, some companies have reported that recommended guidelines dissuaded them from moving consumer data outside of China’s shores or from moving data that might fall within the broad, but often unclear, scope of “state secrets.”

These disruptions can limit the services that companies can provide their customers and go beyond identity theft protection. For instance, international companies in the power industry can use data sent from international power plants they manage to respond to device failures or security breaches. However, Chinese regulations on network security mandate that all power plants must operate on independent networks, separate from global monitoring systems, and that data from these plants not leave the country. As a consequence, China’s regulations weaken companies’ ability to create more efficient, and ultimately safer, products.

Confusingly, this approach has emerged amongst a flurry of central and local policies that were designed to position China as an international leader for the use of big data. Some have estimated that the value of China’s big data market hit $16.57 billion in 2015, and in recent years provinces like Guizhou and large municipalities like Beijing, Shanghai, and Chongqing have peddled strategic action plans on harnessing data as a driver of economic growth. Speaking at the China Big Data Industry Summit in May 2016, Premier Li Keqiang specifically encouraged foreign companies to find local partners and help China achieve its big data ambitions. But how can innovation truly take place if China increasingly walls itself off from the global ICT ecosystem? And if China ultimately chooses the path of isolation, can it truly claim to be a global leader?

The irony in China’s handling of data issues is that the country faced a similar situation hundreds of years ago. In the early 16th century, the Ming court abruptly closed its borders after several decades of unprecedented international exchange, rejecting the knowledge that lay beyond its shores. This self-imposed isolation dislodged China from its position at the center of the world, at a time when European nations first began their global explorations. As the West began to learn and innovate, the balance of power shifted away from the East for the next several hundred years. It has been a long time since neo-Confucians held the ear of the emperor, but the dilemma is the same: if China’s 21st century policymakers want the Middle Kingdom to lead the digital frontier, they must recognize they cannot go it alone.

Nick Marro is a manager of business advisory services with the U.S.-China Business Council (USCBC), focusing on information and communications technology (ICT) and standards related policy issues in Beijing. This excerpt is part of a larger research project on China’s technology security environment, which includes a catalogue of all known data localization and cross border policies, and is available here.