11 January 2023

Big Ideas From Recent Trends in China’s Data Governance

Nanda Min Htin

Data will define China. Ever since the State Council enshrined data as a factor of production alongside land, labor, capital, and technology in 2020, the importance of regulating digital information has only continued to grow. Three big ideas have emerged in recent years: First, how China intends to leverage data to drive its economy. Second, the nuances behind increasingly intense data protection enforcement and an accountability blind spot in favor of public bodies, including questions over the Cyberspace Administration of China’s mandate. Finally, the potential influence Chinese data governance ideals have on foreign governments that have become increasingly reliant on the former.

Leveraging Data as a Factor of Economic Production

China’s 14th Five-Year Plan for National Informatization (the 14th FYP), likely the world’s first industrial policy for the digital era, endeavors to “activate the factor value of data” to “shape a strong domestic market that is innovation-driven [and] high-quality.” This should be read together with top leader Xi Jinping’s directives on economic development, which espoused the need to “regulate amidst development and develop amidst regulation.” Accordingly, China’s digital economy will rely on data not as a raw resource to be exploited by the free market, but as a regulated commodity subject to close government oversight.

There is an underlying belief that data should be directed to economic agents who can maximize the productivity of data. For one, the proactive disclosure of government data for commercial/public use has been gaining traction. China revised its Open Government Information Regulations in 2019 to maximize “the role of government information in… the people’s production and… economic and social activities.”

At the provincial level, the Guangdong government has prohibited its offices from preventing the open utilization of public data and instituted the first-of-its-kind Chief Data Officer system to oversee such initiatives.

But data sharing is a challenging proposition for widespread practice. Data has been likened to a semi-public good – non-rivalrous in that multiple actors can “consume” data without affecting its stores, but excludable in that some parties, such as incumbent firms with large data reserves, would have limited incentives to share them with competitors.

State intervention could be a catalyst in the early stages. One notable effort toward commoditizing and sharing data was the establishment of the Shanghai Data Exchange (SDE) in November 2021. This quasi-government corporation positions itself as China’s largest platform for businesses to buy and sell data with one another.

Government influence similarly cannot be understated for private firms. Ant, which is enroute to becoming a People’s Bank of China-supervised financial holding company, has promised to share all its Huabei consumer credit data with the PBOC, notwithstanding that Ant’s billion-user database has been a “key competitive advantage for the company.”

Legal instruments are also important in providing clarity around the implications of data sharing. Whereas the SDE was wary of challenges surrounding the standardization of data formats and data protection compliance (among others), the Shanghai Data Regulation was passed to provide legal basis and clarity for the SDE’s operations. More fundamental regulations were released later – such as the draft National Information Security Technology Network Data Classification and Grading Requirements of September 2022 – to facilitate the standardization of data classification and grading rules across the industry.

Enforcement of Data Regulations: The Private/Public Disconnect

The 14th FYP recognizes that China’s private tech firms shall drive all aspects of national informatization, with the caveat that the ministries will “grasp promotion, development, supervision, management… with both hands – and both hands must be strong…” This expressly empowers the government to rein in the tech market, and by extension some of the most influential data handlers.

In February 2022, the Cyberspace Administration of China (CAC) released an enforcement guidance that reiterated its campaign against illegal internet activity, within which platform companies were mentioned around a dozen times. By July, the Didi case had broken records as the nation’s largest-ever data protection penalty, a total of $1 billion shared among the company, CEO, and president.

But there is a glaring omission in the CAC’s enforcement: Public bodies have not been held to the same standards for data protection as private ones. This is despite the presence of large-scale data breaches that government bodies have been guilty of. In July, more than 1 billion individuals’ personal information held by the Ministry of Public Security (MPS) in Shanghai was disclosed and put up for sale. A month later, Shanghai’s health QR code system was hacked and 48.5 million individuals’ personal information was put up for sale. However, no official explanations were given and discussions on local social media were taken down.

Ironically, the MPS is one of the authorities jointly responsible for data protection alongside the CAC – it would be interesting to see how such top regulators regulate themselves.

Amid such risks, government-controlled data remain ever-important. Shenzhen’s new AI Industry Promotion Regulations require the establishment of a public data system, while Xi has promised to double down on building a digital government. Therefore, the need to hold government bodies accountable for data handling has never been more pronounced.

That said, it is questionable whether the CAC is up for this task, not least because the very mandate of the administration is mysterious. The CAC has no clear designation regarding whether it is a state (administrative) or Communist Party entity, and how this affects its functions and accountability. Although the CAC has been assigned administrative functions by the State Council (e.g. investigating and penalizing Didi), it has been formally placed under the CCP Central Committee ever since China’s 2018 government reshuffle.

As a party entity, the CAC is exempt from administrative law and other agency-regulating rules. As an administrative entity, the CAC’s signature moves against Didi and mobile apps have occurred with unprecedented legal authority. It is no easy task to predict what it thinks about enforcement against its sister organs (e.g. the MPS) from the public sector, or if that even is a priority at all.

International Influence

“Building a community with a shared future in cyberspace” has been Xi’s overarching internet governance goal since 2015. In November 2022, the State Council published a white paper to propound “multilateral and multiparty participation and consultation” in global internet governance, and highlight China’s role in “in strengthening international cooperation in protecting critical information infrastructure and data security.”

Instead of unilaterally prescribing formal legal standards for other governments, China has made significant strides in building a shared “community” under a brand of collaboration via, for instance, the China-ASEAN Digital Cooperation Forum and the World Internet Conference (WIC). But beyond branding and outreach, a creeping “Beijing Effect” portends the growing global influence of Chinese data governance ideals.

The Beijing Effect is built upon the Brussels Effect, which posits that law – for example, the European Union’s General Data Protection Regulation (GDPR) – may have regulatory effects outside its jurisdiction of origin. Notwithstanding whether a GDPR-esque globalization of Chinese data protection laws would occur, the Beijing Effect is essentially different than the Brussels Effect because it is not about dispersing formal law. In particular, the Chinese version entails a confluence of broader extralegal factors such as the foreign governments’ demand for technological standard-setting and digital infrastructure.

First, Chinese actors play an increasingly important role in setting international standards for digital technology. The Made in China 2025 plan, which seeks to ensure the country’s self-reliance in advanced technology sectors, has seen companies like Huawei rallying the development of global 5G standards across major markets including Africa and Europe. China’s Global Data Security Initiative (GDSI), which seeks calls for governmental consensus on “standards and rules of the global digital field” including cross-border data transfers, data security etc., has been endorsed by ASEAN, the Arab League and several other countries.

Second, with China’s Digital Silk Road, Chinese companies provide digital infrastructures for host countries, thereby shaping the conditions under which those countries transition toward their own digital economies. Made in China 2025 proposes for China to command a 60-percent share in the global fiber optics market, also a crucial component of the China-Pakistan Economic Corridor, which is in turn the largest component of the Belt and Road Initiative (BRI). Since 2020, China has been supporting cloud developments in its BRI partner countries – for instance, Alibaba penned a deal with Saudi Arabia’s largest telecoms group to build the kingdom’s cloud infrastructure in that year.

The supply of digital infrastructure depends heavily on Chinese companies, which are effectively overseen by the party-state. State-owned enterprises dominate the majority of BRI projects. Thus, when it comes to the development of domestic legal frameworks to deal with concerns over data privacy in the fiber/cloud business or broader economic goals, Beijing’s directives would be implicitly transmitted via their foreign corporate representatives.

Conclusion

Data has already started to define China. Faced with China’s stagnating economy, Xi is betting on the data-driven economy for a new lease of life. Regardless of his domestic woes, China’s international influence as a director of foreign development cannot be discounted.

No comments: