Samm Sacks, a Senior Fellow at Yale Law School’s Paul Tsai China Center and cyber policy fellow at New America, a think tank based in Washington, DC, recently discussed the key pieces of Chinese legislation on cyber and data, as well as the current status of China's data governance.

Sacks' comments came in a preview of a course titled "China's Digital Governance and its Global Implications" on Policyware, which provides online public policy education.

Sacks began by making a general point that "oftentimes outsiders tend to view the Chinese political system strictly through the lens of national security," but in truth, "while national security and domestic state security is a priority for the leadership, the reality is there's a push and pull between economic development and growth objectives and national security objectives." Therefore, "it's really important to understand this effort to strike a balance between economic and security objectives."

On China's Cybersecurity Law, which is the centerpiece of China's data governance, Sacks said that it "laid out foundational concepts," such as personal information, important data, and critical information infrastructure operator, as well as cybersecurity review and security assessment for data outflows. "Despite the fact that it's now been over half a decade, we're still learning how regulators are interpreting some of these very broad and high level provisions and what they actually mean in practice for companies," she said.

When talking about the Personal Information Protection Law (PIPL) and the Data Security Law, both of which took effect in 2021, Sacks said that "in theory, the idea is any personal information will be treated as under one kind of regulatory track in the privacy law; and any information or data that's defined as vital to national security will have its own separate regulatory track under the Data Security Law." In practice, however, "the distinction between personal information and important data is much murkier and harder to define," Sacks added.

On PIPL, Sacks said that it "is essentially China's version of the European Union's General Data Protection Regulation or GDPR" as "a lot of it is cut and paste," and "you have key elements from GDPR [such as] data minimization, notice and consent, specific requirements for data handlers."

One unique aspect of the Chinese law is that "it creates the authority for the Chinese government to place any entity, any company, any organization on a blacklist that would be prohibited from handling any Chinese citizens' data," Sacks said, although "we haven't seen this blacklist actually implemented or enforced yet." Potentially, Beijing could use the list "as a way to retaliate against actions taken by the United States," but whether that will happen remains to be seen. There are also "restrictions for what so-called State organs are allowed to do when it comes to data held by companies," Sacks noted, meaning that "even the Chinese state itself may in theory be subject to restrictions and limitations in terms of what it is allowed to do with data held by companies." But she further raised the question of what this actually means in practice: "Could this actually be used to embolden those various state organs in terms of their authorities and data handling?"

On the Data Security Law, which "applies not to the personal information but data that is deemed important to national security or the state," the challenge is that "there's no clear definition of what exactly is important data and there's been enormous debate about that," Sacks underscored.

Sacks also noted that "since this law took effect in fall 2021, one of the main activities that companies operating in China have done is inventory how their data assets map onto this new data classification system" created by the law. "[T]he reality is the Chinese government is limited in terms of their ability to implement and enforce these restrictions [on data] on everyone," and as a result, "I think they're leaving a lot up to self-assessment of the companies, and that means that there still could be a lot of discretion," Sacks said.

Sacks also pointed out the blocking mechanism in the law, which allows the government to prevent "entities operating in China [from] sharing Chinese citizens' data with foreign law enforcement ... without the authority of specific approvals." Sacks explained the logic behind the provision: "[f]or years the Chinese leadership have looked at Europe and the United States, ... and the idea that other governments are able to exercise so-called 'long-arm jurisdiction', where they could compel entities operating in China to share Chinese citizens' data abroad." So "article 36 of the Data Security Law is a backstop to that."

Regarding outbound data flows, another key element of the law, Sacks said that "Cyberspace Administration of China ... is in the process of reviewing self-assessments that have been submitted by companies to receive approval for outbound transfers, and we'll be getting more information in the coming months about how the cyber regulators will make determinations about what kind of data can be sent out." But overall, she pointed out that "oftentimes we hear that all data has to be stored locally in China, none of it can be transferred out, and that's just not true. It's just not how the operating reality in China is." She further explained that "there's tremendous uncertainty for multinationals around what they exactly will be allowed to do in the future," and "many companies have made the decision on their own to be conservative, and try to store as much data on servers locally as possible in order to comply from a voluntary perspective." However, "there still is tremendous leeway, and gray zones around outbound data transfers, and that could be shifting, and it's an area to watch," she added.