A war that cannot be lost: The great power game behind data security legislation
One morning in May 2018, a man went for a leisurely jog. He started from the parking lot, passed through the forest, and stopped in front of a white bungalow at the other end. The black Polar wearable on his wrist recorded his running speed, his route, and the calories he burned.
The man was a senior official at a U.S. nuclear weapons base. Over a few hours of exercise, he had unwittingly "surveyed" a secret military base with his feet. In the Polar app, his name, photo, route and other details were all plainly recorded by the software, with his consent.
An open-source investigative organization then examined the fitness data of more than 6,000 Polar users going back to 2014 and reconstructed the coordinates of more than 200 "confidential areas", including 48 nuclear weapons storage sites, 18 intelligence agencies, 6 drone bases, 2 nuclear power plants and 2 royal residences.
In the end, the app was banned by several organizations and forced to shut down location sharing. This was the "fitness app scandal" that shocked the world in 2018.
If even an unassuming piece of software can touch a secret of this importance, the data collected by other kinds of applications has struck the most sensitive nerves of many countries. A game of cross-border data supervision, centered on data that bears on national security and economic interests, has already begun around the world:
Relying on its leading Internet strength and holding to the principle of "whoever mines the data uses it", the United States enacted the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) in 2018, which shifted data jurisdiction from the "territorial principle" to a "data control" principle: as long as an American company has actual control or jurisdiction over user data, regardless of where the users are, the company is obliged to preserve, back up and even disclose that data to the US government as the regulations require.
After the Snowden revelations, the European Union, dissatisfied with repeated violations of citizens' privacy by multinationals such as Facebook and Google, enacted in 2018 the "strictest data protection law in history", the General Data Protection Regulation (GDPR), which makes personal data protection the top priority.
Even more radical than the EU are India and Russia, which have launched a "data localization movement" and have passed legislation to erect high walls since 2015 to strictly restrict cross-border data transmission.
Compared with the legislation of these countries, China's actions were not early: on June 10, 2021, the "Data Security Law", three years in the making, was voted through and took effect on September 1; on August 20, the "Personal Information Protection Law" was promulgated and will take effect on November 1.
Together with the Cybersecurity Law, in force since June 2017, the three laws that make up the "troika" of data protection are now all in place, forming a legal framework for cyberspace governance and data protection. For the first time, China has systematic rules for cross-border data supervision.
What changes will the three laws bring to China's cross-border data supervision? And how can China gain the initiative in the global competition for data resources?
1. Data competition: an unfair battlefield
There is still a sword called "national security" hanging over TikTok's head, which may fall at any time.
Three months ago, Biden signed an executive order lifting the transaction ban on TikTok, WeChat and eight other apps.
But at the same time, the US government has a back-up plan. A new executive order was issued, authorizing a broad review of applications outside the United States to determine whether they pose a threat to US security.
As expected, the new executive order specifically highlights China as one of the main adversaries that poses an "unacceptable" risk to the United States.
Under the United States' Foreign Investment Risk Review Modernization Act of 2018, any investment transaction involving the maintenance or collection of sensitive personal data of U.S. citizens must be investigated by the Committee on Foreign Investment in the United States (CFIUS). This is the legal basis for Biden's new executive order.
However, the executive order did not specify what "unacceptable" risks China poses to the United States, nor did it explain what the investigation covers. Anyone with a discerning eye can see that the United States is using security as a pretext to suppress the development of foreign companies.
This tactic has been tried and tested during the Trump era.
There is a special provision in the International Emergency Economic Powers Act enacted by the United States in 1977. Once the president believes that national interests are harmed, he has the right to declare a "state of emergency" and use this act to impose sanctions on specific countries, organizations and individuals.
This became Trump's weapon against foreign companies. Citing the International Emergency Economic Powers Act, he signed two executive orders: one prohibiting any person or company under U.S. jurisdiction from doing business with TikTok's parent company ByteDance, the other prohibiting any transactions with Tencent related to WeChat.
Under heavy pressure, TikTok signed an "unequal treaty" with Oracle, giving Oracle access to TikTok's source code and to the complete code of every update. In other words, TikTok's global business system left a "back door" open for Oracle.
The International Emergency Economic Powers Act is not the only weapon. In the pocket of "national security", the United States has a basket of executive orders to strictly guard against Chinese companies.
The "Clean Network Project" is one of them. The United States has wooed various countries to form the "Clean Network Alliance" to fight the so-called "Chinese threat" in five areas, including operators, applications, app stores, cloud and cables.
The Entity List is another typical example. In 2019, DJI was added to the list, its "crime" being "providing data on major U.S. infrastructure and law enforcement agencies to the Chinese government." After Biden took office, another 59 companies were sanctioned on the pretext of "engaging in surveillance outside China."
Behind the extreme pressure and sanctions, the United States' "hegemonic" intentions are plain. Shen Yi, a professor in the Department of International Politics at Fudan University's School of International Relations and Public Affairs, proposed a very apt term for it: "digital hegemony".
"In the third technological revolution after World War II, the United States has a global monopoly in resource allocation, technical standards, content generation, etc. Its dominance over network resource allocation and key links in the industrial chain constitutes the foundation of the United States' digital hegemony," said Shen Yi.
Compared with China, Europe has suffered far more under this "digital hegemony".
In 2015, a shocking conversation took place in a European court:
The judge asked in court: "If I am worried that my data will be held by US authorities, what advice can you give?"
The European Commission lawyer replied: "If I had a Facebook account, I might consider closing it."
The facade was torn away by Austrian student Schrems. He emailed Facebook asking it to hand over his information. After several months of back and forth, he received a PDF of more than 1,200 pages containing a large amount of personal information that he had deleted over the previous three years and that Facebook should never have held.
The truth came out: the Safe Harbor Agreement, which for 15 years had allowed Europe and the United States to transfer data "legally", was declared invalid because it could not adequately protect the data of European citizens.
The basis for invalidating the Safe Harbor Agreement was the Patriot Act, enacted by the United States as early as 2001.
Under the Patriot Act, service providers must hand over any data stored in the United States to the FBI for monitoring, whether or not the data belongs to Americans. In other words, since a large number of European citizens use Facebook and their data is stored in the US cloud, the FBI has the right to monitor it. This violated the data protection clause of the Safe Harbor Agreement and rendered it a dead letter.
More ironic still, in 2018 the United States passed the Clarifying Lawful Overseas Use of Data Act, which extended the FBI's reach from "data stored in the United States" to "data held by service providers in the United States." In other words, even if user data is stored in another country, as long as the service provider is an American company such as Microsoft or Facebook, the company is obliged to hand that data over to the United States.
As a result, the Privacy Shield Agreement, the data transfer agreement Europe and the United States signed afterwards, was ruled invalid in its turn.
In the global competition for data resources, the United States has repeatedly used "legal weapons" to tilt the playing field. A battle to defend data sovereignty is imminent.
2. The "troika" launches a data security counterattack
Before the "Data Security Law" and the "Personal Information Protection Law", China relied largely on industry-by-industry "guerrilla warfare" to protect data security.
Regulatory documents scattered across various industries carried the rules on cross-border data transfer. For example, the Regulations on Computer Information System Security Protection issued in 2005 made detailed provisions on computer system security and the filing of international network connections; the Regulations on the Administration of the Credit Reporting Industry of 2013 strictly controlled the provision of data overseas by credit reporting agencies.
According to Ma Qingquan, a lawyer from Wenkang-Junyicheng Lawyers Alliance, these industry regulations are formulated by the Ministry of Industry and Information Technology and other departments, and they are "testing the waters". "When the conditions for legislation are not yet mature, we first test the waters through the regulations and management methods, discover problems and get feedback in the process, and provide support for subsequent legislation."
The Cybersecurity Law was the first statute to regulate network information, after years of trial use of regulatory documents such as the Computer Information System Security Protection Regulations. Apple was the first overseas company to be regulated after the law was introduced.
Apple fans may still remember this email: "Starting from February 28, 2018, the iCloud service associated with your Apple ID will be operated by 'Guizhou on the Cloud'..."
This was Apple's notification that it was establishing an iCloud data center in China. It was sent in July 2017, just one month after the promulgation of the "Cybersecurity Law of the People's Republic of China".
From then on, the keys used to operate iCloud accounts would no longer be stored in the United States, and Chinese regulators would no longer need to apply through U.S. courts to access users' iCloud accounts.
According to the regulations, in cases where national security may be affected, the procurement of network products and services by "critical information infrastructure operators" must undergo national security review. At the same time, important data collected and generated in China should be stored within the country.
However, the Cybersecurity Law does not clearly define what constitutes a "critical information infrastructure operator." Apple is more like a typical case that regulators caught when the law was first introduced.
"After the promulgation of the latest two laws, the 'troika' has formed a more complete regulatory framework for cross-border data supervision. In the future, incidents such as Apple's will have clearer legal tools, and the previously vague areas have become clearer." Ma Qingquan told "Jia Zi Guang Nian".
For example, the Data Security Law explicitly brings "important data" and its processors within the scope of supervision. For important data, the relevant departments will issue specific catalogs and implement classified and graded protection. Under this "top-down" system, data supervision has clear standards to follow and no longer depends on making an example of a "typical case".
The automotive industry has already responded to such changes.
In August this year, with accidents involving assisted driving occurring frequently and disputes over access to driving data continuing, the Ministry of Industry and Information Technology issued the "Several Provisions on Automobile Data Security Management (Trial)" (hereinafter the "Provisions"), under which violations are punished in accordance with the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China" and other laws.
The "Provisions" stand to the "troika" as a subset to its superset: they refine the relevant rules of the "troika" for the automotive industry. In line with the Provisions, Tesla announced the construction of a data center in China, and the types, circumstances, purposes and storage locations of the personal information it collects in China are strictly reviewed by Chinese departments.
Beyond tighter "entry" supervision of overseas companies, under the new legal framework the "outbound" transfer of data by local companies will also face stricter review.
The Didi incident is a strong omen. Two months ago, after all the "Didi Enterprise Edition" related apps were removed from the shelves by the Cyberspace Administration of China, the Cyberspace Administration of China, together with six other departments, entered Didi Chuxing Technology Co., Ltd. to conduct a network security review.
Huang Kai, a partner at Beijing Tongshang Law Firm, told Jia Zi Guang Nian that shortly after the Didi incident broke out, the Cyberspace Administration of China issued the "Cybersecurity Review Measures (Draft for Comments on the Revised Draft)", which not only made revisions to the issue of overseas listings, but also supplemented the content related to data security review under the "Data Security Law". This part of the content is more targeted at reviews based on data security.
It will be more difficult for local Internet companies with a large amount of sensitive data to go public in the United States. "If Internet companies want to go public in the United States in the future, the data must be strictly reviewed and approved by my country's Internet Information Office," Ma Qingquan told Jia Zi Guang Nian.
The basis for this judgment is that the SEC requires companies listed in the United States to provide complete audit working papers, which China's new regulations do not allow. The regulatory conflict between China and the United States has narrowed the practical room for companies.
The changes brought by the law not only give regulators a powerful lever but also provide notable counter-measure clauses.
The "Data Security Law" and the "Personal Information Protection Law" contain similar language: if any country or region adopts discriminatory prohibitions, restrictions or similar measures against China in terms of data utilization and development, personal information protection and so on, China may take reciprocal measures according to the actual circumstances.
"This means that if US companies impose sanctions on Chinese Internet companies such as TikTok, my country can also put US Internet companies operating in the country on the 'blacklist' if the Cyberspace Administration of China believes that they have violated the privacy of domestic users," Ma Qingquan told "Jia Zi Guang Nian".
3. "Too thick" or "too thin"?
Before examining China's legal framework, let us first look at the legal blueprint for data protection that many countries have drawn on, and at the controversies the EU's GDPR has faced after more than three years in force.
First, there is favoritism in enforcement.
If you pay attention to the records of GDPR fines, it is not difficult to find that most of the people on the list are "old faces" such as Google, Microsoft, Facebook, and Amazon - "Google's $57 million fine", "Facebook's $270 million fine", "Amazon's $887 million fine"... According to statistics, in 2019, Google accounted for 90% of the total GDPR fines.
Apart from these Internet giants, other companies are rarely punished, and when they are fined, the amounts are very small. Yet compared with the giants, most European and American Internet companies have no "risk compliance" department for cross-border transactions. It is not hard to infer that the data processing of the companies spared from fines does not all meet GDPR standards.
As a result, the GDPR's promise of "uniform rules and uniform enforcement" has been criticized as a mere formality, and EU enforcement has been criticized for lacking uniform standards.
This stems from the difficulty of enforcement. According to EU statistics, in the first year after GDPR took effect, regulators received and handled 270,000 administrative cases. A German report pointed out that the data protection authorities were on the verge of being overwhelmed, and that the sheer volume of cases seriously hindered normal operations. It is therefore difficult to handle every case in detail.
In other words, although the law sets clear standards, actual enforcement is another matter. Out of cost-benefit considerations, governments in practice "enforce the law selectively."
Striking this balance is a great test of the government's judgment. If the law is used only to "kill the chicken to scare the monkey", its authority is damaged; Google and Amazon, for example, have appealed many times and voiced "dissatisfaction" with EU fines, which in turn raises the cost of enforcement. If enforcement emphasizes fairness too strongly, a large number of small and medium-sized enterprises will take a heavy blow, since a single EU fine may push such a company to the brink of bankruptcy.
China will inevitably face the same problem. The Data Security Law and the Personal Information Protection Law set unified rules for fines for cross-border data violations. How to calibrate enforcement between "big companies" and "small companies" will be a severe test in the actual implementation of the law.
The greater difficulty comes from the trade-off between "development" and "regulation", which is also a proposition that all laws cannot escape.
A report by the American Innovation Center argued that GDPR interferes excessively with cooperation between cloud service providers such as Microsoft and EU companies, putting the EU at a disadvantage in the development and use of AI. Not only are American AI companies unable to show their strengths, but local EU companies also find it hard to develop AI technology under strict supervision.
From May 2018 to August 2019, advertising demand on European platforms fell by 25% to 40%. Many US companies stopped all programmatic advertising on European websites, dealing a heavy blow to the growth of many EU companies.
This issue deserves vigilance in China too. In software, many foreign companies still hold important market positions. How to make them play the role of the "catfish" that spurs local companies to develop through moderate competition is crucial to the law's role as a "yardstick".
Of course, as newly promulgated laws, the Data Security Law and the Personal Information Protection Law themselves contain many details still to be explored and improved. In short, there are two kinds of problems: "too rough" and "too detailed".
The controversy over "too detailed" comes mainly from personal information protection.
For example, under China's legal framework, personal information processors, whether domestic or foreign, must inform the individual concerned before processing his or her information, disclosing the processor's name, contact information, purpose of processing, retention period and other details. By contrast, the EU's GDPR, the most stringent data protection law, only requires disclosure of the type of information recipient.
This causes problems in practice. In targeted advertising, a single piece of personal information typically passes, within milliseconds, through multiple parties such as the app, third-party data providers, advertisers and ad-processing software. If each of these had to be disclosed in detail in advance, big data technology might become unusable.
The controversy over "too rough" stems from the fact that matters such as the division of powers and responsibilities have not yet been clarified, for example the punishment for illegal data processing.
If personal information is handled in violation of the regulations or a serious leak occurs, the information processor will be fined, suspended for rectification, or have its license revoked. However, the law does not clearly specify which departments are responsible for enforcement.
"A lack of clarity about the law enforcement departments will cause various problems. If the matter benefits multiple departments, then these departments may handle it at the same time, causing redundancy; and if the incident is very complicated, no department may be willing to take the lead." Ma Qingquan told "Jia Zi Guang Nian".
Legislation usually proceeds from the abstract to the concrete, from the general to the specific. At present, the greater significance of the "troika" lies in building a comprehensive data supervision framework. It is like a big tree: the "troika" forms the trunk, and more industry-specific regulations will need to follow as the "branches" that fill in the legal details.
4. State, enterprise and individual: where is the balance point among the three?
Viewed from classical economics, and stepping back from the cumbersome legal rules to a more macro perspective, the law is nothing more than a balancer of the interests of all parties. Its ultimate goal is to balance social benefits against costs and to maximize the efficiency of resource allocation.
Specifically in the context of cross-border data, relevant laws are the result of a balance of interests between three parties: national security interests, business interests, and personal privacy protection interests.
The United States' choice is that national security and corporate interests come before the interests of personal privacy protection.
Among the top 30 global Internet companies by market value in 2020, the United States holds 18 seats, with Apple, Microsoft, Amazon and Google occupying the top four.
According to the concept proposed by the sociologists Couldry and Mejias, a society has three types of companies that build information infrastructure and are able to "translate" social and economic behavior into numbers and information: hardware manufacturers in the mobile communications industry, Internet platform operators, and operators specializing in data services.
Globally, it is not hard to see that all three types are dominated by the United States. In hardware there are Apple and Microsoft; among Internet platforms, Facebook and Twitter; among data operators, Oracle and others, each holding a commanding share of its market.
Backed by its strong information power, the United States' primary interest is to consolidate its digital hegemony and use that power to dominate the global industrial chain.
Correspondingly, as the "weaker" party, the EU's interests clearly lean towards personal privacy protection. The GDPR's data protection is stricter than almost any other law in the world.
Europe has 500 million consumers and is one of the world's largest Internet markets, yet it has "failed miserably" in Internet competition: among the top 30 Internet companies in the world by market value in 2020, only 4 are European; and according to 2019 statistics on the distribution of cloud services from the European Policy Research Center, 94% of the data in Western countries is stored on servers of American companies.
Faced with the United States' all-round "penetration", from hardware to software and from data to algorithms, Europe's emphasis on personal privacy is to some extent a matter of necessity.
According to Professor Shen Yi, GDPR's weighing of interests has two considerations: one is to restrain international giants such as Google, Facebook, and Twitter, "without feeling sorry for hitting other people's children"; the other is to protect the development of local digital industries.
Back to China: with growing friction in Sino-US relations, balancing national, corporate and personal interests will test the wisdom and ability of regulators more than ever.
The balance of interests is gradually shifting. Over the past 20 years, China's Internet industry has grown rapidly and produced a number of world-leading companies. Giants such as Alibaba, Tencent, ByteDance and JD.com sit near the top of the global Internet company market value rankings.
At the same time, incidents such as Didi's listing in the United States, consumers being price-discriminated by big data, users' facial data being sold, and food delivery riders being driven by algorithms have occurred one after another, repeatedly touching the bottom line of privacy protection and creating a major opening for a leap forward in China's data governance.
The growing demand for personal privacy protection is the current state of domestic development. On the other hand, when facing external forces, national security comes above all else.
China is luckier than Europe in that it has far stronger accumulated strength in hardware infrastructure, Internet platforms and data operators.
The Digital China Development Report (2020) shows that in 2020, China's digital economy ranked second in the world, and the value added of core digital economy industries accounted for 7.8% of GDP. In 5G, artificial intelligence, high-performance computing, quantum computing and other fields, China has become the world's largest source of patent applications, ranking 14th in the "Global Innovation Index".
However, endogenous development also requires appropriate "defensive" measures.
India is the best "negative example". A former CEO of the Indian software company Infosys once said, "Chinese companies cannot enter the United States, and some American companies are banned by various laws and regulations in China. In the end, they all come to India."
The consequence of letting foreign companies in freely is that India's local digital industry has always struggled to develop. Since 2016, Indian netizens have launched wave after wave of "save the Internet" campaigns, and Indian entrepreneurs have joined the "Indiatech" organization to resist companies such as Facebook. Under pressure, the Indian government revised many laws in e-commerce and finance and issued bans on giants such as Amazon, which calmed the anger of local interest groups.
"It is hard to imagine whether there would still be room for the development of Chinese Internet companies if we had allowed companies like Facebook and Twitter to enter," said Ma Qingquan.
In 2017, The Economist wrote in its cover article that data will replace oil and become the most important resource in the new era.
Looking back at the "oil age" of the past 100 years, wars broke out one after another over oil, the world's most important energy source, and the world's political order and economic structure were built on it.
Data, the "oil of the new era", will likewise become the most valuable resource that countries compete for, and may once again determine the world's economic landscape and even its political order.
The battle for data resources, with law as its tool and the strength of the digital industry as its guarantee, is under way, and China has already entered the game.
This article is reproduced from Jiazi Guangnian, author: Amelie