Blocking the Flow: Data Legislation and the EU-US-China Triangle

Evolving distinct ‘moral economies of data’ (spaces in which different rules around data control exist) within the world’s largest economic units is accelerating fragmentation of systems that developed over decades of globalisation. Whether the US and EU can reconcile their divergent priorities in data governance will influence whether they can build the basis for a new transatlantic partnership. In turn this will clarify whether they will be able to together address challenges linked to rising Chinese power, or whether Europe will instead take its own path of ‘digital sovereignty’ and ‘strategic autonomy’.

Cross-border data transfers remain largely unregulated by the World Trade Organisation (WTO) framework, although WTO negotiations on e-commerce are in process. Other initiatives promoting international harmonisation of data regulation, including treatment of data management by several regional trade agreements and regional groupings, only address a limited range of issues and do not encompass all the world’s major economies. At the same time, international trade is increasingly based upon data transfers, given the rapid growth in digital services and the digital value-added component of manufactured goods.

This is especially true in China, which is central to much global manufacturing and committed to increasing the digitalisation of its entire economy and society. The extent to which China’s evolving data governance regime facilitates cross-border transfers and effective protection against the Chinese state’s access to privately held data has major consequences for foreign firms and consumers.

This regime reflects an ongoing contest within the Chinese state between the imperatives for control and security, and those of economic and developmental needs that require cross-border data exchanges. In a political system where all functions of law and administration are subject to the Communist Party’s domination, regulation inevitably gives state agencies extensive access to digital networks. However, it also increasingly constrains the bureaucracy’s handling of private data and provides public remedies for violations.

China’s draft data security and personal information protection laws impose limits of ‘lawfulness’ and ‘necessity’ on data handling by all state organs. But this is qualified by exceptions for ‘national security’ and imposition of ‘export controls’ on data. China’s cybersecurity law mandates that ‘critical information infrastructure operators’ generating ‘personal information’ or ‘important data’ need to store that data within China, with cross-border transfers of such data subject to ‘security assessment’. All these definitional terms remain works in progress.

Despite the Chinese state’s renewed emphasis on building economic and technological autarky in the face of ‘decoupling’ pressures from the US, its latest Five Year Plan commits to ‘establishing basic systems and standards for data rights and cross-border transactions’. Trials are underway nationwide, in pilot zones for innovative services trade, to develop dedicated channels for cross-border data flows with governance arrangements prioritising international transfer.

Europe’s data governance regime is also an expanding work in progress, which has given rise to significant challenges for transatlantic relations. The General Data Protection Regulation (GDPR) imposes strict requirements on any actor transferring personal data out of the EU, including in mixed datasets. In last year’s ‘Schrems II’ decision, the Court of Justice of the European Union (CJEU) invalidated the legal arrangement facilitating data transfers between the EU and US, finding that US law does not provide protections ‘essentially equivalent’ to those of the GDPR. It made clear that regulatory actors must assess whether a non-EU jurisdiction in fact provides adequate protection for European data transferred there, and not simply assume GDPR compliance. These assessments should consider whether ‘anything in the law and practice of the third country’ would impinge on GDPR protections and is ‘comparable to those… in a democratic society’.

In a context where US law was found wanting, it is doubtful whether China’s data governance regime, even with additional formal protections, would meet European standards if the issue is tested in European courts. Even the UK’s data governance legislation, which derives directly from the GDPR, will be regularly reviewed by the EU for compliance. European Commission officials have previously ruled out a GDPR ‘adequacy agreement’ for China.

Furthermore, the European Commission and EU member-state governments are seeking to build fences around data for economic security, guided by a perceived need to close the gap with US and Chinese data-based technology leaders. The Commission’s vision for the EU’s digitalised future aims for ‘data sovereignty’ and ‘global [technological] competitiveness’, requiring steps to ensure that benefits from data generated within the EU are captured by European firms rather than foreign ones. Initiatives such as cultivation of intra-EU data markets and of a European cloud computing ecosystem add to momentum for de facto data localisation within the ‘trusted’ boundaries of EU regulation.

Partnerships with non-EU jurisdictions to advance this vision should ‘promote alignment or convergence with EU regulatory norms and standards on issues such as data protection, privacy and data flows.’ Elements in the Commission’s proposals to expand regulation of the digital economy would likely obstruct data exchanges between the EU and China. For example, the requirement in the draft European Digital Services Act for internet platforms to provide users with effective means to challenge content moderation decisions seems incompatible with the unchecked censorship powers wielded by Chinese authorities, which they already appear to exercise over foreign users of Chinese platforms.

So even as China last year replaced the US as the EU’s biggest trading partner, the European Commission, powerful member-states and the CJEU have doubled down on a European ‘moral economy of data’, and on regulating access by external parties to the emerging European data ecosystem. Distrust of China’s political system, and abhorrence of repressive uses to which the Chinese state puts digital technologies, will likely outweigh Beijing’s introduction of ‘legal checks on government authority for ordinary operations.’ Pressure on European firms in China to transfer knowledge in high-technology sectors while their access to markets there continues shrinking will only further undermine the prospects of European decisionmakers taking a benign view of data transfers to China.

Firms on both sides will likely respond by localising operations in each jurisdiction to facilitate legal compliance, as many are already doing. It remains to be seen whether Beijing will respond to rising barriers on access to the EU’s data markets with coercive pressure or reciprocal measures. China’s draft data security law provides for reciprocal action against foreign measures that discriminate against Chinese interests in ‘trade related to data, data development and use’, and for extraterritorial jurisdiction over ‘data activities that harm the national security, public interest or lawful interests of Chinese citizens or organizations’.

Yet obstacles to EU-China integration do not by themselves provide a basis for a harmonised transatlantic position vis-à-vis Beijing in the future data-based global economy. This requires addressing the transatlantic divergence represented by Schrems II and expanding EU regulation of the digital economy that conflicts with US business interests, a challenge that might well require significant changes to US law in the face of European rigidity.

And despite worsening European political relations with Beijing, Washington must still contend with continuing growth in the EU’s economic and therefore digital connections with China. The Biden administration needs to devise an approach more calibrated than its predecessor’s quest to build a ‘fortress around our citizens’ data’ against a perceived unmitigated threat from China, finding a balance in cybersecurity and economic policy which can accommodate the apparent determination of powerful actors across Europe to continue treating China as both competitor and partner.

By John Lee, Senior Analyst, Mercator Institute for China Studies (MERICS)

Article category: Technology and R&D