For over a year, businesses in China have been struggling with a vexing roadblock: how to get data out of the country. Travel agencies have had difficulty sharing hotel bookings and visa information abroad. Foreign insurers haven’t been able to access health data to calculate premiums. Some multinationals’ HR departments have struggled to manage China-based staff. 

Now, Beijing has unveiled changes aimed at alleviating what has become one of the biggest gripes for foreign companies remaining in the country. The Cyberspace Administration of China (CAC), the top internet regulator, proposed late last month waiving onerous security assessments for most day-to-day business activity involving cross-border data transfers. 

It is a significant concession from the authorities, following months of tightening enforcement around privacy and data access. Some experts see the move not just as a signal that Beijing is listening to foreign businesses’ concerns, but also as a tacit acknowledgement of missteps in the way it’s executing its data controls. 

Security hawks in Beijing see cross-border data transfers as a national security risk. But for companies, the ability to transfer data internationally is critical to doing business. Businesses need to exchange information with their vendors and customers, while multinationals have to be able to communicate internally with their international offices. As a result, China’s data restrictions have become a primary accelerant of decoupling for foreign companies, forcing many to sever their Chinese IT infrastructure from their global networks — and in some cases, sever ties to their China offices altogether.

“Data is the lifeblood of the digital economy. The cross-border rules implemented by the CAC have not only added significant transaction costs but also introduced vast uncertainties for businesses,” says Angela Zhang, director of the Centre for Chinese Law at the University of Hong Kong. “Amidst an economic downturn, there’s mounting pressure on the Chinese leadership to stimulate growth and boost employment. As a result, the CAC has no choice but to make concessions to relax these rules.”

If implemented, the recent concessions will relax China’s control over data flows, which tightened in 2021 with the passing of a new Data Security Law (DSL). The law expanded the scope of earlier legislation prohibiting the export of so-called “important data” to encompass effectively all companies. But it left out critical definitions, creating substantial uncertainty for companies and regulators alike. 

What constitutes important data? What if two pieces of non-sensitive data put together are sensitive? …This process will be ongoing for a while.

Kendra Schaefer, head of tech policy research at consultancy Trivium China

“The bottom line is that what made the DSL difficult to implement was that its enforcement was implemented out of order,” says Kendra Schaefer, head of tech policy research at Trivium China, a consultancy. “A couple of key definitions of what constitutes important data haven’t been defined. Meanwhile, the penalties are massive, up to five percent of a firm’s previous year’s revenue. So companies were really worried about it.”

Bureaucratic gridlock has exacerbated the problem. Different government agencies have been tasked with defining what constitutes ‘important’ data for their respective jurisdictions, with the CAC responsible for collating that information for enforcement. But risk-averse agencies have been slow to work out and file their definitions, leaving companies that are awaiting security approvals to transfer data effectively in limbo. 

Sector-specific regulations have so far only been issued for smart vehicle manufacturers, prohibiting them from transferring data directly abroad. Stricter rules have prompted one self-driving startup, Plus, to sever ties between its U.S. and Chinese operations. For all other companies, the ad-hoc security assessment process has meant some firms have been asked to justify their data exports in granular detail, without clear guidance as to why certain data is more sensitive than others. 

“Key policy advisors have been very outspoken about the fact that state agencies don’t know how to identify important data,” says Schaefer. “What constitutes important data? What if two pieces of non-sensitive data put together are sensitive? We’ve got forty plus state agencies with conflicting definitions. This process will be ongoing for a while.”

Following China’s big political “Two Sessions” meetings in March, Beijing did set up a new National Data Administration to, in theory, assist with streamlining the regulatory process and resolving inter-agency disagreements. 

But progress on getting the new agency running has been slow. It has yet to get its own website, while its inaugural director, Liu Liehong, previously chief executive of state-owned telecommunications company China Unicom, was only appointed in July, with his deputy director named just last week. 

Some of the new provisions announced last month will immediately benefit companies across almost all industries: for example, any company exporting the data of less than a million people per year for standard business purposes no longer has to apply for data security assessments, an increase from 100,000 under earlier rules. That will come as a significant relief particularly for smaller companies, for whom the security assessments and associated legal costs could be especially onerous.

“We appreciate the CAC’s efforts to clarify and relax requirements on outbound data flows,” Craig Allen, president of the U.S.-China Business Council, wrote in an email to The Wire. “Enabling transparency and seeking industry input has also been a welcome step.”

But the relaxed regulations will provide little relief for companies which have already received security assessments. “If the authority has previously denied a firm’s request to transfer data overseas, that decision would remain unchanged even when the new rules take effect,” says HKU’s Zhang. 

The immediate reprieve also doesn’t reverse the long term trend of tightening restrictions on data exports. “Over time, the definition of important data is still going to be tightened as each agency starts releasing its own definitions,” says Schaefer. “The thing is, that could take years.”

That makes it unlikely that the recent measures will encourage foreign businesses to reverse course on decoupling their Chinese operations from the rest of the world. Many multinationals have already begun splitting their Chinese IT systems from their global networks. In a survey this spring of over 400 multinationals by the EU Chamber of Commerce in China, almost three-quarters of respondents said they had localized their data and IT systems to some degree. 

Others have gone further and hived off their China businesses altogether. Dentons, the world’s largest law firm by employees, cited Beijing’s cybersecurity and data protection mandates in explaining its decision in August to split from its China branch.

Providers can provide high level metrics on how the compute is being used. These metrics, combined with others like user location, can be used to raise red flags.

Tim Fist, a fellow at the Center for a New American Security (CNAS)

Adding further complexity to the situation is the fact that while Beijing pursues regulations to keep Chinese data inside its borders, policymakers in the U.S. are mulling policies that would keep some Chinese data out. For security hawks in Washington, the concern has to do with China’s potential use of U.S. computing resources to develop artificial intelligence (AI). 

As the U.S. tightens its controls on the sale of powerful AI chips to China, experts predict that the growing gap in computing power between China and the West will eventually force Chinese companies to rely on resources overseas, such as cloud computing providers which rent out powerful servers for customers to store and crunch their data.

Right now, U.S. cloud computing companies such as Amazon Web Services (AWS) and Microsoft Azure control over three quarters of the market. That means that a Chinese tech company like Baidu may one day have to rely on a provider like AWS to do its AI processing. 

Some U.S. policymakers have argued that the Biden administration should ban Chinese companies from using U.S. cloud resources to ensure that American companies aren’t aiding China’s AI development — which in turn, they say, could aid its military. 

Proponents of giving China access meanwhile argue that hosting Chinese data on U.S. servers provides strategic advantages too. Tim Fist, a fellow at the Center for a New American Security (CNAS), says that doing so could help the U.S. monitor Chinese activity.  

“In the case of cloud computing, the control remains in the hands of the cloud provider,” he says. “Providers can provide high level metrics on how the compute is being used. These metrics, combined with others like user location, can be used to raise red flags.” 

When the Commerce Department announced this week its updated export controls that further tightened China’s access to AI chips, it made no mention of cutting off China’s access to overseas cloud computing. 

For China, of course, relying on U.S. cloud computing would run the risk of making proprietary Chinese data vulnerable to spying and surveillance. Still, if the gap in computing capability between China and the rest of the world grows, Chinese firms may eventually find they have no choice. Put another way, for China to keep up technologically, its regulators may have to learn to concede control.

---