What I Learned at Alibaba's Data Protection Summit
Yesterday on Capitol Hill the Senate held another hearing on consumer data privacy. Amid ongoing debate in the United States over U.S. privacy legislation, I recently traveled to Hangzhou for a summit hosted by the Alibaba Data Security Institute with the key players shaping China’s fledgling data protection system. Conversations over tea about the relationship between national security and privacy, data mining by service providers, and what is even possible in China’s system went late into the night.
While the contours of these discussions looked quite different from yesterday’s hearing in Washington and the Senate testimony just two weeks ago by executives from Google, Apple, and others on data privacy, there are important parallels as China grapples with its own data policy challenges. And as the debate in the United States unfolds, Chinese policymakers are taking note of what this could mean for China. The two systems are emerging in ways that reference each other.
Below I discuss my main takeaways from the Hangzhou event (along with other conversations in Beijing and Shanghai that same week): mounting pressure on Chinese tech companies from Beijing over how they handle personal data; the relationship between Chinese tech companies and the government when it comes to spreading the so-called “Chinese-led” internet globally; and how debate over data governance in China and the United States is not occurring in a vacuum, but informs the other’s policies.
Chinese tech companies face mounting pressure from Beijing over how they handle personal data.
The year 2018 has seen a proliferation of rules by the Chinese government focused on data protection. For detailed analysis of China’s data protection regime, what data privacy means in China, and comparisons with Europe’s General Data Protection Regulation (GDPR), please see my earlier commentaries here, here, and here. (These include exchanges with the lead drafter of China’s first data privacy standard, who was one of the hosts in Hangzhou.)
Although the government is still in early stages of developing these policies, there are already reports that Chinese authorities are arresting employees of companies for illegally collecting and selling Chinese user data as part of elaborate data broker supply chains.
But there is still much debate about what exactly data ownership means, and how to balance national security with privacy as well as the commercial ambitions of Chinese private companies in data-intensive industries. So far, the way this is all playing out shows there is still a lot of disagreement and uncertainty.
Take for example the recent spat with Chinese ride-sharing company, Didi, with regulators over real-time access to its data.
After the murder of two of its passengers, Didi resisted turning over data to law enforcement authorities doing the investigation, citing privacy as a justification. In Wenzhou, where the second passenger was killed, Didi finally turned over data to inspectors after a third request by local enforcement (after two rejections). Initially when Chinese law enforcement made the request, Didi responded by turning over three boxes of data printed on paper, including 95 hard copies for authorities to review.
The issue turned out to be bigger than just this one investigation because Didi had not been in compliance with a requirement to connect its online service database (user, driver, vehicle, route data, etc.) with a government supervisory platform, flying in the face of government rules. Didi is now in the midst of a “rectification” process with the government to comply with real-time data access rules, but the process is far from complete with much controversy. One scholar pointed out that real-time data access violated consent requirements in China’s cybersecurity law.
What does this all tell us? First, the difficulty the police faced in getting data from Didi indicates that government access to data in China is not the free-for-all that many outside of China assume it to be. The fact that Didi finally responded to the police by handing over its data printed out on paper in non-standard, essentially unusable form also shows a lack of sophistication in the mechanisms for data sharing between companies and the government. This shows a very different picture from what is often portrayed as a country using technology to build the most advanced surveillance system in the world.
Second, there appears to be a kind of tug of war between the government and companies over data: on the one hand the government is making arrests at companies for failing to secure consent and illegal data transfers, while simultaneously pushing companies like Didi for greater access to their data. It would not be the first time that competing interests within the Chinese bureaucracy manifest this way. But the trend also suggests there may be less space for maneuver over what the government can access for national security reasons, with more of the debate focused on how to balance data mining by Chinese companies with protecting user data (e.g., from fraud and misappropriation).
Third, Chinese private tech companies are so-called “tizhiwai,” or outside of the government system, even as they play an important role as exemplars of President Xi Jinping’s vision for making China a “science and technology superpower.” Didi’s spat with the police is not the first instance where companies are lobbying the government to shape new rules over data in ways that will be more favorable to doing business (see section below). The push-pull relationship between some of these tech companies and the government was made clear recently in a volley of articles culminating in a piece called “Going into exile in ancestors’ land,” in which the author (from a digital finance platform) argued that China’s private sector faced unfair treatment and difficulty compared with state-owned enterprises.
As Chinese companies go global, are they spreading the so-called ‘China-led internet’ model or helping to put a check on it?
Former Google CEO Eric Schmidt recently predicted that the internet will bifurcate into two distinct internets: a U.S.-led and a Chinese-led internet. As I argued in an earlier article in The Atlantic, China’s cyber policies are steadily proliferating around the world in the first challenge to the open, free internet. One of the key features of the so-called China-led internet model is data localization coupled with greater access to data by local authorities.
So what is the role of Chinese tech companies in propagating Beijing’s version of the internet and the Chinese Communist Party’s policy priorities?
The answer appears mixed and warrants deeper research. A few anecdotal illustrations show that it may not be as clear-cut as some might think.
In some cases, Chinese tech companies appear to put a check on Beijing’s vision for the internet as they push beyond China. For example, there are very interesting Chinese start-ups developing products that would strengthen online communications and search privacy. They are looking to launch in both the U.S. and Chinese markets. Meanwhile, Didi has expanded aggressively in parts of Asia, Latin America, Europe, and the Middle East. But it has done so in ways that flout Chinese government supervision when it comes to real-time access to data (as discussed earlier).
The government is still debating what form the pending rules over cross-border data transfer will take, but as one senior Chinese internet company executive told me, “There are no right answers to the cross-border data transfer issue.” His statement hints at the difficulty Beijing faces in balancing so-called “data sovereignty”—or tightening national control over Chinese citizen data—with demands by China’s private companies that need to send data across borders to be commercially viable in markets around the world.
These examples show how Chinese companies are often hindered by their own government.
But then you have examples where Chinese internet giants align nicely with Beijing’s policy priorities. Take for example the rising Chinese content platform Bytedance, with its homemade video app called Douyin. The company is very comfortable with content take-downs in China and abroad (it agreed to remove “negative content” in Indonesia), and the app has growing popularity in democratic countries like Australia and South Korea. The structure of the Douyin app itself reinforces a bifurcated internet. There are two versions of the app. The one for markets outside of China is called Tik Tok, and it is virtually impossible to download from within China’s internet ecosystem. Even with a VPN, users with a Chinese SIM card cannot download the app. This is exceedingly rare in China, where most overseas apps are accessible by VPN. It shows the lengths that Bytedance goes to in order to avoid having problematic content created outside of China viewed by domestic audiences.
Chinese policymakers are paying close attention to U.S. data policies.
Chinese policymakers’ perceptions (or misperceptions) of U.S. data policy are directly shaping China’s own data regime. At the very moment, while many different Chinese data regulations are pending in draft amid debate, the U.S. approach is undergoing major changes as well, and the drafters of China’s new data regime are taking note. Debate and policy formation on these issues are not occurring in a vacuum but referencing the other side of the Pacific.
CFIUS reform & export controls
I received a lot of questions about how a beefed-up Committee on Foreign Investment in the United States (CFIUS) review process impacts deals involving U.S. citizen data. From Chinese policymakers’ point of view, the expanded jurisdiction of CFIUS combined with tightened restrictions on technology transfer under the Export Control Reform Act generates export restrictions on U.S. data.
Following the passage of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) this past August, CFIUS now covers non-controlling investments involving sensitive personal data. Foreign government access to U.S. citizen data (e.g., social media, health care, finance) is now a key factor in CFIUS considerations. These changes reflect growing concern over the national security risks of foreign governments, especially China, gaining access to U.S. citizen data through global mergers and acquisitions. Last year, the failed merger between Moneygram and Ant Financial (the financial affiliate of Alibaba) provided an early sign of how important data would become in the CFIUS process. There is also a new interagency process for restricting export of a list of “emerging and foundational technologies,” although data is not cited specifically.
Discussion in Hangzhou centered on two questions: do these shifts contradict the U.S. free data transfer regime, and is the United States moving toward its own version of data localization? To be sure, the U.S. approach is in no way analogous to China’s restrictions on data export under the cybersecurity law. It is too early to tell what effect the U.S. reforms will have, but depending on what kind of deals get blocked, Beijing may have more justification for its own approach to “data sovereignty” if it sees this behavior mirrored in the U.S. approach.
The CLOUD Act
In March, U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). The CLOUD Act has led to a lot of questions (and perhaps also misperceptions) in China as policymakers are in the midst of writing regulations determining what type of data should reside in the country, and the conditions and process by which it can be sent out of China.
A follow-on article will examine in depth Chinese perspectives on the CLOUD Act and clarify what the CLOUD Act means for Chinese citizen data, U.S. companies operating in China, and Chinese companies in the United States. For example, does China’s cybersecurity law conflict with the CLOUD Act? What is the right response to those who see the CLOUD Act as justification for data localization in China? Overall, this discussion made clear that national data policies are not evolving in a vacuum but are increasingly shaped by developments globally as governments and companies grapple with defining data ownership and movement of data across borders.
Where do we go from here?
China’s data protection regime is advancing amid much internal debate (and contradiction) even as regulators step up enforcement. The Hangzhou summit should be understood as the first of what likely will be more gatherings of leaders from the private sector and government with scholars writing the standards to hash out these complex issues.
As China’s data regime is in its early stages, its leading architects are watching closely how data policy is evolving in the United States, Europe, and other countries in Asia. These regimes are advancing in reference to each other; there is a need for more exchanges with experts across regions to clarify national policy and dispel myths to promote more interoperability in global data governance. These channels are more important than ever as relations between Washington and Beijing deteriorate over trade and industrial policy.
Samm Sacks is a senior fellow with the Technology Policy Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2018 by the Center for Strategic and International Studies. All rights reserved.