The Establishment of International Rules for Cross-Border Data Flow under Major Country Competition

Li Yan

As major country competition is becoming ever more intense, data has become a key strategic resource, making rules of cross-border data flow going beyond the business scope in a traditional sense and becoming a strategic issue concerning national development and security.Relevant parties compete against each other in three major areas of the collection of cross-border law enforcement data, cross-border flow of corporate data, and global cross-border privacy rules.In the future, the competition will become more intense, and the global cross-border data flow more complicated.But in the meantime,the practice and exploration by the international community also bode well for the establishment of international rules and order for crossborder data flow.

THE MAJOR COUNTRY COMPETITION BEHIND THE ESTABLISHMENT OF INTERNATIONAL RULES FOR CROSSBORDER DATA FLOW

Data is just like air that no one in modern world can live without.At present, major global actors are competing against each other around cross-border data flow rules from three areas, slowing down the establishment of such rules which is in its infant stage.

The first is the competition between long-arm jurisdiction and blocking laws in the collection of cross-border data.Generally, people tend to pay attention to cross-border data flows when dealing with digital trade and services, but cross-border data collection in law enforcement is an issue of importance as well.In order to establish a collection mechanism that meets its own interests, the US has extended its long-arm jurisdiction practice from entity to data,allowing itself to arbitrarily collect any data stored abroad by US enterprises.In response, other countries have introduced blocking laws in order to safeguard their data sovereignty and security.

In March 2018, the US government issued the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which stipulates that all US electronic communication service providers or foreign service providers operating within the US, regardless of their data storage in the US or not, have the obligation to save,backup, and provide data to the US government.That empowers US law enforcement agencies to access data stored on servers outside the US.CLOUD Act has become the legislative core of the long-arm collection of cross-border data for law enforcement and judicial purposes, breaking the original judicial assistance mechanism between countries.After its introduction, the EU, following the steps of the US, issued in no time the Electronic Evidence Regulation(Draft) in April 2018, to establish the mechanism of European Data Submission Order and European Data Storage Order with enforcement effect in criminal proceedings.By providing that the law enforcement or judicial authorities of EU members may directly command service providers in the EU or those with representative offices in the EU to submit or restore electronic data, regardless of the data storage within the EU or not, the Regulation constitutes longarm jurisdiction for cross-border data collection by law enforcement in the EU.

To deal with the long-arm jurisdiction of data, many countries have adopted legislative measures to block the arbitrary access to their data.For example, Switzerland,Luxembourg, and Singapore have imposed restrictions on cross-border access to financial data and imposed strict obligations on banks to keep customer information confidential.

The second is the competitionon security review of transnational enterprise data flow.At present, cross-border data flow is mainly related to scientific and technological innovation and economic competition in transnational business and technical service.Based on this,the US is prone to crack down on the digital industry of its rival countries under the pretense of data security, ratcheting up data security reviews by screening foreign investment and banning information and communication technology and service supply chain transactions, thus putting real limit on cross-border data flows.The first is to screen foreign investment.In August 2018, Trump signed the Foreign Investment Risk Review Modernization Act, ushering in a new round of legislative reforms on national security review by the Committee on Foreign Investment in the United States.The Act imposes mandatory reporting requirements on foreign investment transactions involving sensitive personal data held by US companies, with the aim of preventing foreign governments from involving in US companies’ operations through investment and obtaining US data.The second is to ban information and communications technology and services supply chain transactions.In May 2019, Trump signed the Executive Order on Securing the Information and Communications Technology and Services Supply Chain (Executive Order 13873), which explicitly prohibits “persons”and “property” under the jurisdiction of the US from involving in transactions with information and communications technology and services designed,developed, manufactured, or supplied by persons or entities owned, controlled, regulated, or directed by a foreign adversary, as long as the deal could pose “an undue or unacceptable risk to the national security of the US or the safety of Americans”.On June 9,2021, Biden signed the Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries,detailing the national emergency measures in Executive Order 13873 regarding information and communications technology and service supply chains, referring to “foreign adversaries” as “countries including China”.

On April 24, 2023, the 4th UN World Data Forum opened in Hangzhou, Zhejiang Province, China.

The third is ideological differentiation in crossborder privacy rules.Personal information and privacy protection is a key issue in cross-border data flow,and governments from many countries have tried to establish cross-border privacy protection mechanisms through legislative measures.Historically, the US has pushed for the development of the system of Cross-Border Privacy Rule (CBPR), a set of regional data rules under the Asia-Pacific Economic Cooperation.It’s fundamentally about compromising the ability of participating countries or regions to independently control cross-border data by putting in pace a cross-border data flow mechanism with lower level of protection, and expanding its own crossborder data flow rules.Since 2011, the US has kept adding its allies into its CBPR system, and in August 2020 it first proposed to separate it from the APEC framework.In April 2022, the US, Canada, Japan,South Korea, the Philippines, Singapore, and Taiwan,China jointly issued Global Cross-Border Privacy Rules Declaration, announcing the establishment of Global CBPR Forum.In August that year, Australia announced its accession.Although the forum claims to adopt a multi-stakeholder model and is open to all jurisdictions that accept the declaration, it is actually an ideologically-driven product, by which the US attempts to exclude China from global data flow and digital trade, leading to further fragmentation of global cross-border data flow rules.

Overall, cross-border data flow rules are in its early stage of exploration without a global consensus on its concept, principles and mechanisms.As for how to better maintain data security in data flow, conflicts may arise in rules as different countries have different concepts and systems.At present, free data movement advocated by the US, the individualistic governance of Europe and balance between development and security governance championed by China are most influential in the world.While other countries have their own positions, they do not carry global weight.

FACTORS INFLUENCING THE ESTABLISHMENT OF INTERNATIONAL RULES FOR CROSS-BORDER DATA FLOW

Major countries are engaged in fierce competition on the establishment of cross-border data flow rules system based on their own understanding, interests and concerns.At the same time, the imbalanced global digital development further widens global digital divide.

First, main global actors have different ideas about crossborder data flows.According to the US think tank Information Technology and Innovation Foundation, the world is now in a global policy debate on cross-border data flows and data security, which is essentially a battle of three ideologies.Namely, data liberalism represented by the US, data interventionism represented by the EU, and the so-called data nationalism represented by China, Russia and other countries.For long, the US boasts itself of the so-called “free, open,secure and credible” concept of cross-border data flow.In fact what it truly values is the economic benefits brought by the free flow of data.It aims to ensure data flow to itself and control global data as much as possible by relying on its Internet giants and industrial monopoly.

The EU believes that cross-border data flows must be based on the protection of human rights and personal privacy, which stems from its strong consciousness on human rights since modern times.In 2018, the European Union’s General Data Protection Regulation came into force.By granting specific rights to data actors, it ensures that their personal rights can be protected in real practice, thus further improving the EU’s rules on cross-border flow of personal information and data.

Countries including Russia prioritize protection and attach great importance to data security in order to safeguard national security.Russia especially emphasizes to protect domestic Internet and data security when facing cyber attacks from other countries.On this basis it encloses itself by imposing strict restrictions on data flow.China adheres to a balanced approach to data governance.On the one hand, it upholds the overall concept of national security and strives to balance data development with security.On the other, it upholds the concept of a community with a shared future for mankind, actively participates in establishing international data security rules,and strives to maintain an open, just and non-discriminatory digital environment.

Second, major international actors have different interests in cross-border data flows, which drives them to adopt dif-ferent positions and policies in real practice.

The US pursues economic interests to its utmost and global data hegemony through politicizing crossborder data flow rules.Specifically, it seeks to build an exclusive alliance for data flow rules based on political system and ideology.For example,in the cross-border flow of business data, it promotes its own concept of free data flow and tries to shut China out from its data flow circle.By establishing mechanisms such as the Global Cross-Border Data Privacy Rules Forum, it exports data governance models globally and builds a US-centered digital ecosystem.In addition, it attempts to suppress Chinese digital businesses which have overseas operations in the name of data security, which aggravates fragmentation of global cyberspace.

The EU pursues institutional power with digital sovereignty as its core on the basis of ensuring individual privacy.The EU recognizes that it is falling behind in the digital race in the fourth Industrial Revolution, which not only strains its strategic autonomy but also increases its digital security risks in the context of the Sino-US strategic rivalry.It thus becomes an important task for the EU to enhance its global competitiveness and achieve strategic autonomy.

China pursues a balance between digital development and data security, and is committed to safeguarding national and international data security.On the one hand, China regards data as an important factor of production, promotes the deep integration of digital economy and real economy, and pursues economic transformation.China has adopted the Cyber Security Law,the Data Security Law, the Personal Information Protection Law and other laws and regulations to build a comprehensive data security system.On the other hand, it puts forward the Global Data Security Initiative,calling on all countries to cooperate in international cyberspace governance according to the principle of balancing development and security, and promotes the building of a community with a shared future in cyberspace.

Third, the unbalanced global digital development will lead to differences in the willingness, capacity and resource investment of all parties regarding the establishment of digital rules, which will get in the way when it comes to reaching consensus on international rules for cross-border data flow, advancing the process and expanding the scope of application.First, the development of global digital platforms is polarized.Data shows that by the end of 2021, the top five digital platforms in the world are all US companies,accounting for about 70% of the total global market value, an increase from 2020.Second, there is still a big gap in digital infrastructure among different countries.Compared with developed countries, developing countries, especially the least developed ones, have inadequate digital infrastructure with low level of Internet access and use.According to a report by the International Telecommunication Union, two-thirds of the population in the least developed countries still have no access to the Internet in 2022 with 720 million people remaining “offline”.At present, the digital divide in the world shows no signs of narrowing yet,rather, it is further deepening due to the different development level of digital infrastructure among countries.Third, the application of digital technologies around the world is imbalanced.Many small business owners in developing countries,especially the least developed ones,lack the capacity, skills and awareness to take full advantage of digital economy, lagging far behind those in developed countries.Africa and Latin America have less than 5 percent of the world’s colocation data centers and lack the digital technologies needed to turn data into digital intelligence and to drive economy.

THE PROSPECT OF ESTABLISHING INTERNATIONAL RULES FOR CROSSBORDER DATA FLOWS

Impacted by both the intensified major country competition and the overdue technical governance rules,the international governance of crossborder data flows faces many difficulties.Yet, the silver lining is that, the practice of major international actors in the digital field will also bring opportunities for the establishment of cross-border data flow rules.

First, the competition on building cross-border data flow rules system is becoming ever more fierce.When talking about data security in cyberspace governance, topics such as data sovereignty, privacy protection, legal application and jurisdiction, and even international trade rules are often referred to.Whether it is data localization, cross-border flow restrictions,or long-arm jurisdiction, they all represent countries’ efforts to safeguard data security and tighten grips on data, and furthermore, become an integral part of national digital sovereignty.With the ongoing upgrading of new technologies and applications,especially with the development of cloud computing, the Internet of Things, and artificial intelligence,data will become more important.In the field of cross-border data flow rules, it is inevitable that all parties seek to maximize their own interests in rules establishment.For example,countries good at data application will favor free data flow, while coun-tries weak in data application are more inclined to be data defensive.

On February 1, 2023, European Commission Vice-President Vestager appeared at a press conference to say that large tech companies will be regulated by law to ensure that EU personal data is protected.

Second, it remains an arduous and long-term task to put into shape a universally accepted global system of rules for cross-border data flows.Whether it is in the field of crossborder data collection by law enforcement or rules system establishment based on privacy protection, it is difficult to form a truly international rules system with universal acceptance and binding force in a long period of time.Although the US and Europe have been coordinating in their efforts, trying to create a template of data flow rules through mechanism docking within the so-called “value community” based on the broadest consensus, and then to be accepted by more and more countries through demonstration and spillover effects,the real practice has not lived up to their expectation.Taking the US-EU data agreement as an example, the EU Court of Justice declared the EUUS Privacy Shield Framework invalid in July 2020 in terms of cross-border data transfer, and the Framework thus broke down.In October 2020, privacy regulator of Ireland introduced rules banning Facebook from transferring European users’ data to the US.Although the Biden administration,in order to address European data security concerns, signed the Executive Order on Enhancing Safeguards for US Signals Intelligence Activities to regulate US signals intelligence activities and provide corresponding institutional safeguards, it is uncertain whether it will be challenged again by the EU Court.

Third, the dynamics of geopolitical rivalry will continue to influence rule-making process.In keeping with so-called “clean data” plan targeting China, the US together with other countries further banned equipment and services from Huawei, ZTE and other Chinese telecommunications companies from entering the US,its allied countries and its overseas agencies through the Countering Untrusted Telecommunications Abroad Act.Furthermore, it uses diplomatic means to block Chinese companies from obtaining international undersea cable projects through the Undersea Cable Control Act, in order to thwart cross-border data transmission via the diversion of undersea cables through Hong Kong and other practices.Such moves of politicizing crossborder data flows by the US will add complexity and uncertainty to the future of data flow.

Although the establishment of international cross-border data flow rules faces severe challenges in the context of major country competition, it cannot be concluded that it cannot be done.It is actually long and dynamic process to form any kind of international rules, and in many cases,the process of establishing the rules even matters more for pushing forward with practice.The same is true of the establishment of international cross-border data flow rules.Going forward, it will be guided by top-down strategies and policies.To address data security concerns and build data trust,relevant governments and international organizations are taking active steps.For example, on 8 September 2020 at the international seminar on Seizing Digital Opportunities for Cooperative Development held in Beijing, China put forward the Global Data Security Initiative.At the same time, it will be shaped and calibrated as well from bottom up.Best practices and explorations in cross-border data flows will, in turn, facilitate the establishment of a system of rules.For example, in the face of privacy issues in data flows, companies and the technical community are actively exploring solutions to technically solve the compliance problem, so that data can flow effectively and address privacy or security concerns.All of this will contribute to the creation of rules for cross-border data flows.