China Economic Bulletin | No. 19 (15 August 2022)
Recent Developments of Data Governance in China and Implications for Foreign Investment – Part 1 of 4
Authors: Jasper Habicht, Isabeau Höhn, Jessica Köhler
The People’s Republic of China has introduced a comprehensive framework on data protection, data security and data management over the last few years. Already in 2017, the Cybersecurity Law entered into force laying out the legal basis for the handling of digital data. Following the enactment of the European General Data Protection Regulation in 2018, a new Civil Code and laws on the protection of personal data as well as on data security were enacted in 2020 and 2021.
At the same time, at least since 2014, the People’s Republic has gradually implemented a Social Credit System that aims to evaluate the credibility of enterprises and citizens. Such a system naturally generates massive amounts of data. At first glance, the parallel development of the data-intensive Credit System with its complex and decentralised structure stands in stark contrast to the creation of a legal framework that aims to regulate and protect flows of information and data.
This paper aims to carve out the implications that current regulations and policies of both the Social Credit System and the various legal norms that aim to secure and protect the handling of data have for enterprises doing business with China. By analysing the background and development of these regulations and policies, this paper also touches upon the complex relation between the protection of personal data and storage of huge amounts of data in the context of the Social Credit System and identifies certain tendencies of policy transfer between China and the world. This paper, however, cannot elaborate in depth on this multifaceted relationship and rather aims to provide an impetus for further scientific analysis.
In its first part, this paper explains definitions and concepts that are important for the understanding of the following analyses of data security, data protection and social credit frameworks. It does so by briefly recalling the development of cybersecurity policy and legislation in China. We then proceed with analysing the development of the legal framework of protecting personal data by comparing the relevant Chinese norms against European standards. In the next part, we examine the Chinese Corporate Social Credit System by focusing on its application to corporate entities and looking into the development of its normative framework that is rooted in experimental legislation. In an excursus, this paper highlights certain aspects of policy and norm transfer between China and the world. Finally, this paper sums up the findings regarding the background of the development of policies and regulations concerning data security, data protection and social credit handling as well as relevant implications for enterprises in a conclusion.
Cybersecurity in China: Departing from Established Standards?
Early developments of cybersecurity in China
The People’s Republic of China (hereafter “China”) connected to the internet in 1994 under Jiang Zemin’s presidency. Already in those days, a perception of both “opportunity and threat” emerged: the overall potential of information and communication technologies was regarded as an opportunity, while the internet as a platform where information can spread in an uncontrolled way was rather seen as a threat (Bersick/Christou/Yi 2016: 173). The Chinese government therefore tried to ensure national security as well as societal stability by setting up a firewall that allowed for censoring sensitive content (Bersick/Christou/Yi 2016: 173). Apart from that, regulations were issued with the aim of keeping the internet “clean”, and the development of the local information and communication technology industry was promoted (Bersick/Christou/Yi 2016: 173).
Since then, the Chinese leadership has regarded cybersecurity as one of the most crucial security issues, which manifests in four main aspects: the stability of the Chinese political system (政治安全, zhengzhi anquan), the security of information infrastructure (信息基础设施安全, xinxi jichu sheshi anquan), economic growth (信息经济全面发展, xinxi jingji quanmian fazhan) and information sovereignty (保障信息主权, baozhang xinxi zhuquan) (Bersick/Christou/Yi 2016: 168 f.). It should be noted that most Western countries define cybersecurity as “the security of computer and information systems as physical and logical entities”, while information assurance or information security denotes the security of data and content (Raud 2016: 10). In the terminology used in China, however, both the physical information systems and the content of the information are integral parts of the concept of information security (Raud 2016: 10).
Instead of withdrawing from the international cyberspace, China rather aims to become a major player in the field by developing into a “cyber superpower” (网络强国, wangluo qiangguo) (Attrill/Fritz 2021: 3). After the adoption of the Internet in 1994, the number of Internet users grew significantly over the last 25 years to 854 million, while the number of mobile Internet users grew to over 847 million (Jiang 2020: 195). This impressive increase of connectivity is accompanied by the development of a relatively independent ecosystem which comprises a number of international companies such as Huawei, ZTE, Alibaba, Tencent, Baidu, and TikTok (Jiang 2020: 195).
The Chinese and the European approach to cybersecurity
The Chinese approach to cybersecurity has transformed from a “whole-of-government” and “whole-of-nation” approach to one that is “whole-of-systems” which characterises cybersecurity as holistic, dynamic, and open (Jiang 2020: 195). Guided by an overarching framework of cyber sovereignty, China has made several important institutional, legislative, and developmental adjustments to strengthen its belief that any state should have control over the users of cyberspace, which includes domestic as well as foreign citizens within this state’s territory. A national information security strategy was first drafted in 2003, having the primary objective to protect the security of China’s key information infrastructure (Bersick/Christou/Yi 2016: 173).
In 2006, China issued its 15-year strategy for future innovation, titled “The National Program 2006–2020 for the Development of Science and Technology in the Medium and Long Term” (国家中长期科学和技术发展规划纲要（2006—2020年）, Guojia zhong changqi kexue he jishu fazhan guihua gangyao 2006–2020 nian) which serves as the basis for all subsequent information security developments and related policies (Raud 2016: 12). While this strategy opens the door for Chinese technology giants to enter foreign markets and can help to foster “international linkages between China’s technology and global standards”, it also restricts foreign companies from investing into China’s cyber system, especially in the government sector or in sectors like banking, transportation, and other critical infrastructure (Raud 2016: 13). Foreign enterprises are required to hand over the relevant intellectual property rights to the government if their products are used by Chinese government agencies (Raud 2016: 13). In 2015, this trend was further intensified through a “cybersecurity new regime”, which proposes that the source code of foreign technology used by Chinese banks needs to be handed over and back doors into hardware and software are to be implemented (Raud 2016: 13).
Cybersecurity policy has also been on the agenda of the European Union (EU) for many years (Bersick/Christou/Yi 2016: 167). The 2013 Cybersecurity Strategy of the European Union, titled “An Open, Safe and Secure Cyberspace”, states that “freedom and prosperity increasingly depend on a robust and innovative Internet, which will continue to flourish if private sector innovation and civil society drive its growth” (European Commission 2013: 2). As economic growth is highly dependent on information and communication technology, the EU regards the protection of cyberspace as crucial to let it “remain open and free with the same norms, principles, and values that the EU upholds offline” (European Commission 2013: 2). This cybersecurity strategy represents the first-ever attempt by the EU to set out clear priorities for the protection of cyberspace (Bersick/Christou/Yi 2016: 168). The EU strategy focuses on “soft cyber power” which entails developing capacities to resist and strengthening resilience against cyber-attacks as well as fighting cyber-crime (Bersick/Christou/Yi 2016: 172).
Contrary to the EU approach, which emphasises multi-stakeholderism and openness, China’s approach to cybersecurity is “driven by the central objective of establishing cyber sovereignty within China and ensuring that the respect of national sovereignty becomes one of the guiding principles governing global cyberspace” (Bersick/Christou/Yi 2016: 169). The emphasis on securing “cyber sovereign” borders illustrates how the Chinese approach to cybersecurity is based on the Chinese conceptualisation of national security: security and control trump the protection of rights and freedom in cyberspace (Bersick/Christou/Yi 2016: 169). The Office of the Central Cyberspace Affairs Commission declares:
Cyber sovereignty is a natural extension of state sovereignty in cyberspace and it is the supreme and independent right of a state, based on state sovereignty, over the network facilities, network subjects, network behaviours, and related network data and information within its territory (Office of the Central Cyberspace Affairs Commission 2020).
From the Chinese perspective, the aspiration of being a cyber superpower (网络强国, wangluo qiangguo) “requires the ability to shape cyberspace, to set the rules and to shape the norms” (Attrill/Fritz 2021: 8). The European Chamber of Commerce in China, however, notes that the application of this approach has led to uncertainty among businesses because it lacks “clear and consistent implementing regulations” and diverges from “common approaches under international standards” (EU Chamber of Commerce in China 2020: 1). At the World Internet Conference in Wuzhen in 2015, Xi Jinping pointed out that “China is willing to work with other countries to strengthen dialogue and exchanges, effectively manage differences, and promote the formulation of international rules in cyberspace that are generally accepted by all parties” (Attrill/Fritz 2021: 8).
The legal framework on cybersecurity in China
The Cybersecurity Law of the People’s Republic of China (hereafter “Cybersecurity Law”) was passed on 6 November 2016 and has been in effect since 1 June 2017. The Cybersecurity Law defines regulations on data protection, IT security, and behaviour on the internet. The Cyberspace Administration of China (CAC) is the primary governmental authority supervising and enforcing the Cybersecurity Law. In German law, comparable content can be found in the General Data Protection Regulation (GDPR), the IT Security Act, the regulations on the right of expression, or the Network Enforcement Act (Deutscher Bundestag 2020: 4).
The scope of the Cybersecurity Law extends to natural and legal persons who collect, process or disseminate information in the territory of China, which means that foreign companies with branches in China and foreign companies that address Chinese customers with their website, for example, are also affected and thus are threatened with the blocking of their offers in China in the event of non-compliance (Deutscher Bundestag 2020: 5).
According to Article 76 of the Cybersecurity Law, a “network” (网络, wangluo) is a system of computers or other information terminals where the gathering or processing of information takes place. “Network operators” (网络运营者, wangluo yunying zhe) are owners, managers or service providers of such a network. With this definition, a set-up of two computers that share information can already be seen as a network in theory, which makes apparent the broad scope of application of the law. Examples of critical information infrastructure (关键信息基础设施, guanjian xinxi jichu sheshi), for which the law provides specific and stricter regulations, are given in Article 31, where public communication and information services, power, traffic, water resources, finance, public service, or e-government platforms are mentioned. According to the law, an important characteristic of critical information infrastructure is that its destruction or malfunction could cause serious danger to national security or public interest. This vague definition leaves room for the authorities to confine its scope in individual cases, although the law states that the State Council is to define more clearly what should be regarded as critical information infrastructure. However, since public communication services are mentioned in the law, messenger applications, for example, might count as such critical information infrastructure, too. Providers of such infrastructure need to store personal information or “important data” within the mainland territory of the People’s Republic of China (Cybersecurity Law: art. 37). Also, they are obliged to pass a state-administered cybersecurity review (Cybersecurity Law: art. 38).
While such regulations clearly aim to provide a legal framework to ensure network security, the fact that all relevant data processing technology and the data itself is kept within the jurisdiction of the People’s Republic of China also gives the government full control. Together with the regulations codified in the Counter-Terrorism Law (2015) and the Administrative Rules for the Commercial Use of Encryption (1999), a legal framework is set up that allows the state ultimate access to data since companies are obliged to hand over to state authorities data on terror suspects, and companies are also allowed to use only state-approved encryption technologies (Alsabah 2017). While the fact that this allows the state to eventually decrypt and read any encrypted data can surely deter civil rights advocacy, it may also pose a problem for enterprises that wish to protect their intellectual property from access by third parties.
Practical implications for enterprises doing business with China
In a world that is more and more globally connected, data security and data protection cannot simply be regarded as an issue solely for enterprises in Western countries or for companies in China. Rather, cross-border data transfer is increasing, and this poses new challenges for frameworks that aim to regulate data security. China tried to ensure data security by keeping certain data within its jurisdiction, which raises concerns among enterprises that operate in different countries. Not only does this rule increase the costs for additional data storage facilities in China, but it also requires mechanisms that prevent the fragmentation of data due to its storage in different places, which can also easily lead to duplication of data.
While the Cybersecurity Law surely offers a comprehensive legal basis for the introduction of measures to protect data, the concrete implementation of such measures is still unclear. Only future developments will show whether and which new state authorities will be established or if new regulations will be issued in order to regulate certain aspects codified in the Cybersecurity Law. What is clear, however, is the fact that China aims to strengthen state control over data security and data flows as well as over the data itself. Undoubtedly, the Chinese approach to cybersecurity is a new approach that differs from the way the issue of cybersecurity has been tackled by Western countries until today. It could also entice other nations to implement similar policies and require companies to reconsider their operations in these countries (Descamps 2020: 7).
- Chinese original: 网络主权是国家主权在网络空间的自然延伸，是一国基于国家主权对本国境内的网络设施、网络主体、网络行为及相关网络数据和信息等所享有的最高权和对外独立权。
- Alsabah, Nabil (2017): “China's cyber regulations: a headache for foreign companies” (online at https://merics.org/en/short-analysis/chinas-cyber-regulations-headache-foreign-companies, last visited on 2 August 2022).
- Attrill, Nathan; Fritz, Audrey (2021): “China’s cyber vision: How the Cyberspace Administration of China is building a new consensus on global internet governance”, International Cyber Policy Centre, Australian Strategic Policy Institute, Policy Brief, Report No. 52/2021 (online at https://ad-aspi.s3.ap-southeast-2.amazonaws.com/2021-11/Chinas%20cyber%20vision.pdf, last visited on 12 August 2022).
- Bersick, Sebastian; Christou, George; Yi, Shen (2016): “Cybersecurity and EU–China Relations”, in Kirchner, Emil J.; Christiansen, Thomas; Dorussen, Han (eds.): Security Relations between China and the European Union: From Convergence to Cooperation? (pp. 167–186). Cambridge: Cambridge University Press.
- Cybersecurity Law of the People’s Republic of China [中华人民共和国网络安全法], adopted on 7 November 2016 (Cybersecurity Law) (English translation online at https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/, last visited on 18 October 2021).
- Descamps, Maud (2020): “China’s Cybersecurity Legislation: A Paper Tiger Or An Institutionalized Theft?”, Focus Asia Perspective & Analysis, Institute for Security & Development, May 2020.
- Deutscher Bundestag (2020): “Das chinesische Internetsicherheitsgesetz”, 27 January 2020 (online at https://www.bundestag.de/resource/blob/691392/01288978b39cb43b866a1240be88b4d7/WD-10-077-19-pdf-data.pdf, last visited on 7 April 2022).
- European Commission (2013): “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”, Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions [JOIN(2013) 1 final] (online at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52013JC0001&from=EN, last visited on 12 August 2022).
- European Union (EU) Chamber of Commerce in China (2020): “Cybersecurity Sub-working Group Position Paper 2020/2021” (online at https://www.europeanchamber.com.cn/documents/download/start/en/pdf/852, last visited on 3 August 2022).
- Jiang, Min (2020): “Cybersecurity Policies in China”, in: Belli, Luca (ed.): CyberBRICS: Cybersecurity Regulations in BRICS Countries (pp. 195–212), Berlin: Springer (online at: https://ssrn.com/abstract=3523325, last visited on 19 April 2022).
- Office of the Central Cyberspace Affairs Commission [中共中央网络安全和信息化委员会办公室] (2020): “Network Sovereignty: Theory and Practice (Version 2.0) [网络主权：理论与实践（2.0版）]”, 25 November 2020 (online at https://archive.ph/11fb6, last visited on 6 December 2021).
- Raud, Mikk (2016): “China and Cyber: Attitudes, Strategies, Organization”, NATO Cooperative Cyber Defence Centre of Excellence, August 2016 (online at https://ccdcoe.org/uploads/2018/10/CS_organisation_CHINA_092016_FINAL.pdf, last visited on 12 August 2022).