China has promised not to ask Chinese tech companies for overseas data
So Beijing will not ask ByteDance to bring back TikTok data. Also applies to Huawei, Alibaba, DiDi, Tencent, BGI, etc.
The article has been updated on July 10. The updated part is highlighted and noted.
Let me for the zillionth time underline that Pekingnology is a personal newsletter and doesn’t represent the view of anybody else.
***
Last week, I was reading Manoj Kewalramani’s Tracking People’s Daily, and this caught my eye
Page 3: The page is dominated by reporting of the third China + Central Asia (C+C5) foreign ministers’ meeting in Nur-Sultan…
The C+C5 heads of state summit mechanism was agreed upon. Also, the following documents were signed…
an initiative for cooperation of C+C5 countries in the field of data security
The data security document calls on countries and enterprises to:
Enterprises must abide by the laws of the country where they are located and domestic enterprises must not be required to store and process data generated and acquired overseas in home countries. 呼吁企业遵守所在国法律,不得要求本国企业将境外产生、获取的数据在境内存储和处理.
All countries should respect the sovereignty, jurisdiction and security management rights of other countries, and should not directly ask enterprises or individuals for data located in other countries without the permission of other countries’ laws. 各国应尊重他国主权、司法管辖权和对数据的安全管理权,未经他国法律允许不得直接向企业或个人调取位于他国的数据.
If countries need to acquire cross-border data for law enforcement purposes, such as combating crimes, they should do so through mutual legal assistance channels or this must be done in accordance with agreements signed between countries. 各国如因打击犯罪等执法需要跨境调取数据,应通过司法协助渠道或根据国家间协定解决.
IT products and services supply enterprises shall not set back doors in products and services to illegally obtain user data, control or manipulate user systems and equipment. 信息技术产品和服务供应企业不得在产品和服务中设置后门,非法获取用户数据、控制或操纵用户系统和设备.
It first struck me as news, but then I realize it is not new, as the C+C5 data security initiative is based upon
中亚各国支持中方提出的《全球数据安全倡议》。
The Central Asian states support China’s Global Initiative on Data Security
China’s GIDS was first published in September 2020 and has been mentioned on numerous occasions by its officials and media. For example, President Xi Jinping said at the 15th G20 Leaders' Summit in 2020
To address countries’ concerns on data security, the digital divide, personal privacy and ethics, we should adopt people-centered and facts-based policies to encourage innovation and build trust…Recently, China launched the Global Initiative on Data Security. We may work on that basis and join other parties for discussing and formulating rules on global digital governance.
Zhao Lijian, the Foreign Ministry’s spokesperson, said on the day of unveiling the GIDS, in Chinese and English
这一倡议也是中国为维护全球数据安全作出的承诺。
The initiative is also China's commitment to protecting global data security.
So, what’s in the GIDS?
-States should encourage companies to abide by laws and regulations of the State where they operate. States should not request domestic companies to store data generated and obtained overseas in their own territory.
-States should respect the sovereignty, jurisdiction and governance of data of other States, and shall not obtain data located in other States through companies or individuals without other States' permission.
-Should States need to obtain overseas data out of law enforcement requirement such as combating crimes, they should do it through judicial assistance or other relevant multilateral and bilateral agreements. Any bilateral data access agreement between two States should not infringe upon the judicial sovereignty and data security of a third State.
-ICT products and services providers should not install backdoors in their products and services to illegally obtain users' data, control or manipulate users' systems and devices.
In my understanding, this translates to China's pledges
It will not require its companies to store or process their data generated or acquired overseas in China.
It will not ask directly ask Chinese companies or their employees for data located in other countries without the permission of other countries’ laws.
If it needs to acquire cross-border data for law enforcement purposes, such as combating crimes, China should do so through mutual legal assistance channels or in accordance with agreements signed between countries.
It forbids, let alone asks, ICT products and services providers to install backdoors.
What does it mean if Chinese tech companies are factored in?
China will not ask ByteDance - a Chinese company - to store or process data from TikTok - which only operates overseas - in China.
China will not directly ask ByteDance or its employees for TikTok data located in the U.S., without conforming to U.S. laws.
When China needs to acquire U.S.-located TikTok data, China should do so through legal assistance channels or in accordance with bilateral agreements.
China forbids, let alone asks, Huawei to install backdoors in their telecommunication equipment and software.
I really do not think I’m spinning this. I mean, how else could you interpret the language?
To confirm that personal opinion of mine, I reached out to 吴沈括 Wu Shenkuo, a law professor at Beijing Normal University with a big profile in China’s data security field.
Prof. Wu holds titles including 中国互联网协会研究中心副主任 Deputy Director, Research Center, the Internet Society of China, and has been reported to take part in the legislation process of China’s 个人信息保护法 Personal Information Protection Law , which went into effect on November 1, 2021.
Prof. Wu said
这个问题实际上最早源自于就是境外对于中国政府强制获取境外数据的这样一种污名化的宣传,那么我们通过政府表态的方式呢,实际上把这个立场作出了澄清。
This issue actually originated from the outside defamation that the Chinese government mandates access to overseas data. So China actually clarified that through the initiative.
In an interview with Bloomberg TV in the same month, 张明 Zhang Ming, then China’s envoy to the European Union and now Secretary-General of the Shanghai Cooperation Organization, linked the initiative with not asking Chinese companies for overseas data
We never ask Chinese companies to break the laws of the host countries by handing over overseas data to the Chinese government. China recently put forward a Global Initiative on Data Security.
Not that Beijing hasn’t denied foreign allegations about harvesting overseas data from Chinese companies before - it certainly has done so on many occasions, most memorably over Huawei.
But that GIDS is a formal initiative that the Chinese government continuously promotes and invites others to join lends added seriousness and accountability, and makes it different from previous, case-by-case explanations.
[UPDATE on July 10:
Zhang Li, Vice President of China Institute of Contemporary International Relations (CICRC), in a little-noticed but detailed explanation [ENG] [CHN] of the GIDS in《外交》Foreign Affairs Journal by the Chinese People’s Institute of Foreign Affairs
Paragraph 4: “States should encourage companies to abide by laws and regulations of the State where they operate. States should not request domestic companies to store data generated and obtained overseas in their own territory.”
This paragraph responds to some countries’ concerns and doubts about where the data generated by Chinese companies in their overseas operations has gone and is stored.
Gladly, a foreign ambassador in China told me in recent days that he or she has, in a private meeting, shared it with a big Chinese company, reinforcing my confidence this is an opening that interested parties could work on.
UPDATE on July 10 ends.]
***
Let me for the zillionth time underline that Pekingnology is a personal newsletter and doesn’t represent the view of anybody else.
***
What prompts me to write this piece is that what I highlighted above seems to be lost on many - including the Chinese.
Chinese public opinion, led by its media and opinion makers, has not gone the extra mile in interpreting the GIDS as addressing foreign concerns about China - frankly, Beijing promising to tie its own hands away from Chinese tech companies’ overseas data.
The Chinese tech companies themselves, as far as I can tell, have also not taken up the GIDS in trying to defend themselves, despite being overshadowed in data concerns for years.
They, notably Huawei, have been struggling against the nearly unanimous Western interpretation of China’s 国家情报法 National Intelligence Law adopted in 2017. Two articles have been described as obliging Chinese companies and individuals to cooperate with Chinese intelligence services at the latters’ request.
第七条 任何组织和公民都应当依法支持、协助和配合国家情报工作,保守所知悉的国家情报工作秘密。
Article 7: All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.
第十四条 国家情报工作机构依法开展情报工作,可以要求有关机关、组织和公民提供必要的支持、协助和配合。
Article 14: National intelligence work institutions lawfully carrying out intelligence efforts may request that relevant organs, organizations, and citizens provide necessary support, assistance, and cooperation.
Huawei, at the time, battled the narrative. It reportedly hired two law firms to produce two legal opinions and sent them to officials of various governments around the world. To this day, Huawei maintains on its official website a Q&A Does China’s National Intelligence Law compel Huawei to plant so-called “backdoors” in telecommunications infrastructure?
Not that it’s necessarily correlated, but China’s 数据安全法 Data Security Law, passed last year, limits its jurisdiction to within the PRC territory.
第二条 在中华人民共和国境内开展数据处理活动及其安全监管,适用本法。
Article 2 This Law shall apply to data processing activities and security supervision and regulation of such activities within the territory of the People’s Republic of China.
As for now, I think ByteDance is the Chinese tech company with the most at stake. It has done a remarkable job in seeing off President Donald Trump’s forced sale of TikTok and chartering an unprecedentedly internationalized operation and expansion for the short video platform.
It’s not just ByteDance. Alibaba touts itself as the third-largest Infrastructure-as-a-Service (IaaS) provider in the world, citing Gartner numbers. That’s a lot of data in the cloud.
Shenzhen-based BGI, self-described the world's largest genome research organization, had its reputation badly damaged by a Reuters investigation last year over allegations it harvests data from millions of women worldwide.
And it’s not unforeseeable that some countries could begin to wonder if data from Didi-owned ride-hailing services within its border would end up in Beijing.
Everything is data these days. At the end of the day, “whether Beijing will force your China-headquartered parent company to move your overseas data back home” is among the fundamental questions that the Chinese companies will have to answer for years.
In that case, “China has promised not to ask Chinese tech companies for overseas data” publicly in an initiative that it has invited the international community to sign up to would be one of the most plausible talking points.
***
Beijing probably never had the illusion that its self-restraining order would be proactively received in the West. It shouldn’t.
Reuters, WSJ, and Al Jazeera dedicated a report, respectively, to the initiative on its first day, but didn’t examine the text’s implication for the Chinese government to restrain itself vis-a-vis Chinese tech companies. There appears to be no story on the day from CNN, NYT, WaPo, FT, AP, or AFP.
An article in The Diplomat sums up the Western reaction to the GIDS pretty well
China’s Bid to Write the Global Rules on Data Security
The new “Global Initiative on Data Security” is an attempt to wrest control of the data security narrative away from the U.S.
That’s certainly not wrong. As Prof. Wu Shenkuo from Beijing Normal University told me
同时也为数据跨境获取,特别是为监管、司法目的调取企业数据,提出了一个中国的规则主张。这点怎么说呢?外国政府,特别是美,西方政府都不敢或者不愿意公开承诺的。
This also put forward a Chinese proposal for cross-border access to data, especially for regulatory and judicial purposes. What can be said about this point? Foreign governments, especially the U.S. and Western governments, are afraid or unwilling to commit themselves publicly.
(I think they are mostly unwilling to play Beijing’s game, for a variety of reasons.)
But The Diplomat article did mention
These priorities include an interesting mix of China’s concerns (for example, being cut off from access to Western technology and the growing power of foreign technology companies) and attempts to address concerns about China (that Chinese ICT firms like Huawei could install “backdoors,” steal data or damage tech infrastructure at Beijing’s behest). Of course, China has its own reasons to be concerned about data security – the Snowden leaks revealed the extent of U.S. digital surveillance around the globe.
Alas, even that bit is missing from the broader China discourse.
***
Lastly, I guess somebody is bound to ask: “what if the CCP is just lying here? how do we know it will live up to its own initiative?”
Well, I understand the sentiment these days given the disastrously low trust in one another, but then what’s the point in reading and analyzing anything?
The bottom line is, in my opinion, the initiative provides an opening for Chinese actors - both government and private - to address foreign concerns in this regard, however ridiculous or even defamatory they think the concerns are. It’s for their own interests to concretize the message and own it - make it abundantly clear the text in the initiative first and foremost applies to the home country. And foreign actors do not stand to lose by engaging, enabling, and encouraging that to happen.
Fascinating, thanks for sharing this
Posts like this, especially when you point out how many western outlets have not even picked up this story at a superficial level, are great and really help those of us who would otherwise be none the wiser! Clicked the "Recommend" button to help share to my humble audience!