On cross-border data access: a Chinese summary
With China's Practice and Thinking. Plus positive response to Pekingnology's original argument.
Pekingnology today shares parts of the recent Chinese article《司法和执法数据跨境调取的国际规则发展与应对实践》Cross-Border Access to Data in Judicial and Law Enforcement: Development in International Rules and Responses.
It was published in the third issue of《中国信息安全》China Information Security in 2022. The journal is administered by the 中国信息安全测评中心 China Information Technology Security Evaluation Center.
The author, according to the journal, is Zhang Peng, a researcher with the Center for Digital Economy and Legal Innovation Studies at the University of International Business and Economics in Beijing.
The article, in my observation, doesn’t particularly advocate any major viewpoint on the important issue of cross-border data access, which has troubled tech companies and is one of the major challenges between China and the U.S.
Rather, it gives a summary of the recent developments and the PRC’s stance, including the Chinese government’s thinking - from a Chinese perspective, of course.
Relatedly, TikTok has apparently entered damage control mode after the influential BuzzFeed story in mid-June. TikTok’s initial response proved insufficient, and its Singaporean CEO Shou Zi Chew has written back to a group of GOP Senators (first reported by The New York Times).
In detailed point-by-point answers to each question from the GOP Senators, the eight-page letter says:
a. Has TikTok ever disclosed any U.S. user data to respond to government inquiries from the Chinese Communist Party?
b. If the Chinese Communist Party asked you for U.S. user data, what is to stop you from providing it? Can the CCP compel you to provide this data, regardless of response? Can they access it, regardless of response?
c. Has ByteDance ever responded to CCP inquiries on TikTok's behalf?
d. Has TikTok ever shared U.S. user data with ByteDance for the purpose of responding to a CCP inquiry?
A: We have not been asked for such data from the CCP. We have not provided U.S. user data to the CCP, nor would we if asked.
You may have noticed that Pekingnology has, based on my reading of Chinese official discourse, advocated an original argument that, effectively, China has promised not to ask Chinese tech companies for overseas data via Beijing’s Global Initiative on Data Security.
The bottom line is, in my opinion, the initiative provides an opening for Chinese actors - both government and private - to address foreign concerns in this regard, however ridiculous or even defamatory they think the concerns are. It’s for their own interests to concretize the message and own it - make it abundantly clear the text in the initiative first and foremost applies to the home country. And foreign actors do not stand to lose by engaging, enabling, and encouraging that to happen.
A foreign ambassador in China told me in recent days that he or she has, in a private meeting, shared it with a big Chinese company (the ambassador agreed to this disclosure here), reinforcing my confidence the initiative might be something that interested parties could work with.
The demand for cross-border data access for national security and judicial and law enforcement actions is increasing day by day, and the traditional mechanisms of international judicial assistance and law enforcement cooperation can, at the present stage, hardly adapt to the higher requirements for timeliness.
The practice of bypassing the country where the data is stored and requesting data directly from Internet enterprises outside the country has hence risen, with the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of the United States as a prime example. That has raised concerns about data sovereignty in various countries.
In particular, Internet companies, which control and process a large amount of data on a daily basis, are facing more collisions between one country’s data sovereignty and another’s long-arm jurisdiction.
I. The root of the problem of cross-border data access lies in the conflict of different interests
For the country requesting data overseas, maintaining national security and judicial law enforcement is a strong need, and official channels are often slow. It is easier and faster to make requests directly to the companies in charge of the data.
For sovereign countries, another country's access to data stored in their territory without consent is equivalent to a foreign country enforcing its own laws on their territory and violating their data sovereignty. If the data acquired by the other country reaches a certain volume, or if the data itself has attributes related to national security, it is possible that the data will be analyzed and used by foreign intelligence agencies, raising security concerns.
Internet users have given their data to a company, and the company has the obligation to ensure that their personal data security and privacy are not violated. Users are also likely to abandon the relevant products or services when they find that their data can be arbitrarily accessed by foreign governments.
In the scenario of cross-border data access, Internet companies that actually control the data find themselves having to adapt to various stakeholders in fighting crime, safeguarding data security, and protecting personal privacy. Internet companies also face the pressure of safeguarding national security and respecting national sovereignty when responding to cross-border data access requests.
U.S. Internet companies have taken the lead in making some attempts, with Microsoft Corp. vs. the United States being a classic case. In this lawsuit, which attracted worldwide attention, Microsoft, by suing in U.S. courts and effectively leading to the promulgation of the CLOUD Act, has to some extent prompted the U.S. to clarify the rules for cross-border data access.
However, the case did not solve the fundamental problems faced by U.S. Internet companies. As other countries have introduced “blocking statutes” against unilateral cross-border data access requests by the U.S., these companies are caught in legal conflicts in many countries and can only take limited mitigation measures in practice.
II. Chinese Government's Practice and Chinese Companies' Response
Based on the Chinese government's international position and domestic laws such as the《国际刑事司法协助法》International Criminal Justice Assistance Law, the《数据安全法》Data Security Law, and the《个人信息保护法》Personal Information Protection Law, companies operating in China, when receiving cross-border data access requests, should inform foreign law enforcement and judicial agencies that they should follow China’s official procedures for international cooperation, such as judicial assistance, or submit requests to the Chinese government through diplomatic channels.
From publicly available information, American courts hearing some civil and criminal cases have sometimes, in discovery procedures, requested that Chinese companies’ branches in the United States facilitate access to some data stored in China.
For example, in December 2017, when a Hong Kong company was investigated by U.S. prosecutors for allegedly violating U.S. sanctions on North Korea, the prosecutors, armed with subpoenas issued by the U.S. District Court for the District of Columbia, requested the U.S. branches of three Chinese banks to provide records of bank transactions between the Hong Kong company and a North Korean state-owned enterprise.
The U.S. Federal Trade Commission (FTC), the U.S. Securities and Exchange Commission (SEC), and other agencies may also want access to data stored in China by the Chinese companies in question for law enforcement or audit purposes. This creates a direct conflict with Chinese regulations that prohibit companies from transferring data outside of China.
In some cases, Chinese companies have chosen to sue in the American courts, raising the doctrine of 国际礼让 International Comity and requesting that the U.S. withdraw the data access request. For example, the three Chinese bank branches in the U.S. have argued that China's 《国际刑事司法协助法》International Criminal Justice Assistance Law and the《法人金融机构洗钱和恐怖融资风险管理指引》Guidelines for the Management of Money Laundering and Terrorist Financing Risks of Corporate Financial Institutions do not allow Chinese companies to provide relevant information to foreign countries and that the U.S. should withdraw the subpoenas under the International Comity doctrine.
However, judicial practice in the American courts shows that Chinese companies have mostly failed in asserting the International Comity defense, with the only success being the 2011 case Tiffany (NJ) LLC v. Andrew.
U.S. courts have tended in recent years to hold that the U.S. government's access to relevant data through official Chinese government procedures is delayed and obstructed and that Chinese companies submitting data to the United States are not subject to severe penalties under Chinese law. American courts' record in upholding International Comity has been increasingly unfavorable to Chinese companies.
The Chinese government has historically insisted that cross-border access to data should respect national judicial sovereignty and be carried out through international cooperation mechanisms such as judicial assistance.
In 2020, China's Global Data Security Initiative clearly states that
States should respect the sovereignty, jurisdiction, and governance of data of other States, and shall not obtain data located in other States through companies or individuals without other States' permission.
Should States need to obtain overseas data out of law enforcement requirements such as combating crimes, they should do it through judicial assistance or other relevant multilateral and bilateral agreements.
China’s《国际刑事司法协助法》International Criminal Justice Assistance Law, 《数据安全法》 Data Security Law, 《个人信息保护法》Personal Information Protection Law, as well as the proposed 《网络数据安全管理条例》Online Data Security Management Regulations, clearly stipulate that domestic organizations and individuals shall not provide data stored in China to law enforcement and judicial institutions outside China without the consent of the competent Chinese authorities.
In terms of data access involved in cross-border financial supervision, the 2018 《法人金融机构洗钱和恐怖融资风险管理指引》Guidelines for the Management of Money Laundering and Terrorist Financing Risks of Corporate Financial Institutions (for Trial Implementation) require that if relevant authorities outside China request corporate financial institutions within China to provide customer, account, transaction information and other relevant information for anti-money laundering and anti-terrorist financing purposes, the corporate financial institutions shall inform them to request through diplomatic channels, judicial assistance, or financial regulation cooperation. The corporate financial institutions must not transfer the data unless approved by the competent Chinese authorities.
China’s《证券法》Securities Law, as amended in 2019, provides that foreign securities regulatory authorities shall not directly conduct investigation and evidence-gathering activities within the territory of the PRC. Without the consent of the securities regulatory authority under the State Council and the relevant competent department under the State Council, no entity or individual shall transfer documents and information related to securities activities outside the country.
III. Solutions beyond the "CLOUD Act" model
The existing "official-to-official" mechanisms such as mutual legal assistance can hardly meet the needs of cross-border data access, and the CLOUD Act model is suspected of infringing on the sovereignty of other countries, so the international community urgently needs to find a new solution.
Existing discussions have focused on how to simplify traditional law enforcement assistance procedures by combining the characteristics of electronic data, and how to realize the online exchange of data and judicial documents to shorten the time for cross-border transfer.
At present, this seems to represent the Chinese government's thinking on how to solve the problem of cross-border data access. In 2021, the Chinese government submitted written comments to the seventh meeting of the United Nations intergovernmental expert group on cybercrime that suggest States
establish a quick response mechanism and communication channel for judicial assistance and law enforcement cooperation in combating cybercrime, and consider enabling online exchange of legal documents and electronic evidence supported by electronic signatures and other technical means.
The quick response mechanism and communication channel for judicial assistance and law enforcement cooperation is in fact a summary procedure, and the essence is to appropriately simplify the internal review process of the existing official procedures based on the nature of the crime, the characteristics of the data requested, and other factors.
There are some experiences worthy of reference in this regard. For example, the 24/7 Network mechanism of the Budapest Convention [Council of Europe Cybercrime Convention of 2003] has been well received and was even heavily incorporated into the draft convention submitted by Russia to the Ad Hoc Committee of the UN Convention against cybercrime.
In November 2021, the Council of Europe adopted the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence which introduced for the first time "video conferencing," allowing the requesting state to obtain witness testimony from witnesses or experts through videoconferencing with the participation of competent authorities from both sides, with the consent of the requested state. That is a breakthrough from the traditional mechanism of obtaining witness testimony across borders and improves the efficiency of deposition.
The exchange of judicial documents and data through the Internet, instead of transnational delivery in the form of paper documents or storage media, can undoubtedly save time in judicial assistance. Due to the security risks of the online environment and the data’s susceptibility to tampering, ensuring the originality, identity, and integrity of evidence is critical.
In this regard, blockchain provides a solution that can use technology and algorithms to act as a virtual third party to record the data…so that any changes to the data thereafter can be discovered and verified as original data, which provides a technical guarantee for data and judicial documents in the process of online transfer.
The issue of cross-border access to data in judicial and law enforcement scenarios is of great concern to all countries, but the relevant international rules have been fragmented. Different camps of countries insist on markedly different ideas. That is not conducive to safeguarding the national security of all countries nor to the global development of Internet enterprises as an important engine of the digital economy, and the international community urgently needs a better solution.
From February 28 to March 11, 2022, the Ad Hoc Committee UN Convention against Cybercrime held its First Session in New York. The meeting adopted the structure of a comprehensive international convention and the road map and mode of work of the Ad Hoc Committee. Finalization and approval of the draft text of the convention are planned by February 2024. By that time, countries are expected to have concluded institutional arrangements for cross-border data access via negotiations.
In the current international environment, the negotiation of the convention is bound to be intertwined with political and legal challenges and compromises. Solving the highly complex and sensitive issue of cross-border data access will not be easy.
In any case, it is worth looking forward to whether the Chinese government can propose a solution, in the negotiation of the convention, that can enhance the efficiency of cross-border data access while taking into account data sovereignty and data security, and find an alternative to the "CLOUD Act" model for the international community.
(This article, by Zhang Peng, was published in the third issue of《中国信息安全》China Information Security in 2022. The journal is published by the 中国信息安全测评中心 China Information Technology Security Evaluation Center.)
Again, I invite you to read Pekingnology’s original argument that China has promised not to ask Chinese tech companies for overseas data, via Beijing’s Global Initiative on Data Security.