Today, China's Cyberspace Administration (CAC) released a “Global Cross-border Data Flow Cooperation Initiative” at the 2024 World Internet Conference held in Wuzhen, Zhejiang Province (Wuzhen Summit).
The Chinese government had previously released the "Global Initiative on Data Security" (GIDS). At that time, during Trump's first term, mutual trust between China and the United States in the field of data security was increasingly lacking. Multinational companies operating in both China and the U.S. faced growing distrust and regulatory pressure regarding data security in each other's countries.
In particular, clauses concerning intelligence assistance and government access to data in China's National Intelligence Law and National Security Law raised significant concerns for the U.S. government. The U.S. government believed that these laws would allow data collected overseas by Chinese companies like Huawei to fall into the hands of the Chinese government.
The root of this mistrust lies in the weakening of political mutual trust between the two sides, and significant changes in their judgments of the international strategic environment, with both emphasizing national security more. China's data legislation mainly focuses on national security. The Biden administration's national security strategy report explicitly states that China is the "most serious geopolitical challenge" facing the United States, and the next decade is the "decisive decade" for competition between the U.S. and China. In the context of U.S.-China competition, geopolitics and data security are unprecedentedly intertwined, and companies operating across borders in both countries have thus borne huge compliance and reputational costs.
In response to criticisms from the U.S. and its allies about China's data security issues, the Chinese Ministry of Foreign Affairs (MOFA) responded through spokespersons, but to little effect. In 2019, MOFA released the GIDS, which explicitly promised not to require Chinese companies to provide overseas data to the Chinese government. It also called on other countries to do the same, ideally implementing it as a legally binding international agreement. Subsequently, China signed bilateral joint statements with the Arab League and the African Union based on the GIDS, but Western countries gave almost no response.
This time, the new data initiative released at the Wuzhen Summit is not led by MOFA like the GIDS but is handled by the CAC. The initiative overlaps with the GIDS in some aspects but does not touch on the issue of government access to data. It focuses more on condensing China's legislative and enforcement practices in the field of cross-border data flow over the past few years into China's international stance. Overall, this is a carefully designed position paper, released simultaneously in Chinese and English. Although it does not propose new ideas, it systematically summarizes China's international stance on cross-border data flow issues and also showcases the CAC's ambition as China's top cyber regulator in the field of global data governance.
Below is the full text of the initiative. I will attempt to provide brief interpretations of some important provisions:
As digital technologies increasingly permeate every aspect of daily life and production, the global digital economy has experienced rapid development, with digital societies emerging as new spaces for sharing the progress of human civilization. As an essential element in the digital economy, data is playing an increasingly important role in innovative development and public governance. Cross-border data flows are vital to e-commerce, digital trade, and various aspects of global economic, technological and cultural activities. It can reduce trade cost, enhance companies' capacity to engage in international trade, facilitate trade processes, accelerate industrial digitalization, bridge the digital divide, and foster a new type of globalization driven by data flows. Currently, the international community is actively exploring and establishing global rules and order in the digital sphere. Bilateral and multilateral efforts such as the Global Digital Compact by the United Nations, negotiations on e-commerce at the World Trade Organization, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, and the Digital Economy Partnership Agreement exemplify the shared willingness of and choices made by countries and regions worldwide to promote cooperation on cross-border data flows.
The preface mainly consists of two parts. The first part highlights the importance of cross-border data flows to e-commerce, digital trade, and economic, technological, and cultural exchanges. The second part names the fora recognized by China for discussing and formulating international rules on cross-border data flows.
We noticed that, while promoting global cross-border data flows, countries are primarily concerned with risks related to national security, public interests, personal privacy, and intellectual property. We believe that the international community should fully respect the different policies and practices adopted by various countries and regions based on their specific conditions. It is crucial to pay heed to each party's concerns regarding data security and development and to work toward building consensus on cross-border data flow rules through consultation among countries and regions.
This points out the possible legitimate concerns acknowledged by China for restricting cross-border data flows: national security, public interests, personal privacy, and intellectual property protection. It emphasizes that the establishment of international rules for cross-border data flows should be based on the state practices of sovereign nations (different policies and practices adopted by various countries and regions based on their specific conditions), and the rule-making process should be based on "consultation."
We call on all countries to uphold principles of openness, inclusiveness, security, cooperation, and non-discrimination, balance the promotion of digital technology innovation, the development of the digital economy, and the advancement of digital society with the protection of national security, public interests, personal privacy, and intellectual property, and foster cross-border data flows while ensuring that each country's legitimate policy goals are met. We hope that governments, international organizations, businesses, and civil society will adhere to the principles of extensive consultation, joint contribution, and shared benefits. By playing their respective roles, they can promote global cooperation on cross-border data flow, jointly build a mechanism to ensure efficient, convenient and safe cross-border data flow and an open and mutually beneficial landscape for international cooperation in the data sphere, and ensure that the benefits of digital advancements are shared by people worldwide.
This proposes the basic principles that cross-border data flows should follow. President Xi Jinping, in his speech at the first session of the 19th G20 Summit on the topic of "Combating Hunger and Poverty," emphasized that APEC countries should "create an open, inclusive, and non-discriminatory environment for international economic cooperation."
The concept of "legitimate public policy objectives," which comes from the CPTPP, and the principles of "extensive consultation, joint contribution, and shared benefits," which come from the idea of a community with a shared future for mankind, are incorporated into the initiative.
To make this happen, we suggest the following:
——Governments should encourage electronic cross-border data transmission to meet the needs of business and social activities. This will help global e-commerce and digital trade serve as new drivers for economic growth and sustainable development.
This provision is based on Article 3 of the "Provisions on Promoting and Regulating Cross-border Data Flows": Data collected and generated during activities such as international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, and marketing, which do not include personal information or important data when provided abroad, are exempt from applying for data export security assessments, signing personal information export standard contracts, or obtaining personal information protection certification.
——Governments should respect the regulatory differences of various countries and regions in cross-border data flows. They should support free data flows that do not violate national security, public interests, and personal privacy. Regulations on cross-border data flows should be permitted when they aim to achieve legitimate public policy objectives on the premise that such regulatory measures do not constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on international trade, and do not cross the limits of the goals they seek to achieve.
This provision again limits the "legitimate public policy objectives" for restricting cross-border data flows to "national security, public interests, and personal privacy." The latter sentence basically repeats the CPTPP's provisions on cross-border data flows without adding anything new.
——Governments should respect security measures taken by all countries in accordance with their laws to protect non-personal data related to national security and public interests, and ensure the secure and orderly cross-border flows of relevant non-personal data.
This provision separately raises the issue of cross-border flows of non-personal data. On August 27, 2024, China's CAC Deputy Director Wang Jingtao and Sabine Weyand, Director-General of the European Commission's Directorate-General for Trade, held a video conference to jointly announce the establishment of a China-EU exchange mechanism on cross-border data flows. The two sides also held the first meeting of this mechanism, having candid, in-depth, and constructive exchanges on specific issues concerning cross-border data flows for enterprises and regulatory frameworks for cross-border data flows.
This meeting did not involve personal data (personal information) issues but focused on non-personal data. Non-personal data includes data protected by intellectual property or trade secrets, as well as so-called "industrial data." The rapid expansion of digital services such as artificial intelligence, the Internet of Things, and 5G-supported ICT systems generates massive amounts of non-personal data. Cross-border trade between China and the EU also involves a large amount of cross-border transmission or access to such non-personal data, especially in the digital economy, e-commerce, and information technology sectors. It can be said that the cross-border flow of non-personal data is unrelated to fundamental rights such as personal privacy but is closely related to international trade, which is why the European Commission's Directorate-General for Trade, responsible for EU trade policy, took the lead in exchanges with China.
In terms of non-personal data, as the GDPR gradually establishes its status as the standard for cross-border personal data flows, the European Commission has begun to shift its attention to establishing rules for cross-border flows of non-personal data. The EU recognizes the important role of the free flow of non-personal data within the European Economic Area in achieving data-driven growth and innovation and has successively adopted the Data Governance Act and the Data Act. Although their focus differs (the former emphasizes promoting non-personal data sharing between the public and private sectors, while the latter emphasizes access rights to non-personal data for enterprises, the public sector, and consumers), the main purpose of both laws is to promote the free cross-border flow of non-personal data among member states within the EU to build a "European single market for data," enhancing the EU's overall innovation and competitiveness. Overall, the EU currently vigorously promotes the free flow of non-personal data within the European Economic Area (especially within the EU Digital Single Market) and strictly restricts measures that limit it, while proposing some requirements for non-personal data flowing from the EU to third countries outside the European Economic Area.
China does not have the concept of "non-personal data," but the "Cybersecurity Law" and "Data Security Law" stipulate separate protection measures for "important data." Important data collected and generated within the territory of the People's Republic of China that needs to be provided abroad should undergo a security assessment organized by the national cyberspace administration.
Both Tianjin and Beijing have refined regulations on important data in specific industries (especially automotive, pharmaceuticals, civil aviation, and artificial intelligence). Notably, the management measures in the Beijing Free Trade Zone focus on five areas: automotive, medical, artificial intelligence, civil aviation, and retail. They provide precise descriptions of methods for identifying important data at the field level and even at the data field level, aiming at the most urgent and practical needs of enterprises and building on the existing management system.
On September 24, 2023, the State Council issued the administrative regulation "Regulations on the Management of Network Data Security," defining important data as "data in specific fields, specific groups, specific regions, or reaching a certain precision and scale, which, once tampered with, destroyed, leaked, or illegally acquired or used, may directly endanger national security, economic operation, social stability, public health, and safety."
On March 22, 2023, the CAC issued the "Provisions on Promoting and Protecting Cross-border Data Flows," whose Article 2 states: Data processors should identify and declare important data in accordance with relevant provisions. Data not notified or publicly released as important data by relevant departments or regions does not need to be declared for data export security assessment as important data. This provision was further absorbed by the higher-level "Regulations on the Management of Network Data Security," providing clearer guidance for enterprises' data export compliance work concerning important data.
Overall, this provision is still based on cyber sovereignty and data sovereignty, emphasizing respect for each country's regulatory authority over non-personal data involving national security and public interests.