Data is the lifeblood of the digital economy. It is also an arena of competitive maneuvering as both China and the United States seek to gain a leg-up in key data-enabled industries that will define the Fourth Industrial Revolution. President Xi Jinping has spoken of the profound changes in production processes, lifestyles and social governance methods being introduced by the revolution in data, and has emphasized the need to deepen the integration of Internet, Big Data and artificial intelligence with the real economy. For his part, U.S. National Security Advisor Jake Sullivan has alluded to data-enabled technologies as a “force multiplier” technology that will be particularly important over the coming decade. Based on the imperative to reap the benefits of digitization, both China and the United States have approached the digital frontier ambitiously. They have also approached this frontier differently. On the “3S” factors – sovereignty, supervision, and security – the are key to unlocking and securing the value of data, the approaches of China and the U.S. bear far greater dissimilarity than similarity.
China is unique in its farsighted treatment of data as a standalone “factor of production.” The approach to data governance and cybersecurity has been top-down and state-driven. It is also comprehensive and aims to strike a delicate balance between the at-times competing considerations of security, privacy, inclusion, and commerce. In the area of privacy and personal information protection, the approach has been prescriptive. While most non-personal data is more-or-less allowed to freely cross borders, personal data can only flow freely across borders if the destination State is deemed to possess a comparable data protection regime with in-built safeguards. The security assessment through which such data must pass, particularly with regard to sensitive and other ‘important data’, is also wide-ranging and stringent (although not targeted at any particular adversary country, as such). The overall goal of the central leadership on data governance and cybersecurity is to chart out the long-term parameters of a deep, liquid and open marketplace where data elements can be traded seamlessly on the basis of efficiency and trust at home and across borders while guarding against is misuse, abuse or weaponization against the state.
The United States’ approach to data governance, by comparison, has been far more laissez-faire and private sector led. On the one hand, the U.S.’ regime is fiercely protective of the right to unimpeded flows - including unimpeded cross-border flows – of data. The stance on digital market access is aggressive and the nature of regulation light-touch. Aside from narrow security and law enforcement exceptions, such as the denial of transfer of sensitive data to foreign adversaries as well as unconditional access to the data of U.S. jurisdictional subjects that maybe stored overseas, data is allowed to move unencumbered. No material distinction is made between the handling of personal and non-personal data. On the other hand, the country lacks a comprehensive data protection and privacy regime at the national level. A “patchwork” of federal and state laws exists, which - accompanied by U.S. Federal trade Commission rulings, industry-specific privacy obligations, and agency-level data protection standards - create an entanglement of data-related rules nationwide.
The differing vision, and approaches, to data governance and cybersecurity in China and the United States has stymied the development of cross-border data flow rules at the multilateral level. Until greater harmony in domestic regulatory frameworks is achieved, especially in their respective security and privacy frameworks, the effort to inscribe liberalized cross-border digital trade rules will remain a difficult proposition at the global level. In this context, regionalization is becoming the less-than-ideal alternative. Regional frameworks such as the Digital Economy Partnership Agreement (DEPA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) are gradually establishing themselves as the de facto ceilings in terms of rule-setting on cross-border data governance. Premised on this development, the United States and China could explore potential opportunities for collaboration in the field of cross-border data flows via third party frameworks – although it is important to point out that it will not be easy for either party to overcome the many barriers and find ways to align their approaches even on parallel platforms.
The same is true with the case of (lack of) cybersecurity cooperation. In recent years, cybersecurity has become an increasingly important component of data governance. Triggered by frequent ransomware attacks, data leakages and other security incidents, data is increasingly affecting social stability, economic development and national security directly. Organizing a global consensus around core cybersecurity rules has been hard to come by however, and the various proposals and initiatives that have been floated are typically couched in voluntary, non-binding terms. Global rulemaking on cybersecurity will, willy-nilly, have to evolve via a patchwork of rules and standards that are enforced nationally - or, at best, regionally. The overarching hope remains that, as with the case with cross-border data flows, a convergence of cybersecurity norms among the large digital ecosystems can be realized. And that in the absence of such a convergence, a rudimentary coexistence between these ecosystems could at minimum be fashioned.
Paving the way for purpose-fit data governance rules and norms that address the digital policy challenge, both at the U.S.-China level and at the global level, will remain a challenging endeavor for the foreseeable future. Given the profound importance of data to 21st century lifestyles and social, industrial and economic processes however, this search for convergence in global, regional and bilateral governance rules and norms must proceed with wisdom and determination.