An Update on Chinese Cybersecurity and the WTO
In recent years China has crafted a significant body of domestic cybersecurity laws, regulations and standards. As I have previously outlined, a number of World Trade Organization members, led by Japan and the United States, have argued that portions of China’s cybersecurity regime conflict with its commitments under the General Agreement on Trade in Services (GATS). Developments in China’s cybersecurity regime and minutes from June and October WTO Services Council meetings suggest that Chinese cybersecurity regulations deserve a second look.
China and the GATS
The GATS, which came into force in 1995, created international trade rules for the services sector. It contains a framework agreement with general rules for trade in services, and it includes specific “schedules” listing individual member commitments on access to their domestic service markets. Two principles are foundational to the GATS: market access and national treatment. First, members commit to opening their domestic services markets to foreign commercial entities. Importantly, these commitments are not intended to infringe on a member’s “right to regulate services and … do not oblige Governments to permit the entry of unlimited numbers of services suppliers.” Lawful market access restrictions under the GATS can include limits on the number of service suppliers, total value of transactions, number of employees, and types of legal entities permitted entry. Second, national treatment obligations can also be regulated by GATS members. When members open up specific services sectors to international competition, national treatment requires that foreign suppliers be treated in the same way as domestic suppliers. For sectors not opened to international competition, however, there is no such obligation. In fact, there are “no restrictions on the number or types of conditions which may be attached to national treatment commitments. A requirement that foreign banks wishing to establish in the country should set up branches in every village, for example, would also be perfectly legitimate.” When assessing a member’s compliance with GATS’ national treatment obligations, therefore, it is essential to first see if that sector has been opened for international competition in a member’s GATS schedule.
China last updated its GATS schedule in 2004. For our purposes, this most recent schedule outlines the extent of China’s market access and national treatment restrictions regarding: data process services, value-add telecommunications services, and domestic and international mobile voice and data services. Value-add telecommunications services include email, online information and database retrieval and exchange, and online information or data processing. China has specified that there are no restrictions on the cross-border supply, consumption abroad, or commercial presence of foreign data processing services. For the remaining three categories of services, China currently only requires that foreign firms form joint ventures with at least 50 percent Chinese ownership if they wish to engage in cross-border supply or be physically present in mainland China.
What does China’s cybersecurity regime have to do with it?
Criticism at the Council for Trade in Services has focused on China’s Cybersecurity Law, and in particular, definitions of and standards for handling critical information infrastructure, personal information and important data.
Relevant laws and regulations (e.g., the Cybersecurity Law and National Security Law) have identified a number of sectors included in China’s understanding of critical information infrastructure, including public communication and information services, finance, healthcare, and cloud computing. However, Samm Sacks, Paul Triolo and Graham Webster assess that “regulators appear to maintain significant freedom to interpret the reach of CII [critical information infrastructure]—likely in a very broad way.” Important data appears to be construed as any personal or business data that the Chinese government believes might endanger its national or societal security. Under the Cybersecurity Law, personal information and important data gathered or produced by operators of critical information infrastructure must be stored within mainland China. The Cybersecurity Administration of China is also charged with conducting a security assessment for firms handling personal information or important data, though the threshold for triggering this process has been increased and certain provisions for implied consent regarding personal information have been added.
WTO members have taken markedly different approaches to criticizing China’s cybersecurity regulations. Between the Council for Trade in Services’ June and October meetings, nine members spoke to China’s Cybersecurity Law, including the United States, Japan, South Korea, Australia, Taiwan, the European Union, New Zealand, India and Brazil.
The United States and Japan have been the most vocal in their criticism. Japan singled out data mobility restrictions on personal information and important data collected by critical information infrastructure operators. Its representative argued that the definition of critical information infrastructure was overly broad and vague, which could affect the operations of foreign firms operating in industries China specified as open in its GATS schedule. Japan also pointed out that, “foreign operators could be compelled to bear the additional burden of establishing a separate server inside China for the purpose of storing personal information and important data” in violation of China’s national treatment obligations. Japan also raised a number of more specific concerns, including uncertainty as to inspection criteria and the scope of responsibility for network operators. As discussed in my last post, these concerns track U.S. critiques articulated in a separate white paper released in September asking China not to implement its Cybersecurity Law.
The European Union representative had much narrower concerns. It began by noting that China’s cybersecurity law “laid out dispositions for the safety of network operations and network information, which the EU considered to be valid objectives.” Furthermore, the European Union reminded other members that, “the protection of personal data was a fundamental right that was enshrined in Article 8 of the EU Charter of Fundamental Rights. As such, her delegation considered that any member was entitled to devise measures to protect the personal data of individuals.” Given these principles, the European Union only objected to the concept of important data, which its representative found to be defined “in an overly broad manner.” Again, the concern here is that vague standards would, as a practical matter, place foreign corporations in a less competitive situation.
Other countries largely echoed some combination of these concerns. Australia, for example, noted that, “the location where data were stored did not make data more secure from disclosure.” New Zealand also found that data localization requirements “risked impacting the conditions of competition for foreign firms.” Taiwan reiterated the same concerns while also noting that all members have an obligation to promptly inform the Services Council on changes to its laws. India and Brazil made slightly different points. India, for example, stated that it “might revert to the issue with more detailed comments at a later stage” but “wished to inform the membership that Indian service suppliers faced barriers similar to the ones outlined in the US communication in some other members as well.” Brazil’s delegate said that, “it was very important to discuss whether issues such as cybersecurity, data flows or privacy could be addressed under existing WTO rules or whether new rules were needed.”
China responded to these critiques by arguing that “[s]afeguarding cybersecurity to ensure national security and protect the immediate interests of the general public was critically important and a legitimate regulatory right that any member was entitled to.” More specifically, the Chinese representative argued that the above criticism reflected widespread misunderstandings of its cybersecurity regime. For example, China pointed out that data localization was only required of critical information infrastructure; security reviews were only required for personal information or important data collected within mainland China; important data only includes data important to the Chinese State; mechanisms existed for allowing cross-border data transfers; personal information could be transferred after consent was given; and consent was presumed for international calls, emails, and cross-border purchases. Finally, China also averted to the fact that all its laws were open for comment during the drafting process and that when creating it’s cybersecurity review system “China had drawn upon the practice of other WTO members.”
Vietnam’s Cybersecurity Law
During the October Service Council meeting, a number of members also criticized Vietnam’s draft cybersecurity law. Japan objected to provisions requiring foreign firms to establish an office and local data server to operate within country, again given Vietnam’s national treatment obligations. The United States also found that “it was unclear what kinds of service suppliers would be affected or what steps they would need to take in order to comply.” In response, the Vietnamese delegation largely sidestepped the issue, arguing that, “he did not wish to prejudice the outcome of the debates at the National Assembly.” The representative did note, however, that “it was expected that all genuine stakeholders’ interests . . . would be taken into account.” A public report from Baker McKenzie suggests that significant changes are being made, though perhaps not in the direction desired by Japan or the United States. In its most recent draft (January 2018) the very broad server localization provision was replaced by a requirement that only data from Vietnamese users and “other important data” collected or generated from Vietnam’s cyber infrastructure be stored in country—quite similar to provisions in Chinese law.
Debates over China and Vietnam’s cybersecurity laws at the WTO are reflective of a global contest between starkly divergent visions for data privacy. In one camp are countries like China and Vietnam, which use an expansive understanding of cyber sovereignty to justify more restrictive treatment of cross-border data flows. In another camp are countries like the United States, which has no unified federal legal regime concerning data privacy and cybersecurity. In yet another camp are entities like the European Union that, under the General Data Protection Regulation, have increased EU citizens’ rights over their digital footprint. The fault lines between these camps are still inchoate. China’s assertion that its cybersecurity review system “draw[s] upon the practice of other WTO members” uses the EU regime to justify China’s more restrictive provisions. India’s comment that its companies faced similar obstacles in “other member” jurisdiction just as easily uses the Chinese regime to criticize the EU’s data privacy protections. Given that these debates go much deeper than adherence to their GATS schedules, it may be worth exploring whether a broader conversation on digital privacy, not masquerading in the language of trade law, is necessary.