The purpose of global free trade agreements is to create comprehensive rules of the road that transcend borders, lower trade barriers, and create new opportunities for market access and innovation. Signed on March 8, 2018, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) is one such agreement. Currently signed by 11 Pacific-Rim countries, CPTPP covers a range of trade areas, including a significant focus on ecommerce, reflecting the growing importance of digital trade to global economic growth.
The role of data policy
The rapid proliferation of data-driven trade raises several questions for the international community. Paramount among those is the question of data management—what are appropriate standards for data storage and transferring data across borders? International agreements, along with domestic legislation, will dictate the global principles regarding the treatment of data far into the future.
The free flow of data promotes innovation, encourages global operating models, and allows for economies of scale, making it crucial to facilitating modern trade and promoting regional economic growth. Digitally-oriented provisions of multilateral agreements, including CPTPP, codify this principle. But as CPTPP is taking off, individual countries are also creating their own standards and principles regarding data, a process that has brought to light differing priorities within high tech economic development and data security. China, while not a member of CPTPP, has formally expressed interest in joining the CPTPP and other digitally oriented FTAs, while simultaneously working to implement its seminal cybersecurity, data, and privacy laws and regulations at home.
Why China’s interest in CPTPP matters
Admittance into CPTPP requires consensus among existing signatories. Several have already expressed concerns around China’s trade practices and are unlikely to agree to its admittance outright, regardless of the domestic implementation of its data regime. To be clear, China is commonly regarded as having one of the most restrictive data regimes in the world. However, China’s persistent interest in and pursuit of international trade agreements is a reflection of its attitude to international rules of the road for data governance and it is worthy of examination.
On March 1, Ministry of Commerce Vice Minister and Deputy China International Trade Representative Wang Shouwen reaffirmed China’s interest in joining the agreement and claimed that China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law—the three laws undergirding China’s burgeoning data, privacy, and cybersecurity regime—are consistent with CPTPP’s ecommerce regulations.
If China’s regime does not embrace the same data principles as CPTPP, then where does its interest in and optimism around joining CPTPP come from?
Evaluating if Wang’s assessment is accurate could provide early indicators of how China will approach key issues within its domestic data regime, which is still nascent. This includes elements that pose acute concerns for foreign businesses operating with a global operational model, particularly, data localization requirements and restrictions on the cross-border transfer of data. China directly links data with its own national security, meaning regulation is centered on the idea that the government should direct company data practices, rather than focusing on an individual’s right to control how their data is used. Companies that run afoul of China’s regime stand to not only face fines and civil penalties, but criminal charges and repercussions for individual members of leadership.
Comparing China’s data regime with CPTPP rules
CPTPP unequivocally states that open data flows and a flourishing ecommerce environment are essential to global growth. Provisions in the agreement aim to minimize cross-border data restrictions, the use of data localization, and discriminatory practices. However, the agreement allows for broad exceptions for national security, government data, and legitimate public policy purposes. The latter element has the largest room for interpretation, potentially providing China with enough leeway to argue that any and all of its data restrictions should be accepted without adjustment.
- Mandatory data localization: CPTPP prohibits requiring data localization as a precondition for doing business in a member country. With that principle in mind, China’s requirements to localize systems under its domestic multi-level protection scheme or important data systems clearly run counter to this article. However, exceptions within CPTPP allow for countries to develop their own security and confidentiality standards for computing facilities and China is likely to invoke this exception.
- Limits on cross-border transfer are vague: CPTPP member countries must allow free cross-border data flows for legitimate business purposes, but the limits on how members can screen and potentially restrict data flows are open to interpretation, leaving wiggle room for countries like China. China requires government-led assessments of cross-border transfers of personal information and important data before the fact, unless the sender and receiver of the data have signed a government-approved agreement or the sender has been certified through a government process as a party with “good” cybersecurity practices. Under CPTPP, countries can only conduct transfer reviews to achieve “legitimate” public policy objectives, and this must be done in a non-discriminatory fashion and kept to an absolute minimum. Whether Chinese legislation meets any or all of these restrictions is open to the interpretation of existing CPTPP members. Some members of the business community believe that elements of China’s data and cybersecurity regime, like volume-based restrictions on the transfer of personal information and the potentially sweeping definition of important data, fail the absolute-minimum test. In addition, as China’s system requires security reviews for cross-border data transfers but not for domestic transfers, one could argue that China’s data regime violates CPTPP’s anti-discriminatory rules.
- Security exceptions play into China’s data sovereignty narrative: Chinese regulators can also argue that the exception clauses within CPTPP legitimize any restrictions on cross-border data transfer. Chapter 32 states that an “essential security exception” can be invoked to defend data security reviews and the prohibition of data transfer. “Essential security,” as with most broad concepts of security, leaves much up to interpretation. In the Chinese context, social, economic, and political security are often considered matters of national security, which extends far beyond the conceptualization used in other contexts.
In reality, CPTPP’s cyber and data rules leave wide latitude for individual member countries to argue for exceptions based on national security needs and to serve public policy objectives. With all of these elements in mind, and simply based on the letter of the agreement, it is unlikely that China would be required to significantly adjust its legal framework around data processing and security to join CPTPP, though its ability to invoke exceptions will be determined by existing member countries. Whether or not China’s economy meets the myriad of other CPTPP requirements beyond digital trade is also an open question.
If China’s regime does not embrace the same data principles as CPTPP, then where does its interest in and optimism around joining CPTPP come from? Possible explanations include a desire to push for domestic reforms, an interest in further global economic integration and access, and/or intentions to shape global norms through China’s own participation.
CAC’s enduring influence suggests that China’s interest in CPTPP does not reflect a pro-business win over the pro-state data control camp.
There is evidence to suggest that Chinese regulators hold a diversity of views regarding the appropriate direction of cyber and data policy, with some pro business–minded camps arguing against data policy overreach. This seems to suggest that some factions are wary of the oversized reach of agencies like the Cyberspace Administration of China (CAC). However, the reality is that CAC holds a direct line to seats of power. CAC’s enduring influence suggests that China’s interest in CPTPP does not reflect a pro-business win over the pro-state data control camp.
A desire for global economic integration perhaps provides a partial explanation, but doesn’t answer the questions of “why now?” and “why digital trade?” Digital trade is clearly a priority area for Chinese economic development, with digital solutions being promoted across sectors and within government services. However, in terms of global economic participation, China has, by and large, opted for partial integration into global economic frameworks and systems like the World Trade Organization, the International Monetary Fund, and others. Additionally, much of China’s economic outreach is accomplished bilaterally or via its own trade initiatives. As a result, the argument that Chinese policymakers view CPTPP as the next answer for continued growth and development seems implausible, though it undoubtedly will provide some economic benefits.
Participating in agreements like CPTPP to shape regional and global norms and assert China’s own data rules as a counter to other models is likely another motivation. An examination of China’s data regime suggests that Chinese regulators are unlikely to push for fewer data controls given that their own approach emphasizes state engagement. China’s confidence in its compliance with the data-related elements of CPTPP reflect a shortcoming of international trade agreements. Where the text falls short, adherence to guiding principles is ultimately defined by the countries who join these agreements, a feature that China will also have to contend with.