Analysis | Will China’s new data security laws complicate Beijing’s move to join Pacific Rim trade pact?

Some members of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership are expected to demand that China modify its laws
The multilateral trade deal covers a combined market of about half a billion people and roughly 13.5 per cent of the global economy

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)

Xinmei Shen

Published: 11:00pm, 21 Sep, 2021

Why you can trust SCMP

Beijing’s bid to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a multilateral trade pact covering modern issues such as digital trade, could prove complicated because of China’s new data security laws that restrict cross-border flows of information, according to a government researcher.

Some members of the CPTPP are expected to demand that China modify its laws and policies to meet the trade pact’s standards, according to a recent article published on WeChat by Xu Chengjin, an associate researcher at the Ministry of Industry and Information Technology (MIIT).

China last week formally applied to join the CPTPP, which includes Australia, Canada, Japan, Malaysia, Singapore and six other countries. Established in 2018, this multilateral trade deal has commitments to labour and environmental protections, and rules to prevent market distortion by state enterprises, protect intellectual property and govern financial services in a combined market of about half a billion people and roughly 13.5 per cent of the global economy.

“Japan will almost certainly challenge China based on CPTPP’s cross-border data transfer provisions,” Xu wrote. “China can accept the CPTPP’s rules on cross-border data flows, but needs to consider compliance matters when formulating detailed security assessment rules on overseas data transfers.”

07:30

Why China is tightening control over cybersecurity

Beijing’s application to join the CPTPP comes amid China’s implementation this year of new rules and regulations restricting cross-border data flows and enforcing data localisation. These are covered by the Data Security Law (DSL), which took effect on September 1, and the Personal Information Protection Law (PIPL) that will be in force from November 1.

The PIPL, for instance, stipulates that if a company needs to move data beyond the country’s borders, it must pass a security assessment by internet watchdog the Cyberspace Administration of China. Handing data over to foreign law enforcement also requires explicit approval from the Chinese government under this law.

Whether China will be accepted into the CPTPP remains unknown, as Beijing faces a tall order to convince all 11 member-countries of this Pacific Rim trade pact.

In her article on WeChat, MIIT’s Xu wrote that China’s requirement for a security assessment before allowing data to be moved overseas is a mechanism that is unique to the country, which is expected to be tested for exceptions under the CPTPP. Still, Xu said she was “optimistic” about that mechanism passing the test.

China’s bid to join trade pact ‘may fail, but has benefits’

The CPTPP treaty recognises that each country has its own regulation concerning cross-border data transfer, but it also stipulates that all countries should allow cross-border transfer of information for conducting business.

Members can each adopt restrictive measures to achieve a “legitimate public policy objective”, except if the restrictions “constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction” or are “greater than are required to achieve the objective”, according to the trade pact.

The CPTPP’s member-countries are expected to take time negotiating the specifics around such issues in accession talks and to test the application of the agreement in practice, according to Clarisse Girot, director for Asia-Pacific at non-profit organisation Future of Privacy Forum, who said the above exceptions are likely to raise complex interpretations.

“At this stage, it is not possible to categorically conclude that China’s cross-border data policies are at odds with the CPTPP,” said Girot, while indicating that the 15-nation Regional Comprehensive Economic Partnership (RCEP) has similar provisions and exceptions that Beijing has agreed to.

03:29

RCEP: 15 Asia-Pacific countries sign world’s largest free-trade deal

The RCEP, considered to be the world’s biggest free-trade pact, is an agreement that excludes the United States and extends Beijing’s economic sway in the Asia-Pacific region.

“We can imagine that China wouldn’t make a formal announcement [to join the CPTPP] if its leaders didn’t have some sense on how to navigate these complex discussions,” Girot said.

While putting in place strong protection, China’s new data security laws also aim to facilitate the international flow of information – something that is contrary to popular perception, according to Carolyn Bigg, a partner at the multinational law firm DLA Piper in Hong Kong.

“One of the main stated aims of the PIPL is to facilitate the continued flow of data around the world,” Bigg said. “As such, I don’t see there being a conflict between the PIPL and China looking to take this step [to CPTPP membership] at all.”

She indicated that China’s new data security laws have made it more straightforward for businesses on how to share data across borders, provided that they take certain steps to ensure compliance. As an example, she cited a specific provision in the PIPL that provides certain circumstances when Chinese authorities can share personal data overseas.

“So I actually think all of these [data laws] align very nicely,” Bigg said.