China has the most restrictions on cross-border data flows, says Washington think tank
- Keeping data within borders, a growing trend among countries around the world, hurts economies, Washington think tank ITIF argues in report
- The report says that China is the most data restrictive country in the world, with 29 data localisation policies
China, with 29 data localisation policies, is the most restrictive country when it comes to cross-border data flows, according to a report by Washington-based think tank Information Technology and Innovation Foundation (ITIF).
While keeping data stored domestically is becoming a trend among governments around the world, the effort is “self-defeating” as restricting data flows would damage economies by inhibiting trade, lowering productivity and raising prices for downstream industries, the report said.
The think-tank also recommends a “Geneva Convention for Data” between US and its allies such as Canada, the UK and Japan, as a common framework for data-sharing, excluding data-restrictive countries such as China, Russia, and the European Union.
The report comes at a time when more governments are introducing rules to regulate the flow of data across their borders. The ITIF found that 62 countries have now imposed 144 data localisation measures, nearly double the number in 2017, when 35 countries enacted 67 such restrictions.
China cites sovereignty issues when imposing regulations to keep key data within its borders. US firms from Apple to Tesla are required by Chinese law to store the data of their Chinese consumers in China. Meanwhile, Washington is enhancing scrutiny over Chinese apps’ access to the data of American users.
Lu Chuanying, director of the international cyberspace governance centre at the Shanghai Institutes for International Studies, said countries around the world are imposing data borders in the name of national security as data is considered a new strategic resource.
“Many countries want their data stored locally so that [it] doesn’t become other countries’ production factor for free,” Lu said.
China is ahead of the curve with 29 such measures, followed by 12 in India, nine in Russia and seven in Turkey, according to the ITIF report.
Under the law, companies that transfer the state’s “core data” overseas without approval from Beijing will face a penalty of up to 10 million yuan (US$1.5 million) and could be forced to shut down. What constitutes state “core data” has yet to be defined.
Earlier this month, Beijing also updated its Measures for Cybersecurity Review, a regulation first released last year. The update stipulates that all technology platform companies that possess personal data of at least one million users must undergo a review by authorities before launching an IPO in a foreign market.
Data localisation is finding support not only among countries keen on controlling cyberspace such as China and Russia, but also in the European Union, putting the Silicon Valley tech giants that reign over European markets on alert.
In 2016, the European Parliament approved the General Data Protection Regulation (GDPR), one of the world’s strictest privacy laws, and the EU’s proposed Data Governance Act came out of the 2020 European Data Strategy.
Last week, the EU Court of Justice invalidated a mechanism called Privacy Shield that tech companies including Facebook and Google used to move commercial data from Europe to the US. The case, which could end up pressuring tech firms to use local data centres in Europe, was brought to court by privacy campaigner Max Schrems and traces its origins to the US spying campaign led by the National Security Agency (NSA) that was uncovered by whistle-blower Edward Snowden.
“It will be difficult, if not impossible, to make meaningful progress in any forum that involves China, Russia, and others that support digital protectionism and control,” the ITIF report says. “It’s hard to include Europe given its inability to genuinely engage and collaborate with counterparts unless its privacy preferences prevail over everyone else’s.”