Rogier Creemers: Data Protection and Reallocation
In July 2020, Think tank of the European Parliament issued a research report Digital Sovereignty of Europe, which expounds the background of the EU's proposal of digital sovereignty and the new policy of strengthening the EU's strategic autonomy in the digital field. EU digital sovereignty involves big data, artificial intelligence, 5G, Internet of Things, cloud computing, etc. Big data not only concerns personal privacy, it is also the foundation of artificial intelligence, 5G, Internet of Things, and cloud computing. Therefore, the core of digital sovereignty is actually data sovereignty.
 
Data sovereignty refers to the national sovereignty in cyberspace, which embodies the dominated position of a country on data control right. In the interview with PKU Financial Review, Rogier Creemers, Assistant Professor in Modern Chinese Studies of Leiden University, the Netherlands, states that, in some cases, the connection between personal information and national security is obvious; but in other cases, people may initially think that some personal information is not important, but in fact they play an important role or cause serious problems. Personal information and national security may be important in all aspects, many governments choose to control it more strictly and securely.

 
PKU Financial Review: Since the EU General Data Protection Regulation came into effect, more and more countries are focusing on their own privacy and security issues. This year, China has successively introduced a series of privacy protection policies. What is your comment on that? What is the biggest impact these policies will have on China's future development?

Rogier Creemers: Indeed, growing concern about data protection and privacy is a global affair: the EU has not only issued the GDPR, but data protection is also a big part of the Digital Market and Services Acts, which are currently in the legislative pipeline, as well as in recent EU consumer protection regulations. In that sense, it is not strange that China has also speeded up its own data protection legislation. But we must remember that the Personal Information Protection Law, for instance, draws back on initiatives starting as early as 2005. In this law, the legislator has tackled several concurrent issues: increasing individuals’ control over their data, seeking to curb acts by malicious actors, such as telecommunications fraud or ransomware, regulating data-enabled business models and ensuring government departments can still fulfil their responsibilities. As often with Chinese legislation, the core law provides principles, objectives and mandates, but little detail. To fully gauge their impact, we need to wait for implementing regulations to come out, where the Cyberspace Administration of China will play the key role.
One example of this will be the automobile sector, where CAC issued draft regulations earlier in August. Here, the use of data is not to enable a “surveillance capitalism”-type business model, but to enable manufacturers to monitor the performance of their cars for the sake of future improvements. Even so, these manufacturers now face increasing regulatory burdens, for instance with relation to the export of personal information. Where we deal with business models that are predominantly based on data, there will be a greater question of adaptation, although the argument could be made that if you cannot build a business model without hurting a considerable proportion of your user base, perhaps that business model should not exist.

PKU Financial Review: According to IDC forecasts, by 2025, China will have about one-third of the world's data, which is 60% more than that of the United States. Recently, China has introduced intensively policies on data, and constantly accelerated the pace of "data localization". How do you think this will affect the global data market in the future?

Rogier Creemers: This really depends on what the data market is about. The promise of big data analysis is that it will provide more effective answers to questions in multiple fields ranging from natural language analysis to traffic flows, or from energy use to consumer behaviour. In some cases, that promise will be kept. However, in others, it might not: decades of big data analysis in US elections, for instance, still has not adequately captured the complexity of voting preferences and policies, and a similar thing is true with advertising. Now, data localisation predominantly concerns the localisation of personal information. However, at the big data level, it’s perfectly possible to work with large, anonymised or de-identified datasets. Also, some information doesn’t necessarily travel very well: it’s not because you have an AI system that is good at Mandarin Chinese language recognition, that it will work well in Spanish, English or Arabic. So the impact on the big data market can only be considered on a case-by-case basis.
 
PKU Financial Review: Privacy dispute between Apple, Microsoft etc. and the US government have long been the focus of attention. For instance, the USA PATRIOT Act required Microsoft that any data stored, processed or owned in Europe or elsewhere, including emails, Web applications and archival storage, must be inspected by the US government. In China, personal information is part of national security, so it is dangerous for companies to use it at will. How do you feel about this “data sovereignty concept”? Should personal data be related to national security?

Rogier Creemers: Whether I think personal data should be related to national security is beside the point: major governments have decided it is. In some cases, that link was always obvious: the OPM hack dealt with the information of individuals who had applied for US government security clearances, and high-level retired officials from the intelligence community confirmed they saw this as a legitimate national security-related espionage target. In other cases, however, we are surprised by the possible national security consequences of personal information that we simply had not considered to be security-related. Think, for instance, about the personal information involved in the influence campaigns around the 2016 US presidential election, or the fact that the fitness app Strava enabled the identification of classified US military facilities. Given the fact we are surprised on a regular basis about novel ways for personal information to be national security-connected, many governments choose to play it safe and control more, rather than less strictly.

EU has a principle against “data sovereignty concept” among its members or trade partners. For instance, EU is considering restricting the data localization law made by Germany. If China is strengthening free trade agreement with other countries, will data localization become a reverse trend as well?
 
The EU is a bit of a double-headed bird where it comes to data. It wants to have data sovereignty towards the outside (which we see clearly with the GDPR), but a free market inside. I’m not sure this very exceptional European situation translates well to the global sphere. In any case, I think we can expect data-related provisions to become a part of free trade agreement (re)negotiations in the future. However, there will be significant headwinds. For the past decade or so, free trade has become a lot less fashionable in global public opinion, and there is less and less support for further trade liberalisation. Furthermore, trade in goods (putting things in boxes and shipping them abroad) was always easier than trade in services (which may require migration, mutual recognition of credentials and qualifications, etc.). The trade in data is more politically sensitive still, which makes it very likely that data protection provisions may well become a great barrier to the conclusion of an FTA. Negotiators might choose to leave them out at that point. 

PKU Financial Review: If there is a transnational legal dispute, will the current "data sovereignty concept" affect data disclosure among litigant subjects? What changes might data exchange rules at international level have in the future?

Rogier Creemers: Your guess is as good as mine. We see in the Chinese legislation that there are specific provisions on providing data to foreign judicial and law enforcement agencies, but we will only know how that works when implementation happens. Depending on the extent this becomes a major issue in diplomatic relations, states will be incentivised to find a structural solution, or to deal with issues on a case-by-case basis. 

PKU Financial Review: In react to data monopoly problem, a growing number of U.S. lawmakers are calling for legislation to break up monopolistic companies such as Facebook and Google. European government emphasizes users' right to control and know their data, and imposes hefty antitrust fines on companies like Google. In China, not only hefty antitrust fines are demanded, government authorities also monitor corporates through establishing joint ventures (sitting on boards of directors of certain companies). What do you think of these different ways of government behavior?

Rogier Creemers: Governments are facing a problem they have not had to deal with for quite some time: a rapid and significant expansion of private sources of power. When we look at the process of modern state formation in Europe, we see that much of it concerns taking away forms of political power from individuals or other private actors - kings, aristocrats, trade guilds, the Church, etc. - and transferring it to this newly-created collective actor called the State, which also involves a parliament and a civil service. It may well be the case that governments again will seek to remove a great deal of powers from these private big tech companies and introduce some degree of public management, if for no other reason than having a degree of democratic or political control over the decisions by these companies. However, the way that will happen, will depend greatly on national circumstances. The US obviously has a rather different view of the relationship between government and business than China.



 Rogier Creemers
Assistant Professor in Modern Chinese Studies of Leiden University


This article has been  translated and published in PKU Financial Review.