China's new data security initiative has implications for India
Earlier this month, the Chinese government announced the launch of a new Data Security Initiative. Outlining its components, Foreign Minister Wang Yi said he hoped that China can provide a “blueprint” for the formulation of international rules for digital security.
The Chinese initiative entails eight broad principles, which include a call for supply chain stability, pledges against data theft and surveillance, norms for data storage and access, and a requirement for technology companies to not abuse their market dominance.
Wang’s announcement came a month after the United States launched its new Clean Network program in early August.
The US initiative explicitly seeks to exclude Chinese telecommunications firms, apps, cloud service providers, and undersea cables from internet infrastructure used by the US and partner countries. The initiative draws upon a range of different standards, such as the Prague Proposals and the European Union’s 5G Toolbox.
Beijing is using its new proposal to push back against Washington’s efforts. A commentary in the People’s Daily after Wang’s announcement emphasised that the initiative “upholds equity and justice in data security,” ensuring that a discussion of data security is about data rather than “politicizing the matter by introducing irrelevant factors such as ideology and political systems.” This argument is directed not just at the Clean Network initiative but also at the Prague Proposals.
At the same time, China launched a new High-level Digital Dialogue with the European Union. The dialogue revealed that while approaches towards data protection remain a key point of divergence, the EU does believe that China will “play a role in defining how global technological developments will go forward.”
In this sense, Brussels appears to be adopting a pragmatic and accommodating approach, which diverges from Washington’s current policy.
This is perhaps also an acknowledgement of China’s expanding global technology footprint. Since the launch of the Digital Silk Road, as part of the Belt and Road Initiative in 2015, Chinese tech giants’ global reach has grown across a range of sectors, such as telecommunications, smart cities, telemedicine, internet finance, e-commerce, cloud services, and even satellite services.
This effort has been accompanied by greater R&D focus, boosting indigenous innovation, devising domestic regulation, and a planned blueprint for reshaping global technology standards by 2035.
In effect, through BRI, Chinese firms command significant market share and Beijing will be using this leverage to try to internationalise its domestic standards. When viewed in this light, it is important for countries, irrespective of the Sino-US competition, to take China’s data initiative seriously. If a significant number of BRI countries begin to adopt the standards outlined by Beijing, these will impinge on even countries like India or those in the European Union, which are not party to the initiative.
For instance, perhaps the most innocuous-sounding among Wang’s eight points is the one about cross-border data retrieval for law enforcement, which the proposal says should be addressed through judicial assistance and other channels.
Traditionally, law enforcement agencies use an international process called Mutual Legal Assistance Treaties (MLATs) to reach out to platforms for user data. However, the MLAT process has been broken for a long time. The process itself was never designed to support the volume of requests that bringing billions of people online would result in. Also, MLAT requests from law enforcement agencies have to pass through two judicial standards, one in their home country and one in the country that the information is being requested from (typically the US since most platforms are American).
The process treats each country as equal, which is bad for India thanks to its high population and crime rate, leading to a larger volume of requests than what the MLAT system can handle. Perhaps more importantly, the pendency of our judicial system acts as another pain point. Put all of this together and we get an average of ten months for law enforcement to receive the electronic evidence requested.
There is international recognition of the problems that the nature of the MLAT system brings with it. The Budapest Convention on Cybercrime and the Clarifying Lawful Overseas Use of Data (CLOUD) Act aimed to address it in a multilateral and bilateral manner respectively.
However, India is not a part of either of these initiatives, and there is little reason to believe that this might change in the near future.
That China aims to come up with a new standard for data flows of such nature could, therefore, be problematic for Indian law enforcement. At best, it could result in a situation similar to the status quo, with months required to deal with a single request from law enforcement.
At worst, it may require law enforcement agencies to regularly go through another set of hurdles to achieve cross-border data retrieval. Therefore, from an Indian perspective, it is clear that the government should act quickly to devise strong data policy frameworks domestically that address some of these issues.
It is only when these frameworks are in place that India can negotiate effectively and shape international discussions.