bibo:abstract |
I. Introduction
II. Data Sovereignty: Current Status and Pending Issues
III. Data Sovereignty and Major Economies: Recent Trends and Responses
Ⅳ. Outlook and Implications
I. Introduction
As major countries around the world are competing for digital hegemony in the era of the 4th Industrial Revolution, the importance of data has been underscored more than ever. Major economies, in particular, are approaching the issue of data from a national security perspective; the data policies formulated and implemented by the world’s major economies with technological prowess are not only about strengthening industrial competitiveness, but also about bolstering national security – a seemingly global lurch towards the “securitization of data.”
Just as the issue of setting global standards and norms lies at the core of the discussions surrounding cyber security and the ongoing race for technological superiority, the key issue regarding data security is to set a global standard for data management systems. In recent years, states, companies and individuals have been sharply divided on the matter of who exercises data sovereignty and jurisdiction and how, which all comes down to the issue of data transfer and distribution as well as the concept known as 'data localization.'
Furthermore, with a small number of U.S. tech firms and global platform companies monopolizing data, frictions are expected not only between the U.S. and China but also within the Western bloc, including the U.S. and the EU.
This paper will examine the importance of discussing data security and data sovereignty from a national security perspective, and shed light on the key issues as well as the positions and policies adopted by major economies to give insights on future prospects and understand policy implications.
II. Data Sovereignty: Current Status and Pending Issues
Data can have a significant impact on a nation’s national security and domestic politics, and there are a number of national, regional and global security challenges related to data looming on the horizon, such as the risks associated with the power of Big data including privacy infringement; cyberattacks and data corruption and leakage; and intensifying competition for technological hegemony and the global trend towards the securitization of data.
The growing economic and political importance of data has further facilitated discussions on 'data sovereignty' between countries, companies, and individuals. Governments, for the sake of national security and public interest, find it necessary to introduce data sovereignty measures that regulate how businesses handle data to prevent damage or misuse. Governments, at the same time, face the task of enabling better access to and a smooth flow of data to achieve economic innovation. In the case of individuals, while they have a legitimate right to control their personal information, a smooth transfer of data between companies allows their personal data to be efficiently developed to provide benefits. From a company’s point of view, data mining and collection is a matter of vital interest; companies, due to their profit-oriented nature, tend to maintain their monopolistic hold on data while emphasizing free access to it.
In most cases, data sovereignty is exercised in the form of national sovereignty against other countries, companies or individuals. Individuals, or the owners of the data, can also be granted the right, protected by the state, to control the ownership, processing, movement, and distribution of personal information, the most representative case of which is the right granted by the General Data Protection Regulation (GDPR). Enacted by the EU, the GDPR gives individuals a broad range of authority over their own personal information.
At the heart of the data sovereignty debates lies the concept known as “data localization.” Data localization refers to a range of measures providing for mandatory storage or processing of data within the territory of a given country. Data transfer and distribution issues are inevitably linked to data collection and utilization; some countries are in favor of the view that data accumulation and utilization can be used as basic assets to measure and mobilize their economic, social and military capabilities. There is also a view that supports the restriction on free movement of data; some countries believe that although ensuring free data flows benefits society as a whole, it is also capable of having a negative impact on national security by causing leakage of sensitive data as well as distortion and abuse of data. While the U.S. stresses the importance of cross-border transfer and distribution of data to protect the interest of tech firms, China, which treats data as a valuable national asset, upholds data security and sovereignty and is seeking to expand the scope of its data localization policy.
When it comes to data localization, the issue that deeply divides the countries around the world is whether or not the government can require companies to store data locally and give government agencies access to servers if the need arises. While the U.S. and major tech firms believe that these localization requirements restrict and distort the free movement of data, some emerging economies such as China, Russia, and India claim these requirements are based on ‘legitimate public policy objectives’ and national security. Data localization is also an issue related to the transfer and distribution of data, and has recently been discussed as a key issue at the WTO and in FTA negotiations.
III. Data Sovereignty and Major Economies: Recent Trends and Responses
The United States, home to the largest global tech companies, upholds free cross-border movement of data and explicitly criticizes the measures laid out by countries like China and Russia to localize data. The U.S. has traditionally taken a market-oriented approach to data sovereignty. The country has enacted laws only in special cases, and backed the private sector’s “self-regulation” by providing a set of related guidelines. These approaches had gained significant traction after the inauguration of President Donald Trump; the U.S. on Trump’s watch signed the United States-Canada-Mexico Trade Agreement (USMCA) and the U.S.-Japan Digital Trade Agreement which included provisions that ban restrictions on data transfers across borders and restrict data localization policies. The Trump administration even went further to consider limiting visas issued to citizens from countries adopting data localization requirements.
Japan's basic stance on data sovereignty is similar to that of the United States. In particular, Japan proposed the 'Osaka Track' at the 2019 G20 Summit to create a set of reliable international norms and guidelines for the free flow of data. The Osaka Track initiative promoted discussions on the standardization of international norms for cross-border data transfer and distribution, protection of personal data and intellectual property and on how to tax US tech giants. The Osaka Track is regarded as part of the Western bloc’s efforts to counter China’s digital protectionism and data localization policy.
China treats data as its basic strategic asset that can help stimulate the country’s development and protect national security. Beijing advocates the right to control and regulate Internet use within its national borders and has begun to assert data sovereignty. Through its “Golden Shield Project”, the Chinese government blocks its citizens’ access to overseas websites and strictly restricts the collection and processing of the data of the Chinese people by foreign companies for national security reasons. On the other hand, China actively encourages domestic companies to utilize data for the sake of nurturing its data industry, developing new technologies and launching data-driven projects. Furthermore, in an attempt to strengthen the country’s control over data, the Chinese government integrated scattered regulations and rules on cyber security into the 2017 Cybersecurity Law, which came into effect in June 2017.
On September 8, 2020, Chinese Foreign Minister Wang Yi announced the 'Global Data Security Initiative' to emphasize data sovereignty, jurisdiction and governance, as well as to propose a ban on unauthorized collection of information of other States. This appears to be a move aiming at mustering international support by proposing a new set of global norms on data security as well as at countering the Trump administration’s efforts to pressure China. Moreover, China is highly likely to attempt to document the initiative by opening related discussions at the Open-ended Working Group (OEWG), the G20 and other multilateral consultative meetings.
Russia has also enacted legislation that mandates the data of its citizens to be subject to the country’s laws, and in May 2019, Russian President Vladimir Putin signed a bill that enforces government censorship on data collected within Russian borders and transferred abroad. Furthermore, the so-called 'sovereign Internet' law, which came into force in November 2019, allows Russia's telecoms agency Roskomnadzor to shut the country off from external traffic exchange and mandates the creation of an independent internet for Russia.
As U.S. tech giants are increasingly monopolizing data in the European market, the European Union is pursuing policies strengthening data sovereignty to ensure the bloc’s economic security. The EU drafted and passed the General Data Protection Regulation (GDPR), which came into effect in May 2018, to strengthen the data sovereignty of individual EU citizens and make EU tech companies more competitive in the global market. The GDPR consists of legally binding online privacy rules that apply directly to all EU member states, which are tougher than mere policy papers or directives. The GDPR provides for the free movement of personal data within the Union, but also includes a number of data sovereignty measures; it restricts transfers of personal data to foreign servers and sets out conditions and procedures for transferring data to a third country. This new set of rules prohibits transfer of data collected from the citizens of EU member states to a country that has not received an adequacy decision from the EU. And there are fines that can be levied as penalties for non-compliance - up to €20 million or 4% of annual global turnover.
Ⅳ. Outlook and Implications
Since data lies at the core of the U.S.-China trade war and the Huawei row, the ongoing battle between Washington and Beijing for technological hegemony is highly likely to morph into a competition for data hegemony. The U.S. and China will scramble to collect data within their borders and strive to gather enormous amounts of data from multiple sources in the years ahead. At the same time, the two countries will launch far-reaching measures to guarantee that their data is secure from foreign governments and firms, in order to safeguard national security and maintain their own competitiveness. With China closing the technological gap with the United States, the U.S. is likely to actively keep China in check based on the belief that data is a critical source of advantage in leading the Industries of the Future, specifically Artificial Intelligence, Big Data and quantum computing.
The rivalry between the two countries will likely intensify as they both rush to establish digital governance and norms that align with their own national interests. However, as it has been pointed out that the Trump administration's protectionist policies contradict the traditional stance of the U.S., which advocates free movement of data, it remains to be seen whether the incoming Biden administration’s approach to data sovereignty will deviate from that of President Trump. Japan may play a leading role on behalf of the U.S., as it did in proposing the Osaka Track, or join forces with like-minded countries or members of an intelligence gathering coalition like “Five Eyes (FVEY)” to put the issue of data sovereignty at the forefront and take the lead on the issue. China is expected to double down on its efforts to work together with Russia to set global standards governing data security and data sovereignty and discuss the issue at multilateral consultative meetings.
The EU's aggressive regulations targeting American tech companies, such as the GDPR, can be a source of further conflict between the EU and the U.S. as Washington sees those regulations as trade barriers. Under the pretext of promoting data sovereignty, the EU plans to levy a digital tax on U.S. tech firms, slap fines on them and apply tougher antitrust law to them. The Trump administration lashed out against these proposed plans and is considering imposing retaliatory tariffs.
Legally binding international laws on data transfer and data localization could be found in the field of trade; existing trade agreements in the field of digital trade contain provisions restricting data localization and imposing requirements on cross-border transfer of data. Transborder data flows are governed by WTO agreements, bilateral and regional agreements including FTAs and separate agreements dealing only with digital trade issues. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the United States-Mexico-Canada Agreement (USMCA) and the US-Japan Digital Trade Agreement - which entered into force in December 2018, July 2020 and January 2020 respectively - all contain specific provisions related to data transfer and localization with a number of exceptions. The Digital Economy Partnership Agreement (DEPA) between Singapore, Chile and New Zealand also includes similar provisions. Efforts should be made in the years ahead to overhaul existing trade agreements, such as clarifying and hammering out the details of the national security exceptions. As it has become a common practice to allow countries to rely on national security exceptions, finding a balance between competing interests and coordinating different positions regarding this issue will be an important but especially daunting task for many countries.
|