How does China's key data security policy advisor look at the TikTok hearing
And what could that mean for China's own data security regulation regarding American companies such as Apple or Tesla?
The TikTok hearing is widely discussed in both the US and China, and has become a new focal point in the US-China rivalry. In this issue, we look at a WeChat blog article on the hearing by 小贝说安全 Xiaobei Talks on Security. We believe this article is very important, because one of the blog's "core creators", as the blog itself claims, is a top policy advisor on data security who is also a top-ranking contributor to key official documents and the leader of expert teams for several regulatory initiatives. By walking through this article, you can get a sense of how a meaningful bloc of policy advisors and policymakers view the TikTok hearing and what it means for data security regulation in China.
The article is titled TikTok过堂，美国国会到底几个意思？The "trial" of TikTok: what does the US Congress actually mean? We will walk you through the article with both translation and summarization. As always, our own take is at the bottom of the newsletter.
This article first analyzes America's strategic motives behind this hearing. According to the author, there are 5 aspects:
1. The United States is trying to ensure absolute control over data, now that the data-driven digital economy has become a new engine for economic development.
2. Data security has become a core issue in international rules and will reshape the international political and economic landscape. Whoever gets to make the rules will control the new system.
3. The US is using cybersecurity issues as a way to contain China, by hyping up data security issues and imposing sanctions on Chinese companies to maintain its global technological leadership. The US has long claimed that Chinese data security threats are a problem, politicized economic and trade issues, and attempted to completely remove Chinese elements from the IT field.
4. Internet companies are an important component of a country's soft power in competition, and the healthy development of internet companies is tied to the development of social science and technology and the enhancement of national strength. Therefore, the overseas development of Chinese technology companies will be continuously suppressed by the US, with data security as the excuse.
5. The success of TikTok has hurt the market position and revenue of older social media platforms in the US. Some companies are lobbying the government to sanction TikTok and criticizing it in order to drive TikTok out of the US market.
Next, the author provides a defense against some of the key points raised during the hearing:
The US Congress and government are not the only ones with negative feelings towards China's data security. Western society as a whole feels resentment towards China's three laws: the National Intelligence Law, the Cybersecurity Law, and the Encryption Law. The US government and Congress claim that Chinese law forces all Chinese companies and entities to transfer data collected domestically and internationally to the government. This claim is based on Article 7 of China's National Intelligence Law, which states that any organization and citizen should support, assist, and cooperate with national intelligence work in accordance with the law and keep confidential the national intelligence work they are aware of. However, Article 7 only spells out a principle, while Western society intentionally ignores Article 8 of the National Intelligence Law, which states that "national intelligence work shall be conducted in accordance with the law, respect and safeguard human rights, and protect the legitimate rights and interests of individuals and organizations."
Additionally, Western countries suggest that the National Intelligence Law may force Chinese companies to create backdoors and other security vulnerabilities in equipment and software sold overseas, allowing the Chinese government to easily access data that is not under Chinese companies' control. The Cybersecurity Law implies that China's attitude has undergone a significant change, no longer treating protecting the Chinese data system as a defense mechanism, but regarding data collection as an offensive behavior. The Encryption Law requires that any encryption system "approved" for use in China or used by companies that process Chinese data must provide its encryption keys to the Chinese government. These descriptions can easily cause panic, but they are entirely groundless.
The United States and other Western countries have taken this fear-mongering tactic to the extreme. They have focused on the rewards and punishments system in the National Intelligence Law, deliberately creating a terrifying atmosphere of "rewarding data and persecuting data." Strengthening information sharing in the handling of cybersecurity incidents to enhance joint response capabilities has been a practice in the United States for decades, but the US government interprets the relevant statements in the Cybersecurity Law as "China will establish a centralized program to monitor and assess risks and share data with relevant Chinese agencies."
Article 31 of the Encryption Law requires the establishment of a commercial cryptography supervision and management information platform, which mainly publishes and answers queries about industry supervision and management information. However, the US government frames it as "allowing the State Cryptography Administration to access commercial cryptography systems, including accessing data protected by these systems, and as a result, the State Cryptography Administration can fully obtain any other information required to decrypt keys, passwords, and access data on commercial encryption servers. Therefore, US technology companies seeking to do business in China must surrender their intellectual property and technology."
In diplomatic settings, we can dismiss the claims of the US and other Western countries as nonsense without saying much. However, the consequences can be imagined if Western society's population lives in this kind of public opinion environment for a long time. In this sense, the hearing is only a formality, and the hostility of the US and other Western countries towards China's data security will never be eased through any hearing.
On the immediate result of this hearing, the author believes the hearing should not come as a surprise, as it is a normal part of American politics. The author believes that we cannot expect the hearing to solve any problems, as geopolitics provide the fundamental backdrop for this hearing. Finally, the author suggests that TikTok needs to make more efforts in responding to the crisis, as commercial logic cannot solve national security issues.
But when it comes to the long-term impact of the hearing, the author is more serious. The author believes this hearing is a big deal, similar to when Huawei and ZTE appeared in front of the US Congress. At that time, the result was a US embargo on high-tech products from China, while the impact of this hearing may be even bigger.
According to the author, this event will affect internet services and data security broadly. The US and China will play a new game centered around data security, which will also affect diplomatic and trade relations between the two countries. If the US gets what it wants, the following may happen: First, it will hurt China's image globally, as many Americans still believe that TikTok shares data with the Chinese government. Second, the US will create a "trusted data circulation circle" that excludes China from the world economic system. Third, the decoupling between China and the US may intensify. Fourth, Chinese companies may face difficulties in expanding internationally.
What should China do in terms of her own data security?
In the last part, which we believe to be the most important part of this article, the author discusses what China can learn from this hearing. Specifically, the author advocates that China should respond with equivalent policy measures:
What can we learn from this? Does America have national security demands that we do not? Does America care about data security in the way that we do not? What has America done to us in recent years? How should we counteract it? At the technical and business level, America can do what we can do, but can we do it better? At least in terms of national data security top-level design, America has established the following system for TikTok:
Second, TikTok is required to establish a "管用分离 separation of regulation and use" user data storage model to prevent American user data from flowing into China. For "protected data" such as user birthdays and phone numbers, the US requires TikTok to cooperate with the cloud service provider Oracle to store the collected American user information in a Texas data center, rather than at ByteDance, the parent company located in China. Data previously stored in Singapore will be deleted entirely after the completion of the agreement with Oracle, and will be completely transferred to the Oracle Cloud server located in the United States. Access to this "protected data" can only be authorized to specific American employees, not Chinese employees. The essence of this plan is a low-risk overseas corporate data storage system established in cooperation with a US third-party company.
Third, initiate a national security review led by CFIUS and form a third-party professional technical team to evaluate TikTok's data security technology measures. Since 2019, CFIUS has been responsible for reviewing TikTok's data security issues. In Project Texas, CFIUS is specifically responsible for the promotion and supervision of the agreement between TikTok and Oracle on data storage, and the content of the data access agreement will be agreed upon jointly by Oracle and CFIUS without TikTok's participation, in order to ensure that the two companies cooperate under the supervision of government agencies. During the TikTok data security review, the term "United States Technical Services team" was mentioned many times. The US requires the establishment of a third-party professional data security team composed of Americans to evaluate TikTok's data technology measures. Only certain personnel authorized by USTS can view the "protected data" stored on the Oracle Cloud server. Anyone outside of USTS accessing American user data should be subject to strong data access agreements.
Although this issue is an attack by the US on a single enterprise with a Chinese background, it shows its comprehensive approach to the data security issue concerning all of China. The US has escalated its actions and intensified the hype surrounding the data security issue, which cannot continue. How should we plan and counteract at a strategic level? Especially, facing the large amount of basic network services provided by American companies to us and the large amount of data we obtain from them, how should we prevent them [from data breach]? Even if data is "stored locally" in the United States, it still cannot resolve American concerns, and there must be "separation of regulation and use." So what should we require of American companies? How should we formulate a "localized storage" policy in the future? It is time to think deeply about these issues:
First, how should our data classification and grading system be developed? China's "Data Security Law" proposes to establish a data classification and grading system, namely, general data, important data, and core data. For this purpose, China has successively developed national standards such as the "《重要数据识别指南》Identification Guidelines for Important Data" and the "《网络数据分类分级指南》Network Data Classification and Grading Guidelines." However, in the process of formulation, many voices held that China's standards are too strict, and some even voiced concerns that the standard formulation group has expanded the interpretation of "national security." However, the US "protected data" concept has established a closer relationship between national security and data security, and even personal information, such as user birthdates and phone numbers, has been given national security connotations. From a series of events such as the accurate positioning of Russian soldiers by Western social media during the Russian-Ukrainian conflict, [we can see that] personal information and many other types of information in the business field have increasingly prominent national security attributes. The legislative idea of China's "Personal Information Protection Law" only considers the protection of civil rights and interests. Is this enough? Should the "Personal Information Protection Law" be revised?
Second, how to further improve the network security review system, especially to establish a data security review mechanism for foreign-funded institutions operating in China? When China's "Cyber Security Law" first proposed the network security review system, it mainly regulated the procurement of network products and services by operators of key information infrastructure. The "Data Security Law" established a data security review system for this purpose. Therefore, the National Internet Information Office revised the "Network Security Review Measures" to incorporate network data security review requirements into the network security review. Although the revised measures clearly require a review of data processing activities that may affect national security, the main regulated scenario is when Chinese companies go public overseas. That is, only Chinese companies that meet these conditions must apply for review before going public overseas. Other network security reviews will be initiated by the National Network Security Review Office without the need for an application. However, what are the "other conditions"? There are no specific regulations in practice. CFIUS's foreign investment national security review has always been regarded as an important reference for China's network security review system. CFIUS's action against TikTok fully demonstrates the necessity of normalizing the review of foreign-funded enterprises' processing of Chinese data. That is, to clearly list it as a scenario that must be reviewed in the "Network Security Review Measures." Moreover, CFIUS's specific review measures, such as focusing on data agreements, collaboration methods, data access modes, etc., can be used by us.
Thirdly, how to establish a sound system for local data storage? The US government requires TikTok to cooperate with American cloud service providers to store "protected data" in a Texas data center controlled by Oracle. China's practices are far behind in comparison. The "Cybersecurity Law" once proposed that important data and personal information collected by operators of critical information infrastructure should be stored in China. However, in practice, Chinese regulatory authorities have mainly focused on the security management of data leaving the country, and have not conducted further research on policies for local data storage. Moreover, the "Cybersecurity Law" only regulates the outbound data transfers of Chinese enterprises and does not cover the activities of foreign enterprises collecting and processing data within China. Now it seems that requiring some domestic and foreign companies to implement local storage can only be considered a basic requirement. More importantly, it is necessary to ensure that data can only be stored in domestically trusted and controllable data centers, and data access should be strictly limited to Chinese personnel. Therefore, some foreign companies (such as Apple and Tesla) only go as far as storing Chinese user data in China, which would be considered too weak by the US government from a national security perspective, but is actually considered by some people as major progress in regulatory measures. Now the gap [in regulations] is obvious. Therefore, China should urgently refine the specific content of the system under the framework of local data storage, and clearly propose the requirement of "separation of regulation and use".
The key point is that Chinese user data collected when conducting business in China must be entrusted to Chinese enterprises, and the data security cooperation agreement signed should be reviewed and approved by government departments, and foreign-funded enterprises should not retain or back up data. Of course, this entrustment does not apply to all foreign-funded enterprises and all data, but should be strictly limited to the national security field.