National Data Administration; New draft regulation on cross-border data transfer; Technology ethics review - China Tech Governance Review Vol.1
Welcome to "China Tech Governance Review," your essential digest focused on the evolving landscape of Chinese technology policy and regulation.
The tech sector, vital to China's economic ascent, operates within a complex and multifaceted governance system that could be elusive to policymakers, business executives, investors, and our other readers worldwide. Each edition of our series offers you an analytical snapshot of the most crucial policy shifts, regulatory updates, and key events shaping China's technological frontiers, from data and digital economy to AI and cybersecurity.
Our goal is to provide clear, insightful commentary that closes the gap between policy formulation and its tangible effects on research and development, business practices, and the commercial sector.
About the Author: This series is meticulously curated by Yu Tian. Serving as General Counsel for BigOne Lab and with a seasoned background in cross-border mergers and acquisitions and business compliance, Mr. Tian brings a wealth of knowledge to the table. He specializes in China tech law and policy, with a strong background in legal practices that specifically focus on China's technology and data sectors.
Table of Contents
Official opening of the National Data Administration
The Cyberspace Administration of China introduced a new draft of administrative regulations on cross-border data transfers
The Ministry of Science and Technology and 10 other departments jointly promulgate the interim regulations on technology ethics review
I. Official opening of the National Data Administration
Brief description:
On October 25, 2023, the National Data Administration was officially established and started to operate in Beijing. Ding Xuexiang, a member of the Standing Committee of the Political Bureau of the CCP and Vice Premier of the State Council, attended the ceremony and unveiled the plaque. In March of this year, the "Plan for the Reform of Institutions of CCP and State"(《党和国家机构改革方案》) ("Reform Plan") issued by the Central Committee of the CCP and the State Council included the establishment of the National Data Administration as one of the components of the State Council's institutional reform. It is positioned as a vice-ministerial-level agency responsible for implementing the big data strategy and promoting the development of the digital economy, and it is under the management of the National Development and Reform Commission (NDRC).
Notable info:
On July 28th of this year, Liu Liehong was officially appointed as the Director of the National Data Administration by the State Council. Liu has over 30 years of experience in the fields of electronic information and network communication, both in industry and management. He has previously served as the Chairman of China Electronics Technology Group and China Unicom Group respectively, and also has work experience in the Ministry of Industry and Information Technology and Cyberspace Administration of China. Director Liu's first public appearance after taking office was on October 18th at the "Belt and Road" International Cooperation Forum. During an interview with CCTV, he expressed his commitment to promoting the digital transformation of agriculture, manufacturing, and the service industry, aiming to achieve industrial upgrades through the development of the digital economy.
Several weeks ago, on October 11th, the State Council appointed Shen Zhulin as the Deputy Director of the National Data Administration. Shen had previously served for many years in the High-Tech Department of NDRC, where he accumulated rich experience in coordinating the advancement of strategic emerging industries and the development of the digital economy. He has also been involved in organizing and implementing the national big data strategy and has played a leading role in the formulation of significant projects such as the "Twenty Measures for Data"(see details below) and "Eastern Data and Western Calculation."("东数西算") The official appointments of the Director and Deputy Director signify the establishment of the leadership team for this agency. It is widely anticipated within the industry that the agency's "three determinations" plan (which pertains to determining the functional structure of the organization, internal institutions, and personnel) is expected to be officially announced soon by the State Commission Office of Public Sectors Reform (SCOPSR), which is a ministerial-level state agency responsible for administrative organizational reform and staffing.
According to public reports, the National Data Administration currently has dozens of staff members in place, and it is expected to further expand its workforce after its official establishment. The National Data Administration is planning to establish five departments and bureaus, each responsible for different aspects, including general affairs, data base system and policy research, data resource management and development, digital economy strategic planning, and data infrastructure construction.
As per the recruitment information released on October 14th regarding the 2024 Central Government Civil Service Examination, the National Data Administration will recruit 12 individuals. The recruitment will primarily focus on candidates with majors in electronic information, computer science, and economics management. The minimum educational requirement is a master's degree, and applicants are required to have at least 3 years of grassroots work experience. Some positions may also require experience in AI and cryptography research.
Viewpoints
At the end of last year, the Central Committee of the CCP and the State Council issued an important policy document aimed at promoting the data economy, titled "Opinions on Establishing a Data Base System to Maximize a Better Role of Data Elements" (《关于构建数据基础制度更好发挥数据要素作用的意见》 ). This document proposed 20 policy measures, laying the initial groundwork for the data infrastructure system. It outlined the direction for fostering the circulation and utilization of data elements to drive digital economic development, often referred to as the "Twenty Measures for Data."("数据二十条") In reality, these "Twenty Measures for Data" were initially drafted under the leadership of the NDRC. Following the subsequent "Reform Plan," the National Data Administration has inherited the functions previously held by the National Development and Reform Commission in coordinating the development of the data infrastructure system, orchestrating digital economic growth, and implementing the big data strategy. As a result, it is widely recognized in the industry that, after its official establishment, the National Data Administration will focus on promoting data economic development, accelerating the establishment and implementation of data economy-related infrastructure systems, and playing a role as an accelerator rather than a brake for data circulation and utilization.
In China's bureaucratic system, typically, the principal leaders in administrative agencies are primarily responsible for decision-making, overall direction, and major arrangements, while the deputy leaders are responsible for specific tasks and execution, and their roles are substantive rather than ceremonial. Moreover, due to the need for division of labor and collaboration, there are often multiple deputy officials, so it is not ruled out that additional deputy directors may be appointed in the future. From the current backgrounds of the first leaders, Director Liu and Deputy Director Shen, it is evident that the National Data Administration possesses inherent expertise and advantages in understanding the information technology industry and related economic matters, which align with its institutional positioning.
In general, the domestic data industry has three main expectations for the future works of the National Data Administration:
Addressing and improving the issue of fragmented and multi-agency regulation in data administrative management. Before the establishment of the National Data Administration, various local governments had set up various data management agencies. For example, provinces and cities like Beijing, Shanghai, Jiangxi, Sichuan, etc., established "Big Data Centers"; Fujian and Hainan set up "Big Data Management Bureaus"; Guizhou and Zhejiang set up "Big Data Development Management Bureaus." Not only do they have different names, but they also vary in administrative levels, affiliations, functions, and management methods, and their roles in relation to other administrative entities (such as industry regulatory bodies) have not been clearly defined.
Coordinating public data resources to promote the opening, circulation, and utilization of national data resources.
While the National Data Administration, as a government department, is not likely to directly become an integrator and provider of public data, it is more likely to promote the establishment or coordination of state-owned data operating entities to integrate and operate public data held by various government departments and public institutions. Currently, provinces like Shanghai, Fujian, Henan, Hubei, Jiangsu, and Sichuan have established state-owned data group corporations. It's worth noting that at the end of October last year, the General Office of the State Council released a document regarding the establishment of a national integrated administrative data system, outlining two objectives: (1) by the end of 2023, to preliminarily establish a national integrated administrative data system; (2) by 2025, to further enhance the completeness and efficiency of the national integrated government big data system, with all government data resources included in the directory management. However, there is currently no further public information about this national-level administrative data system. Whether these challenging objectives can be achieved as scheduled is to look forward.
Exploring and refining data ownership and benefit distribution mechanisms to promote data value realization and circulation, i.e. the data transactions. The "Twenty Measures for Data" propose dividing data rights into data resource holding rights, data processing and usage rights, and data product operation rights, downplaying the concept of ownership (as it can be too exclusionary, exacerbating data silos issues), and emphasizing the concept of usage rights. However, in practice, the determination of relevant data rights still primarily relies on contractual agreements between data trading parties and lacks statutory mechanisms with administrative publicity effects. This is an area where the National Data Administration can explore solutions at the national level through legislation and policy development.
Learn more about the National Data Administration: What does the newly-established National Data Bureau mean, for you?
II. The Cyberspace Administration of China introduced a new draft of administrative regulations on cross-border data transfers
Brief description:
On September 28, 2023, the Chinese regulatory authority for cyberspace and data security, the Cyberspace Administration of China (CAC), issued a draft of a legal document aimed at regulating and promoting cross-border data transfers ("Draft New Regulation") The Draft New Regulation was released for public feedback and consultation for a period of two weeks, which has already concluded.
Under China's current data security and personal information protection laws, the CAC also serves as the competent authority for cross-border data transfer security management. Before the issuance of this Draft New Regulation, the CAC had previously issued several legal documents for regulating cross-border data transfers, especially data export activities.
In August of this year, the State Council of China issued a policy for promoting and attracting foreign investments, "Opinions on Further Optimizing the Foreign Investment Environment and Increasing Foreign Investment Attraction" (《关于进一步优化外商投资环境加大吸引外商投资力度的意见》)(the "Foreign Investment Opinion") where it mentioned "exploring a more convenient mechanism for the security management of cross-border data flows." The content of this Draft New Regulation from the CAC primarily involves modifications and adjustments to China's existing cross-border data regulatory system, representing an institutional response to implementing such guidelines set forth in the Opinion. This indicates that data export regulations will provide more flexibility.
Notable info:
For data processors in China, if the data proposed to export (including data that allows access from overseas) falls into the categories of "personal information" or "important data," it may be subject to the data export regulation of CAC. As per the Draft New Regulation, a brief summary of the rule changes is as follows:
The Draft New Regulation also specifies several exemption scenarios:
Providing personal information overseas is required for entering into or fulfilling contracts in which an individual is a party, such as cross-border shopping, remittances, flight and hotel reservations, visa processing, etc.
Domestic companies may provide internal employee personal information to overseas entities for human resource management needs, provided that such transfers are explicitly included in the company's legally established labor rules and regulations.
Data exports resulting from international trade, academic cooperation, transnational production, manufacturing, and marketing activities are exempt, provided that the data does not include personal information or important data.
Personal information being exported was not collected within China.
In the above scenarios, there is no need to go through the administrative procedures related to data export (SCC+ filing, PIPC, or the Data Export Security Assessment).
Furthermore, the Draft New Regulation introduces a negative list regime for data exports from free trade zones:
Free trade zones can independently establish a negative list of data exports, restricting or prohibiting the outbound transfer of highly sensitive or high-risk data. Data outside of the negative list is allowed to flow freely from the free trade zones to overseas locations.
Viewpoints
Considering the legislative developments in China's data and emerging technology sectors this year, it's important to note that formal legal documents often undergo significant changes compared to drafts. Therefore, the content of the Draft New Regulation should be considered as preliminary and subject to potential revisions. However, in general, it can be observed from the tone of this draft that the CAC, which has a strong focus on security position, is making concessions in data export regulation to promote data flow (e.g., by specifying a negative list approach for important data regulation).
For multinational corporations and foreign companies operating in China, the good news is that the cross-border transfer of employee personal information in common human resource management scenarios will likely no longer require approval from the CAC like before. Also, the negative list approach for identifying important data should help alleviate concerns and confusion regarding whether data to be exported will be classified as important data.
Data Export Security Assessment vs. Cybersecurity Review. Due to the involvement of the CAC in both two procedures, there is a tendency for people to confuse the Data Export Security Assessment with the Cybersecurity Review that companies like Micron and Didi once underwent (as detailed in our previous articles). In fact, they are distinct data security regulatory procedures, and while the Data Export Security Assessment also involves complex and detailed processes (such as preparing extensive exaggerated-length self-assessment reports and continually submitting supplementary materials to the CAC), it is still relatively less restrictive and stringent than Cybersecurity Review. I have summarized the main differences between the two procedures from the perspective of practice in the table below:
It's necessary to note some scenarios or matters that are not exempt:
China's data security laws stipulate that domestic organizations and individuals must obtain approval from competent authorities in advance of providing domestic data to foreign judicial or law enforcement agencies. This requirement remains unchanged.
Internet platform companies that hold a large volume of personal information and intend to list overseas may still need to declare for Cybersecurity Review and Data Export Security Assessment.
Exemption from data export regulatory procedures does not mean that companies are exempt from fulfilling their personal information protection obligations under Chinese laws. These two compliance aspects are independent of each other.
For multinational corporations and overseas investors, it is worth paying attention to the negative list system for data export in free trade zones, which is similar to China's current foreign investment management approach. The negative list for foreign investment is becoming shorter, and it is expected that the negative list for data export will follow this trend. Currently, China has established 18 free trade zones, and although the Draft New Regulation does not specify which ones will introduce the negative list first, in light of the Foreign Investment Opinion mentioning "supporting pilot exploration of a general data list (positive list) that allows free flow in Beijing, Tianjin, Shanghai, the Guangdong-Hong Kong-Macao Greater Bay Area," it can be inferred that these few free trade zones are likely to be the first to introduce such lists. Furthermore, I would personally pay more attention to the progress in the free trade zones in Shanghai and the Greater Bay Area.
Learn more about views on the Draft New Regulation of CAC, and Micron Event/ China's Cybersecurity Review:
III. The Ministry of Science and Technology and 10 other departments jointly promulgate the interim regulations on technology ethics review
Brief description:
On October 8th, the Ministry of Science and Technology (MOST), the Ministry of Education, the Ministry of Industry and Information Technology, and 10 other departments of Chinese State Council jointly released a legal document speculating a set of interim regulations on technology ethics review ("Interim Measures").
The Interim Measures aim to require and standardize the establishment of technology ethics review committees by entities engaged in scientific research and technological development activities ("technology activities"). The purpose is to conduct prior assessments on technology ethics and mitigate technology ethics risks. The primary focus areas covered by this regime are emerging technology research and development activities in fields with a high potential for ethical risks, such as life sciences, medicine, and AI. Colleges and universities, research institutions, and enterprises may all potentially be responsible entities.
The Interim Measures will come into effect on December 1st of this year.
Notable info:
The Interim Measures stipulate that units engaged in specific technology activities (including colleges and universities, research institutions, medical and healthcare organizations, and enterprises) shall establish an internal technology ethics review committee ("TERC"). Such applicable technology activities include research in fields involving emerging technologies such as life sciences, medicine, and AI, whose research content involves technology ethics-sensitive areas.
The basic technology ethics review mechanism under this document includes:
In principle, the units of technology activities shall submit to their internal TERC to conduct a technology ethics risk assessment for technology activities. The TERC consists of technology experts and experts with backgrounds in ethics and law. The committee reviews the proposals and related materials for technology activities and decides by a voting process whether to approve them. The assessment is divided into regular procedures and simplified procedures (for low-risk activities or those with no significant adjustments to reviewed projects, etc.).
Implementation of an external expert review system for specific technology activities:
For technology activities included in the review list (which may be adjusted and published dynamically) by MOST, in addition to internal technology ethics review, units need to apply to the competent department to organize an external expert review. The activity can proceed only after receiving approval through the external review.
The current review list primarily includes life sciences, medicine, AI, and other technology activities that have a significant impact on human physical and mental health, consciousness and behavior, and ecological environment. Specifically, it covers significant technology activities such as the synthesis of new species with a major impact, the cultivation of human fetuses in animal uteri, gene editing, brain-computer interfaces, human-computer integration, algorithm models with the ability to mobilize public opinion and guide social consciousness (such as generative AI), and highly autonomous automated decision-making systems in scenarios involving personal safety.
Viewpoints
In the previous article on China's AIGC regulation, I mentioned in the last part that technology ethics review might become a formal administrative procedure incorporated into China's AI-generated content (AIGC) regulatory framework. The Interim Measures now make this a realistic requirement. In principle, companies engaged in To C generative AI businesses in China shall need to establish TERC and a technology ethics review system, and they may be subject to external expert reviews. However, as of now, there are no public reports indicating that domestic generative AI service providers who have been approved and are providing generative AI services to the public have fulfilled these technology ethics compliance requirements.
The regulatory logic embodied in the Interim Measures primarily focuses on the internal supervision of units engaged in ethically risky technology activities and defines areas where external supervision intervention is needed based on the review list. However, the implementation of this mechanism faces two challenges:
The Interim Measures are mainly procedural regulations, and the substantive review standards are not yet specific. They only provide broad and abstract principles such as "enhancing human well-being, respecting the rights to life, adhering to fairness and justice, reasonably controlling risks, and maintaining openness and transparency." It can be understood that research and regulation of technology ethics in these key areas are still in the early stages of exploration, and many consensuses have not yet been formed. However, since this regime has been proposed, the Chinese competent authorities should summarize and provide the society with practical paradigms and specific guidelines for technology ethics governance in various scenarios as references as soon as possible, rather than just waiting to "borrow" other jurisdictions' homework.
The competent regulatory authorities and regulatory measures are not clear. For actions that violate technology ethics standards, the Interim Measures vaguely state that they should be "punished or handled by an authority with jurisdiction in accordance with relevant laws and regulations." This means that the entity responsible for enforcing regulatory measures will still be decentralized to the administrative management hierarchy (for colleges and medical institutions) or industry regulatory hierarchy (for enterprises) to which these units belong. This may also explain why there are so many departments involved in the publication of the Interim Measures. If there is a persistent lack of cross-departmental collaborative organization, it may further hinder the formation of consensus on technology ethics governance, making related practices more fragmented and lacking consistency.
Overall, at the rule level, the technology ethics review under the Interim Measures still seems to be a skeleton but lacks flesh and blood, more like a semi-finished mechanism. Nevertheless, it is necessary for the companies engaged in AIGC or other activities listed in the external expert review list in China to keep an eye on the developments in technology ethics regulation in China.
Learn more about China's AIGC regulation: Understanding China's AIGC regulation: In-depth guide and context