How do Chinese cyber laws and regulations affect multinational companies, and US-China relations? Samm Sacks of Yale Law School walks us through the latest developments in this arena — we discuss:

• Why Chinese data policy has been on front-page news in the past few years;

• What China is hoping to gain from its new laws and regulations;

• The status of TikTok negotiations, and the prospects of a deal given today’s political climate;

• How the US and China can — yet sometimes don’t — leverage their data policy infrastructure against one another.

This week’s newsletter and podcast is sponsored by Policyware, who starting Feb 1st are hosting a course taught by Samm Sacks on China’s digital governance policies. She’s a true expert on the subject, and if you like what you hear, please head over to Policyware.org/ChinaTalk, where you can sign up for a two-week class starting February 1.

The folks at Policyware are also sponsoring five scholarships for our student listeners! Respond to this email if you’re interested in a spot.

How Data and China Got Hot

Jordan Schneider: Samm Sacks is a senior fellow at Yale Law School’s Paul Tsai China Center, a fellow at New America, and also does corporate consulting work.

Five years ago we did a show, back when Chinese data policy was deeply unsexy — but now this is a front-page story. Why does the entire world all of a sudden care about cybersecurity law or whatever else China is doing to regulate data?

Samm Sacks: I think there are two things going on.

The first indication I had that suddenly more than five people were interested in talking about Chinese cybersecurity law was when Didi, the Chinese ride-hailing app, had its big IPO debacle. The reason that the Chinese government stated, at least to the outside world, was that Didi had failed to pass the cybersecurity review and was undergoing a rectification related to its data-managing practices. And so all of the sudden, a small handful of academics and people inside companies that operate in China were trying to figure out — from a compliance perspective — how to manage this spate of laws and regulations and standards coming out. At that time, suddenly everyone was talking about the Cybersecurity Review — what is that? Because Didi was in the headlines. So I think that’s number one. 

The other thing that’s happened: we’ve seen in the past few years, starting in the Trump administration, that the heart of the US-China tech conflict is really a lot about data. And again, big-name, household-name, Chinese company TikTok has been in the crosshairs of that.

So now you have more than just you and me and a handful of others following the ins and outs of data policy in China and what it means in the bilateral relationship. 

Jordan Schneider: So Samm, before we get into the specific regulations, what are the primary motivations from the different Chinese regulatory bodies? What are they hoping to achieve when it comes to data and cyber?

Samm Sacks: Part of this story is entirely domestic. Part of it has to do with the United States and China’s place in the global data order (if there is such a thing). So let’s just talk about, domestically, what’s happening.

One of my good friends works in Shanghai, and she told me that one time she was meeting with a Chinese company, talking about one of the new laws that had just come out. They were meeting with their Chinese regulator, and one of the questions that came up was, “Who in your company manages cybersecurity?” And the answer was the baoan (保安) — the security guard. And I love this story because it is so telling. Sometimes things are very common-sense and there’s nothing nefarious — even though I think in the United States we want to make everything nefarious in China.

The Cybersecurity Law — the center of this data-governance system — at its core, comes down to the fact that the cybersecurity maturity of so many Chinese companies was so low that the baoan, the security guard, was their cybersecurity point person.

And I think there was a recognition that the digital economy is a big part of China’s model shifting from low-value-add, export-driven growth to this new economy; and particularly now, given all the economic pressure China is under, having a secure online space — where people didn’t feel like they were going to be defrauded, and being able to say that someone besides the baoan is in charge of this — matters. I think there are genuine concerns around that — for instance, Chinese consumers online have been calling for more protections around how their data is handled.

The other factor — and this comes out to the Data Security Law, which took effect in 2021 — is that I think there’s a massive organizing and inventory exercise going on: the Chinese want to understand what data assets companies actually have, because they recognize that data is what they call the “fifth factor of production” — it’s a strategic part of the economy, after land, labor, and capital. Part of the Data Security Law was just getting companies to look at what data assets they are collecting, acquiring, sharing, and with whom, just so China’s leadership could get a hold on, “We have this strategic economic asset in the form of data, but we don’t really know who has what.” And I think that was another big part of it.

There’s significant political power in the companies that have these troves of data. So at a moment, as the Xi leadership is looking to consolidate its power — particularly over the private sector — data will be a main point of focus; and these laws provide some new guardrails and authorities around that process.

Jordan Schneider: Let’s talk about the laws. Maybe we’ll do like a little power ranking — which one gets CISOs shaking in their boots most?

Samm Sacks: I like the question of what gets CISOs shaking in their boots — I think that’s a great way to look at it. Let’s hone in on the big questions around this.

There are literally hundreds — some mandatory, some recommended (but maybe actually really required, but we don’t know exactly) — of standards around data, around information systems, around network infrastructure. What are the things that, from a domestic or multinational-company perspective, are causing the most concern?

I would say one of the big questions is, “What kind of data will be required to be stored on local servers, and will the Cyberspace Administration of China — China’s all-powerful cyber regulator — allow outbound transfers of that data?”  

When the Cybersecurity Law first took effect in 2017, I think people were really worried about data localization. But the truth is, a lot of those restrictions were not fully implemented, and so many companies that operated in China were still sending a lot of data out of the country; they were really operating in that gray zone.

When the Data Security Law and Personal Information Protection Law took effect in 2021, there was a lot of gloom and doom in the corporate sector because it seemed as though that gray zone allowing outbound data transfers was going to go away — because suddenly, the requirements appeared, as written, much more strict.

We still don’t know entirely what that will look like. Just today we found out that the CAC, the Cyberspace Administration of China, has approved its first outbound data transfers: they’ve allowed, I believe, a Chinese hospital to collaborate on cancer research with an organization in the Netherlands; they will be sharing data in the context of that collaboration. That’s a big deal, because traditionally the Chinese government has treated medical data as extremely sensitive, and it was one of the first sectors where they actually put out a regulation requiring local data storage and restricting it. So that’s really interesting that they’ve allowed that collaboration. But we still don’t know, so I would just bucket — first, big issue of concern: data localization really matters for global operations for companies.

The other one has to do with whether the United States will be able to access data that is stored in China for law-enforcement purposes. From the view sitting in Washington, we often hear a lot of worries about, “Will this Chinese software app be sending American sensitive data to China?” Well, in China they’re really worried about the opposite of that — and so, one of the most significant parts of the Data Security Law is that it creates a blocking mechanism where it says, “We can actually compel companies to not share their data with foreign law enforcement.”

This has been a long-standing concern. There’s a hypothetical example that always comes up — let’s say Microsoft is the hypothetical. Microsoft China has a joint venture in China to offer cloud. If Microsoft China is collecting data on Chinese citizens, could Microsoft be compelled by the US government to share that data with law enforcement or national security? Because even though it’s held in China, under the US CLOUD Act — and I’m not going to get into too many details … anyway, you see where this is going. Both sides are looking to wall off their data access to the other. So there are a number of areas like this that I think have anyone who’s doing cross-border business a bit concerned.

TikTok’s Odds

Jordan Schneider: So Samm, maybe now’s an interesting place to get into TikTok, which I think has gotten the most press from the “data localization, where are the servers?” question over the past few years.

Are the US and Chinese just misinformed in wanting to do this? What’s your view? I think the listeners of this podcast probably have a pretty good sense of where I stand on this topic, so we don’t need to rehash that — but what’s your take, Samm, on what does and doesn’t make sense from a broader national-interest perspective when it comes to those sorts of data?

Samm Sacks: My understanding is that there is a national-security agreement that has been signed off on by very senior national-security experts as part of the CFIUS process — the Committee on Foreign Investment in the United States. I have not seen the details of that agreement, but based on my experience with how these things work and conversations I’ve had, this agreement would create a structure that would essentially allow TikTok to operate in the United States by having Oracle serve as the data controller.

The data would all reside within the Oracle cloud, and the types of data that would exit the cloud would be subject to control and monitoring, not only by Oracle, but by a number of third-party CFIUS-vetted and -nominated entities. And that data would also include things like, if you send a DM to someone in another country, or if you want your video to be looked at by someone in another country. 

There are a lot of contours of the deal, and the details have not fully been released to the public. I think the debate is, “Will this deal provide enough oversight and control of what third parties have access to the data?”

The other part of the deal has to do with the online content that the recommendation system would put forward. Oracle’s and third-party auditors — as well as an oversight board of CFIUS-vetted and -approved senior personnel who would report to a different entity, not ByteDance, not TikTok — would be verifying the recommendation system, the code, the algorithm. So a very technical, robust solution is on the table that has been negotiated for several years now.

I think the question is, “In the current political climate, is this national-security agreement, this technical solution enough to answer those political concerns?” And I’m not going to say yes or no, or that I think this is or isn’t. But what I will say is, if this goes forward, I think it’s the path of the future. If you are a TikTok, if you are a multinational company in China, if you are a multinational company operating in Europe, I think this is the blueprint for what the future looks like: in order to operate in one of these regions, you partner with a local company; that local company serves as your data controller and has complete ability to vet who’s accessing the data and where, what kind of online content is being promoted and where.

There are some similarities with, say, the Apple-Guizhou cloud agreement. There are some similarities with a Microsoft–Deutsche Telekom agreement. So I think what we’re beginning to see is this model, which is what global data flows and operating in third countries in the future will look like. And it’s a question of, “Is this the path we’re on?”

Jordan Schneider: It’s an interesting point, Samm, the idea of this model. My personal take is that TikTok is just going to be too toxic to be able to convince enough people in Congress that this is something that they can be comfortable with to move forward. But I might be wrong.

But even if TikTok isn’t able to walk through this door, there’s still the idea that something like localized data stewardship ends up being the solution for any firm operating in any other country in the world. There are some rumors about Didi having to do data localization to another state-owned Chinese firm, because the Chinese government no longer trusts its own private companies to protect it in the way they want, and they are hoping to centralize that in an SOE or something.

The idea of nation-states being uncomfortable with foreign companies — or even domestic companies — following the data controls and regulations that they’ve put out is a really interesting one. Going back to the beginning, it’s another reason why we should care about this stuff: the China-plus-data questions will end up being relevant not just for companies that are operating inside of China, but potentially — as you’ve given us a window into the future — all firms operating internationally.

Samm Sacks: I think that’s right. I will say in terms of the environment being so toxic: I agree it is very toxic, but I also understand that these very detailed negotiations with CFIUS have been ongoing, and that credentialed, serious national-security, cybersecurity people are part of informing that process.

TikTok is a massive competitor to Meta — you have a Chinese parent company serving as one of the most important competitors to a major American social-media platform at a moment when we’re really concerned about the concentration of power, we’re really concerned about misinformation online, we’re concerned about data brokers operating around the world — so, we ban TikTok, we force a sale?

That data right now is completely unregulated on other social media platforms: Meta can turn around and sell that data via an open commercial market of data brokers to any foreign adversary it likes. Meanwhile, we know that January 6 and misinformation about public health are still rampant online.

So what has happened: by funneling everything through a China national-security threat, we haven’t actually solved some of the core problems that I think are enabling social media to really destroy the fabric of American society and democracy.

Jordan Schneider: So you had a big point. I’m going to make a little point. If folks remember, Dubai Ports World was going to make an acquisition of an American port — and, it was in fact not a scary thing at all: they had run the whole due diligence behind it, and Dubai was an ally. And whoever presented it went to George W. Bush goes, “Look, we have this great scheme. There’s this really creative thing we’re going to be doing. And it’s really totally fine. It’s not a national-security risk at all to sell this port to Dubai Ports World.” And W. goes, “Sounds great. Can’t do it. Sorry. This topic is too hot. I’m just going to stop this deal.”

So Samm waht you say about how this addresses the issues may be true [I don’t think it is] but I think there’s a way in which the political maelstrom either prompts a congressional response to force the administration’s hand, or, at the end of the day, the Biden administration just decides that they don’t want to be on the side of a Chinese social-media firm when push comes to shove and they have to make a decision.

Waging Data-Policy War

Let’s talk a little about foreign firms in China. What are the special considerations that they’re having to deal with in light of new regulations over the past few years?

Samm Sacks: Something that we haven’t talked about yet is, in the Personal Information Protection Law (which took effect in 2021), there’s an obscure provision in there — which I think is one of the most important ones — that creates a blacklist in response to what would be perceived as discrimination against China by a foreign government. And what this means: multinational companies could be placed on a blacklist where they’d be prohibited from handling Chinese data. 

It hasn’t actually been implemented — I haven’t heard of any case of it being implemented yet — but what is so important about it is this could potentially impact companies that aren’t even operating in China. If you’re handling Chinese citizens’ data anywhere in the world — say, you’re servicing another company that is — you would be prohibited under this blacklist. And I think this is one of the tools that China has in its toolkit if it wanted to retaliate against the United States for a number of actions that we’ve seen or policy proposals in the so-called Tech Cold War (although we don’t want to use that term, because I know a lot of people don’t like that term). But this is something that I think would have really significant ramifications if they decided to use it.

Jordan Schneider: It’s interesting thinking about the response function. We basically haven’t seen anything post–October 7 export controls. But on the software side, I wonder, if we end up in a worst-case scenario for TikTok, what that means for US firms in China.

Samm Sacks: This is certainly something that I would look at. But to your point, it’s interesting: even in the heyday of the Trump administration when Huawei first was in the crosshairs, at one point we thought that Huawei’s lifeline with TSMC was going to be cut off. Even then, you’re talking Huawei, Taiwan, chips — it doesn’t really get more impactful than that.

Yet China didn’t use any of the retaliation tools in its toolkit: it has the Anti–Foreign Sanctions Law, the MOFCOM Blocking Statute, the Unreliable Entity List. China has not retaliated. I think that’s really interesting: in part I think it reflects, again, immense economic pressure that they’re under, and I think there’s still an interest in keeping flows of foreign investment and talent and know-how going into the country. And maybe if anyone wants to try to find a constructive solution here, that might be something to explore. 

Jordan Schneider: It is striking that there’s been a whole lot of economic coercion over the past five years, but it’s all been China relative to countries that are one-half, one-third, one-tenth its size. And it’s clear that taking that step with respect to the US is not something that there’s a consensus on within the system yet — or Xi hasn’t decided that this is the right tactic to go achieve whatever national aims he has; and that calculus may change.

But I think you’re right, Samm: there’s something there that the Chinese government doesn’t want to necessarily push into a spiral, which could get even more dramatic on the tech-war stuff — maybe just because they think they have more to lose.

Samm Sacks: But I would also say that, if you look at the tools that have been proposed in Washington as well, a lot of these have also not been implemented to their full effect. So when we talk about economic technological decoupling, there’s been a lot more bark than bite. And the October 7 export-control package, of course, is potentially a game changer, and I think it’s going to have far-reaching ramifications, no doubt. But I think there are still a lot of open questions around how far this stuff is going to go.

We thought that this fall we were going to see a new outbound Ford investment regime set up, but the administration wasn’t able to come forward with that because I think there’s still a lot of debate about, “How do you scope that? How do you define a US or a foreign investment?” In previous rounds of export controls and entity listings, there were a lot of licenses that were granted to continue doing business. And then again, on the Chinese side, these decoupling retaliatory tools haven’t actually been activated yet.

So I think both sides have put in place the policy infrastructure, but I think there’s this recognition that, at the end of the day, if we take them to their full effect, there are catastrophic effects to the global economy. I think the question is, “How far are people willing to go?” And there’s still significant debate in both capitals, between hawks and pragmatists, about where this is going to go and how far to take the policy infrastructure.

Jordan Schneider: I hear you’re teaching a course about all this stuff. 

Samm Sacks: Yes, I’m teaching a course. It comes out of over a decade that I’ve spent working on China technology and data policy, both with the national security community, the private sector, and now in the think-tank space. We’ll be talking about a lot of these same issues, so if you’re interested in what you’ve heard on this podcast, I hope you’ll sign up.

Jordan Schneider: Samm Sacks, thanks so much for being a part of ChinaTalk.

Samm Sacks: Thank you, Jordan.

Do consider checking out Samm’s class to learn more on the topic!