This webinar discusses the most recent legal and policy changes on cross border data flows in the U.S. and China.
Speakers are: Samm Sacks (Research Scholar in Law and Senior Fellow at Yale Law School’s Paul Tsai China Center), Peter Harrell (Fellow at the Carnegie Endowment for International Peace), and Peter Swire (Professor at the Georgia Tech Scheller College of Business and the School of Cybersecurity and Privacy, Research Director for the Cross Border Data Forum and Senior Counsel at Alston & Bird LLP)
Moderator is: Lee Matheson (Deputy Director for Global Privacy with the Future of Privacy Forum).
Episode Highlights:
[00:00] – Introduction and presentation of the panel experts
[01:16] – Samm Sacks’s analysis of recent legal and policy developments on cross border data flows in the U.S.
[02:30] – The Notice of Proposed Rulemaking issued by the U.S. Department of Justice to implement Executive Order 14117 of 28 February 2024 on Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern
[06:30] – New exemptions under the Notice of Proposed Rulemaking issued by the U.S. Department of Justice to allow for certain transfers of personal data to Countries of Concern such as China
[07:12] – The overhaul of the Chinese cross border data transfer framework
[09:26] – The implications and regulatory uncertainties of the new requirements of the Chinese cross border data transfer framework
[10:39] – Samm Sacks’ conclusion on cross border data transfer regimes in Beijing and Washington, D.C.
[11:35] – Follow-up questions by Lee Matheson on possible clarifications of Chinese cross border data transfer requirements by the Chinese regulatory apparatus
[15:00] – Peter Harrell’s analysis of U.S. cross border data transfer regulatory changes and recent events that raised privacy, data protection, and cybersecurity concerns
[17:56] – The rise of geopolitical competition between the U.S. and China and three types of risks the U.S. Government is trying to address with regard to U.S.-Chinese data flows
[24:38] – Follow-up questions by Lee Matheson on the most significant threat posed by U.S.-Chinese data flows and how it can drive U.S. regulatory changes
[27:40] – The importance of taking action to address the direct threats posed by U.S.-Chinese data flows
[31:30] – Peter Swire’s analysis of the dual use of technology in the U.S.
[33:00] – Peter Swire’s remarks on how to address risks of espionage and cybersecurity attacks: a U.S. national security firewall, thoughts on sanctions regimes, and U.S. soft power
[37:15] – Follow-up questions by Lee Matheson on cybersecurity attack risks
[47:25] – Follow-up questions by Lee Matheson to all panel experts on how to address concerns in concrete U.S. regulatory actions
[53:00] – Questions from the audience
Quotes:
Samm Sacks: “[Recent U.S. transfer restrictions are] very much an evolving on-going exercise and there is significant exchange happening, between industry, academic, and other experts, and the [U.S.] Department of Justice and other officials, including sector related regulators who are in the process of scoping. This is a very dynamic landscape.”
Samm Sacks: “The combination of the Notice of Proposed Rule Making and the new Department of Justice’s Program, and the Data Broker Bill, essentially mark a sea change, [regarding] the U.S. Government’s position on regulating data flows to specific destinations, with pretty far-reaching implications.”
Samm Sacks: “The response from allies and partners around the world, I think particularly coming after the U.S. trade representatives’ choc decisions withdrawal from the Joint Statement Initiative on e-commerce negotiations at the World Trade Organization has raised questions about the U.S. moving away from some of its long-standing positions on open data flows. That’s an important and interesting debate to have with experts.”
Samm Sacks: “A significant change [in China] is underway. Essentially China’s existing cross border data transfer framework [is] widely viewed as unworkable.”
Samm Sacks: “What are the remaining regulatory uncertainties in this new [Chinese transfer] regime, despite the leadership’s intent to signal market openness for foreign investments? [These] include a number of things, one of them is this long-standing ambiguity over a category of data known as “important data” that is deemed vital to national security, and [that is] subject to more strict localization requirements.”
Samm Sacks: “In some places these [cross border data transfer] regimes operate in relation to one another, but in many cases, they are operating in their own independent trajectories, and I think depending on how rules shape up in each, we can see a sort of ripple and mirror effect.”
Peter Harrell: “All these actions [restricting cross border data flows with China] – whether the Bulk Data Executive Order, and the Protecting Americans Data from Foreign Adversary Act, or these actions on Chinese devices – are being driven by the rising geopolitical competition between the U.S. and China, and in particular by policy makers here in Washington, D.C., [that] view that data flows to China and China’s control of connected devices and certain products here in the U.S. can pose [certain risks].”
Peter Harrell: “U.S. policy makers are [also] concerned about (…) the influence risk: we saw a lot of debate in Congress and out of the Biden-Harris Administration, about concerns that China could somehow covertly have TikTok influence American public opinion, by influencing the algorithm, the surface, [with] pro-Chinese or sympathetic to Chinese interest propaganda here in the U.S., (…) to try and sow division and other kinds of disinformation.”
Peter Harrell: “These concerns that have been driving [new regulatory action in the U.S.] are quite strong on a bipartisan basis: we have seen these concerns raised by both republicans and democrats in Capitol Hill. (…) I think we are going to continue to see a major focus on both the U.S.-China data flows and on the internet connected devices going forward, regardless of what happens in November.”
Peter Harrell: “The espionage risks are going to be the most important [ones] in shaping the U.S. Government policy debate over the next couple of years.”
Peter Swire: “[We] try to prevent the military stuff from going to our adversaries. That’s a very central part of U.S. law and policy.”
Peter Swire: “The U.S. has been unable to pass a general privacy law, but 500 [votes] to 0, the House of Representatives passes the Protecting Americans Data from Foreign Adversary Act. The politics is entirely different, partly fuelled by these very vivid and in some ways plausible images of [potential cybersecurity] attacks.”
Peter Swire: “You think of all of Latin America, all of Africa, all of the other countries in the world that up until now trade with the U.S. and trade with China: if the U.S. is putting super strict limits on anything dribbling through to China, then all these other countries probably will come under pressure to be locked down and not let stuff get to China.”
Samm Sacks: “China right now faces a significant data disadvantage when it comes to AI, which is that the data sets that they are working with tend to be homogenous, they tend to be taken from a demographic made up largely of Chinese speakers, Chinese citizens within China. In order to really develop globally competitive AI products and services that can work outside of China, they are going to need to get access to larger international diverse datasets.”
Peter Harrell: “Failure to have a national data privacy bill really undermines the data security goals vis-à-vis China.”
_________________________________________________________________________________________
In this webinar, Lee Matheson questions panel experts Samm Sacks, Peter Harrell, and Peter Swire on the most recent legal and policy changes on cross border data flows in the U.S. and China, and on the risks posed by the potential access by China to U.S. data.
Samm Sacks presents in the first part of the webinar the latest actions taken by the U.S. to regulate cross border data transfers, such as the adoption by the Biden Administration of the Executive Order 14117 of 28 February 2024 on Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern (EO), the Notice of Proposed Rulemaking issued by the U.S. Department of Justice to implement the EO (NPRM), and the passing of the Protecting Americans Data from Foreign Adversary Act (the Data Broker Bill). Sacks comments on the program proposed by the NPRM and explains under what circumstances certain data may still be transferred abroad.
Sacks additionally offers a comprehensive analysis of the overhaul of the Chinese data transfer framework with the adoption, by the Cyberspace Administration of China, of new cross border data flows requirements that apply to global companies that operate in China. Sacks sheds some light on the lack of clarity of certain aspects of the Chinese framework and underlines how this may affect enforcement procedures and create uncertainty for international companies.
In the second part of the webinar, Peter Harrell analyses recent events that have raised privacy and security concerns in the U.S. (e.g., Surveillance via Chinese cargo cranes at U.S. ports, the TikTok ban and the threat of major attacks via connected vehicles manufactured in China and used by American citizens). Harrell also discusses the three types of risks that can arise from the Chinese access to and control of U.S. data (the privacy and espionage risk, the influence risk, and the disruption risk) and he provides some insights on how such risks can be addressed by the U.S.
In the third part of the webinar, Peter Swire shares his thoughts on the dual use of technologies (for military and civilian purposes). Swire also complements Harrell’s descriptions of the risks posed by Chinese access to U.S. data and he provides his assessment of the possible actions that can be taken by the U.S. to mitigate those risks, such as the implementation of a U.S. national security firewall or the use of political soft power. Swire balances the opportunities and challenges of such actions and alerts on the impact of new restrictions that could harm the U.S.’s relationships with its allies but also with any other country that trades with China.
Matheson closes the debate by gathering the opinions of the three experts on the most plausible next steps that could be taken by the U.S. to address the threats posed by U.S.-Chinese data flows.
* * *
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
