The Chinese government is doing its utmost to maintain control over the flow of digital information, both for the sake of security and to protect its own nascent tech sector. This poses risks for Western interests – but right now, the West is in no position to fight back.
Two recent high-level meetings illustrate a worrisome divergence in cyberspace policy. The first, the April meeting of G7 information and communications technology (ICT) ministers in Takamatsu, Japan, resulted in a joint declaration, reaffirming among other points, the principles of the free flow of information, privacy, data protection, and the promotion of cybersecurity. The joint communique read: “We continue to support ICT policies that preserve the global nature of the Internet, promote the flow of information across borders…We oppose data localization requirements that are unjustifiable taking into account legitimate public policy objectives.”
Just a few days earlier in Moscow, top Chinese and Russian ICT officials met to inaugurate the bilateral “Cyberspace Development and Security Forum.” The Russian and Chinese officials promoted the concepts of information control and “cyber sovereignty,” and agreed that they could not rely on the technologies of transnational IT firms.
In other words, the G7 group’s positions on cyberspace on the one hand and those of China and Russia on the other hand remain firmly at odds. But what does this contested political framework actually mean for Western businesses and organizations operating in China?
Fixed Game
Talking cyberspace and China, multiple interconnected issues come into play – national security, commercial interests, and domestic censorship. Those are coupled with an ever-changing, often opaque regulatory framework, whose latest additions include the new Cybersecurity Law that went into effect on January 1, 2016, and additional new rules regarding online publishing by foreign companies introduced earlier this year.
In a nutshell, these new laws require foreign companies to assist the Chinese authorities in decrypting user data, ostensibly to fight terrorism, and make it illegal for them to publish a wide range of content online unless they team up with a local company and obtain government approval. While Beijing argues that these laws are necessary for reasons of domestic stability and national security, they also serve as a powerful protectionist weapon to support China’s own tech sector.
These new cyber laws fit in neatly with Beijing’s overall grand strategy, one geared toward becoming a major power on par with the United States. The pillars of this strategy include the Chinese Communist Party retaining absolute political power, enhancing and restructuring the People’s Liberation Army (modeled on the US military), and tightening domestic information control. Additionally, a key Chinese objective is to achieve technological independence from foreign companies. This approach was highlighted again by President Xi Jinping in a speech given at the Work Conference for Cybersecurity and Informatization in mid-April when he stressed that “The fact that core technology is controlled by others is our greatest hidden danger.”
While China is unlikely to achieve parity with the US in terms of military technology any time soon, Beijing has done a rather efficient job sheltering the Chinese commercial IT sector. Major international players such as Google, Twitter, YouTube, and Facebook remain partially or entirely blocked in mainland China, and domestic platforms such as WeChat have become highly successful and, technologically speaking, increasingly sophisticated.
It is true that Beijing dropped a few particularly strict provisions from the Cybersecurity Law at the behest of Washington – provisions requiring international companies to keep the data of Chinese netizens on servers physically located inside China, and to provide the Chinese authorities with back-door access to their systems. But it re-introduced these concepts at the “Cyberspace Development and Security Forum” in Moscow. Other measures in the same vein include proposed revisions to China’s domain name management law that call for the domains of websites hosted in China to be filed with a Chinese registrar. These proposed provisions again drew criticism from the US government.
Pushing for “Digital Sovereignty”
It is likely that Beijing will continue to pursue its dual goal of complete information control at home and technological independence by further promoting a breaking up of the internet and the creation of national borders in cyberspace. Experts have referred to this as the “balkanization” of the internet, and have warned of a new legal arms race that could have profound impact on the future of the web. Data localization measures such as the ones introduced by Beijing are a central force behind this alarming push for “digital sovereignty.” Spearheaded by China and supported by illiberal regimes such as Russia, Cuba, and Saudi Arabia, these policies restrict the free flow of data, hamper innovation, and threaten the transnational architecture of the internet.
At the same time, it remains to be seen how the new Chinese laws will actually be implemented. One has to suspect that the ambiguity in some of the language of the Cybersecurity Law and the online publishing regulations is actually intentional. As is customary in Chinese political and business culture, vagueness provides officials and executives with room to maneuver. It seems reasonable to assume that the Chinese authorities will give Western businesses as much space in the Chinese market as is necessary to gain access to valuable technologies and satisfy consumer demand for foreign brands. However, once there is nothing to gain – or even worse, much to lose (e.g. control of the digital media) – Western companies may get blocked from the market.
Ultimately, Western businesses have to get used to the idea of (at least partly) operating in a grey zone, which, of course, makes them vulnerable to attack. Even though they often have the option of teaming up with a local partner – as explicitly mentioned in the online publishing regulations – this is by no means a guarantee of smooth sailing either. Such arrangements do not prevent the authorities from investigating Western companies for alleged violations (e.g. Microsoft), or the partnerships with Chinese firms turning sour.
And, at least in the short term, there is a limit to the diplomat pressure the West can exert in this area. The repeal of the “safe harbor” agreement last fall showed that there are considerable differences between European and American officials on issues of privacy and data protection, and it is unclear if a new data transfer agreement will be approved by the EU member states. The Snowden revelations also gave China a powerful tool to discredit Washington’s conduct in cyberspace, and enabled Beijing to promote its own version of a “safe” and controllable “harbor.”
While Washington may indeed have lost the moral high ground, the other members of the G7 should still do their utmost to mend fences, reach a new data transfer agreement, and demonstrate unity. More broadly speaking, when it comes to internet governance, the G7 should continue pushing for a multi-stakeholder model based on international cooperation with the objective of formulating a new, transnational legal framework. A pragmatic approach to this admittedly daunting challenge would be to focus on somewhat less controversial cyber norms first, and to win the clear support of countries like India and Brazil.
In any case, it is a battle worth fighting: the G7 should not capitulate to China and let Beijing’s vision of a fractured internet become an acceptable model.