Recent U.S. 'data decoupling' rules stirs public debate in China
The U.S. and China appear to be heading in opposite directions on data sovereignty and cross-border data flows
Right after the Christmas holiday, the U.S. Department of Justice unveiled its final rule called “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Under the rule, the U.S. government is setting up a national security review system for any outbound transfer of U.S. citizens’ “bulk sensitive personal data” and “government-related data” to China (including Hong Kong and Macao), Cuba, Iran, North Korea, Russia, and Venezuela. Essentially, this means that the federal regulation to limit cross-border data flows of Americans’ sensitive data to China—proposed by the Biden administration back in February—is finalized at the tail end of the administration.
This federal regulation has stirred debate within the U.S. Some experts compare it to China’s own data export rules, observing that U.S. cross-border data policies are now looking more like China’s. While the U.S. is starting to curb data flows for security reasons, China is loosening its data export restrictions to fuel economic growth. People worry that America’s shift here might embolden other protectionist countries to justify their own data localization or protectionist moves, which could threaten American tech companies operating globally.
Proponents of localization in other countries can use the shift in U.S. policy to justify a new wave of protectionist localization measures. U.S. tech firms operating around the world will be the easiest target of those localization measures, with consequences for human rights and U.S. national security beyond commercial loss. As we have argued previously, localization weakens cooperation with allies by making it more difficult to effectively share data for law enforcement, intelligence, cybersecurity, health research, and other common purposes. Restrictions on data flows imposed on U.S. firms by countries beyond China undermine the competitiveness of U.S. digital industries, reducing leadership in AI and cybersecurity-related capabilities. Limits on exports of personal data, such as the telemetry used in cybersecurity, could reduce the ability of U.S. cybersecurity companies to service the global market.The DOJ obviously disagrees, arguing that America takes a “free cross-border data” stance overall, only restricting transfers when a “national security risk” is involved in a specific commercial transaction. By contrast, they say, China generally defaults to restricting data exports—fundamentally different from the U.S. approach of “only restricting certain sensitive data deals.” Even if both sides rely on some numerical thresholds, the DOJ insists you can’t equate the two.
“Limiting Data Broker Sales in the Name of U.S. National Security: Questions on Substance and Messaging”——Peter Swire, Samm Sacks
Interestingly, this concern also seems to be raised in some public comments during the rulemaking process.
The DOJ obviously rejects such a comparison, emphasizing differences between the U.S. and China. According to DOJ, the U.S. supports the principle of free data flows across borders and imposes bans or restrictions only when specific commercial transactions pose “national security risks.” China, on the other hand, defaults to restricting data exits in most cases—fundamentally different from the U.S. approach of “only restricting particular sensitive data transactions.” Even when both countries adopt certain numeric thresholds, the DOJ argues, the two systems cannot be equated.
On the Chinese side, the CAC, China’s top cyber regulator, is trying to push back against these accusations from the U.S.
Last June, an unusual piece (given the CAC’s low-key style) by HU Xiao, Head of the CAC’s Data Management Bureau, which is in charge of cross-border data flow affairs, spent a big chunk of his talk discussing this matter:
“China's cross-border data flow security management is not targeted at all data but limited to important data and personal information. Important data refers to data of national significance, not corporate or personal significance. If a security assessment concludes that the export of important data will not harm national security and public interests, it can be exported. For personal information export, personal information processors can choose to apply for data export security assessments, obtain personal information protection certifications, or enter into standard contracts for personal information export with overseas recipients. General data not involving important data or personal information can flow freely across borders under the general compliance obligations prescribed by law.”
A most recent clarify was from a press conference held by the National Data Bureau on “Promoting the High-Quality Development of the Data Industry and Facilitating Enterprise Data Use” on December 31, 2024, where WANG Qi—HU Xiao’s deputy, the DDG of the CAC’s Data Management Bureau—addressed the issue directly (full transcript attached at the end of the article).
Wang emphasized that data export security controls in China don’t target all data, only “important data” and “personal information.” If a security assessment determines that exporting important data poses no threat to national security or public interest, the export can proceed.
According to Wang, by December 2024, the CAC had completed security assessments for 285 projects and processed 1,071 filings for standard contracts on personal information exports. Out of those 285 projects, 27—fewer than 10%—failed the assessment. Apart from a few that were denied due to insufficient necessity for exporting important data or potential security risks, most of the rejections were because data handlers didn’t get proper consent from individuals in line with legal requirements.
In March 2024, the CAC introduced and implemented the Provisions on Promoting and Regulating Cross-Border Data Flows, further easing data export rules. Wang says that after the Provisions took effect, the number of security assessment applications dropped by about 60%, while filings for personal information export contracts fell by about 50%. It now takes businesses fewer than 30 working days on average to go from online application to receiving results, much quicker than the 45-day window specified in the Measures for Security Assessment of Data Export.
Besides releasing “Provisions on Promoting and Regulating Cross-Border Data Flows” aiming to relax data export control, China also started piloting “negative lists” for data exports in several free trade zones, and even set up an exchange mechanism with the EU for cross-border data flows. At this year’s World Internet Conference in Wuzhen, China rolled out a global initiative on cross-border data flow,” highlighting “collaboration”.
From the perspective of many around the world—especially in the Global South—China’s approach to balancing data flows and national security now looks more open, confident, and inclusive. Its authorities are talking more about supporting cross-border data flows and discussing ideas like building “international data ports” or cross-border data service centers at the local level.
The DOJ's newly released regulation is clearly aimed at China and shows a distinct “special treatment,” which has caught the eye of many in Chinese policy circles. Some observers point out that this is the first time in U.S. history a system has been created to review cross-border data flows for specific countries. It effectively means that the previously touted U.S. principle of “free cross-border data flows” no longer applies to China, and amounts to a discriminatory restriction.
Keep reading with a 7-day free trial
Subscribe to Geopolitechs to keep reading this post and get 7 days of free access to the full post archives.