This week:

• China’s cross-border data policy is taking shape, but are its motives political? 
• Big Tech’s use of data and pipes under the microscope
• Might personal data eventually be owned by the person?

Multinational companies are likely to face further challenges when moving data across China’s borders. The Cyberspace Administration of China released its template for cross-border data transfer agreements at the end of June, and lawyers have since been poring over it to figure out its implications. Paul Hastings LLP says the measures, effective Sept. 1, will mean that “multinational companies dealing with very sensitive data or voluminous personal information originating from China will have to act quickly to map their data and devise a long-term plan that not only complies with the Chinese rules, but also takes into account potential conflicts of law risks.” A team from DLA Piper says the draft standard contractual clauses, or SCCs, “may not provide the easy approach to cross border transfers of Mainland China personal data” they had hoped for.

While most of the initial commentary on China’s draft regulations is coming from legal teams, the underlying issue is a broader, geopolitical one: An opinion piece by Gao Yandong, research fellow at a Hangzhou-based think tank Center for Research on Zhejiang Digital Development and Governance, wrote in Beijing mouthpiece Global Times back in February that “[r]estricting ‘data export’ is Beijing’s only current means to fight Washington’s data hegemony. In the long run, China aims to promote a global view of data that is inclusive, mutually beneficial, and equal. This is the responsibility of a great power.”

After China introduced its first tranche of legislation governing personal data last year, it was seen as a necessary move by some, to better protect citizen data in line with the European Union’s General Data Protection Regulation (GDPR) while also aligning with China’s emphasis on national security. Western governments stress the latter: Richard Moore, the head of Britain’s foreign intelligence agency MI6, argued last November that China was using economic policies to lay what he called a “data trap.” Moore told the BBC, “If you allow another country to gain access to really critical data about your society, over time that will erode your sovereignty, you no longer have control over that data.” 

That’s not to say the West is in complete agreement about what data should be allowed across borders. The Irish Data Protection Commission (DPC) is moving to block data transfers by Meta from the EU to the U.S., arguing that the SCCs Meta was using did not provide “sufficient protection for personal data.” Privacy activist Max Schrems, who initiated the complaint that indirectly led to the DPC draft decision back in 2013, said that any actual ban on data transfers would likely be delayed in court.

Big tech companies may also face a tough fight in Europe over whether they should be paying for the pipes that carry their content, according to Light Reading. The European Telecommunications Network Operators’ Association, or ETNO, has called for “a fair and proportionate contribution by Big Tech companies to the network costs [its members] generate with their traffic.” ETNO, Light Reading news editor Iain Morris wrote, had not considered how much Big Tech should pay, leaving such matters to the European Union. 

The post-Brexit U.K. government, drawing up its own guidelines to help cement its hopes of becoming an “AI and science superpower,” has been accused of “appeasing Big Tech,” according to Verdict. The government’s new artificial intelligence rulebook demonstrates that it is “adopting a light touch to ensure that the sector can thrive,” the piece says, by relying on several regulators to interpret and implement the guidelines. The regulations suggest “there will be no real pressure on Big Tech to change its AI systems in the short term,” Verdict quotes Sarah Coop, thematic analyst at GlobalData, as saying. Legal firm DLA Piper offers a more nuanced assessment, concluding that “the Bill does balance a softening of the rules in certain areas with enhanced regulation in others.”  

The early months of the COVID-19 pandemic prompted extended discussion about how documentation showing an individual’s state of vaccination and immunity might take into account personal privacy. Some of that discussion involved avoiding dependence on any centralized data authority by using decentralized identifiers, or DIDs. Although such plans did not bear fruit, decentralized identifiers have become an official web standard, in theory allowing individuals and organizations to take greater control of their data, providing greater security and privacy.

The World Wide Web Consortium, or W3C, which creates technical standards for the web, compared the move to mobile phone numbers, which were originally owned by operators and only “rented” to the user.  Only later were individuals able to transfer their phone number when they changed carriers. DIDs, W3 said, would not only allow users to own their identity but also enable verification of the owner, meaning that for “individuals in particular, DIDs can put them back in control of their personal data and consent, and also enable more respectful bi-directional trust relationships where forgery is prevented, privacy is honored, and usability is enhanced.”

There is evidence, admittedly from a source that might be considered to have an interest, that users are more discerning about what data they are willing to share with companies. A survey by Permutive, a company that allows publishers and advertisers to “effectively use first-party data, without ever exposing consumers’ personal information,” found that nearly three quarters of respondents “are concerned about brands being able to view and track their online behaviour to target them with advertising,” and that only 27% “say they completely understand how their personal data is used by brands and companies to target them with advertising online.”

The value, and vulnerability, of private data was highlighted in a report by The Guardian, which found that Australia’s Border Force had seized or retained more than 1,000 mobile and other computing devices from people entering Australia in the past five years. Customs laws allow officers to examine people’s devices without a warrant when they visit or return to Australia. The process, the report said, was “shrouded in mystery,” with information about the policy only revealed as the result of freedom of information requests and parliamentary processes. 

---

Jeremy Wagstaff, formerly a technology journalist with Reuters, now works as a writer and consultant. Past clients have included Microsoft, Google, Cisco, Samsung and Facebook. He has no current clients among, or financial interest in, any companies in the Fortune 500.