About the author: Reva Goujon is a macro geopolitical strategist and director for China Corporate Advisory at Rhodium Group.
The urge to embrace an artificial intelligence-driven era of economic growth is colliding with state paranoia over data weaponization. It’s a combustible mix, stoking a geopolitical standoff between Beijing and Washington over whose data regulations reign supreme. But this cocktail could also compel a fundamental reset in the strategic competition between the U.S. and China.
A pattern has emerged in recent years. Economists model how many percentage points of gross domestic product growth can be sourced from data flows to reinvigorate the global economy. Big-name consulting firms spotlight those estimates, entreating companies to embrace the brave new digital world with tropes like “data is the new oil.” Political leaders tout the potential of the digital economy, all while steering bureaucrats toward building safeguards to mirror their nation’s culture and norms.
The growth story is alluring. But beneath it lie the dark, murky waters inhabited by compliance officers and auditors. This is a world where data stewards wrestle with questions like, can a foreign Internet-of-Things company using U.S.-based cloud servers collect real-time data without posing a national security threat? Can an AI researcher sitting in Silicon Valley access data collected from vehicle sensors halfway across the world? Does a company board have the fiduciary responsibility to divest if another country’s data security laws make it impossible to perform audits?
These questions are mounting in complexity. With a generative AI leap now underway, a geopolitical obsession with the potential—and pitfalls—of the data economy has been kicked into high gear.
China has had a rude awakening on these issues. Chinese leader Xi Jinping attaches great importance to the development of the digital economy. He sees the buildup of digital infrastructure and interconnected systems via AI, cloud computing, and the Internet of Things as the “informational arteries” powering China’s economic growth and global competitiveness.
Xi is also candid about the risks. He acknowledged in an October 2021 speech that China’s digital economy wasn’t yet competitive compared to other global players. He went on:“We must also recognize that while enjoying a spell of rapid growth, the shoots of some unhealthy and irregular trends have emerged in the digital economy. These problems have not only affected the sound growth of our digital economy, but have also run counter to our laws and regulations, posing a threat to our national economic and financial security.” Xi pledged to address those problems.
Taking cues from Europe, China’s leadership recognized early on that being a regulatory first mover in data governance could generate big geopolitical dividends. When the European Union’s General Data Protection Regulation came into effect in 2018, China had already developed a raft of proposals on personal data, critical information infrastructure, cybersecurity, and cross-border data flows. These proposals culminated in the two main pillars of China’s data security regime: the Personal Information Protection Law, modeled after the GDPR, and the more byzantine Data Security Law.
Beijing’s philosophy on data sovereignty rests on several principles: data localization requirements, state oversight and restrictions on cross-border data flows, the right to force transfers of source code, the protection of personal data, and the state’s right to sweeping surveillance powers. China assumes its economic heft will draw companies and other countries into its data security orbit. Beijing’s confidence was boosted by the U.S.’s laggard approach toward data security regulations.
But Washington may have finally gotten its wake-up call. In contrast to the EU and China, the U.S. has taken an ad hoc approach to data security. Policy makers have incrementally built on a patchwork of laws at the federal and state levels that have focused mostly on personal data protections for consumers and cybersecurity. But the U.S., jolted by its competition with China, is now plunging into the data-security debate and upsetting Beijing’s plans.
Take, for example, the Restrict Act introduced by Sen. Mark Warner (D., Va.) in March. The bill has bipartisan support and an endorsement from the White House. It calls for the U.S. to graduate from its current Whac-a-Mole approach in targeting companies like TikTok and Huawei to a comprehensive framework in assessing national security risks from information and communications technology products or services tied to China and other entities of concern. The intent behind the legislation is to look beyond today’s debate on restricting Chinese-owned social media platforms. Building on the Department of Commerce’s existing “ICTS Rules”, the Restrict Act would cover a wide range of applications, including cloud-based computing autonomous vehicles, fintech platforms, and biomanufacturing supply chains.
The U.S. is also finding ways to neutralize China’s data security regime. U.S. lawmakers often point to Article 7 in China’s National Intelligence Law and Article 28 of China’s Cybersecurity Law in arguing that Beijing’s ability to compel companies in China to share data with the state intelligence and security apparatus poses an intolerable risk to U.S. national security worthy of drastic policy measures. If Chinese companies with suspected civil-military ties try to use China’s data security laws as a shield to stymie U.S. regulators, they can end up on the U.S. Commerce Bureau of Industry and Security Unverified List. That designation is seen as a fast track to the BIS Entity List, which subjects foreign firms to strict licensing requirements. And if Chinese companies listed on U.S. public exchanges want to maintain access to the most liquid capital markets in the world, then Chinese data regulators must permit local auditors to cooperate with U.S. regulators, or else those companies will get delisted.
But Chinese regulators may have their revenge. The hissing sound of China’s deflating data security regime appears to have hit a nerve in Beijing. China bent to U.S. pressure last year in a dispute over auditing. Since then, Chinese regulators have been trying to wall off sensitive companies from U.S.-based Big Four accounting firms and the prying eyes of the U.S. Public Company Accounting Oversight Board audit inspectors. Non-China-based researchers are now restricted from using the China National Knowledge Infrastructure, the country’s biggest academic database. Questions loom over the fate of local staff from Mintz Group, a U.S.-based due diligence firm whose Beijing office was raided on March 20.
Some of these moves appear to be defensive. Beijing’s paranoia is growing over U.S. regulators gaining access to data on Chinese companies that can then be used to drum up even tighter tech and investment restrictions on China. Some are offensive, as in China’s April 1 announcement that it will conduct a cybersecurity review of major semiconductor firm Micron. That will be the first such review of a foreign firm by China’s cyber regulators.
The policy debate in Beijing may be fierce as regulators try to patch up holes in its data security regime while assessing the fallout from pushing back on the U.S. After all, the stakes are high. Multinational companies are already grappling with questions on the costs and trade-offs of deeper localization in China. Between China’s tech indigenization policies and U.S. long-arm measures in export controls, outbound investment screening, ICT cybersecurity, and industrial policy guardrails, the risk of entanglements for strategic sectors is climbing. This uncertainty may have a profound effect on China’s foreign investment climate. While Chinese official data depicts a healthier picture of sustained inbound investment in China, alternative sources—including Rhodium Group’s tracking of U.S. and European foreign direct investment—reveal that FDI into China is stagnant and investment is becoming more concentrated among a smaller number of mostly industrial firms.
Beijing is also watching warily as the U.S. tries to create a coalition among Group of Seven members to establish standards and norms to govern cross-border data flows. This is a priority theme for Japan’s G7 leadership this year, as an eager Tokyo tries to forge ahead with its Data Free Flow with Trust framework. There are still significant gaps to bridge, particularly between the U.S.’s more market-friendly approach (and fixation on China) and Europe’s more interventionist approach on privacy issues (while trying to avoid singling out China.) Negotiations like these take time, and political reticence toward binding free trade agreements heightens the challenge. But disruptive technologies are also catalyzing the conversation.
Meanwhile, deep inside multinational corporations, compliance officers are resorting to creative means to comply with competing data regimes. But that gray zone is getting tighter in this geopolitical climate. And the closer the G7 gets to a cohesive posture on data protections, the more Beijing must consider whether its own data security regime will inhibit Chinese companies’ ability to compete overseas.
This issue may be the breaking point for data security, and it’s the one to watch in the coming years. Can China bring its economy back to health, preserve foreign investment, and facilitate Chinese competitiveness abroad if its sticks to a heavily statist approach on data security rules? Or will the realities of what it takes to compete in an AI-driven global economy, U.S. tech controls, and the potential for closer G7 alignment compel a reset in Beijing? There is no one path, just the historical reminder that mounting constraints can drive big change.
Guest commentaries like this one are written by authors outside the Barron’s and MarketWatch newsroom. They reflect the perspective and opinions of the authors. Submit commentary proposals and other feedback to [email protected].
Read the full article here
