Data Sovereignty
From the Digital Silk Road to the Return of the State
Edited by ANUPAM CHANDER AND HAOCHEN SUN
Oxford University Press is a department of the University of Oxford. It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide. Oxford is a registered trade mark of Oxford University Press in the UK and certain other countries.
Published in the United States of America by Oxford University Press 198 Madison Avenue, New York, NY 10016, United States of America.
© Oxford University Press 2023
Some rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, for commercial purposes, without the prior permission in writing of Oxford University Press, or as expressly permitted by law, by licence or under terms agreed with the appropriate reprographics rights organization.
This is an open access publication, available online and distributed under the terms of a Creative Commons Attribution – Non Commercial – No Derivatives 4.0 International licence (CC BY-NCND 4.0), a copy of which is available at http://creativecommons.org/licenses/by-nc-nd/4.0/.
You must not circulate this work in any other form and you must impose this same condition on any acquirer.
Library of Congress Cataloging-in-Publication Data
Names: Chander, Anupam, editor. | Sun, Haochen, editor.
Title: Data sovereignty : from the digital silk road to the return of the state / Anupam Chander, Haochen Sun.
Description: New York : Oxford University Press, 2023. | Includes bibliographical references and index. | Identifiers: LCCN 2023032525 | ISBN 9780197582794 (hardback) | ISBN 9780197582817 (epub) | ISBN 9780197582800 (updf) | ISBN 9780197582824 (online)
Subjects: LCSH: Internet—Law and legislation. | Data protection—Law and legislation. | Data transmission systems—Law and legislation. | Digital media—Law and legislation. | Privacy, Right of. | Computer networks—Law and legislation.
Classification: LCC K 564 C 6 D 35 2023 | DDC 343.09/944—dc23/eng/20230914
LC record available at https://lccn.loc.gov/2023032525
DOI: 10.1093/oso/9780197582794.001.0001
Printed by Integrated Books International, United States of America
Note to Readers
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is based upon sources believed to be accurate and reliable and is intended to be current as of the time it was written. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. Also, to confirm that the information has not been affected or changed by recent developments, traditional legal research techniques should be used, including checking primary sources where appropriate.
(Based on the Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations.)
You may order this or any other Oxford University Press publication by visiting the Oxford University Press website at www.oup.com.
PART II
TECHN OLOGY AND ECONOMIC
IV.
6. Taobao, Federalism, and the Emergence of Law, Chinese Style
Lizhi Liu and Barry R. Weingast
I.
II.
III. Federalism, Chinese Style: Delegation and the Origins of Chinese
IV.
A. Decentralization and the Incomplete
VI.
7. Leveling the Playing Field between Sharing Platforms and Industry Incumbents: Good
Shin-Yi
I.
B.
8. The Emergence of Financial Data Governance and the Challenge of Financial Data
Giuliano G. Castellano, Ēriks K. Selga and Douglas W. Arner
9.
PART III TR ADE REGULATION
III. Data Governance and Influences on Digital Trade Policies in India
A. The Nexus of Data Governance and Digital Trade
B Digital Trade Policies Reinforce the Data Governance Complex
in the
11. Creating Data Flow Rules through Preferential Trade Agreements
I. Introduction
II. Digital Trade Provisions in PTAs
A. Developments over Time
B. Overview of Data-Related Rules in PTAs
III. Different PTA Templates for Digital
A. The U.S. Template
B. The Digital Trade Agreements of the
PART IV D ATA LOCALIZATION
12. Personal Data Localization and Sovereignty along Asia’s New Silk Roads
Graham Greenleaf
I. Types of “Data Sovereignty” and “Data Localization”
II. China, Russia, and Near Neighbors on the New Silk Roads
A.
C. Comparison of Chinese and Russian Localizations
III. South Asia: Three Bills
E. Comparison of South Asian Provisions
IV. Central Asia: Five Laws Include Some Localizations
A. International and Regional Agreements
B. Data Localization Measures in National Laws
C. Local Processing and Storage (Loc #1 and #2)
D. Data Export Conditions and Prohibitions (Loc #3 and #4)
E. Extraterritoriality and Local Representation (Loc #5 and #6)
F. “Outsourcing Exemptions”
G. Comparison of Central Asian Provisions
Kyung
I.
III. The Influence of the Schrems II Judgment of the CJEU
A. The Starting Point: Data Localization Is Not in the GDPR’s DNA
B Calls for Data Localization After Schrems II
C. Initial EDPB Guidance: Toward De Facto Data Localization
D The New Model SCC’s and EDPB’s Final Guidance: A Degree of Room for a Risk-Based Approach?
E. Intensification of Enforcement of Schrems II by European DPAs and Rejection of a Risk-Based Approach
Introduction Sovereignty 2.0
Anupam Chander and Haochen Sun
The Internet was supposed to end sovereignty. “Governments of the Industrial World, you weary giants of flesh and steel, you have no sovereignty where we gather,” John Perry Barlow famously declared.1 Sovereignty would prove impossible over a world of bits, with the Internet simply routing around futile controls.2 But reports of the death of sovereignty over the Internet proved premature. Consider recent events:
• In late 2020, on the eve of what was to be the world’s biggest initial public offering (IPO) ever, the Chinese government scuttled the listing of fintech provider Ant Group. Before the failed offering, Ant’s CEO, Jack Ma, had made what some saw as a veiled critique of the government: “We shouldn’t use the way to manage a train station to regulate an airport. . . . We cannot regulate the future with yesterday’s means.”3 Chastened after Beijing’s intervention, Ant announced that it would “embrace regulation,” and Chinese netizens declared Jack Ma duly “tamed.”4
• In June 2021, France fined Google $593 million for failing to follow an order to negotiate with news publishers to compensate them for displaying snippets of the publishers’ news items before linking to them.5
1 See John P. Barlow, The Declaration of the Independence of Cyberspace, Elec. Frontier Found. (July 16, 2021), https://www.eff.org/cyberspace-independence.
2 As John Gilmore famously announced, “The Net interprets censorship as damage and routes around it.” See Philip Elmer-DeWitt, First Nation in Cyberspace, Time, Dec. 6, 1993, at 62.
3 Lily Kuo, “Jack Ma Is Tamed”: How Beijing Showed Tech Entrepreneur Who Is Boss, Guardian (Nov. 4, 2020), https://www.theguardian.com/business/2020/nov/04/jack-ma-ant-group-is-tamedsocial-media-reacts-after-china-blocks-ipo
4 Id.
5 See Gaspard Sebag, Google Told to Pay for News with Ultimatum and $593 Million Fine, Bloomberg (July 13, 2021), https://www.bloomberg.com/news/articles/2021-07-13/google-saidto-be-fined-593-million-by-french-antitrust-agency?sref=CrGXSfHu
Anupam Chander and Haochen Sun, Introduction In: Data Sovereignty. Edited by: Anupam Chander and Haochen Sun, Oxford University Press. © Oxford University Press 2023. DOI: 10.1093/oso/9780197582794.003.0001
• In July 2021, Luxembourg’s privacy regulator fined Amazon $887 million for data protection violations.6
• European Union (EU) authorities are simultaneously investigating Google’s ad technology, Apple’s App Store, Facebook’s Marketplace, and Amazon’s use of data from its third-party sellers.7 Even Facebook Dating receives unwanted attention from the British competition authority.8
• The technology giants are not safe even at home, as Ant discovered. In the home of most of the world’s largest Internet companies, the U.S. Federal Trade Commission (FTC) seeks to compel Facebook to divest WhatsApp and Instagram, while investigating Amazon for competing with merchants that use its platform.9 The federal government and all but two U.S. states are bringing antitrust claims against Google,10 and the U.S. Justice Department is investigating Apple’s App Store.11
• Assertions of digital sovereignty are hardly limited to Western nations. After Twitter deleted the Nigerian president’s tweets warning of a new civil war, the Nigerian government in June 2021 simply banned Twitter from the country. On the eve of an election in January 2021, Uganda went even further, ordering a complete shutdown of the Internet, with President Yoweri Museveni explaining that Facebook had deleted progovernment accounts as manipulative.12 Uganda followed the example of Zimbabwe, which responded to anti-government protests in 2019 by shuttering the Internet.13
6 See Taylor Telford, E.U. Regulator Hits Amazon with Record $887 Million Fine for Data Protection Violations, Wash. Post (July 30, 2021), https://www.washingtonpost.com/business/2021/07/30/ama zon-record-fine-europe/
7 See Sam Schechner & Parmy Olson, Google Faces EU Antitrust Probe of Alleged Ad-Tech Abuses, Wall St. J. (June 22, 2021), https://www.wsj.com/articles/google-faces-eu-antitrust-probe-of-alle ged-ad-tech-abuses-11624355128.
8 See Press Release, U.K. Competition & Mkts. Auth., CMA Investigates Facebook’s Use of Ad Data (June 4, 2021), https://www.gov.uk/government/news/cma-investigates-facebook-s-use-of-ad-data.
9 Press Release, Fed. Trade Comm’n, FTC’s Bureau of Competition Launches Task Force to Monitor Technology Markets (Feb. 26, 2019), https://www.ftc.gov/news-events/press-releases/2019/ 02/ftcs-bureau-competition-launches-task-force-monitor-technology
10 See Press Release, Dep’t of Justice, Justice Department Sues Monopolist Google for Violating Antitrust Laws (Oct. 20, 2020), https://www.justice.gov/opa/pr/justice-department-sues-monopol ist-google-violating-antitrust-laws
11 See Leah Nylen, Apple’s Easy Fide from U.S. Authorities May be Over, Politico (June 24, 2020), https://www.politico.com/news/2020/06/24/justice-department-anti-trust-apple-337120
12 See Stephen Kafeero, Uganda Has Cut Off Its Entire Internet Hours to Its Election Polls Opening, Quartz Africa (Jan. 13, 2021), https://qz.com/africa/1957137/uganda-cuts-off-internet-ahead-ofelection-polls-opening/
13 See Zimbabwe Imposes Internet Shutdown Amid Crackdown on Protests, Al Jazeera (Jan. 18, 2019), https://www.aljazeera.com/news/2019/1/18/zimbabwe-imposes-internet-shutdown-amidcrackdown-on-protests
The state (both nation-state as well as nearly every U.S. state) strikes back.14 When Thomas Hobbes imagined an “Artificial Man” in the form of a state,15 he was not picturing Facebook. But the reality is that modern leviathans like Facebook and Google, and even Reddit, Spotify, and Twitter, exercise enormous power over daily life. Increasingly, governments across the world have sought to bring these companies under their control. While China pioneered data sovereignty, it is now the demand of governments from Australia to Zimbabwe. The era of countries unsure whether they had the power to regulate the Internet is over.
Consider, for example, Vietnam’s 2018 Law on Cybersecurity, which explicitly declares as its goal the protection of “national cyberspace.” Its definition of security includes not just national security, but explicitly also “social order and safety, and the lawful rights and interests of organizations and individuals in cyberspace.”16 While there may be no official signs that one is “Now Entering Vietnamese Cyberspace” to greet visitors, the government clearly believes that Vietnamese cyberspace is not some metaphysical place outside its control.
In February 2022, Vietnam’s Southeast Asian neighbor Cambodia suspended its plans to route all Internet traffic into or out of the country through an Internet gateway. Human Rights Watch declared that the true purpose of this infrastructure plan was to “tighten the noose on what remains of internet freedom in the country.”17 Even while suspending its plans, the Cambodian government defended itself, arguing that its goals were to “strengthen national security and tax collection as well as to maintain social order and protect national culture.”18 At the same time, the government insisted, without
14 For a round-up of some recent enforcement actions faced by the biggest technology companies, see Joe Panettieri, Big Tech Antitrust Investigations: Amazon, Apple, Facebook and Google Updates, Channele2e (Dec. 24, 2021), https://www.channele2e.com/business/compliance/big-tech-antitr ust-regulatory-breakup-updates/.
15 Thomas Hobbes, Leviathan (1651) (“[A]s men, for the atteyning of peace, and conservation of themselves thereby, have made an Artificiall Man, which we call a Common-wealth; so also have they made Artificiall Chains, called Civill Lawes, which they themselves, by mutuall covenants, have fastned at one end, to the lips of that Man, or Assembly, to whom they have given the Soveraigne Power; and at the other end to their own Ears.”).
16 Vietnam Law of Cybersecurity, art. 6.
17 Human Rights Watch, Cambodia Should Scrap Rights-Abusing National Internet Gateway, May 16, 2022, https://www.hrw.org/news/2022/05/16/cambodia-should-scrap-rights-abusing-nationalinternet-gateway
18 Cambodian Ministry of Foreign Affairs, Clarification by the Spokesperson of the Ministry of Foreign Affairs and International Cooperation on the National Internet Gateway Establishment, Feb. 15, 2022, https://www.mfaic.gov.kh/posts/2022-02-15-Press-Release-Clarification-by-the-Spoke sperson-of-the-Ministry-of-Foreign-Affairs-and-International-Cooperation-o-10-50-07
evidence, that such national Internet gateways “prevail in almost all countries around the world.”
Against this backdrop, scholars are sharply divided about the increasing assertion of what is called variously “data sovereignty” or “digital sovereignty.” Some scholars see it as a natural extension of traditional Westphalian sovereignty to the 21st century.19 They are joined by other scholars, often from the Global South, who support data sovereignty in order to repulse imperial ambitions for data colonialism, a barricade against the exploitative and extractive practices of Western (and Chinese) technology giants.20 Other scholars, however, worry that data sovereignty will break the Web apart, jeopardizing its numerous global benefits.21 As Mark Lemley astutely laments, “The news you see, the facts you see, and even the maps you see change depending on where you are.”22
This introduction proceeds as follows. Part I reviews some prominent definitions of “digital sovereignty” and “data sovereignty.” Part II reviews the rise of digital sovereignty, focusing on four influential jurisdictions (the United States, China, the European Union, and Russia) and also the developing world. Part III describes some ways in which digital sovereignty is different than ordinary terrestrial sovereignty. Part IV considers the struggle for control of cyberspace that followed the Russian invasion of Ukraine. Part V concludes with a sketch of the plan for the volume that follows.
I. Defining Digital Sovereignty
At first glance, the term “sovereignty” over parts of the Internet may seem entirely out of place. After all, one of the prerequisites for the recognition of the sovereignty of a state in international law is the exercise of power over a
19 See, e.g., Andrew Keane Woods, Litigating Data Sovereignty, 128 Yale L.J. 328, 366–71 (2018) (arguing that we should “embrace [] sovereign differences” rather than opt for a single set of rules everywhere).
20 See Renata Avila Pinto, Digital Sovereignty or Digital Colonialism, 27 SUR - Int’l J. Hum. Rts. 15, 23–24 (2018); Nick Couldry & Ulises A. Mejias, Data Colonialism: Rethinking Big Data’s Relation to the Contemporary Subject, 20 Television & New Media 336, 337 (2019); cf. Julie E. Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism 51 (2019) (noting the distributive nature of the construction of a “biopolitical public domain,” where raw data is a resource to be processed).
21 See Mark A. Lemley, The Splinternet, 70 Duke L.J. 1397, 1427 (2021) (“[W]e should fight hard not to give up the Internet for an information superhighway, particularly one that’s controlled by our national governments.”).
22 Id. at 1409.
territory.23 Andrew Woods grounds his definition of “data sovereignty” in three core elements of state sovereignty: “(1) supreme control; (2) over a territory; (3) independent from other sovereigns.”24 The tension between the notion of “digital sovereignty” and the territorial foundation for sovereignty disappears when one recognizes that in order to exercise control over any territory, it is increasingly necessary to exercise control over the online activities available in that territory. This insight connects place and cyberspace. Woods writes that, in order to control data within their borders to the exclusion of other states, “states can command considerable control over the internet if only because they control the physical components of the network within their borders” through “an impressive arsenal of tools.”25 Dan Svantesson rightly observes that sovereignty should not have to be all or nothing, and so perhaps Woods’s requirement of exclusivity is unnecessarily strict for a claim of data sovereignty.26 For Woods, a state’s data sovereignty powers include powers to compel compliance (“leav[ing] companies and their users free to design and use the internet as they see fit, as long as they comply when the government comes knocking”) and powers to control the means of compliance (“the state tells internet firms how to operate”).27 It seems clear that multiple states are able to order the same firm how to operate, with occasional conflicts in approaches.28
Ke Xu divides sovereignty in cyberspace into three layers: the physical layer (sovereignty over physical Internet infrastructure and activities), the code layer (sovereignty over domain names, Internet standards, and regulations), and the data layer.29 Like Hobbes, Luciano Floridi begins by theorizing individual sovereignty, which he defines in 21st-century terms as “self-ownership, especially over one’s own body, choices, and data,”30 and
23 Article 1 of the Montevideo Convention on Rights and Duties of States provides as follows: “The state as a person of international law should possess the following qualifications: (a) a permanent population; (b) a defined territory; (c) government; and (d) capacity to enter into relations with the other states.”
24 Woods, supra note 19, at 360.
25 Id. at 360–61.
26 Dan Svantesson, “A Starting Point for Re-thinking ‘Sovereignty’ for the Online Environment,” chapter in this volume.
27 Woods, supra note 19, at 364.
28 One prominent dispute involving a possible conflict—the Microsoft dispute with the U.S. authorities over data held in Ireland—did not create a hard conflict of laws because Ireland did not explicitly claim that transferring the data to the United States would be illegal under Irish law. United States v. Microsoft Corp., 138 S. Ct. 1186 (2018).
29 Ke Xu, Data Security Law: Location, Position and Institution Construction, 3 Bus. & Econ. L. Rev. 52, 57 (2019).
30 Luciano Floridi, The Fight for Digital Sovereignty: What It Is, and Why It Matters, Especially for the EU, 33 Phil. & Tech. 369, 371 (2020).
then extends this to “digital sovereignty,” which he defines as the “control of data, software (e.g., AI), standards and protocols (e.g., 5G, domain names), processes (e.g., cloud computing), hardware (e.g., mobile phones), services (e.g., social media, e-commerce), and infrastructures (e.g., cables, satellites, smart cities).”31
Data sovereignty, as argued by Paul Rosenzweig, may also be framed as a question: Which sovereign controls the data?32 The core issue is one of jurisdiction, which is, of course, complicated by the borderless nature of the Internet.33 “In short, the question is: ‘Whose law is to be applied?’ ”34 Rosenzweig argues that physical location is, as a practical matter, critical: “Where the servers are and where the data is stored will, in the end, likely control whose law applies. As they say, ‘geography is destiny.’ ”35 Certainly, the physical control over the network made possible through Internet service providers that route data is a key to digital sovereignty, at least where foreign corporations do not comply on other grounds.
We will use the term “digital sovereignty” to mean the application of traditional state sovereignty over the online domain,36 or simply “sovereignty in the digital age.”37 Digital sovereignty should be defined broadly to cover a state’s sovereign power to regulate not only cross-border flow of data through uses of Internet filtering technologies and data localization mandates, but also speech activities (e.g., combating fake news) and access to technologies. We use the term in a descriptive way to describe efforts by governments to assert control over online activities, often instantiated through actions targeted at Internet intermediaries. Notably, academics and news media are more likely to speak in terms of “data sovereignty” than “digital sovereignty,” as a search of the database ProQuest shows:38
31 Id. at 370–71.
32 See Paul Rosenzweig, The International Governance Framework for Cybersecurity, 37 Can.-U.S. L.J. 405, 421 (2012).
33 See id.
34 Id. at 422.
35 Id.
36 This accords with the French Senate investigatory committee report, which defines digital sovereignty as the “capacity of the state to act in cyberspace.” Le Devoir De Souveraineté Numérique: Ni Résignation, Ni Naïveté, Senat (2019), http://www.senat.fr/fileadmin/Fichi ers/Images/redaction multimedia/2019/2019_Infographies/20191004_infog_Souverainete_numer ique 021019.pdf
37 Paul Timmers, Challenged by “Digital Sovereignty,” 23(6) J. Internet L. 1, 18 (2019).
38 This search run on ProQuest on July 16, 2021, updates an analysis by Stephane Couture & Sophie Toupin, What Does the Notion of “Sovereignty” Mean When Referring to the Digital?, 21 New Media & Soc’y 2305, 2306 (2019). Note that the “other” category includes newspapers, trade journals, magazines, reports, blogs, books, and working papers.
It is possible to draw a distinction between “data sovereignty” and “digital sovereignty,” where “data sovereignty” refers to control over data, including through data protection law, competition law, and national security law. This definition would make data sovereignty a subset of digital sovereignty. But the relationship between “data sovereignty” thus defined and broader issues such as content moderation quickly becomes difficult to disentangle. Stopping information from flowing across borders, for example, implicates speech and commerce, as well as data governance. Indeed, a distinction between dominion over “data” and dominion over the “digital” is hard to sustain. In framing this book, we have chosen to use both “data sovereignty” and “digital sovereignty,” recognizing that the term is sometimes used distinctly with “data sovereignty” and sometimes interchangeably. Indeed, we ourselves began the project using the term “data sovereignty,” and then adopted the broader term in the course of writing in order to ensure that we captured the breadth of the topic.
II. The Rise of Digital Sovereignty
In this part, we review the effort to attain digital sovereignty in a few key jurisdictions. The review reveals at least three different motivations for assertions of digital sovereignty. First, governments demand digital sovereignty to better protect their population— s eeking, for example, to remove material deemed illegal under their laws or to protect the rights of citizens in the digital domain. This often takes the form of regulating foreign corporations that intermediate data flows for the local population. Second, governments seek digital sovereignty in an effort to grow their own digital economy, sometimes by displacing foreign corporations, from fintech to social media. Third, governments seek digital sovereignty to better control their populations—to limit what they can say, read, or do.
A. China: Inventing Digital Sovereignty
In the mid-1990s, when the world started coming online, China’s Ministry of Public Security inaugurated its “Golden Shield Project,” 金盾工程, which has been described as “a far-ranging attempt to harness emerging information technologies for policing.”39 Henry Gao observed that Chinese digital sovereignty evolved through different phases—physical controls and then controls over the software layer and content.40 In other words, it went up the Internet stack.41 As James Fallows wrote in a classic Western account of “the Great Firewall of China,” “[i]n China, the Internet came with choke points built in.”42 China takes a multifaceted approach to exerting digital sovereignty, which includes controlling its physical infrastructure, regulating content, balancing negative economic impacts, and building international support for its conception of digital sovereignty.43 The most prominent aspect of China’s physical infrastructure innovation is the “Great Firewall,” which is used by the government to block access to content for users in China.44 However, sometimes the firewall causes collateral impact on Internet freedom beyond China’s borders through domain name system pollution, where Chinese domain name servers accidentally serve foreign users, thus inadvertently blocking access to websites by users in other countries.45
In 2010, the Chinese State Council officially declared its support for “Internet sovereignty” (wangluo zhuquan or 网络主权) in a white paper entitled “The Internet in China.” The white paper declared, “Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected.”46 The link
39 Lorand Laskai, Nailing Jello to the Wall, in Jane Golley, Linda Jaivin, & Luigi Tomba, Control 192, 194 (2017).
40 Henry Gao, Data Regulation with Chinese Characteristics, in Big Data and Trade 245, 248 (ed. Mira Burri, 2021) (noting that 1996 and 1997 Chinese “regulations all focused on the Internet hardware,” while attention was paid later to software and content).
41 The architecture of the Internet is often described as consisting in stacked layers, from the physical infrastructure to the applications and uses that run atop that infrastructure. See Christopher S. Yoo, Protocol Layering and Internet Policy, 161 U. Pa. L. Rev. 1707, 1742 (2013).
42 James Fallows, The Connection Has Been Reset, Atlantic (Mar. 2008), https://www.theatlantic. com/magazine/archive/2008/03/the-connection-has-been-reset/306650/
43 Anqi Wang, Cyber Sovereignty at Its Boldest: A Chinese Perspective, 16 Ohio St. Tech. L.J. 395, 403 (2020); Protecting Internet Security, China org, http://www.china.org.cn/government/whitepa per/2010-06/08/content_20207978.htm (last visited Jan. 14, 2022).
44 See Wang, supra note 43, at 408, 439.
45 See id. at 408, 439–41; Robert McMillan, China’s Great Firewall Spreads Overseas, Computerworld (Mar. 25, 2010), https://www.computerworld.com/ article/2516831/china-s-great-firewall-spreads-overseas.html [https://perma.cc/E2U5-FBHP] (archived Jan. 9, 2022).
46 See Wang, supra note 43, at 397.
to territoriality seems to be both a nod to international law and also part of a long-standing Chinese Communist Party official approach to international relations that pledged non-interference in the internal affairs of foreign countries.47 In 2015, President Xi explained that “respecting cyber-sovereignty” meant “respecting each country’s right to choose its own internet development path, its own internet management model, its own public policies on the internet, and to participate on an equal basis in the governance of international cyberspace — avoiding cyber-hegemony, and avoiding interference in the internal affairs of other countries.”48
China escalated the tech cold war. The Cybersecurity Administration of China opened investigations into the data transfer practices of Chinese tech giant Didi immediately following that company’s New York Stock Exchange listing. It then ordered Didi removed from Chinese app stores.49 Even though Didi’s stock price plummeted, Chinese media celebrated the “rise of data sovereignty.”50
China’s conception of digital sovereignty is rooted, Anqi Wang writes, in traditional notions of territorial sovereignty51 and officially justified by concern for national and ideological security.52 China supports a “state-centric multilateralism” model of Internet governance,53 which holds that states, not private sector actors like the Internet Corporation for Assigned Names and
47 See Anupam Chander, The Asian Century?, 44 U.C. Davis L. Rev. 717, 727 (2011) (noting the Five Principles for Peaceful Coexistence, including “mutual non-interference in each other’s internal affairs”).
48 See Wang, supra note 43, at 397; Franz-Stefan Gady, The Wuzhen Summit and the Battle Over Internet Governance, Diplomat (Jan. 14, 2016), https://thediplomat.com/2016/01/the-wuzhensummit-and-the-battle-over-internet-governance/; Bruce Sterling, Respecting Chinese and Russian Cyber-Sovereignty in the Formerly Global Internet, Wired (Dec. 22, 2015), https://www.wired.com/ beyond-the-beyond/2015/12/respecting-chinese-and-russian-cyber-sovereignty-in- the-formerlyglobal-internet/ [https://perma.cc/K743-B5VD] (archived Jan. 9, 2022).
49 See Jacky Wong, Didi and the Big Chill on China’s Big Data, Wall St. J. (July 5, 2021), https:// www.wsj.com/articles/didi-and-the-big-chill-on-chinas-big-data-11625479452 (subscription required).
50 See Li Qiaoyi & Hu Yuwei, Chinese Regulator Orders App Stores to Remove Didi, Shows Resolve to Enhance Data Protection, Global Times (July 4, 2021), https://www.globaltimes.cn/page/202107/ 1227778.shtml (“Ride-hailing firms manage large amounts of data regarding national transport infrastructure, flows of people and vehicles, among other types of information that involve national security, according to Dong. The rise of ‘data sovereignty’ versus the U.S. government’s vigilance against Chinese firms ought to be a wake-up call for national security awareness to be given priority when it comes to fundraising plans in areas that might pose threats to China’s national security, Dong told the Global Times on Sunday.”).
51 See Wang, supra note 43, at 397.
52 See id. at 424 (explaining China views cybersecurity as another national security domain alongside land, sea, air, and space).
53 Id. at 443–44.
Numbers (ICANN), should be driving Internet governance.54 In contrast, the “bottom-up multi-stakeholderism” subscribed to by the United States and other Western countries55 holds that the private sector and civil society should remain key players in Internet governance.56 The Western “information freedom” approach to the Internet57 is perceived as a threat to “Chinese ideological security” and a tool of cultural imperialism.58 The Chinese government instead seeks to use the Internet to consolidate party control, maintain social order, and proliferate desirable Socialist and Confucian values such as “ ‘patriotism,’ ‘loyalty to the communist party,’ ‘dedication to one’s work,’ ‘honesty,’ [and] ‘filial piety,’ ” to “develop a cohesive, Socialist nation.”59 President Xi affirmed this vision in 2016, stating, “we must . . . strengthen positive online propaganda, foster a positive, healthy, upward and benevolent online culture, use the Socialist core value view and the excellent civilizational achievements of humankind to nourish people’s hearts and nourish society.”60
China sees U.S. Internet infrastructure hegemony as a threat to its digital sovereignty.61 In 2016, President Xi stated, “the fact that [the internet’s] core technology is controlled by others is our greatest hidden danger.”62 Accordingly, the government has been investing heavily in research and development of Internet technology63 and “territorializing critical infrastructure”64 to escape Western technical and physical network dependence. Part of this effort has been a proliferation of Critical Information Infrastructure (CII) regulations,65 including data localization regulations through the 2017 Cybersecurity Law (CSL).66 Not only does Article 37 of the CSL require that data and personal information originating in China be stored within China,
54 See id. (explaining that China opposes the current system where a U.S. corporation, ICANN (Internet Corporation for Assigned Names and Numbers), controls root ownership).
55 Id. at 399.
56 See id. at 444.
57 Id. at 400.
58 Id. at 406.
59 Id. at 407.
60 Xi Jinping Gives Speech at Cybersecurity and Informatization Work Conference, China Copyright & Media (Apr. 19, 2016), https://chinacopyrightandmedia.wordpress.com/2016/04/19/ xi-jinping-gives-speech-at-cybersecurity-and-informatization-work-conference/ [https://perma. cc/JH49-FMJM] (archived Jan. 9, 2022).
61 See Wang, supra note 43, at 404–05 (explaining that China perceives U.S. corporate and civil society control over domain names and U.S.-made infrastructure as favoring U.S. interests).
62 Id. at 405.
63 See id. at 434, 436.
64 Id. at 435.
65 See id. at 436–37.
66 See id. at 408, 456.
but CII operators must also undergo “security assessments” before that data can be transferred abroad.67 (The first such security assessment—against the ride-hailing company Didi—is described below.)
Content regulation and censorship is another integral component of China’s “information sovereignty” on the Internet.68 Though China’s approach to content regulation is more extreme than in other countries,69 it rejects accusations that its cyber sovereignty policies simply mask authoritarian control.70 Instead, the government claims to censor “subversive,” “harmful,” “obscene,” or “malicious” content while welcoming “kind criticism.”71 Content control remains a clear goal. In 2017, the Cyber Administration of China (CAC) asserted that “Online positive publicity must become bigger and stronger, so that the Party’s ideas always become the strongest voice in cyberspace.”72 The Theoretical Studies Center Group of CAC also commented in the Communist Party magazine Qiushi that “[w]e must . . . steadily control all kinds of major public opinion; dare to grasp, dare to control, and dare to wield the bright sword; refute erroneous ideas in a timely manner” to “prevent mass incidents and public opinion from becoming online ideological patterns and issues.”73
Some of the measures China takes to regulate content and maintain a “clear cyberspace”74 include blocking virtual private network (VPN) access, algorithms that divert searches, the Real Name Registration Policy,75
67 See id. at 456–57; Willem Gravett, Digital Neo-Colonialism: The Chinese Model of Internet Sovereignty in Africa, 20 Afr. Hum. Rts. L.J. 125, 130 (2020) (data on Chinese users must be hosted on Chinese mainland); Cross-Border Data Transfers: CSL vs. GDPR, Reed Smith (Jan. 2, 2018), https:// www.reedsmith.com/ en/ perspectives / 2018/ 01/ cross- border- data- transfer- csl- vsgdpr [https://perma.cc/HXT2-73TD] (archived Jan. 9, 2022); Samm Sacks, China’s Cybersecurity Law Takes Effect: What to Expect, Lawfare Blog (June 1, 2017, 10:56 AM), https://www.lawfareb log.com/chinas-cybersecurity-law-takes-effect-what-expect [https://perma.cc/2GWM-VYST] (archived Jan. 9, 2022).
68 See Wang, supra note 43, at 452.
69 See id. at 466.
70 See id. at 416.
71 Id. at 422. President Xi commented that “to build a well-functioned Internet public sphere is not to censor all negative comments and only endorse a single perspective; it is to welcome, investigate, and learn lessons from the kind criticism but reject those comments which turn things upside down, mix the black with the white, spread rumors with malicious intentions, commit crimes and override the Constitution.” Id. at 416.
72 Elsa Kania, Samm Sacks, Paul Triolo, & Graham Webster, China’s Strategic Thinking on Building Power in Cyberspace, New Am. (Sept. 25, 2017), https://www.newamerica.org/cybersecurity-ini tiative/blog/chinas-strategic-thinking-building-power-cyberspace; Wang, supra note 43, at 453; Gravett, supra note 67, at 131.
73 Wang, note 43, at 455–56.
74 Id. at 455.
75 Id. at 456; Gravett, supra note 67, at 130 (describing a 2017 law that makes social media companies register users with their real names).
