1. Introduction
Industrial policy is not new. For decades, governments have deployed such policies to foster the development of selected economic sectors or entities through a wide array of instruments.Footnote 1 Typical industrial policy instruments, such as subsidies, export restrictions, tariffs, and local content requirements, tend to generate considerable negative spillovers in both domestic and global markets due to their protective, discriminatory, and trade-distorting effects.Footnote 2 In the past, industrial policies served primarily economic goals (e.g., growing infant industries and boosting productivity and competitiveness of select industries for economic growth).Footnote 3 Recent years, however, have witnessed a dramatic shift whereby industrial policies are adopted predominantly for non-economic goals. For instance, the International Monetary Fund reported 2,500 new industrial policies around the globe in 2024: 71 per cent of them were trade-distorting while almost all were motivated by non-economic goals.Footnote 4 As Nobel laureate Professor Michael Spence has rightly observed, ‘At a time of rising geopolitical tensions and supply-chain fragmentation – when national security considerations are shaping economic policy, and the risks of war seem to be intensifying – industrial policy is all but inevitable’.Footnote 5
The new generation of industrial policy is no longer confined to consideration of economic competitiveness but embraces broader strategic, societal, and political goals. The definition of ‘industrial policy’ has evolved accordingly. Leading commentators have suggested that modern industrial policy involves ‘those … in pursuit of some public goal’, as they are increasingly motivated by multiple non-economic objectives such as ‘digitalization, the green transition … and geopolitical imperatives’.Footnote 6
The proliferation of modern industrial policies has gone hand in hand with the expansive use of ‘national security’ beyond military/defence-related interests to pursue wide-ranging economic interests.Footnote 7 Supply chain safety and technological leadership in strategic and frontier sectors, and economic competitiveness and industrialization in general, are widely viewed via a security lens,Footnote 8 rendering national security and industrial policy increasingly intertwined. In this context, governments are retreating from the conventional wisdom of free trade while using trade-distorting policies to advance domestic industrial and security interests.Footnote 9 This ongoing shift towards inward-oriented economic and security policies has exaggerated the longstanding tension between trade liberalization and domestic autonomy.
Against this backdrop, this paper explores so-called ‘digital industrial policy’ by focusing on data-related policies and regulation. As the world navigates the digital age, data regulation has rapidly fragmented. Governments have introduced and continue to experiment with a variety of regulatory approaches in pursuit of diverse and oftentimes competing policy goals. These range from promoting free flows of data for e-commerce, global business connectivity, and supply chains to protecting privacy and cybersecurity, fostering national digital capabilities, and pursuing strategic competition for technological supremacy. In particular, as states increasingly assert ‘digital sovereignty’, the intersection of industrial policy and national security has entered a new phase of legal complexity. This convergence not only challenges the integrity and predictability of the global trade regime. More broadly, it also raises systemic and fresh questions as to how to rethink security interests and their interaction with economic interests under public international law.
To contribute to the already voluminous literature on data policies and regulation, this paper focuses on examining the growing interaction between digital industrial policy and national security, using China as a case study. As explained in Section 2, digital industrial policies in major economies have been designed increasingly through a security lens. This trend generates concerns about the extent to which national security may be abused to protect or advance domestic digital industries at the cost of foreign competitors. Section 3 reviews the evolution of China’s digital industrial policy with a focus on security-related data policies and regulation. After a careful analysis of China’s data security laws and practices, particularly those relating to cross-border data transfers and data localization, we find no compelling evidence to suggest that China has used security-based measures to bolster its data sector. Rather, we show that China has sought to maintain a balanced approach by ensuring that data restrictive measures target genuine security risks and do not cause unnecessary burdens on business operations. However, the existence of major ambiguities in China’s data security laws, the well-known lack of transparency in China’s regulatory practices, etc. may provide room for abuses of national security as industrial policy in practice. To address the systemic challenges posed by the growing integration between (digital) industrial policy and national security, Section 4 discusses the inadequacies of security exceptions in existing trade or digital economy agreements in dealing with data security, focusing on the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the United States–Mexico–Canada Agreement (USMCA), the Digital Economy Partnership Agreement (DEPA), the Regional Comprehensive Economic Partnership (RCEP) and the Joint Statement Initiative on E-commerce (JSI) under the World Trade Organization (WTO). We then propose ways to facilitate negotiations on data security issues with the aim of modernizing the security exceptions to strike a proper balance between data liberalization and security. Section 5 sets forth the conclusion.
2. Digital industrial policy via a security lens
The rapid evolution of, and intense competition in, the digital transition worldwide have led to the development of a comprehensive digital ecosystem that ranges from enabling technologies, semiconductors, digital infrastructure and networks, and data spaces to downstream applications.Footnote 10 In this intensified digital race, ‘[p]olicymakers are flying blind as they shape and nurture the digital domain’ through industrial policies to foster selected, domestic digital sectors and firms.Footnote 11 As a critical part of the new paradigm of industrial policy described above, digital industrial policy has been adopted for a mix of economic and non-economic goals. While in many cases such policies are driven by economic imperatives to bridge the digital divide between developed and developing economies and promote digital industrialization, they are also considered to be crucial for advancing strategic and security interests.Footnote 12 Accordingly, the term ‘digital security’ is no longer confined to tackling security risks in digital infrastructure, platforms, networks, technologies, and products.Footnote 13 Supply chain safety, digital sovereignty, strategic autonomy, technological leadership, etc. are now integral parts of (economic) security considerations ingrained in digital industrial policies.Footnote 14 This evolving reality adds greater uncertainty and complexity to the task of disentangling protectionist industrial policies from those underpinned by genuine security concerns.
While governments pursue different policy priorities, a common area of regulatory effort has been dataFootnote 15 due to the pivotal role data plays in digital transformation. Various forms of regulatory interventions have been introduced to build data-related capabilities such as subsidizing R&D, digital start-ups and the establishment of data infrastructures, and enhancing enabling regulatory frameworks for data-based digital businesses.Footnote 16 Such interventions have also been used to foster the competitiveness of national tech companies through mobilizing local data collection, restricting cross-border data flows, mandating data localization, promoting outbound foreign investment, etc.Footnote 17 Notably, the growing claim for data sovereignty can potentially become an all-encompassing policy that enables the deployment of industrial policy for a diverse range of economic and non-economic goals.Footnote 18
There is abundant evidence to show strengthened regulatory linkages between digital industrial policy and national security, including in the data sector. One major example concerns the surge of US industrial policy in recent times to promote US global competitiveness in critical sectors, technologies, and manufacturing capabilities.Footnote 19 These industrial policies, officially labelled as the ‘modern American industrial strategy’, have been developing noticeably through a security lens, which may involve all matters related to economic prosperity and opportunity, democratic values, US global leadership, and strategic and geopolitical competition with China.Footnote 20 To remain the world leader in critical and frontier technologies, the US industrial strategy is determined to promote advanced manufacturing where data is the backbone of many targeted sectors.Footnote 21 The Biden administration already constrained outbound data transfers to certain countries of concern which may use the data to develop strategic advantages over the US, threatening US national security and foreign policy.Footnote 22 While this restriction on data flows to selected countries is apparently driven by security concerns, the US government recognizes that data protection can serve multiple goals such as protecting US leadership and competitiveness.Footnote 23
Similar regulatory developments where industrial policy and national security become increasingly integrated are also underway in other major economies. For example, faced with geopolitical shocks and uncertainties, the EU’s ‘New Industrial Strategy’ has inevitably become multi-purpose with an emphasis on strengthening its ‘strategic autonomy’.Footnote 24 When it comes to the digital domain, the Digital Agenda for Europe is currently focused on fulfilling the EU’s technological and geopolitical goals by prioritizing critical and emerging technologies such as semiconductors and quantum computing, as well as security-related interests such as cybersecurity and digital sovereignty.Footnote 25 As such, the EU’s digital industrial policy treats digital capabilities and competitiveness as essential security interests.Footnote 26 The EU’s data strategy in particular, while maintaining a focus on the protection of individuals, sets forth a comprehensive blueprint for enhancing EU’s data-related technologies, infrastructure, and capabilities as a crucial way to safeguard its fundamental values, rights, and digital sovereignty.Footnote 27
Digital industrial policy has also gained popularity in developing economies. While these policies are aimed at advancing domestic digital sectors, including the data industry, they are also driven by non-economic goals, particularly national security and (data) sovereignty.Footnote 28 Consequently, policy tools, such as data blocking and localization, are put in place to serve multiple objectives, demonstrating the growing intersection of industrial policy and national security.Footnote 29 India has presented a more proactive case given the comprehensiveness of India’s digital industrial policy and its accomplishments in enabling the regulatory environment and mobilizing diverse resources to foster the development of its digital firms and data-related infrastructure and capabilities.Footnote 30 At the same time, India’s digital industrialization has relied on a range of laws and regulations to protect digital security, currently focusing on data security and sovereignty.Footnote 31 Data control measures such as localization requirements are employed not only as protectionist instruments but also as security instruments under India’s overarching digital industrial policy.Footnote 32
In short, as the global race for digital transformation intensifies, digital industrial policy has developed on an unprecedented scale, underpinned by both economic and security considerations.Footnote 33 This emerging trend in the development of digital industrial policy requires more detailed studies to understand how such policies now interact with security interests.
3. The evolution of China’s data regulation: National security as industrial policy?
China offers a good case study for at least two reasons: (i) China’s economic growth has relied heavily on industrial policies for decades, and (ii) the ambitious and fast-developing digital industrial policy in China has prioritized economic and security goals. Through a careful review and analysis of China’s data-related policies and regulation, we seek to expound the extent to which the development of these policies has been shaped by security concerns and how national security may be (ab)used as a disguised protectionist tool to advance China’s global leadership in digital industrialization. For this purpose, we adopt a so-called process-tracing methodology by tracing the evolution of China’s data regulatory regime based on primary sources.Footnote 34
3.1 China’s digital industrial policy in a nutshell
A brief review of the evolution of China’s overarching digital industrial policy provides an important context for understanding its regulatory framework for data. This evolution dates to the 1990s and covers at least three main phases. In the first phase, up to 2005, China’s primary goal was to foster the infant information industry, particularly the manufacturing capabilities of electronics and information products, to build the hardware foundation for the industry.Footnote 35 A well-known example was the growth of the semiconductor sector based on a wide array of subsidies and regulatory support, such as grants, tax preferences, export promotion, and government procurement.Footnote 36 More broadly, through similar supportive schemes at both central and local levels, the information industry developed rapidly to become a key pillar of the national economy by 2005.Footnote 37
Building upon the development and consolidation of basic digital capabilities and infrastructure, China’s policy priorities shifted in the second phase (2006–2015) to advance indigenous innovation and competitiveness in critical technologies.Footnote 38 In light of its technology-and-innovation-oriented development model, China allocated massive resources to advance R&D and innovation in frontier information technologiesFootnote 39 and expand supportive digital infrastructure.Footnote 40 A landmark achievement was the innovation in key technologies for network communications. China’s proprietary TD-LTE Advanced technology became one of the mainstream international standards for 4G,Footnote 41 developing a critical home-market advantage for domestic tech champions like Huawei and ZTE.Footnote 42 By leveraging the massive commercial deployment of this indigenous standard, these firms were able to achieve economies of scale and technological maturity, which facilitated their global expansion. Moreover, China’s policy shift enabled it to possess the world’s largest broadband network infrastructure as well as the world’s largest internet user base, which produces a tremendous amount of data.Footnote 43
In 2015, the Chinese government recognized data as a ‘basic strategic resource’ and since then has placed growing emphasis on the development and application of data in traditional and emerging industries to advance digital transformation.Footnote 44 Meanwhile, however, the rapid and widespread adoption of digital technologies, such as the internet, generated significant security-related challenges. Since the early 2010s, the Chinese government has taken steps to strengthen security safeguard capabilities by enhancing digital security infrastructureFootnote 45 and tightening data protection,Footnote 46 amongst other means. As China’s overarching economic policies continued to prioritize development and growth, data regulation in this phase remained piecemeal largely confined to consumer protection.Footnote 47 Nevertheless, these efforts laid the groundwork for the development of a comprehensive regulatory framework to address security concerns in the following decade.
Balancing development and security interests has been at the centre of China’s digital industrial policy in the third phase (2016 to present). When it comes to data, the Thirteenth Five–Year Plan (2016–2020) reaffirmed the vital role of data in digital transformation and stressed the need for the openness and sharing of government data, the development of infrastructure such as data platforms and centres, the advancement of data-related technologies, etc.Footnote 48 The Plan also mandated the integration of data security into digital development by establishing a comprehensive regulatory framework for strengthening data protection across the entire data lifecycle.Footnote 49 The first major milestone in this balancing act was the enactment of the Cybersecurity Law (CSL)Footnote 50 in 2016, which became the cornerstone of China’s digital security legislation.Footnote 51 Under the Fourteenth Five-Year Plan period (2021–2025), the balancing act has continued to evolve through new policy priorities and regulatory interventions.
The ‘development’ side has focused on broadening and deepening digital industrialization in both hardware and technology sectors (e.g., communication equipment, core electronic components, and critical software vs. AI, big data, blockchain, and cloud computing).Footnote 52 Data is regarded as a ‘core engine’ to drive digital industrialization, so a national data market is needed to establish a comprehensive data-related supply chain involving R&D, creation, collection, transfer, application, and storage of data.Footnote 53 For instance, new approaches have been introduced to facilitate the opening up of business data by leading digital and internet platforms and to promote cross-industry data interconnectivity and sharing through trusted data spaces collaboratively built by enterprises, research institutions, and industry organizations.Footnote 54 One of the latest developments was the establishment of China’s first state entity specializing in data integration and technology, which builds a platform for data sharing among highways, railways, waterways, aviation, and ports, thereby creating a more competitive and innovative service ecosystem.Footnote 55 These ongoing efforts to systematically integrate and exploit data resources have enabled and accelerated the development of China’s digital industry. This is most evident in the rapid rise of domestic AI entities like DeepSeek. By prioritizing data interconnectivity and establishing unified platforms, the state has granted AI innovators access to structured, large-scale datasets that were previously fragmented.Footnote 56
On the ‘security’ side, the Data Security LawFootnote 57 (DSL) and the Personal Information Protection LawFootnote 58 (PIPL) were enacted at the outset of the five-year period to provide detailed rules in specific areas of digital security, and, cumulatively, to create a comprehensive regulatory framework for safeguarding the digital ecosystem. These were followed by the promulgation of a series of implementing regulations detailing the standards and procedures of existing and new security-related measures, such as security review, standard data security contract, and personal information protection certification,Footnote 59 which are further discussed below. Overall, as data becomes a core strategic asset, security measures have not only tackled issues of data leakage and misuse for private, commercial, and defence-related interests, but have pivoted to protecting, developing, and leveraging data resources for developmental and strategic goals.
A raft of criticisms has been levelled at China’s digital industrial policy, especially the security-related measures. For example, the CSL provoked an intense debate at the WTO with major players such as the US, the EU, and Japan criticizing the law for creating protectionist and trade-restrictive instruments in the guise of cybersecurity.Footnote 60 Commentators have similarly criticized China’s security-related data localization requirements and cross-border data flow restrictions as digital protectionism which boosts Chinese tech firms at the cost of foreign competitors.Footnote 61 Has China used security-related measures to foster its digital industrialization? To answer this question, a more detailed assessment of China’s balancing act in data regulation is warranted.
3.2 Balancing development and security in data regulation
As mentioned, the CSL, DSL, and PIPL have consolidated and strengthened China’s data protection mechanisms.Footnote 62 To expound China’s balanced approach, we focus on analysing the security measures related to data localization and cross-border data flows below. This focus is aligned with the shared observation that data localization and cross-border transfer restrictions constitute major forms of digital protectionism in many jurisdictions, including China.Footnote 63 In general, the above-mentioned Chinese legislation has established a tiered risk management system for protecting data security based on the importance of data, operators, and security interests.Footnote 64 This system does not impose a blanket restriction on the cross-border flow or localization of data. Rather, it adopts different levels of regulatory checks and requirements commensurate with the severity of security risks and impacts.
3.2.1 Data localization
Data localization is required in three major situations. The first concerns personal information and ‘important data’ collected and generated by critical information infrastructure operators (CIIOs).Footnote 65 As further clarified in the implementing regulations, ‘critical information infrastructure’ refers to ‘important network infrastructure and information systems in important industries and sectors, including telecommunications, information services, energy, transportation, hydraulic engineering and water utilities, finance, public services, e-government services, national defense, science and technology, and others that once damaged or suffer a data leakage, could severely harm national security, the economy, livelihoods, or the public interest’.Footnote 66 ‘Important data’ covers ‘data that can endanger national security, economic operations, social stability, or public health and safety if manipulated, destroyed, leaked or illegally obtained or used’.Footnote 67 To provide better clarity and certainty, the DSL mandates competent authorities to formulate ‘important data’ catalogues which specify the scope of important data in specific sectors.Footnote 68 As stated by President Xi, the localization requirement targets data generated by industries of the highest economic and social importance and likely to attract the most advanced attacks.Footnote 69 Since CIIOs have greater control over data, data localization enables easier monitoring of local servers and faster responses to data leaks and cyberattacks.Footnote 70
The second situation requires non-CIIOs to localize ‘important data’.Footnote 71 Thus, this localization requirement targets the importance of data and the interests that such data may affect, rather than who controls the data. For instance, personal and business data held by private firms can be subject to this requirement if the data falls within the ‘important’ category.Footnote 72 As noted above, the development of ‘important data’ catalogues is delegated to competent authorities overseeing specific industries. One example is the automotive industry, which possesses increasingly advanced data processing capabilities and generates huge volumes of data.Footnote 73 A joint measure issued by five central authorities classifies six types of data as being ‘important’, including geographic data, pedestrian and vehicle flows in sensitive areas (e.g., defence, and military administrative zones), data related to certain segments of economic operations (e.g., vehicle flow and logistics), operational data of automobile charging networks, external video and image data (e.g., facial and licence information), and other data that may impact national security, public interests, and individual rights as decided by the authorities.Footnote 74 Therefore, while ‘important data’ may vary among industries, the localization of such data is driven by concerns about security risks associated with the exposure of sensitive information, leakage of key personnel movements, disclosure of critical national targets (e.g., locations of military and defence industrial bases, and government facilities), theft of R&D data, and damage to critical infrastructure, etc.Footnote 75
The third situation concerns personal information collected and generated by non-CIIOs that process such information where the volume is above prescribed thresholds.Footnote 76 The current thresholds involve a non-CIIO ‘cumulatively providing personal information of over 1 million individuals (excluding sensitive personal information) or sensitive personal information of over 10,000 individuals to overseas entities since January 1 of the current year’.Footnote 77 While the thresholds specifically target the cross-border transfer of data (see below), they would also trigger the localization requirement.Footnote 78 Major technology firms such as Google, Apple, and Alibaba hold vast amounts of user information. As explained by a leading Chinese expert and government advisor, if foreign entities obtain such information, they could combine the data with other datasets, using various algorithms for data mining, to extract information that could potentially threaten China’s national security.Footnote 79 Thus, this localization requirement is designed to minimize security risks associated with the transmission of personal data at a scale that may pose security risks due to the rapid development of digital firms and technologies.Footnote 80
3.2.2 Cross-border data flows
Similar to its regulatory approach to data localization, China does not prohibit data holders from transferring data abroad. The tiered risk management mechanism consists of two main layers of requirements: (i) security review and (ii) a standard contract or personal data protection certification. The circumstances that would trigger the security review are essentially those in which the localization requirement applies, namely, (i) the transfer of personal information and ‘important data’ by CIIOs, and (ii) the transfer of ‘important data’ or the transfer of personal data beyond the above-mentioned thresholds by non-CIIOs.Footnote 81 According to the Cyberspace Administration of China (CAC), the security review is based on objective criteria to address genuine security risks and balance security concerns with commercial interests by allowing data operators to transfer important data and personal information abroad when necessary for business purposes.Footnote 82 The assessment criteria involve, for example, the necessity and legitimacy of a proposed transfer, the importance of data and the scale of the transfer, the situation of cybersecurity protection, and the availability of protective measures for business and personal data in the recipient jurisdiction, etc.Footnote 83 In other circumstances, a security review is not needed before data can be transferred abroad. Where the transfer of data by non-CIIOs is below the prescribed thresholds but involves non-sensitive personal information of over 100,000 individuals, the transferring entity is asked to conclude a standard contract formulated by the CAC with the overseas recipient or obtain a personal information protection certification from a third-party accredited institution according to standards and requirements set forth by the CAC.Footnote 84 Like the security review criteria, the mandatory contractual clauses and the certification requirements seem to be focused on addressing potential security risks associated with the transfer of data overseas in accordance with China’s cyber/data security laws and standards.Footnote 85
3.2.3 Security as industrial policy? – An appraisal
Our review of China’s regulation of data localization and cross-border transfer provides little evidence to suggest an abuse of national security for digital industrialization. Rather, it depicts a balanced approach in China’s pursuit of development and security interests in data regulation. At face value, this approach appears to be aimed at establishing a delicate level of specificity and proportionality so that security measures target genuine risks and do not unnecessarily impede trade, investment or, other business activities.
There are some facts to support this observation. For instance, a survey conducted by the European Chamber in 2023 showed that a vast majority of European companies (70 per cent) were able to transfer data out of China via the standard contract path without having to undertake a security review.Footnote 86 Likewise, a recent survey conducted by the American Chamber of Commerce in China found that in 2024 only 6 per cent of responding companies experienced difficulties in gaining approval for cross-border data transfer vital to business operations, despite the escalation of US-China trade tensions.Footnote 87 In addition, China’s National Data Administration reported that by the end of 2024, the CAC completed security reviews of 285 cross-border data transfer cases, of which only 27 cases (i.e., less than 10 per cent) failed to pass the review, mostly due to procedural issues and only a few concerning important data.Footnote 88 The CAC further clarified that, as of March 2025, it had rejected only 7 out of 44 notified cases involving outbound transfer of important data.Footnote 89 These facts also provide some comfort about Chinese authorities’ application of security reviews in practice, suggesting a cautious approach to confine the scope of security-based restrictions to reasonable parameters.
To reinforce its balancing act, China has streamlined its data regulatory mechanisms. In March 2024, the CAC introduced a ‘negative list’ approach for free trade zones (FTZs), allowing those areas to develop their own catalogue of data that needs to be subject to the regulatory checks.Footnote 90 By the end of the year, Beijing, Shanghai, Tianjin, Hainan, and ZhejiangFootnote 91 released a negative list for their own FTZs to delineate the boundaries of important data within specific sectors. By confining national security oversight to a finite set of risk scenarios, the ‘negative list’ approach prevents regulatory overreach into non-sensitive commercial activities. It establishes a legal baseline for unhindered transfers of most commercial data, substantially reducing compliance burdens and uncertainty for enterprises. Moreover, to ease ongoing anxieties of foreign investors, the State Council reiterated that China is committed to facilitating ‘secure, orderly, and free flows of data across borders’.Footnote 92 On 27 June 2025, the CAC issued the third edition of Security Review Guidelines setting out detailed document lists and procedures for cross-border data transfer applications.Footnote 93 These improvements, with enhanced procedural predictability against administrative delays and regulatory opacity, are welcomed by foreign commentators.Footnote 94 While some aspects of China’s regulatory framework remain problematic (as further discussed below), China has continued to experiment with new ways of softening security checks and requirements and liberalizing data-related restrictions incrementally. China also seems willing to address concerns of foreign firms and governments about its data security regulation. For instance, Chinese authorities have consulted foreign firms in the policymaking process and have adopted some of their recommendations.Footnote 95 The China–EU Cross-Border Data Flow Communication Mechanism, established in August 2024, is further evidence of China’s willingness to collaborate with foreign governments to continuously improve the balance between security interests and the need to facilitate cross-border flows of data for trade and investment.Footnote 96
China’s balanced approach towards data security can be explained in at least four ways. The first relates to China’s ambition to advance digital transformation, which requires a market-oriented data sector to stimulate competition, innovation, and growth while maintaining government interventions, including security measures, only to the extent necessary.Footnote 97 Secondly, a market-based regulatory framework is also aligned with China’s long-term opening-up strategy, which includes attracting foreign investment by consecutively reducing regulatory restrictions and enhancing the protection of foreign investors.Footnote 98 Avoiding excessive and discriminatory requirements on data localization and cross-border data flows is key to ensuring the efficacy and attractiveness of China’s foreign investment policy in the digital age.Footnote 99 Thirdly, a balanced approach is necessary for advancing China’s global strategies and engagement, particularly its continued efforts to join more advanced trade or digital economy agreements such as the CPTPP and the DEPA.Footnote 100 These agreements, and many other free trade agreements (FTAs) concluded in recent times, require the parties to facilitate free flows of data across borders and minimize data localization requirements.Footnote 101 Using security measures for digital industrial policy would undermine not only China’s efforts to join these agreements but also its global reputation more generally, as China has long positioned itself as a proponent of the rules-based trading system and an opponent to the abuse of national security.Footnote 102 Finally, and coupled with the reasons above, the availability of and interplay between diverse policy instruments also diminishes the incentive to overstretch security reviews. Particularly, the combination of traditional policy instruments (e.g., subsidies) to boost data-driven economic growth, emerging mechanisms to promote the sharing and commercial use of data, etc. seems to have worked well for China’s digital industrialization.Footnote 103 In other words, China’s advancement of digital competitiveness and leadership seems to have primarily relied on policy instruments other than security measures.
Thus, at least at the normative level, there is no compelling evidence to suggest that China has used security-based measures to bolster its data sector. Yet, these measures have continued to attract criticisms about their (potential) asymmetric impact on foreign business. For example, a recent OECD policy paper observed that China’s data localization requirements fall within the ‘most restrictive’ category among all types of such requirements adopted by a host of economies.Footnote 104 In this connection, some have argued that the data localization requirements have increased the costs for foreign investors in China and have supported the development of local digital infrastructure and particularly data centres.Footnote 105 It has also been reported that global automakers such as BMW, Daimler, Ford, and Tesla had to set up facilities in China to store data generated by their cars locally, in order to comply with China’s data localization rules.Footnote 106 Similarly, China’s security review mechanism for cross-border data transfers, despite the positive developments discussed above, has also been subject to sustained criticisms due to certain major deficiencies in the mechanism. These deficiencies – mainly concerning ambiguities in the definitions of key terms, particularly ‘important data’ and ‘CIIOs’, the lack of progress in developing industry-specific catalogues of important data, the need to adapt to different regulatory requirements in different regions, and non-transparency of security reviews – continue to generate administrative burdens for foreign companies and potentially benefit Chinese firms.Footnote 107 These ongoing concerns are valid. While the scope of important data has been increasingly refined, especially through negative lists in the FTZs,Footnote 108 these lists vary significantly leading to continued regulatory fragmentation. The nationwide application of the negative list approach will take time, so companies in non-FTZ areas continue to face ambiguities about the boundaries of ‘important data’. Moreover, although the CAC has been optimizing the workflow for security reviews, details of completed reviews remain undisclosed to the public. The combination of these outstanding issues provides wide discretion in security reviews, which may be abused to benefit China’s data sector when needed.Footnote 109 Towards this end, it is also worth noting that, like many other economies, China adopts a broad definition of ‘national security’ in its legislative system,Footnote 110 thereby leaving considerable flexibility in its implementation, including for industrial policy goals. The current geopolitical context has only incentivized China’s application of trade restrictions for strategic purposes – often on security grounds – which effectively protect or support domestic industries while disrupting supplies for foreign stakeholders.Footnote 111 Given the global industrial policy race in the digital domain, a major way to minimize such abuse of national security as industrial policy is for all governments involved to tackle security-based data policies through concerted efforts.
4. Modernizing security exceptions in trade agreements
Global or regional efforts to establish certain legal constraints on (potential) abuses of data security measures require a proper balance between rules and exceptions. For any trade or digital economy agreements to include binding commitments on cross-border data transfer and/or data localization, they must also provide exceptions necessary to preserve policy space for governments to pursue domestic non-economic imperatives. The balancing act requires that such exceptions not be excessively restrictive or overly deferential. This balance, however, is far from being established in the context of data liberalization and security. While trade or digital economy agreements have added more discipline on data-restrictive measures, they have also maintained a range of exceptions and carve-outs for regulatory intervention on privacy, cybersecurity, and other public policy objectives.Footnote 112 To continue our core inquiry about the nexus between national security and industrial policy, this section argues that security exceptions in major trade and digital economy agreements have been overly expanded, thereby providing no effective constraints on the abuse of data security measures. Particularly, such expanded security exceptions are adopted in agreements to which China is a party (e.g., RCEP) or which China is keen to join (e.g., CPTPP & DEPA). These agreements, therefore, leave room for China to use the security measures discussed in Section 3 to protect or promote its data industry.
4.1 Constraints (or a lack of constraints) of security exceptions under the WTO and FTAs
The security exceptions under the WTO have been widely discussed. The provisions that might be applicable to data security measures are Article XXI(a) and Article XXI(b)(iii) of the GATT, as reproduced below. To date, the case law has been developed by WTO panels in four disputes, all concerning Article XXI(b)(iii).Footnote 113 Article XXI reads:Footnote 114
Nothing in this Agreement shall be construed
-
(a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or
-
(b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests
-
(i) relating to fissionable materials or the materials from which they are derived;
-
(ii) relating to the traffic in arms, ammunition and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment;
-
(iii) taken in time of war or other emergency in international relations; or
-
-
(c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security.
The panels’ rulings on three key legal issues for determining the scope of the security exception under Article XXI(b)(iii) were consistent. First, whether a security measure that violates WTO rules is justifiable under the exception is not self-judging. Rather, such measures must satisfy certain legal conditions, a matter that is justiciable.Footnote 115 These conditions ‘circumscribe (and limit) the circumstances in which the invoking Member may take action which it considers necessary for the protection of its essential security interests’.Footnote 116 Second, the scope of ‘emergency in international relations’ is highly restrictive and involves situations ‘of the utmost gravity’ leading to ‘a breakdown or near-breakdown’ in international relations.Footnote 117 It is limited to an exceptional state of affairs and does not encompass mere ‘tensions’ or ‘divergences’.Footnote 118 Thus, armed conflicts (e.g., Russia – Traffic in Transit) or comprehensive diplomatic crises (e.g., Saudi Arabia – IPRs) would constitute an ‘emergency in international relations’, whereas international concerns about an economic or strategic matter (e.g., global steel overcapacity in US – Steel and Aluminium Products (China))Footnote 119 or limited economic or political tensions (e.g., US – Origin Marking (Hong Kong, China))Footnote 120 do not satisfy the requisite degree of severity. Third, Article XXI(b)(iii) imposes an obligation of ‘good faith’, which in turn entails a minimum requirement of ‘plausibility’ between the means and the ends.Footnote 121 While this requirement is needed to avoid abuse of ‘Article XXI as a means to circumvent’ GATT obligations,Footnote 122 the relevant evidentiary standard is significantly lower than that of ‘emergency’, merely requiring that a contested measure is not ‘so remote from, or unrelated to’ the security interest concerned. Thus, the key constraint on policy space under Article XXI(b)(iii) pertains to the high standard imposed on what situations may amount to an ‘emergency’ in international relations. This constraint stems from the narrowness of the treaty language itself, as intended by the drafters.Footnote 123 As such, Article XXI(b)(iii) provides little room for data security measures (including those used for industrial policies) precisely because of the requirement that an ‘emergency in international relations’ must be present.
In sharp contrast, Article XXI(a) provides considerable flexibility for governments to refrain from ‘furnish[ing] any information the disclosure of which it considers contrary to its essential security interests’. The term ‘information’ is not defined or otherwise restricted and therefore has the potential to capture data. It is true that Article XXI was crafted seven decades ago when ‘digital economy/trade’ was completely unknown. However, WTO tribunals have long endorsed an evolutionary interpretation of existing trade rules to enable the application of the rules to address ‘contemporary concerns of the community of nations’.Footnote 124 The fact that all of the trade or digital economy agreements discussed below refer to ‘information’ in their cross-border data transfer provisions is strong evidence of global concerns about data trade in the digital age. Once this threshold issue is resolved, Article XXI(a), which operates independently from Article XXI(b), is not subject to any additional legal requirements such as those implicated by the subparagraphs of Article XXI(b). While it would still not permit self-judgement, the only applicable condition would be the minimum requirement of plausibility.Footnote 125 Thus, restrictions on transferring or supplying data can be justified so long as they are not implausible as measures protective of a chosen security interest. Such a minimum degree of connection between the means and the ends is not hard to establish. In addition, Article XXI(a) does not limit the entities that provide information but instead allows any measures to be taken to address security risks associated with the supply of any information by any entity. Therefore, when compared with Article XXI(b)(iii), Article XXI(a) almost goes to the other extreme for a lack of any substantive constraint on data security measures, thereby leaving room for the use of such measures for a mix of security and industrial policy goals. Nevertheless, Article XXI(a) may be refined by clarifying whether the provision or supply of data also captures data localization requirements or measures limiting access to data.Footnote 126
The WTO’s security exception has been further developed in recent trade or digital economy agreements in two major aspects. One is softening the legal conditions to allow more flexibility in invoking security exceptions in general. The other is expanding the scope of the exceptions for data regulation more specifically. For example, Article 32.2 of the USMCAFootnote 127 clarified that the disclosure of information includes not only actively transferring or supplying information but also allowing access to information (Paragraph 1(a)). This is arguably added to close the potential loophole under GATT Article XXI(a) noted above.Footnote 128 Paragraph 1(b) then removes the subparagraphs of GATT Article XXI(b), while maintaining the chapeau so that the phrase ‘it considers necessary’ is no longer subject to additional legal conditions. As discussed above, while an obligation of ‘good faith’ would continue to apply, the minimum requirement of plausibility is not hard to satisfy. Thus, the combination of the two developments significantly reduced the rigidity of security exceptions and expanded the scope of justifiable circumstances for data security measures. These developments have also been adopted in digital economy agreements such as the DEPA.Footnote 129 The enhanced policy space for data security is clearly a response to the more liberal approaches to data flows and localization adopted in these agreements, acting as a classic ‘safety valve’ to enable progressive liberalization or more advanced rules on data.Footnote 130
Among China’s trade agreements, RCEP is the first to provide a set of data-specific rules and exceptions. While incorporating standard obligations on cross-border data transfer and data localization, RCEP maintains and refines security exceptions based on the WTO model.Footnote 131 Particularly, Article 17.13(a) replicates GATT Article XXI(a), thereby allowing RCEP governments to retain broad policy space for addressing data security concerns. Article 17.13(b) adds another exempted circumstance (compared to GATT Article XXI(b)) covering security measures ‘taken so as to protect critical public infrastructures including communications, power, and water infrastructures’. Together, these exceptions provide abundant room for China to maintain and develop its data security measures in addressing key policy concerns around ‘important data’ and ‘CIIOs’.Footnote 132 Arguably, such policy space constitutes a necessary condition for China to agree to data liberalization obligations. This is evident from China’s application to join DEPA, which leaves considerable room for data security measures as noted above. Overall, China’s existing international commitments (e.g., WTO, RCEP) do not constrain its use of data security measures. China is also unlikely to pursue any future agreements which may reduce its policy flexibility. As discussed in Section 3, although China has not used data security measures for industrial policy goals, the possibility of such use remains, especially in response to geopolitical tensions and its own strategic needs. The lack of international disciplines over data security measures, however, is not only a challenge in dealing with China but a global issue, given how security exceptions have evolved in recent times to expand policy space for all governments involved.
4.2 Developing security exceptions
Proposals for constraining the abuse of national security to protect trade liberalization and a rules-based trading system have flourished since Russia – Traffic in Transit.Footnote 133 Yet, detailed discussions on how best to design security exceptions for data regulation are developing slowly.Footnote 134 Below, we offer some preliminary thoughts on how to move negotiations on security exceptions for legitimate data regulation forward.
Negotiation is the only way to address the expansion of security exceptions in trade or digital economy agreements to rebalance data liberalization and security. However, the well-known difficulties in progressing and concluding negotiations on a multilateral basis mean that alternative approaches must be taken. The WTO itself has resorted to plurilateral initiatives for negotiations on emerging issues, including digital trade, to ensure the multilateral trading system stays up to date. Via the JSI, 91 WTO members concluded ‘a stabilised text’ in July 2024,Footnote 135 with a plan to seek its adoption as a plurilateral agreement under Annex 4 of the WTO Agreement.Footnote 136 Unfortunately, the JSI text does not include the more advanced rules on cross-border data transfers and data localization adopted in the CPTPP (Articles 14.11 and 14.13), the USMCA (Articles 19.11 and 19.12), and the DEPA (Articles 4.3 and 4.4). This outcome reflects the ongoing challenges in achieving more liberalized data-related rules among a significantly larger group of governments.Footnote 137 Thus, even plurilateral negotiations will take time and need to progress incrementally.
Nevertheless, negotiations on data security can help facilitate data liberalization and constrain the abuse of security measures for industrial policy. To do so, the negotiations need to involve detailed discussions of major security-related issues to confine security exceptions to reasonably clear parameters. One threshold question is whether a categorization of data is required. Academic work has proposed ways for data classification.Footnote 138 New-generation (digital) trade agreements, including those noted above, have also drawn a distinction between different types of data (e.g., government data, personal data, etc.). What is lacking in the current practice, however, is a dedicated discussion of how such data classifications would help develop exceptions to specifically address data security issues. Another threshold question is whether a classification of data holders or providers is needed,Footnote 139 as suggested by China’s regulatory approaches relating to CIIOs. Article 17.13(b)(iii) of the RCEP, as considered above, is currently too broad and hence requires further negotiations to clarify the coverage of critical infrastructure, perhaps with a combination of a general list and country-specific lists to establish a commonly accepted baseline while allowing certain flexibility for individual economies.
These threshold issues implicate a risk-based approach concerning the likelihood or gravity of security risks vis-à-vis different types of data or data holders. Apart from China’s tiered risk management mechanism discussed in Section 3, Professor Peng has observed a general trend of governments ‘moving toward risk-based approaches to protect national security and cybersecurity’.Footnote 140 Such approaches have also been incorporated into the USMCA (Article 19.15.2) and the JSI (Article 17.3) to facilitate cooperation on cybersecurity issues. A risk-based approach should also be used to advance negotiations on data security more broadly. At a systemic level, recent studies have suggested that the so-called ‘targeting rule’ derived from the theory of distortions remains applicable to balance trade and security interests by inquiring about whether a chosen policy instrument addresses a claimed security objective at its source.Footnote 141 Accordingly, this inquiry entails two key steps: (i) identifying the policy objective(s), and (ii) assessing the appropriateness of the policy instrument(s). The identification of policy objectives necessarily involves an assessment of the security risks and the level of protection that a regulating government seeks to address or achieve. Understanding such risks and objectives provides the basis for evaluating the reasonableness of the chosen means. Where the CPTPP, USMCA, RCEP, and DEPA further liberalized cross-border data transfer and data localization requirements, they also adopted a broad exception to allow measures ‘necessary to achieve a legitimate public policy objective’ as long as they do not cause ‘arbitrary or unjustifiable discrimination’ or impose restrictions on data transfers or localization ‘greater than are necessary to achieve the objective’.Footnote 142 Since security exceptions are separate from this exception, one may argue that data security does not fall within the ambit of the undefined ‘legitimate public policy objective’.Footnote 143 Nevertheless, the legal conditions contemplated in this exception, particularly the ‘necessity’ and ‘arbitrary or unjustifiable discrimination’ tests, provide a good starting point for strengthening the connection between data restrictive measures and security goals beyond a minimum requirement of plausibility. In doing so, the intention is not to restrain the freedom of governments to address any perceived security risks or pursue any chosen security goals. Rather, negotiators should focus on developing a mutual understanding of such risks and goals raised by their counterparts as well as reasons for adopting certain data-restrictive measures. Despite the controversies over the ‘necessity’ and ‘arbitrary or unjustifiable discrimination’ tests,Footnote 144 they have been well developed through a large volume of cases and could be further refined and elaborated to ensure that data-restrictive measures target security risks and objectives as directly as feasible to minimize abuses for protectionist or other strategic goals.Footnote 145 To alleviate concerns about the potential rigidity of the ‘necessity’ test, governments may consider adopting a country-specific negative list of non-conforming measures to accommodate different regulatory preferences, capacity constraints, and other legitimate considerations.Footnote 146
As negotiations take place, governments should continue to use existing committees and other venues under the WTO to discuss data security and regulatory practices to build transparency and trust and manage unilateral actions and potential trade tensions via concerted efforts.Footnote 147 Enhanced understanding of (data-related) security goals and regulatory tools and increased trust among governments are crucial for modernizing (data) security exceptions. The development of such exceptions would provide legal clarity on the availability of policy space. To the extent that such development adds constraints on governments’ discretion in their recourse to national security, it would also provide more certainty on the enforceability of data liberalization commitments. It is from such positive spillovers of progressing negotiations on data security that progressive data liberalization may be attained and the abuse of security measures for industrial policy can be reduced.
5. Conclusion
Industrial policy is no longer confined to economic efficiency or competitiveness but has been increasingly motivated by a mix of economic and non-economic goals, particularly national security. This is especially so in the digital domain as governments compete for digital industrialization. While China’s digital transformation has embraced ambitious industrial policies and rigorous security protection, our analysis of China’s regulatory framework for data has revealed little evidence to suggest that China has (ab)used security measures to foster its data sector at the cost of foreign competitors. Rather, China’s approaches to data security have arguably sought to target security risks and incrementally streamline regulatory checks and requirements. Yet, major loopholes remain in China’s regulatory framework, which provide room for discretion and abuse in data security reviews. Faced with escalating geopolitical tensions and burgeoning security-based trade or investment restrictions, China’s recourse to data restrictions on security grounds is not a remote possibility. A looming data trade war in the name of national security would harm all economies as well as the rules-based global trading system they jointly built. The security exceptions under existing trade or digital economy agreements can hardly strike a proper balance between data liberalization and security. Governments should join forces to modernize these exceptions, ideally via the multilateral forum provided by the WTO for coordinated and inclusive discussions. Such discussions and negotiations would in turn promote progressive data liberalization by bringing about enhanced clarity and certainty on rebalanced rules and exceptions on data security measures. Policy space is essential in this balancing act, but the right balance cannot be achieved with security exceptions that are either overly deferential or excessively restrictive.