Warped standards for global data security

Is China attempting to wrest away control of the data security narrative from the United States? This could be the question any industry observer asks when they read an article in The Diplomat about China’s new Global Initiative on Data Security.

The new initiative, which was reported as an attempt to contribute Chinese wisdom to international rule-making on data governance, was announced in early September. It was also around that time that trade relations between China and the US soured immensely, on the chip-making front among others.

This appeared to be addressed by one of the initiative’s points, which states, “ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.”

This reminds one of the US government’s expanded clampdown on China’s Huawei by forbidding non-American companies from supplying the smartphone maker with any chips based on US technology.

Last month, however, Intel received a license to supply some products to Huawei, and Japan’s Sony and Kioxia have applied for licenses to do the same. Other companies, including Qualcomm, Micron Technology, Samsung, SK Hynix, Macronix, SMIC and MediaTek, have also submitted applications, but there are no updates on whether these applications have been approved.

On top of that is the US’s impending ban of the Chinese apps WeChat and TikTok, due to alleged national security concerns that these apps collect citizen information.

The initiative’s press release can be found on the PRC’s Ministry of Foreign Affairs website.

The initiative outlines 8 points as displayed below:

- States should handle data security in a comprehensive, objective and evidence-based manner, and maintain an open, secure and stable supply chain of global ICT products and services.

- States should stand against ICT activities that impair or steal important data of other States’ critical infrastructure, or use the data to conduct activities that undermine other States’ national security and public interests.

- States should take actions to prevent and put an end to activities that jeopardize personal information through the use of ICTs, and oppose mass surveillance against other States and unauthorized collection of personal information of other States with ICTs as a tool.

- States should encourage companies to abide by laws and regulations of the State where they operate. States should not request domestic companies to store data generated and obtained overseas in their own territory.

- States should respect the sovereignty, jurisdiction and governance of data of other States, and shall not obtain data located in other States through companies or individuals without other States’ permission.

- Should States need to obtain overseas data out of law enforcement requirement such as combating crimes, they should do it through judicial assistance or other relevant multilateral and bilateral agreements. Any bilateral data access agreement between two States should not infringe upon the judicial sovereignty and data security of a third State.

- ICT products and services providers should not install backdoors in their products and services to illegally obtain users’ data, control or manipulate users’ systems and devices.

- ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products, nor force users to upgrade their systems and devices. Products providers should make a commitment to notifying their cooperation partners and users of serious vulnerabilities in their products in a timely fashion and offering remedies.

The official purpose of the initiative is to “find a path of mutual respect and shared governance for addressing the challenge of digital security.” What do YOU think?

IT BYTES BACK! says: There are at least three main approaches/thoughts around data security/privacy that I have observed so far. These are: a) what China says but likely does not do, b) what the intelligence alliance aka Five Eyes is trying to do with encryption* and, c) what the European Union is implementing (GDPR) and enforcing.

I think we can agree what the Gold Standard of Data Privacy/Security should be.


*Read more here: https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety