Hi, I’m Jovan and Post Analogue is my blog. I’m a Computer Science PhD student at the University of Cambridge, working in Security and Privacy. My work on privacy-preserving technologies also touches on law, economics, and ethics.
Also I’m a standup comedian, but you won’t find a special on your favoured streaming service… yet.
Hit me up Netflix let’s make it happen.

Big Data Moats: China and the EU are playing the long game with data sovereignty

Jovan Powar
Analysis

I just came across some notes I made over the summer about some developments surrounding data sovereignty, and now seems like a good moment to revisit them (what with trade wars and such).

At the time, I had been reading a load of news about China enacting a policy that restricts which companies can process data on Chinese citizens, as well as witnessing companies grappling with the GDPR's data transfer rules.

The narrative I was hearing from bloggers, colleagues, pundits etc. all centred around national security and espionage:

"China wants to surveil all their citizens so they need their puppet companies to handle iMessage!"

and

"the rest of the world hasn't caught up to the EU in legislating data protection, so the GDPR makes it hard to hand data over to risky non-EU entities, and forces everyone else to catch up"

and so on.

However, I think there are some interesting points that people are missing here—points that I bet will have a bigger long-term effect than you think.

Is data protection the EU's only incentive for a data border wall?

Under the GDPR, if you want to pass around EU residents' data, you face heavier restrictions if you're not an EU-based company. Non-EU based companies wishing to offer services to EU residents must nominate an EU-based representative, and are still bound by European law. Put simply, you’re going to have to jump through extra hoops, hire more lawyers to get yourself in line with EU law as well as your domestic law, and so on.

Of course, we have a very clear and convincing justification for these hurdles from a data protection standpoint; the EU is particularly aggressive with data protection legislation, and to enforce such legislation effectively, they have to make sure companies can't just circumvent the legislation by transferring data outside. (Remember, we're living in the age of the data-industrial complex, and if companies can throw your data into a black box, they will, because Johnny Law and Bonnie Ethics still can't follow it in there.)

But we should also remember that the EU is at its heart a trade organisation, and as such trade is a major influencing factor on how they act, why they act, and what effects we're going to see from their actions.

The EU is mandated to enable and strengthen trade within the Union.

Part of the EU's mission is to make it ever easier to do business across European borders—unifying data protection and rules of transfer make it seamless for a German tech company to serve Czech customers. But when faced with the task of strengthening trade in a globalised data economy, the EU is motivated to try and give European companies a competitive advantage. A secondary goal of data sovereignty efforts, then, is to make it comparatively harder for non-EU companies to operate within the EU—not just to protect data subjects, but to protect European business.

Data sovereignty and cross-border transfer is often talked about from a geopolitical/national security perspective (yes I will get to China in a minute). I’ll quickly note here that the EU doesn’t have the authority to legislate directly on national security issues—it can’t get into geopolitics like that [Maastricht Treaty Article 5(2)]. But GDPR sort of works around this in Article 45 with adequacy decisions; put simply, the Commission gets to decide when another country is sufficiently in regulatory alignment with Europe to allow the data to flow, and as part of deciding, it gets to consider factors like the other nation's attitude towards the rule of law or security concerns.

The point I’m trying to make here is that the GDPR is more than just a protective measure. It’s a tool the EU can use to build and enforce an exclusive international trade club in the new data economy.

Great job getting this far and not being scared off by all the talk about GDPR. Now onto the fun stuff.

China’s not in the surveillance business, they’re in the empire business

This year China enacted a new policy that requires companies who process the data of Chinese citizens to do that processing inside China, by paying to run operations on Chinese-owned machines (and submit to Xi's all-seeing eye) or through joint partnerships with Chinese companies (who are already on board with the eye). This legislation is even more aggressive on data sovereignty than the EU has dared to be; the message is that either you fully submit to the Party’s all-powerful rule, or you hand over operations to someone who will.

This move was almost unanimously decried internationally, and the outrage largely focused on issues of surveillance and fundamental rights, and fears over intellectual property. And though concern is always warranted when governments crack down on privacy and data protection, these crackdowns are nothing new. By focusing on the old debate, we run the risk of missing a broader strategy at play—of which intellectual property is just one piece on the game board.

China and the USA are in the midst of a trade war, and part of the American casus belli is the theft of intellectual property. Chinese companies have for a while now blatantly ripped off—and even stolen—American (and other countries’) products and technologies. But if we zoom out a little on these recent developments, we see that China seems to be borrowing from an old playbook...

Cheap as China

Why is everything you buy “Made in China”? Ask most people, and they’ll tell you it’s because it’s cheaper to make things in China. “Cheap labour!” they’ll cry. “They’ve got so many people!” etc.

These people are living in the past somewhat. Labour is cheap in lots of places, and with the expansion of the Chinese middle class, if price of labour was the reason manufacturers go to China, nowadays your iPhone would have been built in Brazil, or India, or the Philippines. And in fact, a lot of the goods you buy today are made in these places—the new sources of cheap labour. But your phone, your laptop, the control systems in your car, they’re all still made in China. Why?

🌟 🇨🇳 EXPERTISE 🇨🇳 🐉

China is very good at playing the long game; it’s probably one of the benefits of having a one-party system. Back in the 20th century, the shift in manufacturing to “Made in China” was a brilliantly executed manouvre, in which China captured global manufacturing demand with low prices, and specially structured its economy to pull in as much manufacturing investment as possible. Before long, all our goods were made in China, and the more complicated those goods got, the more sense it made to make it in China... because that’s where all the expertise was!

Want to build a factory? All the tooling is made down the road! The people who understand supply chains and logistics are all already here! Need to quickly prototype something? Someone down the street is the world-leader and the turnaround is fast. Need skilled workers to assemble tiny parts in controlled environments? The world’s most experienced hands live in the surrounding cities, specially built to house them. The industrial city cluster was born, housing tens of millions and entire industries in a few square miles. Today, Shenzhen is a tech utopia. Want an iPhone that runs Android? Someone down the market can make it for you, and he'll even let you pick which chips go into it. Got a project that needs fine machining? He’ll also sell you a handheld laser cutter. Anything you want, it’s there and easy to get started with.

So that’s why your electronics are made in China. Because if you wanted to make it anywhere else, the start-up costs would require pockets like Tim Cook.

Want to move your supply chain to Brazil? Easy, just build a city, convince all the contractors, chipmakers, and logistics companies to move as well, and train or attract top talent. Sound good? No? You're right, forget it. One ticket to Shenzhen, please.

Bootstrapping your way to market power

Amazon, Apple, Microsoft, and pretty much every cloud player has now partnered with a Chinese company to provide their services to the Chinese market. They’ve handed over their data, their code, and are working “in partnership” to run datacenters. In essence, they’ve struck a deal with the Chinese government: if they don’t want to miss out on the biggest market in the world, they have to finance and train companies to replicate their cloud infrastructure and internal processes.

And to call it copying intellectual property is an oversimplification; in cloud services, the differentiator isn’t technical secrets, it’s scale and general knowhow, and that’s exactly what Amazon Web Services (for example) would be forced to hand over to “Chinese Cloud Company”. The true price of competing in China is helping build your inevitable future competitors.

Again, China has pulled out the shrewdest move in its industry-building playbook, and it seems to be working. Make it irresistible for companies to do business on your turf, and once they’re there, leverage them to build and solidify a world-leading domestic industry.

Now, I'm not saying that we're due for big IP wars, or global shifts in legislation, or even the rise of Chinese cloud companies. If there's anything we can say about today's data markets, it's that no-one really knows what's going on, and it can all change overnight.

But the next time you see a big story about some global developments in international data protection, take a slightly deeper look. There might be a cold trade war lurking beneath the surface.

What's my PhD on?