Researchers must navigate thorny new data security laws

In mid-August, when many economists, policy-makers and researchers were expecting yet another rise in the July figures for youth unemployment in China – which includes graduate unemployment – the government announced that it was suspending the release of the data.

Analysts monitoring China, who were expecting another rise from a youth unemployment record set in June at 21.3%, have noted that other key economic indicators have become harder to find.

Tightened control of key information has become more common in China. Academics and researchers overseas said recent laws controlling access to data and data exports have made it even more difficult to independently seek out or verify statistics on the ground, if information is withheld officially.

Researchers – including China scholars seeking information about China but also researchers in scientific fields and who collaborate with Chinese partners – describe a new research environment in which even minimal connection or collaboration with China has to be handled with extreme care under several new laws.

“Researchers want regular, stable access to data,” said Alfred Muluan Wu, associate professor in the Lee Kuan Yew School of Public Policy at the National University of Singapore. “But almost all the new laws have vague or blurred lines. The effect on researchers and businesses is chilling,” he told University World News.

In part, the government’s aim in controlling data is to prevent independent analysis of public policy that contradicts the state’s own narrative, he added

The London-based Financial Times newspaper reported on 6 August that multiple local brokerage analysts and researchers at leading universities as well as state-run think-tanks in China said they had been instructed by regulators and employers to avoid speaking negatively about economic topics, and pointed to pressure to present economic news positively, amid a decline in public confidence.

It is part of a wider effort by the Chinese government to safeguard data and information, including a crackdown this year on consultancies carrying out due diligence on companies in China, given that such information is seen as being closely linked to national security.

New data security laws now require official permits in order to export any data gathered in China, which must first be stored within China, and sets out legal penalties – in certain cases making acquiring data a criminal offence.

National security and national interest

China’s new counter espionage law, which came into effect on 1 July, widened the scope of activities that can be considered espionage. Previously the law applied to state secrets but this has now been broadened to include “documents, data, materials or articles relating to national security and interests”.

Rebecca Arcesati, senior analyst at the Mercator Institute for China Studies in Berlin, Germany said: “That means that there’s a lot of uncertainty when it comes to talking to contacts in China.” She added that “punishment would follow if a foreign person ends up obtaining information which the party-state considers to be sensitive”.

Arcesati told University World News: “Securitising more and more kinds of data and information is really worrying Chinese academics because any kind of foreign contact or exchange could be used against them.”

The espionage law characterises many activities considered legitimate research in many countries, as possibly intelligence activities that negatively affects China’s national security, she noted.

“China’s new espionage law talks about China’s national interest. It does not matter if you have no intention of jeopardising China’s national interest but just want to get some data, you don’t know whether you’ll be violating that kind of interest,” Wu said.

The new counter espionage law “is the kind of law that scares everyone – business people, researchers and observers. Maybe not now, but if one day China wants to prosecute someone, then they can do that,” Wu said.

More fields seen as related to national security

Arcesati said that more fields of engagement have been securitised – seen as related to national security – quite heavily by the Chinese Communist Party. The idea being that political security affects the ability of the regime to stay in power.

“There are a number of other areas, ranging from maritime security to biological security, technological security and so on, where engaging with China can be quite tricky, because there may be information and data involved that the party-state considers to be very sensitive for its own security.

“That has been the trajectory over the past few years. I see a certain amount of [government] paranoia where the securitisation of data and information has become the norm,” Arcesati said.

Sensitive areas cover demographic, maritime, geological and medical data – including patient surveys, common in medical research. Separate laws limit medical and genetic data transfers overseas.

Strategic emerging industries – such as artificial intelligence, robotics, quantum computing and other areas of intense global research and development competition – are also regarded as sensitive. “The idea is that foreign actors, including foreign governments, particularly the United States, could get their hands on data sets and information which could negatively affect China's national security if they are mishandled,” said Arcesati.

She feels that the negative impact on research is intentional. “It’s a deliberate attempt on the part of the [Chinese] government to say, ‘we decide which connections can take place’, and in other cases they use legislation,” Arcesati said, pointing out that other extra-legal tools were also being used. These can include barring Chinese and foreigners in China from leaving the country.

National security even takes precedence over national economic development, Arcesati added, pointing to the recent clampdown on negative economic data.

The youth unemployment statistics are a case in point, where economic data routinely released by the government suddenly became sensitive during an economic downturn and was deemed related to the national interest.

According to Wu: “The government can change [its mind] rapidly, so what’s okay today might not be okay tomorrow.”

Wu, who specialises in the political economy of China, said: “I have no idea under what kind of conditions China will be thinking some data could be classified as data that they need to protect. It’s really not clear. So how can you have any idea about what kind of things you can and can’t do?”

The Data Security Law

China brought in a new Data Security law came in 2021, but new ‘trial regulations’ under that law came into effect on 1 January 2023. It requires personal information or data deemed important, which is gathered in China, and all data from state-owned bodies, including public universities and hospitals, to be kept in China, with permission required to export it.

Stricter records of sources of information will be required to prove data has been gathered from legitimate sources, which could jeopardise some kinds of anonymised research, researchers say.

The Data Security Law also provides the authorities with new powers to access electronic devices and “relevant personal data and documents” for the purposes of enforcement.

If “core state data” is mishandled or national sovereignty is endangered, a fine of up to CNY10 million (US$1.36 million) may be issued and a business licence suspended or revoked, according to the law.

But some technical categories are still being defined under the Data Security Law, which makes the outlook uncertain for some researchers in disciplines previously unaffected.

“The Chinese data export system is still developing,” said Henry Gao, professor of law at Singapore Management University, via X (formerly Twitter). “The Chinese authorities themselves are still working out the details.”

Mechanism for data export

Nonetheless: “The Data Security Law creates a much clearer mechanism for outbound data transfer assessment,” according to Arcesati.

Chinese companies and universities planning to export data must either apply for certification or, starting from June this year, have a contract with the receiving organisation that guarantees the data will be stored appropriately and processed only as specified in the contract.

“It is something that foreign companies, but also foreign scientific organisations that work with China, need to understand. If they want to collect data in China and transfer it abroad, chances are they might need to go through a security assessment before they do,” Arcesati said, noting that compliance can be “very cumbersome”.

Hong Kong, whose universities conduct a large amount of cross-border research with China, is classed as ‘overseas’ under the Data Security Law.

“Our researchers will have to apply for permission like anybody else,” Professor Joe Qin, president of Hong Kong’s Lingnan University – which conducts substantial cross-border social science research – told University World News.

If permission is refused “then they just won’t do that research” said Qin, himself a data scientist. On the other hand, Qin noted that some universities, including US universities, have found ways around this including having centres in China that store data, or research assistants on the mainland able to collect the data.

In late June the Cyberspace Administration of China (CAC), which is the main authority for digital and internet regulations, and the Hong Kong government signed a cross-border data flow agreement between Hong Kong and Southern Guangdong province “to explore effective management” of such flows.

It is mainly expected to be related to financial data as Hong Kong is a regional financial hub, though according to Qin, who was speaking in early September, exact details have not been revealed.

Not a ‘data fortress’

Nonetheless, China has been keen to publicise the first case of security assessment for data export approved by the CAC in January this year between Beijing Friendship Hospital and Capital Medical University in China and the University of Amsterdam Academic Medical Centre in the Netherlands.

Granting the permit under the CAC’s Security Assessment of Data Exports measures was heavily promoted as facilitating international medical research cooperation. These measures were issued by the CAC on 7 July 2022 and implemented from 1 September 2022.

Experts said it was an important signal that data rules did not mean a blanket ‘no’ by the authorities. “It’s better to think of China’s data governance regime as creating a data island, rather than a fortress,” Arcesati said.

A medical researcher in Guangzhou, speaking to University World News on condition of anonymity, suggested the Chinese authorities did not want to completely eliminate cross-border data flows, fearing tit for tat measures from foreign companies and governments that could stop important data, including medical data, going to China.

Arcesati noted that China “has no interest in completely shutting down connections and data flows with the rest of the world, because they themselves benefit tremendously economically, scientifically and technologically from those flows”.

However, the government wants to monitor such flows coming in, which it may censor, and data leaving China.

“It isn’t a blanket ban to keep all information in China. But the process of administrative approvals can take a long time, and in some cases it has affected collaboration in important fields, like medical research,” Arcesati said, noting that restrictions on medical data have been in place for a few years.

Data taken offline

Arcesati pointed to a trend towards ‘data obfuscation’. “A lot of datasets which China researchers and other actors used to access with relative ease, like company registries, repositories of academic articles and academic literature, have been taken offline. And that means that understanding China has become a lot more difficult,” she said.

Foreign China scholars were shocked when China’s largest database of academic papers, China’ National Knowledge Infrastructure (CNKI), in March this year temporarily terminated overseas access to some of its data sets, including all PhD and masters theses, the National Population Census and China’s statistical yearbooks.

CAC announced a cybersecurity review of the CNKI database in June 2022 aimed at “preventing national data security risks, maintaining national security and protecting the public interest”.

Denis Simon, an expert on international business and technology pertaining to China, formerly at the University of North Carolina in the United States, sees some of the new laws in part as a reaction to US trade and technology sanctions against China.

Simon pointed to “a heightened sense of xenophobia” in China “in part due to the ‘decoupling’ and de-risking situation with the US and other Western countries, which it sees as undermining China’s leadership.

“Xi Jinping is committed to the notion that China’s interest and the [Communist] party’s interests are one and the same. That has led to the national security law, espionage law, data protection law etc – all examples of a tightening up in response to what they believe are efforts to suppress China or maybe even go further than that,” Simon told University World News.

For researchers this means “there needs to be a process of making sure that everything is without problems if you’re going to pursue certain kinds of research”.

Anyone engaging with China “needs to understand the rules of the game,” said Simon. “And if you understand that, there’s probably no problem. Unless you touch an ‘electric fence’ or ‘radioactive area’ that are the most sensitive areas of the system, then you are going to encounter problems.”

Simon is concerned about younger researchers who are less experienced in dealing with China. “Those people are going to face a lot of hurdles, because they're not going to understand what's doable, and what’s not doable.”

Nonetheless, he added that China “has to be careful not to throw the baby out with the bathwater, and not put in such oppressive regulations that they make it impossible for foreigners to do what they need to do on the ground in China”.

There may still be ways around the onerous rules.

Wu noted that some researchers travelling to China for field research may not do it openly and may have different channels to conduct research, while some overseas professors still have affiliations with Chinese universities.

“I don’t think China can totally prevent people from getting data from China. It really depends on China’s law enforcement and future actions,” said Wu. It may just be that China wants to deter people, he said, but: “If law enforcement really cracks down seriously, then people will have trouble getting any data from China.”