When asked about the failure of the trade negotiations between China and the USA, Chen Zhiwu, director of the Asia Global Institute in Hong Kong, explained that it was due to a « cultural gap ».
More than cultures, there are two opposing conceptions of law competing. While American law focuses on its citizens' interests, Chinese law concentrates on the State's power. And here we are not even talking about the European outlook, which ties law to a territory. China and the European Union often tell the USA that it cannot impose its laws on the world. In fact, the right of peoples to self-determination is even a jus cogens norm recognized by the United Nations. Extraterritoriality can indeed be perceived as colonialism, and we understand why, for past colonial powers or victims of colonization, it may be a sensitive subject. For the USA, the Roosevelt Corollary justifies resorting to US law every time its citizens' interests are at stake. Taxes and corruption, for example, have an impact on America, so FATCA and FCPA are legitimate.
After the 2001 attacks, the USA reinforced its defenses. The USA PATRIOT Act was passed to erase the legal distinction between investigations led by foreign intelligence agencies (CIA) and those led by federal agencies, as soon as they involve foreign terrorists. This Act of Congress allows security services to gain access to computer data held by private individuals and companies without any prior authorization and without informing the users. The global surveillance scandal disclosed by Edward Snowden revealed the extent of the privacy violations committed by the NSA. After that, some companies such as Microsoft refused to hand over data stored in data centers located outside the US to the Department of Justice on the strength of a simple warrant (Section 3703 warrant). The main reason is that if it granted such access to the US, Microsoft feared it would then have to obey any warrant coming from any state, even Russia or China, even when the data is located on US territory. The CLOUD Act resolves this problem. Companies have to hand over data stored in their data centers inside or outside the US:
- if the issuing jurisdiction is competent
- if the recipient has « custody, control or possession » over the data*
- if the recipient is an electronic communication service within the scope of the CLOUD Act
You are right to think that this is rather frowned upon. The European Commission explained: « Any domestic law that creates cross-border obligations — whether enacted by the United States, the European Union, or another state — should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. »** An example of the application of this principle can be found in France: Article 57-1 of the Code of Criminal Procedure allows the authorities to access data stored outside French territory provided this does not violate any international law. The USA is trying to compromise with its partners so as to reach a win-win deal. Sadly, in the meantime, you cannot follow a direct order from the USA that contradicts EU law.
As a matter of fact, Article 48 of the GDPR warns: « Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer. » To comply with both US law and EU law, companies will have to change their organization. They should ensure that non-US data is stored outside US territory and that it cannot be accessed or controlled by a US entity. We would suggest that companies handling sensitive data, such as confidential information or personal data, use encryption whose keys are not handed over to the US cloud service unless the foreign controller of the data specifically permits it.
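As an added illustration of that last recommendation (example code written for this page, not taken from the original article or any cited source), the Go program below keeps an AES-256 key with a simulated non-US data controller and sends only ciphertext to a simulated object store standing in for a US cloud provider. The names ProviderStore, Controller, Upload and Download are hypothetical, the store is an in-memory stand-in rather than a real provider SDK, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ProviderStore stands in for a US-hosted object store (hypothetical in-memory
// stand-in, not a real provider SDK). It only ever sees opaque blobs; no key is passed to it.
type ProviderStore struct {
	objects map[string][]byte
}

func NewProviderStore() *ProviderStore {
	return &ProviderStore{objects: make(map[string][]byte)}
}

// Put stores a copy of the blob under name.
func (p *ProviderStore) Put(name string, blob []byte) {
	p.objects[name] = append([]byte(nil), blob...)
}

// Get returns the stored blob, or false if the object does not exist.
func (p *ProviderStore) Get(name string) ([]byte, bool) {
	blob, ok := p.objects[name]
	return blob, ok
}

// Controller is the (non-US) data controller. It generates and keeps the AES-256 key,
// which is used here and never leaves this struct.
type Controller struct {
	key []byte
}

func NewController() (*Controller, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Controller{key: key}, nil
}

func (c *Controller) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext client-side with AES-GCM. The object name is bound as
// associated data so a blob cannot be silently served under another name.
// Output layout: nonce || ciphertext || tag.
func (c *Controller) Seal(name string, plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; it fails on a wrong key, a tampered blob or a renamed object.
func (c *Controller) Open(name string, blob []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Upload encrypts locally and sends only the resulting blob to the provider.
func Upload(c *Controller, p *ProviderStore, name string, plaintext []byte) error {
	blob, err := c.Seal(name, plaintext)
	if err != nil {
		return err
	}
	p.Put(name, blob)
	return nil
}

// Download fetches the blob and decrypts it with the controller's own key.
func Download(c *Controller, p *ProviderStore, name string) ([]byte, error) {
	blob, ok := p.Get(name)
	if !ok {
		return nil, fmt.Errorf("no object %q", name)
	}
	return c.Open(name, blob)
}
```

Wiring this to a real object store would replace ProviderStore with the provider's SDK; the key stays with the controller, so a request served on the provider yields only the blob, and the controller's Open call is the only path back to plaintext. Binding the object name as associated data also means a blob cannot be quietly returned under a different name.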
The EU has published a map that lets people visualize the different levels of data protection around the world. While the USA is rated adequate if the service provider has signed up to the Privacy Shield***, China is not at all. In fact, China is not working with the rest of the world on data protection. Google, Facebook and WhatsApp have been banned from the Chinese market for many years. China has its own systems, which the government can control as much as it likes. Nevertheless, we must acknowledge the clarification of Chinese policy on data protection. The legal basis on which private companies may collect data about Chinese people is consent, and in that respect they are not far from EU standards. The user or consumer must opt in to data collection and processing, and the company cannot deny them access to its services if they do not. Businesses then have to be able to provide the Chinese authorities with proof of compliance with the regulation. Note that at the moment, businesses working with and in China do not have to be compliant to carry on trading, but with the public's awakening to data privacy, international companies are advised to set up a compliance system tailored to each country. Since Chinese regulation has so much in common with the GDPR, and the GDPR can easily be reconciled with US law, what we would prescribe is to adopt the GDPR as a world standard.
With data privacy, the EU has taken a big step towards becoming the world regulator for AI and, more broadly, for innovation. Moreover, with the debates currently under way in the European Commission, the EU might also impose its own standards for ethical artificial intelligence. If it succeeds, there will be big fines, and the EU will become an unavoidable partner for every state, even those far bigger than it economically.
* CLOUD Act. § 103(a) (to be codified at 18 U.S.C. § 2713)
** European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party, United States v. Microsoft (№17–2), 2017 WL 6383224, at *5 (13 Dec. 2017).