Risk intelligence (12/03/2021) - China

Our risk intelligence specialists, led by Ian BETTS, take a 24/7 coverage approach to local, regional and global emerging threats and occurrences. Below is a small sample of our reporting, and you can discuss gaining comprehensive material through our risk intelligence function, and by using our 247 App.

INDUSTRIAL POLICY OF THE 14TH FIVE-YEAR PLAN, AND POTENTIAL IMPLICATIONS FOR DATA SECURITY POLICY

On Thursday, 11 March, the National People’s Congress (NPC) adopted the “Outline of the 14th Five-Year Plan (2021-2025) for National Economic and Social Development and the Long-Range Objectives Through the Year 2035,” or the 14th Five-Year Plan (14FYP), at the conclusion of the annual “Two Sessions” meeting in Beijing.

The document contained few, if any, surprises – the key principles and content were previewed at the 5th Plenum last October – but significantly clarified the path charted for the next five years. In this analysis, we aim to provide an initial reading of what we perceive to be the most important takeaway for major multinationals: the possible implications for data security policy.

Broadly speaking, the content of the 14FYP is influenced by four motivating factors: general economic progress; 15 years of experimentation and development in industrial policy; the perception on the part of the state that China is in a historically unique position not just to “catch up” to leading industrial nations, but take the lead in emerging industries; and the sense of urgency generated by the US’s adoption of a much tougher China policy during the Donald Trump Administration, set to continue under Biden.

While the plan is comprehensive in its treatment of national development, Hill & Associates view three sections in particular as core to the Party’s ambitious plan to transform the economy and vault China into the “New Development Stage,” the 14FYP’s central guiding concept, and a defining concept of the Xi Jinping era.

- Part 2 continues the pursuit of “Innovation-driven Development,” which places scientific and technological independence as a strategic part of national development;

- Part 3 focuses on “Accelerating the Development of a Modern Industrial System,” which seeks to “accelerate the construction of a strong manufacturing nation” via “in-depth integration of advanced manufacturing and modern service industries, the strengthening of the supporting and leading role of infrastructure, and building of the real economy”;

- Part 5 prioritizes “Accelerating the Development of Digitalization and Building a Digital China,” which aims to “drive the transformation of production methods, lifestyles and governance” through widespread network integration and the use of data.

In our view, the goal to “build a digital China” is perhaps the deepest, most transformative part of the 14FYP, and it partly underpins the other two sections we highlight here, especially the “development of a modern industrial system.”

The plan aims to digitize not just factories, but entire supply chains, regions, the government and society. It also plans to improve the sharing, exchange and use of data, partly through the creation of data markets. All of this is, of course, to take place with security at the forefront, built into all levels.

The elements of the digitization plan may sound familiar because they are also key tenets of the Data Security Law (DSL), released in July 2020 in draft form and expected to be passed this year. In the initial clauses of the first article, the draft DSL states the intention “to ensure data security, [and] promote data development and use,” and later underlines that the state “firmly places equal emphasis” on both.

This dual concern toward data in the DSL and 14FYP stems from a 2019 decision, related to the declaration of a “New Development Era,” to name data as a so-called “factor of production,” alongside the traditional land, labour and capital, as well as knowledge, technology and management included by the CCP.

Since the release of the draft DSL, the attention of the foreign business community has largely focused on the technical security aspects in anticipation of serious compliance challenges. To be sure, this is of vital importance: definitions are vague; apparent overlaps exist with the Cybersecurity Law (CSL) and MLPS 2.0, as well as the National Security Law; and the call for regions and regulators to develop their own “important data” catalogues seemingly runs counter to developing a national framework.

But what the 14FYP makes clearer is that data will likely be governed not only by the security agencies (CAC, MPA) and sectoral regulatory agencies, but also by the development agencies (NDRC, MIIT, MST), as well as administrative regions.

As indicated above, the latter is mentioned in the DSL, and has been a source of concern and confusion for multinationals who view the law through that technical compliance lens – this is likely too narrow a perspective.

The adoption of the 14FYP initiates a period of planning among provincial governments and ministries. Given the greater commitment toward industrial planning, not to mention the momentousness of “New Development Era” language and the pressure of geopolitical competition, we anticipate that these plans will be backed by more resources than ever before in what will be a vigorous whole-of-government implementation effort.

These plans will include their own individual visions for data development, tailored to local or ministerial needs, which, while moving in a single general direction, are bound to conflict due to differing motivations. The MPS, after all, has an entirely different orientation than MIIT does, although it seems they will have equal stake.

As implementation proceeds over the coming five years and these expected conflicts come to light, the truly difficult questions will begin to be addressed in earnest: “How is security balanced against the need for development? How is centralized guidance balanced against market forces in this uniquely sensitive area?”

Complicating things further, this conversation will by its nature involve esoteric matters of cybersecurity, the practical challenges of breaking ground of never-before-implemented concepts like centralized data markets, and intensifying geopolitical competition.

Hill and Associates predictions

Although it is early, Hill & Associates predict that adapting to the emerging digitally networked economy as it dynamically addresses the “development plus security” problem (our phrase) described here will be among the top challenges for foreign companies in the 14FYP period. For multinational companies to adequately meet this challenge will require an effort to identify a full range of digital policy stakeholders beyond the obvious security and regulatory agencies, and developing an understanding of their visions for implementation.

It will also require a clear picture of the digitization state-of-play across various industries and locations, which will deeply influence the pace and depth of policy rollout, and potentially catalyse substantial market change in some segments.

Companies should also prepare themselves for a period of experimentation, the outcome of which is unknown, a process that could complicate strategic business decisions, not to mention cyber/data security decisions.

While the precise unfolding remains to be seen, it is crucial that multinationals transition from what has up until now been a primarily preventive/defensive posture toward data security policy, to one that is more strategic and competitive.