← Back · ← Home · ← Back to list
[EAI Commentary] <Response Strategies for Global Digital Governance> US-China Data Norm Competition and Korea: Implications of the European Union's 'Data Sovereignty Theory'
Editor's Note
This is the second report in the special commentary series "Digital Global Governance and Diplomatic Strategy." This commentary by Professor Sangbae Kim of Seoul National University examines the 'data sovereignty theory' amidst the US-China competition over data norms. The author argues that while the US pursues international norms that ensure the transnational flow of data, and China counters by pursuing a 'national data sovereignty theory' to protect its domestic data market, there is a need to contemplate the concept of data sovereignty itself. Starting from the question of the validity of 19th-century geopolitical notions of sovereignty in approaching the issue of data flow in the 21st-century cyberspace, this commentary focuses on the European Union, which addresses data issues from the perspective of 'sovereignty as an idea.' Analyzing the EU's case, the author predicts that future national data response strategies will likely involve reconfiguring domestic data utilization environments and seeking data-related legislation, considering national circumstances, amidst the competing US and China data discourses. In this context, the author suggests that Korea's pursuit of 'data sovereignty theory' should be based on the concept of 'complex sovereignty,' which grounds the rights over data in the rights of individual citizens or the collective populace rather than the state, while simultaneously enabling businesses that utilize data and reflecting the state's role in ensuring data publicness.
The 'Data Round' of US-China Competition and Korea
The heat of the US-China trade war is intense. Looking at the landscape of advanced industries, the dispute goes beyond mere trade and economics, extending to national security. The variables of technological competitiveness and technological security lie behind these fierce struggles. In particular, the US has wielded export and import regulations in advanced industries under the guise of technological security. At the center of this unfolding situation is Huawei, a Chinese telecommunications equipment company. For over a year, the US has exerted multifaceted pressure on China, including economic and diplomatic measures, citing cybersecurity concerns related to Huawei's equipment. Observing this so-called 'Huawei incident' leads to discussions about the US-China technological hegemony competition. However, peeling back another layer of this US-China competition reveals the issue of data security.
What the US fears is the national security problem that could arise from data leaked through backdoors in Huawei's products. The G20 Summit in Osaka in June 2019 showed signs that the focus of the US-China technological hegemony competition was shifting from the 'Huawei round' to the 'data round.' The 'Osaka Track,' proposed by Japan at the G20, reflects the intentions of the US and other Western nations targeting China's digital protectionism and data localization policies. In response to the US offensive, China has also invoked data sovereignty as a rationale for regulating American companies operating in its market. While the US brandished protectionist measures under the pretext of security in the Huawei issue, it advocates for a trade environment that ensures the free transnational flow of data.
The unfolding of these events is anticipated to affect Korea as well. The recent Huawei incident has become an issue of alliance diplomacy for Korea, rather than a simple matter of technological choice. In June 2019, the US Ambassador to Korea publicly urged Korea to join the sanctions against Huawei. Similarly, the issue of transnational data movement could potentially strain US-Korea relations in the future. In 2016, the Korean government refused Google's request to export domestic map data at a scale of 1:5000, citing national security concerns. In October 2018, a bill was introduced in the National Assembly to impose an obligation on US internet companies like Google and Amazon to establish data centers in Korea, prompting the US Ambassador to Korea to request that Korea avoid 'data localization measures that hinder the advantages of the cloud'.
Korea boasts a data production volume that ranks fifth globally, making it a 'data-advanced nation.' However, approximately 70% of the domestic cloud market is dominated by US companies such as Amazon Web Services (AWS), Microsoft, and Google. Recognizing the potential of the Korean data market, Google has announced plans to establish a data center in Korea early next year, while Microsoft is already constructing its third data center. Oracle plans to establish an additional data center within a year, following the opening of its data center in May. AWS and IBM established domestic data centers as early as 2016 to operate cloud services. With domestic companies' cloud businesses lagging, concerns are rising about the potential outflow of vast amounts of data produced in Korea due to excessive reliance on US cloud companies.
Rethinking 'Data Sovereignty Theory'
In response to these changes, discourse based on data sovereignty theory has recently gained traction in Korea. For instance, the Ministry of SMEs and Startups is actively supporting data infrastructure development projects led by domestic companies under the banner of safeguarding data sovereignty. Concurrently, there is growing interest in Naver, a domestic internet company that is taking steps to construct a second data center. Furthermore, proposals have emerged for the government to create a domestic enterprise-friendly environment, given that small and medium-sized enterprises (SMEs), unlike large corporations, cannot afford to build their own data infrastructure. The plan is to create a national platform for SMEs' data centers. The discourse mobilized in these efforts is data sovereignty theory.
While welcoming these initiatives, which recognize the importance of data, I hope they do not regress into an overly backward-looking data sovereignty theory. Even when advocating for data sovereignty, an approach where the state intervenes to control data flow, as seen in China, is anachronistic. We must also consider how our data sovereignty theory will establish its relationship with the discourse of free data flow advocated by the US and other Western nations, as represented by the 'Osaka Track.' In a situation where the US-China competition front is expanding into the data sector, it is necessary to closely monitor when and how the fallout might affect US-Korea or China-Korea relations. Just as the US-China competition is evolving into complex patterns, our own deliberations in the interim are bound to deepen.
In particular, there is a need to contemplate the concept of data sovereignty itself. As the importance of data as a strategic resource grows, discussions on data sovereignty are emerging, but the depth of consideration regarding what 'sovereignty' actually means is shallow. Generally, when 'sovereignty' is mentioned, it often refers to the concept of 'state sovereignty' as understood in the modern sense. However, is it appropriate to apply the modern concept of sovereignty, formed on the premise of the territorial state, to an era of transnational data flow? When discussing data flow in cyberspace in the 21st century, is it right to revert to a concept of sovereignty conceived in the 19th-century geopolitical space?
Based on this critical perspective, this paper aims to examine the evolving landscape of the US-China hegemony competition, focusing on the competition over data norms. Specifically, it seeks to elucidate the conceptual characteristics of the data sovereignty theories underpinning the data strategies of both the US and China, how these discourses are reflected in their respective data-related legal systems, and how they will be incorporated into the formation of future international norms. The ultimate interest of this paper is, of course, to gauge the direction of data strategy that Korea should pursue in response to this 'structural transformation.' To this end, it will pay close attention to the implications of the 'data sovereignty theory' recently proposed by the European Union in the data sector.
The United States: Discourse on Transnational Data Flow
The US position can be summarized as advocating for the free transnational movement of data, except in highly sensitive areas affecting privacy. The argument is that if issues such as personal information leakage, distortion, or misuse arise during the free cross-border transfer of data, the responsible company should be held liable. The US primarily protects specific data in sectors such as healthcare, finance, and information and communication technology, and responds within the legal frameworks of individual states or corporations rather than at the national policy level. This stance leads to the conclusion that it is not possible to perfectly control the transnational movement of data under the name of national sovereignty, nor is it desirable to do so.
This discourse on transnational data flow is based on the perception that national sovereignty is weakening today. The concept of sovereignty assumed here refers to governmental 'policy sovereignty,' understood as the ability to control activities beyond the boundaries of territorial states. It is argued that this policy sovereignty is increasingly weakened by the advancement of globalization today, and this is also the case in the data sector. The US data discourse, therefore, represents the logic and interests of American multinational corporations seeking to maximize the value of data globally through transnational flow. Consequently, the US's actions to advocate for the free flow of data and seek international norms that guarantee it are expected to intensify with the development of the digital economy.
Indeed, the US and Japan have been discussing rules for the international flow of personal data and big data since the latter half of 2018. In this context, the aforementioned 'Osaka Track' is a noteworthy event. The Osaka Track is expected to discuss not only the standardization of international data flow rules but also the strengthening of personal information and intellectual property protection, cybersecurity, and the establishment of taxation standards for American internet companies. In particular, with the agreement to establish standards for digital taxation, known as the Google tax, by 2020, taxes on various streaming and cloud-based services such as video and games are expected to increase. These issues raised at the G20 level are expected to be replicated and expanded in similar configurations during bilateral, multilateral, and regional negotiations.
This US discourse has recently expanded across borders, linking with the logic of security in the context of counter-terrorism strategies. For example, in March 2018, the US announced the Cloud Act, or the 'Clarifying Lawful Overseas Use of Data Act,' which grants US law enforcement agencies the authority to access emails, documents, and other communication data stored on overseas servers of US internet companies such as Google, Microsoft, Amazon, and Apple. Once this law is implemented, wiretapping will be possible even without a warrant from a US court, and the collection of necessary personal information-related data will be feasible regardless of where the data is stored. This move signifies the projection of a form of 'imperial sovereignty' based on the notion of data security, and friction with the relevant countries is anticipated.
China: Discourse on National Data Sovereignty
China's principle is to restrict the transnational movement of data. The sense of crisis regarding US data surveillance following the Snowden incident also contributed to strengthening China's stance. The regulation mandates that all companies operating in China must store data collected within its borders domestically. To transfer data abroad, companies must obtain permission from Chinese authorities and undergo a security assessment procedure according to Chinese regulations. Furthermore, if requested by the Chinese government, companies must provide data decryption information; refusal can result in business suspension and fines. China's Cybersecurity Law, implemented in June 2017, contains these provisions.
The concept of sovereignty invoked by China, which restricts the transnational movement of data, is 'legal-political national power (國權)' as an authority at the state level. This is related to the issue of control by territorial states. If asked who has the authority to regulate transnational data flow, the answer is that existing state actors must step forward, citing public interest and national security. The concept of data sovereignty or cyber sovereignty advocated by China is a representative example of this invoked concept of sovereignty. It is the inherent right of a sovereign state to censor and control data that harms public interest and to regulate the outflow of data collected in China. This national power as sovereignty aligns with the 'principle of non-interference in internal affairs' assumed by the modern concept of sovereignty of territorial states.
The Cybersecurity Law includes provisions for security reviews and safety assessments of critical information infrastructure, the introduction of real-name registration for online services, mandatory local storage of personal information related to critical information infrastructure on servers within China, explicit provisions for internet censorship and government intervention, obligations for businesses to block and report illegal information, and regulations on internet-related products or services. In particular, provisions related to data localization and internet security reviews are contentious. If designated as a 'critical information infrastructure operator' of a higher tier, data servers must be located in China, and only network equipment and services designated by the Chinese government can be used. The Chinese government can then continuously inspect and monitor the security level.
While the Cybersecurity Law ostensibly aims to protect personal information and ensure national and public safety, it is understood to be aimed at protecting domestic industries and strengthening the control and censorship of internet content. In practice, the Cybersecurity Law has exerted pressure on American multinational corporations. Amazon Web Services (AWS) sold its Chinese business assets in November 2017. In early 2018, Microsoft and Amazon moved their respective data to data centers in Beijing and Ningxia. Furthermore, immediately after the implementation of the Cybersecurity Law, Apple transferred all personal information and management rights of its Chinese users to the local government of Guizhou Province, and in February 2018, announced plans to build a second data center in the Inner Mongolia Autonomous Region.
The European Union: Discourse on Citizen Data Sovereignty
Amidst the competition between movements seeking international norms that ensure transnational data flow and efforts to protect domestic data markets based on data sovereignty, the recent actions of the European Union have attracted attention. Historically, the EU has taken steps such as the conclusion and subsequent invalidation of the Safe Harbor Agreement and the introduction of Privacy Shield, culminating in the implementation of the General Data Protection Regulation (GDPR) in May 2018. In this process, issues such as data transfer abroad and localization, the effective utilization of data and protection of personal information, the recognition of individual data rights in a manner distinct from ownership, and the imposition of the so-called Google tax have been discussed as contentious points.
The concept of sovereignty discernible in the EU's actions is 'sovereignty as an idea' shared at the level of the nation, serving as the collective entity embodying the exercise of sovereignty. This concept of sovereignty aligns with the concept of citizens' rights, or civil rights, and more specifically, it is a form of 'citizen sovereignty' in the sense of collective rights of the populace based on the rights of individual 'citizens.' When applied to the data sector, this concept of sovereignty manifests as the right to protect data containing the sensitive information of the populace, understood as a collective of individuals, or the personal information of citizens as individual users. This is a concept of sovereignty raised from the perspective of collectively understanding the rights of individuals who constitute the state.
A prime example of the EU's citizen sovereignty theory is GDPR. GDPR applies not only to EU member states but also to all global companies that have a business presence within the EU or offer goods or services online. Violations of the regulation can result in fines of up to 4% of global annual revenue or up to 20 million euros (approximately 26.8 billion Korean won). GDPR stipulates rights such as the right to erasure (right to be forgotten), data portability, and the right to object to profiling, in addition to existing rights of access and rectification. Furthermore, by legally regulating the use of pseudonymized data, it enhances user trust in data utilization and related services. Individuals can file lawsuits if their data transferred to overseas servers is compromised.
Regarding regulations on cross-border data transfers, GDPR stipulates that data can only be freely transferred abroad if it passes an 'adequacy or equivalence decision,' proving that the destination country has a data protection system equivalent to that of the EU. However, data transfer is still possible even if the data protection level does not meet the standard, provided there is consent from the data subject, if it is necessary for contract fulfillment, or if legal cooperation is required. The EU's case offers a model where the basis for the right to protect data is sought not at the national level but at the individual level, with the state (the EU) providing a legal framework to guarantee these rights.
Korea: Seeking 'Complex Sovereignty'?
As seen in the EU case above, future national data response strategies are expected to involve reconfiguring domestic data utilization environments and seeking data-related legislation, considering national circumstances, amidst the competition between the distinct data discourses of the two camps represented by the US and China. In this process, efforts will be made to form bilateral, multilateral, and regional data international norms that reflect national interests in some form. This is where the advent of the aforementioned 'data round' is anticipated. If so, what 'data sovereignty' discourse, strategy, and system should Korea seek in the face of these changes? Interestingly, all three forms of data discourse mentioned above are currently showing signs of emergence in Korea.
First, in June 2018, the government announced plans to pilot MyData, a data utilization system centered on data subjects. MyData is a data utilization method that allows data subjects to directly access and utilize or share their data obtained from institutions. The implementation of MyData, reminiscent of the US data discourse, is significant given that the right to data portability for individuals is not explicitly stated in Korea's Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection. It is expected to be implementable without revising laws and to overcome the limitation of reduced data utility due to de-identification measures. The goal is to promote server business and participation starting with sectors that directly benefit citizens, such as healthcare (health management), finance (asset management), and telecommunications (plan recommendations).
Second, in September 2018, a bill to amend the Act on Promotion of Information and Communications Network Utilization and Information Protection was introduced in the National Assembly, mandating IT companies of a certain size to establish servers in Korea. This bill includes provisions for technical measures to ensure stable service utilization and imposes penalties of up to 3% of revenue for violations. It specifically aims to secure a basis for taxation by obligating global internet companies to install domestic data servers. The intention is to rectify the 'uneven playing field' in Korea's internet industry. According to this amendment, information and communication service providers of a certain scale must install servers in Korea to ensure stable service utilization for users. This is intended to strengthen data sovereignty.
Finally, in July 2019, the Ministry of SMEs and Startups announced a mid-term roadmap to build national infrastructure platforms that SMEs can freely utilize, such as data centers. The plan aims to enable SMEs to achieve cloud-based AI manufacturing innovation. Based on the assessment that Korea has been too slow in cloud industry investment, the government intends to create a platform for SMEs to reduce their expenses for data analysis and storage. This can be evaluated as a plan based on the concept of national sovereignty. This initiative raises concerns about the infringement of data sovereignty if the storage of data generated in Korea relies entirely on multinational corporations. The idea is to foster competitiveness among domestic cloud service providers by preventing all domestic data from being stored solely by companies like Amazon and Google, which would lead to data dependency.
The data discourse currently discussed in Korea mixes concepts that cater to the demands of individual users as data subjects with those that aim to protect the data market and promote related industries at the national and corporate (especially SME) levels. These aspects may appear somewhat conflicting and, at times, may reflect differences in approach between government ministries overseeing data or between the government and the National Assembly. However, conversely, considering the complex nature of the data sector, which cannot be resolved by relying on any single discourse, this situation could potentially serve as an advantageous condition depending on the efforts made to find common ground. Ultimately, the concept of sovereignty for resolving transnational data issues cannot rely solely on the traditional concept of sovereignty of a single territorial state.
From this perspective, the data sovereignty theory that Korea should pursue in the future should be based on a complex concept that incorporates ① the protection of individual rights, specifically privacy, ② the recognition of the rights of corporations seeking to maximize the value of data as a global public good, and ③ the rights of the state to ensure the publicness of data. In other words, when discussing 'sovereignty,' rather than positioning the state as the subject of rights over data, a concept of 'complex sovereignty' is needed, which is based on the rights of individual citizens and the collective populace, while simultaneously enabling the activities of companies that utilize this data and recognizing the state's role in serving the public interest. ■
■ Author: Sangbae Kim_ Professor of Political Science and International Relations at Seoul National University. He graduated from the Department of Political Science at Seoul National University and obtained a Ph.D. in Political Science from Indiana University in the United States. His main research areas include information, communication, and networks in international relations. His major works include "Virtual Walls and Net Shields: Cyber Security in World Politics and Korea" (2018), "Arachne's International Politics: Challenges in Networked World Politics Theory" (2014), "Information Revolution and Power Transformation: A Networked Political Science Perspective" (2010), and "Standard Competition in the Information Age: Intelism and the Japanese Computer Industry" (2007).
■ Managed and Edited by: Junil Yoon, EAI Research Fellow
Inquiries: 02 2277 1683 (ext. 203) I junilyoon@eai.or.kr
■ EAI Issue Briefing is a series designed to provide a platform for discourse where experts from various fields can offer in-depth analysis and policy recommendations on major domestic and international issues. Please cite the source when quoting. EAI is an independent research institution independent of any partisan interests. The views and opinions expressed in reports, journals, and books published by EAI are not affiliated with EAI and solely represent the author's personal views.
*This text is an AI translation of an original written in Korean. Some translations or nuances may be inaccurate.