The ‘Digital Silk Road’ as part of China’s Belt and Road Initiative- An analysis of the EU GDPR in light of its effectiveness in personal data protection
Candidate number: 9005 Student number: 643967
Submission deadline: 1st December 2021 Supervisor: Nancy Liu
Number of words: 14,545
List of Abbreviations
BRI Belt and Road Initiative
CIA Central Intelligence Agency
CAIH China-ASEAN Information Harbor
CCP Chinese Communist Party
DPO Data Protection Officer
DSR Digital Silk Road
EU European Union
FinTech Financial technology
GDPR General Data Protection Regulation
MoU Memorandum of Understanding
MIIT Ministry of Industry and Information Technology
NIL National Intelligence Law of 2018
NSA National Security Agency
OBOR Initiative One Belt and One Road Initiative
OTT Over-the-top
PEACE Pakistan East Africa Connecting Europe
PLA People’s Liberation Army
PRC People’s Republic of China
SCCs Standard contractual clauses
UK United Kingdom
US United States
US FISA US Foreign Intelligence Surveillance Act
Acknowledgement
The completion of this thesis could not have been possible without the assistance of a number of people. I wish to extend my deep sense of gratitude to them.
It is my privilege to acknowledge the able guidance and support provided by my supervisor, Nancy Liu. Right from choosing the approach to adopt while addressing the research question, till the final conclusion of my thesis, Nancy has been supportive and has always encouraged me to keep doing better. She has always provided me her valuable feedback and resolved my queries in a timely manner.
I am also grateful to my family and friends for their constant support.
I would also like to acknowledge the help of those people who directly and indirectly supported me in my research study.
Table of contents
1. INTRODUCTION
1.1. Background
1.2. Research Questions
1.3. Methodology
1.4. Structure
2. IMPACT OF THE DIGITAL SILK ROAD INITIATIVE ON PERSONAL DATA PROTECTION
2.1. Digital Silk Road under the Belt and Road Initiative
2.1.1. Expansion of the BRI to the digital space- The conceptualization of the Digital Silk Road
2.1.2. Various facets of the Digital Silk Road
2.2. The current status of Digital Silk Road projects
2.3. Challenges posed by the DSR on cyber security
2.3.1. Challenges posed by the DSR on cyber security
2.3.2. The Digital Silk Road- The cybersecurity angle
2.3.3. The risks associated with the Digital Silk Road- A possibility or a reality?
2.4. The Digital Silk Road- The European angle
2.4.1. Increasing investments in Europe
2.4.2. The impact of the Balkan countries
2.4.3. Concerns
2.4.4. Analysis of the situation in Europe
3. PROCESSING OF PERSONAL DATA UNDER THE DIGITAL SILK ROAD- OBLIGATIONS IMPOSED BY THE GDPR
3.1. Applicability of the General Data Protection Regulation
3.1.1. Important definitions
3.1.2. Scope- Material and Territorial
3.2. Obligations imposed on data controllers and processors
3.2.1. The difference in the obligations imposed on data controllers and data processors
3.2.2. Specific obligations
3.3. Consequences in case of non-compliance
3.4. Effectiveness of general provisions of processing under the GDPR to address the potential cyber security risks posed by the DSR initiative
4. REGULATION OF TRANSFER OF PERSONAL DATA TO CHINA UNDER THE DIGITAL SILK ROAD INITIATIVE
4.1. Ways of data transfer outside the EU
4.1.1. On the basis of an adequacy decision
4.1.2. Subject to appropriate safeguards
4.1.3. In pursuance of an international agreement
4.2. Transfer of data to China
4.2.1. The Adequacy requirement
4.2.2. Appropriate safeguards
4.2.3. Access to personal data by public authorities in China- An important factor to consider
4.3. Analysis of the adequacy of the GDPR vis-à-vis transfer of personal data to China under the DSR initiative
5. CONCLUSION
TABLE OF REFERENCE
1. Introduction
1.1. Background
The term ‘Silk Road’, though it has gained popularity in recent times, has its origin in the past and derives its name from the route used by traders in Eurasia in the pursuit of silk, spices and other commodities.1 Although it has been more than 600 years since the original Silk Road was closed down, the People’s Republic of China (“PRC”) is again making efforts to revive the same as part of the Belt and Road Initiative (“BRI”).2
The BRI is a massive transcontinental investment project aimed at infrastructural development and economic integration of the countries in Asia, Europe and Africa, along the route of the historic Silk Road.3 Initially, the BRI had only two components- the Silk Road Economic Belt (the Belt), comprising six development corridors, and the 21st century Maritime Silk Road (the Road).4
Taking into account the significance of and the growing reliance on information and communications technology in the present world, in 2015, a joint white paper was released by PRC’s National Development and Reform Commission, Ministry of Foreign Affairs, and Ministry of Commerce. It emphasised the significance of creating an ‘Information Silk Road’ for improving international communications connectivity.5 Soon, the Digital Silk Road (“DSR”) became a part of the PRC’s mainstream BRI.6
The DSR aims to cover three basic sectors- over-the-top platforms (e-commerce, e-governance, FinTech), services (smart city, security information system, data centres) and infrastructure (fibre optic cables, telecom, 5G network, satellite tracking ground stations).7 Furthermore, in 2018, the Ministry of Industry and Information Technology’s (“MIIT”) ‘Implementation Opinions on Standardisation Work in Industrial Sector and Communications Industry Serving Belt and Road Initiative’ clearly defined certain focus areas for the DSR within the three sectors- 5G mobile network technology, smart cities, the Beidou satellite and numerous telecommunications projects.8 By covering these sectors and focus areas, the DSR, on the one hand, supplements the BRI’s physical infrastructure and on the other hand, establishes common technical standards in participating nations, most of which lack rudimentary internet facilities.9 The prospect of acquiring quality products at a much lower price than its western counterparts, combined with the financing arrangements offered through the DSR, has created a great opportunity for the participating countries.10
1 Silk Road, HISTORY (Sep. 26, 2019), history.com/topics/ancient-middle-east/silk-road.
2 Belt and Road initiative, BELT AND ROAD INITIATIVE, https://www.beltroad-initiative.com/belt-and-road/ (last visited June 9, 2021).
3 Id.
4 Id.
5 Keshav Kelkar, From silk threads to fibre optics: The rise of China’s digital silk road, ORF ONLINE (Aug. 8, 2018), https://www.orfonline.org/expert-speak/43102-from-silk-threads-to-fiber-optics-the-rise-of-chinas-digital-silk-road/.
6 It has been promoted at key international gatherings such as the first Belt and Road Forum, the 4th World Internet Conference at Wuzhen, and the 8th Ministerial meeting of the China-Arab States cooperation Forum (CASCF).
7 Meia Nouwens, China’s Digital Silk Road: Integration into national IT infrastructure and wider implications for western defence industries, IISS (Feb. 2021), https://admin.govexec.com/media/china_digital_silk_road_-_iiss_research_paper.pdf.
Although the DSR is aimed at catalyzing global digitalization, it has been brought under scrutiny, time and again, from the point of view of its impact on cybersecurity in the participating countries. A 2018 report by the cybersecurity firm FireEye identified the potential cybersecurity risks associated with the DSR initiative.11 A similar fear was also highlighted by a Council on Foreign Relations report, which stated that the BRI could act as a means for the PRC to insert ‘backdoor mechanisms’ to aid its intelligence services within the BRI telecom infrastructure in the participating countries.12
The most discussed cybersecurity threat that could be posed by the DSR initiative is that of data protection13. The DSR initiative, by covering the sectors of over-the-top platforms, services and infrastructure, gives the PRC access to personal information of individuals. This access, if left unchecked, could create a potential cybersecurity threat in the BRI participating countries.
8 Implementation Opinions of the Ministry of Industry and Information Technology on Standardization Work in Industrial Sector and Communications Industry Serving Belt and Road Initiative, No. 231 (2018) of the Ministry of Industry and Information Technology, http://lawinfochina.com/display.aspx?id=29390&lib=law (last accessed on Oct. 20, 2021); Ajay Lele and Kritika Roy, Analysing China’s digital and space belt and road initiative, IDSA Occasional Paper No. 55, Nov. 2019, https://idsa.in/system/files/opaper/china-digital-bri-op55.pdf.
9 David F Gordon, et al., Beyond the myths- Towards a realistic assessment of China’s Belt and Road Initiative: The Security dimension, IISS (Sep. 2020).
10 Id.
11 Eduard Kovacs, China’s ‘Belt and Road Initiative’ drives cyber spying, SECURITY WEEK (Aug. 17, 2018), https://www.securityweek.com/chinas-belt-and-road-initiative-drives-cyber-spying.
12 Kieran Green, Securing the Digital Silk Road, CCP WATCH (Feb. 11, 2019), https://www.ccpwatch.org/single-post/2019/02/11/Securing-the-Digital-Silk-Road; Nyshka Chandran, Surveillance fears cloud China’s ‘Digital Silk Road’, CNBC (July 12, 2018), https://www.cnbc.com/2018/07/11/risks-of-chinas-digital-silk-road-surveillance-coercion.html.
13 Supra note 11; Id.
This thesis is limited to analyzing the legal framework in the European Union (“EU”) vis-à-vis its efficacy in addressing the possible impact of the DSR initiative on personal data protection in the European participating countries. The General Data Protection Regulation (“GDPR”) acts as the legal framework in the EU that governs personal data protection.
1.2. Research Questions
In light of the above observations, this thesis aims to identify the possible impact of the DSR initiative on personal data protection in the EU and analyze the efficacy of the EU GDPR in addressing the same. Therefore, the current study aims to address the following main research question-
Whether the EU GDPR is adequate in addressing the potential impact of the Digital Silk Road initiative on personal data protection in the European participating countries?
To achieve the essential aim, this thesis will address the following sub-questions-
i. What is the potential impact of the DSR initiative on data protection in the EU participating countries?
ii. Whether the general provisions of data processing under the EU GDPR are adequate in addressing the potential cyber security risks posed by the DSR initiative?
iii. How the GDPR is addressing the issue of transfer of data to China as part of the DSR initiative?
1.3. Methodology
Since the present study is limited to analyzing the provisions of the EU GDPR with respect to its adequacy in addressing the possible impact of the DSR initiative on personal data protection, this thesis adopts the doctrinal method of research to fulfil the desired objectives.
The thesis uses relevant primary sources of data (i.e. the original sources of law like legislations, precedents, international conventions etc.) and secondary sources of data (like reports, books, journals, online journals, newspapers and online sources).
For the purpose of relevant facts and figures used in the present study, this thesis relies on secondary sources of data based on the research carried out by various governmental and non-governmental agencies.
1.4. Structure
The thesis is divided into five sections, inclusive of introduction (Section 1) and conclusion (Section 5). Section 2 analyses the aims that the DSR initiative seeks to achieve, and the strategies adopted by the PRC in achieving the desired aims. It further identifies and analyzes the potential impact of the DSR initiative on personal data protection, specifically in the EU participating nations. Section 3 examines how the EU GDPR governs general processing of personal data. It further analyses the effectiveness of the same in addressing the potential cyber security risks posed by the DSR initiative. Finally, section 4 critically analyses the provisions relating to transfer of data to a third country vis-à-vis their applicability to the Chinese companies working under the ambit of the DSR initiative.
2. Impact of the Digital Silk Road Initiative on personal data protection
2.1. Digital Silk Road under the Belt and Road Initiative
Trade in China, in ancient times, happened along the silk route which was a trade route that connected China and the Far East with the Middle East and Europe through land as well as sea routes. This trade route derived its name from the major product that was traded across the route- Silk. The Silk route remained in use for a long time, until the Ottoman Empire boycotted trade with China and closed it.
In 2013, the People’s Republic of China (“China”) reincarnated the ancient silk route with the aim to connect China with the rest of Asia, Africa and Europe by launching the One Belt and One Road Initiative (“OBOR Initiative”). The OBOR Initiative was renamed as Belt and Road Initiative (“BRI”) in 2016.
The BRI originally comprised two initiatives-
a. The Silk Road Economic Belt (i.e. the ‘Belt’ in BRI)
b. The 21st Century Maritime Silk Road (i.e. the ‘Road’ in BRI)
2.1.1. Expansion of the BRI to the digital space- The conceptualization of the Digital Silk Road
Dependence on digital technology and information and communication technologies (“ICTs”) has been increasing since the last decade and it has only skyrocketed after the onset of the COVID-19 pandemic.14 This trend has a lot of significance for a country like China whose companies are successfully competing worldwide in ICT products and services. As per the statistics released at the 2021 Global Digital Economy Conference, China’s digital economy was worth nearly 5.4 trillion USD in 2020, ranking second in the world. A year-on-year growth of 9.6% was reported, being the fastest in the world.15
14 Economic impact of COVID-19 on digital infrastructure, ITU (July 2020), https://www.itu.int/en/ITU-D/Conferences/GSR/2020/Documents/GSR-20_Impact-COVID-19-on-digital-economy_DiscussionPaper.pdf (last accessed on Oct. 25, 2021).
Taking into account the growing relevance of digital space in the present day, and acknowledging the potential it holds, China decided to extend the BRI to the digital space.
This led to the inclusion of the Digital Silk Road (“DSR”) under the ambit of the BRI.
A reference to the present day DSR was made in 2015 in ‘Visions and Actions on Jointly Building Silk Road Economic Belt and 21st Century Maritime Silk Road’16, which talked about the development of an ‘Information Silk Road’ for constructing cross-border optical cables and other communications trunk line networks and improving international communications connectivity.17 The formal conceptualization of the DSR was, however, done at the World Internet Conference in Wuzhen in 201518. The DSR gained further political support at the Belt and Road Forum for International Cooperation in 2017 where the Chinese President Xi Jinping laid emphasis on the significance of digital connectivity and information sharing, and proposed to “pursue innovation-driven development, to intensify cooperation in frontier technological areas such as digital economy, artificial intelligence, nanotechnology and quantum computing, and to advance the development of big data, cloud computing and smart cities so as to turn them into a digital silk road of the 21st Century”.19 Since 2017, the DSR has been mentioned, time and again, in official Chinese government speeches20, which highlights its growing significance.
With an objective to promote the DSR, China organized the 7th World Internet Conference (Wuzhen Summit)21 in 2020. The Summit witnessed participation and display of cutting-edge scientific achievements of over 130 well-known enterprises/institutions such as Alibaba, Huawei, Tencent, Baidu, Epson and Infosys, among others.22 Such efforts by China highlight its objective of harnessing the most from the digital transformation happening around the world.
15 China’s digital economy worth nearly $5.4 trillion in 2020, CHINA DAILY (Aug. 8, 2021), https://global.chinadaily.com.cn/a/202108/03/WS6108d583a310efa1bd6664f3.html.
16 Vision and actions on jointly building Silk Road Economic Belt and 21st century Maritime Silk Road in March 2015, BELT AND ROAD FORUM (Apr. 10, 2017), http://2017.beltandroadforum.org/english/n100/2017/0410/c22-45.html.
17 Id.
18 Wang Keju, Digital Silk Road strengthening commerce ties, CHINA DAILY (Nov. 9, 2018), https://www.chinadaily.com.cn/a/201811/09/WS5be506ada310eff303287ac8.html.
19 Winston Ma, Could a Digital Silk Road solve the belt and Road’s sustainability problem?, WE FORUM (Sep. 19, 2018), https://www.weforum.org/agenda/2018/09/could-a-digital-silk-road-solve-the-belt-and-roads-sustainability-problem/.
20 The Digital Silk Road: Expanding China’s digital footprints, Eurasia Group (Apr. 8, 2020).
21 7th World Internet Conference (Wuzhen Summit) 2020 on digital development for a better future, UN PAN (Nov. 22, 2020), https://unpan.un.org/node/1170.
2.1.2. Various facets of the Digital Silk Road
The Ministry of Industry and Information Technology in China issued ‘Implementation Opinions on Standardisation Work in Industrial Sector and Communications Industry Serving Belt and Road Initiative’ in 2018, which defined six key areas for the DSR, including fifth generation (“5G”) mobile network technology, smart cities, the Beidou satellite and telecommunications projects.23
The DSR projects can be categorized into the following 4 types, based on their nature24-
a. Digital infrastructure- fibre optic cables, telecom, 5G network, satellite tracking ground stations
b. Telecommunications carrier services
c. Data centers, cloud services, smart cities
d. Over-the-top (“OTT”) service providers- e-commerce, e-governance, financial technology (“FinTech”)
With respect to digital infrastructure, Chinese companies like Huawei and ZTE are closely involved in developing 5G technology networks, including but not limited to submarine and overland cable networks. Huawei has a substantial presence in the European and other third-world markets.25 State-owned Chinese companies like China Mobile, China Telecom and CITIC Telecom, on the other hand, are primarily responsible for improving telecom coverage and broadband availability under DSR projects related to telecommunications carrier services.26
With respect to data centers, cloud services and smart cities, Huawei is in talks with various countries in Central and Southeast Asia and Africa, to promote smart city projects and security information systems (by means of Safe City projects). The Chinese company Alibaba, on the other hand, has more than 22 overseas data centers outside China and has partnered with Singtel, in Singapore and SK Group, in South Korea, to provide cloud services. It is also involved in providing OTT services, along with companies like Tencent and JD, by means of leveraging its position in providing data and cloud centres services.27
An analysis of the key facets of the DSR highlights its aim of providing market access to leading Chinese companies like Huawei, Alibaba, ZTE, Tencent etc. and various state-backed telecom carriers like China Mobile, China Telecom, and China Unicom. The resultant market access can enable such companies to compete in emerging markets with their leading US competitors, thereby giving leverage to the Chinese digital economy.28 The DSR also provides a pathway to various developing and under-developed countries to undergo the much-needed digital transformation without much expenditure. This highlights how, prima facie, the DSR initiative is a win-win situation for both the parties to the DSR Memorandum of Understanding (“MoU”29).
22 Ji Jing, Wuzhen Internet conference highlights the importance of digitalization and cooperation in cyberspace, BEIJING REVIEW (Nov. 29, 2020), https://www.bjreview.com/Nation/202011/t20201129_800228389.html.
23 Implementation Opinions of the Ministry of Industry and Information Technology on Standardization Work in Industrial Sector and Communications Industry Serving Belt and Road Initiative, Supra note 8.
24 Supra note 20.
25 Supra note 9 at 19-23.
26 Id.
2.2. The current status of Digital Silk Road projects
After the official announcement of the ‘Digital Silk Road’ being part of the BRI, countries from Asia, Europe and Africa have been zealous in finalising DSR agreements with Chinese companies.
By 2019, as part of the DSR, Chinese companies had installed fibre optic cables in 76 countries, surveillance systems in 27 countries and supplied telecom equipment to 21 countries and internet connection appliances to 27 countries.30
The China-ASEAN collaboration on the technological forefront has been one of the key highlights of the DSR. In 2016 itself, the China-ASEAN Information Harbor (“CAIH”) project was launched under the umbrella of BRI for enhancing digital connectivity between China and ASEAN.31 As a result, CAIH Co. Ltd., an info-tech company, was specifically created for the establishment and operation of CAIH.32 In 2020, the China-ASEAN digital cooperation gained increased momentum as the year was declared as China-ASEAN Year of Digital Economy Co-operation33.
27 Supra note 20, pp. 4-6.
28 Unpacking China’s Digital Silk Road, CLINGENDAEL (July 27, 2020), https://www.clingendael.org/publication/unpacking-chinas-digital-silk-road.
29 Beijing has already signed 16 Memoranda of Understanding (MoUs) with various countries, out of which 12 have begun actionable implementation.
30 Sheridan Prasso, China’s Digital Silk Road is looking more like an iron curtain, BLOOMBERG (Jan. 10, 2019), https://www.bloomberg.com/news/features/2019-01-10/china-s-digital-silk-road-is-looking-more-like-an-iron-curtain.
31 Ngeow Chow Bing, The Digital Silk Road: From South-China to Southeast Asia, https://asia.fes.de/news/digital-silk-road (last accessed on Oct. 23, 2021).
With respect to Europe, Germany, Czech Republic, Hungary, Poland and Serbia have signed DSR-related MoUs with China.34 Around 38 DSR-related projects are being carried out in Germany, including but not limited to, data centres, 5G telecom networks, e-commerce, fintech, security and smart city related services.35 In 2020, out of a total of 91 global contracts of Huawei’s 5G services, 47 came from Europe itself.36
DSR projects are also being successfully carried out in the African continent. In June 2021, Senegal became the first African country to replicate the Chinese model of implementing local domestic servers and data centres, with the objective of strengthening its digital sovereignty.37 The national data centre is being financed by a loan from China and is being built with the technical support of Huawei.38 Earlier in 2020, Ivory Coast had signed a deal with Huawei to design its national digital economy strategy and establish a broadband strategy.39 About 70% of Africa’s 4G infrastructure is developed by Huawei, which shows the dominance Huawei enjoys in the African continent.40
China is also aiming to create the shortest direct internet route between Pakistan, Africa and Europe by installing the Pakistan East Africa Connecting Europe (“PEACE”) cable in the Indian Ocean and the Mediterranean. This project is being handled by the Hengtong Group, which is one of China's leading fiber optic and power cable makers.41 The PEACE cable will drastically reduce the time taken to transfer internet data.
32 China-ASEAN Information Harbour, http://www.caih.com/subpage_141.html (last accessed on Oct. 21, 2021).
33 The 2020 ASEAN-China Digital economy cooperation conference successfully held in Chengdu, ASEAN CHINA CENTER (Nov. 9, 2020), http://www.asean-china-center.org/english/2020-11/5474.html.
34 The Impact of the Digital Silk Road on European Countries and Companies in the Shadow of COVID-19: A European Perspective on the Belt and Road Initiative, INDER SCIENCE, https://www.inderscience.com/info/ingeneral/cfp.php?id=5358 (last accessed on Oct. 25, 2021).
35 Supra note 7.
36 Huawei leads in 5G commercial contracts, over half from Europe, PR NEWS WIRE (Feb. 22, 2020), https://www.prnewswire.com/il/news-releases/huawei-leads-in-5g-commercial-contracts-over-half-from-europe-807370957.html.
37 Senegal aims for digital sovereignty with new China-backed data centre, REUTERS (June 22, 2021), https://www.reuters.com/article/senegal-datacenter-idINL5N2O44D3.
38 Melissa Govender, The West looks on as Africa opts for China’s Digital Silk Road Programme, ACCESS PARTNERSHIP (July 18, 2021), https://www.accesspartnership.com/business-day-the-west-looks-on-as-africa-opts-for-chinas-digital-silk-road-programme/.
39 Id.
40 Id.
There has been an upward trend in the number of DSR projects being finalized in various continents, especially after the onset of the COVID-19 pandemic. However, there have also been several instances where various countries have shown reluctance to be a part of the technological advancement being carried out by certain Chinese companies, as part of the DSR. The next section highlights the concerns of different jurisdictions in this regard.
2.3. Challenges posed by the DSR on cyber security
2.3.1. Digital Silk Road- A gateway to control the digital economy
As discussed in the previous section, the primary objective behind the DSR initiative, from the point of view of China, is to provide market access to Chinese companies like ZTE, Huawei, China Telecom etc. Be it through infrastructural developments, providing 5G technology services, or building data centres/smart cities, these companies are penetrating into the digital backbone of several countries and becoming an indispensable part of the developing and under-developed economies.
The extent of digital connectivity created by China through the DSR is evident from its involvement in the development of submarine cables in the Asia-Pacific region. Submarine cables carry about 98% of international internet data and telephone traffic. By becoming a landing point, owner and supplier of about 11.4% of submarine cables globally and about 24% of planned cables, China aims to become a key player in digital connectivity infrastructure by upgrading east and west internet connections across the BRI regions, and to complement the same with Chinese servers and data centres.42
The projects being carried out under the DSR initiative give certain leverage to China in the form of increased access to data of all types. This data access only increases with the increasing number of the DSR projects.
41 Mifrah Haq, China builds Digital Silk Road In Pakistan to Africa and Europe, NIKKEI ASIA (Jan. 29, 2021), https://asia.nikkei.com/Spotlight/Belt-and-Road/China-builds-Digital-Silk-Road-in-Pakistan-to-Africa-and-Europe.
42 Richard Ghiasy and Rajeshwari Krishnamurthy, China’s Digital Silk Road: Strategic implications for the EU and India, IPCS (Aug. 2020), https://leidenasiacentre.nl/wp-content/uploads/2021/01/LAC-IPCS-DSR-Report-Aug-2020.pdf.
China’s aim to become the digital backbone of several economies through its technological development tool- the DSR, coupled with the increasing amount of data it is getting access to through various projects which are being carried out under the ambit of DSR, gives China an opportunity to misuse data.
The example of the United States (“US”) with regard to the revelation made by Edward Snowden in 201343 about the surveillance programme carried out by the United States National Security Agency (“NSA”) is of specific significance here. It highlights the issue with controlling the digital backbone of an economy and thus, having unrestricted access to data of individuals and organizations. Such a situation often leads to a continuous, massive and invisible surveillance of the data flows.
As China moves forward with the DSR initiative by financing and building fibre optic cables, 5G networks, data centres etc., it becomes imperative to understand the implications of such digital transformation vis-à-vis unauthorised data access and data misuse.
2.3.2. The Digital Silk Road- The cybersecurity angle
As soon as China officially included the DSR initiative as part of the BRI, various academicians and cyber security experts raised concerns about the risks associated with China’s involvement in the digital economy of other nations. Some of these risks are mentioned below-
i. Creating backdoor mechanisms in network infrastructure to carry out disruptive cyber-attacks and,
ii. Information security-
a. Unauthorised data access- of data concerning both individuals and national critical infrastructure
b. Unauthorised data use- of data concerning both individuals and national critical infrastructure
43 Edward Snowden: Leaks that exposed US spy programme, BBC NEWS (Jan. 17, 2014), https://www.bbc.com/news/world-us-canada-23123964.
The above-mentioned security risks were also indicated in a 2018 report by a cybersecurity firm, FireEye, which identified the potential cybersecurity risks associated with the DSR initiative.44
As China’s influence over the cyber space grows because of the DSR, countries like the U.S. criticize the same because of the threat it poses to the existing technological standards and established doctrines of internet governance. However, this issue is more of a political one than legal.
Before getting into the detail of the two potential cyber security risks mentioned above, it is important to first understand the meaning of “backdoor mechanism”. A backdoor in a network infrastructure is not a general security vulnerability. There are two essential ingredients to it- first, specific intent, and second, exploitability. Specific intent refers to the deliberate creation of vulnerabilities in the system so as to create an opening for a third party to infiltrate into the infrastructure. Exploitability, on the other hand, implies that the backdoors are known to certain third parties, who are thus capable of exploiting the same to their advantage.
It is also pertinent to note that backdoors in a network infrastructure can either be open to any third party for exploitation, or can only be identified and exploited by certain specific third parties. The former case makes it very easy for any third party to identify the deliberate cyber security lapses in the system. However, in the latter case, the exploitation by a specific third party might happen for a long period of time without being noticed by anyone.
The creation of a backdoor mechanism facilitates the commission of a cyber-attack, unauthorised access to data and misuse of data available on the network. However, misuse of data can happen without any backdoor mechanism. As mentioned earlier, Chinese companies already have access to large quantities of data as a result of the DSR projects they have undertaken/ are undertaking. Such data access only increases with the increasing number of DSR projects, thus providing an opportunity to misuse such data on a platter.
2.3.3. The risks associated with the Digital Silk Road- A possibility or a reality?
The concerns raised by various academicians and cyber security experts about China’s growing involvement in digital transformation through the DSR projects are not baseless. A few of the Chinese companies which form a part of the DSR initiative have been accused of conducting espionage activities for the Chinese government under the blanket of ‘technological advancement’. There have been several reports backing the same.
44 Supra note 11.
A 2005 report linked private Chinese tech companies like Huawei to state-backed research institutions and the People’s Liberation Army (“PLA”), the regular armed forces of China, describing the three as the ‘digital triangle’.45 In 2013, Michael Hayden, the former head of the Central Intelligence Agency (“CIA”) and National Security Agency (“NSA”), accused Huawei of having links with the Chinese Communist Party (“CCP”) and being involved in CCP-directed espionage activities.46 It is pertinent to note that Mr. Hayden merely implied the existence of classified evidence supporting this accusation. There is nothing in the public domain to support such a claim.
The U.S., in August 2018,47 took a firm step to propose a ban on the use of Huawei in the networks in America through the Defence Authorisation Act.48 The same was confirmed by a presidential executive order in May 2019.49 This move was backed by the testimony of several experts, including the directors of the CIA, FBI and NSA, before the Congress stating that Huawei could conduct “undetected espionage” using backdoors in its software if its equipment was used in the US networks.50 A similar fear was expressed in a report by the Council on Foreign Relations which directly targeted the BRI and alleged that China could use the BRI to insert certain ‘backdoor mechanisms’ to aid its intelligence services.51 On several occasions, the US has also warned its allies about the possibility of making critical systems vulnerable to disruption and espionage, as a result of increased reliance on Chinese tech companies.
45 Evan Medeiros, et al., A new direction for China’s Defence Industry, RAND.ORG (2005) https://www.rand.org/content/dam/rand/pubs/monographs/2005/RAND_MG334.pdf (last accessed on Oct. 21, 2021).
46 Katherine Jacobsen, Former head of CIA: Huawei engaged in espionage for Chinese state, CS MONITOR (July 19, 2013), https://www.csmonitor.com/Technology/2013/0719/Former-head-of-CIA-Huawei-engaged-in-espionage-for-Chinese-state.
47 John S. McCain National Defense Authorization Act for Fiscal Year 2019, https://www.congress.gov/bill/115th-congress/house-bill/5515/text (last accessed on Oct. 21, 2021).
48 Jacob Kastrenakes, Trump signs bill banning government use of Huawei and ZTE tech, THE VERGE (Aug. 13, 2018), https://www.theverge.com/2018/8/13/17686310/huawei-zte-us-government-contractor-ban-trump.
49 https://www.theverge.com/2019/5/15/18216988/white-house-huawei-china-equipment-ban-trump-executive-order.
50 Colin Lecher, White House cracks down on Huawei equipment sales with executive order, THE VERGE (May 15, 2019), https://www.cnet.com/tech/mobile/5g-will-change-the-world-and-china-wants-to-lead-the-way/.
51 Supra note 12.
The US is not the only country which has issues with the conduct of Huawei. The ongoing security concerns led to Huawei’s ban from participating in the national 5G network roll-outs in Australia, the United Kingdom (“UK”) and Japan in 2018.52 The UK government further declared that all Huawei’s equipment will be removed from the UK’s networks by 2027, citing security concerns.53
In 2019, another report by the cybersecurity firm Finite State analyzed Huawei’s products and came to the conclusion that they had an unprecedented number of vulnerabilities. The report also alleged that the company consistently used outdated software with numerous known vulnerabilities.54 However, the report also stated that until now, little evidence is available to support or refute the claims of Huawei maintaining backdoor access to networks.55
Apart from these reports and claims, which are mere accusations and lack conclusive evidence, there have been a few instances which highlight some serious security lapses on the part of Huawei, indicating its ‘alleged’ involvement in the creation of backdoor mechanisms for China. In 2020, a cyber security incident occurred in a data centre built in Papua New Guinea by Huawei. Certain confidential government details were exposed to theft.56 As per the report, the security systems created by Huawei were not on par with the planned design and provided an easy gateway to interception.57 However, the report merely suggested, and did not conclusively state, that Huawei's poor cybersecurity systems were intentional.58
It is pertinent to note that most of the security concerns were raised against one Chinese company- Huawei. These incidents highlight that the cyber security threat angle of the DSR
52 Joe O’Halloran, UK mobile operators warn removing Huawei tech would cost ‘low billions’ and take five years, COMPUTER WEEKLY (July 10, 2020), https://www.computerweekly.com/news/252485974/UK-mobile-operators-warn-removing-Huawei-tech-would-cost-low-billions-and-take-five-years.
53 Greg Heffer, Huawei blocked: Tech must be stripped from UK's 5G network by 2027, SKY NEWS (July 15, 2020), https://news.sky.com/story/huawei-blocked-tech-must-be-stripped-from-uks-5g-network-by-2027-12028177.
54 Stephanie, On eve of 5G rollout, FINITE STATE report finds cybersecurity vulnerabilities embedded within Huawei devices, FINITE STATE (June 25, 2019), https://finitestate.io/news/2019/06/26/report-finds-cybersecurity-vulnerabilities-embedded-within-huawei-devices.
55 Id.
56 Chinese-built data centre in PNG exposed weakness, RNZ (Aug. 12, 2020), https://www.rnz.co.nz/international/pacific-news/423341/chinese-built-data-centre-in-png-exposed-weakness.
57 Sebastian Moss, Australia: Huawei's Papua New Guinea data center security "openly broken," making potential spying easy, DATA CENTER DYNAMICS (Aug. 12, 2020), https://www.datacenterdynamics.com/en/news/australia-huaweis-papua-new-guinea-data-center-security-openly-broken-making-potential-spying-easy/.
58 Id.
is not just a possibility, but a reality. Although these incidents highlight the lapses on the part of companies like Huawei to provide adequate cyber security protection, as discussed earlier, an important element of creating backdoor mechanisms is ‘intention’. In the absence of concrete evidence highlighting Huawei’s intention to create backdoor mechanisms for the purpose of China’s espionage activities, it is wrong to assume the same.
2.4. The Digital Silk Road- The European angle
2.4.1. Increasing investments in Europe
The European region has not played a major role in the DSR projects as yet. This can be attributed to the fact that the European countries are mostly developed economies. However, the affordability factor coupled with China’s investment scheme makes the DSR initiative an attractive project to be involved in. Therefore, China’s involvement in the technological advancement process of certain European nations is gradually increasing.
The National Development and Reform Commission and Ministry of Industry and Information Technology (MIIT) of China have invested USD 170 billion in internet projects to improve broadband and mobile network coverage services between East Asia and Europe.
As a result, 34 cross-border cables and international sea cables connecting Asia, Africa and Europe have been planned.59
In 2019, many cities in Ukraine, Azerbaijan, Malta, Germany, France, and Italy were reported to use the services offered by Huawei. Around 29 European countries currently accept Alipay, a Chinese online payment platform established by the Alibaba Group.60 Alipay has partnered with digital wallets such as Vipps (Norway), Bluecode (Austria), ePassi and Pivo (Finland), Momo Pocket (Spain), Pagaqui (Portugal), and has a minority stake in Klarna
59 Digital silk road forging ahead, INSIGHT (Mar. 2018) https://www.prysmiangroup.com/staticres/insight-3-2018-en/tracking-the-future/digital-silk-road-forging-ahead.html (last accessed on Oct. 20, 2021).
60 Elizabeth Schulze, Alipay has tripled its merchants in Europe amid ‘booming’ Chinese tourism market, CNBC (June 4, 2019), https://www.cnbc.com/2019/06/04/alipay-has-tripled-its-merchants-in-europe-amid-booming-chinese-tourism-market.html.
(Sweden).61 With these partnerships, Alipay has created a cross-platform deal to adopt a unified Alipay-supplied QR code. This enables inter-operability within the European mobile payment sector, and between European and Chinese mobile payment sectors.
2.4.2. The impact of the Balkan countries
The Balkan countries of Serbia, Bosnia, Herzegovina, Montenegro, North Macedonia, Albania, and Kosovo have become important participants of the DSR initiative by China with an objective to improve digital connectivity. Projects like safe city, smart city and establishment of data centres by Chinese companies are becoming a reality in the Western Balkan nations.
The involvement of the Balkan nations with China in the form of DSR projects is of specific significance to the European Union (“EU”) as the Balkan region is firstly, its immediate neighbour and secondly, first in line for future EU membership. Therefore, China’s influence on these Balkan nations can be potentially transferred to the EU, as and when these nations become its part.
2.4.3. Concerns
The concerns relating to the security risks posed by Chinese companies by virtue of their involvement in digital connectivity among nations are not new in Europe. The last three years have shown the reluctance of certain European nations to depend on Chinese companies, especially Huawei.
In December 2018, the French telecom company ‘Orange’ had put an effective ban on the use of Huawei equipment for core 5G technology. This was followed by the statement issued by Deutsche Telekom, a German telecom company, that it is seriously considering its partnership with Huawei.62
The year 2019 is of specific significance with regard to several European nations’ stand against Huawei. It all started in January 2019 when an executive of Huawei was arrested by the law enforcement agency of Poland based on the allegation of spying a Polish citizen.
61 Alipay teams up with European mobile wallet operators, FINEXTRA (June 10, 2019), https://www.finextra.com/pressarticle/78728/alipay-teams-up-with-european-mobile-wallet-operators.
62 Charles Riley, Doors are slamming shut for Huawei around the world, CNN BUSINESS (Dec. 14, 2018), https://edition.cnn.com/2018/12/14/business/huawei-deutsche-telekom-orange/index.html.
While the Polish security services claimed that the allegations were related to the individual and not directly linked to Huawei, this incident drew the attention of European authorities to the security glitches that might be associated with the use of Huawei’s technology and equipment.63 As soon as the arrest took place in Poland, the country’s internal affairs minister called for a joint EU-NATO statement on the future of Huawei in North America and Europe.64 This resulted in the exclusion of Huawei from the telecom operators on 5G technology. The President of Poland, in an interview, expressed his willingness to cooperate with companies from Europe or the US and his reluctance to work with tech companies from Asia to provide 5G technology.65
Ever since the incident in Poland took place, several European governments have started to consider reviewing the role played by Chinese companies in building their network. This was also partly a result of the US’s pressure to condemn questionable practices by China’s tech companies, especially Huawei. The digital chief of the European Union also drew the attention of the member states to the new amendment to the National Intelligence Law of China66 which mandated Chinese private organizations and citizens to assist intelligence agencies67 and asked them to re-evaluate their partnership with Huawei in light of this amendment.
In April 2019, Vodafone reported that, between 2009 and 2011, it had discovered vulnerabilities in the network infrastructure and consumer routers supplied by Huawei.68
63 Charles Riley and Antonia Mortensen, Huawei fires employee arrested in Poland on spying charges, CNN BUSINESS (Jan. 12, 2019), https://edition.cnn.com/2019/01/11/tech/poland-huawei-exec-arrest/index.html.
64 Poland calls for 'joint' EU-Nato stance on Huawei after spying arrest, THE GUARDIAN (Jan. 13, 2019), https://www.theguardian.com/world/2019/jan/12/huawei-sacks-chinese-worker-accused-of-spying-in-poland-wang-weijing.
65 Joanna Plucinska and Anna Koper, Poland set to exclude China's Huawei from 5G plans, REUTERS (Jan. 24, 2019), https://www.reuters.com/article/us-poland-security/poland-set-to-exclude-chinas-huawei-from-5g-plans-idUSKCN1PI2B7.
66 National Intelligence Law of the People's Republic of China (2018 Amendment), Art. 7, available at http://en.pkulaw.cn/display.aspx?cgid=313975&lib=law.
67 Id.
68 Daniele Lepido, Vodafone Found Hidden Backdoors in Huawei Equipment, BLOOMBERG (Apr. 30, 2019), https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment.
However, there was no evidence of data being compromised.69 In July 2019, a Czech Huawei employee was reported to have passed client information directly to the Chinese embassy.70
In light of the repeated incidents of discovered vulnerabilities in the equipment supplied by Chinese tech companies, in January 2020, the European Commission released a roadmap71 for its member states to limit their dependence on foreign vendors and focus on supporting domestic alternatives.
These developments led to the ban of Huawei and ZTE from 5G networks in Sweden in October 2020 on security grounds. The ban was a result of the new legislation which stipulated an examination by the armed forces and security service of Sweden “to ensure that the use of radio equipment in these bands does not cause harm to Sweden's security”.72
Thus, Chinese companies are now under strict scrutiny in the European nations owing to the potential security risks associated with the use of technology and equipment provided by such companies.
2.4.4. Analysis of the situation in Europe
The analysis of the possible cyber security implications of the DSR initiative, as discussed in the earlier section, highlights two possibilities- access to data by Chinese companies through the projects being carried out under the ambit of digital ‘connectivity’, and the deliberate creation of backdoor mechanisms by certain Chinese companies. Both of these possibilities can lead to misuse of data for espionage and intelligence activities by China, and the latter possibility could specifically lead to increased vulnerability of the network infrastructure and thus, increased cyber-attacks on certain critical information infrastructure. These two possible risks come under the ambit of two separate legislative frameworks. On one hand, the access to data is regulated by the data protection framework in the country, on the other hand, the
69 Jon Porter, ‘Hidden backdoors’ were found in Huawei equipment, reports Bloomberg, THE VERGE (Apr. 30, 2019), https://www.theverge.com/2019/4/30/18523701/huawei-vodafone-italy-security-backdoors-vulnerabilities-routers-core-network-wide-area-local.
70 Former Huawei employees say client information was discussed at Chinese embassy, RADIO PRAGUE INTL. (July 22, 2019), https://english.radio.cz/former-huawei-employees-say-client-information-was-discussed-chinese-embassy-8125334.
71 Cybersecurity of 5G networks- EU Toolbox of risk mitigating measures, https://wayback.archive-it.org/12090/20200703135735/https://ec.europa.eu/digital-single-market/en/news/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-measures
72 After United Kingdom, Sweden bans Huawei from upcoming 5G networks, WIONEWS (Oct. 20, 2020), https://www.wionews.com/technology/after-united-kingdom-sweden-bans-huawei-from-upcoming-5g-networks-336623.
creation of ‘backdoor mechanisms’ is prohibited by the cyber security framework. However, it is pertinent to note that these two frameworks are not mutually exclusive. The data protection framework of any country has certain aspects of cyber security. It obligates entities to adopt technical and organizational measures to ensure a minimum standard of protection of data held by these entities, to ensure a cyber secure environment.
The most important aspect of this paper is to understand the readiness of Europe to take advantage of the ‘digital connectivity’ promised by China, without actually compromising its standards of data protection. An analysis of the previous section helps us to draw two conclusions- first, Europe is eager to collaborate with China under the scheme of digital silk road, especially in the fintech sector, and second, it is also cautious of the security implications of such collaboration. The increasing investment of China in the European digital market is an indication of the earlier conclusion and the ban imposed on Huawei, and ZTE, in certain European countries, is an indication of the latter. The balance between the two can be achieved by way of a legal framework which aims to restrict the use of data by, and the transfer of data to, the Chinese companies.
In light of the above conclusion, it becomes imperative to understand the readiness of European countries to address the data protection concerns arising out of the collection, use, disclosure and transfer of “personal data” by the Chinese companies as part of the DSR initiative. Therefore, the coming chapters analyse the provisions of the General Data Protection Regulation (“GDPR”) with respect to its applicability in case of the DSR projects being carried out/proposed to be carried out in the member states of the European Union.
3. Processing of personal data under the DSR- Obligations imposed by the General Data Protection Regulation, 2016
3.1. Applicability of the General Data Protection Regulation
The General Data Protection Regulation (“GDPR”)73 [Regulation (EU) 2016/679] came into force on 25th May 2019. It repealed the Data Protection Directive 95/46/EC, and provided a comprehensive data protection regulation in the EU. The GDPR is aimed at protecting the fundamental rights of natural persons with respect to the processing of their personal data74, on one hand, and on the other hand, stipulating rules for the free movement of personal data within the EU75. Thus, the GDPR allows free flow of personal data within the EU, without compromising the rights of natural persons in the process.
Before understanding the role played by the GDPR in regulating the DSR, it is imperative to understand certain important definitions provided under the Regulation.
3.1.1. Important definitions
The scope of the GDPR is limited to the protection of ‘personal data’ of natural persons. For this purpose, it defines ‘personal data’ as- “any information relating to an identified or
73 The General Data Protection Regulation, Regulation (EU) 2016/679.
74 Art. 1(2).
75 Art. 1(3).
identifiable natural person (data subject)”.76 The identifiable natural person is called the ‘data subject’. Therefore, data relating to any artificial/juridical person, like name and contact details of any legal person, cannot be protected under the Regulation.77 It also provides a non-exhaustive list of information which can be termed as ‘personal data’ for the purpose of the GDPR. It includes name, identification number, location data, health and physiological information etc.78
The term ‘processing’ has been defined as- “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”79. It, therefore, inter alia includes collection, storage, alteration, retrieval, use, disclosure, dissemination, erasure, destruction etc. within its ambit. It is pertinent to note that the definition of ‘processing’ has been deliberately made very broad so as to include any activity carried out using personal data, whether in paper format (manual processing) or in electronic format (automated processing).80
With respect to the protection of personal data, the GDPR puts obligations on two types of entities- data controllers and data processors. ‘Data controllers’ have been defined as- “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data”.81 This implies that if an entity enjoys an overall control over the purpose and means of processing, such entity is a data controller for the purpose of the GDPR. The data controller sometimes processes the data using its own processes. However, in certain situations, it employs a third party and specifically delegates the work of processing of data to such third party. This third party is called ‘data processor’ which only acts in accordance with the instructions of the data controller. The GDPR defines data processor as- “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.82 An example of a data processor would be a company providing IT services like cloud-based servers to other organizations. The company providing the IT services becomes ‘data processor’ and the organization to whom such services are being provided becomes ‘data controller’. Although both data controllers and data processors have to comply with the
76 Art. 4(1).
77 Recital 14.
78 Id.
79 Art. 4(2).
80 Recital 15.
81 Art. 4(7).
82 Art. 4(8).
provisions of the GDPR, data processors do not have the same level of GDPR compliance requirements as the data controllers. The difference in responsibilities will be discussed in detail in the next section.
Lastly, ‘personal data breach’ has been defined as- “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.83
3.1.2. Scope- Material and Territorial
The GDPR is applicable to the processing of personal data by data controllers or data processors, whether done manually or automatically. However, there are certain situations where the GDPR does not apply. These include the processing of personal data84-
i. In the course of an activity outside the scope of the EU;
ii. By the member states of the EU under Chapter 2 of Title V of TEU;
iii. By a natural person in the course of purely personal or household activity;
iv. By competent authorities for prevention, investigation, detection or prosecution of offences or execution of criminal penalties.
Taking into account the nature of trade and commerce activities which are being carried out in the present day, post-globalization and digitalization, the GDPR has extra-territorial application. This was necessary to ensure that the rights of data subjects situated in the EU are protected irrespective of the location of the data controller or processor. Therefore, the GDPR is applicable to-
i. The controller and processor of personal data established in the EU, without regard to the processing of data being carried out outside the EU.85
83 Art. 4(12).
84 Art. 2(2).
85 Art. 3(1).