(Yicai) April 14 -- Cross-border data flow has become the fundamental vehicle for globalization of the digital economy and a core area of institutional competition and regulatory game among countries. The understanding of cross-border data governance has long been fixed on traditional issues such as whether data is transferred across borders, is stored locally, and has undergone a security assessment, forming a governance paradigm centered on physical flow and territorial jurisdiction.

Under this framework, China has established a governance system centered on data outbound transfer, with complete institutional tools and clear regulatory paths, providing stable expectations for the safe and orderly flow of data.

But a major transformation is underway: The core bottleneck faced by companies in global operations has shifted from "whether data can be legally exported" to "whether overseas data, systems, services, and computing power can be continuously accessed, stably called on, and used over a long period". Remote access, cloud operation management, application programming interface calls, system control, and other operations are becoming new regulatory focuses and restricted objects.

Global cross-border data governance is shifting from regional transmission control to permission-based access regulation. This transformation is not merely a technical adjustment but a comprehensive reconfiguration of the rules, jurisdictional logic, and risk assessment, profoundly changing the fundamental conditions for market access, supply chain security, overseas operations, and global cooperation.

In the process of international rule restructuring, China not only needs to grasp the global pattern at the macro level, clarify core contradictions and respond to forefront shifts, but also needs to come up with practical solutions that are feasible, verifiable, and promotable at the meso and micro levels.

Through the systematic exploration of data cross-border service centers and international data economic industrial parks, the Lingang Special Area, a key testing ground for economic and trade policies within the Shanghai Free Trade Zone, has opened up an innovative path that connects the national legal system, aligns with global high-standard rules, and serves companies' real needs. It has provided China with first-hand institutional samples and practical answers to seize the initiative and leadership in the global cross-border data governance transformation.

Global Data Governance Transformation

Global cross-border data governance has fully entered an era of strong regulation based on security, with sovereignty as the boundary, access as the tool, and data access as the lever. Data has been elevated to a core strategic asset by various countries, including critical infrastructure data, bioinformatics, precise location, financial health, and government-related data, with all having been incorporated into the national and supply chain security review systems.

The highly fragmented international governance landscape and the "coterie rules" shaped by regional trade agreements have led to significant differences in data localization, cross-border licensing, government access, algorithm regulation, and remote operation and maintenance among nations. Multinationals are facing pressure from multiple jurisdictions, multiple standard conflicts, and high compliance costs.

This has led to regulatory focus shifting from whether data crosses country borders to who can access it, with what permission, and who controls it. Access authority, control chains, and supply chains have become new regulatory hubs, with remote operations, cloud consoles, key management, system updates, and other aspects included in the regulatory scope. Geopolitical factors have become heavily embedded in technical compliance judgments.

Faced with this global trend, the United States, Europe, and China have presented distinct institutional logics. The US, based on Executive Order 14117 and the Department of Justice's Preventing Access to US Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, has built a national security model centered on access capabilities and control chain penetration. It achieves full coverage of overseas affiliated parties through "covered persons" and implements targeted restrictions under the guise of national security, with prominent politicization.

The European Union uses the General Data Protection Regulation as the global benchmark for data protection, combining it with the Data Governance Act, the Data Act, and the Cybersecurity Act 2.0 to form the most rigorous and globally influential rule system. Through the high-risk supplier mechanism, it achieves market access regulation and focuses on preventing non-technical risks, such as "the influence of a third country," while continuously exporting regulatory standards to the rest of the world.

Based on the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, China has established a security order system centered on data outbound transfer. It incorporates the access to domestic data from overseas into unified supervision, emphasizes territorial boundaries, and pre-regulation with clear and steadily implemented rules. Institutional response to issues such as restrictions and service disconnections targeting Chinese entities from overseas still needs to be strengthened.

The rapid restructuring of global cross-border data governance has exposed multiple incompatible structural contradictions. The increasingly strengthened data sovereignty claims of countries fundamentally conflict with the inherent demand of the digital economy for cross-border free flow; the high-standard privacy protection rules led by the US and Europe are significantly out of balance with the actual demands of developing countries for seeking digital development rights; compliance requirements based on technological neutrality are constantly being eroded by politicization exclusion based on nationality and identity; traditional governance rules centered on transmission have generated normative misalignment with the emerging access boundary regulations; and the arbitrary use of unilateralism and long-arm jurisdiction has formed a sharp contradiction with the fair ideals of multilateral governance. 

These contradictions overlap and reinforce each other, jointly promoting a profound paradigm shift in global cross-border data governance.

The transformation presents four key changes: the focus of cross-border data governance is shifting from the transfer boundary to the access boundary, where regulation no longer merely considers whether data is flowing, but rather examines access capabilities, control authorities, and system impacts.

The jurisdictional basis has shifted from territorial to control chain penetration jurisdiction. The connection point has shifted from the storage location and the place of behavior to the ownership structure, where the organizational control chain and chain of command achieve actual global coverage. The regulated objects have shifted from data itself to system assets and control rights, from personal information and important data to cloud platforms, operation channels, keys, updates, API services, and computing power capabilities. Governance tools have shifted from post-regulation to entrance-based, admission-based, and continuous control, while authentication, procurement, licensing, and investment review become the pre-entrance gates, and compliance capability directly determines whether a firm can participate in the global market.

Practice Sample for China

China should neither close itself nor passively follow suit with changes in the global landscape, rules, and competition. It should instead adhere to open governance, with the basic policy of "internal compliance and external routinization," firmly resist politicization and discriminatory exclusion while acknowledging reasonable security concerns, improve the legal framework at the macro level, promote institutional innovation at the meso level, implement practical exploration at the micro level, and actively strive for the initiative in rules and governance leadership.

In this process, the pioneering and pilot work of the Lingang Special Area has provided a practice sample that can be implemented, verified, and promoted nationwide.

The Lingang Special Area, as the forefront of the country's institutionalized opening up, has launched the Data Cross-Border Service Center since 2024, the first service hall in the nation specifically providing data cross-border services for companies. It integrates policy consultation, business guidance, material submission, and ecosystem connection, covering the entire service ecosystem of security compliance, data technology, infrastructure, industry application, and foreign-related compliance.

The Lingang Special Area has formed benchmark cases in multiple scenarios, including green trade carbon data cross-border, global supply chain logistics visualization, international shipping vessel inspection, intelligent connected vehicle global after-sales, cross-border asset management internal control collaboration, and biopharmaceutical drug surveillance, solving practical pain points for companies going global.

The practical experience of the Lingang Special Area has shown that safety and openness are not mutually exclusive, and regulation and convenience can collaborate with each other, as well as that China can adhere to the bottom line of safety while integrating at a high level with new trends in global governance.

Looking ahead, China can accelerate the improvement of cross-border access governance rules based on the Lingang experience to promote the transition from single data outbound transfer governance to an "outbound transfer + access" dual-drive complete system, speed up the construction of national digital compliance infrastructure to provide firms with unified standards, attestation/assurance, evidence preservation, and other public products to reduce global compliance costs, use the legal framework to address the pressure of control chain penetration, support companies' stable global operation, actively participate in the construction of multilateral and regional rules, and propose Chinese solutions on global platforms, improve the procedural countermeasures and legal remedies mechanisms, and bring politicization exclusion back to the legal track of procedural justice and principle of proportionality.

With the continuous deepening of the pioneering and pilot work in the Lingang Special Area, more institutional innovation achievements will move from the "experimental field" to the "productive field," from the "Lingang model" to a national plan, providing solid support for China to win the initiative, discourse, and leadership power in global cross-border data governance, promoting the building of a new order for cross-border data governance that is safe and controllable, open and inclusive, fair and efficient, and beneficial to all parties, so that data elements can better serve global digital economic development and the common well-being of humanity under the premise of safety and order.

The author of this article is Fang Shishi, director of the Institute of Journalism's Internet Governance Research Center under the Shanghai Academy of Social Sciences.

Editor: Martin Kadiev