Controlling cross-border data flows is part of China’s decoupling. Beijing wants to avoid losing control over data in the digital world and thus forfeiting digital sovereignty, i.e. strategic autonomy and room to maneuver. Innovative Western companies are also hesitant when it comes to cross-border digital networking with Chinese companies – for example, in the internationalization of Industry 4.0.
However, digital sovereignty cannot be regionalized in international business. When we work with global value chains, data flows cannot stop at national borders. Autonomy does not necessarily mean exclusion or isolation; data sovereignty does not necessarily mean data residency. Digital sovereignty is not created by regional compartmentalization, but via encryption and external key management. When data is transferred across borders, encryption is done in such a way that keys are held outside a platform. This means that key holders have full control over the data and can safely benefit from scalability. Thus, the geographic location of data is not the only way to establish digital sovereignty; the location of keys can also be the answer to the digital sovereignty question. Technical limitations can make geographic boundaries obsolete.
Beijing has significantly liberalized the use of commercial cryptography. Restrictions on foreign companies have largely been lifted, and regulations on commercial encryption have been relaxed. The PRC’s new Encryption Law encourages the use of encryption; encryption is explicitly permitted in China. The Encryption Law does not contain an explicit provision requiring companies to deposit keys with government agencies. However, they must comply with government requests for access to data, for example in the context of counterterrorism.