Executive Summary: China Finance 40 Forum (CF40), together with member institutions of the Organizing Committee of the Bund Summit, jointly held the 2nd Bund Summit, which witnessed heated discussions around the topic of the digital economy and data governance. Liu Xiaochun, Vice President of Shanghai Finance Institute, said that while we earnestly explore the huge possibilities created by the development of a digital society, it is also necessary to fully understand and evaluate the risks and problems brought by data interconnection. First, the balance between eliminating isolated islands of information and protecting digital security could be broken; second, algorithm models risk driving herd behaviors; third, there is the risk that enterprises and institutions of all sorts could collect information in a disorderly manner; fourth, the winner-takes-all market for large technological platforms could pose monopoly risk.
To improve the public governance of data in a digital society, intensified efforts are necessary in the following aspects: first, provide legislative support for the classified management of data, clarify data ownership and using rights, and stipulate legal responsibilities in the use and transaction of data, or even establish a special supervisory department or mechanism; second, step up regulation on various artificial intelligence (AI) applications. A set of regulatory mechanisms is needed to manage public-oriented AI applications; third, improve management of data collection and storage, and formulate concrete regulations on the collection and use of core personal information and data by various departments and agencies based on applicable laws; fourth, develop an objective understanding of the monopoly issue of super digital platforms and establish a sound supervision and management system for such platforms.
With the accelerated construction of new infrastructures and the application of 5G and the Internet of Things (IoT), the use of digital technologies will expand from the economic sphere to the entire society, fundamentally changing people’s lifestyle and the way the society operates. While we earnestly explore the huge possibilities created by the development of a digital society, it is also necessary to fully understand and evaluate the risks posed by data interconnection and attach great importance to the public governance of data in a digital society. Digital technologies are special in nature, and the risks they bring could spread extensively with strong penetration. Given this, data-related risks can not only pose personal privacy challenges, but also cause wide-reaching damages. That requires us to plan ahead and develop prevention and coping strategies.
I. Problems and Risks Brought by Data Interconnection
(i) The balance between eliminating isolated islands of information and protecting digital security could be broken.
In an era of interconnection and digitalized social governance, the development of everything, be it supply chains, new business models or urban governance, requires the elimination of isolated islands of information. On the one hand, it is necessary to clarify who is taking the lead in data interconnection. Is it the government, tech companies or other institutions? For example, the smart city plan requires various kinds of data from different industries and departments, but who should be responsible for collecting such data? This has to be clarified. On the other hand, how to classify and manage data is also a new challenge. In the process of digitalized urban governance, all kinds of new data are being generated at all times. The building of smart cities, the industrial Internet or a digital China would all be impossible without the interconnection of data from various government departments and agencies. However, with all data going online, careless management may threaten the data security of public security and military departments, or even impact social and national stability. Both the government and various industrial Internet systems such as the Internet of Things system need to take public data management into consideration.
(ii) Algorithm models risk driving herd behaviors
AI technology is very important for the building of a digital society. Though the highly promising AI technology houses immense possibilities, the algorithm models on which it is built are nevertheless designed by people based on their understanding of the underlying logics. Such models incorporate only a limited number of elements, and the arithmetic logic is singular and coherent. Failure to adjust the logic or the strategies and actions flexibly in the face of unexpected situations could end up pushing the development of things to extremes.
In the financial sector, robo-advisors, quantitative investments, high-frequency trading, among others, have repeatedly torn the market from economic fundamentals; as a result, the influence of a certain piece of information could be unlimitedly amplified, driving the market to move into one single direction and ultimately leading to collapses and chaos.
In the commercial field, targeted advertising and media content deliveries are among the extreme applications of similar logic. The extensive spread of some videos, news and commodities is all forced communication based on algorithms, which is a far cry from traditional means of communication. Traditional communication is usually based on the conscious behavior and operation of a disseminator, while under the algorithm model, communication is done automatically and the entire process is completely divorced from the disseminator. The scope and speed of algorithm-based communication far exceed those of traditional communication, and the results are usually beyond control. Under the traditional model, we can trace the source of rumors, where they stem from, and address ensuing risks. But under the algorithm model, what information is communicated, how it is communicated and to whom it is communicated are all based on algorithms and completely unconscious. The algorithms could end up amplifying the influence of the information they are designed to disseminate and creating the herd effect, leading to massive communication that may not otherwise have been possible. The emergence of Internet celebrities is a typical example. In the dissemination of news events, a piece of news that in itself is nothing worth mentioning at all, or even a word of it, may cause unlimited impacts if it triggers an element in the algorithm. In the communication process, the word may evolve into a discourse or public opinion and result in social incidents with huge impacts, which, as it turns out in the end, happen for no meaningful cause and for which none should be held accountable.
(iii) Disorderly collection of information by enterprises and institutions is risky
Since the Internet economy began to emerge, enterprises and institutions of all sorts have been collecting information across an increasingly wide range. However, there is no restraint or regulation on the right to do so in China. In particular, since the outbreak of the COVID-19 epidemic, personal information has been collected more frequently, without individuals knowing which agency or person is collecting it. Even tourists’ ID numbers, telephone numbers and facial recognition information are collected in the ticket offices of tourist sites. The use of digital technology was originally intended to boost efficiency and improve travel experience, but information collection of this type has the opposite effect by imposing extra burden on tourists, resulting in reduced efficiency and worse travel experience. In the past, losses caused by personal information leakages were usually borne by the victim. Nowadays, personal information could leak out on so many occasions and there is no way for individuals to know which departments or agencies are keeping their information, let alone whether these departments or agencies have the statutory responsibility to hold and protect such information, still less the ability to prove whether these departments or agencies have fulfilled such responsibilities.
(iv) The winner-takes-all market for large technological platforms poses monopoly risk
Though digital platforms of all types are advocating “decentralization”, they actually seek to become monopoly platforms, develop new centers, and in the end, become winners that take it all. However, “winner-takes-all” in this context is different from traditional monopolies, which typically target a product, a certain category of products, or an industry at most. Right now, platforms are trying to monopolize all possible scopes of business that they support. More worryingly, such platforms possess massive amounts of social data, including personal, corporate, and government information in the name of innovation and connecting the isolated islands of information. In the meantime, these platforms are in themselves largely public-oriented. Even if we do not take into account the crowding-out effects of such commercial monopolies on other market participants and the distortion of the market, the operational, technological and moral risks brought by such platforms could have disastrous and systematic impacts on society, even more so than those too-big-to-fail institutions in the traditional sense. With the development of 5G and the Internet of Things, platforms of this kind are bound to increase in various fields.
II. Policy Suggestions
The risks related to the development of the digital society and data are not pure industrial risks, or corporate and business risks. They are systematic. Therefore, efforts to address such risks need to be organized at the national level based on an overall perspective.
(i) Step up legislative efforts underpinning improvements in the classified management of data
Concerned about the data privacy issue, all related parties have come up with legislative suggestions, which is necessary. Legislation is also indispensable for the sound management of the data of the entire digital society.
To begin with, it is necessary to classify data according to the nature, security level and social hierarchy of different sorts of data in the current digital economy and digital society. In the management of data classification, it is of particular importance to set out how military data, public security data, financial data and other data related to national and people’s security should be protected, interconnected and used at the state and government levels.
Second, it is necessary to clarify the ownership and using rights of data as well as the management responsibilities of data owners and users.
Third, there is the need to identify the legal obligations of related parties in the process of data use and transaction.
Fourth, social data management, a new field that emerged not so long ago, is important for national security, social stability and orderly economic growth, so a special regulatory department or mechanism should be set up.
(ii) Enhance regulation of various AI applications
A set of regulatory mechanisms is needed to manage the public-oriented AI applications. AI applications adopted by enterprises and institutions in their production, management and operation mainly serve to improve the efficiency, quality and coordination of these processes; the same is true for AI applications in most products, such as unmanned vehicles. The public-oriented AI applications, however, are often more market-oriented with a stronger tendency to proliferate and amplify, and are therefore more likely to cause negative impacts on the market and social order. For example, robo-advisors, quantitative investment and high-frequency trading in the financial sector, and algorithm-based, targeted advertising and media content deliveries in the commercial field are of this nature.
In the financial sector, robo-advisors, quantitative investment, high-frequency trading, and other business models are usually designed by qualified business professionals. In view of the features of these AI applications, “personified” supervision should be implemented on top of general technological security supervision measures. That is to say, each algorithm model needs to be certified by regulatory authorities before going online, just like dealers who have to pass qualification tests to obtain a certificate before taking on relevant jobs. Of course, these precautionary measures cannot fully guard against related risks, and that’s why ongoing supervision remains necessary to ensure smooth business operations, and qualifications will be cancelled once problems are uncovered. Similarly, continuous supervision of AI algorithm models is necessary. Any irregularity that crosses the regulatory red line shall be dealt with offline, with due penalties implemented on both the institution and the business model designers. Financial institutions also need to enhance internal management of their algorithm models and relevant professionals.
Commercial institutions need to fully understand applicable regulatory measures to enhance the management of their public-oriented AI algorithm models, and formulate internal administrative rules in this regard.
(iii) Management of data collection and storage
As the digital society continues to develop and flourish, many institutions and agencies will no longer need to engage in the collection of key personal data. It is therefore suggested, based on the first suggestion to step up legislative efforts, to formulate regulations on such collection activities as well as the use of the collected information and data by different kinds of institutions. Unnecessary collection of core personal information and data should be explicitly prohibited. If, due to business needs, certain departments and agencies have to collect core personal information and data, they should report to relevant departments the reasons, contents, and methods for such collection, the scope of use and storage of collected information as well as relevant internal systems. Reporting itself can be regarded as a legal commitment to information security protection.
A comprehensive clean-up of core personal information and data held by various agencies should be carried out after a system as described above has been put in place.
(iv) Establish a supervision and management system for super digital platforms
On the one hand, we need to have an objective understanding of the monopoly of super digital platforms. Different from traditional commercial and industrial monopolies, these platforms in themselves are public oriented. The concentration of platforms is not only a result of their commercial competition, but also an inevitable outcome as the platforms become increasingly capable of improving the operational efficiency of the entire society. Take third-party payment as an example. In order to ensure smooth payment, all market participants will end up gathering on the same payment platform. Similar to telecom platforms, if one telecom company cannot accommodate calls from another, only one telecom platform will survive in the end. That may also explain why only a few third-party payment platforms turn out to be successful though the regulatory authorities actually issued licenses to many more of them. In spite of a mutual blockade between different third-party payment platforms, several of them have survived in coexistence to this day. There are two reasons behind this: first, there is a unified bank payment system behind these platforms; second, the aggregate services provided by some aggregate payment companies offered a solution to the mutual blockade issue. With further development of the Internet of Things and the digital society, we are bound to see more platforms of this kind emerging in various fields. We cannot simply split these platforms just because of the existence of monopolies. It should be noted that the concentration of platforms is a prerequisite for digital transformation.
On the other hand, it’s important to understand that super digital platforms are different from traditional service-oriented monopoly platforms in that not only do they provide services for registered institutions and individuals, collect and possess the massive data generated thereby, but also compete with these institutions and individuals taking advantage of such data and resources. The telecom platforms provide telecom services and collect information in the service process, but they do not engage in other types of businesses; in the meantime, as different telecom companies also compete on a larger telecom spectrum platform, they tend to be restrained in squeezing their clients. Take SWIFT as another example. The platform provides information transmission service for banks and as a result holds a large amount of banking information, but it does not handle banking transactions, nor does it run other businesses taking advantage of such information. However, some of the super digital platforms nowadays are completely different. They compete, in a monopolistic way, with their clients, thus leading to the so-called winner-takes-all phenomenon, which is harmful for the development of the digital society, especially the orderly development of the economy and market in our increasingly digital society. To a certain extent, it could cause tremendous economic turbulences.
Then, how should these super digital platforms get along with the market, other institutions and the entire society? Surely, the problem cannot be solved by simply asking the platforms to be self-disciplined. We need to set up effective regulatory agencies and supervisory systems. It is recommended to draw from the concepts and methodologies of separate supervision for financial holding groups and the financial industry, and isolate the risks and interests of different business segments within the platform groups.
In a mature financial system, there are not only separate supervision regimes and tailored supervision mechanisms for financial holding groups, but also regulations regarding the isolation of risks and interests for some special businesses within the same institution. For example, in some developed markets, banks are required to implement physical and information isolation measures when it comes to their financial market transaction segment, otherwise they may violate laws and regulations against insider trading. Take the bond business as an example: the corporate client department of a bank is allowed to invest in a client’s bonds, and the fund trading department can deal in the same bonds, but these two departments shall not share information on these bonds. The fund trading department, upon receiving negative information about the bond issuer from the market, could decide for itself whether to sell the bonds or not, but it is not allowed to share this information with the corporate client department.
Besides, various types of data collected and possessed by the platforms are largely public oriented, and therefore should not be deemed as corporate assets. Meanwhile, the way in which these platforms operate makes it difficult to sign confidentiality agreements with all individuals whose information has been collected. So, it is also necessary to include the collection, use, storage and destruction of data in the scope of supervision so as to clarify legal responsibilities. The platform companies, on the other hand, need to formulate management methods and operational processes with the approval of regulatory authorities.