China’s Emerging Data Governance Regime: A Bid for New Norms
On September 1st, a sweeping new data security law will take effect in China, imposing new restrictions on cross-border data flows and requiring private firms to place more onerous security measures around their proprietary data. This legislation caps nearly a full year of efforts to remake China’s data governance regime. In addition to the new data security law, Beijing also recently passed the Personal Information Protection Law dictating the collection and use of citizens’ information as well as starting up the Global Initiative on Data Security, a multilateral dialogue on data protection.
Taken together, these rapid legislative and diplomatic advances suggest an effort to shape data governance standards that are favorable to China’s unique political and economic circumstances. Furthermore, China is repudiating the idea that a single set of norms can govern technological development worldwide.
China’s data governance laws are not totally anathema to those championed by Europe or the U.S. In fact, the Personal Information Protection Law explicitly drew on the EU’s General Data Protection Regulation’s (GDPR) notion of informed consent, requiring citizens to opt-in to their data being used or shared. The major area of departure from other data governance systems are caveats allowing the Chinese government to unilaterally gain access to data “for reasons of public security.”
Beijing is certainly not the only state who has carved out loopholes for infringing on citizen privacy for reasons of national security. A major concern surrounding Beijing’s new legislation, however, is that the close-knit nature of the Chinese Communist Party (CCP) could create a conflict of interest. The CCP has made a conscious effort to place Party members into high-level corporate positions, solidifying its influence over China’s commercial sector. This close relationship between Chinese tech firms and Beijing’s national security bureaucracy raises fears that firms will hand over private data to the government with little oversight.
Compounding the issue is President Xi Jinping’s expanded definition of what constitutes a national security threat. Xi’s view, institutionalized in the 2013-2014 Overall National Security Outlook factors internal dissent into vital security considerations to the point that “almost anything can be considered a security threat.” If the CCP can seize data with virtually no justification, the idea of keeping data private from state authorities may be little more than an illusion.
China’s efforts to frame itself as a first mover in citizen privacy are especially difficult to square against an established history of state surveillance. In light of efforts like China’s social credit system – which measures citizens’ trustworthiness based on jaywalking, consumption of CCP materials, time playing video games, and other social behaviors – or Project Sharp Eyes – a forthcoming surveillance program equipped with facial recognition to monitor public spaces – Beijing’s proclamations that it opposes “mass surveillance against other States and unauthorized collection of personal information of other States” seem almost laughable.
China’s new data governance regime was developed to contextualize internet security within the state’s cultural and political environment. Far from invalidating the CCP’s stance on citizen privacy, mass surveillance programs demonstrate that China’s social concerns are different from those of Western nations: While Americans and Europeans demand protection from government overreach, state surveillance is a foregone conclusion in China’s centralized authoritarianism. The CCP’s advocacy for responsible data governance is instead focused on corporate practices, seeking to prevent inadvertent leaks from lax security measures in the private sector.
The crux of China’s new system is the idea the there is no one-size-fits-all model of data governance. Their Global Initiative asks foreign firms and governments to “respect the laws of host countries” and “respect the sovereignty, jurisdiction and governance of data of other States.” At the same time, this initiative is a global one, seeking buy-in from other states outside the North Atlantic sphere of influence. And while international support for these new systems have not yet been forthcoming, the view is rosy. Globally, support for the kinds of data localization efforts China is instituting is on the rise.
China is not proposing a set of rules to replace those championed by the U.S. and EU. In fact, antagonizing these Western powers means that China risks foreign firms pulling out of Beijing if differing privacy standards are completely in conflict – a scenario that would seriously hurt China’s tech sector. Rather, China is seeking acknowledgement that as a rising power and regional hegemon it has the freedom to craft its own set of rules.