Why the U.S. should pay attention to China’s draft Data Security Law


Earlier this year, China proposed a new data security law that, if passed, could position it as a global leader in data regulation.

Illustration by Alex Santafé

Over the past decade, China has been developing data legislation that attempts to juggle questions of individual privacy, security, company responsibility, and commercialization of data. The country may be getting close to a finished product. Earlier this year, China proposed a new data security law that, if passed, could position it as a global leader in data regulation. Although no date has been publicly proposed to vote on the law, it is expected to be considered early next year.

Before the draft Data Security Law (DSL), China’s premier piece of legislation related to issues of data, cybersecurity, and network management was the 2017 Cybersecurity Law. The differences between that law and the proposed Data Security Law show an evolving approach to managing the interests of private citizens, companies, and the government. But as always, national security is at the center.

“[China’s] essentially proposing a new model to the world of how countries can have strong consumer protections without limiting state surveillance,” writes MIT Technology Review senior reporter Karen Hao. “And I think that’s going to be a very persuasive and appealing proposition to a lot of countries around the world.”

Other global privacy standards, such as the European Union’s General Data Protection Regulation (GDPR), attempt to balance the commercial interests of businesses alongside the need for privacy and protection of consumer data. But the world has yet to see a law that attempts to center these traditional concerns around the concern of national security.

In particular, the U.S. currently has no comparable piece of comprehensive legislation regarding what companies can do with commercial data and cyber data. The U.S. system relies on a patchwork of statutes pieced together under many different laws and industry standards.

If the U.S. remains reactive and China continues to develop its national security-based policy toward commercial data usage, American companies may find themselves playing by China’s rules. The concern, then, is that those rules could be politically motivated.

Why is the law relevant for the U.S.?

What makes data and cyber laws so difficult to implement is that they often have extraterritorial applications. Digitization and big data changed international law by introducing a new challenge: regulation of a borderless entity. When the GDPR was instituted, many businesses in the U.S. decried the extraterritorial reach of the legislation. The law impacted any entity that uses the personal data of EU citizens, which includes many U.S. companies active in the EU.

However, China’s DSL does more than just emphasize the protection of data subjects and their privacy. In fact, the Cybersecurity Law of 2017 and the subsequent Personal Information De-identification Guidelines focused much more on privacy and anonymity than the proposed DSL. The draft Data Security Law focuses more on protecting China from individuals or governments wishing to do it harm. For example, Articles 2 and 24 of the draft DSL codify means for retaliation against any foreign government that seeks to adopt discriminatory measures against China or Chinese businesses. They read (in full):

Article 2: This Law is applicable to the conduct of data activities within the mainland territory of the People’s Republic of China.

Where organizations or individuals outside of the mainland territory of the People’s Republic of China engage in data activities that harm the national security, the public interest, or the lawful interests of citizens or organizations of the People’s Republic of China, legal liability will be investigated according to the law.

Article 24: For any country or region that adopts discriminatory prohibitions, limitations or other such measures toward the People’s Republic of China with respect to investment or trade related to data, data development and use, or technology, the People’s Republic of China may, according to the actual circumstances, adopt corresponding measures toward that country or region.

Furthermore, the proposed law offers quite an expansionary and political interpretation of “data,” rather than spelling out what compliance would look like. Without clearly defining the roles, responsibilities, and chain of command, the DSL does not manage to fill the gaps left by the Cybersecurity Law and subsequent legislation, and instead introduces new questions for companies looking to operate in the world’s second-largest national economy.

The draft Data Security Law heads into uncharted waters as the central government attempts to see if three core interests (commercializing data, ensuring consumer privacy standards are high, and maintaining the national security interests of China) can in fact exist harmoniously within the cybersphere. If the experiment is successful, a new model in the regulation of data and cybersecurity might have ripple effects beyond China’s borders.

How should the U.S. respond?

The U.S. must articulate a clear and comprehensive data strategy of its own. In debates surrounding TikTok and WeChat’s presence in the U.S., lawmakers are missing a key component: a comprehensive data regulation framework to judge TikTok and WeChat’s practices against. Even before attacking Chinese tech giants, Congress lacked a framework through which to view the monetization schemes of domestic internet companies like Facebook and Google. Instead of relying on morality and ethics, it is time to codify the responsibilities of all parties involved in the collection, storage, and sale of data in the U.S.

If, like China, the U.S. started an internal conversation, attempted to define the limits of the commercialization of data and the rights of data subjects, and proposed clear restrictions and guidelines around cross-border data transfers, it could have a system that provides a clearer path forward, possibly even as a way to oppose China’s heavy-handed governmental approach. Under China’s proposed Data Security Law, the government’s right to access ByteDance and Tencent’s private data is quite apparent, in line with its stated national security interests.

If the U.S. can propose an alternative model, it could become a leader in promoting responsible regulation of data markets alongside the EU. If the country misses the opportunity to clearly define its own stance, the court battles and public debates over the ethics of restricting foreign tech companies will only intensify.