Much tension has arisen between the U.S. and China due to the issue of data privacy. The Trump administration attempted to ban Chinese social media company TikTok in the U.S., as well as to restrict operations of WeChat and Alipay. Although the move to ban TikTok was blocked last December, the moves by the Trump administration highlight U.S. fears of Chinese data access.
Calls for limiting Chinese firms’ access to the data of U.S. citizens have been used as a substitute for proper assessment of risks and rewards as well as for improved U.S. regulation of data flows. According to Samm Sacks, a Senior Fellow at Yale Law School’s Paul Tsai China Center, the issue of data privacy between the U.S. and China is complex. Sacks recommends that the U.S. implement data rules for all firms, both domestic and foreign, without blocking data flows to the U.S. Such rules should take into account national security and privacy concerns, considering the extent to which data collected is sensitive or risky and how the data is used.
In addition, while U.S. pundits have decried China’s government for being able to commandeer data from firms at will, Chinese firms have resisted government requests for data. Compliance is more of a negotiation between companies and officials than an inviolable instruction. This means that data housed in China is not simply universally vulnerable to government whims.
China’s own regulations on data privacy have grown. China’s data regime is protected by the Cybersecurity Law, which came into effect in June 2017, and will soon be governed by the Personal Information Protection Law (PIPL), which specifically addresses China’s personal data protection. The Cybersecurity Law aims to protect citizens and organizations in the cybersecurity realm, as well as promote the development of an information society. The draft PIPL requires firms to obtain consent for sharing individual data with third parties. The law also creates stringent requirements for transferring the data of Chinese citizens outside of the country, permitting this action if companies have a specific contractual arrangement or certification to do so.
Mingli Shi, a Fellow at New America, has said of the PIPL that “…the language tends to be broad and vague, leaving plenty of wiggle room for interpretation and enforcement, along with the flexibility for further refinement through implementing rules and standards when the government deems the timing right.”
The U.S. does not have an all-encompassing data protection law, and relies upon a combination of federal and state laws to protect privacy. The Federal Trade Commission Act allows the U.S. Federal Trade Commission to bring actions against firms that engage in unfair or deceptive data privacy activities or that fail to provide sufficient security of personal information. Federal sector-specific laws also strive to protect personal data privacy. State laws may restrict use of personal data as well.
A federal data privacy law would address these issues as well as cross-border data flows, and collection and storage of personal information by foreign firms. This would reduce the focus on China as a strategic competitor and create a more systematic and rational means of treating data usage. While President Biden is planning to sign an executive order strengthening cybersecurity among federal agencies, the order only protects data privacy to some extent - against software vendors and contractors - and does not directly deal with the issue of data sharing.
Data privacy is closely related to the topic of data security. China implemented the Cybersecurity Law in 2017, in order to create guidelines for ensuring network security and improving the secure development of technology. Data stored in China are subject to government security checks.
In addition, the draft Data Security Law was introduced in China in July 2020. The draft law attempts to introduce a grading system for different types of data, depending on how much harm can come from abuse of that data. Regional government and sectoral regulators are tasked with determining which data repositories under their purview are considered “important data.” Furthermore, the law permits entities to pursue legal reparations for participating in data activities that harm public interests.
In the U.S., as with data privacy laws, data security laws are fragmented between federal and state regulations. Cybersecurity laws cover the financial and telecommunications sectors, but, in general, specific cybersecurity regulations depend on firms’ functional regulators and vary. Public companies are required to report cybersecurity risks and incidents to their shareholders.
Again, as in the area of data privacy regulation, China has shaped a cybersecurity law fit for rapidly rising new technologies, while the U.S. lags behind in producing an overall cybersecurity framework. A streamlined regulation is necessary in the U.S. at a federal level in order to govern data security and reduce citizens’ fears that China will violate existing technologies. Both an overarching data privacy law and an overarching data security law will help to reduce tension between the U.S. and China, paving the way for greater cooperation.