Why China Could Lead on Global Data Privacy Norms
When Facebook CEO Mark Zuckerberg testified before Congress in 2018, he inferred that regulation of personal data could be to the detriment of U.S. companies in the global competition for AI supremacy. “We still need to make it so that American companies can innovate in those areas, or else we’re going to fall behind Chinese competitors and others around the world who have different regimes for — for different new features like that,” he said.
The “awakening” of Chinese consumers on data privacy has changed that calculus since. A series of high-profile privacy breaches has precipitated public anger on the collection and misuse of personal data by commercial entities in China. The payments arm of Chinese tech giant Alibaba was reprimanded by the government for automatically enrolling users into its credit-scoring scheme without their knowledge, while the search engine Baidu was sued by a consumer group for collecting data without users’ awareness. In fact, a 2018 survey by the China Consumers Association found that 85% of consumers have experienced some kind of personal data leak. The intensity of the public backlash has challenged the assumption held by Chinese tech giants that Chinese consumers are different from their Western counterparts in being ready and willing to trade privacy for convenience.
The Chinese government has heeded public calls to better protect consumers. The current legislature is developing a personal data protection law, which together with existing provisions, such as those included in the 2017 Cybersecurity Law and 2018 E-Commerce Law, will make for comprehensive protections for individual data rights. Supplementary measures such as the 2018 Personal Information Security Specification and 2019 draft Data Security Management Measures mean that, next to the European Union’s 2018 General Data Protection Regulation (GDPR), Chinese provisions are among the most comprehensive in the world against intrusive data collection today.
There is no shortage of discussion about digital privacy in the United States, with candidates for the 2020 Democratic presidential primaries pointing to the nefarious collection and misuse of consumer data as rationale for breaking up big tech. In response to public concerns, the California Consumer Privacy Act went into force in early 2020, and while there are sector-specific provisions, there has been limited progress on an overarching federal bill to protect individual data privacy in the United States.
As countries race to roll out 5G networks, this would mean the emergence of national privacy frameworks where consumers are protected from commercial exploitation of their data online.
The absence of a national mandate from the U.S. means that there are two distinct models for consumer data protection that will influence the development of global norms. There is the EU’s catch-all model as manifested in the GDPR, focused on the collection and processing of personal data in a way that balances the need for individual protection with commercial and public interests. In contrast, there is the emerging Chinese model, which seeks to build consumer trust in the digital economy, but without impinging on the government’s capacity to surveil and control. To bridge these two imperatives, data protection in China is intimately linked to national security and stability.
As countries debate and legislate on digital data privacy, they will draw inspiration from these two approaches to forge their own path forward. India, for example, is adopting a blend of the EU and Chinese models, basing its legislation on the GDPR but leaving room for government discretion on matters of national interest. The influence of the Chinese model and its provisions for national security will likely be felt globally as countries adopt legislation of their own.
As countries race to roll out 5G networks and reap the benefits of faster connectivity, this would mean the emergence of national privacy frameworks where consumers are protected from commercial exploitation of their data online, but with leeway for governments to oversee the behavior of their citizens. Domestic and multinational businesses will need to navigate the requirements and risks associated with data protection regimes that impose stringent privacy obligations on the private sector while enshrining provisions for the government to gain access to consumer data.
As in China, consumer concerns around data privacy are coming to a head in the U.S. A 2019 survey by the Pew Research Center found that 81% of the American public believe they have very little or no control over the data companies collect about them. Mr. Zuckerberg has changed tune since his 2018 testimony before Congress. “Effective privacy and data protection needs a globally harmonized framework,” he wrote in a 2019 Washington Post op-ed. “People around the world have called for comprehensive privacy regulation in line with the European Union’s General Data Protection Regulation, and I agree.” Yet, despite proposed legislation and broad agreement around the need for a federal privacy law, a U.S. counterpoint to the Chinese model is nowhere in sight.