Challenging the Party's Lead: Reframing Chinese Law & its Influence Upon American Data Privacy

Abstract

Over the last decade, the People’s Republic of China (PRC) and its data privacy regime have drawn national security concern. Adding onto the critique of Chinese authoritarianism, policy analysts fear that Chinese data privacy regulation reflects an effort to warp the developing framework of global data privacy – as opposed to an effort to promote the domestic rights of Chinese citizens. This thesis, then, aims to understand the reach of Chinese data privacy regulation. Exploring Chinese data privacy law, this thesis asks two main questions: (1) What are the implications of the PRC’s data privacy regulations? And (2) How can the United States Government build out data privacy infrastructure for American companies looking to operate within China?

To answer both of these questions, I conducted 17 expert interviews across a range of expertise in Chinese law, US-China foreign policy, and cyber and data security, speaking with law professors, lawyers, and foreign policy experts. In addition to my interviews, I based my analysis upon existing research, as well as my own translation and analysis of the PRC’s data privacy laws and official government statements. My analysis produced the following findings:

1. In line with the Chinese legal order, Chinese data privacy law (1) legislates pre-existing legal authority, and (2) serves as a signpost for future legal creation and enforcement. 2. As a result of the ambiguity intrinsic to Chinese law and regulation, American firms operating within the People’s Republic of China have encountered an emerging Chinese data privacy regulatory framework that is both vague and threatening. 3. In spite of the uncertainty of operating within the People’s Republic of China, no centralized, federal policy governs the measures that American companies must implement in order to safeguard domestic consumer data. 4. Without central regulatory guidance, American firms operating within the People’s Republic of China have taken on a fragmented, piecemeal approach to data protection. 5. The United States Government must develop federal data privacy infrastructure that alleviates the regulatory burden placed upon private American corporations and reduces the risks associated with operating within the People’s Republic of China.

These findings reveal that although operating in China presents its own hazards, Chinese data privacy regulation – as far as the law is concerned – is by no means novel. Fitting into the broader Chinese legal order, Chinese data privacy law reflects an extension of existing legal norms into the domain of data privacy. Nevertheless, as data privacy law does not encompass the PRC’s data privacy regime, the future of data enforcement remains unclear. Without the formation of an American data privacy architecture, US companies based in China are left in the dark. This thesis offers policy recommendations intended to strengthen domestic data privacy protections, and thus better situate American companies abroad.

Ultimately, this thesis argues that fears over Chinese data privacy law are misplaced. Rather than hyperfocus on the PRC’s opaque data privacy regime, the US must assess and reinforce its own data privacy infrastructure. Inspired by literature on Sino-American relations, this thesis poses a framework for pragmatic cross-border data management: acknowledging the threats presented by the PRC, the United States must safeguard both domestic and multilateral interests of maintaining cross-border data flows and corresponding economic engagement.