Tiananmen Square in China showing Chinese data laws

Chinese Data Laws and Ambitions Pose Strategic Risks

On June 10, China’s highest legislature adopted the Data Security Law of the People’s Republic of China. Set to take effect on September 1, the law outlines a system of government data oversight led by the central national security leadership agency, supervised by China’s public and national security organs, and in which all regional and departmental governments claim authority for the data collected and generated within their boundaries.

This formalizes a legal architecture for Chinese government control over domestic data; a basis for the Chinese Communist Party (CCP) to claim – and claim oversight over – information, including that of private companies. The legislation’s scope appears to cover industry, telecommunications, transportation, finance, natural resources, health and education, and science and technology.

The Data Security Law orients primarily around controlling data processing and collection within China’s borders. However, it also propels global ambitions. The law declares that: “anyone who conducts data processing activities outside of the PRC that harms the national security, public interests, or the legitimate rights and interests of citizens or organizations of the PRC shall be investigated for legal responsibility…” Article 26 notes that should any country or region respond to China’s data control with restrictions on trade or investment, Beijing may retaliate.

Nothing about the Data Security Law should be a surprise. It is a long time coming. The National People’s Congress issued a first draft in September 2018, another in June 2020. The law builds on more than two-decades of Chinese policy that has gradually established a modern data control regime. That includes the high-profile 2017 Cybersecurity Law that outlined comprehensive restrictions on data export, as well as more sector-specific data localization regulations dating back as early as 2001 that restrict export of everything from mapping to ride-share to financial information. Just a month ago, China’s Cyberspace Administration issued draft rules further to regulate overseas transfer of auto data.

In other words, the Data Security Law is part of a larger, strategic Chinese effort to shape the architecture of the emerging industrial revolution and to control its most valuable resource: Information. A Xinhua News commentary issued on Friday, in parallel with the new law, explained that “data is a basic strategic resource of a nation.”

Data as a production factor: Competing for the new industrial revolution

The world has recognized that a new industrial revolution is under way. Beijing has recognized what this means: Industrial revolutions are defined by the emergence of new production factors. Once there was land and labor, after that capital. Today, we have data. The CCP is working to control it, globally.

“Production factors are an ever-evolving historical category. Land and labor were important production factors in the era of agricultural economy,” explains a Guangming Daily article also run in Qiushi, the CCP’s journal, in May 2020. Then, “after the industrial revolution, capital became an important factor of production in the era of industrial economy.” Now, “with the advent of the digital economy, data elements have become the new engine for economic development. Data is a new production factor, a basic resource, and a strategic resource.” In 2019, the Fourth Plenary Session of the 19th Central Committee of the CCP proposed for the first time that data be considered a production factor. In April 2020, Beijing formally classified data as such alongside land, labor, capital, and technology.

With the emergence of a new production factor comes the opportunity to reshape the international hierarchy: The incumbent leader derives his power from control over last generation’s production factors. The development of new ones means his entrenched leadership can be challenged. “Every industrial revolution has reshaped the world pattern. The world structure will be reshuffled,” reads a 2020 article in China Finance. “The countries that are the first to seize the opportunity rise quickly and occupy a dominant position in the new world order.”

A two power rivalry with the United States

That article explains that today, only two players have the digital scale to seize the data opportunity: “China and the US are the only two countries capable of leading the fourth industrial revolution.” Beijing therefore finds itself in a “two-power rivalry with the United States.” The Chinese Communist Party is competing to win this “two-power rivalry.”

Beijing is doing so in a particular way, tailored to the nature of data as a production factor. As the Qiushi article points out, “data elements are characterized by sharing, duplication, and unlimited supply.” More like capital than like land or energy inputs, these production factors cannot be stockpiled. They are both cause and function of an exchange-driven world. Their value derives from that exchange. Today’s contest therefore becomes one not to capture data itself, but rather to govern, and to shape, the architectures of its exchange – building in asymmetric access from the point of design.

The CCP is developing such influence – with the Data Security Law and data localization measures, but also with a “new infrastructure” program that supports large-scale construction of 5G base stations, data centers, and the other physical structures of the digital era; with incubation of, as well as control over, platform internet companies; and with a national strategy to set emerging international standards. If Beijing succeeds, it will govern this industrial revolution’s most determinative input. It will leap to the top of the global hierarchy. And its power will be unlike any that leaders of past industrial revolutions have claimed: In an information-defined era, Beijing will be able not only to surveille, but also to shape how, where, and what things move.

Crafting a multilateral response

The US, its allies, and its partners ought to recognize as much. They ought to respond, strategically and systemically, to the Chinese Communist Party’s efforts to build the foundation of tomorrow’s global system. Such a response should not be limited to whack-a-mole lists of bad actors or influxes of money into basic research and development. Rather, the US, its allies, and its partners ought to advance a positive alternative to China’s data architecture.

This risks sounding like an impossible challenge. The US hardly excels at the public-private partnerships or effective multilateralism necessary for the task at hand. However, a ready template already exists: The European Union – America’s necessary, critical global partner – has already undertaken an experiment in cross-border data architecture. The EU has formulated a set of rules that for three years have united a diverse set of countries under a coherent, norms-based data regime. The General Data Protection Regulation (GDPR) is by no means perfect. However, it is certainly a start. It proves that liberal states are capable of cooperating to develop modern regulatory systems – and suggests that data architectures might offer the US a strategic domain in which simultaneously to advance its commitments to multilateralism and systemic competition.

Last month, the Group of Seven (G7) united over narrative, condemning China on abuses ranging from forced labor to occupation of Hong Kong to aggression in the South China Sea. On June 14, NATO leaders described Beijing as posing a “systemic challenge to the international community.” While these points are accurate, rhetoric is insufficient. The world order is changing. Washington must prove that, with its allies and partners, it is capable of continuing to lead. Only when that happens will America be back.