In the first of a four-part series, Connor Haaland, an incoming Harvard Law School student and a 2020 JURIST Digital Scholar focused on comparative data governance regimes, uses the TikTok controversy as a jumping off point to explore China's data governance policies...
To Americans, TikTok means many things. For some, it is only an onomatopoeia. To others, it is the defining social media app of their generation. For Republicans and Democrats, it may be the one foe that can actually unite the two parties. But the policy world should let it act as a catalyst for a dive into the Chinese laws regulating the company and its data in China and abroad.
One of the few Chinese laws concerning data is the Cybersecurity Law, which became effective in June of 2017. It asserts the need to protect data and personal information and calls for data localization. Data localization means that if a Chinese citizen uses Google in China, that data should be stored in China, not on an extraterritorial mainframe, even though Google is not a Chinese company. Article 37 of the Cybersecurity Law requires that “personal information and important data” gathered or produced in China by “critical information infrastructure [CII] operators” be localized. This repatriation has the effect of subjecting the acquired data to Chinese laws, which means that the central government has nearly unrestricted access to data stored within its borders and excludes foreign competitors. Indeed, the lack of a data localization law in the United States is the reason that Tiktok’s legal team can, properly, assert that it can still send data to China without violating any laws if it is purchased by an American company.
Safeguarding data in this way, though, could lead to perverse outcomes. Data that falls under the purview of the Chinese Cybersecurity Law could potentially be fed into private enterprises, creating a globally unique fusion between the state and the private sectors. Indeed, that is probably the case already, as Jeffrey Ding, a notable scholar on AI in China remarked, “the sharing [of data] among [Chinese] government agencies and companies is common.” Thus, a law designed to protect Chinese data really only stands to protect it from foreign companies and does little to shield it from the Chinese government or the private sector. Dr. Shoshana Zuboff of Harvard echoes this, noting that the Chinese government could be using the data, garnered from companies like TikTok and its Chinese version, Douyin, for overtly political outcomes like fine-tuning propaganda and cracking down on dissent.
Another piece of Chinese data governance is the Personal Information Security Specification (the Specification), released in March of 2018. According to the lead drafter of the Specification, Dr. Hong Yangqing, personal data protection as understood within the Specification refers to “autonomy and control over one’s data.” However, he also notes, that one’s personal interests in data are distinct from interests at the national level, which concern “important data affecting national security, the national economy, and people’s livelihood.” Facially, this appears to mean that the Chinese government could control data under the guise of an ambiguous “national security” standard. But this type of standard has proved problematic in the past, as it can be used at the whim of those in power with little to no justification needed. For instance, this standard was perverted by President Trump when he used a “national security” standard to arbitrarily raise tariffs and block immigrants, even ones holding visas, from countries that posed a statistically insignificant threat of terrorism. China could, under a similar “national security” rationale, expedite the dispersion of data to Chinese companies to aid in AI development or conversely to funnel sensitive data from Chinese companies, like Douyin, back to the Chinese Communist Party, running contrary to the spirit of data privacy.
Most recently, in July of 2020, China released a draft of a data security law (The Data Security Draft) for public comment. This draft is divided into seven sections with 51 articles in total and explains laws ranging from data security to legal liability for data breaches. This draft, after its public comment period, will be the most robust aspect of China’s data governance policy. The draft constitutes a forward-thinking document that seeks to clearly define the Chinese data governance structure, which should prove helpful for companies trying to comply. It also shows that China understands the value of its data, for Article 5 states “… and stimulates the development of the digital economy with data as a key factor, enhancing the people’s welfare.”
And China is right – data is extremely valuable. The CEO of Alibaba (the largest e-commerce site in the world), Ma Yun (Jack Ma) has repeatedly stressed that his company is a data company, not an e-commerce company. Further, Dr. Kai-Fu Lee, former head of Google China and CEO of an AI venture capitalist fund (Sinovation Ventures), declared that “data is the new oil and China is Saudi Arabia.” Adding to the chorus is Li Guofei, a widely respected thinker in China’s investment community, who said that Tencent (one of China’s national champions) must do two things to continue to compete with its rivals: 1) upgrade its algorithms to process better data and 2) get more data. Chinese companies are uniquely positioned to accomplish the second objective thanks to a data governance structure that vacuums up data and the largest population in the world, which is relatively tech-friendly, thus creating more data.
This confluence of lax regulatory policy and massive amounts of data seems to be bearing fruit. China has produced technology superior to the United States in mobile payments (Alipay; WeChat), food delivery services (Ele.me; Meituan), and smart cities (Hangzhou’s “City Brain”; Shanghai’s Citizen Cloud). These technologies are data-hungry and thanks to a combination of state support and lax regulatory policy, China has been able to leverage its privilege as a global leader in data generation to support its development.
Although the Chinese data governance system is friendly towards companies innovating in the AI space, this governance system has shortcomings, most notable are the ethical implications of lax a regulatory policy for data. For instance, facial recognition payment services like WeChat’s “Frog Pro” and Alipay’s “Dragonfly” have become highly efficient at facial recognition thanks to access to troves of data. This technology could be sold to, or co-opted by, malfeasant governments to aid in mass surveillance efforts. Further, the “Police Cloud” is a data aggregation system run by the Chinese government that is designed to track and predict the activities of activists, dissidents, and average citizens. It’s not hard to read between the lines to see why China might want such an AI to exist, which lays bare the tension between a data governance system that allows China to leverage its place as a data generator and fundamental civil liberties.
One remedy to such a tension would be a right to erasure or deletion. China does have a provision allowing for the right of deletion/erasure. for data held by “network operators.” However, one can only request such an erasure when laws or agreements between the network operator and end-user have been violated. Ostensibly, the government is not a network operator. Consequently, if the government itself aggregates the data, or comes into possession of the data – perhaps through data sharing with private companies – then it is probably shielded from erasure provisions.
Thus, Chinese data policies teach us two important lessons. First, a lax regulatory system will allow data to be more easily acquired, aggregated, and utilized. This can help expedite the evolution of AI, as China has shown through its supremacy in various types of AI. Second, cooperation between the government and private sectors is a crucial aspect of data governance policy, but much work should be done to ensure that civil liberties are upheld. As the world leaps into the next technological revolution, data governance will become an ever more salient topic. Indeed, the onslaught of data-driven technology will change human life as we know it. If autonomous vehicles (AVs) save even a fraction of the 1.25 million people killed annually, it will be the greatest public health breakthrough of our time. Using AI to improve cancer diagnostics, will save even more lives. AI-powered smart cities will allow humans to live more efficient, peaceful, and happy lives. TikTok algorithms may become so effective that they bring the world endless joy. However, to realize these technological breakthroughs countries must create effective data governance. As countries inevitably formulate their own strategies, Chinese data governance strategies – both their shortcomings and breakthroughs – can prove informative.
This is the first article in a four-part series exploring comparative data governance regimes. Check out the second article on the drawback of Europe’s GDPR laid bare by COVID-19 here.
Connor Haaland is a 2020 JURIST Digital Scholar. He graduated from South Dakota State University in 2019, earning degrees in Spanish and Global Studies with minors in Economics and French. Most recently, Connor was a research assistant at The Mercatus Center, where his primary research focused on the intersection of law and emerging technology. He will attend Harvard Law School this fall.
Suggested citation: Connor Haaland, The TikTok Controversy Should Be a Catalyst for a Deeper Look at China’s Data Governance Policies – Student Commentary, August 12, 2020, https://www.jurist.org/commentary/2020/08/connor-haaland-china-data-governance.
This article was prepared for publication by Megan McKee, JURIST’s Executive Director. Please direct any questions or comments to her at firstname.lastname@example.org
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.