Skip to main content
  • Sections
  • Search

Center for Strategic & International Studies

User menu

  • Subscribe
  • Sign In

Topics

  • Climate Change
  • Cybersecurity and Technology
    • Cybersecurity
    • Data Governance
    • Intellectual Property
    • Intelligence, Surveillance, and Privacy
    • Military Technology
    • Space
    • Technology and Innovation
  • Defense and Security
    • Counterterrorism and Homeland Security
    • Defense Budget
    • Defense Industry, Acquisition, and Innovation
    • Defense Strategy and Capabilities
    • Geopolitics and International Security
    • Long-Term Futures
    • Missile Defense
    • Space
    • Weapons of Mass Destruction Proliferation
  • Economics
    • Asian Economics
    • Global Economic Governance
    • Trade and International Business
  • Energy and Sustainability
    • Energy, Climate Change, and Environmental Impacts
    • Energy and Geopolitics
    • Energy Innovation
    • Energy Markets, Trends, and Outlooks
  • Global Health
    • Family Planning, Maternal and Child Health, and Immunizations
    • Multilateral Institutions
    • Health and Security
    • Infectious Disease
  • Human Rights
    • Building Sustainable and Inclusive Democracy
    • Business and Human Rights
    • Responding to Egregious Human Rights Abuses
    • Civil Society
    • Transitional Justice
    • Human Security
  • International Development
    • Food and Agriculture
    • Governance and Rule of Law
    • Humanitarian Assistance
    • Human Mobility
    • Private Sector Development
    • U.S. Development Policy

Regions

  • Africa
    • North Africa
    • Sub-Saharan Africa
  • Americas
    • Caribbean
    • North America
    • South America
  • Arctic
  • Asia
    • Afghanistan
    • Australia, New Zealand & Pacific
    • China
    • India
    • Japan
    • Korea
    • Pakistan
    • Southeast Asia
  • Europe
    • European Union
    • NATO
    • Post-Soviet Europe
    • Turkey
  • Middle East
    • The Gulf
    • Egypt and the Levant
    • North Africa
  • Russia and Eurasia
    • The South Caucasus
    • Central Asia
    • Post-Soviet Europe
    • Russia

Sections menu

  • Programs
  • Experts
  • Events
  • Analysis
    • Blogs
    • Books
    • Commentary
    • Congressional Testimony
    • Critical Questions
    • Interactive Reports
    • Journals
    • Newsletter
    • Reports
    • Transcript
  • Podcasts
  • iDeas Lab
  • Transcripts
  • Web Projects

Main menu

  • About Us
  • Support CSIS
    • Securing Our Future
Photo: Tr3/Adobe Stock
Blog Post - New Perspectives on Asia
Share
  • LinkedIn
  • Facebook
  • Twitter
  • Email
  • Printfriendly.com

Who Benefits from China’s Cybersecurity Laws?

June 25, 2020

By Lauren Maranto –
 
China’s ambition to be a global leader in technology development, combined with an increasing digital reliance in day-to-day life, means that a heightened focus on data security is crucial for protecting citizens’ information. Yet the country’s regulations on data collection often fail to safeguard citizens’ privacy, instead giving the government wide leeway to interpret laws. From the deliberate ambiguity of new cybersecurity and data protection laws, public reports of data leakages, and the government’s monitoring of Chinese citizens, it’s clear that China puts a greater emphasis on government access to data than it does on protecting individual and company privacy. Because of this, Beijing will gain further control over Chinese society, while leaving the privacy and security of its citizens and foreign investors vulnerable to exploitation.
 
Policymakers in China are placing insufficient emphasis on adopting clearly defined policies to keep pace with China’s push for technological innovation. When compared to the EU’s General Data Protection Regulation (GDPR), for instance, China’s data security regulations are more vague, outlining the acceptable usage and exploitation of data in a way that does not clearly specify how companies can rightfully use consumer data. These unclear guidelines leave companies guessing where the line is drawn between appropriate and legal usage of consumer data and the unlawful exploitation of this information. This creates greater risk that companies will be penalized for the unintentional violation of consumer rights, while others may exploit loopholes to use citizens’ data for personal gain. For consumers, the lack of clear data security guidelines increases the risks of their personal information is leaked, exploited, or used in an unauthorized manner. The ambiguous language used in China’s cybersecurity laws leave companies and individuals ill-equipped to protect their information, while also creating space for government subjectivity in interpreting these laws.
 
In June 2017, the China implemented a new cybersecurity law which now acts as the baseline for China’s present day guidelines. Initially passed in 2016, the law was created to provide guidelines for maintaining network security, protecting the rights and interests of individuals and organizations, and promoting the secure development of technology. The law requires that data is stored within China and that organizations and network operators submit to government-conducted security checks. Critics of the law argue that requiring companies to submit information for spot-checks further increases the risk of a security breach or loss of information. The ambiguous nature of the law allows the government more space to request and control information, while also leading to misunderstandings within businesses as to what constitutes acceptable use of data.
 
Although China made additions to its cybersecurity and data protection laws, each new step continues to lend more power to the government and the Communist Party of China (CCP).  An extension of the 2016 cybersecurity law, the Personal Information Security Specification was adopted in May 2018 to provide guidance on how personal data should be stored and used. An article published in The Diplomat last year referred to the specification as a “compliance nightmare” due to the ambiguity between what is simply a suggested protocol for storing user data and what is the law. To address the exportation of personal information, the Cyberspace Administration of China, China’s main internet regulator, published draft regulations for limiting the transport of collected data within the borders of the PRC for public comments. These draft measures detail the methods in which the transfer of data will be regulated, including the reporting and pre-approval of external data transfers and thorough investigation measures on the types of information being handled. The updated regulations are a more extensive and invasive version of the 2016 cybersecurity law, expanding the government’s reach to investigate any organization, rather than those that potentially pose an immediate risk to national security. By demanding access to any data collected and stored in China, the updated regulations force foreign companies based in China to comply with its investigative measures, leaving intellectual property and private information vulnerable to government abuse.
 
Beijing’s insistence on complete access to citizens’ data leads to social unease when combined with the questionable collection and usage of personal information. In 2018, the advisory firm Deloitte surveyed China’s mobile consumers, asking how users feel about unauthorized usage of their data. According to the survey results, Chinese mobile users are more concerned than global users about their data being used and stored by companies and third parties. It also indicated that the online shopping and health data of users in China are “leaked more seriously than the global average.” Consumers in China are increasingly aware that their data is being collected by businesses and the government for economic gain and political control. Companies struggle to adequately protect the data they collect, allowing personal data to be stolen by “the internet gray and dark data industry for fraud, theft and sold to third parties.” Without clear regulations that protect citizens’ data from companies, third parties, and the government, individuals have little control over their own information.
 
These fears continue to be reinforced as numerous media outlets have reported widespread data leakage. Earlier this year, state media reported that 468 million pieces of personal data had been sold to small financial lenders, heightening tensions among Chinese consumers. The inadequacy of consumer protections and weak cybersecurity capabilities leaves companies more susceptible to leakages and privacy breaches, which likely breeds distrust among consumers and foreign investors. This distrust is further fueled by the increasing presence of surveillance technology across China.
 
China’s recent push for the utilization of biometric data has incited widespread social discomfort, most worryingly through Beijing’s planned installation of 626 million surveillance cameras equipped with facial recognition by 2020. While proponents of the cameras argue that they provide security benefits and cut crime, critics point out they have also been used to monitor and control the Uighur minority in Xinjiang. According to Zak Doffman, the founder and CEO of Digital Barriers, the surveillance technology acts as a “virtual cage” for Uighurs, creating a “segregated surveillance” system that collects their personal information at checkpoints around the city. In this capacity, the government uses the information it collects to profile an ethnic minority, identify those who it views as potentially extremist or separatist, and reinforce the ideals and traditions of the Communist Party of China. While it has continued to increase its surveillance capabilities, China currently has no laws to regulate the use of this technology, allowing authorities to place surveillance devices without notifying residents.
 
Thus far, China has passed unclear cybersecurity and data protection laws that risk compromising data security for the sake of increasing government accessibility to private information. The laws may protect consumer data from foreign entities, but their lack of clear guidelines gives leeway for companies to exploit citizens’ information for financial gain. These leaks violate citizens’ right to data privacy and breeds distrust between consumers and companies. The additional data security laws implemented in 2018 heightened tensions for foreign investors by demanding the centralization of data within China and requiring access to user data as the government sees fit. The CCP’s use of surveillance and personal data to discriminate against ethnic minorities demonstrates the extent to which the government will exploit privacy in favor of control over its citizens. China’s approach to cybersecurity demonstrates a higher emphasis on control and centralization as opposed to genuine concern for individual security, leaving citizens, companies, and foreign investors to wonder how the state may use their data.
 
Lauren Maranto is program coordinator for Freeman Chair in China Studies at CSIS.
 

Written By
Lauren Maranto
Program Manager, Freeman Chair in China Studies
Media Queries
Contact H. Andrew Schwartz
Chief Communications Officer
Tel: 202.775.3242

Contact Paige Montfort
Media Relations Coordinator, External Relations
Tel: 202.775.3173
Related
Asia, Asia Program

More from this blog

Blog Post
China’s Hukou Reform in 2022: Do They Mean it this Time?
In New Perspectives on Asia
April 20, 2022
Blog Post
China's Progress Towards a Central Bank Digital Currency
In New Perspectives on Asia
April 19, 2022
Blog Post
Squeezed From Two Sides: Myanmar Garment Workers Caught Between Covid and the Coup
In New Perspectives on Asia
March 31, 2022
Blog Post
Burmese Financial Holdings and U.S.-Singapore Contention
In New Perspectives on Asia
March 29, 2022
Blog Post
How are Washington and Beijing Utilizing Industrial Policy to Bolster Domestic Semiconductor Manufacturing?
In New Perspectives on Asia
March 29, 2022
Blog Post
North Korea’s Provocative and Secret Interventions in South Korean Elections
In New Perspectives on Asia
March 7, 2022
Blog Post
Strengthening Ayushman Bharat through AI adoption
In New Perspectives on Asia
February 25, 2022
Blog Post
Avoiding the Red Card: The Challenge of Separating Sports and Politics in China
By Hannah Price
In New Perspectives on Asia
February 3, 2022

Related Content

Critical Questions
Transatlantic Data Flows: Permanently Broken or Temporarily Fractured?
By William Alan Reinsch
August 31, 2020
Blog Post
How the Data Security Law Sets the Stage for the Tech Industry in China and Beyond
In Strategic Technologies Blog
August 30, 2021
Report
The Real National Security Concerns over Data Localization
By Erol Yayboke, Carolina G. Ramos
July 23, 2021
Commentary
Data: Governance and Geopolitics
January 11, 2021
Commentary
Ban TikTok (Again)
By James Andrew Lewis
February 9, 2021
Report
Digital Governance: It Is Time for the United States to Lead Again
By Daniel F. Runde, Sundar R. Ramanujam
August 2, 2021
Report
Data Protection or Data Utility?
By Alexander Kersten
February 18, 2022
Commentary
Securing the Information and Communications Technology and Services Supply Chain
By James Andrew Lewis
April 2, 2021
Footer menu
  • Topics
  • Regions
  • Programs
  • Experts
  • Events
  • Analysis
  • Web Projects
  • Podcasts
  • iDeas Lab
  • Transcripts
  • About Us
  • Support Us
Contact CSIS
Email CSIS
Tel: 202.887.0200
Fax: 202.775.3199
Visit CSIS Headquarters
1616 Rhode Island Avenue, NW
Washington, DC 20036
Media Queries
Contact H. Andrew Schwartz
Chief Communications Officer
Tel: 202.775.3242

Contact Paige Montfort
Media Relations Coordinator, External Relations
Tel: 202.775.3173

Daily Updates

Sign up to receive The Evening, a daily brief on the news, events, and people shaping the world of international affairs.

Subscribe to CSIS Newsletters

Follow CSIS
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram

All content © 2022. All rights reserved.

Legal menu
  • Credits
  • Privacy Policy
  • Reprint Permissions