Press Briefing: Previewing the NATO Summit
June 20, 2025 • 10:00 – 11:00 am EDT
Who Benefits from China’s Cybersecurity Laws?
Photo: Tr3/Adobe Stock
By Lauren Maranto –
China’s ambition to be a global leader in technology development, combined with an increasing digital reliance in day-to-day life, means that a heightened focus on data security is crucial for protecting citizens’ information. Yet the country’s regulations on data collection often fail to safeguard citizens’ privacy, instead giving the government wide leeway to interpret laws. From the deliberate ambiguity of new cybersecurity and data protection laws, public reports of data leakages, and the government’s monitoring of Chinese citizens, it’s clear that China puts a greater emphasis on government access to data than it does on protecting individual and company privacy. Because of this, Beijing will gain further control over Chinese society, while leaving the privacy and security of its citizens and foreign investors vulnerable to exploitation.
Policymakers in China are placing insufficient emphasis on adopting clearly defined policies to keep pace with China’s push for technological innovation. When compared to the EU’s General Data Protection Regulation (GDPR), for instance, China’s data security regulations are more vague, outlining the acceptable usage and exploitation of data in a way that does not clearly specify how companies can rightfully use consumer data. These unclear guidelines leave companies guessing where the line is drawn between appropriate and legal usage of consumer data and the unlawful exploitation of this information. This creates greater risk that companies will be penalized for the unintentional violation of consumer rights, while others may exploit loopholes to use citizens’ data for personal gain. For consumers, the lack of clear data security guidelines increases the risks of their personal information is leaked, exploited, or used in an unauthorized manner. The ambiguous language used in China’s cybersecurity laws leave companies and individuals ill-equipped to protect their information, while also creating space for government subjectivity in interpreting these laws.
In June 2017, the China implemented a new cybersecurity law which now acts as the baseline for China’s present day guidelines. Initially passed in 2016, the law was created to provide guidelines for maintaining network security, protecting the rights and interests of individuals and organizations, and promoting the secure development of technology. The law requires that data is stored within China and that organizations and network operators submit to government-conducted security checks. Critics of the law argue that requiring companies to submit information for spot-checks further increases the risk of a security breach or loss of information. The ambiguous nature of the law allows the government more space to request and control information, while also leading to misunderstandings within businesses as to what constitutes acceptable use of data.
Although China made additions to its cybersecurity and data protection laws, each new step continues to lend more power to the government and the Communist Party of China (CCP). An extension of the 2016 cybersecurity law, the Personal Information Security Specification was adopted in May 2018 to provide guidance on how personal data should be stored and used. An article published in The Diplomat last year referred to the specification as a “compliance nightmare” due to the ambiguity between what is simply a suggested protocol for storing user data and what is the law. To address the exportation of personal information, the Cyberspace Administration of China, China’s main internet regulator, published draft regulations for limiting the transport of collected data within the borders of the PRC for public comments. These draft measures detail the methods in which the transfer of data will be regulated, including the reporting and pre-approval of external data transfers and thorough investigation measures on the types of information being handled. The updated regulations are a more extensive and invasive version of the 2016 cybersecurity law, expanding the government’s reach to investigate any organization, rather than those that potentially pose an immediate risk to national security. By demanding access to any data collected and stored in China, the updated regulations force foreign companies based in China to comply with its investigative measures, leaving intellectual property and private information vulnerable to government abuse.
Beijing’s insistence on complete access to citizens’ data leads to social unease when combined with the questionable collection and usage of personal information. In 2018, the advisory firm Deloitte surveyed China’s mobile consumers, asking how users feel about unauthorized usage of their data. According to the survey results, Chinese mobile users are more concerned than global users about their data being used and stored by companies and third parties. It also indicated that the online shopping and health data of users in China are “leaked more seriously than the global average.” Consumers in China are increasingly aware that their data is being collected by businesses and the government for economic gain and political control. Companies struggle to adequately protect the data they collect, allowing personal data to be stolen by “the internet gray and dark data industry for fraud, theft and sold to third parties.” Without clear regulations that protect citizens’ data from companies, third parties, and the government, individuals have little control over their own information.
These fears continue to be reinforced as numerous media outlets have reported widespread data leakage. Earlier this year, state media reported that 468 million pieces of personal data had been sold to small financial lenders, heightening tensions among Chinese consumers. The inadequacy of consumer protections and weak cybersecurity capabilities leaves companies more susceptible to leakages and privacy breaches, which likely breeds distrust among consumers and foreign investors. This distrust is further fueled by the increasing presence of surveillance technology across China.
China’s recent push for the utilization of biometric data has incited widespread social discomfort, most worryingly through Beijing’s planned installation of 626 million surveillance cameras equipped with facial recognition by 2020. While proponents of the cameras argue that they provide security benefits and cut crime, critics point out they have also been used to monitor and control the Uighur minority in Xinjiang. According to Zak Doffman, the founder and CEO of Digital Barriers, the surveillance technology acts as a “virtual cage” for Uighurs, creating a “segregated surveillance” system that collects their personal information at checkpoints around the city. In this capacity, the government uses the information it collects to profile an ethnic minority, identify those who it views as potentially extremist or separatist, and reinforce the ideals and traditions of the Communist Party of China. While it has continued to increase its surveillance capabilities, China currently has no laws to regulate the use of this technology, allowing authorities to place surveillance devices without notifying residents.
Thus far, China has passed unclear cybersecurity and data protection laws that risk compromising data security for the sake of increasing government accessibility to private information. The laws may protect consumer data from foreign entities, but their lack of clear guidelines gives leeway for companies to exploit citizens’ information for financial gain. These leaks violate citizens’ right to data privacy and breeds distrust between consumers and companies. The additional data security laws implemented in 2018 heightened tensions for foreign investors by demanding the centralization of data within China and requiring access to user data as the government sees fit. The CCP’s use of surveillance and personal data to discriminate against ethnic minorities demonstrates the extent to which the government will exploit privacy in favor of control over its citizens. China’s approach to cybersecurity demonstrates a higher emphasis on control and centralization as opposed to genuine concern for individual security, leaving citizens, companies, and foreign investors to wonder how the state may use their data.
Lauren Maranto is program coordinator for Freeman Chair in China Studies at CSIS.
China’s ambition to be a global leader in technology development, combined with an increasing digital reliance in day-to-day life, means that a heightened focus on data security is crucial for protecting citizens’ information. Yet the country’s regulations on data collection often fail to safeguard citizens’ privacy, instead giving the government wide leeway to interpret laws. From the deliberate ambiguity of new cybersecurity and data protection laws, public reports of data leakages, and the government’s monitoring of Chinese citizens, it’s clear that China puts a greater emphasis on government access to data than it does on protecting individual and company privacy. Because of this, Beijing will gain further control over Chinese society, while leaving the privacy and security of its citizens and foreign investors vulnerable to exploitation.
Policymakers in China are placing insufficient emphasis on adopting clearly defined policies to keep pace with China’s push for technological innovation. When compared to the EU’s General Data Protection Regulation (GDPR), for instance, China’s data security regulations are more vague, outlining the acceptable usage and exploitation of data in a way that does not clearly specify how companies can rightfully use consumer data. These unclear guidelines leave companies guessing where the line is drawn between appropriate and legal usage of consumer data and the unlawful exploitation of this information. This creates greater risk that companies will be penalized for the unintentional violation of consumer rights, while others may exploit loopholes to use citizens’ data for personal gain. For consumers, the lack of clear data security guidelines increases the risks of their personal information is leaked, exploited, or used in an unauthorized manner. The ambiguous language used in China’s cybersecurity laws leave companies and individuals ill-equipped to protect their information, while also creating space for government subjectivity in interpreting these laws.
In June 2017, the China implemented a new cybersecurity law which now acts as the baseline for China’s present day guidelines. Initially passed in 2016, the law was created to provide guidelines for maintaining network security, protecting the rights and interests of individuals and organizations, and promoting the secure development of technology. The law requires that data is stored within China and that organizations and network operators submit to government-conducted security checks. Critics of the law argue that requiring companies to submit information for spot-checks further increases the risk of a security breach or loss of information. The ambiguous nature of the law allows the government more space to request and control information, while also leading to misunderstandings within businesses as to what constitutes acceptable use of data.
Although China made additions to its cybersecurity and data protection laws, each new step continues to lend more power to the government and the Communist Party of China (CCP). An extension of the 2016 cybersecurity law, the Personal Information Security Specification was adopted in May 2018 to provide guidance on how personal data should be stored and used. An article published in The Diplomat last year referred to the specification as a “compliance nightmare” due to the ambiguity between what is simply a suggested protocol for storing user data and what is the law. To address the exportation of personal information, the Cyberspace Administration of China, China’s main internet regulator, published draft regulations for limiting the transport of collected data within the borders of the PRC for public comments. These draft measures detail the methods in which the transfer of data will be regulated, including the reporting and pre-approval of external data transfers and thorough investigation measures on the types of information being handled. The updated regulations are a more extensive and invasive version of the 2016 cybersecurity law, expanding the government’s reach to investigate any organization, rather than those that potentially pose an immediate risk to national security. By demanding access to any data collected and stored in China, the updated regulations force foreign companies based in China to comply with its investigative measures, leaving intellectual property and private information vulnerable to government abuse.
Beijing’s insistence on complete access to citizens’ data leads to social unease when combined with the questionable collection and usage of personal information. In 2018, the advisory firm Deloitte surveyed China’s mobile consumers, asking how users feel about unauthorized usage of their data. According to the survey results, Chinese mobile users are more concerned than global users about their data being used and stored by companies and third parties. It also indicated that the online shopping and health data of users in China are “leaked more seriously than the global average.” Consumers in China are increasingly aware that their data is being collected by businesses and the government for economic gain and political control. Companies struggle to adequately protect the data they collect, allowing personal data to be stolen by “the internet gray and dark data industry for fraud, theft and sold to third parties.” Without clear regulations that protect citizens’ data from companies, third parties, and the government, individuals have little control over their own information.
These fears continue to be reinforced as numerous media outlets have reported widespread data leakage. Earlier this year, state media reported that 468 million pieces of personal data had been sold to small financial lenders, heightening tensions among Chinese consumers. The inadequacy of consumer protections and weak cybersecurity capabilities leaves companies more susceptible to leakages and privacy breaches, which likely breeds distrust among consumers and foreign investors. This distrust is further fueled by the increasing presence of surveillance technology across China.
China’s recent push for the utilization of biometric data has incited widespread social discomfort, most worryingly through Beijing’s planned installation of 626 million surveillance cameras equipped with facial recognition by 2020. While proponents of the cameras argue that they provide security benefits and cut crime, critics point out they have also been used to monitor and control the Uighur minority in Xinjiang. According to Zak Doffman, the founder and CEO of Digital Barriers, the surveillance technology acts as a “virtual cage” for Uighurs, creating a “segregated surveillance” system that collects their personal information at checkpoints around the city. In this capacity, the government uses the information it collects to profile an ethnic minority, identify those who it views as potentially extremist or separatist, and reinforce the ideals and traditions of the Communist Party of China. While it has continued to increase its surveillance capabilities, China currently has no laws to regulate the use of this technology, allowing authorities to place surveillance devices without notifying residents.
Thus far, China has passed unclear cybersecurity and data protection laws that risk compromising data security for the sake of increasing government accessibility to private information. The laws may protect consumer data from foreign entities, but their lack of clear guidelines gives leeway for companies to exploit citizens’ information for financial gain. These leaks violate citizens’ right to data privacy and breeds distrust between consumers and companies. The additional data security laws implemented in 2018 heightened tensions for foreign investors by demanding the centralization of data within China and requiring access to user data as the government sees fit. The CCP’s use of surveillance and personal data to discriminate against ethnic minorities demonstrates the extent to which the government will exploit privacy in favor of control over its citizens. China’s approach to cybersecurity demonstrates a higher emphasis on control and centralization as opposed to genuine concern for individual security, leaving citizens, companies, and foreign investors to wonder how the state may use their data.
Lauren Maranto is program coordinator for Freeman Chair in China Studies at CSIS.
Image
Lauren Maranto
Former Program Manager, Freeman Chair in China Studies