China’s privacy protection strategy and its geopolitical implications

How has China’s privacy protection strategy been developed, with its broad scope and stringent requirements for data localization and cross-border data flows? What are the broader geopolitical implications of its divergence from Western models of data privacy? This paper argues that China’s privacy protection strategy, characterized by its comprehensive regulatory framework and government access to data, is redefining the contours of global data governance and creating new geopolitical fault lines. Drawing on official documents, laws, regulations, and a case study, this paper highlights the evolution of the regulatory framework in response to emerging challenges posed by technological innovations and the wider geopolitical environment. This paper contributes to the broader discussion regarding the implications of China’s privacy protection approach, highlighting potential normative clashes with countries that favor a more open digital economy. China’s efforts in developing its own privacy protection strategy have also resulted in the formulation of global standards for data privacy.


Introduction
Data has woven itself into the very fabric of the global economy, with the digital economy further solidifying its presence in the wake of the COVID-19 pandemic.Against this backdrop, privacy protection has garnered significant attention, given its profound implications for international digital trade the geopolitical relations.How has China's privacy protection strategy been developed, with its broad scope and stringent requirements for data localization and cross-border data flows?What are the broader geopolitical implications of its divergence from Western models of data privacy?
This paper argues that China's privacy protection strategy, characterized by its comprehensive regulatory framework and government access to data, is redefining the contours of global data governance and creating new geopolitical fault lines.The landscape of global data governance is experiencing a significant shift due to the divergent privacy protection strategies adopted by China in contrast to those of the United States (US) and the European Union (EU).China's approach, characterized by a comprehensive scope, stringent data localization requirements, and a substantial allowance for government intervention, represents an alternative model to the prevailing norms of digital privacy and data management championed by the US and EU.
This paper examines the evolution of China's privacy protection strategy with a focus on the balance between individual privacy and national security.Drawing on official documents, laws, regulations, and a case study, this paper highlights the evolution of the regulatory framework in response to emerging challenges posed by technological innovations.
This paper also contributes to the broader discussion regarding the implications of China's privacy protection approach, highlighting potential normative clashes with countries that favor a more open digital economy.China's efforts in developing its own privacy protection strategy have also resulted in the formulation of global standards for data privacy.This has created a bifurcation from the norms established by the EU's General Data Protection Regulation (GDPR), leading to a fragmentation of the global data governance regime.
For China, these different normative expectations and standards may potentially deter foreign enterprises.Different privacy standards introduce complexities into international trade, posing compliance challenges for transnational corporations and influencing the dynamics of global digital trade.These complexities can, in turn, have an impact on China's economy.For the international community, the normative competition evident in China's approach reflects the broader geopolitical rivalries and may also influence developing countries as they craft their own data governance policies, looking to major rule-makers such as the EU, US, and China as models to follow.
This paper proceeds as follows.The second section will lay out a theoretical framework for discussing China's privacy protection approach, focusing on China's distinct perspective on human security and the relationship between individual privacy and national security.The third section will examine the developmental path of China's privacy regulatory framework.The fourth section focuses on the case of Didi to illustrate the changing power dynamics between regulatory authorities and digital platforms, as well as the co-evolution of technological innovation and the regulatory framework.The fifth section explores the global implications of China's approach to privacy protection.

Human security and Yinsi protection
The concept of human security is highly relevant to the discussion of privacy protection, given the perceived distinctions between "collectivist" Chinese society and "individualist" liberal democracies.This concept serves as an analytical lens for exploring the different referent objects -the state and individuals -as the subjects to whom security is being provided.
This concept also helps tease out the relationship between individual privacy and national security, offering a perspective through which the states' concern regarding data sovereignty can be further examined -a concern that different types of regimes share.Given the challenges posed by technological innovation and the increasing capabilities of using data for various governance tasks, as well as the potential security risks associated with data misuse, China is not alone in its emphasis on data sovereignty.The US's decision to invalidate the EU-US Privacy Shield and the issuance of US executive orders targeting TikTok underscore Western concerns regarding the control over data sovereignty (Hu 2021).Similarly, Canada implemented its own measures to safeguard Canadian data against the provisions of the US Patriot Act, which grant US authorities access to data stored within the US, irrespective of its source or origin (Treasury Board of Canada Government of Canada 2006).This shared concern highlights the importance of avoiding an oversimplified dichotomy between China's approach and the "Western approach" (Gao 2022a).
However, it is a challenging task to determine precisely at which point individual privacy becomes a matter of national security concern.China's regulatory framework has sought to offer clarity on this.For instance, it sets a threshold for subjecting an operator to a cybersecurity review, which is triggered by the personal information of 1 million users (Cyberspace Administration of China et al. 2022).Another example of attempting to determine the threshold for national security concerns regarding data is the categorization of data into "core data", "important data", and "other data" (Bi 2021).However, relying solely on the former quantitative approach is clearly inadequate, while the latter qualitative approach still lacks clarity in terms of its categorization criteria.
This regulatory underdevelopment in practice necessitates a more in-depth exploration of the relationship between state security and human security in the context of cyberspace governance.The debate surrounding human security reflects a shift in normative and policy focus from the state to individuals, who are now considered the primary "referent object" and "beneficiary" of security (Newman 2016).Like many other concepts, when brought into China, human security undergoes a process of Sinification, making it suitable for application in the Chinese context (Breslin 2015).Within the human security discourse as articulated in Chinese official documents, the state is portrayed as the "source of human security" (original emphasis), rather than being a potential challenge to it, thus shifting the focus from the individual as the reference point back to the role of the state (Breslin 2015, 249).Chinese scholars hold similar views.Mao and Ren argue that, from a national security perspective, the focal point of data sovereignty is the state rather than individuals.Building upon this premise, they advocate that the state should be able to control, manage, and safeguard the production, storage, flow, analysis, and utilization of data generated within the country (Mao and Ren 2023, 43).
Instead of outright rejecting the notion of human security, China has sought to engage and adapt this concept by defining "human" in a more collective sense (Jones 2022).Jones questions the interchangeable use of the terms "security" and "safety" in the translation of Chinese official documents to refer to the Chinese term "anquan" and argues that the distinction between these terms lies in the role of the state and the implications for state actions (Jones 2022).China's discourse on anquan emphasizes the role of the Chinese state as a safety provider, which helps explain the rationale behind its preference for strong government intervention.Building on Jones' argument, China's security strategy places a greater emphasis on offering "safety" as a public good, rather than solely focusing on establishing the institutional framework for security guarantees.
As such, China's approach to human security is primarily centered on the state, characterized by a fragmented and protection-oriented strategy (Zhang 2022).Through scholars' engagement with the concept of human security, China has developed sophisticated mechanisms to assimilate the idea of human security into its national security agenda (Zhang 2022).In the context of China, where the state has firmly established itself as the guarantor of individual safety and privacy, any endeavors to uphold its ongoing commitments in this regard must be undertaken in conjunction with, rather than against, the exercise of state sovereign power (Zhang 2022).
As a byproduct of the process of Sinification, the incorporation of ideas related to human security into everyday practices equips citizens with the ideational framework to understand security on both an individual and communal level.This has contributed to an increased public awareness of privacy as a contemporary concept.This development is important because the term "privacy" (yinsi) is a borrowed concept, and indigenous Chinese notions associated with it carry derogatory connotations related to unspeakable immorality, indecency or shame (Ma 2008;Zhai and Li 2008;McDougall 2004).Within the cultural context in which the borrowed concept "privacy" took root, its value is diminished and met with resistance, making it challenging to establish it as a recognized and legitimate right (Ma 2008).In this context, the act of divulging others' secrets has evolved into a widely accepted social norm, while invasions of privacy, such as searching students' dormitories and implementing surveillance cameras, have become normalized (Ma 2008).
Due to the absence of a cultural foundation in China akin to where the concept of privacy originated, primarily in the West, China's regulatory framework not only bears the burden of combating illegal privacy violations but also delineating, within the realm of morality and socially accepted norm, what should be considered acceptable and what should not.A notable example is that what is considered an expression of care for other members of the collective in the Chinese context may be perceived as intrusive in the West, such as inquiring about people's age, income, marital status and political inclination (Zhai and Li 2008).The introduction of the concept of privacy has been reshaping Chinese social norms regarding what should be regarded as yinsi.
On the other hand, McDougall (2004) rejects ahistorical conclusions, emphasizing that the absence of a directly corresponding term for "privacy" in the English language should not lead us to dismissing the existence of indigenous concepts related to privacy throughout Chinese history.While the term yinsi may have different origins, the associated notion does not emerge from nothing.
In traditional Chinese culture, yinsi possesses a collective dimension that prioritizes public and communal interests (Zhai and Li 2008).In the Chinese context, the privacy of the collective often takes precedence over that of individuals, with everything pertaining to an individual being subordinate to the collective to varying degrees (Zhai and Li 2008).The traditional idea of "yinsi protection" in China reflects a collectivist and instrumentalist mindset, the purpose of which is to maintain the harmony and stability of society as a whole, in contrast to the Western emphasis on preserving individuality and human rights (Zhai and Li 2008).
Some other studies emphasize how cultural inclinations shape individuals' attitudes toward privacy.In collectivist societies, trust tends to be higher within in-groups where significant social relationships are formed, whereas in individualist societies, social relationships are not confined to specific in-groups (Hamamura 2012).The distinctions between individualist and collectivist orientations manifest in various aspects of privacy concerns.Information privacy concerns revolve around the protection of personal data and online information, while psychological privacy pertains to feeling comfortable expressing oneself without concern about how others may judge their disclosed information (Li et al. 2022).Prior research indicates that Chinese and Koreans tend to be more concerned about psychological privacy, specifically the fear of being judged, in contrast to users in the United States, who are more inclined to express worry regarding the security of their personal information when using social media (Li et al. 2022).A 2011 study shows that Chinese users exhibited a higher level of trust in both the social network site system and its operator compared to their American counterparts (Wang, Norice, and Cranor 2011).These studies seem to suggest a distinctive cultural inclination among Chinese people in their privacy concerns.
Nevertheless, this cultural determinist approach certainly has its limitations.Some studies suggest that individuals' privacy concerns are primarily linked to the prevalence of internet usage rather than cultural distinctions such as individualism or collectivism (Engström et al. 2023).In other words, greater internet utilization is correlated with reduced levels of privacy concerns.From a Weberian perspective, the swift emergence and expansion of major technology corporations in China are bound to precipitate a heightened sense of individualism within Chinese society.
The emphasis on collectivism in Chinese culture partly explains why some citizens were willing to compromise their privacy rights during the COVID-19 pandemic.This cultural penchant is compounded by the socializing role of social media, which has cultivated more relaxed attitudes toward privacy (Tsay-Vogel et al. 2018).Despite this predisposition, the COVID-19 pandemic was a shock to Chinese society in the sense that it exacerbated the tensions between human security and state security (Zhang 2022).During the COVID-19 pandemic, China instituted a nationwide telecom data analysis platform overseen by the Ministry of Information Industry Technology (Norton Rose Fulbright 2021), which collected data even before the risks to public health and safety had been fully substantiated (Liu 2022).Nonetheless, despite individual concerns about privacy, the dissatisfaction with tracking did not result in any legal actions or lawsuits against local governments, as they retain discretionary authority to balance the interests of individuals and the collective well-being (Liu 2022).The "crisis mode" triggered by COVID-19 normalized the use of tracking technology and facial recognition.
The heightened public awareness of individual privacy prompts scholars to scrutinize the extensive use of health codes for governance, which has emboldened local governments to extend their authority into other areas, including gathering information not only on individuals' health conditions but also to monitor their behavior as responsible citizens (Zou 2023).With 900 million internet users, a thriving digital economy, and the prevalence of data theft and fraud, Chinese consumers are increasingly uneasy about unrestricted data collection by private firms (Pyo 2020).An example of this heightened awareness is the lawsuit filed by a university professor named Guo Bing, who took legal action against Hangzhou Safari Park over the use of facial recognition technology.Guo Bing accused the park of infringing upon consumer protection laws by forcibly gathering visitors' facial characteristics (BBC 2019).On 9 April 2021, this landmark case reached its long-awaited final verdict.Hangzhou Safari Park, the defendant, was mandated by the court to expunge all facial feature data collected from Guo Bing.Guo's plea against the compulsory collection of biometrics resulted in Hangzhou becoming the first city to outlaw mandatory facial recognition practices (Mo 2021).
Corroborating the growing awareness of individual privacy is the survey conducted by the Nandu Personal Information Protection Research Center, a think tank affiliated with Southern Metropolis Daily.It published the Public Survey Report on Facial Recognition in 2020.The findings revealed a significant sentiment among respondents, with 60% expressing concerns about the excessive use of facial recognition technology.Alarmingly, over 30% of those surveyed reported experiencing privacy breaches or property losses attributed to the unauthorized dissemination and misappropriation of their facial information (Fu 2020).Concerns have also emerged in relation to AI technologies, such as those used for self-driving, which rely on facial data for training purposes.Linking individual privacy concerns around facial data with national security, Zhang Xinbao, Director of the Information Law Center at Renmin University, argues that when essential traffic and pedestrian data is transmitted abroad, it might pose a national security risk (Economic Information Daily 2021).
The above discussions delineate the importance of the concept of human security and its relevance to the discussions concerning privacy protection in Chinese society, which is often characterized as collectivist.In this context, the concept of "privacy"differs somewhat from its Western origins (Creemers 2022).The concept of human security helps understand the different referent objects of security.Beyond the state/individual dichotomy, China's interpretation of privacy introduces an additional layer of analysis: security at the communal level.This layer of analysis could further facilitate the exploration of when individual privacy becomes a matter of national security concern.

China's approach to privacy protection
Scholars based in China often perceive individual privacy as an integral component of state sovereignty (Cao 2013;Que and Wang 2022).Data sovereignty is a key element in China's official discourse, emphasizing the Chinese government's authoritative control over data collection and the transmission of data across international borders.While cyber sovereignty primarily centers around protecting critical infrastructure and defending against cyber-attacks by foreign entities, data sovereignty is a more specific concept that revolves around asserting authority over inherently mobile and fragmented data.As Chen and Gao (Forthcoming) point out, cyber sovereignty is one of the core principles China has upheld in its approach to cyber governance both domestically and internationally.The nature of data itself often leads governments to seek physical control over it in an effort to govern it more effectively.Nevertheless, the degree to which territorialization of data might hinder innovation continues to be a topic of debate.
China's approach to privacy and data protection encompasses a combination of policy responses, legislative measures, and law enforcement (Jia 2023).The rapid and extensive process of datafication that China has undergone, which has surpassed many other countries worldwide, is a significant driver for the country's regulatory framework in this regard (Jia 2023).In 2019, the global digital economy reached a scale of $31.8 trillion US dollars, with China ranking second in the world with an economic scale of $5.2 trillion US dollars (China Industrial Control Systems Cyber Emergency Response Team and Huawei 2021).The ongoing evolution of regulatory framework development is shaped by the interplay of competing interests within the domestic business landscape and transnational interactions (Shen 2016).
The emergence of a data-driven economy is reallocating power dynamics, shifting power away from individuals toward organizations, from traditional businesses to datadriven enterprises, and from governments to data-driven businesses (OECD 2015, 18).Companies, by virtue of their data resources alone, can wield substantial influence, at times even surpassing that of governments.Indeed, one of the reasons behind Beijing's crackdown on Didi is to prevent the company from amassing a data reservoir that surpasses the state's control (Borak 2021;Kurth 2021).This concern is further revealed by the recent case of Jack Ma being stripped of his role as the actual controller of Alipay (Bloomberg News 2023).
China's regulatory framework for privacy protection is far from being a monolithic, coherent, and well-coordinated set of rules.Instead, it has evolved alongside technological innovations and key events that raised public concerns about the widespread use of technology that encroaches upon individual privacy.As a result, China's regulatory framework appears fragmented at times, with occasional overlapping responsibilities among different governmental departments.For example, since the Cyberspace Administration of China (CAC)'s establishment in 2014, it has been engaged in a continuous turf war with the Ministry of Public Security concerning critical infrastructure protection and various other issues (Lee 2021;Creemers 2022).While the Personal Information Protection Law (PIPL) was established as the main authority overseeing personal information protection, the Ministry of Public Security was involved in the punitive actions against Didi (Hu 2021).
Expanding upon the discussion on yinsi in the previous section, the notion of "privacy" carries a somewhat distinct connotation in China, lacking the same constitutional status linked to liberal principles of the rule of law and economic values, as seen in Europe or the US (Creemers 2022).As Creemers notes, while PIPL primarily centers on regulating the relationship between individuals and data controllers, the Data Security Law (DSL) places a greater emphasis on assessing and managing the risks emanating from data held in China.The former is primarily concerned with balancing domestic interests and mitigating tensions between individual rights and collective economic growth, while the latter primarily focuses on safeguarding Chinese interests against deliberate hostile threats originating from foreign sources.As domestic scam cases and deteriorating relations with the US fed into the policy-making processes on digital governance, the distinction between safeguarding personal information for individual interests and its potential significance for national security began to blur (Creemers 2022).
Bearing in mind the caveat regarding cultural determinism, it appears that the Sinicized concept of human security does indeed take on an added dimension of collectivism.In the context of privacy protection, this dimension becomes evident in the guidelines that determine the threshold at which the volume of data raises national security concerns.As clarified in the Cybersecurity Review Measures, operators in possession of personal information from over 1 million users are mandated to undergo a cybersecurity review before proceeding with their overseas initial public offering (Cyberspace Administration of China et al. 2022).The focus on determining the threshold at which individual privacy transitions into a national security concern reflects an implicit assumption that individual privacy protection can only be provided by a capable state that can safeguard its sovereign rights.
From the perspective of governance, the expansion of state power over data heightens the risk of abuse, which could in turn undermine the government's credibility.The massive amount of data collected is vulnerable to cyberattacks, and if leaked, could potentially threaten both individual privacy and national security (Zou 2023).A case in point is the Shanghai National Police Database breach, involving data from 1 billion Chinese residents, including sensitive information like ID numbers and criminal records (Goh et al. 2022;Ni 2022;Hurst 2022).
The commitment to protecting individual privacy helps the Chinese state to bolster its legitimacy in the face of widespread digital abuse (Jia 2023).This motivation is exemplified by recent efforts against telecom scams and fraudulent activities.According to the Supreme People's Procuratorate of China, during the initial ten months of 2023, procuratorates across the country have taken legal action against more than 34,000 individuals involved in telecom and online fraud cases, representing a substantial 52 percent yearon-year increase (Xinhua 2023).In response to criminal activities conducted abroad, China is actively seeking international cooperation to facilitate the extradition of fugitives.A recent case involving the repatriation of 2,349 individuals implicated in telecom fraud from Myanmar has garnered significant public attention (Global Times 2023).

Case study: Didi
The case of Didi serves as an example of the evolving power dynamics between platforms and the state, as well as the co-evolution between technological innovation and regulatory frameworks.Considering their role as holders of vast amounts of data, platforms function as techno-cultural constructs and integral components of the socioeconomic structure (Dijck, Poell, and Waal 2018).Platforms are subject to state governance while also functioning as rule-makers in their own right.Multinational platforms wield significant influence due to their ability to mediate social interactions and regulate public discourse through opaque content moderation processes (Helmond et al. 2019).Such influence compels governments to enhance their governance endeavors to adapt to the evolving challenges posed by the digital economy.Platforms are reshaping the boundaries and norms associated with the concept of freedom of expression (Afina 2023).
As such, "governance by platforms" and "governance of platforms" work together to shape the regulatory landscape.Research on the distinction between these two modes of governance highlights the increasing influence of platforms in decision-making in data governance (Gorwa 2019;Poell, Nieborg, and Duffy 2021).The vast amount of data facilitates smart city development and digital governance, but also shifts the power dynamic in favor of the authorities and capital, which hide behind algorithms to discipline the public and foster acceptance of injustice (Zhang 2023).
Didi's development trajectory along with China's evolving regulatory landscape highlights how government policies can both shape and incentivize data-driven innovation and vice versa.Established in 2012, Didi swiftly ascended to the pinnacle of the ridesharing industry in China, solidifying its position as the largest platform in the country following its acquisition of Uber's operations in China.By the time it prepared an initial public offering in the US, Didi had extended its services to 14 countries beyond China, amassing an estimated 50 million users in overseas markets (Chen 2021).
Didi's personalized algorithms, powered by vast datasets of user behavior, pose potential challenges regarding data-driven innovation in the service industry to both individual privacy and national security.Holding an extensive repository of consumer data, Didi's operations fall under the purview of various Chinese laws and regulations, including the DSL, Cybersecurity Law, PIPL, and Cybersecurity Review Measures (People's Daily 2022).The concern around national security was significantly amplified when Didi chose to list on the NYSE, as this move raised concerns about the potential exposure of sensitive data collected in China to foreign entities (Wang et al. 2024).
After taking down the Didi Chuxing app, on 5 July 2021, the Chinese Cyberspace Administration announced inquiries into other companies, including Full Truck Alliance and Boss Zhipin, citing concerns regarding national data security risks (Kharpal 2021).This marks the start of the government's endeavors to regain control and reshape the power dynamics in the digital governance landscape, which had long been dominated by major technology corporations.
In July 2022, CAC announced the penalties on Didi in accordance with the Cybersecurity Law, DSL, and PIPL (People's Daily 2022).This breach resulted in a substantial fine of 8.026 billion yuan, surpassing even the 743 million euros fine imposed on Amazon for its GDPR violation, setting a record as the highest fine in the global history of data protection (Goh et al. 2022).
However, it is worth noting that despite the ongoing tension between state authorities and major tech companies, their relationship has not always been contentious.In the past, Didi's data collection had been used to assist the government in matters related to security governance.As of 2017, Didi had initiated collaborations with the local governments of more than 20 cities across China on smart transportation (China Net 2017).In September 2017, Didi initiated a strategic partnership with the Traffic Police of the Guangzhou Municipal Public Security Bureau.Synergizing Didi's extensive big data and analytical capabilities with the rich traffic data reservoir of the Guangzhou Traffic Police, this collaboration helps the government understand risky driving behaviors, crack down on drunk driving, and mitigate traffic congestion (China Net 2017).In 2020, Didi bolstered its collaboration with national law enforcement agencies to enhance background checks of drivers (Didi Global 2020).By August 2020, Didi had established partnerships with more than 50 local police departments to bolster crime deterrence on its platform (Didi Global 2020).As part of its Safe Driving System, Didi employs cameras for monitoring of both the road ahead and behind the vehicle while recording GPS data (Xiao 2017).Furthermore, Didi is training its AI systems to discern particular human behaviors as indicators of driver fatigue (Xiao 2017).
Besides Didi's collaboration with law enforcement in security governance, the company's practice of collecting excessive data is also driven by public concern about the drivers.In May 2018, a 21-year-old female passenger was murdered by a Didi driver, igniting intense discussions on Chinese social media platforms.In response, Didi Chuxing announced a reward of 1 million yuan to help locate the suspected driver and actively cooperated with the Ministry of Public Security to conduct background checks on the drivers employed by the platform (BBC 2018).Following the incident, Didi implemented enhanced security measures, including a "one-click police report" feature, continuous ride recording, and mandatory driver identity verification through facial recognition (Wu 2019).
Nevertheless, there are some issues regarding these measures implemented in the name of customer safety.First, despite its name, the "one-click police report" in Didi does not directly contact the police.Instead, it sends information to an emergency contact who can then make the call (China Youth Net 2018).This is because police networks operate on a system separate from the public.The customer or their contact still needs to initiate the actual call.The act of Didi contacting the police on behalf of the customer would alter the nature of its relationship with its customers from a typical commercial relationship into that of an agent for criminal prosecution, acting on behalf of the potential victim, the legality of which remains unclear under Chinese law (China Youth Net 2018).Second, by associating the practices of ride recording and facial recognition with customer safety, these actions have become normalized despite their encroachment upon individual privacy.This normalization grants the platform significant power, which, in turn, may necessitate cooperation with law enforcement agencies in China.Third, the line between the platform and public security departments becomes blurred.It remains unclear to what extent the police can access all the data collected by Didi, and Didi's responsibility for ensuring safety has grown substantially due to its extensive data holdings.
Despite the crackdown, Didi's dominance in the Chinese market remains unshakable.In 2022, Didi further expanded its reach to cover 16 countries, including the US, India, Japan, and Australia (Wang and Xing 2023).The company also ventured into the field of autonomous driving, with the goal of achieving mass commercialization of self-driving vehicles by 2025 (Wang and Xing 2023).This implies that the Chinese government will continue to rely on and collaborate with Didi for data governance, and Didi may also have the potential to influence the international data governance landscape as the company seeks to navigate local data governance laws and regulations in its target countries.

Global implications
The governance of data carries significant global implications.According to the Organisation for Economic Co-operation and Development (OECD), "Underpinning digital trade is the movement of data.Data is not only a means of production, it is also an asset that can itself be traded, and a means through which GVCs [global value chains, author's note] are organised and services delivered" (OECD n.d.).Data has become intricately interwoven within global political dynamics as a key component of self-governance and indigenous sovereignty (Kukutai and Taylor 2016).A total of 86 World Trade Organization (WTO) member states engaged in discussions regarding cross-border data flows, while 78 developing countries abstained from participation due to concerns that data flows might potentially disrupt their development (Aaronson 2021, 5).Data governance conducted hastily risks evolving into another dimension of capitalist mechanisms that reinforce inequalities between the Global North and Global South.
At the outset of 2021, data privacy laws were in place in 145 countries, a number that had risen to 157 by mid-March 2022 (Greenleaf 2022).The fragmentation of data privacy laws across the globe results in overlapping sovereignty claims concerning the control and ownership of data.Similarly, the current regulatory landscape concerning digital platforms is also complex and fragmented (Afina 2023).The competition for discourse power in data sovereignty, with cross-border data flow governance as a key element, is emerging as a central focus in future international competition (Shen 2023).
With these advancements in legal and regulatory frameworks, various interpretations of data sovereignty are being promoted and diffused (He 2021).The EU's concept of data sovereignty aligns with its strategic autonomy and human rights agenda, whereas the US places greater emphasis on harnessing the economic potential of information and communication technology companies, accommodating the data collection and algorithm training requirements of technology giants (Broeders, Cristiano, and Kaminska 2023;Que and Wang 2022).Despite differences in the normative foundations of their respective approaches to data sovereignty, both parties share a growing concern about the location of data storage due to its implications for data sovereignty (Wang et al. 2024).
As China emerges as a frontrunner in shaping norms and regulations concerning cyberspace governance, its strategies for privacy and data protection also carry global ramifications (Gao 2022a;Segal 2020).China's approach to data privacy, as exemplified by its PIPL, encompasses a broader scope compared to that of the US and EU.While the US employs a fragmented regulatory framework consisting of state and sector-specific laws, China adopts a centralized approach involving the implementation of stricter data localization requirements and the regulation of cross-border data flows.Notably, China's approach to data privacy is intertwined with its cybersecurity laws, signifying a more pronounced emphasis on national security concerns.PIPL grants the Chinese government the authority to blacklist overseas data controllers and processors, thereby enabling it to leverage its data and privacy regulations as a means of retaliating against countries seen as engaging in discriminatory practices (Lee 2021).This reflects the broader security approach of the Chinese government, which prioritizes safeguarding and controlling the data of its citizens, providing safety as a public good.
Building upon the earlier discussions of human security and yinsi protection, China's approach to data protection places an emphasis on data sovereignty as a fundamental prerequisite for safeguarding all other rights associated with data (Cao 2013).The Chinese state has endeavored to position itself as an intermediary between citizens and technology companies in order to address the asymmetrical power dynamics that exist between them (Cai and Wang 2020;Wang 2022).
A significant distinction exists between PIPL's clear-cut mandates for data localization and GDPR's mechanisms designed to facilitate data transfers when certain conditions are met (Lee 2021).The requirement for personal information holders to store data within China's geographical borders is a key element of China's cyber sovereignty vision (Pyo 2020).This disparity poses challenges for interoperability among different data regulatory regimes (Lee 2021).The differences between China's statecentric model of cyber governance and the decentralized model prevalent in Western countries could also potentially give rise to new alliances and divisions in the realm of global cybersecurity politics.For instance, Vietnam, embracing a "sovereign and controlled" internet model, adopts China's approach to data localization, mandating the storage of specific data types in designated locations (Sherman 2019).Similarly, countries such as Zimbabwe, Djibouti, and Uganda are expressing apprehension regarding U.S. hegemony in cyberspace, which they perceive as yet another iteration of colonialism (Gao 2022b).
On the one hand, the EU's stringent requirements concerning data belonging to EU citizens might be perceived as a form of regulatory bullying, as it compels other countries to align themselves with EU standards in order to facilitate the exchange of personal data (Aaronson 2021).China's stringent privacy law requirements can potentially escalate existing tensions with countries that uphold different data protection standards, leading to strained trade relations.
On the other hand, China's data localization requirements mandate that transnational corporations must store data collected within the country itself.Foreign companies operating in China are obligated to adhere to data localization requirements, obtain consent for data processing, and collaborate with law enforcement authorities on matters related to data security.If a company has committed to regional voluntary agreements like Cross-Border Privacy Rules, it will be restricted from transferring personal information to countries with lower standards in personal information protection, which could potentially compel other countries to consider adopting China's standards (Hu 2021).
The localization requirements may also entail establishing local data centers or collaborating with local service providers to manage and process the collected data.The stringent security assessments required for cross-border data transfers might pose challenges for these corporations, impeding their global operations (Hu 2021).Multinational companies will be required to reconfigure their information technology systems to ensure compliance, which might involve seeking the guidance of local government before exporting data that was initially collected in China or is currently stored within China (Junck et al. 2021).
In order to adhere to these regulations, transnational corporations are compelled to invest in local infrastructure, adapt their data management protocols, and stay vigilant in keeping pace with evolving regulatory changes.This might necessitate the appointment of dedicated staff members to oversee these compliance efforts.As the regulatory framework and practices are still under development, it remains unclear whether the mandatory security assessment by the CAC for transferring data to other countries grants the company one-time approval for a data transfer or a license for a given period (Hu 2021).Collectively, these legal and regulatory barriers may lead to increased fragmentation in global business operations.After a period of tightening control over data generated in China, recent efforts to expedite approvals for foreign companies awaiting data transfer clearance offshore (Yu and Tham 2024), along with the implementation of the Regulations on Promoting and Regulating Cross-Border Data Flows (Guo, Li, and Feng 2024), signal a notable relaxation of policies aimed at alleviating clearance difficulties and facilitating operations in China.
As other countries seek to strike a balance between data-driven economic opportunities and privacy concerns, China's approach could potentially serve as a model, particularly for countries with significant economic ties to China, due to the need to comply with Chinese standards.China's model may appear attractive to governments seeking to retain substantial state control over individual privacy while simultaneously promoting economic growth (Pyo 2020).Furthermore, the Belt and Road Initiative (BRI) might serve to promote Chinese standards and thus advance Beijing's vision of the internet within BRI countries (Sherman 2019).
Overall, while there is little concrete evidence that other countries are directly imitating China's model, there are shared aspirations to exercise a higher level of control over their citizens' data.Countries such as Thailand (Chachavalpongpun 2023), Indonesia (Hunton Andrews Kurth 2022), Myanmar (Thean-ngarm and Oo 2023), and Vietnam (Aw 2023) are introducing stricter laws and regulations in order to exert greater control over their cyberspace.A similar effort toward data localization can be observed in Cambodia's draft data protection law (Kelliher 2023) and in Kazakhstan (Marina Kahiani and Abdukhalykova 2023), as well as in Russia (Andreeva, Kiseleva, and Neskoromyuk 2021).This signifies that countries are reshaping geopolitical faut lines as a result of shared concerns regarding data localization.

Conclusion
This paper offered an analytical perspective to understand the concept of yinsi and the intricate relationship between the individual, the community, and the state within the discourse of security and data privacy.Drawing a novel theoretical approach building on the Sinicized concept of human security and the indigenous concept of yinsi, this paper argues that China's regulatory framework for privacy protection has evolved alongside technological innovations and key events that raised public concerns about the widespread use of technology that encroaches upon individual privacy.
Given that it is still in the early stages of development, China's regulatory framework sometimes appears fragmented, with overlapping responsibilities among various government departments.Due to its emphasis on state sovereignty over individual privacy, China's approach to privacy protection tends to downplay the perspective that societies could benefit from the use, sharing, and transfer of large quantities of data.
This paper complements Chen and Gao's (Forthcoming) observation regarding a shift in China's official narratives on cyber governance concerning the transition from a primary focus on national security to an increased emphasis on the protection of digital infrastructure and the control over data flows.This paper further demonstrates that this shift has incentivized the Chinese government to regulate cross-border data flows, especially when such flows involve the data of a significant number of users.
China's approach to privacy protection carries several global implications.Firstly, it presents challenges for multinational corporations engaged in global operations, as they must incur increased operational costs to ensure compliance.The state control over the movement of data may contribute to the fragmentation of digital businesses and slow down global digital trade.Secondly, it exacerbates preexisting geopolitical tensions with other major rule-making powers such as the US and EU, as their differing normative expectations become evident in their respective approaches.Thirdly, as other countries endeavor to strike a balance between data-driven economic opportunities and privacy concerns, China's approach may be seen as a potential model for governments looking to maintain significant state control over data.