G20 Meeting Could See New Global Data Rules
Chinese law explicitly states that the government has a right to demand that companies turn over data for unspecified national-security reasons. As a result, EU officials have indicated that China may never be eligible for a legal arrangement under the General Data Protection Regulation (GDPR) called an “adequacy agreement,” which would allow for data exchange with the EU. (The GDPR, which went into effect last year, set up strict privacy rules for those handling EU citizens’ data.) Chinese companies may find that it’s impossible to comply with GDPR and China’s cybersecurity law at once. The irony is that those who drafted China’s data-privacy rules looked to GDPR as a model. But the version of GDPR they created for China’s political system—where the government has expansive surveillance authorities—makes it hard to imagine how the two systems could ever be reconciled.
Indian government has concerns about Chinese firms misusing Indian data, despite some similarities in how both countries store data locally. For example, Indian military personnel aren’t allowed to install WeChat, the Chinese social-messaging app, on their phones, but can use Facebook’s WhatsApp. The historically tense relations between the two countries is likely driving India’s caution.
Trying to find consensus on global data governance may look like an elaborate game of Twister. And some of these divides at hand may simply be insurmountable—perhaps splintering the data economy as we know it.
Against this backdrop, Abe’s government has floated “data free flow with trust.” We may learn more from Abe at the G20 meeting, but one interpretation is that if the United States, Japan, and the EU perceive that Chinese access to their citizens’ data presents some degree of risk, they could build agreements to share data only with one another (or even a subset of that group), but restrict access for Chinese firms. This could make it much more difficult for Chinese internet platforms to develop AI platforms for places and demographics outside Chinese borders by cutting off access to necessary data. But such an arrangement would likely meet resistance in the U.S. if it looks too similar to GDPR in restricting U.S. companies.
The United States, for its part, is already pushing for new restrictions that would prevent Chinese companies and the government from getting access to sensitive data on U.S. citizens. For example, in March, the U.S. government told a Chinese gaming company called Beijing Kunlun Tech that it would need to sell Grindr, the U.S. gay dating app, because of the potential for blackmail if the app’s data fell into the hands of Chinese intelligence.
Privacy legislation being debated in the United States also plays a role in brewing geopolitical competition. India, Europe, and other places will increasingly use data to constrain market access for foreign-incorporated tech firms—for instance, requiring them to store citizens’ data within the country, or to not collect it at all—if the U.S. does nothing to dispel the notion that Big Tech cannot be trusted to handle individuals’ data in ways that are not exploitative. That means the United States will need to place privacy checks on companies such as Google and Facebook if these companies are to continue to have global reach and access to data. Creating policy that understands there is not necessarily a trade-off between privacy and innovation will go a long way toward restoring trust in U.S. Big Tech at home and around the world while also helping fuel advances in AI. Rather than a race to the bottom when it comes to privacy, this may be the better way to compete against Chinese internet companies for AI leadership.
The stakes are therefore quite high in the competition to set the rules for global data governance. Abe’s ambition to find consensus on these issues may seem ludicrous, but starting a conversation that gets at the conflicting perspectives on data at the center of geopolitics could be among his most important legacies.
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.