China is Full Steam Ahead on Data Privacy

On January 8th, just a week after China’s Civil Code went into effect, the Hangzhou Internet Court heard and ruled on its first data privacy case. In this case, Sun, the defendant, sold more than 40,000 personal information records to Liu, who used this data for advertising. The records contained people’s full names, email addresses, and social media IDs. The procurator (like a U.S. federal prosecutor) determined that this action constituted an offense against the new privacy protections codified in the Civil Code.

The Civil Code is a decades-long culmination of legal developments in China. It covers the full scope of civil law, such as property rights, contracts, and family law. But among these traditional pillars, the considerably large section reserved for the protection of personal information stands out. In Chapter Six of Part Four, the Civil Code defines privacy as “a natural person’s peace of life and the private space, private activities and private information which he/she is unwilling to divulge.” Essentially, individuals and organizations are prohibited from calling, texting, messaging, and emailing others without their consent. The Civil Code also grants individuals the right to request data deletion or correction from information processors (e.g., social media platforms). These rights and prescriptions build on earlier Chinese cyber-focused legislation, such as the landmark Cybersecurity Law of 2017. In contrast, the Civil Code takes a much more prescriptive approach and incentivizes private citizens to seek legal recourse against privacy incursions.

The codification of data protections in such a principal document marks China’s legislative willingness to adopt privacy as a core value, like the European Union’s General Data Protection Regulation (GDPR). By clearly defining what actions constitute as ‘data abuse,’ it limits the leverage of tech behemoths over individuals’ data. China’s meteoric rise in internet users—from 298 million in 2008 to 989 million in 2020—has necessitated guardrails on the digital economy. With personal data acting as a critical resource in the race to train artificial intelligence models, these new regulations are vital in ensuring that perverse economic incentives do not prevail.

That being said, China’s data regulation authorities have yet to fully mature (although in context, most national data protection structures are still nascent). On balance, China’s data protection framework leans towards national security, which may become a competing interest against “full privacy.” There are also several legal overlaps with previous data protection regulations. Without clear guidance from regulatory bodies, the legal ambiguity risks hindering innovation, as companies become wary of potential legal missteps. Further, it is unclear whether the protections laid out in the Civil Code supersede previous legislation or whether one should interpret them jointly.

To clear up some of these ambiguities, the Personal Information Protection Law (PIPL) is in the Chinese legislative pipeline. The current draft of the PIPL extends the information processor clauses in the Civil Code, proposing that processors must obtain individuals’ consent to share their data with 3rd parties. Almost any internet entity can fall under the “information processor” umbrella, so if this law is to be strictly enforced, it could create immense compliance burdens for technology companies. For example, many websites frequently contract with cloud providers to store and process data, which means they would have to redraft their terms and conditions and prompt users for renewed consent. But on the flip side, the PIPL disincentivizes the selling and reselling of personal data, which would strengthen privacy. Whichever side of the coin it lands on is still a long way’s off.

China’s commitment to fleshing out its data protection framework is evident. Its recent swift application points to an increase in welfare for China’s citizens. China’s convergence to the maturing GDPR framework signifies an eagerness to keep up with global privacy trends. Under the backdrop of increasing global scrutiny of large technology firms, it is worth paying attention to new data protection legislations. There are enough scarce resources in this world—privacy should not be one of them.


Tianjiu Zuo is from Hong Kong and is studying Public Policy and Economics.

Opinion: The U.S. Can And Needs To Regain Trust Through Cloud

In July 2020, the Court of Justice of the European Union (CJEU) struck down the 2016 EU-U.S. Privacy Shield. The Privacy Shield was designed to protect European data transfers to the U.S. With this ruling, one thing becomes clear. The U.S. must respect the rights of foreign citizens to preserve and grow its leadership in the cloud sector. U.S. surveillance regulations like FISA 702 and the CLOUD Act undermine its own economic interests and breed mistrust between the U.S. and its allies. Leading U.S. cloud providers will lose ground because of these regulations. America needs to take a hard look at how it can maintain global trust in its cloud services.

Amazon Web Services, Google Cloud and Microsoft Azure, three leading U.S. cloud providers, all fall under the definition of ‘electronic communications service providers.’ This means that they must comply with the Foreign Intelligence Surveillance Act (FISA), enacted to regulate U.S. surveillance of communications for foreign surveillance purposes. Specifically, Section 702 of FISA authorizes the acquisition of foreign intelligence about non-U.S. persons located outside of the U.S. FISA 702 also has no territorial limitations, meaning servers operated by U.S. cloud providers in the EU fall under its purview. In other words, personal data of non-U.S. citizens may be subject to surveillance by U.S. intelligence agencies, understandably causing concern for EU regulators. In its ruling to shutter data transfers between EU entities and U.S. cloud providers, the CJEU declared that there is a clash between EU privacy law and U.S. surveillance law, citing FISA Section 702 as evidence. It mandated that EU entities using U.S. cloud services must switch “service providers” to those in the EU or in a country with “adequate protections.” This mandate effectively put an end to the transfer of EU data to U.S. cloud providers. Currently, the top 4 cloud providers in the EU are all American (AWS, Microsoft, Google, and IBM), and shuttering their services in the EU would be catastrophic for their business, especially considering their major infrastructure investments into the EU.

To remedy their privacy concerns, the EU has embarked on an ambitious cloud project called Gaia-X. The project is a collaboration between the European Commission, Germany, France, and various other organizations. While not designed as a direct competitor to U.S. clouds, Gaia-X hopes to create a unified ecosystem of cloud services protected by European data laws. This initiative is especially promising for EU homegrown cloud services and companies wishing to lower their GDPR and the CJEU ruling compliance costs. Prior to the July ruling, Gaia-X was not considered a serious contender against well-established U.S. cloud providers. However, the recent mandate has spurred much momentum to its development, showing just how noxious U.S. surveillance regulations are to its interests.

In data privacy negotiations between the U.S. and the EU, debate over U.S. federal privacy laws and surveillance oversight has been a hot topic. Several op-eds have already commented on how the U.S. should respond to the CJEU’s ruling, ranging from aggressive U.S. government pushback to the “immediate negotiations on a successor agreement.” It is a delicate balance between allowing EU citizens to have redress against U.S. surveillance versus tipping off terrorists. But whatever future transatlantic agreement may hold, it must respect the rights of citizens of another sovereign nation–the absolute basis of cooperation and collaboration. National security concerns over intelligence collection may be paramount, but they are empty without trust between allied nations. Pragmatically, a future model where U.S. technological prowess in cloud computing is not lorded over the rights of foreign citizens may not only help U.S. cloud providers find better success in expansion, but also foster more bilateral cooperation in counterterrorism. It is the perfect opportunity for the U.S. to solidify its leadership in cloud, embodied with the good faith necessary to handle personal data.

The economic benefits bestowed by leading the cloud revolution are vast – its potential benefit to U.S. foreign policy are enormous as well. The July ruling to strike down the EU-U.S. Privacy Shield serves as a wake-up call to re-examine how the cloud fits into U.S. diplomatic designs and furthers important national missions like counterterrorism. The U.S. is well positioned to regain the trust lost after the Snowden revelations. It is also capable of doing much more.  


Tianjiu Zuo is from Hong Kong and is studying Public Policy and Economics.


Are America’s Antitrust Laws Prepared for the 21st Century?

Summary: In the twenty-first century, amidst significant changes to the American and global economy, our century-old antitrust laws may be lacking the key protections needed to regulate the giants of today’s economy, despite their past successes in breaking up monopolies.

In response to the increasing power of the Standard Oil Company, who controlled the refining of more than 90 percent of oil in the United States by 1880, Ohio Senator John Sherman proposed the Sherman Antitrust Act to preserve “free and unfettered competition as the rule of trade” by breaking up monopolies. 128 years later, a new challenge is faced as courts must decide whether or not the technology magnates of the twenty-first century are in violation of existing antitrust protection.

In addition to the 1914 Sherman Antitrust Act, the Clayton and Federal Trade Commission Acts expanded protections against “conspiracy…in the restraint of trade” and “unfair methods of competition,” respectively.

Although the Sherman Act states that “every person who shall monopolize, or attempt to monopolize, or combine or conspire with any other person or persons, to monopolize any part of the trade or commerce among the several States, or with foreign nations, shall be deemed guilty of a felony,” the definition of what defines a monopoly (or an attempt to create one) is left to the courts to decide. What percentage of a market must be controlled by a company before it is considered to be a monopoly? If a monopoly reduces inefficiencies, which benefit consumers by lowering prices, is this monopoly actually harming consumers? And the question that may be more relevant than ever: what counts as an industry? Is online shopping a distinct industry from brick-and-mortar retail?

In the 1962 Supreme Court Case Brown Shoe Co. v. U.S., the third-largest and eighth-largest shoe retailers attempted to merge, however, the Court argued that doing so would violate the Clayton Act. The Supreme Court defined the shoe companies as partaking in not just one industry, but three: men’s, women’s, and children’s shoes. The District Court found that in the vast majority of cities, competition would decrease in the shoe industry. Interestingly, the precedent of past mergers influenced the court’s decision to side against the companies.

Despite the apparent loss that Brown Shoe seemed to offer to businesses, there remained a silver lining within the court’s analysis. Such mergers could benefit consumers as long as doing so would reduce inefficiencies in an economy of scale, making the industry more competitive and beneficial to consumers.

Twelve years later, Brown Shoe was essentially reversed in the 1974 case United States v. General Dynamics Corp. The attempted acquisition of United Electric Coal Companies by the eponymous General Dynamics Corporation had much in common with that attempted by Brown Shoe Co. Both were in industries that faced an increasingly small number of companies controlling an increasingly large share of the industry, and while this acquisition would enlarge the market share of General Dynamics, the court no longer assumed that this caused a decrease in competition. In fact, the court suggested, it may actually increase competition in the industry as United Electric, who focused on strip-mining, was facing dwindling reserves and a decline in their ability to rival the other coal companies in the surrounding areas.

However, as the economy underwent significant changes with the dawn of the internet and the growth of the technology sector, which often act in ways which traditional brick-and-mortar businesses do not, there is doubt in the ability of the nation’s antitrust laws to act when needed.  Perhaps the best example of the disconnect between the tech boom and politics is the appearance of Facebook CEO Mark Zuckerberg before three Senate committees, where Utah Senator Orrin Hatch failed to understand the company’s ad-based revenue model.  If the Legislative branch cannot grasp the fundamentals of the twenty-first-century economy, what chance does the more isolated Judiciary stand in analyzing the finer details of a merger between two multifaceted tech firms?

Two recent developments make antitrust cases more difficult to fully analyze in the modern age. The first is globalization and the multiple jurisdictions in which multinational corporations operate under.  Because the different jurisdictions may be affected differently by mergers—two companies that may be relatively small in most jurisdictions may have a very large share of a certain industry in a relatively small nation—there is room for some countries to engage in protectionism under the name of antitrust laws.  The second is the “better, faster, high-tech” development of the “New Economy,” where efficiency and competition can be difficult to measure.

Although there have been calls for a legal challenge to the increasingly monopolistic control of Amazon, existing laws do not provide significant legal standing for any large-scale challenge to the e-commerce giant.  Rather than using monopolistic practices to beat its competition, Amazon simply beats them with its size, selling massive quantities on razor-thin margins to outsell its competitors. Although this is obviously terrible for plurality in the industries in which Amazon operates, it has not harmed the consumer, at least not yet. However, Amazon’s actions have shown a methodical plan to achieve such a large market share that it can monopolistically manipulate its suppliers and that gives it an unfair advantage in a seemingly fair competition with other companies.  

But for now, Amazon still stands. And it is hard to see Amazon being seriously challenged by American Antitrust Legislation without a significant reinterpretation of the Clayton Act by the Supreme Court. Although, in the past, economies of scale allowed for increasing competition, it is possible for companies to get so large that this advantage while benefiting the consumer by price, hurts them by restricting choice. And in the age in which data collection by companies such as Amazon, Facebook, and Google is more scrutinized—and more prevalent—than ever, the lack of choice over who collects our data, and what is collected, may prove to damage the consumer more than the extra money paid to keep the brick-and-mortar bookstore afloat amidst the low prices of Amazon and the rest.