The Absence of Data Privacy Law is a National Security Threat

September 8, 2023 Topic: Technology Region: Asia Blog Brand: Techland Tags: TechnologyRegulationChinaDemocracySurveillance

The Absence of Data Privacy Law is a National Security Threat

Informational technology companies’ involvement in aiding and abetting foreign intelligence activities in alleged human rights violations must continue to face scrutiny.

On April 18, 2007, a Chinese man named Wang Xiaoning filed a lawsuit at the U.S. Federal Court in the Northern District of California over his arrest by the Ministry of Public Safety for his pro-democracy activities. His detainment in China involved torture by the authorities. Despite his cautiousness in utilizing pseudonyms and publishing pro-democratic materials anonymously, the arrest was made possible through cooperation from American multinational technology company Yahoo, which handed over private email records, copies of email messages, and other content of the electronic communications. This has led to national attention in the United States. However, the case was later withdrawn after the plaintiff received an undisclosed settlement amount from Yahoo.

With the sixteen-year-old legal precedent of Xiaoning v. Yahoo!, Inc. (2007), there's been a shadowy history of U.S. businesses’ contributions to China’s mass surveillance and censorship programs. As uncovered through Doe I v. Cisco Systems, Inc. (2014), it has been an open secret that Cisco was involved in the development of China’s notorious censorship program, the Golden Shield Project, in the 1990s to early 2000s. Based on the timeline of these events, which is a decade old, these cases may no longer seem to be relevant in the present day. But as the human rights violations of Uyghurs and intelligence activities of China have been highlighted throughout the exacerbation of U.S.-China relations, the informational technology companies’ involvement in aiding and abetting foreign intelligence activities in alleged human rights violations will continue to face scrutiny.

In the case of China's human rights violations against Uyghurs and political dissidents, it has been acknowledged that the artificial intelligence (AI) and algorithms that have been used to oppress these individuals have originated from American venture capitalists’ investments in the AI industry. Also, law enforcement surveillance devices ranging from police scanners to DNA forensic devices are still being exported to China from the United States, despite the existence of regulatory efforts such as the International Trafficking Arms Regulations, National Defense Authorization Act, and Export Administration Regulations. Amid the concerns pertaining to the private sector’s technological contribution to digital authoritarianism in foreign countries, many U.S.-based companies that have been publicly identified for alleged violations have asserted that they are in compliance with the relevant U.S. bylaws and these issues are inevitable collateral damage from the complicatedness of global supply chain.

Furthermore, as demonstrated through the U.S. Supreme Court’s conservative ruling in Nestle USA, Inc. v. Doe I (2021) on the limitation and criteria of the extraterritorial applicability aspect of Alien Tort Statute (ATS)—which requires substantial conduct in the United States but doesn’t apply to foreign companies—these corporate activities have not borne any significant legal repercussions thus far since these issues have been deemed as a force majeure from the complicatedness of the global supply chain. As of July 2023, however, the Ninth Circuit has held in Doe I. v. Cisco Systems, Inc. (2014) that the claims of aiding and abetting human rights abuse by Cisco on the grounds of the Torture Victims Protection Act and the ATS, as shown by the U.S. District Court’s initial dismissal of the motion under ATS in 2014. Indeed, the motion to establish a claim for secondary liabilities of these corporate activities has been often challenged by the plaintiffs’ failure to satisfy mens rea (carried out acts that had substantial effects on the perpetration of a specific crime) and actus reus (substantially assisting the act of crimes) criteria of the court.

As shown with Russia's utilization of the global supply chain to acquire sanctioned semiconductor chips and other utilities for military operations, the limitations pertaining to sanctions are clearly evident as effective sanctions enforcement requires active multilateral cooperation at both the public and private level. Even though the high degree of interconnectedness due to globalization has created opportunities for sanction evasions, these transnational security challenges demand continued attention from the relevant authorities. These security challenges pertaining to human rights violations may seem irrelevant to many Americans, but they are becoming corrosive to U.S. national security and may leave Americans at risk of becoming victims to foreign adversaries’ intelligence gatherings.

With the absence of a singular law that protects overall data privacy, foreign intelligence agencies’ aggressive data collection activities, ranging from social media platforms to the gaming industry and including the collection of sensitive personal data through both purchase and breach of databases from data brokers, are posing a growing threat. In fact, reports indicate that massive data collection efforts may already be an effective tool for foreign intelligence operatives.

By acquiring information on targeted individuals, foreign adversaries are better positioned to infiltrate and intimidate their targets. Recent indictments from the Department of Justice have shown that the Chinese and Iranian governments have aggressively sought the expanded use of these opportunities by utilizing American private investigators for their transnational repression campaigns in the United States. Furthermore, in contrast to the United States, where the concept of governance on overall data privacy is not comprehensively adopted through a unilateral law at the national level, the legal governance of overall data privacy has become one of the most important agendas for Beijing's security apparatus.

In the case of China, subsequent to the implementation of the Cybersecurity Law in 2016, the Data Security Law (DSL) and Personal Information Protection Law (PIPL) came into effect in 2021. These privacy protections have shown that China has benchmarked Europe's General Data Protection Regulation and strengthened its protection efforts on overall data privacy. Both the DSL and PIPL have outlawed sales of personal data from China to foreign actors without prior approval from the Chinese government. The PIPL also contains an extraterritorial impact by posing legal repercussions on the entities that are complicit such as the revocation of a business license in mainland China if there were to be any issue of concern pertaining to data that has been collected in China, no matter where the location of collection was made.

Since the effectiveness and importance of open source intelligence and data collection for modern-day spycraft has been highlighted throughout the Russia-Ukraine War, China has responded to these security concerns through the enforcement of the amendments to the pre-existing 2014 Counter-Espionage Act in July of 2023—which includes a broad definition of national security and defines the collection of information pertaining to national security interests as an act of espionage. These legal devices have reinforced China’s efforts to limit the open-source intelligence capabilities of its potential adversaries. Whilst having to reinforce its legislative efforts to counter foreign intelligence’s capabilities, China’s intelligence agency, the Ministry of State Security, is known to have recently increased its investments in open-source military intelligence and data collection. 

As multilateral security cooperation in cyberspace has recently been emphasized throughout the realm of international security, the United States and traditional security allies like South Korea have been increasing their bilateral cooperation in cyberspace to counter threats that are being posed by adversaries like North Korea. However, apart from international security cooperation at the government level, the structure of these security challenges that are being posed by adversaries is more oriented toward challenging the core values of liberal democracy, and its objectives are accomplished through exploiting the legal loopholes. Thus, the active exchange of knowledge and open discussion on the concept of privacy and the extent of these cybersecurity challenges amongst the liberal democratic states are needed more than ever.

Jong Min Lee is currently a master’s candidate with a concentration in International Security and Public International Law at the Fletcher School of Law and Diplomacy, Tufts University. His main areas of interest include non-conventional warfare, neo-authoritarianism, and transnational threats. He is also a graduate of the Elliott School of International Affairs at George Washington University, where he pursued a concentration in Security Policy and Global Public Health.

Image: Shutterstock.