Global Human Rights Hub fellows blog

Governing data in China: Data rights as bounded communication rights

By Liming Liu | January 24, 2025


The Cambridge Analytica scandal uncovered a dual logic of our contemporary society: living in a data-driven world but having vulnerable data protection. Although Facebook is inaccessible in China, Chinese citizens' worries about potential data leaks are increasing, as their everyday communications involve growing amounts of data. These potential worries are echoed in the 70th anniversary of the Universal Declaration of Human Rights on advocating the protection of data against interference and attack. The declaration enshrined the concept of privacy as "a gateway right that reinforces other rights" in the past seven decades. The United Nations underscores the human right to privacy as a particular concern in the digital age. In this sense, data rights are human rights, practiced through everyday communications, highlighting the urgency and necessity of ensuring their protection.

In response to public demands, China implemented its first Personal Information Protection Law (PIPL) in November 2021. The PIPL is a comprehensive piece of legislation that governs the collection, usage, management, and protection of personal data. Scholars have recognized the PIPL as the third model of data governance beyond the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States (US). This signals that when exploring data rights, communication rights and human rights, we have to understand that the Chinese approach is epistemologically distinct from Western approaches. Notably, understanding the Chinese approach to data rights is crucial for comprehending the everyday data practices of approximately one-fifth of the global population in China and for enriching the broader understanding of data governance with Chinese characteristics in a global context.

Data Rights as Communication Rights, as Human Rights

When we are talking about data rights, it is essential to understand the definition of data in the digital age. Data is any piece of information that can be identified or be identifiable to an individual, often aligning with the legal term "personally identifiable information". Data rights, therefore, represent the individual's ownership and control over such data. The concept of data rights includes two key aspects: the ability to access, generate, alter, organize, or delete data; and the rights to derive benefit from, sell, or transfer these access privileges to others. Therefore, discussions on data rights should encompass the data process from data collection and storage to the commodification of data and the control of data.

Communication rights advocate for individuals to have the power to communicate, particularly through the freedom of expression, and the rights to know, impart and discuss. The nature of communication rights aligns closely with data rights, which call for autonomy over personal data, ensuring individuals have agency over how their data is used and shared. Because data rights are deeply intertwined with communication rights in today's data-driven society, data practices - sharing, trading, using and controlling data - are embedded in communication practices.

Concurrently, communication practices have encountered both benefits and challenges under the conditions of datafication and data surveillance. The mutual and dialectical relationship between data and communication practices reveals the twin existence of data rights and communication rights in the digital age. This alignment underscores that freedom-oriented power over data—enabling individuals to make autonomous decisions about their information—is part of communication rights. Significantly, these rights extend beyond legal definitions or technical aspects of data collection and usage; they represent the protection of an individual's autonomy over data against potential threats and disruption. Data rights as communication rights are expressions of human dignity and agency that serve as "fundamental human rights for all." When individuals lack data rights and decision-making power over their data, it can be harmful. For instance, Zoom faced a lawsuit for sharing user information with Facebook without informing its users during the pandemic. Therefore, protecting data rights is essential for safeguarding communication rights and for preserving the freedoms that secure human rights in contemporary society.

Data Governance with Chinese Characteristics

To understand data governance in China, two fundamental claims must be acknowledged: data regulation is state-centered, and data sovereignty is part of cyber sovereignty. The PIPL defined data as personal information that "refers to various information related to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymized information." This definition, along with other key definitions such as personal information processors (which refers to "an organization or individual that autonomously determines the purposes and means of personal information processing"), shares a textual similarity with the GDPR's. However, the interpretations differ, as data and personal information in China mean individual consumers.

China lacked formal conceptions of data until the significant economic reforms of the 1980s, when the adoption of a market economy within its socialist system, along with globalization, introduced the concept of data and the right to privacy. As a result, the concept of data in China emerged in alignment with the market economy. This consumer-oriented perspective, however, is not explicitly laid out in the law, marking a distinction from the CCPA in clearly outlining the rights of California residents relative to businesses. Notably, the data in the Chinese context fell into two categories: consumer (or economic) and non-consumer. The emphasis on consumers resulted in the Chinese government continuously making efforts in addressing and protecting data since the 1980s, as it gradually issued laws like the Consumer Protection Law (1994) and Cybersecurity Law (2016). In non-consumer contexts, the PIPL permits government authorities to access personal data for purposes such as public health, national security, and crime prevention, but it provides no further details or explanations about these provisions. For instance, PIPL cannot directly handle data related to public interests or national security and instead refers those data to its twin regulation Data Security Law (2021).

Moreover, the PIPL specifically highlighted that data processed by state organs, "critical information infrastructure operators" and "personal information processors" have to "be stored within the territory of the People's Republic of China." While the law emphasizes the domestic storage of data and critical information, it does not provide a clear definition of "critical". This data localization has enhanced state data sovereignty by protecting the said national security and centralized data within Chinese authorities as a means for increasing state capacity in data control. The restrictions on data movement were evidenced when Chinese ride-hailing giant Didi, the Chinese version of Uber, relisted in Hong Kong when Chinese authorities grew concerned about sensitive individual location and movement data being potentially exposed to the US stock market given efforts by US regulators to require Didi and other Chinese companies to disclose sensitive information. Consequently, Didi faced severe consequences beyond the said delisting and relisting. Didi was removed from app stores as a penalty by Chinese authorities for "serious" problems related to data collection and usage. It was subjected to an official investigation regarding its data issue, and ultimately fined $1.2 billion for "severe security risks" tied to national security in its data processing. Hence, the case of Didi revealed that data rights in China are constrained by limited data mobility and restricted power to communicate under the country's data governance framework.

Data Rights as Bounded Communication Rights

In the Chinese approach to data governance, the boundaries between individual data rights and state data sovereignty are blurred, with individual data rights being restricted and defined by state sovereignty. This blurring of boundaries reflects that, in China, rights are not defined by or derived from individuals but rather come from the state. The PIPL, as the third pathway, has established comprehensive legislation on how individual data is governed in China and what data rights are in China. While it bears "a family resemblance" to other data governance approaches in the world, it underscores the prominent role of the state in regulating data rights. This regulation in restricting individual data rights encompasses three key aspects: understanding data primarily in a consumer context without regulations on addressing the state's access to data, governing data as state- and public interest-oriented, and data protection and storage as localized with limited mobility. Together, these reflect a collectivist approach to balancing individual rights with public interests and national priorities in data governance. Hence, data rights in the Chinese context imply bounded communication rights, as the power to communicate is restricted: the unclear legal statements in knowing, imparting and discussing the data have limited the freedom of expression. This bounded approach reflects the distinctive nature of China's perspective on human rights, which differs from individualist Western logics in that rights come from the Party, state and collective entities.

Therefore, China's centralized governing system has resulted in data governance with Chinese characteristics, in which the individual's data rights as bounded communication rights have to interplay between individual and state interests. Significantly, data and communication practices were bounded within the state-defined boundaries under the PIPL and other data laws and regulations, in which it is evident that such practices must not harm public health, national security, or the public interest. With the PIPL in effect for three years, China's data governance has evolved through extensive national-based broad experiments during the COVID-19 pandemic. These efforts in contact tracing and risk assessment have further blurred the boundaries between individual data rights and state data sovereignty, raising questions about whether individual data rights, such as data related to individual movements and locations, still belong to the individuals. This bounded rights experience is still ongoing in China's everyday data and communication practices. These experiences provide a valuable opportunity to broaden our understanding of human rights in the digital age within contemporary China, where data rights and communication rights are closely interconnected and shaped by governance frameworks that prioritize collective and state priorities alongside individual rights.


Liming Liu

Liming Liu is a PhD student in the communication program at the Hugh Downs School of Human Communication, Arizona State University. His research draws on the socio-cultural implications of emerging technologies, focusing on technological perceptions, practices, and governance in both intercultural and international contexts. His current research projects explore the intersection of artificial intelligence and religious organizations. Before attending ASU, he completed a master’s degree in digital media and society in Sweden and a bachelor’s degree in journalism in China. Prior to his academic career, he gained valuable industry experience as an editor at ByteDance and a senior product operator at Douyu Live Streaming for four years.