Over the last decade, the People’s Republic of China (PRC) and its data privacy regime have drawn national security concern. Adding onto the critique of Chinese authoritarianism, policy analysts fear that Chinese data privacy regulation reflects an effort to warp the developing framework of global data privacy – as opposed to an effort to promote the domestic rights of Chinese citizens. This thesis, then, aims to understand the reach of Chinese data privacy regulation. Exploring Chinese data privacy law, this thesis asks two main questions: (1) What are the implications of the PRC’s data privacy regulations? And (2) How can the United States Government build out data privacy infrastructure for American companies looking to operate within China?
My findings reveal that although operating in China presents its own hazards, Chinese data privacy regulation – as far as the law is concerned – is by no means novel. Fitting into the broader Chinese legal order, Chinese data privacy law reflects an extension of existing legal norms into the domain of data privacy. Nevertheless, as data privacy law does not encompass the PRC’s data privacy regime, the future of data enforcement remains unclear. Without the formation of an American data privacy architecture, US companies based in China are left in the dark. Inspired by literature on Sino-American relations, this thesis poses a framework for pragmatic cross-border data management: acknowledging the threats presented by the PRC, the United States must safeguard both domestic and multilateral interests of maintaining cross-border data flows and corresponding economic engagement.