Week 11: China & India

<aside> 💡 Since China and India are continuing to grow as influencers in the global economy, do their data protection laws ultimately serve as a way for their governments to protect themselves from different actors?

There are examples of the Chinese and Indian government protecting themselves from other foreign countries. Wodinsky points out that China’s “PIPL [Personal Information Protection Law] also has pretty strict guidelines for foreign companies doing business in the region—and that includes data-hoovering giants like Facebook that offer services to Chinese customers through obscure subsidiaries.” With India’s Personal Data Protection Bill, one of its major goals was “to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India…has a unique ability to exercise leverage over multinational tech companies” (Arindrajit and Sherman). Additionally, the bill was developed through consultation with stakeholders that had “an aversion to so-called data colonialism by large Western technology firms—a grievance against large-scale collection of Indian citizens’ data by Western companies” (Arindrajit and Sherman).

On the other hand, and most importantly, there are concerns of how these two data protection laws, under the guise of consumer protection, in actuality benefit the government over the rights of their own citizens. In regards to China’s PIPL, “It’s largely written to protect people from private companies hoovering their data, while giving state authorities a free pass to largely do just that” (Wodinsky). And in regards to India’s PDPB, “the biggest concern about the bill among academics and activists is the exemptions granted to the government for data collection.This leaves a gaping regulatory vacuum around surveillance law in India and fails to adequately protect citizen privacy, as there are no clear rules that govern government use of data (Arindrajit and Sherman).

The lines can get even blurrier. Take a global event like the Olympics as an interesting case study. How do data protection laws come into play during a global event with thousands of visitors from around the world? In anticipation for the Olympic Games Beijing 2022, the mandatory MY2022 app was intended to track COVID-19 and hold travelers’ information. However, it “failed to confirm a unique encryption signature with the server where it was transferring data. In effect, that meant hackers could intercept the data without Chinese officials necessarily knowing. Other parts of the app, like its built-in messaging service, failed to encrypt metadata, making it easy for owners of wireless networks or telecoms to detect which phone was messaging another and at what time” (Mozur and Metz). Similar data protection concerns were brought up when Japan was developing a contact tracing app for the 2021 Tokyo Olympics.

Do borders and regulatory lines even matter when transnational companies decide to work towards a global surveillance state? In Hvistendal’s “How Oracle Sells Oppression in China”, Mara highlights Oracle’s ultimate goal to become the global data broker with “claims to sell data on more than 300 million people around the world”, its partnership with China’s Ministry of Public Security, and how it has influenced other countries:

Brazil’s Citizen Base Register
United Arab Emirates’ Oyoon
Partnering with Mexico and iOmniscient
Partnering with Rio de Janeiro’s Civil Police

Ultimately, “It’s worth wondering how better U.S. government action on the data governance front could influence this global contestation over data access and regulation” (Arindrajit and Sherman).

</aside>