PIPL, DSL, CSL – China Forges a Legal Path to Cyber Sovereignty

On November 1, 2021, China’s “Personal Information Protection Law” (PIPL) went into effect. The PIPL protects the personal privacy of Chinese citizens and, perhaps more importantly, mandates that both Chinese and foreign companies that conduct business in China comply with the rules set forth in the new legislation. PIPL defines what constitutes personal information, sets forth regulations for handling sensitive personal information to include state authorities, establishes rules for cross-border handling of personal information, determines individuals’ rights with respect to personal information handling activities, identifies government departments and their responsibilities with respect to information protection, and addresses legal liability for those not adhering to the law.

On the surface, the PIPL is very similar to Europe’s General Data Protection Regulation (GDPR), the landmark regulation that gives European citizens more control over how their personal information is used, processed, and protected. At the time of its enactment, the GDPR was heralded as a significant turning point for privacy protection at a time when big data and data mining have dominated all facets of society. Unsurprisingly, the appetite for such legislation has only increased, with several countries like Bahrain, Brazil, Japan, Kenya, Nigeria, and South Africa, among others, implementing GDPR-like laws.

While data protection is increasingly becoming an important topic for governments to address, laws can work to the advantage of those in power, especially when it comes to the control of what data is produced and handled. In this case, while personal information protection is the goal, PIPL can be used to coerce foreign organizations into surrendering to China’s vision of how they process data, as well as the technologies used to do it. What’s more, PIPL is not the first piece of legislation to address data. China also passed a “Cybersecurity Law” (CSL) in 2017, which was largely designed to safeguard China’s networks and private user information. Coming on the heels of that, China enacted its “Data Security Law” (DSL) in 2021, which had a strong focus on national security, imposing data restrictions and protective obligations on foreign companies operating in China.

What these three pieces of legislation have in common is the control of information, which is more than just censoring what information an audience can receive and access. In a 2008 speech at China’s National Cybersecurity and Informatization Work Conference, Xi Jinping asserted that “without cybersecurity there is no national security,” an acknowledgement that extends beyond the technological aspects of defending networks. Consistent with its preference for the term “information security,” Beijing views information through a holistic prism that extends beyond the technical mechanisms and vulnerabilities on which the West focuses to include the data that’s created, how it’s used, and where it goes. China understands that while network infrastructure facilitates cyber malfeasance, it is only the conduit. Data weaponization is more than compiled malicious code; it is also content that comes in many forms including but not limited to propaganda, disinformation, traditional and social media channels, academia, and the research and development and intellectual property produced by organizations. Therefore, it is unsurprising that Xi sees Internet control as a key to a government’s stability.

While Beijing tries to position itself to help shape global Internet rules and standards, it has been pushing the importance of cyber sovereignty, the ability to create and implement rules in cyberspace through state governance. Beijing has long maintained its inherent right to develop and control all facets of its portion of the global Internet. And while this continues to be debated and discussed in international fora like the United Nations, consensus on several issues remains elusive. Case in point, 61 countries including the United Nations recently signed a Declaration for the Future of the Internet, a political “commitment” to advance “a positive vision for the Internet and digital technologies.” The ambitious, albeit nonbinding, agreement aspires to establish a code of practice for how democratic countries will use the Internet, covering such areas as human rights, fair economic competition, and a promotion of freedom of expression, among others.

The Declaration stands in direct opposition to the cyber sovereignty championed by more authoritarian regimes like China, Iran, and Russia, who are typically demonized for their repressive approaches to free speech and content control. However, international agreements like the Declaration generally serve more as a bully pulpit than a means to effect change (remember 2021’s 25-state reaffirmation against hacking?), as many of the signatories themselves have engaged in surveillance of political opponents, Internet blackouts, censorship, and even tried to establish disinformation boards that would be able to edit social media postings. It’s evident that the Declaration may be more about getting governments to support a particular viewpoint to make a public statement than having any intention of holding them accountable for failure to adhere to these principles.

Beijing understands that its efforts to build a coalition that supports cyber sovereignty will continue to be stymied by the West for the foreseeable future. As such, in order for Beijing to ensure that its cyber sovereignty interests are met, it has resorted to passing an onslaught of legislation, a strategy termed legal warfare, which is designed to exploit domestic and international laws in order to assert Chinese interests. What’s more, these laws compel foreign organizations to comply with them or else risk being shut out of the world’s second largest economy. In this way China has implemented a fail-safe policy of becoming cyber-sovereign without ever having to get the world’s official buy-in for it. Simply, the allure of market access will be enough to entice foreign companies to conform to these laws for financial gain.

If this strategy works, China may become a prototype that other governments follow, although their degree of success will be incumbent on what those governments have to offer the global community. Right now, Beijing’s increasing influence and generous investment is an attractive carrot that many cannot refuse, and many will readily submit to these laws as a result. The more that do, the more they reaffirm China’s right to its own Internet management model and its own independence from foreign technologies. But perhaps more worrisome is that the PIPL, DSL, and CSL reflect Beijing’s understanding of where the world is headed. Data privacy is a clarion call from all corners of the globe, and Beijing has jumped on it knowing full well that it can weaponize these laws while safeguarding its own interests with them. If unchecked, this is the type of true strategic thinking that will keep Beijing one step ahead of everyone else.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.