Brief

The rapid development of digital technologies has brought new challenges in protecting data from misuse, loss, or unauthorised access. In liberal democracies, data security is closely linked to the right to privacy, which is governed by laws that emphasise transparency and consent. While China has benefited greatly from the digital revolution in terms of economic growth and technological progress, the Party-state also sees significant threats. As the data-driven economy has prompted a reallocation of power from governments to data-powered firms, China’s approach to data security has become closely tied to its objectives of maintaining state control.

Chinese data-related laws emphasise data localisation and strict government oversight to strengthen national security while reducing reliance on foreign technology. The Cybersecurity Law of 2017, for example, requires government approval for transferring certain data overseas. Despite a series of new laws, foreign officials and legal experts remain concerned over a lack of clarity regarding rules for the cross-border transfer of data (CBTD). 

Analysis

In 2017, The Economist declared that data had become the world’s most valuable resource, surpassing oil. In the wake of the dotcom bubble Internet companies had harnessed vast quantities of data for advertising purposes, which was being leveraged to fuel the development of AI services, creating huge wealth and power, the magazine noted.

This shift was not lost on China’s Communist Party, which viewed data not just as a commodity, but since 2019 also designated “data” as a critical factor of production alongside land, labour, capital, and technology. The state had already begun investing heavily in “informatisation” (信息化) in the 1990s, part of a programme to build digital infrastructure, strengthen the domestic tech industry, and ensure national security. Data had become a strategic asset to advance national interests.

The Party-state’s efforts to control data have been codified and made more pronounced in recent years through a series of foundational laws. The Cybersecurity Law (2017) laid the groundwork by mandating network security and requiring data localisation for critical information infrastructure operators. This was followed by the Data Security Law and the Personal Information Protection Law, both enacted in 2021. This legislation enhances state control by ensuring government access to information, mandating security reviews for cross-border transfers of “important data,” and placing strict new obligations on private firms. A further tightening occurred in April 2023 when a revised anti-espionage law banned the transfer of any data related to “national security and interests”, broad and vague terms that severely restrict international firms’ ability to conduct due diligence.

This domestic strategy is also reflected in the nation’s efforts to shape the international conversation around data. Chinese Foreign Minister Wang Yi in 2020 announced the “Global Data Security Initiative” (全球数据安全倡议), a less known precursor to Xi Jinping’s other Global Initiatives. The GDSI implicitly addressed foreign concerns about over-reliance on Chinese communications technology, stressing the need for an “objective and rational attitude,” while defending domestic requirements for data localisation.

Domestically, the casting of data as a security issue has become increasingly pronounced in China’s legal framework. Data security was formally added to a list of twenty key categories in Xi’s “Comprehensive National Security” concept in 2025, underscoring that data is now officially viewed as being on par with political, military, and economic security. This shift reflects Beijing’s concern that foreign access to data could undermine its governance and economic stability. This national security-centric approach has become a significant point of friction with Europe, with European Commission President Ursula von der Leyen calling the Chinese provisions “excessive” and expressing concern about the lack of clarity in China’s data security regulations.

As more of China’s partners in the Global South turn to communications technology and connected devices from Chinese firms, some of the data security concerns raised in the Western hemisphere are also heard in these countries. In 2018, for example, French newspaper Le Monde reported that China had installed listening devices in the African Union’s headquarters in Addis Ababa.

Thus far, however, Chinese tech is mainly hailed in Global South countries for being relatively affordable and user-friendly. For example, the proliferation in Africa and Latin America of Chinese 4G network gear and “Safe City” digital surveillance programmes is rarely openly contested in these regions.