Exploring the Digital Chessboard: The US, China, and EU’s Approaches to Privacy and Security Governance

By Melanie Kolbe-Guyot, Head of Policy, C4DT

 

It is no secret that we are in the midst of an intense technological rivalry among the great powers of the United States, China, and the European Union; a rivalry that encompasses economic, security, and geopolitical dimensions. The development, control, and weaponization of digital technologies have become the new frontier of power politics in domains such as data privacy and cybersecurity, semiconductors, artificial intelligence, 5G networks, satellite technology, and e-commerce and digital platforms.

This competition also extends into the area of digital governance, in which these great powers have developed distinct models for governing technology: the US market-driven, laissez-faire model, the EU's regulatory, liberal rights-based model, and the Chinese authoritarian, state-led model (Bradford 2023; Montero & Finger 2021). Each of these models in turn reflects its respective underlying societal values, political-economic structures, and geopolitical goals.

Accordingly, these governance models also exhibit different strategies and areas of influence in the international arena. The EU is most influential in the area of digital-norms development (Pannier 2023), as well as through regulatory globalization via the Brussels effect (Bradford 2020), whereas the US exerts influence through private-sector investment and its industry’s global dominance in digital services (Bradford 2023; Pannier 2023). China, in contrast, seeks to gain influence (in particular, in the Global South) by pursuing large physical-infrastructure projects and, increasingly, by shaping the development of technological standards through its engagement in standard-setting organizations (Bradford 2023, Teleanu 2021).[1]

These governance models present a crucible for examining the balance between innovation, regulation, and control, by highlighting the fundamental values and priorities that underpin each actor's approach to digital technology. However, these models are not static but are themselves subject to shifts and changes influenced by the evolving landscape of international relations. Nonetheless, they have global implications due to the extraterritorial effects of regulation, the global nature of data flows, and cyberspace's inherently borderless nature.

In this blog post, I want to zoom in on the implications of the three governance models for data privacy and cybersecurity (for brevity, narrowly discussed in regard to software product security[2]). I do so for three reasons. First, these two issue areas sit at the heart of societal trust in the digital age, thus affecting everything from individual rights to national security. As such, they are central to the acceptability and viability of technological progress. Second, though quantum computing and, recently, generative AI have tended to dominate the technological and policy hype-cycle, the fundamental questions about the choices we make in governing data privacy and cybersecurity remain highly relevant. Therefore, they deserve a continuing and evolving engagement. And third, as digital technologies increasingly intertwine with global power-structures, analyzing these governance models’ approaches to privacy and cybersecurity becomes a lens to understand not only the current digital power dynamics but also to anticipate the future trajectory of international relations in the digital realm.

The US Model and the Consequences for Privacy and Security

Historically, the US has taken a laissez-faire approach to the governance of digital technology. For the US, digital technology has been first and foremost a matter of competition policy. This is true for its domestic industries, as well as for international markets, where the primary aim is to maintain competitive and innovative momentum among the already established "big tech" companies (Montero & Finger 2021). This does not mean that the US has not shaped digital governance in other ways, such as by championing international standards in cryptography, zero-trust architectures, and the voluntary cybersecurity frameworks developed by its National Institute of Standards and Technology (NIST). Nonetheless, with the key exceptions of its role in establishing ICANN[3] and overseeing IANA[4] until 2016, the US has preferred minimal intervention in international digital governance (Kurbalija 2016, 228).

However, in light of rising geopolitical tensions and the growing recognition of digital technologies' critical importance to national security, economic stability, and public safety, the US model has started to display a gradual shift towards a broader and more interventionist stance (Bradford 2023). A key example of this is cybersecurity. Traditionally, the national security prerogatives of the US have led to a (still dominant) focus on building up offensive cyber-attack capabilities rather than defensive ones (e.g., by enhancing cybersecurity in commercial software and IoT products) (Schneier 2018). From an intelligence and military perspective, maintaining a digital space with critical vulnerabilities that can be hoarded rather than reported to vendors, and then strategically employed (i.e., used to spy or disrupt), is highly advantageous (Schneier 2018).

However, the impact of the WannaCry (2017), SolarWinds (2020), and Colonial Pipeline (2021) attacks in particular has revealed the significant national security challenges inherent in inadequate software product security. WannaCry also illustrated the downside of vulnerability hoarding: it spread using EternalBlue, an exploit developed by the NSA and released by the Shadow Brokers shortly before the outbreak. The passing of the 2020 IoT Cybersecurity Improvement Act, the 2021 Executive Order on Improving the Nation's Cybersecurity, and the 2022 Cyber Incident Reporting for Critical Infrastructure Act all indicate an increasing awareness that cybersecurity problems won't be solved by market mechanisms alone. Noticeably, however, these measures apply predominantly to federal agencies, government contractors, and critical infrastructure operators, not to the private sector as a whole.

Further enhancement of cybersecurity in technology products still faces significant obstacles, in particular because software vendors are largely able to disclaim liability for defects in their products through licensing terms. These exemptions considerably reduce private market incentives to prioritize the implementation of more stringent security measures in software products' development processes (Schneier 2018; Susskind 2022). However, an increasing number of experts have called for reforms in this area in order to incentivize the adoption of higher security standards and to promote accountability within the industry, and the 2023 US National Cybersecurity Strategy itself proposes shifting liability for insecure software towards its producers.

Similarly, while the US has traditionally tended to oppose binding global cybersecurity agreements (Kurbalija 2016, 228), the US's recent engagement in the negotiations over the new UN cybercrime convention suggests that it nonetheless recognizes the potential benefits of establishing international norms and frameworks for collaboratively combatting cyberthreats. However, despite these signals of a gradually changing cybersecurity governance approach, both in domestic and international terms, the US's tradition of industry self-regulation remains a deciding factor in its digital governance.

This holds true for cybersecurity as well as data privacy. Yet, in both areas the approach of industry self-regulation is often not considered sufficiently protective of digital consumers (Schneier 2018; Susskind 2022). Increasingly frequent reports illustrate the pitfalls of this regime: for example, mounting privacy and data-sharing scandals, such as in the case of children's schooling apps (2022); the lacking security of consumer IoT devices, such as in the case of Ring cameras (2019); and large-scale data breaches, such as the 2023 credential-stuffing attack on the genetic testing company 23andMe, in which reused passwords from earlier breaches were used to take over accounts and scrape the data of millions of users.

Data privacy, even more so than product security, has remained an area with little regulatory intervention. Despite increasing political scrutiny after the 2018 Cambridge Analytica scandal, at the core, greater data-privacy protections would pose considerable challenges to the data-centric business models of US companies such as Meta, Twitter, Google, and Amazon, as well as countless startups. This would affect the US approach of ensuring economic growth and power through globally dominating technology companies. Similarly, greater data-privacy protections could also undermine the highly profitable business models of data brokers or “data analytics” companies that are in great demand among private-sector companies (e.g., insurance providers), as well as among public authorities (enforcement agencies, national security agencies) (Lamdan 2023).

The US federal government has remained reluctant to tackle the issue of data privacy, for instance, through comprehensive federal legislation. Despite several attempts at passing bipartisan privacy legislation, including the notable introduction of the "American Data Privacy and Protection Act" (ADPPA) in 2022, progress has been stymied.[5] The only recent exception where data privacy was addressed as a federal legislative priority was in 2023 in the context of the proposed ban on TikTok, a social media app owned by the Chinese company ByteDance. However, it became evident that the driving forces behind such legislation were not based solely on protecting user privacy. National security concerns over TikTok and the desire to protect domestic markets, with TikTok posing a threat to US companies such as Meta, were chiefly at play.

All in all, the US digital governance model continues to place more emphasis on innovation, economic growth, and a consequent reliance on industry self-regulation than on consumer protection and stronger data-protection regulations. This allows corporate interests (and digital economic growth) to thrive, however, often at the expense of more stringent privacy and security safeguards. Nonetheless, the changing geopolitical climate and the new national security challenges posed by inadequate software product security and data privacy protections have also created the first signs of a shift towards greater regulatory involvement.

The EU Model and the Consequences for Privacy and Security

In comparison to the US, the EU is renowned for its strong regulatory approach, characterized by the spearheading of a number of important digital acts, beginning mainly with the General Data Protection Regulation (GDPR), which became applicable in 2018. The strengthening of information privacy and data-protection measures provided by the GDPR not only took on the globally operating US tech companies that seek to retain access to the EU's large domestic market, but it also propelled the EU, through the so-called Brussels effect (Bradford 2020), to become a source of global privacy regulation for foreign jurisdictions. In just a few years, the EU has since emerged as a global regulator in the digital space, with the introduction of the Digital Services Act (DSA) and the Digital Markets Act (DMA) in 2022, the AI Act in 2024, and the upcoming Cyber Resilience Act (CRA).

Notably, these acts seek to significantly enhance both data privacy and cybersecurity. For example, the DMA requires designated "gatekeeper" platforms to obtain user consent before combining personal data across their services, while the DSA prohibits targeted advertising based on profiling of minors or on sensitive personal data and provides greater transparency and accountability mechanisms for online intermediaries (European Commission 2024a). The proposed CRA's cybersecurity requirements for products with digital elements, including secure-by-design obligations, vulnerability handling, and security updates throughout a product's support period, would also greatly enhance cybersecurity and privacy protections for end users (European Commission 2024b). The focus of the AI Act, by contrast, is on regulating artificial-intelligence systems according to their levels of risk, and it can also be considered a way of safeguarding the rights of those affected by the use of AI systems, e.g., internet consumers (World Economic Forum 2023). As outlined above, the effects of these acts will, like the GDPR, extend far beyond Europe and hence potentially also benefit users elsewhere. The EU's regulatory model (and drive) thus fills in the protection gaps present in other jurisdictions, including the US governance model.

The focus on consumer protection in all of these acts complements the EU's traditional mix of hard and soft power in international governance, including importantly the promotion of human rights (Kurbalija 2016, 229). The EU has long leveraged its role as a normative power to influence global affairs, primarily by advocating for fundamental rights and supporting free trade and technological advancement; these priorities have naturally also found their expression in the rise of digital governance as a distinct policy area (Broeders, Cristiano & Kaminska 2023).

Yet, in light of increasing geopolitical and economic competition, particularly with the US and China, and the challenges posed by global tech companies, the EU has shifted its approach to emphasizing measures that safeguard its own digital sovereignty and strategic autonomy (Broeders, Cristiano & Kaminska 2023). The promotion and protection of the public interest (such as privacy and consumer-product protection) is now increasingly intertwined with the EU's trade and competition policy, which seeks to strengthen European companies' competitiveness and the European single market (Montero & Finger 2021; Broeders, Cristiano & Kaminska 2023).

Such "hybrid" digital policies, combining internal markets, fundamental rights, and geopolitical considerations (Broeders, Cristiano & Kaminska 2023), undoubtedly strengthen data privacy and security, yet they do so with the clear objective of strengthening the competitiveness of home-grown industries over non-EU tech companies. Stricter privacy and cybersecurity provisions, which will affect the market power of non-EU tech companies, might also come into conflict with the economic promotion goals of Europe's own digital industry, as some of the critiques of the CRA (for example, concerning the compliance burden on small vendors and open-source maintainers) suggest.

It remains to be seen if the increasing ‘geopoliticisation’ of the European digital governance model (Broeders, Cristiano & Kaminska 2023) will manage, in the long run, to reconcile the competing objectives of economic growth, technological leadership, and the strict protection of privacy and consumer rights. However, as it stands, the EU’s digital governance model has delivered the most substantial advancements in data privacy and, should the CRA be passed and enforced, it is poised to similarly elevate product cybersecurity standards, extending its influence beyond its own borders.

The Chinese Model and the Consequences for Privacy and Security

As a third distinct type, China's digital governance model is similar to those of the US and EU in its geostrategic and economic motivations, but it is more strongly state-led and focused on control over the governance of the Internet as a resource. The global Internet is a strategic space for China's export-oriented economy (Kurbalija 2016), and a natural extension of its technology-focused industrial policy and geopolitical ambitions to become a global superpower. Unlike the US and EU models, China tightly controls its digital and technology industry.

The Chinese approach is further defined by its emphasis on asserting control over international and digital infrastructures. Most notably, China's Digital Silk Road initiative seeks, through strategic investments and contracts with Chinese technology companies, to actively provide Global South countries with technical assistance in developing their own internet and technology infrastructures (Bradford 2023; Kurlantzick & Lee Dorff 2020). Thus, the initiative fosters political ties and enables China to compete with the US for technological dominance. China's efforts in the competition over subsea cables and its continuing engagement in standard-setting organizations, such as the ITU, ISO, and IEC, similarly indicate a push to assert control over physical infrastructure and reshape the Internet's architecture (Bradford 2023; Teleanu 2021).

Similarly to the United States, China regards cybersecurity as a matter of significant geostrategic importance. Therefore, like the US, China faces few incentives to enhance global cybersecurity. China's efforts to address cybersecurity vulnerabilities have faced scrutiny due to recurring reports of Chinese manufacturers shipping products such as routers and smartphones with backdoors. Additionally, concerns have been raised over the Chinese government's handling of vulnerability disclosure. China's 2021 regulations on network product security vulnerabilities require vendors and researchers to report newly found vulnerabilities to the Ministry of Industry and Information Technology (MIIT) within two days of discovery. When a researcher at Alibaba Cloud reported the Log4j vulnerability (Log4Shell) to the Apache Software Foundation, the upstream maintainer, rather than to the Chinese authorities first, MIIT responded by suspending Alibaba Cloud from its cyber-threat information-sharing partnership for six months. Such a rule gives the state early, privileged access to unpatched vulnerabilities, which is a concern from the perspective of coordinated disclosure. Yet, definitive conclusions about the effects of these cases on the Chinese government's cybersecurity strategies remain uncertain.

Meanwhile, China has implemented numerous domestic cybersecurity regulations, most notably the Cybersecurity Law that took effect in 2017. This legislation not only demands mandatory reporting of cyber incidents from critical infrastructure providers but also empowers Chinese authorities to carry out unannounced inspections of companies' network operations and to demand law enforcement access to companies' data (Wagner 2017). China also imposes stringent cybersecurity reviews (and even source-code audits) on foreign technology firms, such as Apple, that seek to enter the Chinese market. Although China has reinforced its own cybersecurity measures domestically, as seen in the 2021 Data Security Law, which builds on and tightens the Cybersecurity Law's framework, its commitment to enhancing global cybersecurity appears less pronounced. In essence, though China tightens its internal cybersecurity defenses, its approach to promoting a secure digital ecosystem abroad seems more aligned with China's broader national interests.

Furthermore, the Chinese approach is characterized by its domestic control over its citizenry and a strict protection of its digital and cyber sovereignty (Kurbalija 2016). Through the so-called "Great Firewall", China restricts access to Western information platforms and to any content it deems objectionable (Kurbalija 2016). And, building on the localization requirements of the 2017 Cybersecurity Law, since 2021 it mandates that personal and "important" data collected in China be stored on domestic servers and subjects cross-border data transfers to regulatory control. These provisions particularly target foreign companies and aim to keep the government's tight control over Chinese citizens' data. At the same time, the government has built up an encompassing surveillance architecture to monitor speech and to maintain social, as well as moral, control.

Nonetheless, significant concerns about data privacy also exist among Chinese consumers and, in response, the government has implemented several privacy measures, culminating in the 2021 GDPR-inspired Personal Information Protection Law (Roberts et al. 2021, 69; Sacks and Laskai 2019). However, these protections apply only to private and commercial data collection (including by foreign companies), with no comparable limitations for the public sector, which is arguably the greatest data collector in China (Roberts et al. 2021; Sacks and Laskai 2019). This could have considerable repercussions. Only a year after the new personal information law was passed, China experienced its largest known data breach: in 2022, the personal data of roughly one billion Chinese citizens, taken from a poorly secured Shanghai police database, was offered for sale online.

The described measures align with China's relatively weak history of privacy legislation, long marked by non-binding guidelines and numerous loopholes, such as the justified collection and use of data deemed of "significant public interest", a concept flexibly interpreted by the Chinese government (Roberts et al. 2021, 69). It also reveals a fundamentally different cultural and political understanding of data privacy as an object of consumer protection. Although the type of private data that should or should not be collected is contested in China (Roberts et al. 2021, 69), the motivation for privacy and consumer protection is informed by a prioritization of social stability and political security. This diverges significantly from the EU's rights-based approach to data privacy (Arcesati 2021).

Chinese data-privacy regulations also feature a largely internal orientation, regulating the data collection of companies within Chinese borders. However, data privacy is comparatively less regulated (or overseen) for Chinese firms operating abroad. For example, recent US class action lawsuits filed against Temu (a Chinese e-commerce company) allege that the Temu app extensively collects private data from users' devices without their knowledge or consent.

In sum, under the Chinese governance model, increasingly stricter data-privacy protection regulations are subject to national political objectives of social control and are strictly limited to the private sector. Similarly, although a mounting focus on cybersecurity provisions can be discerned, these provisions aim mostly at protecting Chinese digital sovereignty and less so at improving product security more generally.

Conclusion

Data privacy and cybersecurity (understood as software-product security in this blog post), are significantly shaped by the underlying digital-governance models.

The US model's continued promotion of the digital economy and reliance on industry self-regulation limits its efforts towards sound privacy and security provisions in the digital space. However, in connection with increased geopolitical tension and national security concerns, a shift towards a greater appetite for regulatory intervention can be noticed, in particular in regard to cybersecurity.

In contrast, the EU’s regulatory governance model is more effective in enhancing privacy in the digital space, and to a lesser extent cybersecurity (which might change with the passing of the CRA). Yet, the EU combines economic market safeguarding goals with liberal rights-based means to do so. The extent to which it can successfully balance both a commitment to universal rights and its economic objectives remains to be seen.

Lastly, the Chinese state-led model of governance with its strong focus on exerting control over the digital space, domestically as well as abroad, provides limited and conditional provisions for data privacy and security, despite greater regulatory output. Although data privacy has become stricter for private sector actors within China, it still enables tight governmental control over Chinese citizens via extensive data collection.

These governance models, in turn, are noticeably shaped, if not shifted, by increasing preoccupations with digital sovereignty, strategic autonomy, and national security. Both the EU and China have responded most clearly to the changing digital and geopolitical environment with regulatory measures, where the EU model has also undergone a significant shift from a liberal rights-based to a more hybrid model of digital governance (incorporating also EU market and geopolitical considerations). The US, as the dominant internet and technology player, has long relied on market instead of regulatory mechanisms, but gradual changes in its governance model also emerge as software product insecurity and lacking data privacy are increasingly perceived as harming national security interests.

Both the governance of data rights and cybersecurity reflect these changes, as this blog post has demonstrated. For the future of privacy and cybersecurity, this means that the landscape will likely continue to evolve with varying degrees of protection and openness, depending on the strategic and political priorities of these powerful regions.

 

The author would like to thank Stephanie Borg-Psaila, Matthias Finger and Jean-Pierre Hubaux for their valuable comments on this blog post.

 

References

Arcesati, R. (2021). “Lofty Principles, Conflicting Interests: AI Ethics and Governance in China.” Merics China Monitor. Berlin: Mercator Institute for China Studies.

Bradford, A. (2020). The Brussels Effect: How the European Union Rules the World. Oxford: Oxford University Press.

Bradford, A. (2023). Digital Empires: The Global Battle to Regulate Technology. Oxford: Oxford University Press.

Broeders, D., Cristiano, F. and M. Kaminska (2023). “In Search of Digital Sovereignty and Strategic Autonomy: Normative Power Europe to the Test of Its Geopolitical Ambitions.” Journal of Common Market Studies 61(5): 1261-1280.

European Commission (2024a). “The Digital Service Act package.” https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package. Accessed 13/02/2024

European Commission (2024b). "EU Cyber Resilience Act." https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act. Accessed 13/02/2024

Kurbalija, J. (2016). An Introduction to Internet Governance. 7th Edition. Geneva: Diplo Foundation.

Kurlantzick, J. and P. Lee Dorff (2020). "Assessing China's Digital Silk Road Initiative." Council on Foreign Relations. https://www.cfr.org/china-digital-silk-road/. Accessed 20/01/2024

Lamdan, S. (2023). Data Cartels. The Companies That Control and Monopolize our Information. Stanford: Stanford University Press.

Montero, J. and M. Finger (2021). The Rise of the New Network Industries: Regulating Digital Platforms. New York & London: Routledge.

Pannier, A. (ed.) (2023). The Technology Policies of Digital Middle Powers. Études de l’Ifri, Paris: Ifri – Institut Français des Relations Internationales.

Roberts, H., Cowls, J., Morley, J., Taddeo, M., Wang, V. and L. Floridi (2021). “The Chinese approach to artificial intelligence: an analysis of policy, ethics, and regulation.” AI & Society, 36: 57-77.

Sacks, S. and L. Laskai (2019). "China is having an unexpected privacy awakening." Slate. https://slate.com/technology/2019/02/china-consumer-data-protection-privacy-surveillance.html. Accessed 21/01/2024

Schneier, B. (2018). Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. New York; London: W.W. Norton & Company.

Susskind, J. (2022). The Digital Republic: On Freedom and Democracy in the 21st Century. London: Bloomsbury.

Teleanu, S. (2021). The Geopolitics of Digital Standards: China's Role in Standard-Setting Organisations. Geneva: Diplo Foundation.

Wagner, J. (2017). “China’s Cybersecurity Law: What You Need to Know.” The Diplomat. https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/. Accessed 13/02/2024

World Economic Forum (2023). “The European Union’s Artificial Intelligence Act, explained.” https://www.weforum.org/agenda/2023/06/european-union-ai-act-explained/. Accessed 13/02/2024

 

[1] Although there are also a number of rising "digital middle powers" such as India, Brazil, Israel, Japan, and South Korea, their approaches to digital governance are (currently) often far less coherent and influential and hence not the focal point of this discussion.

[2] Of course, cybersecurity can be discussed more directly in the context of cyberwarfare. Likewise, disinformation campaigns can also be considered part of the common “cybersecurity” concerns. However, in the interest of a focused discussion, these two topics won’t be further developed here.

[3] The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit international organization responsible for managing and coordinating the internet’s Domain Name System (DNS).

[4] The Internet Assigned Numbers Authority (IANA) is an organization responsible for overseeing the allocation of global IP (Internet Protocol) addresses, managing the DNS root zone, and administering system names and numbers for protocol designation.

[5] It should be noted that, meanwhile, several US states have passed their own data protection laws, such as California, Colorado, Florida, and Virginia.