Wong Shue-teung, a retired insurance salesman from the U.S. city of Oakland, California, normally leaves his phone at home when he goes out. He gets robocalls and doesn’t know whether his movements are tracked on the internet.
“Hard to say,” the 73-year-old said one weekday morning while reading a newspaper in the atrium of a downtown high rise. “You’re using Facebook and whatever. You don’t know who might be listening. I don’t really carry my phone around. I have it on voicemail plugged in at home. I don’t want to answer the phone.”
Wong, like other typical American phone and PC users, is worried about tech companies surreptitiously collecting his personal data and misusing it. The United States lacks a sweeping nationwide law that limits the ways internet content providers collect and reuse people’s data.
Some states have their own internet laws, but tech firms and consumers want more uniform federal regulations to ease the “contradictory and sometimes competing requirements” of today’s rules, the think tank Council on Foreign Relations says.
The European Union and China have both established internet regulations addressing online data collection and privacy. While the U.S. is probably more familiar with the EU’s effort, it may well benefit by also studying China’s approach.
Europe vs. China regulation
On Thursday, the EU reached a deal called the Digital Markets Act, with regulations “to limit the market power” of tech giants and ensure “that combining personal data for targeted advertising will only be allowed with explicit consent to the gatekeeper,” meaning large tech platforms such as Apple, Meta, Google, Amazon and Microsoft. The new rules still need the approval of both the parliament and council.
China, however, is already curbing the collection of user data for commercial gain. On March 1, a law targeting algorithms took effect in China. Internet-based companies worldwide use recommendation algorithms driven by artificial intelligence, or AI, to sell goods and services based on a user’s personal browsing history. The Internet Information Service Algorithms Recommendation Management Regulations call for user consent before a website owner applies these algorithms.
The law follows Beijing’s regulation of the type of information that can be collected on the internet. In November, the Personal Information Protection Law took effect. It requires data handlers to get a person’s approval before collecting, storing, transferring or reusing data that could identify that person.
The law aims particularly at protecting children under age 14 by requiring parental consent for any data collection.
“I feel all companies, whether they are Chinese companies or American companies, should restrict the kind of data they collect and be more transparent about the data they collect, although they should provide ways for their users to reject a certain kind of data collection,” said Wang Yaqiu, New York-based senior China researcher with the advocacy group Human Rights Watch.
In the United States, half the population believes personal information is less secure now than five years ago, the Council on Foreign Relations estimates. A “lull” in Facebook’s popularity reflects this sentiment as the social media service steers users to make certain choices for the benefit of advertisers, said Graham Webster, editor in chief of the DigiChina Project at the Stanford University Cyber Policy Center.
Wang said that in China, netizens have become angry enough to sue. She expects Chinese internet firms will “toe the line.”
Not quite a match
U.S.-based internet service providers, their users and the country’s regulators, however, are likely to study China’s laws with as much suspicion as admiration, analysts say.
“The United States doesn’t have that (law), so many people are watching what China’s doing to see what works and also to see what might cause trouble both for regular business interests or for human rights or other issues,” Webster said.
China leads the world by creating a “thorough and all-angles regime” to regulate data, cybersecurity and innovation, Webster said. Authorities stepped up regulation of internet companies in mid-to-late 2021 to stop what they called abuse of user data and monopolistic business practices.
China’s data protection mandates could ruffle American internet companies because of tough data localization clauses, said Nigel Cory, associate director covering trade policy at the Information Technology and Innovation Foundation, a Washington-based research institute. American tech firms such as Microsoft remain active in China, though some heavyweight American peers have left, including Yahoo and LinkedIn.
The Chinese law, unlike those in other countries, still allows the government free access to personal data, Cory added.
“This is a foundational issue in global data governance as there can be no genuine privacy or data protection if such rules do not apply to the government,” he said.
China’s law remains a broad overarching document rather than a precise set of rules, said Danny Levinson, a China-based technology and cybersecurity expert. He said that status leaves questions about enforcement.
“China’s previously promulgated Cybersecurity Law covers some of the same issues, but here it’s both more specific to cover a certain demographic while still retaining the good vagueness that a law like this in China typically contains,” Levinson said. The Cybersecurity Law of 2021 also sets out to protect national security through the collection and usage of data.
The Chinese data privacy law was modeled after the European Union’s 4-year-old General Data Protection Regulation, which covers companies based anywhere that do online business in EU countries
Some Americans who know about Europe’s law may not know as much, or anything, about China’s. Many want the U.S. government to come out with its own regulations.
“The U.S. does need a stronger law for data protection because a lot of companies that collect our data and use it. They don’t really specify exactly how they’re using it,” said Carlo Gaytan, a senior at the San Francisco Bay Area high school Alameda Science & Technology Institute. He believes young people are being harmed by Facebook’s algorithms.
His colleague Moira Shur advocates learning from the EU law — and keeping real names as well as selfies off the public internet. “I think it would be pretty useful if we had a law like the EU does, where you have to consent to your data being used,” she said. “They can’t just use it and sell it without your explicit permission.”