Author's Response: Reactions to Trafficking Data Reflect Debates about Global Data Security Risk

Abstract

Author's Response:Reactions to Trafficking Data Reflect Debates about Global Data Security Risk Aynne Kokas (bio) Global data governance is highly fragmented, and policy debates about it reflect intense disagreements about the expected role of corporations, the state, and civil society. The impact of data governance practices remains unsettled both within and across nations. Most central to these policy debates, and at the core of how new technologies develop domestically and internationally, is the notion of what constitutes risk and how best to prevent or mitigate it—by either taking a precautionary approach to data governance or attempting to abate data governance problems once they occur. I feel fortunate to engage in this debate. A major focus of my book Trafficking Data: How China Is Winning the Battle for Digital Sovereignty is on how the United States, China, and other developed digital economies perceive and respond to risks differently. Whereas Trafficking Data urges a precautionary approach, the reviews of this book reflect the robust debate about when and how to address the risks inherent in our increasingly digital world. I want to thank Emily S. Weinstein, Kendra Schaefer, Paul Triolo, and Asia Policy for the opportunity to engage on the book's themes with thinkers from the academic research, consulting, and think tank worlds. The issues that Trafficking Data raises concern many people, from journalists and regulators to investors and everyday citizens. Writing about U.S.-China relations in the current moment presents a challenge due, at least in part, to heightened domestic tensions in both countries. Using critiques of the United States' data governance system first, followed by critiques of China's approach, Trafficking Data argues that both approaches exploit users in their own distinctive ways. Indeed, interactions between the tech and data oversight practices of China and the United States present a worst-case scenario for users globally. [End Page 175] One area of seeming agreement among all three reviewers and the book is the importance of more comprehensive data oversight in the United States. Disagreement about what this might look like and the appropriate level of risk underscores one of the central points of the book and, indeed, in contemporary debates about data governance: Should countries follow an approach based on risk regulation or precautionary principles when responding to data gathering, integration, and movement?1 That is, does it make more sense to prepare for potential harm or to make policies that respond to harms that have already occurred or are knowable? This is not just a difference among specialists on China's tech policy; it is a raging debate among tech analysts more broadly. Policymakers that rely on the precautionary principle, which is most common in European lawmaking, do not wait for harm to happen or for uncertainty to be resolved.2 Rather, this approach recommends, at minimum, to avoid inaction on potential risks and, at maximum, to regulate "until it is clear that there is no danger of serious harm."3 In Japan, Australia, India, and other U.S. allies and partners, there are also clear policy efforts in place to address risks of data transfer with precaution. In contrast, risk-based regulation, which is more common in the U.S. context and responsible for the current U.S. regime of surveillance capitalism, is more accepting of both known and unknown risks in exchange for economic and social benefits.4 In the book's introduction, it is no coincidence that I discuss data trafficking in relation to climate policy, one of the areas that pioneered precautionary policymaking. In climate policy, Europe, Japan, Australia, and other U.S. allies and partners have also taken a different path from the United States, acting to protect their citizens from risks rather than waiting for those risks to materialize before pursuing mitigation. This debate between precautionary and risk-based regulation in data oversight is at the core of not just U.S.-China tech relations but how the United States and other countries respond to a whole host of new technologies, from generative artificial intelligence to bioengineering, in which risks are significant but unpredictable. Although I appreciate points from two of the reviewers that the full risks posed...