An Excellent Point Lost in Execution

I n Trafficking Data: How China Is Winning the Battle for Digital Sovereignty, Aynne Kokas does what so many books addressing China’s data governance regime fail to do: she urges U.S. policymakers to “look to thine own house first.” This book’s key argument is that the failure of U.S. policymakers to pass federal, cross-sector legislation protecting the data of U.S. citizens leaves the door open for any malicious actor—state-sponsored or otherwise—to abuse and exfiltrate it. Without a federal data privacy law or a centralized, cross-agency, and cross-sector framework for oversight of data security, U.S. government bodies seeking to protect the privacy of their citizens from competing countries are left combating threats on a whack-a-mole, case-by-case basis, which is both ineffective and ultimately unsustainable. Trafficking Data successfully draws attention to these important issues and highlights a multitude of gaps in the current U.S. policy approach that are worthy of consideration by policymakers. However, Trafficking Data is less successful in accurately describing the nuances of China’s data and network policy, the mechanisms through which the Chinese state and private actors collect and employ data, and the structure and functions of the Chinese government. The result is that the specific nature of the threat presented by data trafficking may be misrepresented. One such misrepresentation made repeatedly is that China’s 2017 Cybersecurity Law requires “Chinese or foreign firms operating in China [to] legally store their data in Chinese government-run servers” (p. 4, also pp. 51 and 209). For example, the book notes: