Duncan J. McCampbell (duncan.mccampbell@metrostate.edu) is an American lawyer and Associate Professor of international business and law at Metropolitan State University, Minneapolis, Minnesota, USA.
Companies doing business in China have learned to ride loosely in the saddle, scanning the legal and regulatory horizon for course corrections required by new laws and other government actions affecting their business. For Chinese compliance professionals, 2021 will be remembered as a year of extraordinary challenge.
This article examines a distinct and growing area of compliance undergoing rapid change, not only in China but all around the world: data protection and digital sovereignty.
Many national governments have created laws aimed at protecting citizens’ personal privacy in cyberspace. The European Union (EU)—a regional government—is seen as a leader, not just in matters of data privacy but in advancing the idea of digital sovereignty. This is the notion that national or regional governments have an interest in actively regulating the use, storage, or transmission of data originating within their borders. The EU General Data Protection Regulation (GDPR) requires businesses—regardless of their physical location—to comply with the law when interacting with all “natural persons” under EU law. Businesses must grant users ultimate control over their data by explaining how the data will be processed, allowing persons to opt out of data gathering, or allowing them to delete personal data that was gathered in the past.
When data protection laws reach beyond matters of privacy and personal data protection to also take in national interests, however, we begin to enter the realm of digital sovereignty. Some governments are increasingly viewing data as both a valuable asset to be protected and a vulnerability to be managed, so they are seeking to regulate cross-border data transfers, establishing new compliance challenges for businesses.