Data security governance has become a global priority amid rising competition over data resources, with the U.S., EU, and China adopting distinct models: the U.S. favors a market-driven, security-conscious approach with public-private cooperation; the EU relies on strict regulatory frameworks like the GDPR; and China enforces centralized, party-led oversight. Despite their differences, all three aim to strengthen data security within their respective systems.
“Data is more valuable than gold and AI is more dangerous than nuclear weapons.”
— Elon Musk, CEO of Tesla
Data, as a key resource in the digital economy era, holds significant strategic importance for economic development and national security. However, data security issues have sparked global discussions, leading to the emergence of three distinct governance models in the United States, China, and the European Union (EU). These models reflect the tension between "development and security," shaped by each region's national conditions and priorities.
The U.S. Model: Free Flow with National Security Focus
As the world's leading superpower, the U.S. is home to tech giants like Google, Microsoft, Apple, and Amazon. Since 1998, the U.S. Department of Commerce has published annual reports on the digital economy, focusing on industries such as big data, AI, and blockchain. However, the U.S. also faces significant digital security risks, with data security being the largest threat to its digital economy. To maintain its competitive edge, the U.S. emphasizes free data flow and fair competition.
The U.S. follows a governance philosophy of national security first, particularly in protecting sensitive personal and government-related data. For example, in February 2024, then-President Biden signed Executive Order No. 14117, “Preventing Adversary Nations from Acquiring Bulk Sensitive Personal Data and U.S. Government-related Data of United States Persons.” This order restricts U.S. citizens from conducting specific data transactions with entities linked to adversarial nations, including China. The U.S. Department of Justice further detailed these measures, proposing prohibited transaction categories, defining sensitive data, and outlining exemption procedures. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) introduced stringent regulations to prevent hostile nations from accessing sensitive U.S. data.
Public-private partnerships (PPPs) are a cornerstone of U.S. data security governance, bridging the gap between regulatory oversight and industry innovation. Through collaborative frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the federal government works closely with the private sector to develop practical and adaptable security standards. Initiatives such as the CISA Joint Cyber Defense Collaborative further enhance this cooperation by facilitating real-time information sharing and coordinated responses to cyber threats. These partnerships not only strengthen the nation’s cyber resilience but also ensure that regulatory measures align with the evolving needs of the digital economy. By leveraging the expertise and resources of both sectors, PPPs enable the U.S. to maintain a secure yet dynamic data environment, fostering innovation while safeguarding critical infrastructure.
Domestically, the U.S. strongly advocates for free data flow and opposes data localization, reflecting its commitment to maintaining a competitive edge in the global digital economy. Through legislation such as the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the California Consumer Privacy Act (CCPA), the federal government minimizes restrictions on data storage and location, ensuring U.S. data hegemony. These policies create a regulatory environment that encourages digital platforms to leverage big data for commercial analysis, driving innovation and fostering the growth of tech giants like OpenAI and Google.
(Figure: The U.S. Magnificent 7)
The EU Model: Regulation and Digital Sovereignty
While the EU is a leader in the global digital economy, it lacks dominant digital companies, prompting a focus on regulatory frameworks to enhance competitiveness. In February 2020, the EU released “A European Strategy for Data,” aiming to strengthen Europe's "digital sovereignty" and promote sustainable growth in its digital market. Unlike the U.S., the EU prioritizes personal autonomy and human dignity, integrating individual empowerment with algorithm control.
The EU established the European Data Protection Board (EDPB) in 2022 to coordinate data security efforts across member states, advocating strong, government-led supervision. The EDPB ensures uniform implementation of the General Data Protection Regulation (GDPR), resolves disputes, and guides cooperation among national data protection agencies. The European Data Protection Supervisor (EDPS) enforces data protection laws, regulating data controllers, processors, and subjects. The GDPR enforces strict penalties for non-compliance: organizations that violate its rules can face fines of up to €20 million or 4% of their global annual revenue, whichever is higher. For example, in 2021, Amazon was fined €746 million for improper data processing practices. Additionally, the GDPR mandates corrective actions, such as improving data protection measures or halting data transfers. These penalties aim to ensure accountability and protect individuals' privacy rights across the EU.
The EU employs extra-territorial regulation, also known as long-arm jurisdiction, to exert strict control over data generated within its borders: foreign companies must store this data on cloud servers within the EU, which restricts the flow of data from the EU to the outside. Even companies without EU-based operations must adhere to these regulations when processing the data of EU citizens or businesses. As a result, foreign companies are forced to store data in Europe, the free flow or transmission of data across borders to foreign countries is prevented, cloud providers are driven to take security measures that protect customer data from access by foreign governments, and the cost of data compliance for foreign companies operating in the EU rises.
The GDPR, in force since 2018, is the world's strictest data security framework. It grants individuals the rights to access, correct, and delete their data, while requiring companies to explain automated decision-making processes. The GDPR also introduces the "right to be forgotten" and data portability, enhancing individual control over personal data. In June 2022, the EU introduced the Digital Governance Act (DGA), emphasizing the openness of non-personal data and promoting data circulation within the EU's single market. Together, the GDPR and DGA form the cornerstone of the EU’s approach to data governance, ensuring robust protections for cross-border data flows and reinforcing Europe’s digital sovereignty.
China’s Model: Balancing Security and Development
Unlike the two extreme models, China has leveraged its institutional advantages to explore a uniquely Chinese model of data security governance. China has taken a dual approach: on one hand, it has established a series of institutions and regulations that prioritize data security, focusing on cross-border data flows, personal privacy protection, and AI risks; on the other hand, it emphasizes the role of market participants in driving digital innovation, encouraging platform enterprises and government departments to open up data, thereby making development a key priority. Specifically:
China’s data security oversight involves party-led, multi-departmental regulation, including central and local regulatory units. Central agencies, like the National Security Bureau, enforce strict controls on issues involving national interests, while local units, such as provincial Cybersecurity and Information Offices, handle regional data security incidents. The central vertical regulatory units are directly overseen by the central government and are characterized by their non-territorial, vertical, and relatively independent nature, resulting in stronger regulatory enforcement.
China has enacted the “3 Laws + 1 Regulation,” namely the Data Security Law, the Cybersecurity Law, the Personal Information Protection Law, and the Regulation on the Security Protection of Critical Information Infrastructure. These laws balance data security with development, addressing issues like cross-border data flows and personal privacy. Additionally, sector-specific measures, such as the Interim Measures for Data Security Management in the Industrial and Information Technology Sectors, further strengthen China’s data security framework. Furthermore, various central functional departments have issued specific management measures to maintain data security.
China’s vast data resources are a key advantage in its digital economy. The National Bureau of Statistics has integrated data-driven industries into the new generation of electronic information sectors, unlocking economic potential. However, the scale of data also poses risks, necessitating measures like the “Three-Year Action Plan for 'Data Elements ×' (2024-2026)” to enhance data security and promote cross-border regulation in sectors like finance and healthcare. This involves developing local standards for cross-border data security filing, classification and grading, supervision and inspection, and security assessment. For example, under the "Guangdong Province Data Element Marketization Reform Action Plan" and the "Notice from the General Office of the Guangdong Provincial Government on Conducting Pilot Work Related to Data Element Marketization Reform," guidelines for the pilot work of Qianhai data brokers (trial areas) and supporting systems have been formulated.