What happens in China stays in China—at least that’s what Chinese law says when it comes to data. On January 1, China announced amendments to its Cybersecurity Law which pose significant risks for foreign companies doing business in or with China. The amendments implicitly challenge the Trump administration’s policies of opposing foreign laws that restrict cross-border data flows. As I recently testified before Congress, China’s “Legal Great Wall” that poses a risk to Americans and firms doing business in China or with PRC-based entities. Countering China’s aggressive data sovereignty laws is an important step in protecting U.S. citizens and businesses from authoritarian overreach.
China’s Cybersecurity And Data Sovereignty Laws Raise The Stakes For Foreign Firms
The Trump administration has placed a high priority on ensuring free cross-border data flows and opposing foreign legal regimes that limit them. The administration has cited the importance of cross-border data flows for the development of AI, for winning technology competition with China, and promoting U.S. business interests abroad. Because the development of large AI models requires huge and diverse datasets for training and inference, U.S. tech companies have expressed concerns with data sovereignty. Data localization mandates typically require that data collected from citizens or businesses of a country, or data collected within a country, be stored and processed only within that country. Such laws fragment the global data pools that U.S. AI companies depend upon to grow, and require costly infrastructure and onerous legal compliance requirements. An early executive order on “Defending American Companies from Overseas Extortion and Unfair Fines and Penalties” specifically called out foreign legal regimes that limit cross-border data flows as violating American sovereignty limiting American companies’ global competitiveness, and increasing operational costs while exposing sensitive information. The Trump Administration appears poised to aggressively protect the interests of American businesses by opposing these foreign laws.
China Is Spreading Its Data Sovereignty Model
The U.S. is also concerned that China is exporting authoritarianism through its restrictive cyber and data laws. China has been offering infrastructure deals across the developing world through its Belt and Road and Digital Silk Road initiatives. In doing so, China exports its data regimes and Chinese technology that supports authoritarian aims. China’s foundational AI model is DeepSeek, which suppresses information that China does not want users to see, such as mention of the Tiananmen Square massacre, and presents Chinese Communist Party views as fact. China is not just exporting tech—it is exporting a worldview that undermines freedom.
China’s Lawfare Through Data Sovereignty, Cybersecurity, And Tech Regulation
China’s strategic use of its cyber and tech laws to achieve geopolitical influence is a form of its legal warfare, (or “lawfare”). China has built what it calls a “Legal Great Wall,” more than 20 laws passed in recent years for national security purposes, many of which have extraterritorial effects or provide a veneer of legitimacy for unlawful Chinese actions abroad. The National Counterintelligence and Security Center of the Office of the Director of National Intelligence has published a list of eight such laws that pose risks to Americans doing business with Chinese entities.
China’s Core Data Sovereignty Toolkit: Cybersecurity Law, Data Security Law, And Personal Information Protection Law
The laws expand China’s oversight of foreign companies and increase China’s control over their data. China has also applied its data protection laws to obstruct the rights of American businesses and individuals. China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL) provide tight data localization restrictions and harsh penalties. The PIPL authorizes China to collect personal data for actions “in the public interest,” requires companies to comply with privacy reviews, controls handling of personal data within and outside mainland China when companies provide products or services to persons within China, and restricts the ability of companies operating within China to collect and retain personal data. It also authorizes China to collect personal data for actions it determines to be in the public interest. The Data Security Law subjects cross-border data flows to strict regulatory requirements and positions China to control or deny cross-border data transfers.
YIWU, CHINA – FEBRUARY 28: A foreign merchant takes a video at the Global Digital Trade Center on February 28, 2026 in Yiwu, Jinhua, Zhejiang Province of China. Merchants on February 28 kicked off the first business day of the Year of the Horse as the Yiwu International Trade City and the Global Digital Trade Center in Yiwu. New amendments to China’s Cybersecurity Law, designed to protect its data sovereignty, will affect what happens to the video on this smartphone. (Photo by Lyu Bin/VCG via Getty Images)
VCG via Getty Images
New amendments to China’s Cybersecurity Law that came into effect on January 1 compound these concerns. The law significantly increased financial penalties for violations. Most concerningly, it broadened extraterritorial reach beyond critical infrastructure to cover any overseas activity that endangers China’s cybersecurity and causes serious consequences in China. Previously, Chinese authorities could only prosecute overseas actors threatening critical infrastructure. Now, any overseas activity by a U.S. corporation—including a parent company, cloud provider, or third-party vendor—that China deems to endanger its cybersecurity could trigger sanctions, asset freezes, and penalties. This could apply even to corporations with no physical presence in China. China’s Legal Great Wall could also threaten litigation involving U.S. companies by shielding data from discovery. So far, U.S. courts have rejected attempts by Chinese businesses to refuse discovery requests based on these laws, but motions to do so stall proceedings, hampering resolution of business disputes.
How The Public And Private Sectors Can Counter China’s Aggressive Data Sovereignty Laws
China’s lawfare in the cyber and tech domains presents a strategic threat to the United States. China’s data sovereignty laws threaten the free flow of information critical to the exercise of First Amendment rights and on which the U.S. economy thrives. The U.S. should continue to develop the Global Cross-Border Privacy Rules Forum, a group established in 2022 by the U.S., Mexico, Canada, Australia, Japan, and others “to support the free flow of data and effective data protection and privacy globally.” In addition to working with the Forum, the U.S. should also work with allies and partners to educate countries about the risk of Chinese tech, and to provide low-cost alternatives to the repressive technologies that China is peddling abroad. Collaboration with the private sector will be essential to achieve these goals, and to ensure that Americans do not get ensnared in China’s data sovereignty trap.
Leave a comment