The corporate cultivation of digital resignation in policymaking: How weak US regulations enable data trafficking to China

Discussions of digital resignation (Draper and Turow, 2019; Draper and Turow, 2017), focus on the relationship between users and corporations that gather and exploit their data in exchange for services. This paper extends Draper and Turow's framework to apply to the laissez-faire regulatory attitudes toward user data protection in the US that undergird Silicon Valley's rise to power through surveillance capitalism, particularly in relation to China (Zuboff, 2019). Corporate cultivation of digital resignation exists not just as part of the user experience, but in the way that US-based companies position digital resignation as continued innovation, rejecting precautionary measures for data protection. Where the corporate cultivation of digital resignation occurs through marketing campaigns directed toward users, the corporate regulatory affairs sector directs its lobbying efforts toward shaping digital resignation among policymakers.

US digital policymakers extend digital resignation by opting for risk-based regulatory approaches. Risk-based approaches rely on consumers or policymakers demonstrating the harms of specific technologies (Kaminski, 2022). By prioritizing market growth and risk-based approaches to digital regulation over consumer data rights, the US government increases the barriers that individual consumers need to cross to address harms associated with their use of technology. Not only does this corporate-cultivated risk-based approach limit the effectiveness of digital governance in the US, it also shapes the global flow of the data for users, often without their full knowledge or consent. This commentary will focus on how the corporate cultivation of digital resignation occurs not just among users but in US data oversight. Such lax US government oversight interacts with extra-territorial Chinese digital oversight to enable data trafficking, the movement of commercial user data across borders for political gain (Kokas, 2022).

In contrast with the risk-based regulatory approach in the United States, which requires users and/or policymakers to demonstrate harms to remediate after they have occurred, China, like the European Union, deploys a precautionary approach in its digital regulations (Gellert, 2015). Precautionary oversight empowers regulators to implement laws and regulations that anticipate harms to users or the government. Users in the US rely on the idea that corporations exploit their data grounded in a system of weak US digital oversight. However, the assumption of weak digital oversight does not bear out internationally. Firms with operations in China face much more stringent data-sharing requirements with the Chinese government. What this means in practice is that assumptions by US-based users about government access to their user data fail to consider differing global pressures on corporations. Thus, the corporate cultivation of digital resignation is not just the absence of domestic oversight, but from the presence of other forms of global oversight in its place.

The Chinese government paradoxically draws on a long tradition of US-based tech firms undermining and exploiting other countries for commercial gain by asserting its national power through corporations based in the People's Republic of China (PRC). Such data trafficking occurs in the US with the aid of the laws and policies enabled by the corporate cultivation of digital resignation. The Chinese government also legalized government access to corporate data. It asserts national security interests extraterritorially via tech platforms while also supporting the growth of Chinese tech firms. Together, laissez-faire digital oversight in the United States paired with extensive government oversight in China increase the odds that citizens’ data will be moved across international borders without those citizens’ consent, violating another country's sovereignty. Such transfers of data constitute data trafficking (Kokas, 2022).

Both the US and Chinese systems exploit users in their own ways. In the US, users have limited protection from corporate data exploitation. In China, enhanced protection from corporate data oversight through mechanisms like the precautionary-based Personal Information Protection Law, still enables extensive government data access. Neither model is desirable as a way to protect user data, but when combined in global systems of data movement, they create a race to the bottom in user data protection.

In China, the building of a national data corpus for governance, also described as a data state (Cheung and Chen, 2021) reflects the government cultivation of digital resignation (Ollier-Malaterre, 2024) among citizenry (Kokas, 2022). Whereas Chinese laws offer much more protection for users from corporate data exploitation than US laws do (Maranto, 2020), the Chinese government retains much more access to the user data of Chinese nationals, and also much more significant access to the user data of individuals outside of China due to carve out requirements in China's Data Security Law (National People's Congress, 2021b) and the Hong Kong National Security Law (Xinhua, 2020). Such practices become particularly important in the case of governments like China's, where regulators are expanding digital borders through a wide range of policy measures including national security data audits for firms operating outside of China.

In paralell with expansive Chinese government data access, here I argue that digital resignation is part of the data security enforcement vacuum in national and state-level policymaking in the United States. It further contributes to an environment of global data extraction through laws and policies that are currently being pioneered by the Chinese government. As Trafficking Data (Kokas, 2022) argues, the foundation of data exploitation that built Silicon Valley is the same one that enables data-gathering by Chinese firms with close ties to the Chinese government operating in the United States. The US lacks the same clarity in defining digital sovereignty, or what scholar Johannes Thumfart characterizes as “national control over digital phenomena,” operating at the intersection of digitization, securitization, and practices of bordering (Thumfart, 2022). Thumfart notes that the idea takes on different valences in different political contexts. The US relied on its role as a digital hegemon to set international norms related to how companies gather data, particularly through the period of the Snowden revelations in 2013 (Mueller, 2017). US-based global tech firms have exploited the national data of other countries, some of whom have developed digital borders to protect their users from Silicon Valley firms (Roberts et al., 2021; Mann and Daly, 2020; DeNardis, 2014). Yet, US regulations surrounding user data lack the comprehensiveness of other developed democracies like the EU and Australia have, despite the US having built key early internet infrastructure (Mueller, 2017; Mueller and Badiei, 2016).

In contrast, the Chinese government, rather than relying on its power to use corporations to assert norms, increased global legal oversight with both national and international implications on the relationship between digital resources connected to China and the State. China's version of digital sovereignty is referred to in Chinese legal texts as network sovereignty or cyber sovereignty. Through discourse analysis of 397 Chinese government commentaries, speeches, and interviews, scholars Yu Hong and G. Thomas Goodnight argue that the Chinese government considers cyber sovereignty to be a “domestic authoritative structure for demarcating control over activities within and across borders” (Hong and Goodnight, 2020, p. 16). China's exercise of cyber sovereignty includes a range of extraterritorial laws. The Personal Information Protection Law regulates the use of personal data by all companies operating in China, including by international businesses (National People's Congress (2021a). The Hong Kong National Security Law subjects individuals around the world subject to national security oversight for their actions, including online behavior (Xinhua, 2020). Finally, China's Data Security Law makes all companies operating in China subject to oversight of their data through national security audits (National People's Congress, 2021b).

The interaction between weak US laws regarding digital sovereignty and expansive Chinese laws underscores the intersection of digital resignation and digital sovereignty. When regulations fail to take a global view of user data, users become subject not just to corporate datafication, but also subject to the global oversight of foreign governments. Corporations have cultivated the patchwork nature of US digital policymaking in parallel with the cultivation of digital resignation among users, with global, not just domestic, implications. Just as with terms of service that overwhelm users or privacy settings that create a Sisyphean journey for any user to keep up with, data governance in the US alternates between being fragmented and being expansive, yet under-resourced. Three key areas of oversight - sector-based solutions, under-resourced national oversight, and corporate bans - reflect both the overall structure of US data regulations and its major failings. Below I highlight key examples of each of these approaches to oversight to contrast them with China's national and international data oversight frameworks through the Personal Information Protection Law, the Data Security Law, and the Hong Kong National Security Law.

Sector-based solutions were among the earliest approaches to managing data security in a US context. Federal sector-based solutions have received the most attention and are the most long-standing. HIPAA, or the Health Insurance Portability and Accountability Act, is one of the most longstanding mechanisms for user data protection. The act protects personal health information (PHI) collected by “covered entities,” including insurers, employer-sponsored health plans, and medical providers (Gellert, 2015; Winter and Davidson, 2019). With a few exceptions, the law does not include other key entities that gather user health data, including smart devices, DNA testing firms, or biometric markers gathered by social media platforms.

In contrast, biodata oversight in China includes both nationwide oversight of user data in general, and of health data, in particular. China's Personal Information Protection Law offers comprehensive oversight over how health data generated by users and providers can be deployed across any context where they might be processed in China (National People's Congress, 2021a). Such laws preclude strict private sector development of health-based digital products without government oversight. In contrast, in the US context, such gaps have created entire new markets for products in the insurance and smart device industries.

COPPA, or the US Child Online Privacy Protection Act, further underscores how the limitations of sector-based digital policymaking limit policymaking (Federal Trade Commission, 2013). COPPA requires consent for children under 13 to use certain websites and consent to data gathering. Here, corporate and government cultivation of digital resignation also dovetail. First, the mechanisms for identity verification offered by corporations - and accepted under COPPA - make the act easy to circumvent. Who has not seen a child under the age of 13 verify that they can use a piece of technology they are old enough for? The second factor is the disjunction between the age of consent for using data-greedy online tools and the age of consent for most other activities. Children are being asked to consent to participate in a world demanding maturity beyond their years, a phenomenon further underscored by reporting from Facebook whistleblower Frances Haugen that the company understood the toxic effects of its app on teen girls but persisted with its product offerings (Allyn, 2021). Finally, the law assumes that parents would not violate the digital privacy of their children online through “sharenting,” or sharing representations of one's children (or one's own parenting) online (Blum-Ross and Livingstone, 2017; Ranzini et al., 2020).

COPPA stands in stark contrast to China's personal information protection law, which offers more stringent protections. PIPL processes information from all users across all firms that gather data in China. Further, the Cyberspace Administration of China has proposed banning mobile device Internet use by anyone under 18 years of age from 10 pm to 6 am (Yang, 2023), a prospect which would be untenable for US national regulators following corporate cultivation of digital resignation among users. Certain states like Louisiana (Schlegel, 2023) and California (Wicks and Cunningham, 2022) have tried to expand age verification for children using online services. While important steps toward protecting user data, both laws underscore the fragmentation of US digital policymaking and the challenging environment for passing legislation. The Louisiana act remains in place, but a judge blocked the California act (Lima, 2023). Similar Federal legislation remains stalled. As the Chinese government expresses intense skepticism about the potential damage online platforms can do to minors, Chinese firms continue to gather user data in countries like the United States with weak digital oversight.

Similarly, the scope of regional-level agreements differs. At the state level, the California Consumer Privacy Act, which took effect in 2020, exemplifies how the shared corporate and government cultivation of digital resignation work in tandem. Corporations have limited incentive to comply with the act's requirements to share any data that company has gathered about a consumer, and consumers must go through the complicated and disempowering legal process of suing if the company violates privacy guidelines - even in the absence of a data breach (California State Assembly, 2018). The act's opaque requirements for ways that consumers can access their user data have created a cottage industry of frustrating ways for users to protect their data - from unanswered request lines to failed lawsuits (McPherson et al., 2023; Rob, 2021). Yet the act's mechanism for enforcement - lawsuits by individuals - puts up an additional barrier for citizens whose data has been breached. In addition to being responsible for identifying the breach and contacting the firm through difficult-to-access tools, citizens must also suffer the considerable time and resource demands of a lawsuit to gain full protection under the law. In this case, the issue is not what firms are doing, but how it interacts with what governments are not.

Hong Kong's National Security Law, China's landmark sector-based law that applies to data oversight, presents a stricter reading of national security-related data exploitation than national regulations. Further, rather than apply to only Hong Kong, or even China, the law applies extraterritorially (National People's Congress, 2021a, 2021b). As with sector-, age-, and risk-based digital oversight, this expansive vision of what constitutes the digital realm of the state impacts not only users in Hong Kong, but also users in the US. The scope of digital resignation allowable under California's privacy laws, fails to offer any protection against the expansive scope of Hong Kong's laws.

The US approach to digital oversight has long benefited the US tech sector – firms in the US grew without comprehensive oversight. In contrast, China's digital oversight offers a much more comprehensive view of what constitutes data that is worthy of protection and oversight – and should be shielded from commercial exploitation.

Other countries and regions provide examples, however imperfect, of ways to offer more comprehensive data protection frameworks to protect users and communities. In the European Union, the Digital Services Act, passed in 2022, seeks to manage the systemic effects of data gathered by online intermediaries and platforms to protect the public interest. In Korea, three laws (the Act on the Promotion of Information and Communications Network Utilization and Information Protection, and the Credit Information Use and Protection Act) were amended in 2020 to protect and guide the use of personal data commercially (Lima, 2023). Even in China, the 2022 draft regulation on recommendation algorithms creates requirements that tech firms do not “endanger national security or the public interest (Cyberspace Administration of China, 2021; Ross et al., 2021).” 

Improved engagement at a regulatory level could draw upon the adoption of what “stabilization wedges” in the context of technology regulation, an idea borrowed from Pacala and Socolow's landmark research on climate change (2004), that advocates for the adoption of pre-existing best practices that make global data flows more predictable and transparent (Kokas, 2022). Drawn from the idea of incremental approaches to address climate change, the stabilization wedge framework acknowledges the impossibility of controlling global data flows, but instead proposes a multi-pronged approach that countries can adopt based on their needs and abilities (Kokas, 2022). A non-comprehensive list of approaches includes: internalizing the financial externalities of data leakage in insurance markets that account for the costs of lawsuits associated with poor data management, incorporating data management practices into ESG investment indices, enhanced multi-lateral and multi-stakeholder cooperation on data sharing best practices, adoption of cross-border data transfer agreements, and improved education for regulators about the risks of weak data oversight as an innovation strategy (Kokas, 2022).

Interactions with firms where China is an important market, or even more significantly, where the firm's parent company is based in China, reflects the risk of digital resignation among policymakers. TikTok CEO Shou Chew argued in his March 23rd, 2023, Congressional testimony that TikTok's data security policies were no worse than those of US-based social media companies (United States House of Representatives, 2023), and indeed, that TikTok took greater care because increased oversight. Shou Chew made a good point. TikTok's extractive policies could only exist thanks to the lack of oversight in the United States. The TikTok example underscores the ways in which laissez-faire policymaking yields near-irreparable consequences if policymakers rely on a risk-based approach. Data trafficking becomes a condoned second-order outcome.

TikTok's leadership often casts concerns about TikTok as part of a moral panic about Chinese influence in the US. However, scrutiny of the firm also revealed the systematic resignation of US policymakers to a weak and ineffectual domestic digital oversight system. Digital resignation in policymaking extends the life of policies that enable data trafficking on a range of platforms, from the Chinese social media platform WeChat (Knockel et al., 2020) to the data broker industry in the US that permits firms to sell their user data to the highest bidder. The risks presented by TikTok brought attention to an overarching resignation in the US digital regulatory system, one guided by the same principles that corporations deploy with users. Digital resignation accrues its strength from not just the corporate landscape of weak data security oversight, but also failures to address data security on a national and international scale.