As China tries harder to collect data, we must try harder to protect data

China is stepping up efforts to force foreign companies to hand over valuable data while strengthening its own defences. Some of the information it’s looking for would give it greater opportunities for espionage or political interference in other countries.

Australia and other countries need to follow the lead of the United States, which on 21 October proposed rules that would regulate and even prohibit transfers of data containing the personal or medical information of its citizens to foreign entities.

Recent developments from inside China support the idea that the country is refocusing on bulk data, both to aid its intelligence operations and to protect itself from potential adversaries.

China has reformed its domestic legal environment to both protect itself and collect information with intelligence value. A new Data Security Law allows Chinese officials to broadly define ‘core state’ data and ‘important’ data while also banning any company operating inside China from providing data stored in China to overseas agencies without government approval. Firms over a certain size must also have a cell of the Chinese Communist Party to more closely integrate ‘Party leadership into all aspects of corporate governance’, including cybersecurity and data management.

The Communist Party’s Central Committee and the State Council have decreed that the National Data Administration will manage every source of public data by 2030.

The Ministry of State Security has prohibited Western companies from receiving geospatial information from Chinese companies and required companies to take down idle devices to reduce the threat of Western espionage. And Chinese nationals will shortly be unable to access the internet without verifying their identity by facial recognition and their national ID number.

In early October, a report by the Irish Council of Civil Liberties (ICCL) exposed the world of real-time bidding data, where the ads displayed when you go online are the result of an automated bidding process based on your browsing history and precise location. The ICCL report raised concerns that these kinds of analytics could identify people’s political leanings, sexual preferences, mental health state and even the drinks they like. That data has then been sold to companies operating in China.

Beijing’s recent activities in the digital world remind us that even the most mundane and trivial data about a person can have intelligence value—for example, in recruiting agents, guessing passwords and tracking the movements of targets. China’s expansive spying regime, which mobilises countless private entities and citizens, threatens to overwhelm Western intelligence services. That spying regime now has access to more information to inform decisions.

China’s latest moves draw our attention to the peculiar vulnerability of Australia in the region, especially among the AUKUS triad. Australian privacy law does not carry the same type of protections as British and US laws. Australia has neither a constitutional nor statutory right to privacy, and its key piece of legislative protection has provisions dating back to the 1980s. Despite receiving the results of a comprehensive review of the Privacy Act more than 18 months ago, the government has been sluggish to adopt any reforms that might help protect us from China’s data-harvesting practices.

The motivation for China to collect personal data in Australia has risen since we entered the AUKUS agreement in 2021. But the government isn’t showing enough interest in securing it against foreign manipulation and theft. Consider, too, that other intelligence players, such as India and Russia, are just as likely to join in.

Australia should take a leaf out of the US playbook on countering Chinese interference in its sovereign data. Since February 2024, the United States has been keen to regulate the sharing of information with foreign entities, starting with an executive order signed by President Joe Biden. The rules that Biden proposed on 21 October would ban data brokerage with foreign countries and only allow certain data to be shared with entities that adopt strict data security practices.

Beyond that, there is a growing need for industry and especially academia to adopt stronger security postures. Posting travel plans or political views on Facebook or Instagram might seem innocuous, but if it’s done by someone in a position of power or with access to valuable information, the individual’s vulnerability to espionage dramatically increases. As a society, we all need to take a little more notice and a little more care with what we are sharing online.