The European Union treats data as a privacy right. The United States treats it as a corporate asset. China treats it as a factor of production, a national economic resource on par with land, labour, capital, and technology. That distinction, which sounds like an abstraction, is producing a data governance framework that is structurally different from anything Brussels or Washington has built, and it is the Chinese model, not the European one, that much of the developing world is watching most closely.

Since late 2025, Beijing has pursued what it calls an “AI-plus” initiative, an aggressive AI adoption strategy across industries with data at its centre. The National Data Administration, created in 2023, has organised three national data work conferences and designated seven provinces as Digital Economy Innovation Development Pilot Zones. More than 30 new standards covering public data, data infrastructure, AI agents, high-quality datasets, and data cataloguing are expected to be issued in 2026. China is not simply regulating data. It is building an entire economic infrastructure around it.

The framework

China’s data governance rests on what legal practitioners call a “3+1=4” structure: three core laws, the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, plus one administrative regulation, the Regulation on Network Data Security Management, implemented through four sets of specific rules. The framework establishes a layered regime for cross-border data flows in which the identity of the data processor, the type of data involved, and the scale of outbound transfers determine which of three primary export mechanisms applies: security assessment, standard contractual arrangements, or personal information protection certification.

The PIPL, which took full effect in November 2021, is often compared to the GDPR. The comparison is misleading. The GDPR prioritises individual rights and transparency under a democratic legal framework. The PIPL prioritises state sovereignty and national security under a governance model in which the state’s interest in data control takes precedence over the individual’s right to privacy. Both laws regulate data. They regulate it for fundamentally different purposes.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The EU AI Act entered into force with the ambition of setting a global standard for AI governance, and its approach, risk-based classification, transparency requirements, and fundamental rights protections, reflects the same philosophy that produced the GDPR: individual rights first, economic utility second. China’s framework inverts that priority. Economic utility first. State security second. Individual rights third. The question is which ordering the rest of the world will adopt.

The exchanges

The most distinctive feature of China’s approach is its creation of data exchanges: regulated marketplaces where data is bought and sold as a commodity. Shanghai, Shenzhen, Beijing, Guiyang, and Guangzhou all operate data exchanges where companies and government agencies list data products, negotiate prices, and execute transactions under standardised terms. The Shanghai Data Exchange listed more than 5,000 data products by 2025. The combined trading volume across China’s major exchanges was valued at 87.7 billion yuan in 2022 and is projected to reach 515.6 billion yuan by 2030.

No comparable infrastructure exists in Europe or the United States. The EU’s Data Act advances new rules to give users more control over data from connected devices, but it does not create a marketplace for trading that data. The American approach leaves data transactions almost entirely to private markets, with no federal data exchange infrastructure and no national data administration equivalent to China’s NDA. China is building the plumbing for a data economy that treats information as a tradable asset class, complete with exchanges, pricing mechanisms, standardised contracts, and regulatory oversight. It is the only major economy doing so at national scale.

The export

China’s Digital Silk Road, the technology component of the Belt and Road Initiative, has signed digital cooperation agreements with more than 16 countries and built telecommunications infrastructure, data centres, submarine cables, and 5G networks across Southeast Asia, Central Asia, Africa, and Latin America. The infrastructure carries with it a governance model. Countries that adopt Chinese-built digital infrastructure frequently adopt Chinese-influenced data governance frameworks, not because Beijing demands it but because the technology and the regulatory assumptions are designed to work together.

The Cyberspace Administration of China has provided training for partner countries on internet monitoring, content management, and data governance. Chinese technology companies operating in Belt and Road countries are required by Chinese law to store certain data on servers in China and submit to security checks, creating a de facto data sovereignty arrangement that flows in Beijing’s direction. Europe’s Digital Networks Act is attempting to build competitive digital infrastructure, but it is doing so within a framework that prioritises interoperability and openness. China’s approach prioritises control and integration with its own digital ecosystem.

For developing countries choosing between governance models, the Chinese approach has practical advantages. It comes with infrastructure funding. It comes with technology that is operational and affordable. It comes with training and institutional support. The GDPR, by contrast, is a regulatory framework without an infrastructure programme. It tells countries how to govern data but does not help them build the networks to collect, store, and process it.

The competition

Europe’s AI alliance has launched an open LLM to challenge the US-China duopoly, and the three-way competition between American, European, and Chinese approaches to data and AI governance is now one of the defining features of global technology policy. The American model relies on corporate self-regulation and sector-specific laws. The European model relies on comprehensive regulation and individual rights. The Chinese model relies on state direction, data marketplaces, and the treatment of data as national infrastructure.

Each model has blind spots. The American approach leaves individuals with minimal protection and creates a fragmented regulatory landscape that varies by state. The European approach imposes compliance costs that disadvantage smaller companies and has been criticised for slowing innovation. The Chinese approach concentrates data power in the state and raises legitimate concerns about surveillance, censorship, and the use of data governance as a tool of political control.

The UK’s data reform bill is diverging from the GDPR, suggesting that even within the Western democratic tradition, the European model is not holding as a universal standard. Countries are shopping for data governance frameworks that match their economic circumstances, political systems, and development priorities. China’s model, which offers a complete package of infrastructure, technology, regulation, and institutional support, is a compelling option for governments that want to build a digital economy without importing European legal philosophy or American corporate dominance.

The stakes

The question of which data governance model prevails is not abstract. It determines who controls the AI training data that will power the next generation of language models, autonomous systems, and decision-making algorithms. It determines whether data flows freely across borders or pools in national reservoirs. It determines whether individuals have meaningful control over their personal information or whether that control rests with states and corporations. China’s model, with its data exchanges, its treatment of data as a production factor, and its integration of governance with infrastructure, is designed to ensure that China has access to the largest, most structured, most governable data pools in the world. If other countries adopt the same framework, those pools become interconnected under Chinese-influenced standards.

The EU spent a decade building the GDPR into a global benchmark. It succeeded in making privacy-by-design a standard that technology companies worldwide must accommodate. China is attempting something more ambitious: not just setting rules for how data is protected, but building the economic infrastructure for how data is valued, traded, and deployed as a national asset. The world may not adopt China’s political system. But it may adopt China’s data governance framework, because it is the only one that comes with the roads, cables, data centres, and exchanges needed to make it work. In data governance, as in so much else, the country that builds the infrastructure sets the standard.