The internet is borderless. But in the era of technological advancement, the internet and data have become central factors in economic development, government function, and international relations. Innovation in technology can confer immense advantages to a country’s economy, but the pursuit of this development cannot be unregulated. The state is best placed to conduct the balancing act between progress and social benefit. But deciding which model of governance to adopt is a ‘deeply political act.’¹

The global picture of online governance is nowhere near finished. Governments are still figuring out what exactly their approach will be, but understanding the emerging landscape is vital. Inevitably, private actors are central to the progress being made in this space, but it is exactly this fact that complicates the international reality. Where different jurisdictions pursue different rules, with private companies holding different amounts of leverage or bargaining power in each, those companies are caught between varying standards. It is useful to first explore an overview of the current regulations.

Those to be considered most closely are the EU, China, India, the US, and international law. These are among the most technologically advanced on core metrics.² They are also the ‘norm entrepreneurs’ in online governance, meaning they are most active in establishing trends.³

The EU:

GDPR is widely considered the gold standard in data protection, and even before this the EU had the Data Protection Directive 1995, which first established the importance of personal privacy. European laws are among the most restrictive globally, designed to protect the individual rights of the user above other interests.

GDPR is constructed around data subjects, controllers, and processors. It affirms seven core rights including the right to be informed, the right of access, the right to erasure, and the right to data portability – these all give subjects the power over their own information.

A key feature is the adequacy requirement for international data transfers. The GDPR restricts the transfer of personal data outside the European Economic Area unless the receiving jurisdiction has been deemed by the European Commission to provide an ‘adequate’ level of protection. Such adequacy decisions are rare, granted to just eleven countries. This creates a precedent where states collectively prioritise personal rights over the ease of international trade.

However, this formal emphasis on privacy has drawn criticism from the corporate space. Opponents argue that the online regulation frameworks in the EU could create unnecessary trade barriers, interrupt global cooperation, and impose costs on SMEs that rely on digital services beyond the EEA.

It is often viewed therefore that the EU sets the standard that essentially must be followed by the rest of the world. These limits on interactions beyond the EEA mean that it is in the best interests of global corporations to meet or exceed the EU criteria.

China:

China’s model stands in stark contrast to the EU’s, asserting the central role of the state in controlling the flow and use of data. The nation’s importance to the world economy generally and the internet specifically has grown in recent years. Over half of the internet’s users are in China.⁴

The Chinese model is based on the promotion of Chinese tech powers, Baidu, Tencent, and Alibaba. These are private companies operating within a controlled environment in which the ruling Communist party is the dominant hand. The 2017 Internet Cyber Security Law is central to the approach.⁵ Some of its key features include data localisation, meaning mandating that copies of data must be stored locally on Chinese servers and bans the export of any data that could threaten national security or public interest. It also requires that all IT products operating in China meet national security standards, and foreign IT companies can be subjected to government spot checks, which may include demands to provide their source codes.

Yet increasingly, China also has a strong hand in the international space, for example it held the chair of the International Telecommunication Union. It also actively exports its model of regulation by investing in infrastructure abroad, such as in Tanzania and Vietnam.

The USA:

In an American fashion, the USA prioritises the commercialisation of personal data. The standard business-first approach applies. Unlike other major blocs, there is no single, all-encompassing federal data protection law in the US. Attempts to introduce one have stalled due to lack of consensus in Congress.

The California Consumer Privacy Act came into effect in 2020 and is widely considered the de facto national standard. It grants data subjects rights that are broadly aligned with the GDPR, such as the right to access personal data and the right to be erased. But there are major differences: the CCPA only applies to large, for-profit businesses meeting certain revenue or data-processing thresholds and does not place limits on what businesses can do with personal data internally.

India:

India’s developing approach represents a hybrid model, containing elements of both European and Chinese models. The Personal Data Protection Bill aims to blend protection of individual rights with assertion of data sovereignty. It also includes data localisation provisions, requiring that certain categories of ‘critical personal data’ must be stored in India and restricting cross-border transfers to only those organisations approved by the government.⁶

It remains to be seen whether the two divergent principles are compatible in practice.⁷ Critics point out that data localisation could undermine security practices like ‘sharding’ (spreading data across multiple servers) and limit choice by pricing out international service providers. If the bill proves effective, it could offer a new legislative framework that future international powers might strive to emulate.

International Law:

The global landscape is further complicated by the reality that there is no comprehensive international legal regime for data governance. Under existing laws, data transfers are typically treated as a service under GATS, but this is ill-equipped to deal with the complexities of a digital world. The WTO’s dispute settlement system is also ineffective for challenging broad data rules like China’s censorship, as it is designed to handle trade disputes rather than issues of specific goods or services.

Discussion:

These separate visions of the internet do not exist in their pure forms. The descriptions here also do not cover all aspects of the regulations. The homogeneity of the internet cannot be assumed (per Global Commission on Internet Governance 2016), and scenarios about what ‘the Splinternet’ cannot be ruled out. There could be a developing world internet, or a feminist internet, or an Islamic internet, or a caring internet, or an internet of cyborgs. With the right institutional backing, the internet is almost infinitely malleable.

Many have drawn the conclusion that the internet is a fight between China and the US.⁸ This undermines the breadth of the tensions at play. A new wave of civic discourse is continuing. Tim Berners-Lee, for example, has supported a range of initiatives, ranging from the Web We Want, to a ‘Magna Carta for the Web’, to the Solid platform, which aims to “re-decentralize” the internet guided by personal empowerment through data. He fundamentally aims to promote privacy.

The reality is, no matter how things progress, the new age of geopolitical battles will be based on the internet. This will be the new frontier. From data management to AI development, the regulations of internet spaces will be an increasingly important point of political discussion. It is not inconceivable that competing visions of the internet will become inextricably linked with the aim for international recognition and power. Given the lack of any binary outcome of win-loss for any party in this struggle, the development of this issue will undoubtedly be an interesting one to follow.

Conclusion:

Geopolitics and the digital environment cannot be separated. The internet is shifting away from the merely functional and towards the ideological, in terms of its governance and regulation. It is holistic and all-encompassing. It is everywhere and yet its management remains a mystery – a problem yet to be solved. It seems like it will continue to be a game of trial and error.