Will China’s regulatory focus bring it global AI leadership?
While the West “streamlines” AI laws, a surprising defender of regulation emerges: China.
Subscribe to FILED Newsletter
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- The House Oversight Committee is investigating the privacy and security risks associated with 23andMe’s bankruptcy
- 4chan suffered a data breach
- Chinese officials admit to conducting cyberattacks against US infrastructure as part of Volt Typhoon.
But first,
The race for global AI leadership is not over, will China’s focus on regulation help it win?
In recent months, AI and privacy regulation as a movement appears to be in retreat. We have covered more than once the United States’ turn towards growth-friendly deregulation, and the European Union appears to be heading that way too, with the announcement that it would seek to “streamline” the GDPR. But while the West is looking at deregulating the technology, an unlikely defender of AI regulation has emerged: China.
China emerges as a global AI regulator-in-waiting
We’ve mainly covered China’s AI development in the context of its technological advancements, in particular the rise of the Deep Seek model earlier in the year. But China has quietly established itself as a force in the AI regulatory space as well (an authoritarian government setting rules, who would’ve thought?)
Since 2021, the country has introduced multiple pieces of national legislation aimed at governing AI technologies. In January 2023, China's Deep Synthesis Provisions came into effect, targeting deepfakes and other AI-generated content with specific rules for service providers. This momentum continues in 2025, as China's AI market is projected to triple from $23.2 billion in 2021 to $61.9 billion by the end of this year.
Director of the East Asia Program at the Quincy Institute, Jake Werner, recently emphasized to state-owned China Daily that "the leading countries—the United States and China—must work together to address some of the potential problems that we see with artificial intelligence". Werner specifically highlighted AI's potential threats to humanity and employment, stressing the need for a global framework to mitigate these risks. These comments appearing in the China Daily suggest they have the backing of the state.
“Strategically lenient” regulations?
But some analysis suggests China's regulatory approach may be less benevolent than Werner suggests. Professor Angela Huyue Zhang argues that China's AI legislation offers "little protective value to the Chinese public" but is set to enable industry growth. This "strategically lenient" approach may offer Chinese AI firms a competitive edge over their Western counterparts in the short term while presenting long-term risks of “regulatory lags” that could lead to AI-induced accidents.
A Western retreat from regulation
Now we’ve seen what’s happening in China, let’s check in on the West, where it appears China’s push to become a global AI regulator will encounter little competition. In the United States, the government has shown little urgency in developing comprehensive AI regulations. The Trump White House has taken steps, such as issuing new policies on federal agency AI use and procurement, which surprisingly do contain some risk management provisions, such as AI impact assessments, for "high-impact AI use cases." But significant legislative action remains stalled.
And across the Atlantic, The European Union is also grappling with how to regulate technology while adopting similar rhetoric on innovation and growth. The EU is considering “simplifying” its General Data Protection Regulation (GDPR), a move that privacy advocates fear could result in weakened protections. This proposed simplification aims to reduce compliance burdens, particularly for small and medium-sized businesses, and increase EU competitiveness in the AI race. This represents a significant shift in the EU's narrative and tone on tech regulation, moving away from its traditional focus on fundamental rights protection.
Last week, the EU announced an “AI Continent Action Plan”, with the goal of the competing with the US and China and making the EU a global leader in AI. The action includes measures to build a large-scale AI data and computing infrastructure, increase access to large and high-quality data, strengthen AI skills and talents, and – you guessed it – simplify regulation. As the EU AI Act goes into effect this year, the plan is to build on the lessons learned during the current implementation phase to identify further measures that are needed to facilitate a “smooth, streamlined and simple application of the AI Act”.
Which approach will win?
So, in one corner, we have the US and the EU, set on making innovation easy for businesses by streamlining the rules. And in the other, we have China’s regulatory approach, which leans heavily on central control and the active involvement of the state in enforcing them. Which approach will win?
In the absence of a unified global regulatory framework, China’s willingness to regulate its AI sector may make it the leader in AI governance. The question is whether China's approach represents genuine concern for AI safety or a strategy to provide the appearance of responsible governance while actually enabling aggressive industry growth. Either way, if someone has to set the rules for the world, it looks like China is the one with its hand up.
What does this mean for you?
While a lot has changed since February, when we last covered this, our advice now is the same: don’t wait for regulation to force you to do the right thing when it comes to customer data. Establish strong AI governance in your organization, which includes a combination of policies and procedures, an AI governance committee responsible for oversight, and AI training. The foundation for AI governance? Strong data governance throughout your data estate. Implement these measures, and you’ll be better positioned for your particular regulatory environment, even as it shifts. Remember, even if the regulatory environment relaxes, the risk is still there. Better to be the company prepared for it.
🕵️ Privacy & governance
An examination of the privacy implications of Elon Musk and his DOGE agency's quest for US residents' data. Spoiler: Pretty bad!
Speaking of, a whistleblower's disclosure detailed how DOGE may have taken sensitive labor data, with technical staff members alarmed about a spike in data leaving the agency following DOGE staffers gaining access. It's possible that the data included sensitive information on unions, ongoing legal cases and corporate secrets.
Google is being criticized for urging small business owners to oppose California Assembly Bill 566, a law that would strengthen consumer privacy protections in digital advertising.
Meta has resumed training its AI models using public data shared by adults across its platforms in the European Union, after the European Data Protection Board (EDPB) approved the rollout.
The House Oversight Committee has launched an investigation into the privacy and security risks associated with the bankruptcy of genetic testing company 23andMe, with CEO testimony due in May.
🔐 Security
Edgy forum 4chan suffered a data breach, with source code, moderator info, IP addresses, more allegedly swiped and leaked.
A threat actor is selling a Fortinet Firewall Zero-Day Exploit.
Hackers are exploiting a vulnerability within the popular file transfer tool Crush, according to US Federal cybersecurity officials as well as incident responders at cyber companies.
Car rental giant Hertz told customers that personal information including credit card details and Social Security numbers may have been stolen in a data breach that impacted one of the firm’s vendors.
The latest from RecordPoint
📖 Read:
Enterprises face an urgent challenge: 90% of enterprise data is unstructured, but most organizations truggle to understand and manage it. With the growth in GenAI, solving this issue has become more urgent. Read our post to learn how to overcome it.
RecordPoint's Head of Product Joe Pearce goes deep on how records management prepares you for AI.
And check out the replay of Joe's GenAI AMA last month, where he offered advice on issues like identifying the best way to safely experiment with AI in a regulated environment
Heading to IAPP GPS 2025 in DC next week? We are! See you there? Check out a sneak preview of what we’ll be sharing.
🎧 Listen:
If you need more on unstructured data, listen to last week’s podcast episode, where – once again – RecordPoint’s Head of Product Joe Pearce covers the unstructured data issue from a variety of angles, explaining why it’s urgent and what companies can do about it.
And then in an earlier episode from the season, Anthony and Kris are joined by Paul Sonntag, a 15-year veteran of the security, privacy, and compliance space, to discuss these questions and more. Stick around to learn why goons – big guys in black suits with blank expressions – are an essential component of deciding when and how to use technologies like AI.
