BIJAH LAFOLLETTE writes about China’s restrictive data security policies and how their impact on FDI signal a shift in China’s broader strategy.

For the last 40 years, Foreign Direct Investment (FDI) has been a key driving force of China’s integration into global capitalism, economic growth, and expanding technological innovation capability. Since beginning to open its economy in 1980, China has attracted $1.6 trillion in FDI contributing to an estimated third of their GDP growth, a quarter of their employment growth, and half of the nation’s exports. Recognizing its importance, the Chinese government historically cautiously embraced FDI, while still maintaining a balance of economic modernization and state control. However, in 2023, for the first time in over 30 years, China recorded a decline in FDI to $33 billion, down 82% from the prior year.

Amid escalating geopolitical tensions with the U.S., the Chinese government has redefined its strategic priorities, elevating national security over economic openness. This recalibration is most evident in China’s implementation of stringent data security policies covering international businesses operating in China, which have contributed to a significant decline in FDI. These policies raised concerns about the erosion of corporate privacy and the potential use of sensitive data by the Chinese state to give domestic firms a competitive advantage, making China a riskier destination for foreign investment. 

In this paper, I will review published literature to examine how geopolitical tensions, particularly competition with the U.S., have created internal pressures that drive Chinese leadership to prioritize data security regulation as a means of safeguarding national security.

Next, I will outline the key components of China’s data security policies, examining how they have impacted the regulatory environment for foreign firms seeking to invest in China. Finally, I will analyze how China uses these laws to enhance state control over the economy and accelerate technological self-sufficiency through economic espionage and preferential treatment for domestic firms. 

Literature Review: The Pressures Shaping China’s Threat Perception

To understand the rationale behind China’s stringent data security policies and their implications for FDI, it is essential to examine the geopolitical and domestic pressures shaping Chinese Communist Party (CCP) priorities, particularly the increasing emphasis on national security over economic development. The CCP’s changing attitude is driven by an increased internal and external threat perception to political security (Legarda, Drinhausen, 2022). On the external front, China feels besieged by the U.S. and Western countries, intent on containing China. For instance, Chinese officials point out that the emergence of the U.S.-led coalition to confront China in the Indo-Pacific and the West’s united response to Russia’s invasion of Ukraine has made China view its relationship with the United States in an increasingly black-and-white frame. China’s frustration with the U.S. boiled over in 2023, when President Xi broke from precedent and called out the U.S. by name in a party conference address: 

“Western countries led by the United States have implemented all-around containment, encirclement and suppression of China, which has brought unprecedented severe challenges to our country’s development.”

Legarda and Drinhausen point out that the formation of new U.S.-led military alliances in the Asia Pacific region makes China’s leadership feel like its national security is threatened and therefore that it has to respond with a more assertive foreign policy.

More notably, though, are the internal threat perceptions to China’s political security. The Color Revolutions in Eastern Europe in the 2000s made the CCP feel increasingly uncomfortable with Western influence in China. In these revolutions, mass protests were formulated that demanded fundamental political change: the end of long-standing authoritarian leaders and the corrupt systems they upheld. The Chinese saw those uprisings as being driven in part by Western powers’ intervention for geo-strategic reasons. 

The Color Revolutions struck the CCP so much that Zhao Kezhi, head of China’s ministry for Public Security, told a gathering of provincial security directors that “their primary focus for the year would be preventing and resisting Color Revolutions and defending the political security of the Chinese Communist Party (CCP) regime.” In essence, the Color Revolutions catalyzed a deep skepticism within the CCP toward unregulated Western influence—whether through media, businesses, or NGOs—out of fear that such influence could inspire similar uprisings within China.

The Evolution of Comprehensive National Security 

In 2014, Xi Jinping’s introduction of ‘comprehensive national security’ catalyzed a major shift in China’s governance strategy, driven by evolving perceptions of internal and external threats. Comprehensive national security now encompasses 16 types of security, up from 11, including biotech and space security. Analysis of several security speeches by President Xi led Legarda and Drinhaussen to conclude the CCP viewed national security as a precondition for economic development. In effect, the CCP once derived its legitimacy from economic growth and improving living standards. However, it now perceives unfettered growth and deeper economic ties with the West as risks to national security.

The shift in the Chinese government’s priorities is also reflected in an analysis of the annual central committee documents between 2015 and 2020 by Kalpit Manikkar in “Preserving National Security, the Xi Jinping Way.” In 2015, the CCP identified the “economic slowdown” as China’s defining challenge. However, by 2020, Manikkar’s analysis found no mention of China’s slowing economy, which continued to grow at a slower rate than before. Instead, the focus had shifted: while “quality of development” and “security” were mentioned five and 13 times respectively in the 2015 session, by 2020, the terms “security,” “quality of development,” and “innovation” appeared 22, 16, and 15 times respectively. 

The deeper meaning of ‘quality of development’ is China’s concern for how increased integration with the global economy brought by globalization makes it more challenging for China to segregate internal and external threats. This concern is encapsulated in a 2013 speech by Xi Jinping, where he emphasized that, 

“As Chinese enterprises and citizens ‘go global’ in great strides, the boundaries of China’s national security are increasingly extending outward, and maintaining and expanding ‘overseas interests’ is becoming an important task of China’s national security.” ¹¹ 

Xi’s comments highlight how globalization has pushed the CCP to view economic activities—both domestic and international—as intertwined with national security risks. Hence they require tighter control to safeguard the political security of the regime. 

The emphasis on ‘quality of growth’ is representative of a deliberate shift in priorities: economic development is now carefully calibrated to align with the party’s broader objectives of political stability and national security (Grunberg, Legarda, 2021). More specifically, in order to achieve the end goal of political security, the CCP believes it must increase the party state’s steering capacity over the economy, while also increasing technological self-sufficiency. In order to achieve this, since 2020, the Chinese government has carried out waves of private sector regulation to discipline companies and align their actions with party priorities, while also preventing the formation of power bases outside the CCP. 

To some, none of these regulations are surprising given that China fundamentally seeks to channel resources and innovation based on national security priorities . A central component of their strategy is the emphasis on civil-military fusion which they believe will help leapfrog the U.S. The connecting factor with all of the Chinese government’s view is that data is a critical “factor of production” and hence controlling it is vital to comprehensive national security. 

Section 2: China’s Specific Data Security Regulations and Their Impact 

The Chinese government’s crackdown on the technology sector is reflective of a transition to a more cautious view of foreign investment. Large tech platforms contain enormous amounts of valuable data and are hence a source of techno-authoritarian power—for surveillance, censorship, and narrative wars. To this end, the Chinese government has adapted data security policies, each increasing the government’s authority over how data is managed, accessed, and controlled. 

In 2016, the Chinese politburo passed the Cybersecurity law, a foundational piece of legislation that introduced sweeping measures to insert government control into cyberspace and data storage. The law included several main requirements that have been especially burdensome to foreign companies, including but not limited to 1) Data localization, 2) Critical Information Infrastructure (CII) Protection, and 3) Law enforcement support requirements. 

Data Localization

The data localization rules require all companies operating in China to store personal and “important data” collected within China on domestic servers. It defines “important data” vaguely, simply as anything that “may endanger national security and public interest in the event it is tampered with, destroyed, leaked, illegally obtained or illegally used.” While other jurisdictions like the US or EU justify more limited localization requirements in the name of privacy protection, China uses broad national security concerns. The data localization requirements also make it illegal for companies to transfer data internationally without the approval of the Cyberspace Administration of China (CAC). These requirements are especially burdensome for foreign companies operating in China because it requires them to build local data centers or lease data centers in China and pay for their operational costs. Further, the data localization rules restrict the global scalability of foreign companies that rely on real-time data analysis, as they must create China-specific IT systems to record data collected in China.

Critical Information Infrastructure 

The Cybersecurity Law also espoused specific requirements for companies that are considered to be CII providers, which it defines as companies that provide information infrastructure that, if damaged, lost, or breached, could seriously endanger national security  (e.g., cloud service providers or financial payment systems). The law’s broad definition of “national security” and “important data” gives authorities broad leeway to access data beyond the scope of a simple inspection or criminal investigation. The CII clauses heavily impact large American tech companies like Amazon, Microsoft, and Apple, requiring them to undergo national security reviews and disclose details about critical systems, data classification, and protections against foreign access. Even Chinese CII operators that use foreign hardware, software, or services are required to undergo a national security review, which includes providing details about data processed by their foreign vendor and sharing data or intelligence about cybersecurity threats to government-approved monitoring tools or systems. Together, these regulations raise serious concern about the potential for state surveillance and loss of control over sensitive operational data. 

Law Enforcement Support Requirements 

Finally, the cybersecurity law requires that companies operating in China actively assist government authorities in national security and law enforcement efforts even if they are in compliance with other portions of the law. Companies are obligated to disclose user data,  operation records, or financial transaction details in cases involving cybercrime or terrorism or national security threats. Further, companies are required to help the Chinese authorities in decryption of communications, and identifying specific individuals through their digital footprints. Unlike in the US and EU, there is no court system or judicial process where companies can block authorities’ requests: the laws are designed to be so vague that they cannot be challenged. 

Impact on Foreign Firms and FDI 

Complying with the Cybersecurity Law’s enforcement provisions is very challenging for foreign companies. Compliance creates legal gray zones with their home countries that limit government access to data, such as GDPR or the U.S. CLOUD Act. Further, compliance with China’s law enforcement also could harm the reputation of a company with customers in other major markets that are skeptical of the Chinese government’s growing assertiveness.

Non-compliance with China’s laws is not an option. China recently instituted the “Corporate Social Credit System” to detect misconduct and noncompliance. The European Chamber of Commerce equated the rating system to “life or death” for companies in China because low scores could result in fines, higher taxes or permit difficulties, or a blacklisting.

The cumulative challenges posed by China’s Cybersecurity Law—ranging from stringent data localization requirements to broad law enforcement provisions—have not only increased compliance costs but also fueled significant uncertainty among foreign companies. Numerous surveys and studies show that the laws have increased risk perception and dampened the likelihood of companies expanding their operations in China. In a 2023 survey by the US-China business council of mostly US headquartered firms (where half the participants generated at least $1 billion in revenue in China), companies cited data, personal information, and cybersecurity rules as their second biggest challenge, jumping from fourth in 2022. Further, 97% of survey participants said they were either somewhat or very concerned about data and cybersecurity policies and one of their biggest concerns is the ambiguity of compliance requirements and terms. The confusion over China’s newly implemented cybersecurity regime had 78% of respondents concerned about protection of Intellectual Property (IP) in China. Half of respondents plan to decrease investment in China or do not plan on expanding their operations driven partly by opaque rules on data security. 

Section 3: Domestic Competition and Economic Espionage 

Chinese authorities have used the Cybersecurity law to identify not just national security or cybercrime threats, but also threats to ‘political security’ and ‘economic security.’ Specifically, the Chinese government is using ‘national security’ as a pretense to entrench its grip on the Chinese economy by bolstering domestic firms through unevenly applying data security rules and economic espionage on foreign firms. In their eyes, economic self-sufficiency, especially in key sectors, is the basis of state control. As part of its security goals, the Chinese government uses the data security laws to support domestic firms in two key ways: the uneven application of data security laws and leveraging these laws as legal grounds for industrial espionage. 

Uneven Application of Data Security Laws 

China’s data security laws are disproportionately enforced to target foreign firms, while holding a different standard for domestic ones. The uneven application of these regulations extends to many elements of the data security policies. In 2019, China ordered all government offices and public institutions to remove foreign computer equipment and software. In 2022, China expanded this directive to include the vast number of state-backed enterprises, ordering companies to use Chinese PCs running on domestically developed operating systems (affecting 50 million PCs). This was a major blow to American tech companies like Hewlett Packard and Dell, which saw China as a major growth market. 

The Cybersecurity law also compels CII operators to meet critical network product and services requirements that meet Chinese standards and pass security reviews. Operators are often urged to use domestic vendors, which the Chinese believe would limit the use of foreign technologies that could threaten security, putting American tech firms at a distinct disadvantage. 

Separately, China does not just restrict and regulate the flow of data of CII operators, it mandates that foreign cloud providers partner with a Chinese firm to operate in the country. Amazon and Microsoft, the two largest global cloud computing providers, were forced to sell off their cloud compute physical infrastructure to a local Chinese partner. Domestic cloud computing platforms like Alibaba Cloud and Tencent don’t have these restrictions, which gives them an unfair market advantage. In telecommunications, foreign firms face insurmountable regulatory burdens for Internet Service Provider (ICP) licenses. These licenses are instead given to Chinese controlled entities like China Mobile, China Unicom, and Huawei. While the combination of the Cybersecurity law and other regulations highlight China’s top-down goals of replacing dependence on foreign firms with domestic alternatives, their emphasis on self-sufficiency extends beyond regulation. 

Leveraging Cybersecurity Laws for Economic Espionage 

Chinese authorities have systematically used the legal grounds of ‘national security’ provided by the Cybersecurity law to facilitate the extraction of proprietary intellectual property from foreign companies to accelerate domestic technological development. The FBI estimated that the annual cost to the U.S. economy of pirated software and theft of trade secrets is between $225 and 600 billion.

The data localization, security inspections, forced compliance with law enforcement, and mandatory partnerships with local firms have created an ecosystem of IP theft. In an annual survey by the European Union Chamber of Congress in China, 20% of the 585 participants said they felt compelled to transfer technology to maintain market share in China. Due to the aforementioned restrictions on investment in sectors China considers to be key to security, many firms are forced to operate through joint ventures with a Chinese partner. In the survey, some respondents cited that they were forced to transfer valuable technology to their partners that soon became competitors.

One of the most striking examples of this came when an American energy tech company American Superconductor (ASMC) partnered with a Chinese firm to provide proprietary wind turbine technology. In a separate case, Qualcomm (semiconductor and mobile chips) faced pressure from regulators to share its chip designs and technologies with Guizhou Provincial Government as part of a server chip joint venture. Proprietary information and IP were allegedly stolen through the venture and given to the Chinese firm Huawei, whose chip subsidiary HiSilicon developed an advanced chip almost identical to Qualcomm’s Snapdragon series. In industries that China deems key to national security and development, companies report higher rates of espionage pressure. 

Economic Espionage as a Development Strategy 

Fundamentally, the scale of intellectual property theft in China stems from the deeply intertwined nature of state intelligence and commerce. In 2016, President Xi Jinping called for the Party to integrate Party leadership “into all aspects of corporate governance”, including both domestic and foreign companies in the private economy. China requires all firms above a certain size to have party cells. 92% of China’s 500 largest companies have such cells. Companies in China must cooperate with intelligence services whenever requested; there is now an ecosystem whereby companies considering investing in China are fearful of unrestricted Chinese government access to their trade secrets. The Ministry of State Security and CAC have been accused of leveraging inspections and national security reviews of foreign tech companies’ data servers in China to gain trade secrets and steal intellectual property.

Conclusion: Data, Security, and Power – China’s Shift in Grand Strategy

The decline in FDI into China is being caused in part by the introduction of strict data security policies, like data localization requirements, mandatory cyber security inspections, which expose sensitive data to Chinese authorities, and cross-border data flow restrictions. These compliance burdens have created an atmosphere of heightened regulatory uncertainty where foreign companies feel vulnerable to unfair competition and intellectual property theft. The direct consequences of the Chinese government’s policies are representative of the Chinese government’s changing priorities. 

Under President Xi’s leadership, the Chinese government has increasingly viewed unfettered economic growth driven by foreign investment and technology as a potential threat to its control. Fearing that Western influence could incite domestic unrest and that China’s rise might be curtailed by foreign powers, the leadership shifted its priorities toward safeguarding national security, even at the expense of economic openness. The Chinese government considers safeguarding the party state to be the “bedrock”, while economic security is the “basis.” Said differently, in order to ensure party control and political stability, the Chinese government must enhance China’s economic resilience by promoting self-reliance in critical industries. 

In this way, data security laws, unevenly enforced to favor domestic firms and facilitate industrial espionage, are not merely regulatory tools—they are strategic tools in China’s broader effort to consolidate control over its economic and technological future. In other words, the decline in FDI is not just a result of an uncertain business climate but a signal of a realignment in China’s grand strategy– one that prioritizes comprehensive national security over unregulated integration with the global economy.  

Yet this realignment of priorities must be understood within the broader context of China’s grand strategy and the realities of 21st century economic competition. In the Information era, data is an extremely important economic resource and critical to governance, and geopolitical competition. Control over data confers immense strategic advantages—enhancing state surveillance, industrial growth, and technological innovation—while simultaneously limiting foreign influence. The Chinese government understands this – and is willing to sacrifice reduced foreign investment so long as they can control data within their borders. Ultimately, the decline in FDI is not just a symptom of challenging business conditions but a signal of a deeper realignment in China’s grand strategy—one that prioritizes control and security over integration with the global economic order.

Bijah LaFollette is a junior at Harvard University, studying Government and Economics, with a focus on international relations and economic policy. He became interested in China’s evolving economic and security strategy in 2022 as tensions between the U.S. and China escalated, sparking his research into foreign investment, national security, and economic statecraft. His interest deepened through a government course on grand strategy in foreign policy, where he explored how geopolitical competition shapes economic decision-making. In his free time, Bijah enjoys playing basketball and spending time outdoors with friends—whether hiking, exploring new places, or just being active. He can be reached at blafollette@college.harvard.edu.

---

CITATIONS
1. China Foreign Direct Investment 1979-2024.” Macro Trends. http://www.macrotrends.net/global-metrics/countries/chn/china/foreign-direct-investment.

2. Intelligence, fDi. “Xi’s China In Six FDI Charts.” The Financial Times Ltd, n.d. https://www.fdiintelligence.com/content/data-trends/xis-china-in-six-fdi-charts-81575.

3. Leng, Cheng. “Foreign Direct Investment in China Falls to Lowest Level in Decades.” Www.ft.com, 19 Feb. 2024, http://www.ft.com/content/bcb1d331-5d8e-4cac-811e-eac7d9448486.

4. Drinhausen, Katja. “‘Comprehensive National Security’ Unleashed: How Xi’s Approach Shapes China’s Policies at Home and Abroad.” Merics, 15 Sept. 2022, 

merics.org/en/report/comprehensive-national-security-unleashed-how-xis-approach-shapes-china s-policies-home-and. 

5. Bradsher, Keith. “China’s Leader, with Rare Bluntness, Blames U.S. Containment for Troubles.” The New York Times, 7 Mar. 2023, http://www.nytimes.com/2023/03/07/world/asia/china-us-xi-jinping.html.

6. Chen, Titus C. “China’s Reaction to the Color Revolutions: Adaptive Authoritarianism in Full Swing.” Asian Perspective, vol. 34, no. 2, Jan. 2010, pp. 5–51, doi:10.1353/apr.2010.0022.

7. Zhe, Tang. “Chinese Authorities Are Afraid of ‘Color Revolutions.’” Bitter Winter, 29 Jan. 2019, bitterwinter.org/authorities-are-afraid-of-color-revolutions. 

8. “Document 9: A ChinaFile Translation.” ChinaFile, 30 Oct. 2015, www.chinafile.com/document-9-chinafile-translation. 

9. Xinhua. “中央国家安全委员会第一次会议召开 习近平发表重要讲话 (The first meeting of the Central National Security Commission held Xi Jinping delivered an important speech)”. Xinhua News, April 15, 2014. http://www.gov.cn/xinwen/2014-04/15/content_2659641.htm. Accessed June 30, 2022. 10. Mankikar, Kalpit A. “Preserving National Security, the Xi Jinping Way.” Orfonline.Org, OBSERVER RESEARCH FOUNDATION ( ORF ), 4 Dec. 2023, www.orfonline.org/research/preserving-national-security-the-xi-jinping-way. 

11. Bradsher, Keith. “China’s Leader, with Rare Bluntness, Blames U.S. Containment for Troubles.” The New York Times, 7 Mar. 2023, http://www.nytimes.com/2023/03/07/world/asia/china-us-xi-jinping.html. 12. Grünberg, Nis, and Helena Legarda . “The CCP’s next Century: Expanding Economic Control, Digital Governance and National Security | Merics.” Merics.org, 15 June 2021, merics.org/en/report/ccps-next-century-expanding-economic-control-digital-governance-and-national-secu rity. Accessed 26 Apr. 2024. 

13. Cheung, Tai Ming. Innovate to dominate: The rise of the Chinese techno-security state. Cornell University Press, 2022. 

14. Emmanuel Pernot-Leplay, China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the E.U.?, 8 PENN. ST. J.L. & INT’L AFF. 49 (2020). Available at: https://elibrary.law.psu.edu/jlia/vol8/iss1/6

15. “China’s Cyber Regulations: A Headache for Foreign Companies.” Merics, 22 Mar. 2017, merics.org/en/comment/chinas-cyber-regulations-headache-foreign-companies. 

16. The “Real Life Harms” of Data Localization Policies, Center for Information Policy Leadership, Mar. 2023, www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl-tls_discussion_paper_paper_i_-_the_re al_life_harms_of_data_localization_policies.pdf. 

17. Poston, Jeffrey. “Summary of the PRC Cybersecurity Law.” Crowell & Moring – Summary of the PRC Cybersecurity Law, Crowell & Moring LLP, 2017, www.crowell.com/en/insights/client-alerts/summary-of-the-prc-cybersecurity-law. Accessed 8 Dec. 2024. 18. Perez, Christian. “Why China’s New Data Security Law Is a Warning for the Future of Data Governance.” Foreign Policy, foreignpolicy.com/2022/01/28/china-data-governance-security-law-privacy/. 

19. “European Chamber Report on China’s Corporate Social Credit System a Wake-up Call for European Business in China.” European Union Chamber of Commerce in China Home, August 28, 2019. https://www.europeanchamber.com.cn/en/press-releases/3045/european_chamber_report_on_china_s_c orporate_social_credit_system_a_wake_up_call_for_european_business_in_china.

20. 2023 member survey | US-China Business Council, 2023. https://www.uschina.org/reports/2023-member-survey.

21. Yang, Yuan, and Nian Liu. “Beijing Orders State Offices to Replace Foreign Pcs and Software.” Financial Times, December 8, 2019. https://www.ft.com/content/b55fc6ee-1787-11ea-8d73-6303645ac406.

22. Sacks, Samm, and Manyi Kathy Li. “How Chinese Cybersecurity Standards Impact Doing Business in China.” CSIS, 2 Aug. 2018, http://www.csis.org/analysis/how-chinese-cybersecurity-standards-impact-doing-business-china#:~:txt=According%20to%20the%20law%2C%20CII,spot%2Dtesting%20and%20regular%20assessments. 

23. Sganga, Nicole. “Chinese Hackers Took Trillions in Intellectual Property from about 30 Multinational Companies.” CBS News, CBS Interactive, 4 May 2022, www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinationa l-companies/. 

24. Wernau, Julie. “Forced Tech Transfers Are on the Rise in China, European Firms Say – WSJ.” Wall Street Journal, 20 May 2019, www.wsj.com/articles/forced-tech-transfers-are-on-the-rise-in-china-european-firms-say-11558344240. 

25. “European Chamber Report on China’s Corporate Social Credit System a Wake-up Call for European Business in China.” European Union Chamber of Commerce in China Home, 28 Aug. 2019, http://www.europeanchamber.com.cn/en/press-releases/3045/european_chamber_report_on_china_s_corporate_social_credit_system_a_wake_up_call_for_european_business_in_china. 

26. Pham, Sherisse. “Sinovel: Chinese Wind Firm Found Guilty of Stealing U.S. Secrets.” CNNMoney, Cable News Network, 25 Jan. 2018, money.cnn.com/2018/01/25/technology/china-us-sinovel-theft-conviction/index.html. 

27. Enright, Michael. “China’s Deteriorating FDI Environment for Foreign Firms: Article.” Hinrich Foundation, 10 Sept. 2024, www.hinrichfoundation.com/research/article/us-china/rising-challenges-for-foreign-firms-in-china/. 

28. Bradsher, Keith. “How China Obtains American Trade Secrets.” The New York Times, The New York Times, 15 Jan. 2020, http://www.nytimes.com/2020/01/15/business/china-technology-transfer.html. 

29. Ciuriak, Dan. “The Digital Revolution Has Transformed Geopolitics.” Centre for International Governance Innovation, http://www.cigionline.org/articles/the-digital-revolution-has-transformed-geopolitics/.