The escalating economic and political tensions between China and the U.S have obscured a surprising and largely unrecognized area of convergence.\u00a0 China is moving toward the West on consumer data protection policy.\nA recent op ed piece in FT summed up the prevalent, but mistaken, idea that \u201cprivacy simply isn\u2019t an issue in China.\u201d Baidu\u2019s Robin Li also reflected this erroneous view with his recent comment that \u201cthe Chinese people are more open or less sensitive about the privacy issue.\u201d This cultural difference is supposed to give China an advantage over more privacy-protective regimes in developing cutting edge technologies like artificial intelligence.\nBut this bit of received wisdom just isn\u2019t so. As the Economist and the New York Times reported earlier this year, increased abuse of consumer data by Chinese companies has prompted government measures at the local and national level to protect consumers. \u00a0A thorough paper from the Center for Strategic and International Studies lays out the details of China\u2019s expanding data protection regime.\nHow does China\u2019s consumer data protection system work?\nData protection was a requirement in China\u2019s 2014 proposal for social credit systems to assess people\u2019s trustworthiness.\u00a0 Critics complained that this system could lead to an intrusive society resembling the Black Mirror episode Nosedive\nBut critics missed the proposal\u2019s explicit data protection requirements. The systems could be developed only on the basis of the \u201cprotection of personal privacy.\u201d The \u201cinfringement of personal privacy\u201d by credit service organizations was \u201cunlawful\u201d and would be subject to \u201cprosecution.\u201d\nThese were not just empty words. Pursuant to this national data protection requirement, the Beijing Municipal Government recently released regulations for its public credit scores that banned the use of irrelevant private information including religious belief, genetic details, fingerprint, blood type and medical history.\nThe separate private credit scoring systems developed by Chinese companies also protect consumers by eschewing the use of irrelevant user data. For instance, Alibaba\u2019s Sesame Credit says it tracks the "financial and consumption activities of our users\u201d but \u201cmaterials published on social media platforms do not affect our users' personal Sesame Credit score.\u201d\nTo enforces these rules, Chinese agencies oversee commercial data practices and order companies to correct abuses. For instance, in January 2018, the Cyberspace Administration of China required Ant Financial to adjust a default setting on its Alipay wallet, which granted its commercial partners automatic access to users' credit records.\nMost importantly, China\u2019s new Cybersecurity Law provides a national legal framework for consumer data protection. Companies must \u201cstrictly maintain the confidentiality of user information they collect\u201d; they must explicitly state \u201cthe purposes, means, and scope for collecting or using information, and obtain the consent of the person whose data is gathered.\u201d They are strictly forbidden from extraneous data collection \u201cunrelated to the services they provide.\u201d\u00a0\nData protection is a technological and policy challenge shared by all digital economies\nThese Chinese data protection measures mirror requirements in Europe\u2019s tough new General Data Protection Regulation that goes into effect on May 25. In fact, China\u2019s new law is even more stringent in that it \u201cmakes consent the only legal ground for collection and use of personal information data,\u201d while Europe\u2019s regulation allows multiple other legal bases for data processing.\nAll modern digital economies face the challenge of how to protect consumers from harm while allowing valuable data uses. Some commentators think Europe\u2019s regulation is too stringent, a triumph of process over genuine data protection, and they prefer the U.S system which allows greater freedom to use data for valuable purposes.\nChina is wrestling with the same dilemma. \u00a0Its specification implementing the Cybersecurity Law creates more flexibility than is in the law itself by allowing companies to collect information without consent when it is needed to complete a transaction or to protect their service or network.\nThe European, U.S. and Chinese data protection regimes might differ in their details but they share a family resemblance that reflects their origin in this common technological challenge.\nConvergence on consumer data protection policy is an important but limited development\nChina\u2019s law enforcement and security agencies will continue to monitor online activities to ensure political stability. Its developing public credit systems will enforce social control. It will maintain its successful but unorthodox industrial policy in its \u201cMade in China 2025\u201d initiative to foster domestic high-tech industries. And its governance structures will continue to rely on meritocratic methods of training and selecting its ruling elite.\nSome commentators predict more macro convergence as \u201cthe new technologies of the knowledge society both require and enable more intelligent structures of governance.\u201d\u00a0 Indeed, shared technological imperatives could foster a broader synthesis that embodies the best in our differing political and philosophical traditions.\u00a0\nBut such a synthesis is for the middle-distance future. We need not wait for the convergence of larger political institutions to recognize that on specific policy problems like data protection we have already come closer together than we had imagined and might have something to learn from each other.