Horizontalizing Insecurity or Securitizing Privacy? Two Narratives of a Rule-of-Law Misalignment between a Special Administrative Region and Its State

Data protection is generally surmised as antithetical to State surveillance and regulatory intrusiveness into the measures that businesses adopt to ensure the security of personal data. This originates in an ancient, West-rooted understanding of the 'rule of law' as the ultimate shield of 'the private' sphere against 'the public' sovereign power. Therefore, through Western lenses, data protection and State securitization of citizens' data cannot be but a dichotomy. This article challenges such a presumption, arguing that a no less legitimate view of what the 'rule of law' stands for gives rise to both a vertical and a horizontal attitude towards privacy regulation. By scrutinizing the Cathay Pacific data breach and its consequences for passengers' records in terms of corporate liability, this analysis posits that China and one of its special administrative regions, Hong Kong, display the facets of a horizontal and vertical policy approach to data protection respectively. Comparative observations demonstrate that against a context of increasingly pervasive cyberattacks, a fair degree of State oversight in corporate cyberspace regulation is not necessarily to be rejected. In fact, State 'interventionism' to prevent cyberattacks seems a legitimate outlook on data protection, which, while possibly impairing citizens' privacy vertically vis-a-vis the government, greatly enhances such a privacy horizontally by constraining exposure to data misappropriation by non-governmental (home and foreign) cybercriminals. These two 'Chinese' approaches can be synthesized and might, indeed, coalesce into an international rule of law, to be based on moderate State assertiveness to prevent data breaches in the cyberspace.