he views expressed below are those of the author and do not necessarily reflect those of the Carr-Ryan Center for Human Rights or Harvard Kennedy School. These perspectives have been presented to encourage debate on important public policy challenges.
A Commentary on Why Global AI Governance is Failing Human Rights
1. None of the Three Major Regulatory Regimes on AI Genuinely Serves Human Rights
For AI regulation to genuinely serve human rights, three conditions must be met simultaneously. First, there must be governance reach: the practical capacity to make and enforce rules over the main developers and deployers of AI—jurisdictional scope, enforcement authority, and enough geopolitical and market leverage to ensure that rules are not simply circumvented.
Second, there must be technological power: a meaningful concentration of frontier AI development, compute infrastructure, and data ecosystems within, or subject to, the regulating jurisdiction. Without this, a regulator is always chasing systems it did not build and does not fully control.
Third, there must be rights commitment: a credible, institutionally embedded dedication to human rights—privacy, non-discrimination, freedom of expression, due process, and human dignity—that is not conditional on the interests of the state or the market, but functions as a genuine constraint on both.
These three conditions are not merely desirable features of governance. They are indeed jointly necessary for AI regulation to genuinely serve human rights.
These three conditions are not merely desirable features of governance. They are indeed jointly necessary for AI regulation to genuinely serve human rights. Governance reach without rights commitment produces enforced repression. Technological power without governance produces unaccountable systems whose harms are distributed invisibly across populations. Rights commitment without technological power produces principled regulation of systems the regulator does not build and cannot fully steer.
The global landscape of AI regulation presents a troubling picture precisely because no single jurisdiction combines all three. (Also see here my 2018 piece on the urgent need for a bigger agenda around human rights and AI: this commentary is a way of taking stock of where things stand.) Looking at the three major regulatory regimes—China, the United States, and the European Union—one finds that each actor possesses at most two of these conditions, and in each case the missing element is critically damaging. This trilemma reflects deeper structural features of each jurisdiction—the political logic of party-state authoritarianism, the political economy of corporate-driven innovation, and the industrial constraints of a trade bloc without a dominant technology sector of its own.
Let me clarify why I call this phenomenon a “trilemma.” A trilemma is a situation in which there are three options or goals, and you cannot fully achieve all three at once; at least one must be sacrificed or weakened. In our case, however, the good news is that all three criteria can, in principle, be satisfied together, and for each of the three regimes one can imagine concrete steps to achieve that.
I still use the language of a trilemma because these three regimes are the main politically significant regulatory models that currently exist in the world, and this configuration is relatively stable. From the perspective of countries outside these three major blocs, the differences in AI regulation among them present a genuine trilemma. These countries must decide how to position themselves in relation to each bloc—and whatever choice they make carries real costs and trade-offs. Moreover, it will be difficult to reform any of them from within so that they fully meet all three criteria—though it is not impossible. In principle, each regime could be reformed to do so.
2. China: Governance Reach Without Rights Commitment
China has governance reach and significant technological power, but its regulatory framework is in ongoing tension with human rights—and perhaps even fundamentally incompatible with them. Over the last twenty years, China has updated its governance system to keep pace with fast-moving digital developments—but has done so in loyalty to the principle of party rule.
This is not a failure of regulatory ambition; China has enacted an extensive body of digital law, including the Cybersecurity Law (2017), the Data Security Law (2021), and the Personal Information Protection Law (2021), which on paper bears resemblance to Europe’s GDPR. But all of these instruments are explicitly subordinated to the requirements of “national security” and “social stability,” which in practice means the requirements of Communist Party control.
Regulation includes provisions preventing technology from being used for subversive purposes, meaning that rights protections exist only where they do not conflict with political control. Data protection norms apply horizontally between citizens and corporations, but vertical state access to data is preserved without meaningful independent oversight. The result is a system that provides the appearance of rights-oriented governance while maintaining the infrastructure of surveillance and control intact.
The consequences are concrete and severe. The social credit system — an interlocking set of financial blacklists, regulatory scoring, and local government experiments—makes algorithmic governance of citizens pervasive and operational. Whatever the distance between the system as it actually operates and the more lurid descriptions sometimes offered in Western media, the direction of travel is clear: automated, data-driven evaluation of citizen behavior by the state, with real consequences for mobility, employment, and access to services, and with minimal procedural safeguards or avenues for meaningful challenge.
It is worth pausing here to acknowledge that China is not a monolithic regulatory entity. Regional variation in AI governance is real and significant. Beijing, Shanghai, Shenzhen, and Guangdong function as semi-designated innovation zones with their own municipal AI frameworks and somewhat more permissive development environments. The social credit system in particular is frequently mischaracterized in Western accounts as a single, nationally unified scoring mechanism—it is in reality a collection of local experiments, sectoral corporate compliance systems, and national blacklists for specific violations, varying enormously in scope and sophistication across localities.
Acknowledging this variation is not merely a gesture toward nuance; it is analytically important. But it does not alter the structural diagnosis. Regional variation in China exists within a framework that ultimately reports to central party authority. Innovation zones are centrally authorized experiments, not independently governed spaces, and they can be redirected when political priorities demand it. No region of China has developed institutional checks on party authority over digital systems or rights protections that genuinely constrain state data access. And the direction of variation matters: localities compete to demonstrate technological leadership and alignment with central development goals, not to provide stronger rights protections.
The case of Hong Kong is the limiting illustration, and since the recent developments in Hong Kong matter greatly in the human rights community, it is worth saying just a bit more on Hong Kong. When the former British colony was handed over in 1997, Beijing promised it would give the city fifty years to keep its capitalist system and enjoy many freedoms not found in mainland Chinese cities. But this promise has not been kept. In 2020, Beijing imposed a sweeping National Security Law on Hong Kong. Since then, authorities have arrested numerous pro-democracy activists, lawmakers, and journalists, and have curtailed voting rights, press freedom, and freedom of speech. In March 2024, Article 23 was passed, an expansion of the 2020 law that broadens the definition of external interference and espionage and thereby further erodes the city’s rights and freedoms.
The structural implication is significant: where governance reach and AI capability are high but rights commitments are absent or at the very least highly uneven, regulation becomes a force multiplier for repression rather than a constraint upon it.
Media tycoon and outspoken pro-democracy advocate Jimmy Lai has become one of the best-known faces of this crackdown. Arrested in 2020, he was found guilty years later in a high-profile trial of colluding with foreign forces, namely the United States, under the national security law and sentenced to twenty years in prison at age seventy-eight.
The same legal framework used to silence Lai and restrict the press also governs data access, platform regulation, and the subordination of algorithmic tools to party authority. The trajectory of Hong Kong illustrates the same structural principle that governs China’s entire digital regulatory architecture: formal legal protections — whether for civil liberties, press freedom, or data privacy—persist only until they conflict with the requirements of party control, at which point they are overridden without meaningful institutional check.
Read more
