I think it should be sufficient for countries to put in place laws that make it illegal for tech companies to "export" personal information to jurisdictions that do not have equivalent privacy protections in place. If tech companies must comply with American law in order to serve American users, and then a company is found to break that law on behalf of the Chinese government, that would not just be an illegal action by the company, but also a diplomatic incident and perhaps an issue escalated to the WTO. Amazon, Facebook and Google have already been hit with fines for violating EU privacy law, so we know that this strategy works in principle. (I imagine the reaction would be more than a slap on the wrist if it turned out those companies were deliberately breaching EU citizens' privacy on behalf of the US government!) I think the US would be wise to adopt a similar approach, since it would show they still respect the so-called rules-based international order and aren't singling out Chinese tech companies per se.