China’s Big Tech faces wake-up call as country’s web of data protection laws becomes more elaborate
- A cybersecurity review into ride-hailing firm Didi kicked off a new era in China that prioritises data security over unfettered growth for tech companies
- Regulators in Beijing are cracking down on overseas listings, fearful that US data disclosure rules could compromise national security
By the time the CAC was created in 2011, the path for Chinese firms to sell shares in places like Hong Kong and New York was already a well-trodden route for lawyers and investment bankers. Like other administrative bodies in China, the CAC can offer suggestions to businesses, but it is not a legally binding gatekeeper of initial public offerings (IPOs).
Why China is tightening control over cybersecurity
In a further move, the cyberspace watchdog on Saturday announced a new draft proposal that would require Chinese tech firms with more than 1 million users to undergo a cybersecurity review before being allowed to list on foreign exchanges.
The web of cybersecurity regulations that ensnared Didi has been in the works for nearly two decades, according to Henry Gao, associate professor of law at Singapore Management University.
“China has attached high importance to data as President Xi believes that ‘there is no national security without data security’,” Gao said. “The emphasis is to make sure that ‘important data’ does not fall into the wrong hands, which is why Didi was investigated in the current case.”
One of the most important pieces of this puzzle is the Cybersecurity Law that went into effect in 2017. While the European Union has prioritised privacy with its General Data Protection Regulation and the US has protected commercial interests, the Chinese government has written its own interests into the Cybersecurity Law, which requires stakeholders to “safeguard cybersecurity, protect cyberspace sovereignty and national security”.
The DSL calls for the establishment of a data classification system that protects what is considered “core data” and “important data”, but it allows for less sensitive data to be used in boosting the digital economy.
“Cross-border data transfer is more sensitive,” said Robin Huang, a law professor at the Chinese University of Hong Kong. “Maybe this kind of data is not that sensitive domestically, but once it is transferred to other countries, the sensitivity level will be much higher. Because that means the Chinese government is losing control of that data.”
The Central Commission for Discipline Inspection, the Communist Party’s highest internal control organ, wrote in an article that these companies hold massive amounts of data that “directly or indirectly” reflects China’s circumstances, including population distribution, commercial hotspots, geographic mobility and business operations.
“Didi has a mass of data, which may even include the transportation records of people working for the government,” Huang said. “In the past, the data might just be a piece of paper or a chart, and people may just use [the leaked] data to sell stuff by phone. But as the technology develops, the magnitude is totally different now.”
Beijing’s turn towards national security as the main principle for managing the internet has partly been influenced by its worsening relationship with the US.
The investigation of Didi has to be read in the context of tightened scrutiny of Chinese companies listing in the US, according to Angela Zhang, director of the Centre for Chinese Law and associate professor at the University of Hong Kong.
Hong Kong and the US: how much do they rely on each other economically?
In the final months of the Trump administration, lawmakers signed the Holding Foreign Companies Accountable Act, prohibiting foreign companies from listing in the US if the company has failed to comply with audits for three years in a row. The audits, however, have caused concerns among Chinese regulators that sensitive data will be turned over to the US, which has left Beijing and Washington in a gridlock.
“The US is in the process of pressuring [Chinese companies] to turn over more data to the US regulator, including the audit working papers from the accounting firms,” Hong Kong University's Zhang said. “Chinese cyberspace regulators worried that this might lead to some potential leakage of data that could pose a threat to national security.”
The deteriorating relationship between the two superpowers has nudged regulators in China to adopt a more cautious approach in managing cross-border data.
Beijing is now discouraging listings of Chinese tech firms abroad with new rules this week on IPOs, stressing the need to protect data security.
“Tech companies will now start to mind the cybersecurity and data protection compliance in China before getting listed, and CAC will take the central role in regulating the companies in this respect,” said James Gong, a lawyer at Herbert Smith Freehills.
Regulators may soon close a loophole that tech firms have been using to avoid Chinese laws restricting foreign investment, which involved incorporating overseas as what are called variable interest entities. Under new rules, Chinese companies seeking to go public as VIEs would need approval from regulators, according to a Bloomberg report citing people familiar with the matter.
“In the past, going [for an] IPO in New York has been a significant milestone for tech companies in China, but this might not be politically correct nowadays, ” said Lee Jyn-An, a law professor at the Chinese University of Hong Kong. “Given the tensions between China and the US, Beijing certainly does not want these companies to be subject to more US influences, whether that is the US capital market regulations or US shareholders.”
Lee said data localisation requirements will certainly affect Chinese companies trying to go global. “It in essence would mean a segregation of the global information system into one distinct system for China and one for the rest of the world,” he said. “It will further isolate the domestic internet from the rest of the world, and its major impact on domestic internet companies is that they will find it harder to expand overseas.”
In place of Trump’s orders, Biden issued a new one calling for a security review of apps associated with foreign adversaries. “Foreign adversary access to large repositories of United States persons’ data also presents a significant risk,” the order reads.
Both China and the US are concerned that their citizens’ data could be used to undermine national security, said Emmanuel Pernot-Leplay, researcher in data protection and cybersecurity law at Tilburg University in the Netherlands.
While the actual legal basis differs in the US and China, both cases show that privacy concerns about the cross-border transfers of personal data can be used for objectives going beyond mere compliance with cybersecurity and privacy rules, Pernot-Leplay said.
For China’s tech companies, that means the end of an era that introduced unfettered growth for tech companies leveraging their massive troves of data, with real consequences if they fail to comply with new regulations, according to experts.
He Yuan, executive director of Shanghai Jiao Tong University’s Data Law Research Centre, indicated that many companies in China once regarded the country’s laws on data security as too abstract and only for show. New rules and actions by regulators have now shown that Beijing is not afraid to crack down on tech companies’ data practices.
“The enforcement of data regulations in China is real and can have serious consequences for companies,” said Pernot-Leplay. “Before, it was doubtful whether they were more than paper rights and obligations.”
Illustration: Lau Ka-kuen