Until recently, the Chinese Cyberspace Administration (CAC), which helps censor China’s internet behind the Great Firewall, had rarely been involved with companies’ plans to go public.
By the time the CAC was created in 2011, the path for Chinese firms to sell shares in places like Hong Kong and New York was already a well-trodden route for lawyers and investment bankers. Like other administrative bodies in China, the CAC can offer suggestions to businesses, but it is not a legally binding gatekeeper of initial public offerings (IPOs).
Do you have questions about the biggest topics and trends from around the world? Get the answers with SCMP Knowledge, our new platform of curated content with explainers, FAQs, analyses and infographics brought to you by our award-winning team.
The listing was a huge success for the company, which bested Uber in the Chinese market to dominate ride-hailing in the country. Didi pulled in US$4.4 billion in what was the largest public listing for a Chinese company this year in the world’s premier capital market. But the euphoria was short-lived. Two days later, the CAC announced its cybersecurity review into the company, sending Didi’s stock price cratering. Class action suits are now being filed in the US, and company executives have become incommunicado.
In a further move, the cyberspace watchdog on Saturday announced a new draft proposal that would require Chinese tech firms with more than 1 million users to undergo a cybersecurity review before being allowed to list on foreign exchanges.
The web of cybersecurity regulations that ensnared Didi have been in the works for nearly two decades, said Henry Gao, associate professor of law at Singapore Management University.
“China has attached high importance to data as President Xi believes that ‘there is no national security without data security’,” Gao said. “The emphasis is to make sure that ‘important data’ does not fall into the wrong hands, which is why Didi was investigated in the current case.”
One of the most important pieces of this puzzle is the Cybersecurity Law that went into effect in 2017. While the European Union has prioritised privacy with its General Data Protection Regulation (GDPR) and the US has protected commercial interests, the Chinese government has written its own interests into the Cybersecurity Law, which requires stakeholders to “safeguard cybersecurity, protect cyberspace sovereignty and national security”.
In the intervening years, China has accelerated the development of its data governance regime. Just this year, Beijing introduced the Data Security Law (DSL), which takes effect in September, and has an upcoming Personal Information Protection Law that is still under review. The haphazard patchwork of laws and regulations has turned into one of the most sophisticated regulatory frameworks in the world, with Beijing seeking to maintain a tight grip on data while unleashing its economic potential and protecting consumer privacy.
The DSL calls for the establishment of a data classification system that protects what is considered “core data” and “important data”, but it allows for less sensitive data to be used in boosting the digital economy.
Under the law, companies that transfer core data overseas without proper regulatory approval will face a penalty of up to 10 million yuan (US$1.54 million) and could be forced to shut down. Companies that hand over important data to a foreign judiciary or law enforcement agency without prior approval could also be fined up to 5 million yuan.
“Cross-border data transfer is more sensitive,” said Robin Huang, a law professor at the Chinese University of Hong Kong. “Maybe this kind of data is not that sensitive domestically, but once it is transferred to other countries, the sensitivity level will be much higher. Because that means the Chinese government is losing control of that data.”
While the classification framework has yet to be established, authorities have signalled that the data held by Didi was too important to go abroad. It came to the same conclusion for three other apps whose operators recently went public in the US – online recruiting platform Boss Zhipin and Full Truck Alliance’s truck-hailing services Yunmanman and Huochebang. All of these companies are now facing cybersecurity reviews by the CAC.
The Central Commission for Discipline Inspection, the Communist Party’s highest internal control organ, wrote in an article that these companies hold massive amounts of data that “directly or indirectly” reflects China’s circumstances, including population distribution, commercial hotspots, geographic mobility and business operations.
“Didi has a mass of data, which may even include the transportation records of people working for the government,” Huang said. “In the past, the data might just be a piece of paper or a chart, and people may just use [the leaked] data to sell stuff by phone. But as the technology develops, the magnitude is totally different now.”
Beijing’s turn towards national security as the main principle for managing the internet has partly been influenced by its worsening relationship with the US.
While the two countries have always had an uneasy relationship regarding activities in cyberspace, particularly after US whistle-blower and former National Security Agency employee Edward Snowden exposed US global surveillance operations, the two countries have been locked in an escalating tech war.
The probe into Didi has to be read in the context of tightened scrutiny of Chinese companies listing in the US, said Angela Zhang, director of the Centre for Chinese Law and associate professor at the University of Hong Kong.
In the final months of Donald Trump’s administration, lawmakers signed the Holding Foreign Companies Accountable Act, prohibiting foreign companies from listing in the US if the company has failed to comply with audits for three years in a row. The audits, however, have caused concerns among Chinese regulators that sensitive data will be turned over to the US, leaving Beijing and Washington in a gridlock.
“The US is in the process of pressuring [Chinese companies] to turn over more data to the US regulator, including the audit working papers from the accounting firms,” said Zhang. “That worried the Chinese cyberspace regulators that this might lead to some potential leakage of data that could pose a threat to national security.”
The deteriorating relationship between the two superpowers has nudged regulators in China to adopt a more cautious approach in managing cross-border data.
Beijing is now discouraging listings of Chinese tech firms abroad with new rules this week on IPOs, stressing the need to protect data security.
“Tech companies will now start to mind the cybersecurity and data protection compliance in China before getting listed, and CAC will take the central role in regulating the companies in this respect,” said James Gong, a lawyer at Herbert Smith Freehills.
Regulators may soon close a loophole that tech firms have been using to avoid Chinese laws restricting foreign investment, which involved incorporating overseas as what are called variable interest entities (VIEs). Under new rules, Chinese companies seeking to go public as VIEs would need approval from regulators, according to a Bloomberg report citing people familiar with the matter.
“In the past, going [for an] IPO in New York has been a significant milestone for tech companies in China, but this might not be politically correct nowadays, ” said Lee Jyn-An, a law professor at the Chinese University of Hong Kong. “Given the tensions between China and the US, Beijing certainly does not want these companies to be subject to more US influences, whether that is the US capital market regulations or US shareholders.”
Lee said data localisation requirements will certainly affect Chinese companies trying to go global. “It in essence would mean a segregation of the global information system into one distinct system for China and one for the rest of the world,” he said. “It will further isolate the domestic internet from the rest of the world, and its major impact on domestic internet companies is that they will find it harder to expand overseas.”
China is not alone in setting up data borders on national security grounds. TikTok, owned by Beijing-based ByteDance, lost the Indian market after a deadly border clash between the two countries in June last year. TikTok was then put on a list of 59 Chinese apps banned in India, which had previously been the app’s largest market by user base.
Soon after, then US president Donald Trump sought to ban TikTok and WeChat, the messaging app owned by Tencent Holdings, in the US by issuing executive orders, citing national security concerns. The orders were quickly challenged in court and never took effect, eventually being overturned by current President Joe Biden.
In place of Trump’s orders, Biden issued a new one calling for a security review of apps associated with foreign adversaries. “Foreign adversary access to large repositories of United States persons’ data also presents a significant risk,” the order reads.
Both China and the US are concerned that their citizens’ data could be used to undermine national security, said Emmanuel Pernot-Leplay, researcher in data protection and cybersecurity law at Tilburg University in the Netherlands.
While the actual legal basis differs in the US and China, both cases show that privacy concerns about the cross-border transfers of personal data can be used for objectives going beyond mere compliance with cybersecurity and privacy rules, Pernot-Leplay said.
For China’s tech companies, that means the end of an era that introduced unfettered growth for tech companies leveraging their massive troves of data, with real consequences if they fail to comply with new regulations, experts say.
He Yuan, executive director of Shanghai Jiao Tong University’s Data Law Research Centre, said that many companies in China once regarded the country’s laws on data security as too abstract and only for show. New rules and actions by regulators have now shown that Beijing is not afraid to crack down on tech companies’ data practices.
“The enforcement of data regulations in China is real and can have serious consequences for companies,” said Pernot-Leplay. “Before, it was doubtful whether they were more than paper rights and obligations.”
Illustration: Lau Ka-kuen
This article China’s Big Tech face wake-up call as country’s web of data protection laws grows more elaborate first appeared on South China Morning Post