On June 10, 2021, China’s Standing Committee of the National People’s Congress passed the Data Security Law (DSL). The law had been under review since June 2020 and aims to further strengthen regulation on data collection, storage, and distribution across China’s rapidly growing digital economy. It stipulates a top-down coordination of data security practices and raises the stakes for compliance with strict fines and punishments for violators. Amidst an unprecedented regulatory crackdown that has defined the year for a wide range of Chinese industries, this law represents a broader transition for policymakers from reining in anti-competitive practices to addressing data handling and security.
The DSL focuses on two main tenets regarding the usage of data in China. Firstly, it categorizes sensitive data about national security and stipulates different data storage and exportation requirements by tier. Secondly, it advocates for anti-monopolistic collection and usage of data. In the case of Chinese ride-hailing giant Didi Chuxing Technology Co. (“Didi”), the firm’s data practices raised both flags, which led to a serious investigation that culminated in sweeping penalties. The Cyberspace Administration of China (“CAC”) and the State Administration for Market Regulation (“SAMR”) argued that Didi was anti-competitively using data for its own gain, and regulators noted that the firm’s offshore IPO in the United States could lead to the exportation of nationally sensitive data. As a result, regulators delisted the Didi app from app stores, barred new user registrations, and are planning a multi-billion-dollar fine for the company. The case has drawn international attention and, for those doing business in China, marks the beginning of a new compliance environment.
What Are China’s Data Security Laws?
At the moment, there are three laws related to data and information protection in China: The Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”), the Data Security Law (“DSL”), and the Personal Information Protection Law of the PRC (“PIPL”). The Cybersecurity Law was instituted in mid-2017, the DSL took effect as of September 2021, and the PIPL is set to launch in November 2021. Together, these three laws aim to build a comprehensive legal framework for data regulation.
What Does the Data Security Law Cover?
The Data Security Law is the only law of the three to focus exclusively on data and the companies and individuals that process it. Building on the framework of its predecessor, the Cybersecurity Law, the DSL goes on to construct a system that regulates nationally sensitive data. Together, the Cyberspace Administration of China and the National Security Commission now oversee the nationally standardized categories for data classification and have built systems to collect and assess the data-associated risks of organizations and individuals.
While the objective seems clear-cut, the business implications are anything but. In fact, the law itself lacks a clear definition of what “nationally sensitive data” is. As a result, organizations are left with little choice but to hike compliance costs amid little understanding of which set of requirements is applicable to them. For businesses, the law threatens heavy fines for failure to comply with “national core data” rules, which include exporting data to foreign authorities, failing to comply with data requests, or failing to fulfill data security obligations. In an all-too-familiar move, the DSL also makes specific mention of anti-competitive or illegal uses or collections of data, echoing sentiments from China’s Anti-Monopoly Law. The appearance of anti-monopoly rules in the law alludes to the blurring of regulatory lines between data security as it relates to national security and China’s mission to improve market quality through government oversight and regulation.
China’s Regulatory Crackdown and Data Security
The Rise of Anti-Monopoly Regulation
Currently, the Chinese government is in the midst of an unprecedented crackdown on some of the biggest internet companies in the world. The State Administration for Market Regulation (SAMR) has recently imposed a record fine on e-commerce giant Alibaba, initiated an antitrust probe into food delivery company Meituan, and levied fines against a multitude of other industry titans. Following the release of proposed changes to China’s Anti-Monopoly Law in early 2021, SAMR ordered these companies to conduct self-inspections for any practices that violate market regulation and warned of severe consequences for companies that did not adjust accordingly.
While these rules are severe, they mainly tackled the monopolistic practices that plague the Chinese economy. For example, regulators fined Alibaba 18 billion yuan (US$2.78 billion) in April 2021 after alleging that Alibaba had abused its market position by preventing merchants from using other e-commerce platforms. Similarly, SAMR charged Tencent with employing various anti-competitive practices across some of its business arms, notably including its exclusive control over music streaming services in China. Didi Chuxing, China’s ride-hailing giant, also fell victim to regulators as SAMR investigated whether the company attempted to squeeze out smaller ride-share rivals through anti-competitive pricing and marketing tactics.
What Is Driving China’s Clampdown on Didi and Data Security?
Across the board, these fines and restrictions have targeted anti-competitive practices. However, following the release of China’s Data Security Law, regulators began a new crackdown which focused more on corporate misuse of consumer data. This placed Didi at the center of regulatory crosshairs.
Nearly a month after the Data Security Law was passed in September 2021, officials from seven Chinese government departments visited Didi’s offices in Guangzhou to conduct a cybersecurity review. The CAC, SAMR, and five other departments visited Didi for a network security review after the CAC alleged that the ride-hailing company had illegally collected users’ data. Amid the review, Didi was required to stop new user registration and remove its app from Chinese app stores. This sent the company’s shares falling by over 7%. Once hailed as the most popular IPO listing of 2021, Didi saw its hopes for a smooth cash influx from US markets dashed by the sudden crackdown. As of October 2021, the company is still unable to register new users.
Another key risk to regulators was Didi’s overseas IPO. Given the expansive nature of Didi’s operations, the firm maintains a wide variety of Chinese user data, including user phone numbers that are linked to real names and identification. In the event of an IPO, Didi would likely have to comply with SEC policy that requires this data to be handed over for compliance audits. For Chinese regulators worried about national security and data leaks, this posed a significant threat should foreign governments have access to this information.
Looking Forward at Didi’s Future
What Are Didi’s Punishments?
In response to these violations, regulators weighed a wide range of punishments, including fines, operational suspensions, and the introduction of state-owned investors. There was also consideration of a possible forced delisting of Didi from US markets.
Months in, regulators are still deciding Didi’s punishment and the final ruling is still uncertain. However, it is expected that Didi will face a fine similar to the record-smashing US$2.78 billion penalty imposed on Alibaba. In addition, the CAC and SAMR are also expected to require that Didi hand over control of its data to another domestic auditor, such as a data security company owned by a state-owned enterprise. This body would then be able to access Didi’s servers across the entire country and track the company’s data collection, usage, and transfer operations.
Can Didi Compete Within China’s New Operating Environment?
With the investigation still ongoing, Didi’s future is dim – but not yet extinguished. Reports suggest that the company is in talks with Chinese state-owned information security firm Westone Information Industry Inc to hand over data management and monitoring responsibilities. Westone Information Industry Inc, more commonly known as Westone, would be the main third-party operator to manage Didi’s data stores. If successfully transitioned, Didi could then placate domestic regulators like the CAC and SAMR, as the burden of responsibility would be on Westone to maintain data usage in line with the regulatory requirements. Moreover, Westone is a subsidiary of the state-owned China Electronics Technology Cyber Security Co. Ltd, which gives it ties to the government and makes it an ideal candidate to take control over Didi’s data.
Didi’s current conundrum is a clear representation of the consequences of Beijing’s new push to rein in privately owned companies. After years of a relatively hands-off free market approach, Beijing is now turning to state-backed companies to assert control over private industry. It comes as little surprise that one of China’s largest tech companies would be the first casualty of regulators’ shifting priorities; after all, as the Chinese idiom goes: “kill one to warn a hundred.”