Rapidly Implementing a Chinese Data Security Regime

Publication: China Brief Volume: 21 Issue: 14

Image: A screenshot of the CAC’s announcement that it will conduct cybersecurity reviews into three companies that recently listed abroad, based on concerns that the export of Chinese data could impact “national security” and “public interest” (Source: Sohu).

The Cyberspace Security Review Office (网络安全审查办公室, wangluo anquan shencha bangongshi) of the Cyberspace Administration of China (CAC, 国家互联网信息办公室, guojia hulianwang xinxi bangongshi) launched a cybersecurity review of the Chinese ride-hailing giant Didi Chuxing on July 2, days after it had listed on the New York Stock Exchange. On July 4, the CAC announced that it had found “serious violations of the collection and use of personal information” by Didi and banned the app on online platforms. The next day, the cybersecurity review office reported that it had launched similar investigations on “national security” grounds into the logistics apps Yunmanman (运满满) and Huochebang (货车帮), as well as the recruiting app BOSS Zhipin (BOSS直聘), which had all recently listed in the U.S. (South China Morning Post, July 5).

Media reports earlier this year indicated that Chinese regulators were increasing their focus on data security, targeting the American electric vehicle company Tesla over concerns that the company’s user data collection could infringe upon privacy and national security concerns. While Tesla refuted these claims, it also promised to develop a China-based data center and increase transparency to appease the Chinese government (CNET, May 24). It now appears that, in combination with an anti-monopoly campaign that has particularly targeted financial technology (fintech) companies such as Alibaba and Tencent, data security represents the latest field in which the state is seeking to tighten its control over a sector that was once notorious for its loose regulation. Didi, along with nine other industry leaders in on-demand transport services, was also cited by the powerful State Administration for Market Regulation (SAMR) in May (Caixin, July 5).

An Evolving Legal Framework for Data Security

On July 10, the CAC released a draft revision to the Cybersecurity Review Measures ([网络安全审查办法], Wangluo anquan shencha banfa, hereafter “Measures”) (Cac.gov.cn, July 10), which laid out a system of security reviews for any products and services used by “critical information infrastructure” (关键信息基础设施, guanjian xinxi jichu sheshi) operators in China. Article 1 of the revised Measures noted that they were in accordance with the 2015 National Security Law (NSL, [国家安全法], Guojia anquan fa), the 2017 Cybersecurity Law (CSL, [网络安全法], Wangluo anquan fa), and also the Data Security Law (DSL, [数据安全法], Shuju anquan fa), newly promulgated in June (Cac.gov.cn, July 10; Xinhua, June 11). In combination with the Personal Information Protection Law (PIPL, [个人信息保护法], Geren xinxi baohu fa), which is expected to be published later this year, the CSL and DSL make up the basic legal framework for governing the Chinese Internet.

The largest change in the revised Measures came in a newly added Article 6, which clarified that companies handling the data of more than 1 million users listing in foreign markets must undergo a cybersecurity review. Apart from this, the revised Measures also included updated language about the risk that companies listing overseas could expose “core data, important data or large amounts of personal information” to being “stolen, leaked, damaged, or illegally used and exported…or [be] maliciously used by foreign governments” (DigiChina, July 12). The state’s concerns were stated even more bluntly by a foreign ministry spokesperson, who recently complained about the U.S. government’s nontransparent data collection practices and concluded, “the U.S. is the biggest threat to global cybersecurity” (Global Times, July 5).

According to Lu Chuanying (鲁传颖), director of the Cyberspace International Governance Research Center at the Shanghai Institute of International Studies, while the PIPL aims to treat data security issues from an individual-centered privacy perspective, the DSL is aimed at ensuring Chinese data sovereignty from the perspective of the state. Lu argued that the implementation of the two laws would need to be closely coordinated to effectively manage China’s complex data security issues while simultaneously leaving room for the continuing development of data as an economic resource (Global Times, May 27, 2020). A State Council opinion from 2020 similarly noted that data should be considered a “fifth productive factor” necessary to stimulate market vitality and economic development, alongside land, labor, capital, and science and technology (Xinhua, April 9, 2020).

In an effort to balance the competing interests of security and development, the final draft of the DSL called for the establishment of a data classification system that protects “core” and “important” data while also allowing less sensitive data to circulate and boost the digital economy. Still, because the legal definitions of what constitutes “core” data remain vague, ambiguity remains high. The recent crackdown against Didi and other companies engaged in cross-border data transfers appears to signal that when it comes to data that is circulated outside of China, regulators have chosen to prioritize security (SCMP, July 11).[1] 

Development vs. Controllability

New guidance jointly published by the General Offices of the Chinese Communist Party (CCP) Central Committee and the State Council on July 6, titled “Opinion on Strictly Cracking Down on Illegal Securities Activities in Accordance With the Law” ([关于依法从严打击证券违法活动的意见], Guanyu yifa congyan daji zhengquan weifa huodong de yijian) (Xinhua, July 6), sought to strengthen interagency oversight and elevate the role of the CAC in overseeing Chinese technology firms with large data businesses.

A commentary published by the powerful Central Commission for Discipline Inspection (CCDI) made the document’s intentions clear: in the government’s eyes, data is closely related to national security and must be controlled. Although the huge amount of user data generated by internet companies has the potential to add economic value, issues such as cross-border data flows and data leakage also pose a major security risk to the state (Npc.gov.cn, July 7). According to Xu Ke, a law professor at the University of International Business and Economics, the free flow of data enshrined in the 2021 DSL is circumscribed by an equally important concept: the secure flow of data (Quartz, July 7). While these two concepts should ideally be balanced against one another, the early implementation of China’s data security regulations shows that they remain in conflict, causing confusion among data producers (i.e., technology companies) and consumers alike.

At the 2021 China Internet Conference, participants called data the “core production factor of the digital economy,” and a keynote speaker called on Chinese companies to also participate in data governance, noting that the coordination for data management within the existing state bureaucracy remains opaque and that the technical systems for data collection and application remain immature. As a result, one researcher noted, evaluation, including self-inspection on the part of data companies, will be a key aspect of improving the data security governance regime (People’s Daily Online, July 16).


In many ways, the complex debates over data security that are taking place in China right now mirror discussions that are being held around the world. The venture capitalist Lillian Li has noted that although there is a global conversation happening about the “need to rebalance power between state, tech[nology] players and consumers [that] calls for more regulatory intervention,” China’s legal and economic frameworks are also relatively underdeveloped. As a result, Li notes, “A key theme that runs through Chinese tech is that as a developing country with under-developed institutions, technology isn’t augmenting existing institutions, but creating them” (Lillian Li via Substack, July 15). Now Chinese regulators are still working to catch up to established Western practices even as they deal with some of the world’s most expansive data collection networks.

On some issues, such as consumer privacy, Chinese laws are at the cutting edge of global data regulatory frameworks (DigiChina, January 4), and the state’s antitrust and data security crackdowns against domestic technology companies appear to be responsive to citizens’ concerns about market competition and privacy. But China’s support for data localization and cyber sovereignty also risks splintering international free data flows, which would hurt development both inside and outside of China. In addition, although Chinese regulators are in the process of establishing a robust framework to hold companies’ data collection accountable, the extent to which its laws will apply to state organs’ data collection remains very much in question (Brookings, January 29).

China’s 14th Five Year Plan for development highlighted the importance of accelerating “informatization” and the construction of China as a “digital superpower,” which theoretically includes the sharing and public disclosure of government-held data (Cac.gov, March 15; Gov.cn, July 27, 2016). But the recent revelation that an official online database of Chinese court data inexplicably shrank by close to 10 percent has raised concerns for activists about the transparency of China’s informatization initiatives (China Digital Times, June 29). Under CCP General Secretary Xi Jinping, the increasingly authoritarian Chinese state has worked to undermine freedom of expression, rule of law, universal human rights and civil society’s ability to hold the government accountable, often with the aid of intrusive surveillance technologies. Given this reality, it is unlikely that the state’s rapidly developing data security regime will be able to meaningfully protect citizens against government overreach and abuse.

Elizabeth Chen is the editor of China Brief. For any comments, queries, or submissions, feel free to reach out to her at: cbeditor@jamestown.org.


[1] Other governments are also wrestling with the question of determining what types of data constitute a national security concern. In the U.S., despite the government signaling last summer that it would ban the popular video-sharing app TikTok over national security concerns, a recent technical analysis by the Canadian research group CitizenLab found that TikTok did not appear to demonstrate overtly malicious behavior, and that its user data practices appeared to be in line with Western industry norms (CitizenLab, March 22).