In 2015, Time magazine included Lu Wei, then chief of the Cyberspace Administration of China, as one of the year’s 100 most influential figures, calling him “key” to the country’s future as a global cyberpower. That year, the only other Chinese official on the list was Chinese president Xi Jinping.
The accolade may as well have been a bull’s-eye.
Just one year later the flamboyant internet tsar was out of his post, swept up in Xi’s wide-ranging anti-corruption campaign. Looking back, Lu’s fall also foreshadowed the looming end of a more freewheeling period of tech regulations when authorities allowed internet firms to grow rapidly, amass massive power and even skirt the rules as long as they boosted the economy and China’s reputation. Or perhaps Chinese authorities were still unsure how to govern the quickly changing internet economy.
Since last year, however, China’s vision for the digital economy has become much clearer under a regulatory whirlwind. That has included reducing the power Alibaba and Tencent have to pick winners and losers across the economy thanks to their enormous amounts of capital, setting new rules for the enormous amounts of data that tech firms have acquired, and shutting down entire sectors that seem out of step with its plans to address inequality and other structural issues.
“It’s clear the administration under Xi’s leadership is much more ambitious with a systematic approach to centralize and restructure China’s cybersecurity policymaking,” said Min Jiang, a professor of communication studies at the University of North Carolina at Charlotte who researches internet policy in China.
The CAC had already become a powerful agency under Lu’s watch—but it has grown even more important and centralized in recent years. Its expansive powers mean it has few analogs in the world, especially in the west, where tighter regulation of Big Tech is also underway.
“Strictly speaking, neither the US nor EU has a single department that can be compared to the CAC in terms of authority,” said Xia Hailong, a lawyer with Shanghai Shenlun law firm, whose practice focuses on tech regulations. “Compared to China, whose internet regulatory power is concentrated, such power is more scattered in the US and EU.”
China, meanwhile, is proceeding at a speed and severity that has been unseen before—except in the country’s anti-graft crackdown on Communist Party officials (and Xi rivals). Now, the internet regulator is at the forefront of achieving Xi’s vision of harnessing China’s tech know-how and policy to turn the country into a “cyber great power.”
How the CAC became a super agency
Although the central government has always played a leading role in designing internet regulations, the space has also historically seen multiple agencies vying to assert their own control, a situation of “too many cooks in the kitchen,” according to a paper co-written by Jiang, the professor. The major regulatory forces shifted over time, from the Ministry of Industry and Information Technology in the 1990s to the State Council Information Office, where the forerunner of the current CAC was established in 2011 to take charge of internet content regulation. The new agency, which Lu was soon appointed to head, signified Beijing’s intention to build a “comprehensive system for cyberspace governance,” wrote Miao Weishan, a researcher from the Chinese Academy of Social Sciences, the country’s top think tank.
Over the years, the regulator has expanded its initial focus of censoring and guiding online content and news services. Along the way, Beijing has given it ever greater power, turning it one of the most feared government bodies for Chinese tech firms. While other agencies do also have considerable say over tech firms’ business operation–Ant Group’s overhaul was pushed by financial authorities, while Alibaba’s record $2.8 billion fine came from the antitrust regulator, the CAC has its sights on how tech firms manage their large pools of user data, a new regulatory sphere and a battlefront in the tech war between China and the US.
In 2014, as Xi moved to consolidate his power over the internet, the CAC was made answerable to a central cybersecurity and technology leadership group in the Communist Party under his command. During Xi’s first meeting with the oversight group, the Chinese leader famously raised the notion of China should become a “cyber superpower.” The buzzword has become a major theme in China’s internet governance and requires China to not only have its own advanced technologies but also shape the regulatory frameworks of the internet economy. Empowered by Xi’s endorsement that year, the CAC in 2014 arranged China’s first World Internet Conference, a venue for Beijing to lay out its vision for the internet, including “cyber sovereignty,” the idea that a nation’s sovereignty extends from its physical territory into cyberspace.
After the downfall of Lu, who hobnobbed with Silicon Valley leaders while vigorously defending China’s internet censorship to them, the president placed trusted aides at the helm of this important agency. Zhuang Rongwen, the CAC’s current director, had worked under Xi in the coastal Fujian province, where Xi served as a senior official. Far more low profile than Lu, Zhuang has keenly followed Xi’s instructions on how the Party should exert full control on the internet. Zhuang laid out his ambitious goals in his first major statement after assuming the role in 2018, urging officials to “safeguard national cyber sovereignty and realistically protect national security.” Under Zhuang, there are four deputy directors, two of whom have telecom and IT backgrounds.
The once fragmented authority over internet governance has been largely consolidated under the CAC, which plays the leading role of designing internet regulations and coordinating efforts with other departments to enhance the Party’s control on the internet. ”The CAC’s coverage is broad, covering things from content supervision to data security, and personal information protection—almost any areas of the internet,” said Xia, the lawyer.
Last month, the regulator dealt an unusually heavy blow to China’s ride-hailing giant Didi Chuxing, opening its first ever cybersecurity review of a tech firm, ostensibly due to concern that the company’s rushed US listing could lead Chinese user data to fall into the hands of the US. It then amended cybersecurity rules to prevent such a thing from happening again. Now, along with approval from financial or market regulators, Chinese tech companies seeking an overseas listing will have to seek approval from an office under the regulator, giving it even greater power to decide a company’s future.
The tech crackdown has sent investors running, and shaved $1.5 trillion from the combined market value of top Chinese tech firms listed in Hong Kong. Some fear that the government is hobbling a sector that has symbolized China’s rise.
But Jiang, the professor, doesn’t believe the moves signify the country is not invested in its tech firms’ continued success, as it addresses its security concerns around tech.
“Governments tend to put security concerns above other concerns,” she said. “However, most governments also do not wish to see their indigenous companies to fizzle and fail overseas, thus depriving the home country of tax revenues and cyber prowess. Every country, China included, is trying hard to strike the right balance.”
No analog in the US or Europe
For some observers, the biggest effort outside China to push back on large tech giants has been taking place in Europe, particularly in connection with user data and taxation. But given the complexities of the European Union, these efforts are far from centralized in the way Beijing’s are.
“In Europe, you have, country by country and sometimes regional regulators that are independent and can take action, but certainly not on the broad scope that set forth for the CAC,” said Justin Antonipillai, the founder and CEO of data privacy firm WireWheel, and a former Obama administration official.
Meanwhile, in the US, supervision over the internet is spread across different agencies, with the Federal Trade Commission among the most prominent. The agency has been faulted for its regulatory approach to giants like Google in the past, but looks set to take a more active role now. “We’ve seen more regulatory action from other regulators as well…but they’re very limited by contrast in what they can do,” said Antonipillai.
While the FTC mainly oversees issues like consumer protection, advertising, and antitrust, its ability to focus on the internet is limited by its range of responsibilities, noted Tom Wheeler, a visiting fellow at Brookings’ Center for Technology Innovation, making the case for a new internet-focused federal agency.” The vast scope of the FTC’s present responsibilities—as diverse as funeral director practices, robocalls, and labeling hockey pucks—means that the oversight of digital platform regulation must compete with the agency’s existing diverse responsibilities and limited resources,” wrote Wheeler earlier this year. “The scale of digital marketplace challenges simply exceeds the scope of existing regulatory agencies.”
The US’s Federal Communications Commission also shoulders some regulatory duties in the internet space, such as broadband access and spectrum.
However, unlike in China, the regulatory power of all of these US federal agencies is subject to legal review. Given the massive legal budgets of US tech giants, these court cases can drag on for months, or even years. In comparison, tech companies in China have very little room to negotiate with the CAC on its decisions. Most of the time, Chinese companies punished by the regulator quickly release statements promising to follow through with its decisions partly for fear of offending the agency.
When it comes to data security, most of the regulation in the US right now is coming from states, with California leading the way and other jurisdictions, such as Virginia and Colorado, following suit, Antonipillai told Quartz. The country has yet to have a principal data protection legislation.
Meanwhile, reflecting Xi’s focus on national security, the CAC has spearheaded the drafting of a cybersecurity review requirement for procurement that went into effect last year, and “critical information infrastructure” regulations set to go into effect next month. Last week it also passed a strict new data privacy law, aimed at curbing the intrusion of the private sector, rather than by the government. In a country that faces rising tensions with western countries and is pushing for self-reliance and security in tech supply chains and operations, the CAC will play a key role in ensuring companies fall fully in line with the government’s agendas. Zhuang, the current CAC head, has emphasized in an op-ed that data should be treated as a national asset.
“I expect the CAC to be a growing agency on the regulatory front in China,” said Antonipillai. “I certainly don’t see it slowing down.”