Beijing has a new legal architecture for sweeping control over user data

China’s vision on data governance is becoming clearer.

For years, China, like other countries, has been exploring ways to harness and also secure the power of the vast troves of data held by companies and government agencies. In July, when it launched a cybersecurity probe into ride-hailing giant Didi Chuxing, many saw it as the start of a new era for state control over data in China.

In the remaining months of a year that has already seen its tech regulatory crackdown intensify, China will implement no fewer than three new laws and rules governing data privacy and security, including at least one specific one for the automotive sector.

Together they paint a much clearer picture of Beijing’s vision for private data: to govern it as a key national asset within its borders, while trying to further unlock data’s potential, seen by Beijing as a business input of similar importance to land and capital.

“The hope from Beijing’s perspective is to unleash the data potential of 1.4 billion consumers, producers, and innovators, plus the mountain of industrial data that the country produces and see it yield economic fruit,” said Jacob Gunter, senior analyst with German think tank MERICS.

China’s new data security and privacy laws

China had largely allowed tech firms to develop with little oversight over how they collected or used data, apart from provisions for user information to be shared with the government in a variety of circumstances. Then in 2017, China implemented a major new piece of legislation in the data governance space, the Cybersecurity Law, to categorize and supervise data, with data localization a key focus of that law. That was followed by Apple and other companies setting up data centers in China.

The rules taking effect over the next three months strengthen that approach but also extend it far more broadly. At the national level, the Cyberspace Administration, which has become a “super agency” under Chinese president Xi Jinping’s watch, will coordinate with departments under the State Council, sometimes referred to as China’s cabinet, to implement the data laws.

  • The Data Security Law (in effect from Sept. 1): Arguably the most important of the new laws this year, the data security law divides private sector data into “national core data,” defined as those concerning “key national security and economic lifelines”; important data, which isn’t clearly defined at present; and general data. The regulation, which like many Chinese laws has extraterritorial reach, requires enhanced protection for the first two categories.
  • Provisions on the Management of Automobile Data Security (Oct. 1): These provisions define “important data” for the sector, including traffic flow, maps, information about automobile charging networks, and data of people’s faces, voices, and license plates, among others, providing more specific rules for firms to follow compared to the broader data laws.
  • Personal Information Protection Law (PIPL) (Nov. 1): China’s response to growing public concern over data misuse, including the excessive collection of biometric data and companies’ enrollment of users in new programs without their consent, stipulates that processors of personal information must meet one of four major compliance requirements. These include passing a security review by China’s internet regulator, the Cyberspace Administration of China, or having a contract with the outbound recipient of the data before transferring data outside China. While the law does bring in more robust rules around consent and collection, and clearly draws on the EU’s General Data Protection Regulation (GDPR), in key ways implementation is going to be different—in large part because the balance between state power and individual rights differs so much between China and Europe.

“China is a single-party state with a monopoly on power that imposes no self-restrictions like the rule of law or checks on state power—why would their approach to data and consumer rights be any different?” said Gunter of MERICS.

A major new hurdle for overseas IPOs

The new rules will have huge implications for both Chinese companies, especially those that would like to expand or raise capital overseas, as well as multinationals that operate in China. Firms face higher compliance costs and risk millions of dollars in penalties—or the suspension of business operations—over their handling of critical types of data.

Last month, in the wake of the cybersecurity review opened into Didi following the ride-hailing giant’s US listing, China said it would require firms that hold the data of 1 million users or more to go through a security review before listing overseas. Beijing is also reportedly considering requiring companies seeking US IPOs to hand over their data to third-party platforms—or could even entirely ban firms considered to have substantial and significant data stores from listing overseas.

“China’s recent sort of [data] laws give the government a much more direct role in overseeing and controlling commercial data,” said Nigel Cory, an associate director at US-based think tank the Information Technology and Innovation Foundation, which studies restrictive government rules on data flow globally.

However, Beijing still wants private firms to be “in the driver’s seat” in developing China’s digital economy, while taking on a far more direct role in overseeing exactly who has what data, and ensuring that more firms can play a role in the digital space, said Cory.

Developing a domestic marketplace for data

While one purpose of the new laws is to lay a foundation for protecting sensitive data, another major focus is to encourage the development of the economy using non-sensitive data, according to Kendra Schaefer, head of tech policy at Beijing-based consultancy Trivium China.

“If you actually read the DSL, only half of it is about data security and the other half of it outlines the state’s obligations to develop the digital economy,” said Schaefer. The data security law has provisions requiring the state to improve and establish a data trading system, regulate data trading activity, and to cultivate a data trading market.

Given the desire to use data as an economic tool, Beijing is taking an industry-by-industry approach to data regulation. The provisions on automobile data security show Beijing’s willingness to establish more granular classification schemes for data based on sectors, and will likely be followed by specific rules for other key sectors.

Important data processed by so-called critical infrastructure providers, such as companies operating in industries like finance and transport, would need to be stored in China, and those that need to transfer it abroad would have to go through security reviews, according to the DSL. These rules and reviews could force private firms to part with more of their proprietary data than they have been willing to do so far.

Companies should firewall China operations

Many details and definitions still haven’t been spelled out—and no company has yet gone through a pre-IPO data security review, so neither companies nor lawyers know just what these will entail. Another wrinkle is how different authorities in China will define important data, given this will not only be set at the national level. The data security law also authorizes regional government departments and industries to establish their own catalogs of important data.

The laws “make the already challenging job of foreign firms that manage data in China even more difficult because they are not very detailed…and some take years to actually flesh out. So foreign firms will remain in limbo,” said Cory of the Information Technology and Innovation Foundation. Firms will need to build IT infrastructure in China that is “completely separated from” their global operations, he warns.

But one thing is already clear: The largest companies should expect the heaviest regulatory scrutiny once the new rules are fully effective.

In the case of data, that may well be Didi, already in hot water over its overseas listing. This month, it reportedly halted its expansion plans in Europe and the UK, where the firm faces questions from politicians on how it would handle their nationals’ data given China’s new rules. A recent Reuters report stated that the firm was in talks to hand over its data to a third-party entity, but Didi has denied those discussions took place. The company didn’t reply to a request for comment.

The new Chinese data rules, which classify transport as a key industry, would in theory also pose a hurdle for players like Didi to transfer data outside China as the company could be deemed a critical infrastructure provider—a concept spelled out in the 2017 cybersecurity law and more fully implemented this month.

“Regulators have limited capacity to go after every single firm…it’s much more efficient to make one big example and get everybody else into compliance,” said Schaefer, with Trivium China.