The Cyberspace Security Review Office (网络 安全 审查 办公室, wangluo anquan shencha bangongshi) of the Chinese Cyberspace Administration (CAC, 国家 互联网 信息 办公室, guojia hulianwang xinxi bangongshi) launched a cybersecurity review of Chinese ride-sharing giant Didi Chuxing on July 2, days after its IPO on the New York Stock Exchange. On July 4, the ACC announced that it had found “serious violations of the collection and use of personal information” by Didi and banned the application on online platforms. The next day, the Cyber Security Review Bureau reported that it had launched similar “national security” investigations into the Yunmanman (运 满满) and Huochebang (货车 帮) logistics apps, as well as the BOSS Zhipin (BOSS 直 聘) recruiting app, all of which had been recently listed in the United States (South China Morning Post, July the 5th).
Media reports earlier this year indicated that Chinese regulators were placing increasing emphasis on data security, targeting U.S. electric vehicle company Tesla, fearing that the collection of data on the company’s users does not undermine confidentiality and national security. While Tesla has refuted these claims, it also pledged to develop a China-based data center and increase transparency to appease the Chinese government (CNET, May 24). It now appears that, combined with an anti-monopoly campaign that has specifically targeted financial technology (fintech) companies such as Alibaba and Tencent, data security represents the latest area in which the state seeks to strengthen its control over an industry that was once known for its loose regulation. Didi, along with nine other industry leaders in on-demand transport services, was also cited by the powerful State Administration for Market Regulation (SAMR) in May (Caixin, July the 5th).
An evolving legal framework for data security
On July 10, the ACC released a draft review of cybersecurity review measures ([网络安全审查办法), Wangluo anquan shencha banfa, hereafter “Measures”) (Cac.gov.cn, July 10), which laid out a system of security reviews for any products and services used by “critical information infrastructure” (关键信息基础设施, guanjian xinxi jichu sheshi) operators in China. Article 1 of the revised Measures noted that they were in accordance with the 2015 National Security Law (NSL, [国家安全法], Guojia anquan fa), the Cybersecurity Law of 2017 (CSL, [网络安全法], Wangluo anquan fa), as well as the Data Security Act (数据 安全 法, Shuju anquan fa), newly enacted in June (Cac.gov.cn, July 10; Xinhua, June 11). In combination with the law on the protection of personal information (PIPL, [个人信息保护法], Geren xinxi baohu fa), which is expected to be released later this year, the CSL and DSL provide the basic legal framework to govern the Chinese Internet.
The most significant change in the revised measures came in a new Article 6, which clarified that companies processing the data of more than one million users listed in foreign markets must undergo a cybersecurity review. Apart from that, the revised measures also included updated wording on the risk that companies listed overseas could expose “basic data, important data or large amounts of personal information” to “being stolen. , disclosed, damaged or used and exported illegally … or [be] maliciously used by foreign governments ”(DigiChina, July 12). The state’s concerns were expressed even more clearly by a spokesperson for the Department of Foreign Affairs, who recently complained about the non-transparent data collection practices of the US government and concluded that “the United States is the biggest threat to global cybersecurity ”(World time, July the 5th).
According to Lu Chuanying (鲁传颖), director of the Cyberspace International Governance Research Center at the Shanghai Institute for International Studies, as PIPL aims to address data security issues from an individual-centered privacy perspective , DSL aims to ensure that the Chinese data sovereignty from the point of view of the state. Lu argued that the implementation of the two laws should be closely coordinated to effectively manage China’s complex data security issues while leaving room for the continued development of data as an economic resource (World time, May 27, 2020). A 2020 State Council opinion also noted that data should be seen as a “fifth factor of production” needed to boost market vitality and economic development, alongside land, labor, capital and science and technology (Xinhua, April 9, 2020).
In an effort to balance competing security and development interests, the DSL final draft called for the establishment of a data classification system that protects “essential” and “important” data while allowing less sensitive data to circulate and boost digital technology. economy. Yet because legal definitions of what constitutes “core” data remain vague, ambiguity remains high. The recent crackdown on Didi and other companies engaged in cross-border data transfers seems to indicate that when it comes to data flowing outside of China, regulators have chosen to prioritize security (SCMP, 11 July).
Development vs. controllability
New guidelines issued jointly by the General Offices of the Communist Party of China (CPC) Central Committee and the State Council on July 6, titled “Notice on the Strict Suppression of Illegal Activities in Securities According to Law” ([关于依法从严打击证券违法活动的意见], Guanyu yifa congyan daji zhengquan weifa huodong from yijian) (Xinhua, July 6), aimed to strengthen interagency surveillance and elevate the role of ACC in overseeing Chinese tech companies with big data companies.
A commentary published by the powerful Central Commission for Discipline Control (CCDI) clarified the document’s intentions: in the eyes of the government, data is closely linked to national security and must be controlled. While the huge amount of user data generated by internet companies has the potential to add economic value, issues such as cross-border data flows and data leaks also pose a major security risk to the business. State (Npc.gov.cn, July 7). According to Xu Ke, professor of law at the University of International Affairs and Economics, the free flow of data enshrined in DSL 2021 is circumscribed by an equally important concept: the secure flow of data (Quartz, July 7). While these two concepts should ideally be balanced, the early implementation of China’s data security regulations shows that they remain in conflict, causing confusion among data producers (i.e. technology companies). ) and consumers.
At the 2021 China Internet conference, attendees called data the “central production factor of the digital economy,” and a speaker called on Chinese companies to participate in data governance as well, noting that the coordination of the data management within the existing state bureaucracy remains opaque. and that technical systems for data collection and application remain immature. As a result, one researcher noted, assessment, including self-inspection by data companies, will be a key aspect in improving the data security governance regime (People’s Daily Online, July 16).
In many ways, the complex data security debates unfolding in China today mirror discussions taking place around the world. Venture capitalist Lillian Li noted that while there is a global conversation about the “need to rebalance power between state, technology[nology] players and consumers [that] calls for more regulatory interventions, ”China’s legal and economic frameworks are also relatively underdeveloped. As a result, Li notes, “A key theme running through Chinese technology is that as a developing country with underdeveloped institutions, technology does not augment existing institutions, but creates them” (Lillian Li via Substack, July 15th). Today, Chinese regulators are still striving to catch up with established Western practices, even as they deal with some of the most extensive data collection networks in the world.
On some issues, such as consumer privacy, Chinese laws are at the forefront of global data regulatory frameworks (DigiChinaJan. 4, and the state’s antitrust and data security crackdown on domestic tech companies appear to address citizens’ concerns about market competition and privacy. But China’s support for data localization and cybersovereignty also risks breaking international free data flows, which would hurt development both inside and outside China. In addition, although Chinese regulators are in the process of establishing a strong framework to hold corporate data collection accountable, the extent to which its laws will apply to data collection by state bodies remains very strong. questioning (Brooking, January 29).
China’s 14th Five-Year Development Plan emphasized the importance of accelerating “computerization” and the construction of China as a “digital superpower,” which theoretically includes the sharing and public disclosure of data held by the government. government (Cac.gov, March 15; Gov.cn, July 27, 2016). But the recent revelation that an official online database of Chinese court data has inexplicably shrunk by nearly 10% has raised concerns among activists about the transparency of China’s computerization initiatives (China’s digital time, June 29). Under CPC Secretary-General Xi Jinping, the increasingly authoritarian Chinese state has sought to undermine free speech, the rule of law, universal human rights, and the ability of civil society to demand accounts to government, often using intrusive surveillance technologies. Given this reality, the state’s rapidly developing data security regime is unlikely to be able to meaningfully protect citizens from government excesses and abuses.
Elizabeth Chen is the editor of Brief China. For any comments, questions or submissions, do not hesitate to contact her at the following address: [email protected].
 Other governments are also grappling with the question of what types of data constitute a national security concern. In the United States, despite the government announcing last summer that it would ban the popular video-sharing app TikTok for national security reasons, a recent technical analysis by Canadian research group CitizenLab found that TikTok did not appear to be exhibiting overtly malicious behavior, and its user data practices appeared to meet Western industry standards (CitizenLab, March 22).