China new cross-border data transfer rules and what it means for international firms

China new cross-border data transfer rules and what it means for international firms. (Photo by Hector RETAMAL / AFP) / TO GO WITH AFP STORY HEALTH-VIRUS-CHINA-DIPLOMACY-WUHAN,FOCUS BY DAN MARTIN

For China’s internet watchdog, data is the new battleground

  • The CAC has an ongoing crackdown on apps and online content for allegations of improper data collection and misinformation.
  • The internet watchdog did not slow down after launching a probe of ride-hailing giant Didi for allegedly violating user privacy, just days after its listing in New York.
  • Now, any company with data for more than one million users must undergo a security review before listing its shares overseas.

Beijing recently passed China’s long-awaited Data Security Law (DSL) — a comprehensive regulatory system to address the protection and processing of different types of data with an increased focus on national security. In other words, the government has opened a new battlefront with the country’s internet and technology giants, looking to target their collection and use of data.

From the cancellation of Ant Group’s US$34.5 billion listing to Alibaba’s US$2.8 billion antitrust fine, China’s internet giants have been targeted by Beijing over the last few months. The focus has very much been on anti-monopoly as well as financial technology regulation. This time, regulators are turning their attention toward data because of its importance to the tech industry, a key driver of economic growth.

What is being done by the CAC?

An agency that President Xi Jinping set up during his first term to police China’s internet is the Cyberspace Administration of China (CAC). The recently passed regulations basically require that critical information infrastructure operators go through a cybersecurity review if they acquire network products or services that may threaten national security.

To date, the Cyber Security Review Office has already announced probes into Didi, truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin, all on national security grounds. China’s internet watchdog in fact asked Didi Global Inc. as early as three months ago to delay its landmark US initial public offering (IPO) because of national security concerns involving its huge trove of data, according to reports.

Didi ultimately went ahead with the offering, raising US$4.4 billion in the second-largest debut by a Chinese corporation in US history. Two days later, CAC announced a cybersecurity probe of the firm and banned it from adding new users. The clampdown also ensnared two other Chinese tech companies that were recently listed in the US.

The cyberspace regulator then ordered app stores to remove Didi’s main ride-hailing app and later on announced it would remove 25 mobile apps operated by Didi from app stores. CAC even cited 105 apps operating in its country, including Microsoft Bing and LinkedIn, over allegations of illegal data collection of users’ personal information.

It was also reported by The Associated Press that CAC announced in a statement on its website that the apps, which also include Bytedance’s Douyin and short video app Kuaishou, had 15 business days to address the reported violations before they would face legal consequences.

And most recently, the watchdog proposed draft rules calling for all data-rich tech companies with over one million users to undergo security reviews before listing overseas. The security review will put a focus on the risks of data being affected, controlled, or manipulated by foreign governments after overseas listings, the CAC said, posting the proposed rules on its website.

As reported by Reuters, the security review, according to the CAC, will consider national security risks as “risk of supply chain interruption due to political, diplomatic, trade and other factors,” and risk of key data “maliciously used by foreign governments after listing in foreign countries.” The CAC is even seeking public opinion on the proposed rules.