Search
Close this search box.
Issue Brief
April 5, 2023

China’s Data Governance and Cybersecurity Regime

Balancing Control and Security with Privacy, Inclusion and Commerce

ISSUE BRIEF BY:

Picture of Sourabh Gupta
Sourabh Gupta

Resident Senior Fellow
Head, TnT Program

Key Takeaways

China is unique in its farsighted treatment of data as a standalone ‘factor of production’. The goal of the central leadership appears to be to chart out the long-term parameters of a deep and liquid marketplace where data elements can be traded seamlessly, data factors are remunerated fairly, and guardrails erected to prevent the misuse, abuse or weaponization of data against the Party and State.

The focus of regulatory action has been four-fold: (a) to rein-in fintech-linked financial instability risks; (b) to rein-in the anti-competitive practices of Big Tech and compel greater data portability across platforms; (c) to rein-in the misuse and misappropriation of personal information; and (d) to streamline processes for classification of data and network security, including for data export purposes. More lately, regulators have sought to monitor network security risks as well as tighten controls over content at social media platforms through ‘golden shares’.    

Chinese regulators have not been reticent to move fast and break things to instill order and structure to the marketplace – a far contrast to the all talk and no action mode of regulatory non-accomplishment across the Pacific. The capriciousness of regulation and the lack of due process has been disconcerting though, particularly at a time when China seeks to convey a more predictable business environment to local entrepreneurs and foreign investors.

The resemblance of China’s approach to Big Tech regulation – be it with regard to privacy and data handling, how content is treated on major digital platforms, or how gatekeeper platforms treat their smaller peers and vendors – bears significant resemblance to the EU’s General Data Protection Regulation (GDPR), Digital Services Act (DSA), and Digital Markets Act (DMA). Which in turn begs the obvious question: Can Europe and China interconnect their digital ecosystems?  

On This Page

Introduction

China’s digital development has been nothing short of astonishing – its scale having grown in leaps and bounds over the past decade. In terms of digital infrastructure buildout, China ended 2021 with 1,425,000 5G base stations, 60 per cent of the global total, and 455 million 5G users. As for the total number of internet users, it grew from 564 million in 2012 to 772 million in 2017 to 1.032 billion in 2021 – an internet penetration rate of 73 per cent. The growth of the digital economy has been just as rip-roaring. Total annual value, both in terms of ICT hardware and equipment manufacturing as well as software development and revenues, grew from RMB 27.2 trillion accounting for 32.9 per cent of GDP in 2017 to RMB 45.5 trillion accounting for 39.8 per cent of GDP in 2021 (USD/RMB = 1/6.4 in Dec. 2021). And at the foundation of these developments was the explosively growing nature of data generation. Raw data output in the Chinese cybersphere jumped from 2.3 zetabytes (ZB) in 2017 to 6.6ZB at the end of 2021, constituting more than 10 per cent of total data worldwide.

The sweep of China’s basic approach to digital development, including data governance and cybersecurity, is just as remarkable too. Much like the deep, liquid and open capital markets has been a hallmark of America’s financial preeminence, China’s approach is similarly geared to fostering a deep, liquid, and distributed data elements marketplace. Data is more than just the lifeblood of the digital economy; data generation – and more broadly its data elements resource system, its information infrastructure system, and its information technology industrial ecosystem – is sought to be woven into the fabric of the Chinese economy as a full-fledged new “factor of production,” joining land, labor, capital and entrepreneurship.

Conceiving Data Differently

With digitally transmitted information having become an integral part of human interaction today, efforts have proceeded in parallel to reimagine data (and the data economy vis-à-vis the bricks and mortar economy) differently to assess and capture its import and value to everyday life. In this conception, data has been imagined variously as a new type of raw material; as a new form of capital; as a type of labor; as a form of property; and also, more plainly as infrastructure.

As a type of (non-extractive and inexhaustible) raw material or more plainly as just infrastructure, data is seen as lending itself to assembly and processing that can add value to downstream uses and users. As a new form of capital, data is shareable, leverageable, and ultimate monetizable in unending ways and forms. That data can be seen as a type of labor should not be hard to fathom. It is the economic value of our data, after all, that is scooped up and monetized by social media companies or populates the neural networks that train artificial intelligence (AI) applications. To the extent that this data is surrendered willingly and for free to capitalists reflects the lack of bargaining power accruing to labor. Some have likened this state of affairs to the early phases of the Industrial Revolution. And finally, data as a form of property is just as easy to grasp. Landmark legislation, such as the European Union’s General Data Protection Regime (GDPR) and China’s Personal Information Protection Law (PIPL), assign a form of ownership claim over personal data to individuals. Some countries, such as Chile and Colombia, have gone further and sought to accord constitutional protections to personal data. By framing it as a factor of production, China has adopted an approach that views data not as a resource, capital, labor, property, or infrastructure but as a standalone fundamental input in its own right.

Source: For a brief but useful survey of the literature, see Susan Ariel Aaronson, “Data is Different: Why the World needs a New Approach to Governing Cross-border Data Flows,” Centre for International Governance Innovation, CIGI Papers No.197, November 2018.

The basic policy framework of China’s data elements market, expressed in a December 2022 joint guideline – “Twenty Data Measures” – released by the Party Central Committee and State Council, is composed of four pillars:

  • Establishment of a modern data property rights system, with the goal of promoting the structural separation and orderly exchange of data property rights and thereby facilitate the supply of high-quality data elements. Within this rights-based context, the differentiated, graded, and authorized use of public, private and enterprise data is to be promoted.
  • Systems to enable the circulation and trading of data elements, with the goal of promoting a trustworthy domestic and cross-border data circulation system in which the sources of data can be confirmed, the scope of use can be defined, the circulation process can be traced, and security risks can be prevented. International exchanges and participation in digital rulemaking and standards-setting bodies is to be promoted too.
  • Systems to enable competitive data markets as well as fair and equitable income distribution, with the goal of both expanding the scope of market-based exchange as well as protecting the income and livelihood of data factors that contribute their capital or labor. Large data enterprises, further, are expected to shoulder a greater share of social responsibility.
  • Establishment of a modern data security governance system, including a negative list of data transactions and a graded network security protection system based on bottom-line security and a clarified red line on supervision, with the goal of creating a secure environment for all digital social actors.

In a nutshell, privacy, commerce, inclusiveness and equity, and security reside at the heart of China’s intertwined approach to data governance and cybersecurity. No doubt, maintaining the supremacy of the Party over state and society in cyberspace is a key, cross-cutting consideration too. Within this matrix, considerations of security and sovereignty have been accorded greatest prominence, followed thereafter by detailed rules on privacy and personal information protection. With data security, data ownership, and data use rules more-or-less in place (and being updated on a frequent basis), the focus of regulatory attention has now turned to the framing of data flow rules, particularly cross-border data flows rules, that would promote international commerce.

Legal Framework of China’s Data Governance and Cybersecurity Regime

The origins and build-out of the legal framework that underpins China’s data elements marketplace and its data infrastructure system dates to the new National Security Law (NSL) of July 1, 2015. The law introduced a sweeping concept of national security, created an enabling legal infrastructure, and repealed the original National Security Law of 1993 which had been overly focused on counterespionage. A direct link between national security and economic, cultural, and social security is articulated in Article 3 of the new NSL. A subsidiary article (Article 25) calls for the need to establish a “national network and systems security safeguard system” with the objective of “achieving the security and controllability of core network and information techniques, key infrastructure, information systems in important fields and data,” “punishing unlawful and criminal activity on networks,” and “maintaining cyberspace sovereignty, security, and the development interests of the State.” A reference to the national security review process regarding prohibited foreign investment and internet or information technology products and services is contained in Article 59. A companion National Intelligence Law was adopted in June 2017, followed by an Encryption Law in October 2019. 

Laws and Regulations that Supposedly “Compel” Chinese Companies and Citizens to Assist in National Security and Intelligence Work, as per the U.S. Government

Senior U.S. national security and Justice Department officials have from time-to-time issued alerts and advisories stating that China is the greatest counterintelligence threat to the United States. In this overwrought view, “every Chinese citizen and company,” ranging from “ostensibly private companies, graduate students and researchers” – let alone China’s intelligence services and state-owned enterprises – is “compel[led]” by law to “assist in national security or intelligence work”. To buttress its point, a list of offending provisions in China’s security and intelligence laws have been trotted out. These are:

Article 35 of Data Security Law of June 2021: “Public security organs and state security organs collecting data as necessary to lawfully preserve national security or investigate crimes shall follow relevant state provisions and complete strict approval formalities to do so, and relevant organizations and individuals shall cooperate.”

Article 7 of National Intelligence Law of June 2017: “Any organization or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law, and maintain the secrecy of all knowledge of state intelligence work.”

It bears pointing out in the same breath though that the very next article, Article 8, stipulates that the national intelligence service should carry out its work according to law, respect and protect rights, and safeguard the legal rights and interests of individuals and organizations.

Article 28 of Cybersecurity Law of November 2016:Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.”

Article 11 of National Security Law of July 2015: “All citizens of the People’s Republic of China …. shall have the responsibility and obligation to maintain national security.”

The list is neither unique nor eye-opening. All major countries have a variety of similar statutes on the books to assist law enforcement agencies in their investigations. The global principle that a company subject to a country’s jurisdiction can be required to produce data the company controls, regardless of where it is stored at any given point of time, is not new. The U.S.’ CLOUD (Clarifying Overseas Use of Data) Act, for example, can compel a communications service provider to hand over a user’s content and metadata stored in a foreign jurisdiction in response to a valid legal process, without having to follow that country’s privacy laws. China’s extension of this principle to its citizens, too, may at first glance appear to be troubling, but the more disturbing feature in fact is the scope for abuse of these laws by secretive and often-times semi-accountable intelligence agencies. Instances when agencies have routinely violated statutory and court-ordered limits to access data as well as coerced tech firms to hand over source code in civil cases are unfortunately not entirely rare.

The November 2016 Cybersecurity Law (CL) is the centerpiece of China’s cyber regulation and enforcement regime. The CL derives from the National Security Law. The Law is composed of 79 articles spread over seven chapters. The key highlights of this overarching “fundamental law” can be subsumed under a number of heads. They are:     

  • Advocating the Principle of Cyberspace Sovereignty, by creating a framework to regulate the Internet within China’s borders as well as ensure the secure and controllable development of technologies to enhance cybersecurity.
  • Mandating Security Obligations of Network Operators and Providers of Network Products and Services with regard to disruption, damage or unauthorized access as well as data leakage, theft or tampering. “Critical Network Equipment and Network Security Products” are to undergo a higher level of accreditation.
  • Protection of Critical Information Infrastructure (CII), defined broadly as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest”. CII operators are to sign security and confidentiality agreements with suppliers when procuring “network products and services”.
  • Protection of Personal Information by imposing obligations on network operators, including: (a) not disclosing, tampering with, or damaging citizens’ personal information that they collect, (b) not providing citizens’ personal information to others without consent, and (c) deleting unlawfully collected information and amending incorrect information. The law also sets forth principles for the online protection of minors.
  • Regulating the Cross-Border Transfers of Data, by imposing the necessary security assessment checks as well as requiring CII operators to store within Chinese territory “citizens’ personal information and important business data” collected or generated during operations.
  • Network standardization and Interoperability, including the participation of enterprises, institutions, and universities in the formulation of network security standards.

As a basic law, the Cybersecurity Law has a broad and overarching flavor. Two waves of implementing regulations (Measures for Cybersecurity Review) have been issued by the primary cybersecurity regulator, the Cyberspace Administration of China (CAC), to breathe life into the law’s broad provisions (the other players in this regulatory space are the industry regulator, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of State Security). The most recent of these Measures was issued by the CAC in conjunction with 12 other agencies in January 2022 and specifies the network security risk-review factors to be considered by network platform operators that are in possession of more than one million users’ personal information, and plan to list their shares abroad – a measure that was occasioned by the unsanctioned listing of shares on the New York Stock Exchange by ride-hailing giant, Didi Chuxing, in June 2021.

The Rectification of Didi Chuxing

On Wednesday, June 30, 2021, despite prior informal requests from Chinese officials to delay its listing and conduct an examination of network security, the American Depositary Shares (ADS) of the Chinese ride hailing giant Didi Global began trading on the New York Stock Exchange. Official comeuppance was swift in arriving. On July 2, the Cybersecurity Review Office (CRO), an office established under the Cyberspace Administration of China (CAC), initiated a cybersecurity review of Didi – the first publicly announced review against a major company by CRO – and blocked the company’s app from accepting new users. On July 4, the app was ordered pulled from mobile app stores on the ground that it was “illegally collecting and using personal information.” Two days later, the General Office of the CPC Central Committee issued an Opinions on Strictly Combating the Illegal Securities Activities, followed four days later (July 10) by CAC’s issuance of a Draft New Measures for Cybersecurity Review. Later that October, Draft Data Export Security Assessment rules were also issued by CAC.

It is unclear what Didi’s real failing was. It was investigated under Article 35 of the Cybersecurity Law and required, as per the June 2020 Measures on Cybersecurity Review, to undergo a security review of its “network products and services,” which included its “core network equipment, high capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services,” and other network products or services that had an important impact on critical information infrastructure (an expansive remit, to say the least). It was speculated at the time that Didi’s lapses may have pertained to its server equipment – that is, equipment that could be vulnerable to security breaches upon their identification in Didi’s U.S. Securities and Exchange Commission-required “material contracts” disclosure. Be that as it may, when CAC did in fact announce the result of its investigation in July 2022, the mention of Didi’s NYSE IPO was nowhere to be found, and the company was fined for (the mundane offense of) overcollection of personal data under the Personal Information Protection Law (PIPL) – a law that had not yet been passed at the time (it was at the second draft stage) of the investigation’s initiation. Not until January 2023 was Didi cleared to relaunch its main app and resume signing new users.

The Data Security Law (DSL) complements China’s November 2016 Cybersecurity Law as the second of the three basic pillars of China’s data governance regime. The purpose of this 54-article law is to regulate data processing activities that could have a national security implication. The key articles of the DSL are:

  • Article 21, which establishes a data categorization and classification protection system to govern data, depending on the importance of different types of data to the national economy, national security and public interest. The article introduces a new category of data called “national core data” (that sits hierarchically above “important data”) and refers to data that are related to “national security, lifeline of the national economy, and important people’s livelihood and vital public interests.”
  • Article 26, which permits the adoption of reciprocal measures against countries and regions that impose discriminatory measures against China with respect to matters such as investment and trade related to data, data development, and technology use.
  • Article 27, which requires data processing entities to comply with the data security requirements of the Multi-level Protection Scheme (MLPS) that classifies networks physically located in China according to their relative impact on national security. The Multi-level Protection Scheme was first introduced in the 2016 Cybersecurity Law.
  • Article 36, which forbids organizations and individuals on Chinese soil from providing data stored in China to foreign judicial or law enforcement agencies without the approval of the competent Chinese authority.
  • Articles 45 and 46, which enumerate stiff fines for violating requirements related to the protection of “national core data” as well as violating rules related to the cross-border transfer of “important data” by CII and non-CII data processing entities.

The Data Security Law was enacted on June 10, 2021, just prior to the outbreak of the Didi Chuxing fracas, and came into effect on September 1st, 2021. The DSL also establishes a National Data Security Coordination Mechanism to coordinate the cataloguing of “important data” across government agencies as well as promote data security risk information sharing. 

The final pillar of China’s basic data governance regime is the Personal Information Protection Law (PIPL) of August 2021. It is similar to the EU’s General Data Protection Regulation (GDPR) in its extraterritorial reach and focuses on protecting the personal information of individuals and organizations based on Chinese soil. The PIPL provides a legal basis for processing personal information related to cross-border transfer (i.e., where data processing activities are carried out outside the territory of China), based on a “standard contract” published by the CAC. Jurisdiction is enforced extraterritorially based on the source of the data rather than its location of storage or processing.

The PIPL enumerates a number of data privacy and protection principles that personal information handlers and data processors must abide by. These range from lawfulness, fairness, necessity, and good faith (Article 5); purpose limitation and data minimization (Article 6); openness and transparency (Article 7); accuracy and completeness (Article 8); security and accountability (Article 9); and limited data retention (Article 19). And, relatedly, it accords various rights to “data subjects” with regard to the handling of their private information. Large-scale internet platform operators bear additional responsibilities which are outlined in Article 58. Finally, remedies available to individuals and organizations for PIPL-related violations, and the ensuing allocation of the burden of proof during litigation, is outlined in the concluding articles.

EU-China Digital Connect: Can Brussels and Beijing Co-Link their Standalone Data Governance Frameworks?

That there is a rich kernel of overlapping rights and duties in the EU’s General Data Protection Regulation (GDPR) and China’s Private Information Protection Law (PIPL) should not come as a surprise. The PIPL borrows heavily from the GDPR’s approach, after all, on privacy and data handling. The significant core of overlapping norms in the GDPR and the PIPL includes “the basic rights to access, correct, and delete personal information; special protections for children and sensitive data; the right to data portability, data minimization, data retention limitations, accountability for violations, and risk-based cybersecurity requirements.”

Beyond the GDPR and its privacy focus, the resemblance of China’s approach to Big Tech regulation – be it how content is treated on major digital platforms or how gatekeeper platforms treat their smaller peers and business partners and vendors – bears significant resemblance to the EU’s Digital Services Act (DSA) and Digital Markets Act (DMA). Indeed, the Cyberspace Administration of China (CAC) gargantuan 75-article omnibus Draft Network Data Security Management Regulation covers the gamut from personal information protection (chapter 3) to the security of “core data” and “important data’ (chapter 4), to the security management of cross-border data flow (chapter 5), to the obligations of internet platform operators, including checks on anti-competitive behavior (chapter 6), to the supervision and legal responsibility of data processors, network managers and state regulators (chapter 7 and 8). The Regulation is a veritable bundling of the GDPR, DSA and DMA into a single rule.

This considerable overlap between the European and Chinese approaches vis-à-vis governance of their respective data ecosystems begs the obvious question: can these two major economic behemoths interconnect their digital ecosystems? More specifically, can the two sides pair the seamless transfer of cross-border data across their ecosystems, and thereby do their part in upholding a globally secure, peaceful, inter-connected and prosperous digital environment? 

The EU’s regime for cross-border transfer of personal data is based on a broad adequacy or ‘essential equivalence’ standard (GDPR Article 45). That standard involves a comprehensive assessment of the third country’s data protection framework, both in terms of protections available to personal data and the relevant oversight and redress mechanism available. Transfers are also possible in instances when the data protection framework is not up to snuff; in such instances, Articles 46 and 49 of the GDPR list the appropriate situations and safeguards on the basis of which bespoke transfers are possible, such as in the case of the EU-U.S. Data Privacy Framework.

China’s regime for cross-border transfer of data, while sharing elements in common, takes a more stringent security and sovereignty-conscious approach. It involves hierarchies of security assessment and information protection certification prior to data export. Usefully, in terms of comparability of framework with the GDPR, China’s regime assigns accountability to data controllers and empowers authorities (the CAC and various departments of the State Council) to ensure compliance. Unhelpfully, in terms of comparability of framework with the GDPR, China’s political system – and thereby its data governance regime – fundamentally lacks an in-built separation of powers, and therefore lacks reasonable guardrails against arbitrary “access of public authorities to personal data” (GDPR Article 45(2)(a)) – incidentally, a failing of a type that is different from but not unrelated to the U.S.’ signals intelligence surveillance practices which occasioned the EU-U.S. Data Privacy Framework pact.

The European Commission and China established a High-Level Digital Dialogue in September 2020, which went into hibernation soon thereafter due to the outbreak of COVID-19. With COVID receding in the rear-view mirror, both Brussels and Beijing should consider re-starting their dialogue to draw up a bespoke framework – call it, perhaps, EU-China Digital Connect – to enable the seamless and trusted cross-border flow of business and personal data across their respective jurisdictions. 

Source: For a side-by-side analysis of the similarities between the PIPL and the GDPR, see Anupam Chander, “Convergence and Divergence in Global Data Privacy Law: Comparing the GDPR, PIPL, and CCPA”. In Pascal Lamy et al., “Global Governance for the Digital Ecosystems: Preserving Convergence and Organizing Co-Existence,” Centre on Regulation in Europe, November 2022.

Much Thunder, Much Rain: Recent Developments on the Regulatory Front

On October 24, 2020, in an indulgent ‘blue sky think’ speech at the Bund Finance Summit in Shanghai, Alibaba Group Holding founder and Alipay owner Jack Ma took aim at the risk-averse inclinations of China’s financial regulators. With the rise of big data, artificial intelligence, blockchain and cloud computing, Mr. Ma observed that new models of internet-powered could reshape the financial ecosystem. Users’ digital behavioral imprints could be recorded on a technology platform, the relevant information cross-shared on the cloud, and machine learning utilized to boost the speed and accuracy of granular lending decisions. Regulators with their ‘pawnshop’ mentality however would rather live in yesterday’s old school collateral and capital buffers-based world, he charged, to manage the future – hindering the prospects for development of a vibrant and ultra-modern fintech sector.

The speech did little to soften the ground for Ant Financial’s November 2020 blockbuster $37 billion initial public offer (IPO); to the contrary, the IPO was suspended and Ant was ordered by regulators in April 2021 to sever the links between Alipay, the company’s mobile payment superapp, and Ant’s smaller loan (Jiebei) and virtual credit card (Huabei) businesses that were on an explosive growth tear. Ant was also required to set up a financial holding company, reduce the size of its money market investment vehicle Yu’E Bao, and turn over the user data that underpinned its lending decisions to a new and partly state-owned credit-scoring joint venture. Financial regulators argued that fintech, still being finance, needed to be treated according to the principle of “same business, same rules”, and a balance needed to be struck between encouraging fintech development and preventing financial risks. Fees earned on loans to users without having to take on the accompanying credit risk was, in particular, a recipe for disaster. New rules mandated that Ant’s (and other online lenders’) joint lending with partner banks through the internet could account for no more than half of any bank’s total loan book and that online lenders needed to have ‘skin in the game’, i.e., self-fund 30% of each loan.

At this time, the government-commanded revamp of Ant grinds on. And as for Mr. Ma, he disappeared entirely from public view, re-emerging only in March 2023 to support his successor’s reorganization of Alibaba Group into six independent businesses. In January 2023, he ceded his majority control of Ant for a 6% share, as per an Ant Group statement. Clearly, it has been a difficult few years for Jack.

Jack Ma, founder of Alibaba Group, speaks during 2020 China Green Companies Summit on September 29, 2020 in Haikou, Hainan Province of China. (Photo by Liu Yang/VCG via Getty Images)

Ant’s fate is emblematic of the broader approach of the central leadership and regulators in their quest to tear down the high walls erected by Big Tech. Regulators have not been reticent to ‘move fast and break things’ to instill order and structure to the marketplace – a far contrast to the ‘all talk and no action’ mode of regulatory non-accomplishment across the Pacific. The focus of regulatory action has primarily been four-fold: (a) reining-in fintech-linked financial instability risks; (b) reining-in the anti-competitive and deceptive practices of Big Tech as well as compel greater data portability across major platforms; (c) reining-in the misuse and misappropriation of personal information, including its overcollection; and (d) streamlining processes for classification of data and network security, including for data export purposes.

In quick succession after the General Office of the CPC Central Committee issued its Opinions on Strictly Combating Illegal Securities Activities in the wake of the Didi Chuxing imbroglio, the Cyberspace Administration of China (CAC) released a draft new cybersecurity measures rule as well as a draft data export assessment rule. On January 4, 2022, the final New Measures for Cybersecurity Review rule was issued, followed on July 7, 2022, by the final Measures for Security Assessment of Data Export rule. Data processors that provide ‘important data’ overseas; are critical information infrastructure operators and provide the personal information of 1 million or more people overseas; or are data processors who have provided the personal information of 100,000 people or the ‘sensitive’ personal information of 10,000 people overseas since January 1, 2021, are required to submit to a data export security assessment. The rules came into effect on September 1, 2022 and, as of end-February 2023, the six-month target date set by the government, 48 foreign and domestic entities, including Amazon.com Inc., JPMorgan Chase & Co. and Toyota Motors and Volkswagen AG had filed for government reviews. The export assessment security rules amount to a massive organizing and inventory exercise at the Chinese government’s end, and an equally challenging internal data flow mapping and compliance exercise on the part of large Chinese as well as multinational firms. In January 2023, CAC approved the first such outbound data transfer – one related to a Chinese hospital’s collaborative cancer research study with the Netherlands’ Amsterdam University Medical Center.

More recently, on February 17, 2023, the China Securities Regulatory Commission (CSRC) published a long-awaited rule on international listings. The rule, which took effect at end-March, provide the first unified regime for keeping tabs on companies that float their securities overseas. In keeping with the CPC Central Committee’s July 2021 Opinions, companies that offer securities overseas must submit to a national security review (NSR), if necessitated by the listing; are to abide by national secrecy laws; and are prohibited from offering and listing securities in overseas markets where the intended securities offering falls under specific clauses in national laws or the proposed negative list system to be created. On a more positive note, the shadowy variable interest entity (VIE) structure that has hitherto been instrumentally utilized by China’s major platform companies to draw investors abroad is now newly codified. The new rules, while expected to streamline the path for offshore listing for China-based companies, is seen as benefiting Hong Kong and Chinese markets over Wall Street. More importantly, the new listing rules also imply that the corner has been turned on the crackdown on deals in China’s internet and information technology sectors.      

China’s recent breakneck pace of digital regulation might leave the impression that the leadership and senior bureaucracy is overly focused on demonstrating its resolve to maintain the network security of important data systems and the integrity of personal information protection at home. This is not an incorrect reading; these are certainly very important considerations. But it is also an insufficient reading. An underlying premise of the comprehensive, hierarchical and systematic classification of domestic data and network security is to also develop a more granular basis to ensure not just which (essential) data elements must be stored securely and controllably within China’s jurisdiction but also to ensure that all other (non-essential) elements can be freely transferred abroad. In that sense, this classification system also doubles as a negative list system to ensure the robust and trustworthy cross-border flow of data elements, and thereby facilitate international commerce in digital goods and services.

Typically, the trigger threshold for a stricter assessment of network or data security in the various rules and regulations is linked to:

  • a data processor being an “important data” handler;
  • a data processor seeking to list overseas;
  • the party/processor/platform operator being a provider of cloud computing services to state organs or an operator of critical infrastructure;
  • the processor/platform operator being a “large-scale internet platform operator”, i.e., platform operator with 100 million daily users;
  • the platform operator being a user of new technologies, such as AI, Virtual Reality, and Deep Learning to carry out data processing activities.

At this time, multiple regulatory lines of effort are proceeding in tandem. Line ministries tasked with determining what counts as “important data” in their jurisdictional fiefs have initiated rule drafting-related inquiries. A new National Data Bureau tasked with developing China’s data resources is expected to put together a legal framework governing data property rights. Work-streams are under way to develop rules for artificial intelligence (AI) applications, algorithmic recommendation engines, including an algorithm registry or filing system, and against the propagation of deepfakes. And with a view to more uninterruptedly monitor network security risks as well as tighten censorship and controls over content, regulators have more lately taken to snapping up ‘golden shares’ – or “special management shares” in the local parlance – at platform and other major Chinese internet companies. 

Concluding Thoughts

China is unique in its farsighted treatment of data as a standalone “factor of production.” The approach to data governance and cybersecurity has been top-down and state-driven in a concerted fashion. The approach is comprehensive and aims to strike a delicate balance between the competing considerations of control, security, privacy, inclusion, and commerce. For all its farsightedness, the concerted state-led approach is not without its share of pitfalls. These primarily stem from the arbitrariness of regulation and the poor communication between the regulators (including the central leadership) and the regulated. Granted, that Big Tech in China has outgrown its ‘regulatory sandbox’ age and warrants careful oversight. But the belated swiftness and severity of the recent regulatory reckoning  has been disconcerting, to say the least. Multibillion dollar IPOs have had to be scrapped, Didi was forced to delist after its ADRs had started trading on the NYSE, a host of other big (the food delivery platform, Meituan) and smaller (the online recruiting app, Kanzhun) players were subject to bruising cybersecurity probes, and some of the named penalties were applied retroactively.

The capriciousness that underlay this lack of due process has understandably left a sour taste in the mouth of investors – particularly, at a time when China seeks to convey a more predictable environment to foreign investors. Besides, as China seeks to transition to a new growth model based on high quality growth, the penalization of innovation and private sector risk-taking risks sending the wrong signals to investors at home and abroad. After all, if Beijing cannot instill predictability, confidence and trust among its home-grown players, how can it instill confidence in data flow with trust or in its larger business operating environment vis-à-vis its international counterparts.

The pioneering strides made in the development of its data governance and cybersecurity regime notwithstanding, there is much careful work that yet remains to be done in building-out China’s national data elements market and date infrastructure system, going forward. The Building Digital China strategy and the National Data Bureau, newly established at the recent March 2023 ‘Two Sessions’ meeting, are key pointers in this regard.