The Chinese Communist Party’s focus on building a governance regime for cyberspace has resulted in the rapid introduction of several new laws and regulations on data governance, cybersecurity, the digital economy, and online media content. The targeting of the digital sector with so many new restrictions, laws and regulations is motivated primarily by the state’s security and control concerns. Whatever it’s causes, it is a major pullback from the last 20 years of opening up, and is intended to reassert the Communist Party’s supremacy over cyberspace. Below, we break down the regulatory action and its implications for data and platform governance in China.
Regulating Competition in Digital Economy
On August 17, China’s antitrust watchdog, the State Administration for Market Regulation (SAMR), proposed new rules to curb unfair competition among big internet firms. The rules come after antitrust action earlier this year which culminated in a record fine on e-commerce giant Alibaba. China has also tightened supervision of the sharing economy resulting in a series of fines or restrictions for Tencent, Didi, Meituan, and Pinduoduo for suspected anti-competitive behavior.
These latest rules prohibit a range of anti-competitive behaviors, including discriminatory pricing, the use of data, algorithms, or other technical means to disrupt, limit traffic or restrict users from accessing other platforms, products and services. Fabricating statistics or information about products, sales, consumer views, and user reviews to mislead customers or hurt the reputations of rivals is also forbidden. The enforcement mechanisms and fines are yet to be finalized and the draft rules are open for public comments until September 15.
Solidification of the Cybersecurity Law
On August 17, the State Council released the Critical Information Infrastructure Security Protection Regulations (CII Regulation), effective from September 1, 2021. The CII Regulation is an implementing rule of the Cybersecurity Law (CSL) which went into effect in June 2017. The CSL governs a broad range of issues from the construction, operation, maintenance of networks to requirements for the collection, storage and use of data inside China to procedures for transferring information out of China.
One of the most significant concepts introduced by the CSL is what is referred to as “critical information infrastructure” (CII). Entities classified as operators of CII are subjected to stricter rules for data security, procurement, cross-border data flows, and other areas. Although the CSL and subsequent regulations addressed which sectors are considered critical, there is no clear definition of CII. The lack of clarity about CII has led to uncertainty amongst domestic and foreign companies. The government has utilized the ambiguity to go after private platforms.
In July, just two days after DiDi Chuxing began trading on the New York Stock Exchange, an investigation was launched against the company under the Cybersecurity Review Measures that only apply to CII. The action indirectly classified ride-hailing platforms as CII and has fueled speculation on which companies or sectors may be next. The government is in the process of revising the cybersecurity measures to require CII operators holding information of more than 1 million users and want to list on foreign stock exchanges to submit to a cybersecurity review.
Given the significance of being designated as a CII operator in China, the CII regulations move us towards a narrower definition of CII. CII refers to “network and IT systems that are critical to important industries and sectors, and whose destruction, loss of functionality, or data leakage may gravely harm national security, economy and the public interest.” The regulations do not include details on which network or IT systems qualify as CII operators across different sectors. Relevant government authorities will evaluate and designate CII for their sector on a case-by-case basis.
Personal Data Protection Law Adopted
On August 20, the Standing Committee adopted the Personal Information Protection Law (PIPL), which will take effect on November 1. The new law sets forth a range of principles, rights, obligations, administrative guidelines, and enforcement mechanisms for “handling” of “personal information” (PI).
PI refers to “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons.” PI that has been anonymized to “make it impossible to distinguish specific natural persons and impossible to restore” is excluded from the scope of the law. Handling of data refers to the “collection, storage, use, processing, transmission, provision, disclosure, deletion etc.” and “handlers”, “joint handling” and “entrusted parties” handling data on behalf of the handlers fall within scope of the law. The law applies to processing activities in both the private and public sectors. However, it is not clear whether these privacy regulations will affect the broad rights to government surveillance created by the 2017 National Intelligence Law, which states that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.”
Modelled in many ways upon Europe’s GDPR, the PIPL stipulates principles to be followed when processing PI including sincerity and good faith; purpose limitation; collection and storage limitation; data minimization; openness and transparency; accuracy and accountability. Processing activities that endanger national security or public interest and the illegal collection, use, processing, transfer, sale, provision or publication of PI is prohibited under the law.
PI can be processed only after obtaining the individuals’ informed consent, i.e. given by individuals “under the precondition of full knowledge” and “in a voluntary and explicit statement of wishes”. The law stipulates parental consent to process PI of children younger than 14. Handlers must obtain specific consent to disclose the details of processing activities or when processing publicly available PI for different purposes other than for which they were published.
Although consent is an important tenet of the PIPL, the law goes beyond the consent-centric framework to include other legal grounds for processing. PI can be processed when necessary for the execution of a contract, fulfilling statutory duties and obligations, responding to emergencies and for public interest activities like news reporting, public opinion supervision. PI publicly disclosed by an individual can also be processed unless the individual expressly refuses or if such processing is detrimental to individual rights and interests.
The PIPL grants individuals the right to know, decide, refuse, and limit the handling of their PI, to access or copy, to correct or complete inaccurate PI and to delete PI. Individuals have the right to withdraw consent and service providers are not allowed to deny services if an individual does not consent to the processing of PI or withdraws their consent, (although exception for services where PI is “necessary”). Individuals also have a right to obtain explanation, and a right to data portability to a designated handler.
Obligations for processors include setting up mechanisms for individuals to exercise their rights, adopting appropriate technical security measures, and undertaking regular compliance audits. In the event of a data breach, processors are obliged to notify government agencies and the affected individuals, as well as undertake remedial measures.
The PIPL creates additional obligations for processing of “sensitive personal information”, which includes data relating to race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, and individual location tracking. Sensitive PI can be processed for a specific purpose and when sufficiently necessary, taking strict protection measures including seeking informed consent and conducting impact assessments. These enhanced protections are based on the recognition that sensitive data once leaked or illegally used may cause discrimination against individuals or grave harm to personal or property security.
The law also includes additional obligations for processors that provide important Internet platform services, have a “large number of users”, and carry out “complex” business activities. Such processors must put in place comprehensive compliance systems, formulate platform protection standards, restrict access of providers of illegal content and publish social responsibility reports.
Algorithms and automated decision-making are explicitly addressed by the PIPL. Handlers using PI to conduct automated decision-making must ensure the transparency and fairness of decision-making. The PIPL addresses discriminatory pricing behaviors and stipulates that handlers shall “not impose unreasonable differential treatment of individuals in trading conditions such as trade price, etc.” Processors that use automated decision-making for “information push delivery or commercial sales to individuals” must provide options that are not specific to an individual’s characteristics, or provide the individual with a convenient method to refuse. Individuals have the right to seek explanation of automated decision-making, and the right to opt-out of automated decision-making methods.
PI handled by state organs, critical infrastructure operators, and other handlers reaching a specific volume of data (to be specified by the state) must be stored within the territory of China. Apart from data, Individuals and organizations are not allowed to provide personal data stored within China to foreign law enforcement authorities without the prior approval of the relevant regulatory authorities in China.
The law allows transfers of PI outside the borders of China if the handlers meet certain conditions. Handlers must take measures to ensure the activities of overseas recipients in processing PI protection standards set forth under the PIPL. Prior to overseas transfer, handlers are required to obtain certification from a specialized body, submit to a security assessment by relevant authorities, or any other conditions provided for under other legislation or regulations, or those set by relevant authorities from time to time, provide notice and obtain specific consent from individuals. Additionally, cross-border transfers are permitted if concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the relevant agencies.
The PIPL includes strict penalties for violations. Authorities may issue a rectification order or warnings, and confiscate any illegal proceeds of companies found to be in breach of the law. Companies could also have their services suspended or terminated, their business operations and certificates cancelled and face fines of up to 50 million Yuan, or 5% of annual revenue. Processors can be liable for civil and criminal liabilities, and designated consumer organizations may bring suit on behalf of a class of individuals that have been harmed.
The implementation of the rules, rights, and obligations under the PIPL has repercussions for not only entities engaging in domestic and cross-border operations within the country but throughout the world. China’s approach to regulating the personal data and cross-border data flows will shape how other countries approach the same.
Prohibiting Companies from Listing Offshore
On August 27, the WSJ reported China is contemplating rules to make it mandatory for Chinese companies with large amounts of sensitive consumer data to obtain formal approval from a cross-ministry committee (yet to be established) before listing overseas. The proposed rules appear to be a response to regulatory pressures from the U.S..and stems from the Chinese leadership’s growing concern about data security.
These rules are also in keeping with recent action against domestic companies trying to list overseas. In many ways, the suspension of Ant Group’s IPO in November 2020, following Alibaba CEO Jack Ma’s speech comparing global banking regulators to “an old man’s club” kicked off the regulatory crackdown that is still ongoing. Since then regulators have ordered Ant Group to restructure as a strictly regulated financial holding company and spin off its consumer credit data operations.
The Financial Times reports the Chinese leadership is contemplating creating a separate app for Ant’s loans business which accounted for 39 per cent of the group’s revenues. Regulators had previously ordered Ant to separate its lending units from its main business and bring them into a new entity. State-owned companies have a majority stake in the new business. Now regulators want to break up Ant’s mega-app Alipay, so the new businesses can have their own independent app.
The plan will see Ant turn over the consumer data to a new credit scoring joint-venture, which will be partly state-owned. The move to “share” data with government-backed credit agencies is significant as it breaks Tencent and Ant’s duopoly over mobile and digital payments data in China. Alipay collects data from more than two-thirds of China’s 1.4 billion people, many of them young and without credit cards or sufficient credit records with banks, as well as from 80 million merchants.
Management of Algorithms
On August 27 the Cyberspace Administration of China (CAC) released a draft of the “Internet Information Service Algorithmic Recommendation Management Provisions” for public comment, with submissions due September 26. The legislation lays down principles and obligations for “internet information services” that use “algorithmic recommendation technology” to provide search results, rankings, selections, push notifications within China. The broad definition of information covers all sorts of private platforms and services including food delivery or ride-hailing apps, ecommerce platforms, search engines, or social media companies.
In keeping with China’s controlled media environment, algorithms must be used for “good or to disseminate positive energy.” Service providers are required to “establish”, “strengthen” and “perfect” information management to ensure content conforms to “mainstream value orientations” especially in key segments such as front pages, main screens and search terms. Algorithmic models that “go against public order and good customs”, “harm national security”,”upset the economic order or social order” are prohibited.
The regulations address consumer harms that could arise from the use of algorithms. Serving up information to minors that could lead to “unsafe conduct”, “acts violating social morals”,”harmful tendencies”,”online addiction” is explicitly prohibited. Additionally, service providers must periodically review, evaluate, verify, assess, and check their algorithms, to ensure they are not leading users to “leading users to addiction or high-value consumption.” Service providers are required to increase transparency of algorithms and intervene when needed to “avoid creating harmful influence on users, or triggering controversies or disputes.” The regulations also mandate the protection of PI of users including minors.
The draft includes provisions aimed at specific business practices of technology companies. Service providers are prohibited from using algorithms to carry out “unreasonably differentiated treatment” of consumers based on characteristics like consumer habits, preferences or transaction history. Use of algorithms to “falsely register users, illegally trade accounts, manipulate user accounts” or “carry out flow falsification or flow hijack”, “shield information, over-recommend, manipulate topic lists or search result rankings, or control hot search terms or selections” are also prohibited. The rules also prohibit self-preferential treatment, unfair competition, influencing online public opinion, or evading oversight using algorithms.
Other provisions focus on empowering consumers and granting them more control over their information. Consumers have the right to choose, revise, or delete user tags and opt-out of algorithmic recommendation services. Users have the right to seek an explanation as well as an obligation for service providers to notify users of “the situation of the algorithmic services including the basic principles, purposes, motives and operational mechanisms.” Importantly, consumers can file complaints and seek remedy if algorithms have a major influence on their rights and interests.
The regulation establishes a categorised and graded management of providers of algorithmic recommendation services on the basis of factors like the types and sensitivity of content, the scale of users, the degree of interference in users’ activities, their public opinion properties and social mobilization capability.
Service providers using algorithms deemed to have “public opinion properties or social mobilisation capabilities” must comply with additional obligations. Providers must register within 10 working days of providing services, submit an “algorithm self-assessment report”, conduct “security assessment according to relevant state regulations” and “perfect algorithmic recommendation service management mechanisms”. Information records must be preserved for six months, and shared with law enforcement agencies when requested. The penalties for violations range from a mere warning and order of rectification to fines ranging from 5,000 to 30,000 yuan and suspension of services.
Migration of Data to State-owned Cloud System
On August 27, Reuters reported that China is in the process of setting up a state-backed cloud system which will be completed by next year. The Chinese city of Tianjin had asked municipally controlled companies to migrate their data from private operators like Huawei, Alibaba and Tencent to “guoziyun” or “state asset cloud” by September 30, 2022. Companies have also been instructed to not sign new contracts with third-party cloud platforms, or continue cloud resource rental agreements. The Tianjin State-owned Assets Supervision and Administration Commission (SASAC), which issued the orders, said it was following instructions given by China’s cabinet. It is not clear whether other provinces are adopting similar measures.
Restrictions on Online Gaming
On August 30 the National Press and Publication Administration (NPPA) issued the “Notice of Further Preventing Minors from Indulging in Online Games” restricting online gaming for users under the age of 18 to three hours a week. The guidance requires gaming companies to take measures to prevent minors from accessing online game services in any form outside of the stipulated hours (from 20:00 to 21:00 every Friday, Saturday, Sunday, and holidays). Gaming companies must have a real name verification system in place to ensure the new rules are enforced.
The government has justified the ban on the grounds that it is designed to reduce addiction among young people and protect their physical and mental health. The NPPA regulator told Xinhua it would increase the frequency and intensity of inspections for online gaming companies to ensure they were putting in place time limits and anti-addiction systems. Regulators are closely following the implementation of the new rules and have temporarily suspended approvals of new online games in China.
Amending the e-Commerce Law
On August 31, the SAMR announced it is revising China’s ecommerce law. The amendments enable SAMR to fine, restrict operations and revoke licences of ecommerce companies that fail to curtail infringement of intellectual property (IP) rights by vendors selling through their platform. The amendments are open for public review until October 14.
Data Security Law Kicks In
The Data Security Law (DSL) came into effect on September 1. The DSL updates the existing regime, and introduces new mechanisms for data security in China. Data security is broadly defined and the law regulates a wide range of data processing activities, including “collection, storage, use, processing, transmission, provision and disclosure” of data in both electronic and non-electronic forms. The DSL has extraterritorial reach as it applies to both data processing activities within China as well as activities outside of China that could be detrimental to national security, public interest or the rights of Chinese citizens or organizations.
The DSL categorizes data into three classes, namely “important”; “national core” and “general” based on its sensitivity and importance to economic development, national security, public interest and individuals’ and entities’ legitimate rights and interests. It is not clear what constitutes “important” data in China. The DSL empowers regional and industry authorities to catalogue “important data” for their regions and industries and formulate specific measures for its security. Processors of important data must undertake periodic risk assessments, appoint officers and management bodies for data security. Importantly, the DSL mandates data localization as service providers must store important data within China.
“National core data” is a new category and is broadly defined as “data related to national security, the lifeline of the national economy, important aspects of people’s livelihoods, and major public interests”. and outlines strict penalties for non-compliance. The DSL implements a “stricter management system” for companies processing such data. Non-compliance could result in fines up to RMB 10 million, cancellation of licence, and even criminal penalties.
The DSL mandates compliance with the multilevel protection scheme (MLPS) set up by the CSL. The MLPS grades companies (on a scale of 1-5) based on their impact on national security, social order, and economic interests if they are damaged or attacked. Companies classified as level 2 are required to take technical and administrative measures.The DSL expands these obligations and outlines measures for data security. Companies are required to take technical and other measures like setting up management systems, or enhancing risk supervision to ensure data security and prevent data breaches. Non-compliance with these obligations could result in individual fines up to RMB 2 million and operations being suspended.
Significantly, the DSL includes provisions to regulate the commercial “transaction” of data and creates duties for data transaction agents. Agents “shall require the data provider to explain the source of data”, “review and verify identities of both parties” and “maintain records of the verifications and transactions.” Failure to comply could lead to penalties for data transaction agents. These include “request for rectification, confiscation of the unlawful gains, cancellation of business licenses,” and a fine of up to 10 times the value of the unlawful gains or a fine of up to RMB 1 million if there are no unlawful gains. Additionally, the directly responsible person will be subject to a fine of up to RMB 100,000.
The DSL establishes a system for “data security reviews” to examine any data activities that may be deemed to pose risks to national security. The law also empowers the government to impose export control measures on data related to the protection of national security and interest and China’s performance of international obligations.
The DSL also places restrictions on sharing data with foreign judicial and law enforcement agencies. Organizations and individuals must obtain approval from the authorities before providing data stored within China. Entities found to be sharing data without approval could face fines of up to RMB 5 million, cancellation of business licenses, and the directly responsible person may be subject to a fine of up to RMB 500,000
The PIPL together with the DSL and the CSL serve as the fundamental laws regulating cybersecurity and data in China. These three laws and various supporting legislation like the CII regulations, form an increasingly complex regulatory framework for companies doing business in or with China. These regulations have been in the works for several years and stem China’s concerns about surveillance by adversaries that were accelerated by the Snowden revelations. China’s push to secure its data led to the formation of the CAC and the introduction of the CSL. DSL, PIPL and other supplementary legislation have added immensely to its powers.
Besides strategic competition with foreign adversaries, another reason why these different regulations have been introduced simultaneously could be because Chinese regulatory agencies are competing with one another. Implementation of these new laws including assessment functions and setting up enforcement controls are assigned to different ministries. The political dimension of the changes was captured well by the Indian publication The Diplomat:
Encouraged by the momentum of strengthening the role of the government in the economy, multiple government agencies began waving their sticks against tech companies to gain greater political clout. For example, it was the central bank and other financial regulators that halted Ant Group’s IPO. For Meituan, the General Administration of Market Supervision was the investigator. In the case of DiDi, the company initially received mixed signals from different regulators regarding its IPO decision, and eventually it was the Cyberspace Administration that picked on DiDi, implying an uncoordinated cross-agency regulation. How these power struggles will reshape the landscape of the Chinese tech sector remains to be seen.
From Big Tech to Big Government
The regulations on algorithms, online gaming or the more recent action against online celebrity and fan culture, the Chinese government is venturing into new and uncharted aspects of internet governance. There are many theories about why China is doing this and one of the most popular ideas is the concept of “common prosperity”. The concept has been around for several years, and is generally understood as “as moderate wealth for all, rather than just a few”. Last month, President Xi Jinping highlighted “common prosperity” as an essential requirement of socialism and an important feature of Chinese modernization.
There are reasons why the vague slogan is being revived to frame recent regulatory interventions. First, leadership cannot ignore growing inequality. As the Brookings Institute notes:
In launching a recent wave of actions to redress social inequality and economic disparity, China’s leaders may view themselves as correcting some of the excesses of Deng’s decision to “let some people get rich first.” Such efforts align with Xi’s efforts to recast himself from a princeling to a populist leader. As some of the initial awe of Xi’s anti-corruption efforts begins to fade, his efforts to champion greater equality, including by soaking the rich, presents Xi a new opportunity to align with the people against the powerful. Such efforts also have a corollary benefit of chastening China’s new oligarchs against challenging his authority or that of the Chinese Communist Party in governing China.
This explains why policymakers across ranks have been advocating for “the prevention of disorderly expansion of capital” or why Chinese companies are rushing to align themselves with the “common prosperity” agenda.
Second, China’s technology companies have grown rapidly and engage in intense competition and predatory business practices to gain dominance. Many of these competitive strategies have contributed to growing resentment towards technology platforms in China. The framing of “common prosperity” allows the government to target private platforms while appearing to be responding to public sentiment. In December 2020, the Chinese leadership signalled the strengthening of its anti-monopoly stance and vowed to protect consumers’ interests, particularly in the regulation of domestic internet giants. Viewed from the broader vision of “common prosperity” it is easy to see why the recent regulations target some of China’s most profitable companies and individuals or why they enjoy public support.
To be fair, some aspects of these laws are nominally good for consumers, as they strengthen and create rights and avenues for users to bargain with platforms. But these regulations do not necessarily stem from a well-intentioned desire for protecting consumers. On the contrary, they are rooted in the CCP’s desire to shift control from the private sector into the hands of the state. Common prosperity, Xi has said, is “not just an economic issue, but a significant political one that matters to the Party’s basis to rule.”
Shift to Strategic Industries
Another popular idea is that these regulations stem from China’s efforts to redirect the country’s efforts toward other strategic technologies for geopolitical reasons. From this view online gaming, ecommerce and ride-sharing technologies, however popular and successful, are not core technologies that will enable China to emerge as a leader in technology. As noted by SupChina:
In this top-down view, the government has decided that it wants its economy to be heavy on manufacturing and hard tech — semiconductors, batteries, “industrial internet,” and biotechnologies — and light on the consumer internet. The move is a tacit indictment of the U.S. economy, which has been running largely on the digital fumes of Silicon Valley. “Big Tech continues to find new and profitable ways to sell ads and cloud space,” wrote Derek Thompson in The Atlantic last year, “but it has failed, often spectacularly, to remake the world of flesh and steel.” China is making sure its economy doesn’t make the same mistake.
But everything we know about economic evolution indicates that this materialist preoccupation of the Chinese is more likely to be a mistake. The migration of advanced economies from hardware to services and towards a greater role for consumption is a long term trend across the board, and has happened in Hong Kong, South Korea and Japan as well as the United States.
Changing Concept of National Security
IGP believes that another important but less discussed aspect of these regulations is the conceptualization of data and platform governance from a national security perspective. The CSL and DSL focus on supervision and protection of “important”, “critical” and “national core data” relating to national security. The DSL also signals the rise of extraterritorial application of national security laws. Both the DSL and the provisions on recommendation algorithms also reveal that China is expanding notions of security to include social and economic stability. The reconceptualization of data and platform regulation as a matter of national security is happening not just in China but around the world.
While there are no absolute answers for what is driving these regulations in China, one thing is certain: the implementation of these laws is likely to spark even more controversies. Many of the laws only provide a general framework and several of the regulations are proposals that may end up nowhere.