National security is also a concern when examining firm behaviour in cross-border exchanges of data. The probe into Didi Global was grounded in China’s National Security and Cybersecurity Laws, under which IPO-related cross-border activities require critical infrastructure operators to first seek evaluation from ad hoc Chinese regulators to pre-empt national security risks.
Millions of users
Two more companies came under scrutiny on the same grounds. Both control the personal data of millions of Chinese users and were recently listed in the US sharemarket. One of the companies, like Didi, manages large amounts of data on user identification and contact information, flow of vehicles and people and China’s transportation infrastructure.
Chinese regulators made revisions to the Cybersecurity Review Measures days after investigations into Didi. These made it compulsory for operators handling the data of over 1 million users to register with the cyberspace regulator for safety-related reviews before listing overseas. The cyber security examination will be undertaken by 14 Chinese regulators, and the securities regulator is the latest addition to this mechanism. The revisions referred to the Data Security Law, which will come into effect in September 2021.
When it comes to national security, countries often decide that it is better safe than sorry.
The revisions are a typical case of policymaking lagging behind developments in industry. But when it comes to national security, countries often decide that it is better safe than sorry, as evidenced by the escalating screening of foreign investment in critical infrastructure by the United States, Japan, Australia and the European Union.
Didi’s treatment sent a ripple through the tech industry. Some tech companies like Meicai chose to delay their planned overseas IPOs to adjust to the new compliance requirements. Venture capitalists may have second thoughts over regulatory risks when investing in Chinese tech start-ups and see it as a hurdle for cashing in on their initial investments through IPOs. Chinese tech companies may be less favoured after foreign investors were spooked by the consecutive drops of Didi’s share price. Some firms may choose to instead list on the Hong Kong stock exchange.
Despite the chaos, there are some positives. The regulations restrain tech companies from illegal collection and use of data. Since May 1, 2021, companies have been prohibited from collecting data without consent beyond defined basic personal information. Big firms are more careful about monopolistic practices. The rival Chinese super platforms, WeChat and Alipay, are reported to be considering opening their ecosystems to each other and ending some inter-platform choice restrictions for users.
Firms have put more effort into data governance and privacy protection. The development of technical solutions, such as Privacy-Preservation Computation, is accelerating safer cross-border data sharing. Companies will learn to consult Chinese regulators to minimise regulatory risks. Hopefully, the regulators will gain experience in providing a more controlled process for firms to meet compliance needs.
China’s rapid legislation on data sovereignty is partly driven by its competition with the United States.
Though China is the world’s largest e-commerce market and home to numerous tech unicorns, its data legislation is relatively undeveloped compared with places such as Europe, Singapore and Australia. Its soon to come into effect Data Security Law serves both development and safety purposes. China’s rapid legislation on data sovereignty is partly driven by its competition with the United States. Since the US–China trade war, the United States has issued entity lists, executive orders and legislation targeting China.
Data is the key factor of production in the digital economy. With China focusing increasingly on the quality of economic development rather than just numeric GDP growth figures, tech firms are expected to rein in disorderly expansion of capital and follow fair market practices.
Juan Du is a research scholar at the University of Sydney Business School and was formerly with The Economist Intelligence Unit. This article is part of a series from East Asia Forum (www.eastasiaforum.org) at the Crawford School in the ANU’s College of Asia and the Pacific.