Chinese companies face uncertainty as data security hawks gain power

Long before China’s cyberspace agency warned Didi to slow its successful $ 4.4 billion public offering in New York City, the country’s data security hawks had started preparing their legal arsenal to do so. in the face of another perceived threat from the United States.

In March 2018, the United States passed the Cloud Act, allowing law enforcement to request data stored outside its territory. Later that year, Canada arrested Meng Wanzhou, Huawei’s chief financial officer and daughter of its founder, on the basis of a US extradition request. US courts have forced HSBC to testify to Meng’s presentations at the bank.

As tensions between the United States and China increase, legal experts close to Beijing regulators say the series of events in 2018 put data security at the top of China’s political agenda and linked data to national security. Beijing was quick to create legal barriers against what it saw as “long arm” tactics used by foreign governments to access data.

The resulting rise of data security hawks in China has elevated daily business procedures, such as listing or transferring data overseas, to a national security concern. Lawyers warn companies are caught in the vast legal gray space at the whim of agency discretion, while businesses say they fear being subjected to the kind of miscommunication between agencies that has clouded the introduction in Didi purse.

“27 dragons rule a patch,” said Xu Ke, director of the Internet Law Research Center at Beijing University of International Affairs and Economics.

This month, the Cyberspace Administration of China slumped Didi’s share price days after its $ 4.4 billion public offering in New York City with a ban on new users. The CAC has now proposed measures allowing it to veto any company with more than one million registered users abroad.

Local CAC branches have little knowledge of the new rules and how best to implement them

Seven government agencies posted staff inside Didi on Friday to conduct what appears to be a multi-month cybersecurity review. It was also the first public announcement about China’s secret spy agency, the Ministry of State Security, sending personnel to a company.

The Didi case comes as China prepares a sweeping new data security law, which expands the scope of data that cannot be transferred outside of China without prior approval. The drafting of the law, which will be presented in September, was pushed by the Ministry of State Security, according to several people familiar with the matter.

“It is a legal remedy against the misuse of the long arm of the state by a small number of countries – and it protects data in our country’s territory from being improperly acquired by foreign judicial or executive agencies.” said an explanation reposted by the ACC on the data security law.

China’s heightened concern for data security is not in isolation: its adversaries agree. In 2019, the United States imposed trade sanctions on Huawei. The following year, the United States threatened to ban TikTok, while India banned Chinese mobile apps. All of these sanctions were taken in the name of national security.

“Currently, all the police tend to be more careful [around national security]. It is a problem of transferring attitudes from the external situation to the internal situation, and from above [of the government] down, ”said Li Tianhang, cybersecurity lawyer at Hui Ye law firm in Beijing.

Conflicting legal requirements at the international level could put multinationals at risk. According to an article by Hong Yanqing, one of the main drafters of China’s data protection laws, China, the EU and the United States are putting in place mutually incompatible legal regimes on “blocking and taking data. “, And multinationals are caught in the” game of laws “.

Beijing’s growing data fears have prompted some of its agencies to take on expanded roles. In the aftermath of the Didi investigation, the hitherto little-known CAC proposed a mandatory security review for all companies with more than one million users seeking IPOs overseas, giving it thus a grip on Chinese tech start-ups, whose fundraising is largely in USD funds seeking out New York City.

However, the ability of the CAC to carry out audits itself is limited. The agency was established in 2014 primarily to monitor online speech and is largely made up of former propaganda officials. The emphasis on data security is recent; in this area, it acts as a coordinator between various agencies with greater executive power.

“Local CAC branches have little knowledge about the new rules and how best to implement them,” said a data protection officer who works for a Guangdong-based internet finance company. “Sometimes they refuse our data review requests because they don’t understand what counts as sensitive data. “

But since the law required the company to follow the procedure, the officer added, his company resorted to sending data to the agency by registered mail so that the agency could not reject it under any circumstances.

In the aftermath of the Didi case, however, lawyers and former officials predict that responsibility will shift from pro-business regulators to government security factions.

“As soon as something gets elevated to the level of national security, it’s hard for another regulator to say anything. No one wants to take the risk of a national security incident happening on their own turf, ”said a person familiar with regulators.

Additional reporting by Nian Liu