Long before China’s cyber space agency warned Didi to slow down its blockbuster $4.4bn public offering in New York, the country’s data security hawks had started preparing their legal arsenal to face another perceived threat from the US.
In March 2018, the US passed the Cloud Act, allowing law enforcement to request data stored outside its territory. Later that year, Canada arrested Meng Wanzhou, Huawei’s chief financial officer and the daughter of its founder, based on a US extradition request. US courts compelled HSBC to give evidence on Meng’s presentations to the bank.
As tensions between the US and China grow, legal experts close to Beijing’s regulators say that the series of events in 2018 shot data security to the top of China’s political agenda, and intertwined data with national security. Beijing rushed to create legal barriers against what it saw as “long-arm” tactics used by foreign governments to access data.
The resulting rise of China’s data security hawks has elevated everyday business procedures, such as listing or transferring data abroad, to the status of national security concerns. Lawyers warn that firms are being caught in the vast legal grey space at the whim of agencies’ discretionary power, while companies say they fear being subject to the kind of inter-agency miscommunication that muddled Didi’s IPO.
“It’s 27 dragons ruling one patch,” said Xu Ke, director of the internet law research centre at the University of International Business and Economics in Beijing.
This month the Cyberspace Administration of China sent Didi’s share price plummeting days after its $4.4bn public offering in New York with a ban on new users. The CAC has now proposed measures that allow it to veto any company with more than 1m users listing abroad.
On Friday, seven government agencies stationed staff inside Didi to carry out what looks to be a multi-month cyber security review. It also marked the first public announcement about China’s secretive spy agency, the Ministry of State Security, basing staff inside a company.
The Didi case comes as China is preparing a sweeping new Data Security Law, which broadens the scope of what data cannot be transferred outside of China without prior approval. The drafting of the law, which will be introduced in September, was pushed by the Ministry of State Security, according to several people familiar with the matter.
“It’s a legal remedy against the abusive use of the long arm of the state by a small number of countries — and it protects our country’s in-territory data from being improperly acquired by foreign judicial or executive agencies,” said an explanation reposted by the CAC on the Data Security Law.
China’s heightened concern with data security is not isolated: its adversaries are thinking along similar lines. In 2019, the US slapped trade sanctions on Huawei. The following year, the US threatened to ban TikTok, while India banned Chinese mobile apps. All these sanctions were made in the name of national security.
“Right now, all law-enforcement agencies are tending towards being more cautious [around national security]. It’s a problem of attitudes being transferred from the external situation to the domestic, and from the top [of the government] to the bottom,” said Li Tianhang, a cyber security lawyer at Hui Ye Law Firm in Beijing.
Conflicting legal demands on an international level could put multinationals at risk. According to a paper by Hong Yanqing, a lead drafter of China’s data protection laws, China, the EU and the US are building out mutually incompatible legal regimes over “blocking and taking data”, and multinationals are being caught in the “game of laws”.
Beijing’s growing data fears have pushed some of its agencies into expanded roles. In the aftermath of the Didi investigation, the previously little-known CAC has proposed a compulsory security review for all companies with more than 1m users who seek foreign IPOs, giving it a hold over China’s technology start-ups, whose fundraising is largely from USD funds seeking New York exits.
Yet the capacity of the CAC to carry out audits itself is limited. The agency was created in 2014 mostly to control online discourse, and is largely staffed with former propaganda officials. Its focus on data security is recent; in this arena it acts as a co-ordinator between various agencies with more executive power.
“Local CAC branches have little knowledge about what the new rules are and how best to implement them,” said a data protection officer who works for Guangdong-based internet finance firm. “They sometimes turn down our data review requests as they don’t understand what counts as sensitive data.”
But since the law forced the company to go through the procedure, the officer added, his company was resorting to sending data to the agency via registered mail so that there was no way the agency could reject it.
In the aftermath of the Didi case, however, lawyers and former officials predict that the onus will swing from pro-business industry regulators to the security factions of the government.
“As soon as something becomes elevated to the level of national security, it’s hard for any other regulator to say anything. Nobody wants to take the risk of a national security incident happening on their own turf,” said one person familiar with the regulators.
Additional reporting by Nian Liu