Sep 02, 2021 07:01 PM

Opinion: How Did Western Pundits Get China’s Data Security Rules Wrong?

When data laws are put in place, companies are aware of them, what they are meant to do, and how the business should ensure compliance. Photo: VCG

The rapid movement of data security regulations and the Didi crackdown has come as a “surprise” to most in the West. But China’s data protection regime has been in place and evolving for almost two decades.

Formal rules began in 2004 with the Resident Identity Card Law, which influenced the Consumer Rights Protection Law in 2014 and provided a foundation for the Cybersecurity Law in 2017, which in turn was a foundational pillar of the Data Security Law in June of this year. These are just a few of the regulations that have evolved and influenced each other since the early 2000s.

In 2015, I ran a large manufacturing company in China, and was advised by regulators that if we were involved in local projects like infrastructure, the data must be kept in China. This was viewed with bewilderment by senior management overseas, but we maintained a China-only server, not connected to the outside world, to be in compliance. Data security concerns by the government are nothing new.

In March, the People’s Liberation Army issued a surprise statement that Teslas could no longer be parked in or around military bases and related housing complexes. When you delve deeper into the reasoning, the regulations had a clear and pragmatic purpose. Tesla’s data is collected and stored on servers, and also sent to its center in California. This is a huge issue for China, as the U.S. government could access the data and understand who comes and goes, when they do so, how they do it, etc.

In April, Meituan and Tencent, along with 30 other companies, were warned by regulators to clean things up and comply with regulations. In this environment, Didi, which holds hundreds of times the data that a Tesla car would, runs the risk by listing in the U.S. of having critical data leaked to a foreign government. So Didi, along with other companies in the country, should understand the necessity of heeding the guidance of regulators.

Does this mean the Chinese government “hates” business or “wants to control everyone and everything,” as stated by Western media and pundits? No, it doesn’t. The U.S. has similar controls on technology and data, called export controls and the entity list, which significantly affect businesses. It shouldn’t come as a surprise that China would act in a similar way, and that the release of its data is a security risk to the country. For example, the U.S. government implemented property restrictions on purchases and travel to and around U.S. military bases, as well as ITAR regulations to keep certain information and products out of the hands of various entities, such as a foreign government. In the U.S., companies must be compliant with its rules and regulations, and the same goes for businesses in China. Both countries are concerned about knowledge, data, expertise, and each other. It comes as no surprise that restrictions are evolving and addressing newfound industries and security risks on both sides.

Since 2017, data localization and sovereignty concerns that started with the financial industry have been a point of emphasis by regulators. The new personal information protection law passed on August 20 is a further evolution, stipulating that before any data can be sent overseas, it has to follow multiple steps. The first is that the law specifies that any entity sharing data overseas must first get permission from each individual whose data will cross borders. While this may be easy enough for companies to secure, as consumers downloading an app from the store usually press the “accept” button that releases the company from restrictions, the next part is tricky. The data and company must go through a cybersecurity review, then be certified by an institution approved by the government, and then a contract with the overseas receiver needs to be entered into that stipulates the responsibilities of both parties. It’s safe to assume that many users do not want their data, such as daily commuting routes, tracked or used, especially overseas. This is even more so with a government that does not want parties outside of its purview to know about daily activities, purchasing habits, or other information that can be gleaned from such data.

How will this impact consumers and companies?

With the 2017 law and the Cybersecurity Review Measures issued in 2020, along with a warning prior to its IPO of the need for a data security review, Didi chose to ignore the warning signs and regulations. Some have argued it is common for the government to discuss issues prior to an IPO and that, while “recommendations” are made, there is a level of flexibility to complete them within an allotted timeframe. While perhaps valid in some areas, when it comes to data security this has not been the case for some time. Responsibility for this failure of recognition falls on Didi management, the board, and the bankers who wanted to sell the IPO.

During the process of creating and designing new guidelines, regulators have asked for feedback and ideas from industry players, as in the draft period of the Cross-border Transfer of Personal Information and Important Data regulations released in April of 2017. A feedback period was in place, and updated regulations came out in June of 2019. Has this process changed recently? No. Was Didi not aware of this, or that regulations were being created and implemented? It’s impossible that a company such as Didi, with the data it accumulates, wouldn’t know these regulations are in place.

So when data laws are put in place, companies are aware of them, what they are meant to do, and how the business should ensure compliance. When a government entity “advises” or “recommends” a course of action, a company must review it and take it to heart, especially in areas with national security implications, such as data. Regulators are acutely aware that businesses need to keep up with changing regulations, as stated in the meeting with the banking industry on July 28.

So don’t buy the “things have changed” mantra repeated by many. Those aligned with the country’s priorities and actively engaged with regulators should not run afoul of them. Whether it’s data security, national security concerns, or even education policy, companies involved in the process are not surprised when regulators make changes, or crack down when laws are not followed.

Cameron Johnson is a partner at Tidalwave Solutions and adjunct faculty at New York University in Shanghai.

The views and opinions expressed in this opinion section are those of the authors and do not necessarily reflect the editorial positions of Caixin Media.
