Long before the Chinese cyberspace agency warned Didi to delay its blockbuster $4.4 billion public offering in New York, the data security hawks had begun preparing their legal arsenal to counter another perceived threat from the to face the United States.
In March 2018, the US passed the Cloud Act, which allows law enforcement to query data stored outside its territory. Later that year, Canada arrested Meng Wanzhou, Huawei’s chief financial officer and the founder’s daughter, based on a US extradition request. US courts forced HSBC to testify about Meng’s presentations to the bank.
As tensions mount between the US and China, legal experts close to Beijing’s regulators say the series of events in 2018 has put data security at the top of China’s political agenda, interweaving data with national security. Beijing rushed to put up legal barriers against what it saw as “long arm” tactics used by foreign governments to access data.
The resulting rise of China’s data security hawks has elevated everyday business procedures, such as offering or transferring data abroad, to the status of national security concern. Lawyers warn that companies are being trapped in the vast legal gray space by the arbitrariness of agency discretion, while companies say they fear being subjected to the kind of inter-agency miscommunication that has confused Didi’s IPO.
“It’s 27 dragons that rule over one patch,” said Xu Ke, director of the Internet Law Research Center at the University of International Business and Economics in Beijing.
This month, China’s Cyberspace Administration sent Didi’s stock price just days after New York’s $4.4 billion public offering banning new users. The CAC has now proposed measures that make it possible to veto any company with more than 1 million users abroad.
On Friday, seven government agencies stationed staff in Didi to conduct a multi-month cybersecurity investigation. It also marked the first public announcement about China’s secret spy agency, the Ministry of State Security, which bases personnel in a company.
The Didi case comes as China prepares a sweeping new data security law that broadens the scope of what data cannot be transferred outside of China without prior approval. The drafting of the law, which will be introduced in September, was pushed by the Ministry of State Security, according to several people familiar with the matter.
“It is a remedy against the illicit use of the long arm of the state by a small number of countries — and it protects our country’s borders from unlawful acquisition by foreign judicial or executive agencies,” said a statement reposted by the CAC on the data security law.
China’s heightened concerns about data security are not isolated: its opponents think along the same lines. In 2019, the US issued trade sanctions against Huawei. The following year, the US threatened to ban TikTok, while India banned Chinese mobile apps. All these sanctions were made in the name of national security.
“Right now, all law enforcement agencies tend to be more cautious [around national security]. It is a problem that attitudes are transferred from the external situation to the domestic and from the top [of the government] to the bottom,” said Li Tianhang, a cybersecurity attorney at Hui Ye Law Firm in Beijing.
Conflicting legal requirements at the international level can put multinationals at risk. According to a paper by Hong Yanqing, a leading drafter of China’s data protection laws, China, the EU and the US are building mutually incompatible legal regimes over “blocking and taking data”, and multinationals are caught in the “game of laws”. ”.
The growing fear of data in Beijing has pushed some of its agencies into more elaborate roles. In the wake of the Didi investigation, the previously little-known CAC has proposed a mandatory security assessment for all companies with more than 1 million users seeking foreign IPOs, putting its grip on Chinese tech start-ups, whose fundraising comes largely from USD funds seeking exits from New York.
However, the CAC’s capacity to conduct its own audits is limited. The agency was established in 2014 primarily to control online discourse and is largely staffed with former propaganda officials. The focus on data security is recent; in this arena, it acts as a coordinator between different agencies with more executive power.
“Local CAC offices have little knowledge of what the new rules are and how best to implement them,” said a data protection officer who works for the Guangdong-based internet finance company. “Sometimes they reject our data review requests because they don’t understand what counts as sensitive data.”
But since the law forced the company to go through the procedure, the officer added, his company resorted to sending data to the agency via certified mail so that the agency had no way of refusing it.
However, in the wake of the Didi case, lawyers and former officials predict that responsibility will shift from pro-business regulators to government security factions.
“Once something is elevated to the level of national security, it’s hard for another regulator to say anything. No one wants to risk a national security incident on their own property,” said a person familiar with the regulators.
Additional reporting by Nian Liu