Chinese business and financial updates
Sign up to myFT Daily Digest to be the first to know about Chinese business and financial news.
The shockwaves that have wiped billions of dollars from Chinese stocks in recent days are part of a regulatory assault expected to extend beyond technology to all private sector business sectors in the country.
What initially started in November with the suspension of the $37 billion IPO of billionaire Jack Ma’s fintech, Ant Group, has expanded this month to an investigation into data security at ride-hailing app Didi Chuxing and devastating restrictions on the tutoring industry.
Experts and companies warn that the turbulence shows no signs of easing as the Chinese government rolls out a sweeping new legal framework for how companies collect and use data.
“We tell our clients that you are facing two to three years of extreme uncertainty,” said Kendra Schaefer, a technical analyst at Beijing-based consultancy Trivium.
What are the new laws?
Chinese companies — and potentially anyone who does business in China or trades with the world’s second-largest economy — face a range of data laws.
Best understood is the Cybersecurity Act, which came into effect in 2017 and covers network and equipment security. It has an assessment process in place to determine which companies are handling so-called “critical information infrastructure,” or data that could potentially harm Chinese security or pose a risk to the country’s citizens.
In September, China will introduce a new data security law. This will help regulators determine what data can be transferred outside of China without state authorization and what is prohibited.
The Chinese government is also expected to issue a personal data protection law, similar to the European General Data Protection Regulation, early next year. The law is expected to have far-reaching implications for China’s vast digital economy, including establishing processes for data audits of apps like Didi.
Ernan Cui, a Chinese consumer analyst at Gavekal Dragonomics, said the waves of regulatory action in Beijing were essentially a “battle for control of data” between the government and the private sector.
What are the main gray areas?
Trivium’s Schafer said it was unclear whether Beijing planned to disclose which companies had been designated as operators of critical information infrastructure and would therefore be subject to closer scrutiny.
“That’s the big problem . . . companies just don’t know yet,” she says. “What was actually quite remarkable about the CAC [Cyberspace Administration of China, the internet regulator] after Didi came, that’s how we found out that they are ‘critical infrastructure’.
On cross-border data transfers, the CAC has said that any data requested by foreign authorities needs Chinese approval.
“It’s not just about tech companies. It’s about any company that ships something from China,” Schafer said.
While few foreign companies provided critical information infrastructure — such as telecom networks — many foreign groups would become entangled selling services and products to Chinese customers, said Andrew Gilholm, head of China analysis at Control Risks, a consulting firm.
“[Chinese] companies are asked, ‘Who are your foreign suppliers?’, or ‘Where do you depend on foreign entities in your supply chain?’ he said.
Who are the regulators targeting now?
Analysts expect Beijing to move slowly from sector to sector, region to region, to decide which data is sensitive and therefore needs approval to leave the country.
A pharmaceutical company in China’s Jiangsu province said it was already subject to unpredictable CAC assessments over the transfer of data to its research and development lab in the US.
“Officials have suggested that it would be better to move our lab back to China as regulations are likely to become stricter,” said a representative, who asked not to be identified for security reasons.
Sam Radwan, director of Enhance International, a consulting firm that advises Chinese companies, said industries such as insurance and healthcare should step up surveillance because they were involved in massive data-gathering programs.
For example, car insurance companies have conducted extensive trials in China that digitally track driver behavior and locations. Telemedicine has also boomed in China. Such sectors have accumulated data that is “richer” and “even more sensitive” than Didi’s, Radwan noted.
The Chinese branches of foreign companies should also prepare for a “struggle” with regulators over sending basic business information out of China, analysts warned.
“Let’s say you’re a Japanese company contracted by a major Chinese company to build a new subway in Chongqing, and you have some data related to the project that you’re transferring to Tokyo – these are the kinds of things where companies have troubling gray areas because it’s a normal part of business,” said Gilholm, the risk analyst for China.
The outlook further complicates his questions about which regulators will monitor the new data governance regime.
“Turf wars are a natural result of new regulatory processes,” Schafer added.
Additional reporting by Nicolle Liu in Hong Kong