China announces new regulation on data security sanctions

Written on 14 Jul 2021

Ride-hailing app Didi Chuxing's Wall Street IPO has prompted a probe from China's internet regulators amid an overhaul of national privacy and data security measures

The Cyberspace Administration of China (CAC) has opened an unprecedented investigation into Didi Chuxing and published a draft regulation to revamp privacy and data security sanctions only two weeks after the world’s largest app-based ride-hailing services company's initial public offering (IPO) on the New York Stock Exchange (NYSE).

Didi’s major shareholders include SoftBank Vision Fund and Tencent. It raised $4.4 billion in the IPO, the largest by a Chinese company on a US exchange since 2014. It is estimated that Didi provides 20 million rides a day in China and collects user location and route data on 100 billion kilometres of Chinese roads per year.

This business scale, however, has raised the CAC's concerns over the sharing of information by Didi with US regulators. The app company's IPO is perceived by the Chinese internet regulator as potentially compromising both in terms of user privacy and national security, particularly in the context of the recent trade tension between the world’s two largest economies.

Draft cyber-regulations

The CAC is currently making its draft regulation available for public comments over the next fortnight until 25 July 25. For the technology sectors, the proposed regulation has three noteworthy features.

Firstly, the draft regulation introduces a new centralised cyberspace security review agency under the direct supervision of the CAC. This new agency will work with 12 national sector regulators to implement the cyberspace reviews and sanctions. These reviews can be initiated either by volunteer filling or by the new agency under its defined authority (including receipt of complaints from the public or the competitors of the complained).

The new regulation also asks China-based companies that purchased (domestic or imported) network products and services to give a “pre-assessment” to determine whether their use of such products and services may bring national security risks. The products and services that are subject to the cyberspace security review look to be wide – including core network equipment, key communications products, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services as well as “other network products and services that has a significant impact on the critical information infrastructure”. It is expected that the finalised regulation should clarify how to define these products in technical terms.

Thirdly, Chinese companies that have collected more than one million users’ data must receive a cyberspace security clearance before they can go for an IPO on an overseas stock exchange. This will make IPOs on NASDAQ and NYSE potentially less lucrative for the institutional investors of private equity (PE) and venture capital-backed unicorns in China’s technology sector.

Osborne Clarke comment

Regulators in China used to take an “experiment first, regulate later’” approach to cultivate its technology sectors. This gave innovators in the digital, fin -tech and e-health business plenty of room for experiment and opportunities for trial and error. This regulatory position promoted entrepreneurial spirit in the technology sectors and arguably created momentum for the global PE industry (and sovereignty funds) as a whole in the past decade. As a result, the added value of China’s digital economy has grown to amount to 38.6% of its GDP in 2020 (according to a white paper published in April by China’s Academy of Internet and Communication Technology).

The sanction on Didi for data breaches and national security concerns (as well as China’s recent antitrust enforcement against Tencent and Alibaba) appeared to suggest that the Chinese regulator has chosen to join its counterparts in the West to enhance regulations and sanctions on tech giants. It raised controversy whether this should be seen as a crossroad for institutional investors to start to carefully review their portfolio in China’s technology sectors.

However, the enhanced sanctions on tech giants also introduce room and opportunities for technology companies who used to be shadowed by the tech giants. For example, five days after sanction on Didi was published, Meituan re-launched its stand-alone ride-hailing app, which was suspended in 2019 after its unsuccessful first launch aimed at Didi. Clearly, the regulatory storm in China continues to grow, so is the competition in its digital sectors.