As data security hawks gain power, Chinese companies face uncertainty
Long before the China Cyberspace Administration issued a warning Didi will slow down its $4.4 billion blockbuster public offering In New York, the country’s data security hawks have begun to prepare their legal weapons in response to another obvious threat from the United States.
In March 2018, the United States passed the Cloud Act, allowing law enforcement agencies to request data stored outside its borders. Later that year, Canada arrests Meng WanzhouAccording to the US extradition request, the daughter of Huawei’s chief financial officer and its founder. The U.S. court compelled HSBC to provide evidence on Meng’s statement to the bank.
As tensions between China and the United States intensify, legal experts close to Beijing’s regulators said that a series of events in 2018 put data security at the top of China’s political agenda and intertwined data with national security. Beijing is eager to set up legal barriers to the “long-arm” strategy used by foreign governments to obtain data.
The subsequent rise of China’s data security hawks has elevated daily business procedures, such as listing or transmitting data abroad, to the status of national security issues. Lawyers warn that the company is falling into a huge legal gray space due to the whim of institutional discretion, while the company said that they are worried about the impact of poor inter-agency communication, which has made Didi’s IPO chaotic.
Xu Ke, director of the Internet Law Research Center of Beijing University of International Business and Economics, said: “This is a patch for 27 dragons to rule.”
This month, the National Internet Information Office sent Didi’s share price plummeted for a few days After the public offering of $4.4 billion in New York and banning new users. CAC now proposes some measures to allow it to veto any company that has more than 1 million users listed abroad.
On Friday, seven government agencies stationed personnel within Didi to conduct a multi-month cyber security review. This also marks the first time that the Ministry of National Security, China’s secret spy agency, has publicly announced the placement of staff in a company.
At the time of the Didi case, China was preparing a comprehensive new data security law that expanded the scope of data not being transmitted outside of China without prior approval. According to several people familiar with the matter, the drafting of the law was promoted by the Ministry of National Security, and the law will be promulgated in September.
“This is a legal remedy for a few countries to abuse the country’s long-arm – it protects our country’s territorial data from being improperly obtained by foreign judicial or enforcement agencies,” the agency reposted an explanation. CAC Regarding Data Security Law.
China’s high attention to data security is not isolated: its opponents are also thinking about similar issues. In 2019, the United States imposed trade sanctions on Huawei. The following year, the United States threatened to ban TikTok, while India banned Chinese mobile applications. All these sanctions are carried out in the name of national security.
“Now, all law enforcement agencies tend to be more cautious [around national security]. This is a question of attitude shifting from the outside to the domestic and from the upper echelons [of the government] In the end,” said Li Tianhang, a cyber security lawyer at Beijing Huiye Law Firm.
Conflicting legal requirements at the international level may put multinational companies at risk. The paper by Hong Yanqing, the main drafter of China’s data protection law, stated that China, the European Union and the United States are establishing mutually incompatible legal systems for “intercepting and obtaining data”, and multinational companies are caught in a “legal game.” “.
Beijing’s growing concerns about data have prompted some of its institutions to play a greater role. After Didi was investigated, the previously little-known CAC proposed to conduct mandatory security reviews on all companies seeking overseas IPOs with more than 1 million users, thereby controlling Chinese technology start-ups. Its funding mainly comes from funds seeking to withdraw from New York in US dollars. .
However, CAC’s ability to conduct audits is limited. The agency was established in 2014 to control online speech and is mainly composed of former propaganda officials. Its focus on data security is recent; in this area, it acts as a coordinator between various agencies with greater administrative power.
“The local CAC branch knows very little about the content of the new regulations and how to best implement them,” said a data protection officer who works at Guangdong Internet Finance Corporation. “They sometimes refuse our data review request because they don’t understand what sensitive data is.”
But the official added that because the law compelled the company to pass the procedure, his company was resorting to sending data to the agency by registered mail, so the agency could not refuse it.
However, after the Didi case, lawyers and former officials predicted that responsibility would shift from the pro-commercial industry regulator to the government’s security faction.
“Once something rises to the level of national security, it is difficult for any other regulatory agency to say anything. No one wants to risk a national security incident on their own territory,” said a person familiar with regulatory agencies.
Additional report by Liu Nian