|End-of-day quote - 07/23|
China's New Power Play : More Control of Tech Companies' Troves of Data
|06/11/2021 | 10:15pm|
By Lingling Wei
Shortly after rising to power in late 2012, Xi Jinping made his first company visit in his new job as China's Communist Party chief, to Tencent Holdings Ltd. There, he raised a topic that has become both an opportunity and a challenge for his rule: the vast troves of personal data being gathered by the country's technology companies.
Mr. Xi complimented Tencent's founder, Pony Ma, on the way the company was accumulating information from millions of users, and harnessing that data to drive innovation. He also suggested that data would be useful to Beijing.
"You have the most sufficient data, then you can make the most objective and accurate analysis," he told Mr. Ma, according to state media accounts. "The suggestions to the government in this regard are very valuable."
More than eight years later, those suggestions are becoming demands. The government is now calling on big tech companies like Tencent, online retailing giant Alibaba Group Holding Ltd. and TikTok owner ByteDance Ltd. to open up the data they collect from social media, e-commerce and other businesses, according to official documents and interviews with people involved in policy-making.
The complex new web of laws and regulations around sharing digital records is being driven by the huge growth in data held by China's tech giants -- and a belief that the government should be able to access it. The efforts are also part of Mr. Xi's quest to rein in the increasingly powerful tech sector, which has pushed back on some of Beijing's previous data-sharing efforts. The most recent law, passed Thursday, will make it harder for companies to resist such requests.
China's leaders worry that the country's tech giants could be using their extensive personal and corporate digital records to build alternative power centers in the one-party state. That concern led Mr. Xi to halt a planned initial public offering by Jack Ma's financial-technology behemoth Ant Group Co. late last year.
Chinese government entities involved in the effort to regulate data, including the State Council and the Cyberspace Administration of China, didn't respond to requests for comment.
Beijing is also intensifying the pressure on foreign firms operating in China to keep records gathered from local customers inside the country, so the government has more authority over the records. Western companies have long complained such "data-localization" requirements could stifle innovation in their global operations or enable Chinese authorities to steal their proprietary information.
U.S. electric-car maker Tesla Inc. pledged in late May to build more data centers in China and to keep information generated by the vehicles it sells there within Chinese borders. In a statement posted on Chinese social media, Tesla said it was "honored" to participate in an industry discussion on the matter.
Tesla didn't respond to requests for comment.
Many countries are wrestling with how to regulate digital records. Some economies, including in Europe, emphasize the need for data privacy, while others, such as China and Russia, put greater focus on government control. The U.S. currently doesn't have a single federal-level law on data protection or security; instead, the Federal Trade Commission is broadly empowered to protect consumers from unfair or deceptive data practices.
Behind China's moves is a growing sense among leaders that data accumulated by the private sector should in essence be considered a national asset, which can be tapped or restricted according to the state's needs, according to the people involved in policy-making.
Those needs include managing financial risks, tracking virus outbreaks, supporting state economic priorities or conducting surveillance of criminals and political opponents.
Officials also worry companies could share data with foreign business partners, undermining national security.
Beijing's latest economic blueprint for the next five years, released in March, emphasized the need to strengthen government sway over private firms' data -- the first time a five-year plan has done so.
A key element of Beijing's push is a pair of laws, one passed on Thursday and the other a proposal updated by China's legislature in April. Together, they will subject almost all data-related activities to government oversight, including their collection, storage, use and transmission. The legislation builds on the 2017 Cybersecurity Law that started tightening control of data flows.
The new Data Security Law, which will take effect on Sept. 1, includes a goal of classifying private-sector data according to its importance to state interests. The vaguely worded clause, analysts and legal experts say, gives authorities considerably more leeway to control data deemed essential to the state, while making it harder for businesses, both Chinese and foreign, to say no.
The law will "clearly implement a more stringent management system for data related to national security, the lifeline of the national economy, people's livelihood and major public interests," said a spokesman for the National People's Congress, the legislature.
The proposed Personal Information Protection Law, modeled on the European Union's data-protection regulation, seeks to limit the types of data that private-sector firms can collect. Unlike the EU rules, the Chinese version lacks restrictions on government entities when it comes to gathering information on people's call logs, contact lists, location and other data.
"Less invasive private-sector data collection anywhere is a good thing," says analyst Ryan Fedasiuk at Georgetown University's Center for Security and Emerging Technology. "But China's push for data privacy strikes me as yet another move to strengthen the role of the government and the party vis-à-vis tech companies."
Authorities are taking action even before the laws take effect, as part of the tech clampdown.
In late May, citing concerns over user privacy, the Cyberspace Administration of China singled out 105 apps -- including ByteDance's video-sharing service Douyin and Microsoft Corp.'s Bing search engine and LinkedIn service -- for excessively collecting and illegally accessing users' personal information. The government gave the companies named 15 days to fix the problems or face legal consequences.
Bytedance, Microsoft and LinkedIn didn't respond to requests for comment. It's unclear how the companies responded to the government's request.
Two weeks earlier, the government ordered 13 firms, including the financial arms of food-delivery giant Meituan, ride-sharing provider Didi Chuxing Technology Co. and e-commerce firm JD.com Inc., to adhere to tighter regulation of their data and lending practices.
Meituan, Didi and JD.com all said they had agreed to rectify their business practices as required.
Beijing's pressure on foreign firms to fall in line picked up with the 2017 Cybersecurity Law, which included a provision calling for companies to store their data on Chinese soil. That requirement, at least initially, was largely limited to companies deemed "critical infrastructure providers," a loosely defined category that has included foreign banks and tech firms.
In private meetings with American firms, Chinese officials have dismissed concerns that the rule could allow China to take proprietary information, while saying the data needs to be stored in China for security and regulatory purposes, according to people familiar with the discussions.
To comply with tough Chinese cybersecurity rules, Apple Inc. in 2017 pledged to store all cloud data for its customers there with a government-owned company. It has built a data center in China for customers of its iCloud service, for data including photos, documents, messages, apps and videos uploaded by Apple users throughout the mainland. Apple declined to comment.
Since last year, Chinese regulators have formally made the data-localization requirement a prerequisite for foreign financial institutions trying to get a foothold in China. Citigroup Inc. and BlackRock Inc. are among the U.S. firms that have so far agreed to the rule and won licenses to start wholly-owned businesses in China.
Citigroup and BlackRock declined to comment.
The data-security laws promise to broaden the requirement to include more types of foreign companies. Regulators are also rolling out sector-specific rules to strengthen control over data considered important to state interests.
Tesla's Gigafactory in Shanghai has sparked some new rules. China's leadership greenlighted the U.S. car maker's plan to set up the wholly-owned production facility in 2018.
Senior officials have publicly likened Tesla to a "catfish" rather than a "shark," saying the company could uplift the auto sector the way working with Apple and Motorola Mobility LLC helped elevate China's smartphone and telecommunications industries.
To ensure Tesla doesn't become a security risk, China's Cyberspace Administration recently issued a draft rule that would forbid electric-car makers from transferring outside China any information collected from users on China's roads and highways. It also restricted the use of Tesla cars by military personnel and staff of some state-owned companies amid concerns that the vehicles' cameras could send information about government facilities to the U.S.
In late May, Tesla confirmed it had set up a data center in China and would domestically store data from cars it sold in the country. It said it joined other Chinese companies, including Alibaba and Baidu Inc., in the discussion of the draft rules arranged by the CyberSecurity Association of China, which reports to the Cyberspace Administration.
(MORE TO FOLLOW) Dow Jones Newswires