Almost all China’s tech giants have now felt the crack of Beijing’s regulatory whip. Vincent Brussee says a new phase is beginning for big tech – it has to get to work for the country.
The Cyberspace Administration of China (CAC) on July 21 announced an 8 billion CNY (1.2 billion EUR) fine on tech giant Didi, the outcome of a year-long cybersecurity review initiated two days after Didi’s initial public offering (IPO) in the United States. The fine – worth over four per cent of Didi’s annual revenue – is the first time the CAC has shown its teeth as a guardian of citizens’ personal data. Yet its real motivation appears to be protecting national (cyber-)security, which is perhaps why the CAC remains secretive about the details of the case.
The CAC has publicly emphasized Didi’s “despicable” violations of personal information regulations as the reason for the mega-fine. These include the collection of nearly twelve million screen captures from users’ mobile phones and the storage of millions of personal ID numbers in unencrypted plain text. The regulators emphasis on violations of China’s newly-enacted Personal Information Protection Law (PIPL) is convenient, as it allows the CAC to impose higher fines than it could have imposed under older cyber-related laws.
But it’s also inconvenient, as the PIPL does not give the CAC any powers to enforce regulatory action regarding PIPL-breaches, only allowing it to act as a coordinator. The CAC also sidestepped the Ministry of Industry and Information Technology, with which it has jointly conducted the already well-established inspections of information collection by mobile apps. It was able to do so by turning personal-information protection into a matter of national security, giving the cyberspace regulator near-limitless discretion to take action by itself.
The CAC last year reportedly asked Didi to stop its much-watched share-listing on the New York Stock Exchange in light of data security concerns – a request Didi refused. The Chinese regulator appears to have been worried that US law enforcement agencies would have the power to force Didi to hand over data about citizens of the People’s Republic of China. A little over a year later, Didi joins Alibaba, Tencent, Baidu, and Meituan by becoming one of the last tech giants in China to be formally penalized as part of a tech rectification campaign.
“Normalizing” the new order for tech companies
Didi’s plight will most certainly not be the last Chinese regulatory action in cyberspace. But it does seem to mark the beginning of a new phase in Beijing’s campaign. In the eyes of China’s leadership, new laws have been enacted and the authorities have shown each of the tech giants they mean business. With the public humbling of China’s big tech nearing completion, a recent Politburo meeting emphasized its next goal would be to “normalize” the new order for tech companies established during the campaign.
The plans for this normalized phase are no secret. Beijing wants to nudge digital-platform companies in a direction it deems sustainable and healthy. Digital technologies must support the “real economy” – fun the internet might be, but it’s not valuable if its gains remain virtual, too. For the country to profit, data must flow freely domestically, between companies and from companies to government and vice versa (insofar national security allows). And financial risks must be controlled and monopolistic behavior banished.
Balancing national security and economic development
The State Council, China’s cabinet, took a first concrete step in this direction at the end of July, when it announced an inter-ministerial coordination mechanism that would focus on the tech sector’s development. Unsurprisingly, the CAC was ascribed an important role, presumably as top cybersecurity watchdog, second only to the National Development and Reform Commission, which is in charge of economic planning. Yet the CAC’s action against Didi raises the question whether it can fulfil Beijing’s economic-developmental goals.
Compared with other fines slapped on other tech companies, the CAC has been conspicuously tight lipped about the Didi case. Its secrecy is a direct consequence of the CAC’s unique nature. It is an organization of the Chinese Communist Party (CCP) – not the state – and is under control of the Central Cyberspace Affairs Commission led by party and state leader Xi Jinping. This means the CAC is also not bound by the same disclosure and procedural rules as state organs and may enjoy an almost supra-legal status. Given its pursuit of secrecy and security, it remains to be seen whether the CAC can balance Beijing’s imperatives of national security and economic development.