Spotlight on the Emerging Chinese Data Protection Framework: Lessons Learned from the Unprecedented Investigation of Didi Chuxing
As China makes headlines with its ramped-up efforts to build a comprehensive data protection, privacy and cybersecurity legal framework with broad extraterritorial effects, a recent landmark enforcement action of the Cyberspace Administration of China (CAC) against one of the largest tech companies in the country shines a light on how the future privacy regulator and the Chinese government are approaching enforcement of data-related laws.
On July 2, 2021, CAC announced the launch of a cybersecurity review of Didi Chuxing (Didi), two days after the Chinese ride-hailing leader’s $4 billion IPO in New York. This is the first time the CAC has publicly initiated this type of review, likely making the Didi investigation the highest profile case launched under China’s emerging data protection framework.
The “cybersecurity review” is a relatively new enforcement tool in CAC’s regulatory toolbox, introduced by the Cybersecurity Review Measures (CRM) in June 2020. It addresses “critical information infrastructure operators”, who must anticipate potential national security risks of network products and services. If the operator determines that these products and services influence national security, the operator must submit a cybersecurity review to the CAC. Upon receiving the review, the CAC then determines whether to launch a formal administrative audit to test for compliance and security – and this is the first time it publicly decided to do so.
The consequence? The CAC demanded that Didi prevent new users from signing up to its service until completion of the review. Following this, regulators also issued a notice requesting that the company remove its 25 related apps from the app store, and announced reviews of three more Chinese companies. These measures were imposed before the investigation was completed, making them some of the toughest preliminary measures in data-related investigations from digital regulators around the world.
Below we consider the high-level takeaways of the decision and its implications for data protection in China going forward, considering that the CAC is designated as the enforcer of the future Personal Information Protection Law (PIPL), which is at its second reading and is expected to pass by the end of this year, and of the 2017 Cybersecurity Law (CSL).
1. “Critical Information Infrastructure Operators” could mean any tech company, including ride-hailing service providers
Some of the most consequential provisions of the CSL and of the future PIPL apply to “Critical Information Infrastructure Operators”, a notion that has been surrounded by a certain ambiguity since it was introduced into China’s legal framework. Article 37 of the CSL requires these operators to store in China the personal information and “important data” collected and generated by their operations within China. If they need to send such data abroad out of business necessity, they must additionally undergo a security assessment by the competent authorities.
Since the enactment of the CSL in 2017, the vague wording of the article has generated a lot of confusion as to what constitutes “critical information infrastructure”, as many have raised concerns that the open-ended nature of the definition could theoretically encompass all types of data processing activities. In part, the CRM aims to streamline this process and provide a mechanism for these operators to undergo mandatory security reviews under the CSL.
Additionally, the draft PIPL also includes specific rules for Critical Information Infrastructure Operators, in particular with regard to international data transfers. The draft law requires that where such operators need to provide personal information abroad, they must “pass a security assessment organized by the State cybersecurity and informatization department” (Article 40), thus softening the strict data localization requirement. This appears to be the same type of security audit performed in the Didi investigation, which makes this case relevant to understanding how the CAC and Chinese authorities approach such an assessment.
The fact that Didi, a ride-hailing company, is treated as a Critical Information Infrastructure Operator indicates that the authorities indeed take a broad view of what “critical infrastructure” means, creating more uncertainty with regard to what entities are subject to this enhanced level of scrutiny.
2. There is a link between mobility data, including location data, and national security, making it an ideal candidate for “important data”
While a detailed motivation for the “cybersecurity review” of Didi has not been published beyond the announcement that it is taking place pursuant to the CRM, the nature of the data processed by a ride-hailing company like Didi indicates that the authorities see a link between mobility data, data localization requirements and national security.
Chinese regulators have recently published draft rules for privacy and security in the connected vehicles industry, the Draft Several Provisions on the Management of Automobile Data Security, which require operators to block cross-border data transfers when the “management and legal systems are imperfect.” While ambiguous, this provision leaves open the possibility that insufficient compliance provides a ground for strict localization. Because access to data is critical for success in this industry, the Chinese government has attached significant importance to mobility-relevant data.
In fact, through this investigation, the authorities may also be signaling to the market that such data could qualify as “important data” — a concept used in many data protection laws in China to refer to information that implicates national security. Indeed, the intertwining of national security with personal information protection is becoming one of the key features of China’s data protection regime.
The use of the CRM process to crack down on Didi indicates that Beijing is taking the disclosure of such information very seriously. Reports indicate that the CAC requested Didi to alter its mapping function prior to its IPO in the United States. Didi’s mapping function is primarily responsible for organizing complex location data, including pickup and drop-off locations of rides. Given some mandatory disclosure requirements under U.S. securities law for companies that want to be publicly traded, particularly the recently enacted Holding Foreign Companies Accountable Act (HFCAA), the Chinese government may have been overcautious in wanting to prevent disclosing any sensitive information to US authorities – even though, in fact, US law does not require Didi to disclose this type of user information.
3. The new data protection framework will likely not be a paper tiger
Removing all connected apps from the app store and preventing any new users from registering with the company are measures that have very serious consequences for a tech company and its business. These measures were requested by the CAC as preliminary measures to be implemented for the duration of the review concerning Didi. They also confirm a radical turn in the government’s attitude towards enforcement and compliance in the digital market, following a trend that has been visible for a while already.
The increased pressure to comply stands in contrast with the previous approach the Chinese government took towards the growth of Internet companies. In the past, emerging tech firms were allowed to adopt a laissez-faire approach to their growth strategies and often pursued aggressive data collection and processing methods to compete with other tech giants and their global competitors, while downplaying the importance of compliance. With the emergence of broad cybersecurity and data protection measures like the Data Security Law (DSL), which will enter into force this September, the draft PIPL and the 2017 CSL, Chinese regulators are signaling that non-compliance will result in real penalties.
The Didi decision also exposes some ambiguity in China’s regulatory system and in the way it is enforced. In particular, it is difficult to pinpoint exactly where the review was initiated within China’s complex administrative bureaucracy. Twelve ministries help coordinate cybersecurity reviews under the CRM, each with its own offices, personnel and regulatory competences. In many instances, these competences may conflict as regulators attempt to assert their own prerogatives and priorities over particular tech companies. The CAC announced in mid-July that more than six Chinese agencies had initiated investigations into Didi regarding its planned IPO. While Internet regulation is largely centralized through the CAC, specific decisions are carried out by a range of other government bodies, sometimes in coordination with each other and sometimes not.
Administrative clarification could help produce more certainty in the system, but, without guidance from the very top, agencies and government offices within China’s bureaucracy often take their own initiative to demarcate regulatory boundaries. Domestic backlash in China against large tech companies has also fueled recent regulatory developments and provided the Chinese government with a popular mandate to strengthen national control over the platform economy.
4. Data protection, understood broadly, seems to be used as a lever to effectuate broader policy goals
Data protection seems to be understood broadly in China as encompassing cybersecurity, data governance and data localization as much as, or even more than, privacy considerations and fair information practices with regard to personal information.
As stated above, the Didi review is the first public announcement of an investigation under the CRM since its formal enactment in June 2020. In many ways unprecedented, the Didi investigation is a consolidating step in China’s emerging data protection framework. This framework includes a range of regulatory tools designed to strengthen control over the digital economy and rein in the influence of large platforms in China. Chinese regulators view the solidification of these regulatory tools as the next stage in the evolution of data governance and of the digital economy more broadly.
It also looks like this consolidated regulatory regime is becoming a tool for Chinese regulators to assert their economic interests both at home and abroad and to effectuate broader policy goals in the geopolitical arena. For example, Didi’s cybersecurity review may be more directly related to other regulatory goals, such as incentivizing Chinese tech companies to host public offerings in Hong Kong or Shanghai rather than foreign markets. Indeed, in the past few weeks, many Chinese companies have followed suit and halted their IPO prospects in the face of cybersecurity audits.
This cybersecurity probe complements recent actions taken by the Chinese government to impose more oversight on overseas listings. For instance, the Data Security Law, which will go into effect in September, requires that Chinese entities not provide data stored within China to “foreign justice or law enforcement bodies” without permission from the regulatory authorities. The CAC seems to be taking an active role in monitoring the overseas listings of Chinese tech firms through its cybersecurity competences and the CRM process.
The broader policy goals pursued by the data security requirements, the cybersecurity review measures and the new personal information protection regime are becoming increasingly visible. On July 10 the CAC issued a notice to solicit comments on a revision of the CRM — only one week after the public announcement of Didi’s review under the same legal regime. The revisions include:
- Harmonizing the CRM process with the expected Data Security Law — an indication that the concept of “important data” will play a more fundamental role in the cybersecurity audits of Chinese firms,
- Expanding the scope of the CRM review process to include “data handlers conducting data handling activities that may influence national security” – with the mention that “data handlers” are the entities expected to comply with the personal information protection obligations under the future PIPL (the equivalent of a “data controller” under the EU’s General Data Protection Regulation); and
- Adding a bright-line threshold requiring any operator that holds the personal information of over 1 million users and lists stock abroad to make a mandatory cybersecurity filing under the CRM. The provision notably does not apply to listings in Hong Kong.
In particular, the inclusion of this bright-line threshold is significant because it indicates that Chinese regulators are strengthening the country’s personal information protection system even before the PIPL is finalized. Internet companies in China must now link their processing of personal information to internal cybersecurity audits both before and after offering these services abroad.
With the newly revised CRM and the recent Didi investigation, cybersecurity audits are becoming a central feature of China’s data protection ecosystem – one that turns on the protection of both personal and non-personal information. The formal adoption of the DSL and the PIPL this year will add to this, but in many respects Chinese regulators have already begun laying the groundwork for a new, far-reaching regulatory regime for data and the tech sector.