Internet platforms targeted in data security reviews
Nation steps up regulation of big tech companies
Cybersecurity reviews launched by China into internet platforms, including Didi Global, underline the country's resolve to crack down on data breaches and misuse, according to legal experts and technology industry observers.
They are part of China's broader push to align itself with international practices in toughening regulations aimed at technology companies, which are increasingly banking on data monetization for revenue growth, and posing bigger risks for data management, the experts and observers said.
As countries worldwide work on legal frameworks for the digital economy, the experts said, companies need to assess their data assets, which are "now as valuable and essential as oil and electricity".
Prioritizing data security has become essential for companies' healthy development, they added.
On July 5, the Cyberspace Security Review Office said it was conducting reviews in accordance with related laws into job recruiting platform Boss Zhipin and Yunmanman and Huochebang, two truck-hailing platforms that are part of the Full Truck Alliance.
The office cited data security risks as the reason for the reviews, which came shortly after it said on July 2 that an investigation had been launched into Chinese ride-hailing giant Didi.
In a statement published on July 5, it said the probes are being undertaken to "prevent national data security risks, maintain national security and protect the public interest".
Such efforts come as countries worldwide place increased importance on data security and play their part in regulating companies.
CNBC reported that US President Joe Biden signed an executive order last month to protect personal data from foreign adversaries. The order sets criteria for the US government to evaluate the risk of apps linked to such adversaries, including the threat to national security.
In European Union member states, the General Data Protection Regulation, one of the strongest legislative attempts globally to govern the collection and use of personal data, took effect in May, 2018.
"The Didi probe is the first time China's internet regulator has publicly cited national security as a reason for launching an inquiry into a big tech company," said Song Haixin, a senior lawyer at law firm Jincheng Tongda &Neal (Shanghai).
"The investigation marks a milestone in China's efforts to handle national security issues related to data, and it could affect how future probes will be carried out."
The Cyberspace Administration of China laid the legal groundwork last year for such probes and is now enforcing new rules, Song said.
According to measures that took effect a year ago, entities subject to cybersecurity reviews should receive the initial results within 45 days, but the results from complicated cases take longer to process.
Song said: "It is high time for companies, Chinese and foreign, to comb through their data assets. Instead of paying lip service, they must sit down and devote considerable resources to identifying crucial data and how to process and store it."
Experts said Didi, Full Truck Alliance and Boss Zhipin boast sizable pools of data that include not just information about individual users, but also basic data related to crucial infrastructure such as roads and transportation－significant aspects of national security.
Li Keshun, deputy director of the Jiangsu Provincial Big Data Transaction and Circulation Engineering Laboratory, said these companies, as leading platforms in the fields of daily travel, online freight transportation and job hunting, hold at least 80 percent of the in-depth data in their respective industries.
"Such data can directly or indirectly reflect flows of population, commercial goods, business operations and other key information in many regions across China," Li said.
In the prospectus for its initial public offering, or IPO, Didi said it has 493 million active riders annually and processes 41 million daily transactions on average.
In 2017, a Didi unit obtained a license to carry out high-definition mapping for autonomous driving technologies in China, which can be closely related to national geographic information security.
Full Truck Alliance's two truck-hailing platforms carry crucial data related to logistics and expressways, as their services are available in more than 300 cities nationwide. According to the company, it is now the largest highway logistics internet information platform in China.
Boss Zhipin boasts 30.6 million active users a month on its online employment platform and served more than 6.3 million certified companies as of March, according to its IPO prospectus.
Didi, Full Truck Alliance and Kanzhun, which operates Boss Zhipin, debuted on US bourses last month.
Li Tianhang, senior partner at Hui Ye Law Firm in Shanghai, said that as a company mainly operating in China, all Didi's data are stored locally. However, overseas listings will inevitably involve the cross-border flow of data.
In March, the US securities regulator began introducing rules to exclude foreign companies from US stock exchanges if they did not comply with US auditing standards.
The move fueled concerns that US regulators would potentially gain increased access to the audit documents of US-listed Chinese companies.
Li said the regulatory requirements are bound to affect such companies and they also trigger concerns about whether data from these businesses' China operations can be "exported" to other nations.
To prevent increased security risks, the Cyberspace Security Review Office said that during investigation periods apps run by Didi, Full Truck Alliance and Kanzhun must halt the registration of new users. It also ordered app stores to remove Didi from their platforms for its illegal collection and use of users' personal information.
The companies said in separate statements that they would cooperate with the investigations and conduct comprehensive screening of security risks.
On Tuesday, the State Council, China's Cabinet, said in a statement that the nation would step up supervision of Chinese companies listed offshore, including improving the regulation of cross-border data flows and security.
Zuo Xiaodong, vice-president of the China Information Security Research Institute, who once helped draft cybersecurity regulations, said the moves show that the nation attaches great importance to such issues.
When security risks or potential problems are found, action will be taken promptly, as cybersecurity involves national security, Zuo added.
The actions already taken could mark the start of a new round of strengthened regulatory scrutiny of Chinese internet companies.
China's Data Security Law, which was passed last month, is due to take effect in September. Hefty penalties will be imposed for serious violations, including business suspension and revocation of business licenses.
In addition, a draft law on the protection of personal information is being deliberated.
Zhao Zhanling, a lawyer at Beijing Yunjia Law Firm, said data-related investigations may be conducted regularly in future as the country pays greater attention to cybersecurity. Companies should no longer just talk about data security, but take action in their daily corporate operations, Zhao added.
Xiang Ligang, director-general of the Information Consumption Alliance, a technology industry association, said: "These moves send a clear signal that data security will come under increased scrutiny as China places its sprawling digital economy in an improved legal framework to pursue high-quality development."
Rory Green, China economist at investment research provider TS Lombard, wrote in a research note: "The battle for data sovereignty is beginning … It is increasingly clear that governments around the world have recognized the importance of data and the need to regulate the utility-like private firms that control its production and flow."
Experts said that in an increasingly stricter regulatory environment, technology companies need to take cybersecurity and data protection seriously and give them top priority.
Several lawyers said that although many companies often talked about cybersecurity, few devoted sufficient resources to introducing stringent data protection measures. The back-to-back investigations of companies, including Didi, serve as a wake-up call that a new era of cybersecurity regulation is on the way, in tandem with the growing amount of data in people's work and daily lives.
Ma Jihua, a veteran independent technology analyst, said data security is not just about technology companies. It is also becoming increasingly relevant to companies in traditional sectors, as the real economy becomes intertwined with the digital economy, and as more industrial, manufacturing and medical data go online.
Toughened regulation of data security will also affect companies' core business models.
Ma said the challenges concerning data security, privacy, ownership and use pose a bigger question, as internet and technology companies rely heavily on monetization of data for revenue.
The Schall Law Firm, a US shareholder rights litigation firm, said in a statement that on behalf of Didi investors it is investigating claims of securities legislation violations. The investigation focuses on whether Didi issued false and/or misleading statements and/or failed to disclose information pertinent to investors.
Song, from Jincheng Tongda & Neal (Shanghai), said: "From now on, all companies need to evaluate their data assets to see whether they have such large volumes of data, or if their data concern national security. This is a prerequisite for companies to draft their development strategies."