China's cybersecurity laws emerge as a new force in clampdown on tech giants

China's most recent crackdown on the tech sector has come as a shock to many observers, not just for the scope of the actions regulators appear to be taking to clip the wings of a number of Internet high-fliers, but also for the surprise emergence of the Cyberspace Administration as a major player in the government campaign.

Campaigns targeting mobile apps that harvest the data of the country’s almost 1 billion Internet users aren't new and date back as far as January 2019. Authorities have repeatedly driven home the message that cybersecurity and data security can be as important as national security, and in fact often involve national security.

As a result, enforcement actions aren't unheard of. But people were still shocked by the recent announcements by the Cyberspace Administration targeting four apps — Didi, Yunmanman, Huochebang and Boss Zhipin.

While the apps may well have legitimate cybersecurity and data-processing problems, what stood out was the timing of the government's announcements — two days after Didi’s US IPO. Moreover, the deviation in style from the regulator’s normal enforcement behavior, with a very public stance, suggests there might be something more going on.

The high-profile action by the Internet regulator sent a message that China’s targeted crackdown on tech companies, which started late last year, is far from over. As a new force on the scene, the Cyberspace Administration could create far more uncertainty for businesses than antitrust enforcement, which has up to now been in the spotlight.

Enforcement in cybersecurity and data protection in China has been focused less on individual cases with jaw-dropping fines and more on sweeping campaign-style action that requires companies to continually examine their compliance.

After introducing new rules in May targeting personal-data collection by apps, the Cyberspace Administration reprimanded 351 apps over malpractices in the handling of personal data. These apps included big names such as Tencent, ByteDance, Kuaishou and Baidu. But unlike the stock-price plunge Didi suffered this week, previous announcements didn't spook their investors,.

In the past, the regulator never explicitly ordered an app to be removed. Its usual practice was to summon company executives for a meeting and order them to correct their wrongdoing. Occasionally, the regulator ordered the shutdown for a particular function, such as commenting, on the app for a limited period of time.

The most high-profile enforcement action in the past was when the Cyberspace Administration was involved in ordering the hotel chain Marriott to shut down its Chinese website, its Chinese app and its global app for a week after it was alleged to have violated the Cybersecurity Law by listing Taiwan as a country, a highly sensitive political offense.

China’s relatively young cybersecurity regime is still taking shape. Multiple regulators across industries and other areas currently wield extensive power to regulate the data-processing activities of businesses.

The Cybersecurity Law came into effect in June 2017. A new Data Security Law will take effect next year. Another Personal Information Protection Law is expected to go through later this year.

What’s the penalty?

When Alibaba was fined $2.8 billion in April for anticompetitive behavior, its stock price jumped, with investors noting that the penalty was only a tiny fraction of the company’s value.

But the consequence for Didi and the other apps in this latest crackdown could be graver than a slap-on-the-wrist fine.

The cybersecurity reviews which Didi is now facing are based on measures that were rolled out amid high tensions in the trade war between the US and China in 2019, aiming to protect important Chinese networks from vulnerabilities caused by foreign suppliers that are subject to US sanctions.

Companies that fail to comply with the procedure can be fined as much as ten times the value of the products purchased. Employees directly involved face a maximum fine of 100,000 yuan ($15,000).

But costs can far exceed a fine when new-user registration is suspended, as is the case for the four apps in this latest crackdown. A review can last up to 125 working days, with potential extensions, counting from the time when a company files for a review.

Didi has already warned shareholders that its China revenue was likely to take a hit. Yesterday, Chinese media reported that Tencent and Alibaba have removed in-app access to Didi on their own apps, a main portal for Didi users.

Broader US-China relations

The fact that all three companies behind the apps were recently listed in the US undoubtedly will put on hold any US listing plans that are underway for Chinese companies. It also reinforces concerns that the current regulatory environment in China is being influenced by the possibility that the US and China are heading toward an economic decoupling.

The US in late 2020 adopted a new law to stop the long-term practice that allowed listed Chinese companies to withhold audit papers for the US regulators to inspect. Chairman Yi Huiman of the China Securities Regulatory Commission said in March that the Chinese side had been seeking collaboration with the US in regulating listed Chinese companies but had not received positive feedback.

On Wednesday, the government rolled out opinions to tighten the regulation of Chinese companies seeking foreign listings and to step up cross-border enforcement collaboration in data security, cross-border data flows and confidential management information.

It’s reportedly considering requiring Chinese approval before foreign listings can go forward.

Discouraging Chinese companies from listing on US exchanges could be a way to avoid Chinese businesses, some with massive troves of domestic data, from becoming targets of exploitation if political relations between the two countries go sour.

The Didi news came just one day after the Chinese Communist Party celebrated its 100th anniversary on July 1. With its demonstrated military, economic and political power, the party seems not to be shying away from a decoupling from the US. In fact, it may be deliberately flexing its muscles.

In June, China promulgated a Law on Countering Foreign Sanctions, an important tool to hit back at foreign sanctions and just another example of the continuing antagonism between the US and China.