Opinion: Data Security Becomes a Core Issue for Doing Business in China
By Edward Tse
Originally published by Caixin Global on November 3, 2021.
As many people know, China is now a major digital economy. By the end of 2020, almost a billion people had access to the internet in China. WeChat, China’s largest social media platform, surpassed 1.2 billion monthly active users in 2020, and Douyin, the Chinese twin of TikTok, now has over 600 million daily active users.
Meanwhile, over 700 million monthly users now visit e-commerce platform Pinduoduo. Alibaba-affiliated Alipay and Tencent’s WeChat Pay — the domestic e-payments giants that pioneered new payment technologies using QR codes — currently process about 95% of the digital payments market in China.
Data is being generated in China at a whirlwind pace. According to the China Academy of Information and Communications Technology, the total amount of data generated in the country went up from 2.3 zettabytes in 2017 to 3.9 zettabytes in 2019, and it is continuing to grow.
Back in 2015, Jack Ma, co-founder and then-executive chairman of Alibaba proclaimed: “We are entering a new energy era. In this era, the core resource is no longer oil, but data.” Since the wireless internet was first introduced in China, entrepreneurs have been quick to leverage it to build business models that rest on the gathering and usage of data. To this end, quite a number of successful tech platforms have emerged. Some like Alibaba Group Holding Ltd., Tencent Holding Ltd. and Bytedance Inc. have made it to the big league on a global basis.
These companies typically build their business models on a number of pillars enabled by data. The first is their ubiquity in connecting to their users through vast amounts of data. Apps such as the ones mentioned above have very large numbers of frequent users. Second is their ability to focus on each user on the data set on a “segment-of-one” basis using their algorithms. Many of these companies were able to expand very fast mainly because China didn’t have many regulations on data gathering and usage. The ingenuity of the entrepreneurs coupled with the prevalence of pain points in Chinese society allowed many of these companies to grow. Some of them were able to become “exponential organizations.”
Over time, issues related to data security began to surface in several areas. One typical question regulators and companies are asking is related to the ownership of the data. Usually, there are multiple stakeholders involved in the data value cycle, all of which might attempt to claim ownership of the data because, for instance, they created or generated data, or because they use, compile, select, structure, re-format, enrich, analyze, purchase, or add value to the data.
The second is data privacy. Keeping private data and sensitive information safe is paramount. But it is difficult to identify what data is considered private, what data can be shared and what data cannot be shared. And the third is data monopoly. Internet companies possess the personal data of millions of users, but to what extent they can actually manipulate the data by using sophisticated algorithms for their benefit is still a grey area.
Along the way, several events have exemplified the severity of these issues. In August 2020, the China Banking and Insurance Regulatory Commission (CBIRC) fined two of the country’s biggest state-owned banks, China Merchants Bank Co. Ltd. and Bank of Communications Co. Ltd., for failing to protect the personal data of their credit card customers. In order to prevent risks regarding national data security, China’s internet regulator has also ordered Didi Chuxing Technology Co. Ltd., a leading ride-hailing company in China, to stop signing up new users. Didi’s apps were forced off major app stores for two days after its IPO in July 2021. With China’s continuing cybersecurity reviews, rules for overseas listings have been tightened, and companies like the ones behind Keep, a Chinese sports-oriented social platform, and Ximalaya FM, the largest podcast platform in China, have recently canceled plans for U.S. IPOs.
Three major pieces of legislation in China have set the cornerstones for addressing issues related to data security. In June 2017, China implemented the Cybersecurity Law (CSL), which acts as the baseline for maintaining network security. The law requires that data be stored within China and that organizations and network operators submit to government-conducted security checks. In order to further protect national data security and the public interest, the Data Security Law (DSL), which took effect on Sept. 1, requires all companies in China to classify the data they handle into different categories and prescribes how such data is to be stored and transferred to other parties. On Aug. 20, China also passed the Personal Information Protection Law (PIPL), which took effect on Nov. 1. This new law imposes restraints on data collection and the transfer of personal information, and has an extraterritorial effect for companies both inside and outside of China. Once effective, the PIPL will work together with the CSL and the DSL to establish a broader regulatory architecture governing cybersecurity and data privacy protection in China.
Against this backdrop, companies are concerned about a number of key questions. Foreign-owned multinational corporations (MNC) are concerned about how to manage data across different regions, both in their home countries and in China, as well as cross-border data transfers, in compliance with the new data laws. For domestic companies planning to list overseas, strategic plans need to be put in place to comply with data security regulations. Both need to figure out how to use data to generate competitive advantages while staying away from the “red lines.”
These regulations are driving MNCs to set up research and development or innovation centers at their headquarters, increasingly in China. For MNCs, the way to operate in China has evolved quite a bit, particularly since global geopolitics started to undergo a significant shift. Data security has become a key issue that they are often not well prepared for. China has become not only a market or supply chain hub, but also a source of knowledge and inspiration because of intensive innovation. A key enabler of this is the increasing divergence in the speed, intensity and degree of sophistication of the digital infrastructure that China is building compared with other parts of the world.
Looking from a strategic standpoint, what could happen in the next few years? The big questions are where the data should be stored and secured, and where and with whom can they be shared with for the benefit of the company? Where do you draw the line? The DSL and PIPL will change how companies think about running a business in China. A lot of changes for management systems and processes as well as organizational structure will likely take place.
Looking forward, humanity expects to be even more connected. At the same time, local requirements for data sovereignty will also come to the fore. Business models will become more complicated. Those who can figure out the new game faster and better than others will likely generate new sources of competitive advantages along the way. These realities are challenging the minds of corporate executives and strategists the world over.