China’s New Power Play: More Control of Tech Companies’ Troves of Data
Shortly after rising to power in late 2012, Xi Jinping made his first company visit in his new job as China’s Communist Party chief, to Tencent Holdings Ltd. There, he raised a topic that has become both an opportunity and a challenge for his rule: the vast troves of personal data being gathered by the country’s technology companies.
Mr. Xi complimented Tencent’s founder, Pony Ma, on the way the company was accumulating information from millions of users, and harnessing that data to drive innovation. He also suggested that data would be useful to Beijing.
“You have the most sufficient data, then you can make the most objective and accurate analysis,” he told Mr. Ma, according to state media accounts. “The suggestions to the government in this regard are very valuable.”
More than eight years later, those suggestions are becoming demands. The government is now calling on big tech companies like Tencent, online retailing giant Alibaba Group Holding Ltd. and TikTok owner ByteDance Ltd. to open up the data they collect from social media, e-commerce and other businesses, according to official documents and interviews with people involved in policy-making.
The complex new web of laws and regulations around sharing digital records is being driven by the huge growth in data held by China’s tech giants—and a belief that the government should be able to access it. The efforts are also part of Mr. Xi’s quest to rein in the increasingly powerful tech sector, which has pushed back on some of Beijing’s previous data-sharing efforts. The most recent law, passed Thursday, will make it harder for companies to resist such requests.
China’s leaders worry that the country’s tech giants could be using their extensive personal and corporate digital records to build alternative power centers in the one-party state. That concern led Mr. Xi to halt a planned initial public offering by Jack Ma’s financial-technology behemoth Ant Group Co. late last year.
Chinese government entities involved in the effort to regulate data, including the State Council and the Cyberspace Administration of China, didn’t respond to requests for comment.
Beijing is also intensifying the pressure on foreign firms operating in China to keep records gathered from local customers inside the country, so the government has more authority over the records. Western companies have long complained such “data-localization” requirements could stifle innovation in their global operations or enable Chinese authorities to steal their proprietary information.
U.S. electric-car maker Tesla Inc. pledged in late May to build more data centers in China and to keep information generated by the vehicles it sells there within Chinese borders. In a statement posted on Chinese social media, Tesla said it was “honored” to participate in an industry discussion on the matter.
Tesla didn’t respond to requests for comment.
China’s motives
Many countries are wrestling with how to regulate digital records. Some economies, including in Europe, emphasize the need for data privacy, while others, such as China and Russia, put greater focus on government control. The U.S. currently doesn’t have a single federal-level law on data protection or security; instead, the Federal Trade Commission is broadly empowered to protect consumers from unfair or deceptive data practices.
Behind China’s moves is a growing sense among leaders that data accumulated by the private sector should in essence be considered a national asset, which can be tapped or restricted according to the state’s needs, according to the people involved in policy-making.
Those needs include managing financial risks, tracking virus outbreaks, supporting state economic priorities or conducting surveillance of criminals and political opponents.
Officials also worry companies could share data with foreign business partners, undermining national security.
Beijing’s latest economic blueprint for the next five years, released in March, emphasized the need to strengthen government sway over private firms’ data—the first time a five-year plan has done so.
A key element of Beijing’s push is a pair of laws, one passed on Thursday and the other a proposal updated by China’s legislature in April. Together, they will subject almost all data-related activities to government oversight, including their collection, storage, use and transmission. The legislation builds on the 2017 Cybersecurity Law that started tightening control of data flows.
The new Data Security Law, which will take effect on Sept. 1, includes a goal of classifying private-sector data according to its importance to state interests. The vaguely worded clause, analysts and legal experts say, gives authorities considerably more leeway to control data deemed essential to the state, while making it harder for businesses, both Chinese and foreign, to say no.
The law will “clearly implement a more stringent management system for data related to national security, the lifeline of the national economy, people’s livelihood and major public interests,” said a spokesman for the National People’s Congress, the legislature.
The proposed Personal Information Protection Law, modeled on the European Union’s data-protection regulation, seeks to limit the types of data that private-sector firms can collect. Unlike the EU rules, the Chinese version lacks restrictions on government entities when it comes to gathering information on people’s call logs, contact lists, location and other data.
“Less invasive private-sector data collection anywhere is a good thing,” says analyst Ryan Fedasiuk at Georgetown University’s Center for Security and Emerging Technology. “But China’s push for data privacy strikes me as yet another move to strengthen the role of the government and the party vis-à-vis tech companies.”
Authorities are taking action even before the laws take effect, as part of the tech clampdown.
In late May, citing concerns over user privacy, the Cyberspace Administration of China singled out 105 apps—including ByteDance’s video-sharing service Douyin and Microsoft Corp.’s Bing search engine and LinkedIn service—for excessively collecting and illegally accessing users’ personal information. The government gave the companies named 15 days to fix the problems or face legal consequences.
Bytedance, Microsoft and LinkedIn didn’t respond to requests for comment. It’s unclear how the companies responded to the government’s request.
Two weeks earlier, the government ordered 13 firms, including the financial arms of food-delivery giant Meituan, ride-sharing provider Didi Chuxing Technology Co. and e-commerce firm JD.com Inc., to adhere to tighter regulation of their data and lending practices.
Meituan, Didi and JD.com all said they had agreed to rectify their business practices as required.
Foreign firms
Beijing’s pressure on foreign firms to fall in line picked up with the 2017 Cybersecurity Law, which included a provision calling for companies to store their data on Chinese soil. That requirement, at least initially, was largely limited to companies deemed “critical infrastructure providers,” a loosely defined category that has included foreign banks and tech firms.
In private meetings with American firms, Chinese officials have dismissed concerns that the rule could allow China to take proprietary information, while saying the data needs to be stored in China for security and regulatory purposes, according to people familiar with the discussions.
To comply with tough Chinese cybersecurity rules, Apple Inc. in 2017 pledged to store all cloud data for its customers there with a government-owned company. It has built a data center in China for customers of its iCloud service, for data including photos, documents, messages, apps and videos uploaded by Apple users throughout the mainland. Apple declined to comment.
Since last year, Chinese regulators have formally made the data-localization requirement a prerequisite for foreign financial institutions trying to get a foothold in China. Citigroup Inc. and BlackRock Inc. are among the U.S. firms that have so far agreed to the rule and won licenses to start wholly-owned businesses in China.
Citigroup and BlackRock declined to comment.
The data-security laws promise to broaden the requirement to include more types of foreign companies. Regulators are also rolling out sector-specific rules to strengthen control over data considered important to state interests.
Tesla’s Gigafactory in Shanghai has sparked some new rules. China’s leadership greenlighted the U.S. car maker’s plan to set up the wholly-owned production facility in 2018.
Senior officials have publicly likened Tesla to a “catfish” rather than a “shark,” saying the company could uplift the auto sector the way working with Apple and Motorola Mobility LLC helped elevate China’s smartphone and telecommunications industries.
To ensure Tesla doesn’t become a security risk, China’s Cyberspace Administration recently issued a draft rule that would forbid electric-car makers from transferring outside China any information collected from users on China’s roads and highways. It also restricted the use of Tesla cars by military personnel and staff of some state-owned companies amid concerns that the vehicles’ cameras could send information about government facilities to the U.S.
In late May, Tesla confirmed it had set up a data center in China and would domestically store data from cars it sold in the country. It said it joined other Chinese companies, including Alibaba and Baidu Inc., in the discussion of the draft rules arranged by the CyberSecurity Association of China, which reports to the Cyberspace Administration.
Lawyers and analysts say China’s rules could ultimately serve many purposes, including slowing foreign companies’ technological progress. An inability to send certain data back to the U.S. could hurt Tesla’s ability to use artificial intelligence algorithms to analyze such data to improve its cars.
“It’s reducing a proprietary advantage companies like Tesla have,” says Lester Ross, a Beijing-based lawyer at WilmerHale, who advises American firms operating in China.
Internal debate
In the past, the government often demanded data from private firms, and could sometimes enforce its wishes, especially for hunting down criminal suspects and silencing dissent. Chinese companies have pushed back on previous proposals to open up and centralize their statistics, such as those on customers’ borrowing habits and payment histories.
Over the years, senior officials including Premier Li Keqiang have sometimes argued for giving the private sector more autonomy in collecting and handling user data, people familiar with Beijing’s internal deliberations say. The idea was to encourage firms to keep innovating and to accommodate their growth, including overseas.
On the other side are officials from China’s security apparatus and financial regulatory agencies, who thought tech firms were becoming too big and not doing enough to support state objectives. Resisting requests to share more data, China’s tech giants cited a lack of relevant regulations.
Increasingly, China’s president, Mr. Xi, leaned toward voices advocating greater digital control. He now labels big data as another essential element of China’s economy, on par with land, labor and capital.
“Whoever controls data will have the initiative,” he has said in private meetings, according to the people familiar with internal discussions.
The government grew more aggressive after a now-infamous speech by tech billionaire Jack Ma last October, in which he angered regulators by criticizing them for smothering innovation. Mr. Xi halted the IPO of Ant Group, in which Mr. Ma is the controlling shareholder, soon after.
Chinese regulators believe Ant and other financial-technology players, including Tencent, have monopolized user data to get unfair advantages over banking institutions, while also making it harder for the state to monitor credit risk.
Ant built its own credit-risk system as it expanded into consumer lending, in part using spending and bill-paying data from its Alipay app, used by more than one billion consumers. Ant wound up with a sizable position in China’s financial sector, traditionally dominated by China’s state-owned banks. It works with banks to fund the loans, but hasn’t had to bear much of the default risk.
New regulations proposed late last year by the central bank and China’s top banking regulator are calling on firms like Ant and Tencent to transmit credit statistics into either a centralized system run by the central bank or a credit-rating agency controlled by the government.
“From the point of view of the state, anti-data monopoly must be strengthened,” said Li Lihui, a former president of state-owned Bank of China Ltd. and now a member of China’s legislature. He said he expects China to establish a “centralized and unified public database” to underpin its digital economy.
Ant and Tencent declined to comment. During the company’s earnings call in March, Tencent’s president, Martin Lau, said, “We’ll be completely compliant with whatever regulations that will become in place.”
Another initiative under way involves some Chinese cities testing so-called unified data centers for private-sector firms to share data with authorities.
Shenzhen, where Tencent is based, is planning to build one that would centralize the storage, sharing and supervision of data collected by government entities as well as companies in finance, education, telecommunications and other areas.
The city hasn’t provided detailed information on its plans for using the information, which it broadly defines as “public data.” A Shenzhen official confirmed the initiative but declined to comment further.
“Public data is a new type of state-owned asset, and its data rights belong to the state,” said a draft regulation released by Shenzhen’s government last year.