What is China’s ‘battle for data’ and who will be targeted next?

Chinese business & finance updates

Sign up to myFT Daily Digest to be the first to know about Chinese business & finance news.

The shockwaves that have wiped billions of dollars off Chinese shares in recent days are part of a regulatory assault that is expected to extend beyond tech to all private-sector areas of business in the country.

What initially started in November with the suspension of the $37bn initial public offering of billionaire Jack Ma’s fintech, Ant Group, has broadened this month into an investigation into data security at ride-hailing app Didi Chuxing and devastating restrictions on the tutoring industry.

Experts and companies warn that the turbulence shows no signs of easing as the Chinese government rolls out a sweeping new legal framework for how businesses collect and use data.

“We are telling our clients, you’re looking at two to three years of extreme uncertainty,” said Kendra Schaefer, tech analyst at Beijing-based consultancy Trivium.

What are the new laws?

Chinese companies — and potentially anyone doing business in China or trading with the world’s second-biggest economy — face a string of laws on data.

The best understood is the Cybersecurity Law, which came into force in 2017, covering network and equipment security. It has a review process for establishing which companies are handling so-called “critical information infrastructure”, or data that is viewed as potentially damaging to Chinese security or posing a risk to the country’s citizens.

In September, China will introduce a new Data Security Law. This will help regulators define which data can be transferred outside of China without the state’s approval and what is prohibited.

By early next year, the Chinese government is expected to also release a Personal Information Protection Law, similar to Europe’s General Data Protection Regulation. The law is expected to have far-reaching implications for China’s huge digital economy, including establishing processes for data audits of apps such as Didi.

Ernan Cui, a China consumer analyst with Gavekal Dragonomics, said behind Beijing’s waves of regulatory action were essentially a “battle for control over data” between the government and the private sector.

What are the key grey areas?

Trivium’s Schafer said it was unclear whether Beijing planned to publicise which companies had been designated as operators of critical information infrastructure and therefore would be subject to stricter oversight.

“That’s the big issue . . . companies just don’t know yet,” she said. “What was actually quite notable about the CAC [Cyberspace Administration of China, the internet regulator] coming after Didi was that’s how we found out they are ‘critical infrastructure’.”

On cross-border data transfers, the CAC has said that any data requested by foreign authorities will need Chinese approval.

“It’s not just about tech companies. It’s about every company that sends anything out of China,” Schafer said.

While few foreign companies provided critical information infrastructure — such as telecoms networks — many foreign groups would be ensnared because they sold services and products to Chinese clients, said Andrew Gilholm, head of China analysis at Control Risks, a consultancy.

“[Chinese] companies are being asked: ‘Who are your foreign providers?’, or ‘Where do you depend in your supply chain on foreign entities?’,” he said.

Who will the regulators target next?

Analysts expect Beijing will slowly move from sector to sector, region by region, deciding what data is sensitive and therefore needs approvals to leave the country.

One pharmaceutical company based in China’s Jiangsu province said it had already become subject to unpredictable CAC reviews on its transfer of data to its research and development lab in the US.

“Officials have suggested that it is better to relocate our lab back in China as the regulations are likely to become tighter,” a representative said, asking not to be identified for security reasons.

Sam Radwan, principal at Enhance International, a consultancy that advises Chinese companies, said industries such as insurance and healthcare should expect oversight to intensify because they were involved in mass data collection programmes.

Car insurance companies, for example, have been running extensive trials in China that digitally track drivers’ behaviours and locations. Telemedicine, likewise, has boomed in China. Such sectors have been collecting data that is “richer” and “even more sensitive” than Didi’s, Radwan noted.

The China branches of foreign companies should also prepare for a “tussle” with regulators over sending basic corporate information out of China, analysts warned.

“Let’s say you’re a Japanese company contracted to a big Chinese company to build a new subway in Chongqing, and you have some data related to the project which you transfer to Tokyo — these are the kind of things where companies have worrying grey areas because it is a normal part of business,” Gilholm, the China risk analyst, said.

Complicating the outlook further are questions over which regulatory agencies will control the new data management regime.

“Turf wars are a natural outgrowth of new regulatory processes,” Schafer added.

Additional reporting by Nicolle Liu in Hong Kong