Closed lock in the hand against China flag showing data security law on tech giants

New Data Security Law in China Makes Government Power Over Tech Giants Absolute

A series of moves by the Chinese government to assert dominance over the country’s native tech giants has seemingly culminated with a new data security law that can put them out of business for “mishandling core state data.”

The new law routes all decisions involving the security of this data through government national security officials. Violators can be hit with massive fines, have their operating licenses revoked or even be permanently forced out of business.

Data security law expands China’s crackdown on tech giants

The new data security law is aimed more at China’s homegrown tech giants (Alibaba, ByteDance, Tencent) than it is at foreign companies that operate there, but it nevertheless creates onerous compliance issues for the Silicon Valley firms eager to take advantage of its domestic market.

The data security law broadly defines “core state data,” apparently leaving plenty of wiggle room to label just about any personal or business information it cares to in this way. This formally paves the way for the government to order a violating business to cease operations entirely, have its licenses temporarily suspended, or pay a fine of up to 10 million yuan (about $1.6 million).

The new law has an emphasis on data flowing out of the country. It specifies that companies providing information to foreign law enforcement agencies without government permission face additional fines of up to five million yuan. These companies may also be held legally liable if the government finds that this data was used to “harm national security” in some way.

The intent toward China’s homegrown tech giants is clear, as the Xi administration has been unambiguous in its position toward these companies over the past year; they are expected to fall in line and defer to the Chinese Communist Party, as Beijing centers itself as one of the world’s biggest players in the international data market. However, the law creates further confusion for any foreign tech company operating in China. Foreign firms want access to China’s lucrative and still-growing market, but often find themselves caught between Beijing’s demands and the data privacy laws (not to mention general social expectations) of their home country.

China’s information sector is one of the fastest-growing aspects of its economy, with the country projected to store about 1/3 of the world’s data by 2025. The government wants this market under central control, and to keep popular internet platforms like Alibaba from using it to cultivate an independent power base. Much of this crusade has been conducted under the auspices of antitrust investigations, with the Chinese tech giants accused of anticompetitive practices and market dominance by the government. Earlier this year, the government quickly cobbled together new antitrust laws that were clearly aimed at the tech giants. This led to $2.8 billion in fines on Alibaba as well as much smaller fines to many of the other tech companies accompanied by warnings to get in line or suffer a similar fate.

Requirements on storage and transfer of personal data

Due to national security concerns and backlash from the general public, most foreign firms operating in China have already sequestered the user data of the country’s residents off from the rest of the world. The Chinese government has formalized this policy via the data security law by requiring any personal data collected from its citizens to be stored on servers in the country, making those servers subject to essentially unfettered government access under the existing national intelligence laws. Some of China’s own tech giants are responding to the new national security laws by attempting to parcel out certain services that have large foreign followings and sell them outside of the country, as was seen when ByteDance considered offers for TikTok as the Trump administration threatened to ban the app from the United States.

The data security law may also be part of a set of maneuvers to counter foreign sanctions against the country. The stipulation about companies not providing information to foreign law enforcement may be aimed at threatening them into refusing to cooperate with investigations that could lead to sanctions or asset seizure; cooperate with foreign agencies, and your business arm in China will be shut down. The Trump administration was active in sanctioning Chinese government officials and businesses linked to the country’s military in response to the crackdowns on the Hong Kong protests and the treatment of Uyghur Muslim minorities. The Biden administration thus far appears to be continuing with this pattern of sanctions.

New Chinese law routes all decisions involving data #security through government officials. Violators can be hit with massive fines, have their operating licenses revoked or even be permanently forced out of business. #respectdataClick to Tweet

In addition to requiring that personal information of Chinese citizens and critical data be stored on servers within the country, the new data security law lays out new terms for international data transfers. These broad categories of protected data can only be transferred to other nations when there is an “essential business need,” and compliance requirements are laid out which include security assessments conducted by government officials. All of the personal information protection laws also apply to big tech firms in Hong Kong and Macau along with the mainland.


Senior Correspondent at CPO Magazine