This article was originally published by Radio Free Asia and is reprinted with permission.
A new law passed this week by China’s National People’s Congress (NPC) will give the ruling Chinese Communist Party (CCP) the power to shut down companies in possession of user data deemed important or critical by officials.
China’s Data Security Law, passed June 14, gives the government a far greater degree of control over user data held by both state organizations and private companies, including foreign companies.
The law, which takes effect from Sept. 1, says user data will be classified into “core state” data — pertaining to government operations and the “public interest” — and “important data.”
But it gave no precise definition for those terms, suggesting that officials and law enforcement agencies will have broad powers to interpret the law’s measures as they see fit.
Companies or organizations that send “important data” overseas will face fines of 100,000 to 10 million yuan, and could have their business licenses revoked.
“Core state” data covers any data collected for “public purposes,” even if it is a private company doing the collecting.
The move will enable Chinese officials to control more closely user data in the hands of private technology companies, which are currently facing a slew of investigations and regulatory measures aimed at reining in their growing power: much of which stems from their vast banks of user data.
The law bars any company operating inside China from providing data stored in China to overseas agencies without government approval, potentially creating a huge barrier for foreign companies with branches in China.
New regulatory moves
Emily de La Bruyere, a senior researcher at the Washington-based Foundation for the Defense of Democracies, said the law is the latest in a slew of regulatory moves aimed at controlling data.
“What it does, to my mind … is it creates a legal architecture for Chinese state control over data,” La Bruyere said. “[It] creates … a legal basis according to which the Chinese government can claim and claim oversight over private companies’ data.”
“It has a section in it that refers specifically to data localization and export regulations that says that data transfer has to be done in accordance with those,” she said.
“That … gives the framework for Beijing to control what it sees as the critical resource for the next generation.”
In practice, the CCP has regarded information about its energy security, transportation networks, financial intelligence, telecommunications, and other key parts of the economy as “critical information.”
The data security law comes after U.S.-based electric carmaker Tesla announced it would move Chinese user data to a new center in China. The company will expand its network of data centers and store all data generated by the cars it sells in China within the country’s borders, according to Reuters.
Analysts told RFA that the move would normalize demands on foreign investors that they hand over core technology and data to the CCP as the price of doing business in China.
Data localization for foreign companies operating in China was first laid down in the 2017 cybersecurity law as a prerequisite for permission to do business.
U.S. tech giant Apple promised to relocate all of its Chinese customers’ cloud service data to China in the same year. That data is now stored at a data center in China, owned by a state-owned company.
Growth in surveillance
Daniel Gonzales, a senior researcher at the Rand Corporation, says the data security law shows how valuable user data is to the CCP under Xi Jinping, who has presided over an unprecedented growth in technological mass surveillance of Chinese citizens.
“The data that the technology companies have, the Chinese government has realized it’s very valuable for government control purposes, for surveillance purposes,” Gonzales said. “And so … they put in place this new law to provide them access to this information.”
“Unfortunately, it’s a reduction in the privacy of Chinese citizens … it will undoubtedly increase the level of control over … surveillance in China, by the government,” he said.
The Wall Street Journal quoted a government source as saying that the law represents a move away from a tendency to outsource data collection to the private sector in recent years, to encourage innovation.
That approach is now being overridden by fears over the power wielded by big technology companies, the paper said.