How Will New Data Security Rules Reshape China’s Internet Industry?

A planned Hong Kong share sale by SenseTime Group Inc. is attracting close attention from investors looking for clues as to how Beijing’s new rules on cybersecurity will affect overseas listings by artificial intelligence companies and other data-intensive businesses.

An initial public offering (IPO) by SenseTime, China’s largest artificial intelligence (AI) company, won clearance at a Nov. 19 hearing of the Hong Kong Stock Exchange (HKEX). That was five days after Beijing issued new draft rules that share sales outside the Chinese mainland are subject to heightened scrutiny on exporting data that could affect national security.

It was also well before the broadened requirements might go into effect. An analyst at a major brokerage told Caixin that SenseTime was “decisive” in timing its IPO ahead of the proposed new rules.

In an updated prospectus, SenseTime said it was not required to undergo a cybersecurity review and was not involved in any investigation. The company’s products help governments and companies build up digital management operating systems such as smart cities.

Review Scope Expanded

China’s cyberspace watchdog issued the draft rules for public comment until Dec. 13. If enacted, the rules could create new headwinds for data-rich businesses that pivoted their capital-raising plans from the U.S. to Hong Kong after Chinese ride-hailing giant Didi Global Inc. was hit by a cybersecurity probe following its New York listing in July. Didi was forced to remove its app from domestic app stores.

Data, the foundation of the internet industry, has become China’s top regulatory focus. The country has generated a raft of giant platforms such as Tencent, Alibaba, ByteDance and a large number of unicorn companies amid rapid growth over the past two decades. The internet giants thrive on China’s 1 billion netizens, more than 70% of the country’s population. They have come to profoundly affect people’s social lives, travel, entertainment, shopping and other aspects of daily life by collecting massive amounts of data and actively mining it for more value, creating a huge and ever-growing digital economy.

Government officials have criticized the industry for paying more attention to data collection than protection, engaging in practices that invade users’ privacy, leveraging market dominance to force consumers to pick sides, restricting the flow of data and enabling hidden transactions involving data.

At a conference Nov. 20, Chinese Vice Premier Liu He emphasized that data is becoming a key factor in production and called for speeding up construction of a new governance model on data that combines government supervision with industry self-discipline.

After Didi’s share sale in the U.S., the Cyberspace Administration of China (CAC) released a draft revision in July to the Measures for Cybersecurity Review, which would require that any Chinese company holding the personal information of 1 million or more users would have to seek a government cybersecurity review before listing abroad. The changes would block almost all Chinese unicorn internet companies from U.S. share sales and force them to raise capital in Hong Kong to avoid potential reviews.

Several data-rich Chinese companies have since scrapped U.S. flotation plans and filed for IPOs in Hong Kong or considered doing so, such as social network Soul, podcast and audio app operator Ximalaya Inc. and social media and e-commerce app Xiaohongshu. All have users far exceeding the 1 million threshold.

The new draft rules issued earlier this month would expand the scope of cybersecurity reviews to companies seeking to raise funds in Hong Kong that deal with data important to national security. The draft law is short on details. It doesn’t, for example, elaborate on what constitutes a national security concern.

The HKEX asked Chinese mainland companies in their IPO hearings whether the new cybersecurity review rules apply to them, including noninternet companies, Caixin learned from several lawyers working on Hong Kong IPOs. As there is still a lack of specific explanations from regulatory authorities, companies are required only to have legal opinions issued by lawyers on their risk of facing a cybersecurity review, according to the lawyers.

Even after a company wins approval at an IPO hearing, the HKEX can ask still more questions if it sees possible risks of a cybersecurity review, a lawyer told Caixin.

At this stage, it is difficult to assess the actual impact of the draft rules as the degree of a cybersecurity review may vary at different levels of regional regulators, said Xu Ke, executive director of the Digital Economy and Law Innovation Research Center for the University of International Business and Economics in Beijing. The uncertainties will directly affect the business decisions of companies, he said.

One day ahead of SenseTime’s IPO hearing, the HKEX’s listing committee approved Nasdaq-listed Weibo Corp. to sell shares in the city. The Chinese social media giant with data on 560 million users had planned to go private before pushing ahead with its Hong Kong secondary listing. But the company eventually scrapped the time-consuming privatization plan out of worry that the tightened regulatory environment might complicate the listing process, a capital market participant close to Weibo’s privatization plan told Caixin.

Similarly, Nasdaq-traded Chinese job search provider 51job Inc. also delayed its plan to go private after a buyout group was in talks with Chinese authorities over recent regulatory changes that might affect the deal.

In the current regulatory environment, companies are worried about being put under the microscope, so they communicate with regulators before proceeding with any major deals such as IPOs, mergers and acquisitions, and privatizations, a private equity fund manager told Caixin.

Compliance Pressure

Meanwhile, companies are also modifying their business practices in compliance with the new data security law, which imposes more specific requirements on collecting and using sensitive personal data.

The new law, if enacted, will make marketing using facial recognition technology very difficult, an AI marketing salesperson told Caixin. His company sells marketing and security systems based on machine vision algorithms to banks. For example, by analyzing customers’ faces and clothing, banks can quickly determine income and other personal data to help them carry out targeted sales pitches.

In recent months, the company suspended sales of systems collecting people’s facial data, he said. The programs can still collect images below the face, such as movements and clothing, but without facial recognition, the accuracy of the algorithm is significantly compromised, he said.

AI products used in the health-care industry also involve sensitive personal data, such as patients’ CT scan images, test results and medical history. A person at a healthcare AI company said his company is modifying data in its products that can be traced to a person’s identification.

The new data law also affects how large e-commerce platforms manage user information in logistics and marketing. In early October, Alibaba’s Tmall and started to encrypt sensitive information concerning recipients of online orders. Software providers and merchants no longer can get recipients’ names, cell phone numbers or addresses from the e-commerce platforms. Such information will be encrypted in a code. When a user visits a merchant’s store on the platforms, the merchant can see only the code, which includes information concerning the user’s location and consuming habits but not the precise address and contact information.

The move means retailers, digital ad companies and merchants can no longer obtain customers’ personal information to send targeted ads to them, a person familiar with Alibaba’s ad business told Caixin.

Another focus of regulation is enabling the free flow of data between different platforms. In September, the Ministry of Industry and Information Technology (MIIT) urged internet operations to stop blocking each other’s links, the so-called “walled gardens” technique used to protect their own digital ecosystems and stymie rivals.

The new data security rules reaffirm the importance of interconnectivity among different platforms, specifying that internet platforms providing instant messaging should provide data interfaces for other operators of the services, support user data exchange between different instant messaging apps and prohibit blocking cross-platform access and file transfer. This further provides a legal basis for data sharing among social media platforms.

Tencent and Alibaba have long erected walls between their platforms. Alibaba’s e-commerce sites Taobao and Tmall do not allow shoppers to use Tencent’s WeChat Pay system to complete transactions. Meanwhile, WeChat’s 1.25 billion users can’t send each other direct links to Taobao and Tmall products, and stores on WeChat do not accept payments via the Alibaba-affiliated Alipay service.

In response to the MIIT, Tencent now allows WeChat users to access external services such as Alibaba’s Taobao online mall or ByteDance’s video app Douyin. But that applies only to one-on-one messaging, not group chats or Facebook-like Moments pages, while sharing external links via the two venues are usually considered more effective.

Earlier this month, Douyin said users will soon be able to create and publish short videos based on Tencent’s copyrighted clips, another step toward breaking the data walls between different platforms. Tencent told Caixin that it is getting in touch with many other third-party platforms to offer them access to its copyrighted content.

But currently, Douyin users still can’t share their videos on WeChat as they do on other platforms, such as Kuaishou and Bilibili. Tencent stressed that sharing video links from third parties poses risks of harassment, fraud and inducement.

The new data rules clearly state that internet platforms shall bear the responsibility for data security management of third-party products and services linked to them, and users may demand compensation from the platforms for damages caused by these products and services. The rules will increase the burden and cost of reviewing external links by platforms.

New Business Opportunities

Data regulation will undoubtedly cause short-term pain to many new-economy companies, but it will also create new opportunities.

The first to benefit is the cybersecurity industry. The new rules require that companies dealing with important data or seeking overseas share sales should conduct data security reviews annually on their own or hire external data security service providers. Large internet platforms with more than 100 million daily active users should be evaluated by CAC-certified third-party organizations when establishing platform rules and privacy policies and making revisions that have a significant impact on users’ rights and interests,. All of this will create new business opportunities for third-party organizations.

In August, China released new regulations on the security and protection of critical information infrastructure, requiring operators to establish solid network security systems. Analysts at Huatai Securities said this means industries such as communications, energy, transportation, water conservation, finance, public services and defense technology will significantly increase investment in data security.

Chinese cloud services provider UCloud Technology Co. Ltd. is one of the companies benefiting from the demand. The Shanghai-based company provides a data storage platform called safe house, which uses data sandboxing, blockchain and encryption technologies to ensure data security. Since its launch in 2017, the safe house concept has been widely used in government, finance, medical and other fields. Clients include the Shanghai and Xiamen municipal governments.

UCloud solution director Xiong Hui told Caixin that more and more companies have come to inquire about safe house products this year amid compliance pressure.

When he pitched the concept to companies in 2017, most of them didn’t understand it at all, he said. “Now I don’t need to explain it,” he said, citing the new round of data regulation.

Wei Yiyang contributed to this report.

Authors: Yuan Ruiyang, Zhang Erchi, Guan Cong, Qian Tong, He Shujing, Tan Min, Denise Jia, Caixin Global

You might also like