In September the Cyberspace Administration of China (CAC) announced a three-year plan to regulate predictive algorithms, and Chinese companies scrambled to comply with new regulations. News of the plan came on the heels of two other stringent policies – the Data Security Law (DSL) and Personal Information Protection Law (PIPL) – which were passed earlier this year and came into full effect in November.
China’s push for data security and algorithmic governance should be viewed as a new chapter in the country’s storied attempts to regulate the technology sector. In all likelihood, these moves will minimally affect state security bureaus’ data collection capabilities, but will create steep compliance costs for internet companies that could hamper the state’s long-term development goals.
The DSL is designed to curtail invasive data collection by Chinese tech companies. Specifically, it restricts the collection of data by Chinese companies within and outside of China that may “harm the national security or public interests of the PRC.” Given the ambiguous nature of the law, many Chinese companies have erred on the side of over-compliance, rather than risk facing exorbitant penalties – which range from $1,000 to over $150,000, and may result in the suspension or revocation of a business’ license.
The PIPL imposes even more day-to-day compliance costs on Chinese tech companies that work with personal data. Under the law, Chinese companies are now obligated to create cybersecurity teams, conduct training sessions, and classify data according to the potential for national security threat. The sweeping regulatory framework consists of 74 articles, and it applies to any company that handles individual Chinese citizens’ personal information.
Taken collectively, the DSL and PIPL should be viewed as a new chapter in Beijing’s push to regulate the Chinese technology sector. At first glance, the steep limits they place on data collection stand at odds with Beijing’s long-standing ambition to become the world leader in AI by 2030. But the laws’ long-term effects will hinge on two hotly debated questions about how China’s national tech champions interact with the state.
The first question is whether the new regulations will actually apply to China’s “national AI champions,” or whether the special relationship between big tech and the state might exempt them from the most onerous requirements.
On the one hand, the Communist Party under Xi Jinping seems adamant about curtailing the massive power China’s tech companies have accumulated over the past decade, and is using these data governance regulations to reassert control. For their part, investors do expect China’s internet titans to take a hit. Immediately after the DSL was passed, the Hang Seng Tech index measured a 2.5 percent decrease in China’s largest internet and e-commerce stocks, to include those of Tencent and Alibaba, amounting to a loss equivalent to tens of billions of U.S. dollars. In the same month, when China’s most popular ride sharing app Didi Chuxing filed for an IPO on the New York Stock Exchange, Chinese regulators yanked it from app stores, citing violations of DSL’s data security regulations. The company has since lost 30 percent of users and seen its share value decline by more than 40 percent.
On the other hand, however, the Chinese government has historically relied on Chinese internet giants Baidu, Alibaba, and Tencent to aid in intelligence and police work, by collecting and processing troves of information these companies collect about Chinese netizens. Through Article 7 of China’s National Intelligence Law, Article 77 of the National Security Law, and Article 28 of the Cybersecurity Law, the government is able to deputize internet companies to assist with intelligence gathering. The codependent relationship between Baidu, Alibaba, Tencent, and Chinese security services could imply that China’s AI champions are too big to regulate.
But if they are subject to the full force of the DSL and PIPL, the second question is whether the limitations set out in these laws will materially limit Chinese tech giants’ ability to collect and process data at scale.
Neither the DSL nor PIPL constrains data collection by China’s state security apparatus – only internet and data companies. But it’s not clear to what extent state security offices rely on data collected data in-house or outsourced to these firms. If public security bureaus have immediate and unfiltered access to the collection platforms operated by private companies, as has been claimed about Huawei 5G platforms and Lenovo computers, then the government would have little incentive to spare Chinese AI companies from stringent restrictions on data collection.
But, because of their special relationship with the state, it’s possible that China’s internet companies will benefit from data collected and provided by Chinese security services to continue their AI development. Under the auspices of China’s national security and cybersecurity laws, Chinese businesses are compelled to work with the state’s security apparatus. Companies that handle data related to “national security” are further required to allow the Ministry of State Security access to their companies’ servers. Even if Baidu, Alibaba, and Tencent face data collection limitations, they could theoretically continue to rely on data provided by Chinese security services to fine-tune their AI products.
Although it’s not clear how exactly China’s large internet companies may be affected by new regulations on data and algorithms, the composition of China’s private tech industry will be fundamentally altered. The DSL and PIPL will make it substantially harder for existing businesses to continue operating with the same degree of autonomy they had enjoyed in the past, and may create steep barriers for new players hoping to enter China’s tech market.