Skip to main content

Expert Interview

Didi and China’s Data Regulation

By Xu Peng, Masters candidate, UC San Diego School of Global Policy and Strategy

lizhi-liu.jpegLizhi Liu is an assistant professor in the McDonough School of Business and a faculty affiliate of the Department of Government at Georgetown University. She studies the politics of technology and data in China.


Background:

In early July 2021, mere days after the massive ride-hailing platform Didi’s NYSE IPO, the Chinese government conducted a sweeping crackdown on the company for misuse of customer data. One speculated explanation was that Didi chose to be listed in the U.S., potentially risking sharing critical data with Didi’s American counterparts. From Trump’s attempted ban on WeChat and TikTok to the EU General Data Protection Regulation (GDPR), data has become an important topic in international relations. What is unique about the Didi crackdown? What does it say about China’s approach towards data regulation? How should we consider data in the future in international relations? I invited Assistant Professor Lizhi Liu to provide her insights on these questions and more.

Let’s start off with the basics: Didi wasn’t the first Chinese company to go public in the U.S. Is a Chinese big tech company being listed in the U.S. really a data security threat to China? 

Liu: Some people were surprised by Didi’s app store ban and thought it was somehow unique, but this was hardly the first time an app was banned for violating rules regarding personal data collection. So, I don’t think Didi is that special. The new regulations were not targeted at one single firm or an individual entrepreneur. Besides Didi, two other firms that went listed around the same time – Kanzhun Limited and Full Truck Alliance Co. Ltd. – also underwent cybersecurity review.

It is therefore important to understand Didi’s case in the broad context of regulatory change. Here, China’s new data regulations and the clashes between U.S. and China regulations play a key role.

Prior to Didi’s IPO, China put the Cybersecurity Review Measures into effect on June 1, 2020. The measures stipulate that operators of “Critical Information Infrastructure” (CII) are required to go through national security reviews when purchasing network products and services. Didi and the other two firms were treated as operators of CII because they host a great deal of geographic, economic and personal data.

Another regulatory change in 2020 is that the U.S. made a move that would have ramifications for Chinese companies listed on the U.S. stock markets. The U.S. SEC had long worried that the Chinese companies were not providing reliable financial disclosures, particularly after Luckin Coffee’s data fabrication scandal. In December 2020, Trump signed the Holding Foreign Companies Accountable Act (HFCA). This law stipulates that firms that do not allow their audit working papers to be inspected can now be delisted.

This is where the conflict began. From China’s perspective, the HFCA is politically motivated and targeted at China. Sure,[LG1]  HFCA applies to all foreign firms, but 90% of the firms that refused inspection were located in mainland China and Hong Kong. Moreover, the HFCA requires disclosure of state influence and party members on these companies’ boards.

Here, then, we have a clash of data regulations. U.S. law demands data on Chinese firms’ audit working papers. But China fears that audit working papers may contain state secrets. Chinese law bans firms from giving foreign regulators access to such data without government approval. This clash is difficult to reconcile. This also makes the Chinese government wary of firms going listed in the U.S.

This seems tied to a related issue you have discussed that Chinese tech companies face a “deep versus broad” dilemma: deep ties with the Chinese government reduce domestic political risks but raise overseas regulatory risks. Some Chinese tech companies like ByteDance have tried to address this dilemma by running the same product in two versions: Douyin  for Chinese customers and TikTok for overseas customers. What do you think of this approach?

Liu: Having two versions is not sufficient to solve their dilemma, especially when the host government is concerned about external threats and data security. For example, the Trump Administration attempted to ban TikTok even though the app does not operate in China. Trump still suspected TikTok of handing over U.S. citizens’ data to Beijing through its China-based parent company.

In ByteDance’s case, the U.S. stance created a difficult challenge: how could the company credibly signal TikTok’s independence? It tried several strategies, including restricting China-based engineers’ access to TikTok’s data and announcing that TikTok would set up a global headquarters outside China. None of these strategies worked. Trump was not persuaded and still demanded that ByteDance sell TikTok.

In the end, ByteDance was able to reach a deal with Walmart and Oracle on two key points: data localization and security review. TikTok’s U.S. user data would be stored on Oracle’s U.S.-based cloud infrastructure and Oracle would get full access to TikTok’s source code and updates for review. ByteDance would retain TikTok’s technologies and algorithms and an 80% share of TikTok Global. (After Trump left office, ByteDance walked away from the deal.)

Many think the ban on TikTok was merely motivated by the U.S.-China rift. Geopolitical rivalry certainly played a critical role. But a deeper logic underlying the ban is data politics, the politics of the collection, transfer and usage of data.

Data politics is a general and rising form of interstate politics and is not specific to U.S.-China relations. As global concerns about foreign government surveillance increase, tech firms are more and more vulnerable to national security investigations by foreign regulators. For example, Apple and Tesla’s operations in China were also suspected of sending user data back to the U.S. government. Subsequently, both companies moved to store their Chinese user data in mainland China. These cases suggest multinational tech companies need to find ways to divide their global markets to comply with domestic laws. They also must somehow signal their independence from the home market and home government.

Indeed, the world seems to be headed toward more conflicts regarding data regulation. Do you think this will result in divided markets in digital services?

Liu: It is clear that the global internet has been moving towards the so-called “splinternet” – a cyberspace fragmented along national or geopolitical boundaries.

In the past, cross-border data flows were largely unregulated. Nowadays, a growing number of countries have started to restrict them, embrace data sovereignty and install data localization requirements.

While tech firms certainly need to be regulated and some of these data regulations are indeed necessary, such regulations can also be viewed as a form of non-tariff barriers to trade. There is an economic cost for having divisions and fragmentations in the world markets. Economies of scale will suffer, leading to potential welfare loss.

Therefore, I think we will go through two phases. Right now, we are in the phase of having more regulations, which will restrict cross-border data sharing and splinter the internet. But, when the costs of data restrictions become too high, there will be more bilateral and multilateral negotiations on lowering the barriers to data sharing. A historical parallel would be how states engaged in multilateral negotiations to lower tariffs on physical products.

Let’s get back to the implications of data for politics. We’ve seen how data can change democratic institutions by affecting elections. Can data change the authoritarian institutions of China?

Liu: Yes and no.

On the one hand, we should not exaggerate the effects of data. It is questionable whether data can fundamentally change any institution, including democratic institutions. Data has long been a critical economic input. Its impact depends on who is using it, how it is being used, and for what purposes. There is never a simple answer.

On the other hand, in China and other countries, we witness the rise of a co-governance system by the state and by digital platforms. Nowadays individuals and businesses are not merely regulated by formal laws but also by private rules stipulated by large digital platforms.

The invention of digital technologies has enabled the collection, storage and processing of data at a massive scale. Digital platforms thus have gained substantial power by collecting and analyzing user data. When a platform hosts a large number of users, it becomes a kind of public infrastructure because it impacts a tremendous number of people and every aspect of society. Under these circumstances, governments often lack technical expertise, so they must rely on digital platforms to regulate themselves.

Therefore, when we discuss how data changes democratic or authoritarian institutions, we have to examine platform-government relations. We must examine how private regulations interact with public ones. It is a complicated interaction whose outcome will depend, at least in part, on the specific configurations of the platform-government relationship.

For more discussion of data politics, please see Lizhi Liu’s paper, “The Rise of Data Politics: Digital China and the World.”