Data Sovereignty in Action: Ant Group and Didi Chuxing Case Studies

The global economy is undergoing a transformation widely recognized as the 4th industrial revolution made possible by data driven intelligent systems. Policy makers around the world are searching for new regulatory and governance frameworks to help societies manage the potential and risks these new systems bring to society. China is at the forefront of this challenge. Chinese policy makers are placing more focus on constructing legal regimes to govern data from both a national security and economic development lens. This paper aims to look at China’s approach to data governance through the regulatory regimes emerging from eff orts to govern its technology platform companies.

Local consumer technology platform companies such as Alibaba, Tencent, Didi Chuxing, encouraged by government national policies, have taken on an unprecedented role in the transformation of the Chinese economy from a primarily manufacturing driven economy to a services and consumption driven economy. In areas such as media and communication, finance, and mobility they can be seen as key infrastructure providers (Hong Shen 2019) with ownership of big data in these areas typical of surveillance capitalist business models observed around the world (Shoshana Zuboff, 2018). Several platform companies actively participated in national development initiatives, such as poverty alleviation, and scholar Julie Chen observed that platforms‘ promoted a self-brand as social service providers’ invoking techno-utopian visions of benefits to the economy. (Chen Julie, 2020). Now the relationship between platforms, consumers, and the state is going through a major transformation.

A number of regulatory arms of the Chinese state are introducing new laws and regulations aimed at consumer technology platforms in a range areas including antitrust, national security, finance, labour and consumer rights, and privacy. In the past 12 months over a dozen companies have been fined or faced business restrictions under the aegis of anti-trust, privacy, and finance. Regulators opened investigations against the country’s largest platforms including Alibaba, Meituan, and Didi Chuxing (Technode ChinaTechlash Tracker 2021). In a December 2020 China’s top leaders
vowed to ‘contain disorderly expansion of capital, and ensure fair market competition’ (Xinhua, March 2021). An influential Chinese academic in a newspaper opinion page said the age of ‘barbaric growth’(野蛮) for technology companies has ended, and a new phase defined by rules and good systems, especially taking aim at platform companies abuse of their monopoly control over data (Fang Xingdong, July 2021). Several of the economic, security, social, and political interests behind this campaign is converging around data governance.

Part one of this paper draws an outline of the scale of China’s public and private data ecosystem and the key tensions emerging around data. This is followed by a list of the key stakeholders involved in the creation, collection, processing, and governance of data in the People’s Republic of China (PRC).

Part two ‘articulating data sovereignty’ looks at the evolving legal regimes in China that help shed light on the PRC’s thinking of data sovereignty and two case studies that illustrate these laws and policies in action. In particular focus is placed on the Data Security Law (数据安全法) (DSL) set to be enacted on 1 September 2021. Building on the 2017 Cybersecurity Law(CSL) (网络安全法), and other administrative regulations, this new law bring new levels of details around how data is to be governed, including cross-border data flows out of the PRC, and data governance as an economic policy to promote data sharing within the economy. In addition to these laws industry specific regulations in areas such as finance and anti-trust are also discussed here as they pertain to explaining how the PRC is articulating data sovereignty.

Two emerging case studies in particular and reflect how Beijing intends to exert its influence on data flows and de-facto set the definitions and scope of the regulations. Ant Group, a fintech platform that is the largest mobile payments and financial services provider with over a billion users, was made to suspend its expected world record IPO in November 2020, due to concerns from Beijing and regulators. On 3 July 2021 Didi Chuxing, leading mobility tech giant, was placed under Cybersecurity Review “to guard against national data security risks. In the case of Ant a new regime may compel it share its data with a state-owned entity governed by the central bank (Lingling Wei, 2020). In the case of Didi new precedent may be set for a threshold on cross-border data transfers and foreign access to data. Observing these case studies are important because they set precedent and offer insight into how Beijing translates the high-level
principles in its laws into implementable policy. The outcomes from both these cases will have far-reaching implications for how data is conceived and regulated not just in China but also globally.

In conclusion this paper will sum up the data cultures emerging in China broadly and what they say about the major trends that will influence the future of the Internet and data flows. In absence of global rules or frameworks for data flows, countries are creating their own models nationally.

This paper was originally published as part of Konrad-Adenauer-Stiftung’s Data Security, Privacy and Innovation Capability in Asia Case Studies. Read the complete paper here.

Dev Lewis