Data protection: Chinese authorities put compliance pressures on online business operators

Data Protection Alert

On July 2, 2021, the Cyberspace Administration of China (CAC) announced on its website that it had started a cybersecurity review of Didi (the world’s biggest online ride-hailing company), and that Didi is not allowed to register new users during the review. CAC did not offer details about this law enforcement action, but said its purpose is to prevent data security risks, citing its Cybersecurity Review Measures.

The announcement was published just two days after Didi’s huge IPO on the NYSE. On the same day, Didi’s shares fell as much as 10.9% after the open and closed down 5.30%. On July 4, 2021, CAC further ordered the removal of Didi’s ride-hailing app from the app stores, giving as the reason that the app has “severely violated the laws and regulations when collecting and using personal information”. On July 5, 2021, CAC announced cybersecurity reviews of three other online platform operators providing cargo transportation hiring services and recruitment services.

China’s Cybersecurity Law and CAC’s Cybersecurity Review Measures require operators of critical information infrastructure (CIIOs)[1] to undergo a cybersecurity review before CAC when procuring network products and services. The law has also established other cybersecurity-related obligations, as well as cybersecurity and national security reviews for network operators that process important data and personal information. Given that the above investigations all involve companies that hold personal information (of drivers, passengers and job applicants) and important data (road, traffic, location, etc.) and that were recently listed on foreign capital markets, international transfer of data could also be an element that attracted CAC’s concern. Recently, China further developed the compliance obligations on data security by enacting the Data Security Law, which, among other things, established multiple mechanisms to regulate cross-border data flows and authorized CAC to design the rules under which non-CIIOs may transfer important data outside of China (see our previous article on the Data Security Law).

The Chinese regulators have also made huge efforts on law enforcement. Apart from CAC’s recent investigations of Didi and other online platforms, which seem to be a more specifically targeted and national-security-related move, the Chinese authorities have been actively enforcing personal data and other online-business-related regulations covering all kinds of business. For example, CAC has been actively regulating smartphone apps to combat violations of personal data protection (see our recent article analyzing CAC’s actions). In the meantime, as of June 21, the Ministry of Industry and Information Technology (MIIT) has reviewed 1,170,000 mobile phone apps, required 4,002 apps to correct their irregularities, publicly denounced 1,248 apps that failed to make corrections within the given time limit, and ordered the removal of 329 apps from app stores.

Cybersecurity and data protection are not the only compliance pressures on companies operating online businesses. Chinese authorities are also using other tools in their toolbox, such as anti-trust and unfair competition regulations. For example, the State Administration for Market Regulation (SAMR, China’s market regulator) has imposed a CNY 18.2 billion fine on the ecommerce platform Alibaba, which abused its market dominance by prohibiting online store owners from opening stores or running promotions on other ecommerce platforms. SAMR is also amending the Provisions on the Administrative Punishment of Price-related Violations, which will provide a clearer legal ground for prohibiting unfair competition tactics in ecommerce, such as price dumping and pricing discrimination based on big data and data profiling.

The tightened regulation of online business and active law enforcement may be good for creating a healthy environment and would also bring more competition into the market, which will eventually benefit all the players. However, companies that have online businesses should also be mindful of the latest developments to better manage their compliance risks.


[1] Critical information infrastructures (CIIs) refer to any information infrastructure that can endanger national security, national strategy, and civil welfare in the event of a data breach, compromised network, or system malfunction. There has been no publicly available list of CIIs, but according to a guideline of China’s public security authority, CIIs can be websites such as the official websites of the Chinese Communist Party, government authorities, public institutions and enterprises, and websites that provide public information services to the public; online shopping, online payment, tourism and travelling, forum, map, music and video, search engine, online subscription and other platforms, and all kinds of smart application platforms; and office and business systems, industrial control systems, large data centers, cloud computing platforms, television broadcasting systems, etc.