Chinese regulators have tightened restrictions on data privacy and data security. Tech companies will need to overhaul their data practices -- and their business models.
By LU Keyan, LI Jingya
First, it was Didi, and now it has caught up with every other firm in the digital business. It was clear that something was up when the ride-hailing app disappeared from the app stores. But how the investigation suddenly expanded to engulf almost everyone in the internet industry has come as shock.
Anyone with the data of more than 1 million users – not that much considering China's almost a billion netizen population - has to pass a security review before listing overseas. A close eye is to be kept on all stages of the data process: collection, use, and sharing. In many respects, the new measures are a matter of national security, keeping China's digital infrastructure safe from both foreign and domestic interference.
Keep (a fitness app), Himalaya FM (podcasts), HelloBike, and LinkDoc (medical) have already called off New York IPOs, awaiting follow-up regulations and clarification.
In May, the Cyberspace Administration of China revealed data privacy violations by over 300 apps, many owned by Alibaba, Baidu, Bytedance and Tencent. Most of the problematic apps collected personal data without consent, including data unrelated to the primary purposes of the apps. Last month’s cybersecurity law classified almost all types of data and assigned appropriate security requirements to each. Shenzhen, China’s tech heartland, legislated on data profiling and sharing earlier this month.
The public is not surprised in the least. In fact, complaints about surveillance from the big techs have been fermenting - you talk with your mom about a new handbag on sale, a Luxury brand ad pops up on your WeChat Moments - but data privacy has always been a slippery issue. Mobile apps need contact information to send standard information and marketing materials. Very few people object to this. On the other hand, big data seems to consume almost everything in its path and off the path. “Friends”— real-life acquaintances and social media contacts — have taken on new meaning and value.
Data tells big tech what we want to buy, when, and how much we’ll pay for it. It knows what we want to eat, when we want it, and where we are to eat. It probably even knows what we can and can’t afford, and perhaps better than we do. This business model – putting what we are most likely to buy in front of us at the right time – is the bread-and-butter business model of almost all e-commerce. User data is the lifeblood of targeted advertising. User behavior data also leads to price discrimination. New users are given generous discounts, while old customers are charged full prices.
An e-commerce site, for example, can analyze the sales and marketing information of third-party sellers so that the search algorithm would prioritize its own private labels. Or a social media platform can disable links to a competitor’s site. They can examine our decision-making processes, and interfere with those processes however they like, in the name of better serving our needs.
Regulators around the world are grappling with the same issues, but with different priorities. Lawmakers in the US and the EU are discussing potential legislation.
Tech companies have conflicting priorities and plead limited resources. Moving fast and breaking things is not the best way of protecting user data. Scrutiny has been half-hearted at best and companies are complacent. Security is non-standard, with almost every company having its own “best practice.”
In startups, a manager asked not to be named who had worked for five different tech companies said, everyone sees everything. Managers can go into the system and play with user information. At bigger companies, you need proper sign-offs to access sensitive user information, which is sent to you as a matter of course by an unseen data guy. Fintech companies are more careful, but risk management and auditing of data practices are again, non-standard. Tech giants like Tencent conduct compliance reviews for every single product, but many do not.
Data privacy has been the topic of the day at meetings and seminars everywhere since National Consumer Protection Day on March 15. But without regulatory guidelines, progress is futile. What needs to be done is quite plain, but legislation is required to know exactly how.
Complicating an already overwrought situation, many platforms are compendia of smaller platforms. Data is shared up and down the e-commerce chain, and so those at the top may be liable for data breaches at the bottom, or vice versa. Currently, it is often the app developer who feels the regulators’ wrath, an uncomfortable place for the blame to lie.
When China stirs, the global financial market comes to attention. In the US, investors are worried that more security measures are in the works, fundamentally undermining business models.
“Now the first thing in everyone’s mind is not a company’s scale or profitability. It’s whether some regulator can wipe it off the map with a single decree,” an primary market investor who preferred anonymity said. It may take months or even years to restore market confidence.
Confusion discourages investment and innovation. Some of the uncertainties come from ambiguities in the new regulations. Key concepts, such as “critical information infrastructure,” lack clear definitions. All companies that deal with sensitive data need robust security protocols, with sufficient resources to support them. This may require functions beyond a company’s scope that will cost substantial amounts of money, time and effort.
Corporate law specialist WEI Shilin hopes regulations eventually find a balance between flexibility and enforcement, and that both sides understand each other’s needs and concerns. “If a company wants to be listed abroad, the regulators are obviously entitled to a say in where servers are located and how data is handled.”