Hello from Beijing, where we’re nearing the end of a month of record-breaking thunderstorms that are closing schools and outdoor venues. Huddled indoors, the topic keeping us riveted is what to make of ride-hailing giant Didi Chuxing’s regulatory car crash.
Didi’s crisis and its implications for China’s data-rich multinationals will take months to fully unfold. Seven Chinese government departments, including state security forces, announced on Friday last week that they were stationing staff inside Didi’s offices.
They are there to carry out the cyber security review announced two weeks ago, just days after Didi’s $4.4bn initial public offering in New York. That announcement and the penalties that followed have sent Didi’s share price down more than 10 per cent below its IPO price.
US shareholders have already filed class-action lawsuits claiming Didi neglected to disclose its regulatory risks. The reality may be less straightforward and much more worrying: that the breadth and vagueness of China’s data security legislation puts many companies at risk of unintentional miscommunication with the regulators.
Charted waters looks at how shipping fees affecting US shippers continue to rocket.
China’s data fears risk morphing into US-style paranoia
Although China’s cyber space agency has not explained exactly why it initiated a cyber security inspection of Didi, it referred to national security and data security risks. Since 2018, the two concepts have become inseparable for the Chinese government, which recently passed its Data Security Law.
“Data is a country’s fundamental strategic asset. Without data security, there is no national security,” opens the law, which comes into effect on September 1.
Ahead of that looming deadline, and in the aftermath of the Didi debacle, businesspeople and lawyers are puzzling over how to comply with a vague set of legal obligations. Under China’s civil law, very broad laws are first passed and then clarified through subsequent implementing guidelines and industry standards. These clarifying measures are still missing, however. That leaves companies in a situation where the Data Security Law expands the scope of which cross-border transfers of “important” data require government approval, but sets no clear procedure to win approval.
The need to audit cross-border data flows has huge impacts on companies that don’t consider themselves tech groups. All multinationals need to transfer data in and out of the country, starting with payroll data. Medical insurance companies handle even more personally sensitive data. All of this could be subject to review.
In the absence of legal clarity, sources fear they will be subject to the whims of US-China tensions and opaque regulators. “This isn’t a cyber security compliance issue, this is a government relations issue,” complained one multinational executive.
I am sure the staff of ByteDance, the parent company of short-video app TikTok, had the same thought on their minds when then US president Donald Trump threatened to ban the app in August 2020 on national security grounds. At the time, many of us puzzled over the threat posed by Beijing having access to the nation’s latest dance crazes, given that the nature of TikTok means almost all data sent to the platform is posted publicly.
The problem is that data paranoia too easily becomes a self-perpetuating meme. Within days, Trump’s concerns started to be treated seriously by companies who banned their employees from using the app (although Amazon made a speedy U-turn). Data paranoia can also become unfalsifiable. Once Trump fired the allegation out into the world, everyone scrambled to figure out what it was based on — in other words, doing the US government’s job for it.
We are in a similar situation with Didi, whose faults have not been publicly aired and whose executives may be as much in the dark as the rest of us as to what the problem is. Indeed, the fact that Beijing is now conducting a cyber security review suggests that the government itself isn’t yet clear about the problem. It is concerned about the vast hordes of user itineraries and mapping data the company holds, and is trying to figure out what might go wrong.
While the Didi debacle exposes the lack of a clear regulatory framework in China to govern sensitive data, the past few years of US-China tussles have also highlighted how other governments are unclear about the nature of the cyber threats they face. This leads to trade policy that is based on political trust, rather than on technical standards.
Yet interpersonal trust is not a good gauge of cyber security. Political allies spy on one another and tech companies based in unfriendly countries may provide more secure services than less-skilled companies in allied countries.
That is not to say that Huawei or Didi harbour no security risks. But when it comes to deciding what to do about them, governments seem initially to tend towards being broad-brush and maximalist with regulation. In the end, they will find the only practical solution involves detailed technical guidance to companies over what data outflows are OK and what are not.
The cyber security industry has for a long time worked to create processes that do not rely on interpersonal trust to be secure. Trade Secrets can’t help but wonder whether if more government leaders were technology-literate, they would consider technical solutions before political sticks.
Charted waters
Yesterday’s Trade Secrets looked at the arguments for and against US president Joe Biden’s executive order aimed at limiting shipping transportation costs. We know what’s driven that order — sky-high rates for transcontinental shipments. The surges began during the second half of last year, but as the charts below show, rates are continuing to rocket, especially on the northern Europe to US east coast route. Claire Jones
Trade links
How is China’s zero Covid-19 strategy going? Not well, according to this report. Beijing’s commitment to achieving no cases means most of its citizens will probably be cut off from the outside world until the end of the year. Not great news for a country so reliant on trade. There’s more on the aftermath of the Fit for 55 package unveiled last week, this time from US oil and gas exporters. They have been warned they face a further tightening of European anti-pollution rules despite energy’s exclusion from a swath of climate proposals introduced in Brussels last week.
The imbalance in vaccine supplies is deepening around the world, with an excess in the US and Europe contrasting with shortages in many countries in Asia. The result: 150m doses are unused (Nikkei, $, subscription required). India’s exports have been at a standstill (Nikkei, $) for three months so far — with little prospect of their resumption anytime soon — after a deadly second wave of the virus ravaged the south Asian nation of more than 1.3bn people in April and May. Claire Jones
Source: Economy - ft.com