Is China locking information on the country inside a “black box”?
We should avoid building a modern tower of babel
Looking from outside: China is creating a “black box” around information on the world’s second-largest economy, alarming global businesses and investors.
Reality on the ground: China is in implementation stage of data laws passed in 2022. It clearly stated who would be impacted, and how. Details are yet to be filled in, companies are coping with it preemptively. The process is announced well ahead and under way, data are still flowing in and out.
Concerns about China turning into an “information black box” peaked recently after reports of Wall Street Journal, Bloomberg, and Reuters, led to claims that Chinese authorities was launching a concerted effort to shut down foreign access to multiple types of Chinese data. While such claims may sound probable and feed into mainstream narrative, we, at Baiguan, believe that such claims and narrative miss many nuanced facts, conflict with other development on the ground and serve mainly a sensational purpose.
Relevant reports include Wind's termination of overseas contracts to certain “think tanks and research firms”, restrictions on overseas access to two major company registration databases (Qichacha “QCC” and Tianyancha “TYC”), scrutiny of several international business research firms in China, suspension of bond market data, and suspension of contracts between China National Knowledge Infrastructure (”CNKI”) and foreign clients…The list keeps going.
So what is really going on? First, we did some fact-checking. We talked to several overseas users of Wind Info, some of whom our own clients, and they confirmed they could still use Wind’s services normally. Foreign visits to QCC and TYC were indeed blocked, and as far as we know, they have been blocked since last year. At Baiguan, which is powered by BigOne Lab, China’s leading data research company, our business is also operating as normal. But being in the same information services industry, we take this issue dear to our heart, and it is in our own best interests to keep a tab on latest policy developments.
So far, our simple assessment is this: these events are related in a way, but maybe not in a way that fits the sensational narrative. In fact, the Chinese regulator intends to create rules to systematically manage data outflow, and there has been a succession of data and cybersecurity regulations since 2019. However, the regulatory details related to cross-border data outflow are not yet completely clear, such as the clear definition of "important data outflow", which has not been formally determined. Therefore, companies (including ourselves) are adopting a more cautious and pre-emptive approach, especially with regard to data sets with unclear ownership, such as company registration data mentioned in other reports.
This article will go through the details of relevant regulations, why specific datasets may be sensitive, how do restrictive regulations fit with encouraging policies and how companies are responding and evolving in the current environment.
Long-expected implementation of regulation
The Chinese government has been transparent about setting up its cross-border data transfer regulation regime for years. For those who have been paying attention to the development of regulatory updates, there were no surprises. In fact, if one follows the development of this regime, they would come to a different understanding of the events reported and reach a different conclusion.
In October 2021, the Cyberspace Administration of China (CAC) released the "Measures for Security Assessment of Data Export Security (Draft for Comments)."
In July 2022, the CAC released the official version of the "Measures for Security Assessment of Data Export Security" (the "Measures").
The Measures would take effect on September 1, 2022, with a 6-month grace period for transition.
According to the Measures, in order to regulate data cross-border activities, protect personal information rights and interests, and maintain national security and data cross-border security, data processors that provide important data and personal information collected and generated during operations in China to cross-border entities must adhere to specific conditions or reach a certain threshold. In such cases, a data cross-border security assessment ("Assessment") should be declared to the CAC and relevant authorities before the data cross-border activity. The CAC, together with relevant authorities, will assess whether the government’s requirements are met.
Entities affected by these regulations mainly include critical information infrastructure operators (”CIIO”), personal information processors, and important data processors. The types of data that need to be reviewed include “personal information” and “important data”. The access or retrieval of data stored in China by overseas entities, organizations, or individuals is also considered as data cross-border activity.
Companies and data processors that meet the triggering conditions must follow a four-step process to conduct relevant data cross-border activities. First, they need to submit application materials to the provincial Cyberspace Administration and conduct a "data cross-border risk self-assessment" and prepare relevant reports. Second, they must wait for the provincial department to confirm the completeness of the materials before submitting them to the CAC for review and evaluation. Third, they must wait for the CAC to organize relevant authorities and specialized agencies to assess the situation based on the application. Fourth, they must have the data cross-border activity declared in a state of suspension until the assessment is passed.
The entire process may take more than 45 working days. However, due to the need for pre-assessment self-evaluation reports, legal documents, and supplementary materials drafted between the applicant and overseas recipients, the time required may be longer.
Existing data cross-border activities that started before the Measures and did not meet its requirements should complete rectification within six months from the date of implementation. Therefore, many organizations had to self-assess before March 1, 2023, and take actions accordingly.
As a result, many data providers may be halting and reviewing their data activities as they prepare for assessments. While there is no detailed list of entities that have started assessments, key localities such as Beijing, Zhejiang, and Shanghai have disclosed statistics of applications for assessment.
According to official reports, as of February 28, 2023, Zhejiang has received 69 formal application materials, out of which 32 have been approved after complete verification and submitted to the CAC. The approved applications are mainly in the fields of e-commerce platforms, finance, logistics, security, communications, and other fields.
As of February 22, 2023, Beijing has received 48 formal application materials, with 2 applications approved, and 142 companies have expressed their intention to apply. The applications are mainly in the fields of medical, finance, automotive, civil aviation, insurance, tourism, industrial automation, e-commerce, recruitment, electronic technology, and other fields. Noticeable applicants include Amazon, BMW, Samsung, JP Morgan, Swiss Re etc.
As of April 28, 2023, Shanghai has received over 400 application materials involving key areas such as finance, retail, business services, automotive industry, and healthcare. After complete verification, nearly 60 application materials have been submitted to the National Cyberspace Administration, with 2 applications approved.
The sensitivities of company registration data
During the assessment process, it is common for data providers to suspend their data activities. According to Bloomberg, Wind Info, QCC, and TYC curtailed foreign users' access to company registration data. This type of data is ambiguous, so caution is advised.
Currently, company registration data in China is publicly available on local administration websites for market regulations. Additionally, there is a national system called the "National Enterprise Credit Information Publicity System." Public users can access some company registration information, with more details available after registering an account on the website.
While this data is relatively accessible, the user experience can be cumbersome. To provide a smoother experience, private data aggregators like QCC and TYC were founded a few years ago. These aggregators build data-scrapers to extract data from hundreds of government websites, and develop consumer apps that give users access to all of them. They charge users fees through the app. Unlike company registration data in some other countries, there are no clear regulations on whether private companies can profit from selling company registration data, or who is responsible for the proper use of the data. When cross-border data regulation is implemented, these questions will likely arise again. These companies will probably conduct self-examinations. If they submit to the assessment, they will need to suspend their current activities until receiving a review response, which can take more than 45 days.
It is known that TYC restricted external data access prior to July 2022. When we contacted QCC's customer service, they stated that overseas IP access was restricted by the end of 2022 to comply with the regulations of the CAC's respective measure. Wind Info, which reportedly curbed its company registration data access to foreign users, had invested in QCC in 2019. Wind Info may have taken actions following its portfolio company's adjustment.
In addition, company registration data also pertains to transmitting personal data. Since company registration data contains the information of millions of business owners, there is no doubt that the amount of personal data in these types of databases surpasses the threshold to submit the Assessment. With the ambiguity of the rights to the data and personal data issues, operators of company registration data no doubt have to be conservative.
However, Wind Info did not curb its most valuable access to its key foreign users, financial institutions. "Wind Info has long been providing a domestic version and global version which has different data... Our HK team uses the global version... they have not seen changes in access in the last few weeks..." according to an offshore USD hedge fund we contacted. Another analyst at a global multi-billion hedge fund we contacted also found no changes in their access to Wind Info. This suggests that it was more of a business decision, where Wind Info curbed its higher risk, low revenue part of the access while keeping its high revenue part of the access.
“Information Black Box” or maturing management approach
Some of us may still believe that tighter rules on cross-border transmission would lead to a less transparent China and contradict the government's pledge to continue opening up China. However, we understand that the intention of the authorities was not to restrict data access, as mentioned in our previous article on the Data Management Bureau, but to systematically create a managed cross-border data transmission and transaction system. China sees data as a new production factor and a key element in its production factor reform, so it is exploring ways to release the value of data while ensuring security.
The lack of understanding of the assessment process was mainly due to the lack of English-based communication, which is also why there is a lack of awareness of China's efforts to create a cross-border data flow system. By reading their WeChat account, we can see how Shenzhen is exploring a path for cross-border data transactions, which is one step further than data transmission. Shenzhen's exploration in data exchange has been blessed by the central government and allows us to glimpse into China's directions and ideas regarding cross-border data operations. On January 26, 2022, the NDRC and the Ministry of Commerce issued the "Opinions on Relaxing Market Access Measures for Shenzhen to Build a Pilot Demonstration Zone for Socialism with Chinese Characteristics," which mentions:
“…encouraging Shenzhen to conduct local policy research and exploration within the framework of national laws and regulations, and establishing basic systems and technical standards for data resource property rights, transaction circulation, cross-border transmission, information rights and interests, and data security protection under.”
“Exploring mechanisms for personal information protection and sharing.”
“Accelerating the promotion of public data openness.”
“Focusing on financial, transportation, health, medical and other fields to connect with international rules, actively participating in the formulation of international rules for cross-border data flow, conducting pilot projects for cross-border data transmission (export) security management…and establishing data security protection capacity evaluation and certification, data circulation backup review, cross-border data circulation and transaction risk assessment…”
“With RMB as the main settlement currency, researching and promoting a batch of data asset trading products with clear demand, high transaction frequency, and high degree of standardization.”
“Exploring the construction of offshore data trading platform…”
This initiative wasn't just empty talk. It resulted in experimental cross-border data transactions that were completed with regulatory support. In May 2022, ChinaScope, a Shanghai-based data company, sold its "SmartTag News Analytics" product to a reputable overseas top hedge fund for 5 million RMB through the Shenzhen Data Exchange. This transaction was reported on the NDRC's official website. The Shanghai Data Exchange also recently announced its "international section," which allows for data to be transmitted both ways (outside-in and inside-out). There are several similar efforts across China to develop cross-border data transmission mechanisms. If you would like to learn more, please leave us a message.
Conclusion
Our assessment of recent events is as follows:
Keep reading with a 7-day free trial
Subscribe to Baiguan - China Insights, Data, Context to keep reading this post and get 7 days of free access to the full post archives.