China to Create New Top Regulator for Data Governance, Wall Street Journal, Mar. 6, 2023.
By Keith Zhai
Beijing’s plan to streamline regulatory structure would bring all data-related issues under a single agency
China is set to create a new government agency to centralize the management of the country’s vast stores of data, as Beijing seeks to address data-security practices by businesses and streamline its regulatory structure.
The new national data bureau is set to become the top Chinese regulator on various data-related issues, people familiar with the matter said, in a shift from the current structure in which multiple ministries share oversight.
The plan to establish the agency is expected to be discussed and approved at the National People’s Congress during its annual session, which will run through March 13, they said.
If established, the agency would rule on whether multinational companies can export data generated by their operations in China, they said. It would also set and enforce data-collection and sharing rules for businesses, they said. For instance, it could bar companies from collecting certain kinds of consumer data, or vet the data that domestic companies plan to share with foreign business partners to check for potential national-security breaches, the people said.
The new data regulator would also investigate various issues in the digital domain, such as the use of algorithms for data manipulation or for inducing internet addiction among minors, the people said, as well as identifying data-security vulnerabilities that are prone to cyberattack.
The National People’s Congress and State Council Information Office, which handles press inquiries on behalf of the Chinese government, didn’t respond to requests for comments.
The plan would bring a more streamlined approach to data governance, establishing a single go-to regulator on data-related issues as businesses deal with an increasing number of rules and laws surrounding data.
Still, technology executives familiar with the plans have expressed concern over whether a new regulator would stifle innovation in the already bruised technology sector, coming on the heels of a two-year crackdown on powerful internet companies.
Currently, data regulation in China is handled by several agencies, including the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the National Development and Reform Commission, the country’s main economic planner. The involvement of multiple authorities has left businesses confused at times about which body to approach on compliance issues, industry executives have said.
The new bureau will hold a similar status as the State Anti-Monopoly Bureau, which is headed by a deputy-minister-level official, the people said. After the antitrust bureau was elevated in 2021 from a small department, it became better equipped to access resources across various government agencies to scrutinize mergers and acquisitions.
Regulators around the world have been dealing with the large volumes of data generated by digital activity. Europe began enforcing a robust privacy law in 2018 known as the General Data Protection Regulation. In the U.S., which doesn’t have a federal-level law on data privacy, the Federal Trade Commission has been exploring new regulations to enhance online privacy protections.
Beijing has also introduced various laws and regulations to oversee handling of data held by internet companies amid growing consumer concerns around data privacy, in line with the global regulatory trend.
In recent years, China has curbed data collection by technology companies, though policy analysts have said the rule is unlikely to limit the state’s widespread use of surveillance. It has forbidden certain data from leaving China, especially that which it considers critical to national security, and has required regulatory approval for dispatching certain data overseas. It has also compelled internet companies to share some algorithms with regulators.
Such rules have led to growing compliance costs for companies. Multinationals, including Apple Inc. and Tesla Inc., have set up new data centers in China to store more data locally. Both domestic and multinational companies are going through costly and time-consuming steps to map how data is transferred.
The burden on regulators is also growing. They must review a large number of security-review applications from businesses related to overseas data transfers, as well as checking various data practices. When it comes to regulating algorithms, some technology experts have raised the question of whether government officials are equipped with the expertise to handle such reviews.
Beijing has clamped down on powerful internet companies in recent years over alleged data breaches. In July last year, authorities imposed a $1.2 billion fine on Didi Global Inc., a ride-hailing firm, for violating rules pertaining to data practices. Beijing launched an investigation of Didi days after its blockbuster U.S. initial public offering.
Shen Lu contributed to this article.