The Cyberspace Administration of China (CAC), the country’s top internet regulator, is reshaping internet and AI governance. Following the Data Security Law and Personal Information and Protection Law which went into effect late last year, the CAC and other government agencies have recently finalized a set of new regulations to help implement those laws. Their efforts demonstrate the government’s attempts to shape online opinion, safeguard national security, and “spread positive energy.” 

Guiding these regulations is the government’s broader goal to transform China’s digital economy, outlined in a new five-year plan published by the State Council on Wednesday. Among the government’s targets for 2025 is an increase of the digital economy’s share of the national GDP to 10 percent, from 7.8 percent in 2020. To fuel this expansion, the plan also aims to increase tenfold the number of Chinese households connected to gigabit broadband, and to double the number of residents registered for online government services with their real identity from 400 million to 800 million. The State Council’s plan described how data collection and governance will play key roles in developing China’s digital economy:

According to the plan, efforts will be made to accelerate the construction of the information network infrastructure, and a national-level integrated big data center system coordinating computing power, algorithms, data, and application resources.

High quality data elements will be provided.

Market entities will be encouraged to collect data in accordance with the law. Data resources processing will be improved and the data service industry will be fostered and expanded.

In addition, market-based circulation of data elements will be promoted. Furthermore, new mechanisms for the development and utilization of data elements will be developed.

[…] A sound digital economy governance system will be established with the participation of governments, platforms, enterprises, industrial organizations, and the general public, according to the circular. [Source]

China just unveiled parts of its 14th Five-Year plan for the digital economy. 1/ https://t.co/8VQXyqMmLd

— Chang Che (@Changxche) January 13, 2022

TLDR: Beijing will push digitization in older industries, and SMEs that find new ways to accelerate industrial output. That digitization will create more data, and that data can be harnessed for "smart" stuff, e.g. cities, and maybe even a “national-level big data system.”

— Chang Che (@Changxche) January 13, 2022

The push to maneuver China's digital economy and its real economy into a state of symbiosis is shaping up to be one of the biggest tech policy storylines over the next couple of years, and one global governments will read with interest. 12/12

— Kendra Schaefer 凯娜 (@kendraschaefer) January 11, 2022

This drive is accompanied by tightening regulation. The first major set of new regulations concerns recommendation algorithms. Following the release of a draft version last August, last Tuesday the CAC and three other government bodies announced the final version, which will go into effect on March 1. Tracy Qu and Jane Zhang from the South China Morning Post described some of the CAC’s goals in issuing the new regulation:

The new regulation, according to a statement from the CAC on Tuesday, seeks to address “algorithmic discrimination”, which has led to differentiated pricing of products and services. Certain internet platforms have been charging consumers extra fees based on data about these users’ spending habits.

The CAC said the new regulation also aims to put a stop to so-called content intoxication. For example, the algorithm used by Chinese short video-sharing platform Douyin, the sister app of TikTok, has been known to keep users constantly engaged with a near-endless amount of content tailored to their tastes and interests. In addition, the algorithms used on many video games are designed to keep encouraging players to spend more time and money on them.

The algorithm regulation is expected to help authorities clamp down on information recommendations, which have the potential of “shaping public opinion” or “social mobilisation”, according to the CAC.

Online news providers will be required to get a licence for their services. They are also specifically prohibited from publishing information that is not from the government’s list of approved news sources. In October last year, Beijing released its white list of 1,358 news outlets. [Source]

Well, here they are. Yesterday, China's cyberspace watchdog, the CAC, finalized China's groundbreaking new rules on recommendation algorithms. They take effect in early March. Thoughts on the final version below. 1/11 https://t.co/Ctc1hSWy25

— Kendra Schaefer 凯娜 (@kendraschaefer) January 5, 2022

It's clear to me that Beijing has paid close attention to the impact that fake news has had on US national unity, as is noping right out of that issue before it becomes a bigger problem. 5/11

— Kendra Schaefer 凯娜 (@kendraschaefer) January 5, 2022

Also, the draft required companies to respond to user requests for info on what data algos gather and what they do. The final version puts that burden on companies, who have to transparently supply it by default. 7/11

— Kendra Schaefer 凯娜 (@kendraschaefer) January 5, 2022

CAC’s approach = most mature, influential & in-tune w/ regulatory zeitgeist. It focuses on dissemination of info and some user rights.

It also floats new requirements for algorithmic explainability, a topic 🇪🇺&🇺🇸 also grappling with.
A+ analysis: https://t.co/iNFkRReb0m (5/x)

— Matt Sheehan (@mattsheehan88) January 12, 2022

China's finalized algorithmic recommendation rules, effective March 1, will be mostly familiar for those who read our translation and analysis on last year's public draft. But there have been some significant changes. 1/ https://t.co/phHiffcFrC

— Stanford DigiChina Project (@DigiChn) January 10, 2022

Big tech companies are key targets of these new regulations, since algorithms are integral to their business models. “Algorithms are a company’s deepest-held secret, their most valuable asset and letting the government dig around in there would be a problem,” according to Kendra Schaefer, a Beijing-based partner at Trivium China. Luo Meihan from Sixth Tone described how the CAC regulations aim to curb companies’ manipulation of algorithms:

Chinese tech companies use algorithm technology for a wide range of applications, from recommending content to users on e-commerce and short video platforms to offering efficient food delivery services. However, companies seeking to make higher profits have been accused of using highly manipulative algorithms to grab user attention, influence prices, and even exploit the rights of gig workers.

The new policy requires service providers to publicly disclose the fundamentals and mechanism of their recommendation algorithms and allow users to easily turn off the service. The directive also bans companies from practices that may cause internet addiction among minors as well as price discrimination based on customers’ preferences and purchase habits, while requiring them to offer safe algorithmic recommendation services for the elderly. [Source]

Another major set of regulations apply to Chinese companies that list on overseas stock exchanges. Last week, the CAC and 12 other regulatory bodies announced that starting on February 15 they would implement new rules requiring platform operators with data on more than one million users to undergo cybersecurity reviews before listing abroad. Should the CAC deem their listing a threat to national security, the companies will then be prohibited from listing. Brenda Goh and Josh Horwitz from Reuters reported on the motivation behind the new rules and their scope of application:

“With stock market listings there is a risk that key information infrastructure, core data, important data or a large amount of personal information could be impacted, controlled or maliciously used by foreign governments,” said the CAC in a statement, reiterating a concern flagged in July when the changes were first proposed.

[…] Alex Roberts, who tracks data policy at law firm Linklaters in Shanghai, said the new rules appeared to have shrunk the scope of the companies likely to be affected by the changes, as compared to the proposal made in July.

“The most significant change in these cybersecurity review measures seems to be the narrowing of the review’s application to only critical information providers, data processors that may impact national security, or platform operators holding over 1 million individuals’ personal data,” said Roberts.

Based on the rules, however, it was still not clear which types of companies would be affected, he added. [Source]

NEW: Our translation of the revised Cybersecurity Review Measures, which take effect next month and add a review requirement for online platforms with more than 1 million users before any foreign IPO. https://t.co/VZ7xKXeag9 Translation updated by @China_Digital. Intro @gwbstr

— Stanford DigiChina Project (@DigiChn) January 10, 2022

Whether the cybersecurity review would apply to Hong Kong was unclear under the original draft of the regulation released in July of last year. In November, the CAC clarified that companies listing in Hong Kong would have to undergo a cybersecurity review if the sale of their shares could affect national security. In this final version of the regulations, however, there is no mention of Hong Kong. Xinmei Shen from the South China Morning Post described how analysts interpreted this omission as exempting Hong Kong listings from review: 

Internet platforms operators with more than 1 million users in China must go through a cybersecurity review before they apply to “foreign” regulators to raise funds through IPOs, the Cyberspace Administration of China (CAC) said.

The regulation did not mention Hong Kong, a special administrative region (SAR) that is not considered a “foreign” authority under China’s “one country, two systems” governance arrangement. That means IPOs by Chinese technology companies will be exempted from the review, according to an article on the Chinese blog Xiaobei Talks Security, a cybersecurity policy-themed blog started by a group of cybersecurity lawyers and scholars.

“The policy is clear now; the document only proposed requirements for IPOs in foreign markets without mentioning Hong Kong, which means cybersecurity reviews are not required for companies going public in Hong Kong,” according to the article. [Source]

Last July, the CAC disrupted Didi’s US$4.4 billion IPO on the New York Stock Exchange, accusing the company of having failed to mitigate the national security risks of its overseas listing and subsequently pulling Didi’s app from app stores. Under pressure from the Chinese government, Didi has since pivoted from New York to Hong Kong, along with numerous other Chinese companies in a series of “homecoming listings.” Weibo is one such company that listed in Hong Kong last year, but this has not shielded it from regulatory scrutiny. Shortly after it went public, as Liza Lin reported for The Wall Street Journal, Weibo was fined millions of dollars by the CAC for spreading “illegal information” on its platform:

The Cyberspace Administration of China said on Tuesday that Twitter-like Weibo had been ordered to pay a penalty of 3 million yuan, the equivalent of about $471,000, for disseminating “illegal information” in severe violation of regulations including the country’s cybersecurity law and its law governing the protection of minors.

The internet regulator said its Beijing office had separately fined Weibo more than 40 times for violations over the first 11 months of the year, resulting in a total penalties equal to $2.2 million.

Weibo said the company accepts the penalty and will start to implement corrective measures, including cleaning up soft pornography and misleading marketing content. The platform had 511 million monthly active users as of September 2020, the most recent number available on the company’s website. [Source]

In early December, the CAC fined Douban US$235,000 for “unlawful” release of information and demanded “immediate rectifications” from the company, without giving further details or reasons. Days later, regulators removed Douban and 105 other apps from app stores, citing “excessive collection of personal information.” Last year, the CAC penalized Douban 20 times and Weibo 44 times. The latest fines come only weeks Chinese tennis star Peng Shuai posted her allegation of sexual assault against China’s former vice-premier Zhang Gaoli, which was heavily discussed on both platforms before being quickly censored. 

Weibo was fined by CAC 44 times this year, totaling 14.3 million RMB ($2.2 million). Checkmate, Douban https://t.co/Y4Ih8cYIdT

— Zeyi Yang 杨泽毅 (@ZeyiYang) December 14, 2021

Now we know that the state reprimands don't just come in words, but also in fines. China's cyber administrator stated today that it has fined Douban 20 times this year, totaling $1.4 million. https://t.co/yIPZRdrWIM https://t.co/m7CqzEALaw pic.twitter.com/H3e28l2bgM

— Zeyi Yang 杨泽毅 (@ZeyiYang) December 2, 2021

First it was Douban. Now Weibo. Who’s next? CAC recently fined Weibo 3 million RMB for insufficient content moderation, and revealed that was the 44th fine Weibo incurred in 2021. Despite pervasive censorship it engineers, Weibo’s been fined over 14 million RMB this year. pic.twitter.com/An6nb4L6c4

— Shen Lu (@shenlulushen) December 14, 2021