The golden days of unfettered growth for China’s homegrown tech companies could be coming to an end as regulators speed up data-oriented reforms. What are the legal pitfalls and the hefty consequences, and who will be most affected? Luna Jin reports

China’s massively successful big tech outfits are being reined in as the nation tightens its control over the data these companies manage – or may fail to manage.

There is no better example than Didi. Remember its big reveal back in 2015 of visits to and from government ministries? Initially a PR exercise in collaboration with Xinhua, this kind of data extraction by a company with almost 400 million active users becomes a matter of concern when such a company decides to list overseas.

After its US IPO, the app has been subject to a review by the Cybersecurity Administration of China (CAC) and blocked from accepting new users. The CAC removed 25 apps under the company, citing its “serious violations of laws and regulations pertaining to the collection of personal information”.

As a result of these actions, Bloomberg recently reported that Didi could face hefty fines and delisting or withdrawal of its US shares.

It remains uncertain what exactly triggered the investigation, but it is clear that tighter controls are intended for companies that have until now enjoyed virtually limitless operational freedoms.

The rapid progress of a recent series of top-down legislative and administrative efforts targeting leading internet platforms on antitrust and data compliance, however, have surely kept the market restless.

A revised draft of the Measures for Cybersecurity Review, issued on 10 July, provides that operators holding the personal information of more than a million users and planning to list on foreign markets, must apply for a review – which in China could apply to every known market player.

As a result, a number of Chinese tech startups have shelved their highly anticipated US IPOs, including Xiaohongshu, Himalaya and Keep. Meanwhile, Chinese stocks listed in the US have plunged, some by as much as half their value.

As suddenly as it has evolved, experts say none of this is un- expected. Jet Deng, a senior partner at Dentons in Beijing, points out that as early as last November the State Administration for Market Regulation (SAMR) had begun deploying anti-monopoly actions towards internet companies with a high-profile consultation process on the draft of the Anti-Monopoly Guidelines on the Platform Economy, a key document that fuelled a number of enforcement cases.

The guidelines were made official in February, and positioned the focus of the current regulatory campaign to a specific type of tech company – the platform operators, notes Rachael Li, a Beijing-based partner at Zhong Lun Law Firm.

Contrary to the harsh crackdown perceived by many, China is rather catching up with the rest of the world on antitrust governance in the tech sphere with a developing legal arsenal, albeit with a much more progressive approach.

“The concern of big tech and their social, economic and political influence has become a global phenomenon and, in this sense, China is doing something that other governments want to do but may not be able to do,” says Vincent Chan, the China strategist of investment consultancy firm Altheia Capital.

Companies must boost compliance to adapt. Still, more certainty from an improving regulatory environment, in the long run, will benefit the industry.

Closing the VIE loophole

In almost all jurisdictions, it is common practice for companies to file for merger review and obtain approval from the regulators before finalising major investment or M&A projects. However, until last year, Chinese internet companies had never filed for merger review for their M&A and joint venture (JV) establishment projects.

“This is illegal,” says Zhou Zhaofeng, the Beijing-based managing partner at Fieldfisher. “There was no other industry where anti-monopoly obligations were ignored as completely as the internet sector.”


Twenty years ago, as China restricted foreign investment in specific industries, related companies had very limited options to raise funds through the capital market. Against this backdrop, pioneered by Sina, a creative design of the variable interest entity (VIE) structure at the dawn of the century ushered in a new era of overseas listings for Chinese companies and brought about a rapid boom of the country’s internet industry.

The structure, created to circumvent Chinese law, however, had neither been directly nor positively acknowledged or denied by Chinese regulators – until last year. This left the investment and M&A activities of related companies falling into ambiguity, or even a regulation vacuum.

“Considering that the development of China’s internet industry started slightly later than Europe and the US, China has been adhering to an attitude of inclusive and prudent regulation to encourage the development of these companies,” notes Huang Wei, the Beijing-based managing partner at Tian Yuan Law Firm.

As technology progresses, China has developed well-capitalised internet conglomerates with strong market influence, which have ventured not only into people’s livelihood sectors but also into finance and other areas. “If they are not effectively regulated in anti-monopoly, a series of problems that harm consumers’ welfare, orderly competition and the safety of financial markets will occur,” says Huang.


In this sense, regulating companies with VIE structures is imperative. In July last year, a JV establishment transaction between Shanghai Mingcha Zhegang Management Consulting and Huan-sheng Information Technology (Shanghai) was unconditionally approved by the SAMR. This was the first time that Chinese merger control authorities had publicly accepted and unconditionally approved a case involving a VIE structure.

“It’s a clear signal that the VIE structure is no longer a grey area for the review of concentration of business operators,” says Scott Yu, a Beijing-based partner at Zhong Lun Law Firm and lead partner of the transaction. The rule is also made clear at the policy level in the above-mentioned guidelines.

Deng, of Dentons, points out that after the introduction of the guidelines up until now, the SAMR has imposed 44 penalties on failure to seek clearance with regard to transactions involving a VIE structure ever since the very first three cases last December, including Alibaba.


“Companies with a VIE structure should promptly assess whether they need to seek clearance prior to implementation of the transaction, especially for complex situations such as multiple rounds of financing and minority investments,” says Deng.

It is estimated that more than 300 Chinese companies have adopted VIE structures to achieve overseas listings, and thousands of companies have accepted PE/VC investment under the structure. Given the limited flexibility of current domestic capital markets and a gradual clarity of the central government’s regulatory trend on VIE structures, international investors’ concern as to whether the central government will kill the VIE completely seems to be irrelevant in the near future.

Scope of impact

Although the 44 penalties administered for procedural violations amounted to a mere RMB500,000 (USD76,800) each, Yu believes that failing to seek clearance is also a violation of substantive legal requirements, and that the penalties are not high simply because the maximum fines provided for in the law are not high.

Considering that future amendments to the Anti-Monopoly Law (AML) are likely to increase the amount of penalties in this regard, he suggests that internet companies, as well as funds and other investors with portfolios in the industry, should conduct a comprehensive self-examination of their past investment behaviour, and identify and voluntarily surrender themselves as soon as possible, before it’s too late.

In early 2020, the SAMR issued amendments to the AML for public consultation, which, among other things, significantly raise the cap on fines for failing to seek clearance, from RMB500,000 to a maximum of 10% of a party’s global turnover in the previous year. If imposed on top-tier Chinese internet companies, and considering their revenue in recent years, the fines could easily exceed RMB10 billion once the amendments become law, which is very likely to happen this year.

So, for these past investments, how far back will the current anti-monopoly enforcement actions go? Should the two-year retroactive statute of limitations set out in the Administrative Penalties Law apply in this case?

Yu believes otherwise. He points out that the retrospective period prescribed is counted from the date on which the violation is terminated, while the outcome of these failures to seek clearance has continued to exist, and therefore they shall not be exempted using the retrospective period standard.

“In fact, there are already cases in practice where penalties are still imposed more than two years after [the completion of the transaction],” says Yu. “We therefore recommend that relevant parties conduct self-examination since the implementation of the AML in 2008.”


However, he also notes that in past practice there was still room for argument for cases that predated the promulgation of the Interim Measures for Investigating and Handling Failure to Legally Declare the Concentration of Business Operators, in 2012.

Apart from investments and mergers, Yu says the guidelines also cover several other types of behaviour of internet companies, including:

(1) the collection and use of user data;

(2) the impact of the use of technology and algorithms on bilateral competition;

(3) the impact of the use of technology and algorithms on pricing; and

(4) the fairness of trading terms between the platform operator and merchants within the platform.

Bigger storm brewing

According to Deng, the above-mentioned 44 merger review penalties are just part of the initial stages of the SAMR’s antitrust deployment, and none of them involves a high target amount. “The SAMR is still carefully investigating some big cases, with major enforcements in the wind,” he says.

In addition to failure to seek clearance, John Ren, the managing partner of T&D Associates in Beijing, says that abuse of dominant market position and monopoly agreements provided by the AML remain the focus of enforcement.

It took only 107 days for the SAMR to decide in April on Alibaba’s record-breaking RMB18.2 billion penalty for forcing vendors to choose between Alibaba or competing platforms, a typical case for the abuse of dominant market position.

Zhou, of Fieldfisher, points out that the use of big data in abuse of dominant market position – such as price discrimination driven by algorithms, which is unique to the new economy sector – has attracted the attention of anti-monopoly enforcement agencies globally. “This will become the focus of enforcement in China for some time to come,” he predicts.

This was made clear in China’s first fundamental and comprehensive data legislation, recently passed in Shenzhen. The Shenzhen Special Economic Zone Data Regulations stipulate that “data analysis shall not be used to impose differential treatment on users with the same trading conditions without justified reasons”.

Violators can be fined up to RMB50 million. The amendments of the Provisions on the Administrative Punishment of Price-related Violation, on which the SAMR called for public consultation on 2 July, also include big data-enabled price discrimination in the “pricing violations in new business models” provision (article 13). This provision also covers the unfair competition behaviour of internet companies that grab market share through subsidies.

Community group-buying, hailed by Chinese tech companies as a way to cut out the middleman by connecting food suppliers directly with end customers, is another area of focus. If the maximum penalty of 5% of sales in the previous year is applied, as provided in the amendments, the RMB1.5 million penalties im- posed by the SAMR this March on Didi, Meituan and Pinduoduo for price subsidies and using false or misleading price tactics to “trick” consumers, will rise to about RMB710 million, RMB570 million and RMB300 million, respectively.

New compliance front

At the heart of the regulatory updates, increased enforcement efforts and penalties, lies the internet companies’ most important asset – data.

In the coming decades, data will be the most important resource. “It’s kind of the ‘new gold’, and those companies that have access to data will become the most powerful,” says Ulrike Glueck, the managing partner of CMS China in Shanghai. “This makes it very important to supervise and ensure that collection, storage and use of data are done in line with the law.”

It should be noted, however, that the central government’s anti-monopoly regulation regarding data is by no means aimed at suppressing tech companies. Deng says the guiding principle behind these actions is placing equal emphasis on development and regulation.

“The Chinese government actually recognises the important contribution of the platform economy to our economic development, livelihood protection and increasing international competitiveness, as stated clearly both in the Central Economic Work Conference from last year and the Government Work Report this year,” he says.

Zhou points out that for a long time China has undertaken a relatively relaxed regulatory attitude towards data compliance, since “companies involved have powerful lobbying capabilities, and the data sector is still developing”.

In relation to the Didi cybersecurity and national security fiasco are a number of new amendments in the Measures for Cybersecurity Review (Draft for Comment) preventing potential risks to cross-border data transfer, and applying to critical information infrastructure (CII) operators as well as the data processors.

Currently, investors and companies are closely monitoring the otential impact of the relevant provisions, with some companies that had been queuing to raise funds overseas suspending their listing plans in light of the key document.

For these companies, according to Yuan Lizhi, a partner at Jingtian & Gongcheng in Beijing and Shanghai, data security, the compliance of the cross-border transfer of important and core data is one focus of the cybersecurity review.

The two most important considerations added under article 10 of the draft for comment regarding national security review priorities are:

(1) the risks of core data, important data or large amounts of personal information being stolen, breached, damaged or illegally used for transfer abroad; and

(2) the risk of the CII, core data, important data or large amounts of personal information being influenced, controlled or maliciously used by foreign governments after a foreign listing.

It is interesting that the wording “foreign” instead of “offshore” in the provisions has led to speculation that companies planning to list in Hong Kong may be exempted from the cybersecurity review, and that therefore domestic companies planning to list in the US may turn to Hong Kong in the short term. Another discussion surrounding wording in the draft for comment is in article 6, which is unclear as to the scope of the companies it refers to. It provides that “operators hold- ing the personal information of more than 1 million users and newly listing on foreign markets must apply for a review”. For the Chinese market, 1 million users is a very low threshold, and companies engaged in “to customer” businesses can easily trigger the review, and their proposed listings will undoubtedly be the most affected.

Among the companies recently disclosed queuing to list in the US, several are platform-as-a-service (PaaS) providers that offer enterprise-level cloud services. As to whether they fall under the scope of the review, Yuan says that the wording used in the draft remains to be tested in practice. However, he adds that, considering the backdrop and intention of the amendments emphasising the material impact on national security, the wording should be interpreted in terms of the actual access to the data, rather than being limited by the business model and legal formality.

“From this perspective, even though PaaS providers, bound by law and contracts, only provide basic cloud services and do not touch users’ personal data per se, they have the ability to do so, so they are not precluded from being deemed to be in ‘holding’ of users’ data,” he says. Yuan adds that PaaS providers could also trigger scrutiny for falling within the scope of CII, as referred to in article 2.

Given many uncertainties at play, Yuan suggests that companies involved in VIE structures focus on whether new data interactions will occur at the business operation level, especially for data transfer abroad, and whether they contain important and core data, for future mergers and investments.

“Where the industry has requirements such as local data storage or restrictions on data transfer abroad, the target company must strictly comply, and parties involved must not access data through control at will,” he says. Additional attention should also be paid to the process of business presentations, and providing financial statements and data to investors and financial advisers, as to whether it involves the transfer of data out of the country from the domestic target company, says Yuan.


Internet companies, due to their own business characteristics, often need to balance anti-monopoly and data compliance, and their compliance teams face the challenge of constantly updating their knowledge and identifying new risks.

In this regard, Ren, of T&D Associates, suggests that in-house counsel of these companies should give special consideration to:

(1) how to more effectively embed relevant competition compliance mechanisms at multiple levels of the company’s businesses, such as timely feedback and assessment of antitrust issues involved in the process of investment and mergers, review and improvement of the business model itself, identification and consultation of antitrust issues involved in internal policies and commercial agreements, etc; and

(2) better prevention of the company, its employees and the platform’s algorithms and operational arrangements from committing acts that harm and exclude competition.

Zhou, on the other hand, stresses that the compliance system must be integrated into daily business activities, rather than simply coming up with guidelines and a compliance system and leaving it at that. “At the same time, a compliance audit system should be established to ensure that antitrust compliance measures are in place,” he suggests.

The end game

With the speed and gravity surrounding the current round of antitrust enforcement actions, how far are the regulators willing to go? Will there be a potential spin-off in China, as occurred in 1984 to AT&T in the US? Zhou believes that, given China’s past antitrust enforcement practices, a spin-off would be unlikely.

“It’s more likely that regulators will allow for operation with affiliated conditions, i.e. requiring companies to report regularly on their compliance with the requirements of the anti-monopoly enforcement agencies, rather than an outright breakup,” he says.

Deng agrees. “Except for restoration, divestiture of assets and other similar measures in the concentration of business operators regime, there is no legal basis for forcibly splitting up companies in China unless they do so voluntarily after negotiating with the government.

“If the existing measures are sufficient enough for regulating the development of the internet economy, then there is no need for the government to require a spin-off.”

However, he also cautions that amendments to the AML could be passed within this year, and whether a spin-off revision is included in the amendments would be revealed then.

The Central Economic Work Conference at the end of last year identified “strengthen anti-monopoly efforts and prevent disorderly expansion of capital” as one of the key tasks for government work this year. The key question is whether there will be an unintended consequence of negatively affecting China’s productivity gains or innovation capacity.

Chan, of Altheia Capital, says that business model innovation is key to these new economy sectors, and business model innovation by nature involves a lot of trial and error; in the process, there could always be activities that are borderline legal or illegal. “If companies need to get the bureaucracy to approve any actions before they try something new, the business will be very difficult to run,” he says.

“We should not forget that these ‘Big Tech’ companies are the most innovative, and drivers of innovation in the past 10 to 20 years in China.”

Takeaway for foreign companies

For many foreign and foreign-invested companies, a major concern is whether they can store data obtained, e.g. from their customers in China, on their overseas server or cloud, and what the requirements are, says Glueck of CMS.

“They need to keep a close eye on any updates, set up an internal data management, and regularly review and update their internal policies on data handling,” she says.


In terms of antitrust compliance, Glueck reminds foreign companies to check and ensure that their “contracts and business relationships with suppliers, customers and distributors” are compliant with related laws and regulations.

Huang, of Tian Yuan, believes that the current enforcement efforts are by no means confined to China’s homegrown companies. “Multinational companies should pay close attention to the penalty cases published by the regulators, screen risks on all fronts in conjunction with the new rules, and upgrade their compliance systems,” he says.