The Diplomat author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Dr. Rogier Creemers – assistant professor in modern Chinese studies at Leiden University and co-editor of “The Emergence of China’s Smart State” (Rowman and Littlefield 2023) – is the 393rd in “The Trans-Pacific View Insight Series.”
Why is the Cyberspace Administration of China (CAC) considered the world’s most powerful digital institution?
The CAC has several different roles, both political and regulatory. First, it houses the secretariat of the Central Cybersecurity and Informatization Commission. This top-level decision-making body, chaired by Xi Jinping personally, groups the heads of all important party and state bodies, as well as the People’s Bank of China and the military, that are involved in digital policymaking. Running the secretariat means the CAC has a direct line to the top leadership, and plays a very important role in both supplying the Commission with information, and in implementing their policy decisions.
Second, it has regulatory power over online content in China, which it has taken to include AI content recommendation and generation in recent years. As such, it is the prime rule-setter for the world’s largest online population and second-largest digital economy.
Third, it is responsible for the protection of personal information under the Personal Information Protection Law and has some tasks concerning data security under the Data Security Law as well. Next to content, this is the most impactful area of digital regulation now. This is not to say the CAC has done everything right. It is currently working on revisions to data export rules that have proved to be excessively onerous to both Chinese and international businesses, for instance, and significant lack of implementation and enforcement clarity remains around the Data Security Law.
Furthermore, the CAC has direct authority over a number of specific technical bodies, such as CNNIC (China’s DNS registry) and CNCERT/CC (China’s computer emergency response team), the cybersecurity standardization body TC260, and a number of industrial associations such as the Cybersecurity Association of China. In short, no state anywhere in the world has been as ambitious in regulating the digital sphere as China has, and given the country’s scale and technological leadership, it automatically means the CAC – with its broad political and regulatory tasks – is arguably in a league of its own.
How has the Cybersecurity Law (CSL) empowered the CAC?
First, the CSL consolidated an earlier State Council decision to empower the CAC as the primary regulator for online content, having identified undesirable content as a key cybersecurity risk. Furthermore, the CSL also put the CAC in charge of coordinating all cybersecurity-related work with other ministries and regulatory bodies.
However, that coordination has not always worked well. Particularly in the area of data protection, there were years of turf conflicts between the CAC and the Ministry of Public Security, which meant few actual regulations were passed. Part of the task of the subsequent PIPL and DSL was to clarify those responsibilities.
The CAC also has oversight over processes such as critical information infrastructure protection, the cybersecurity review of digital products and services, and cybersecurity incident response.
Explain the scope and scale of CAC’s domestic and foreign engagement function.
At home, the CAC has been a cheerleader for the development of China’s digital industry, as well as for building awareness around digital concerns. For the past decade, it has organized a national Cybersecurity Week, a series of events, exhibitions, radio and television programs, academic and policy exchanges aimed at increasing cybersecurity awareness among the populace. It is vocal about the role of digital technology in broader party initiatives, such as its poverty elimination drive, and in continuing the process of economic and social modernization.
Internationally, its main showpiece is the World Internet Conference, held every year in the Zhejiang river resort of Wuzhen since 2014. Initially, the CAC also sought a greater role in direct engagement with global digital governance initiatives. However, since the downfall of its first director Lu Wei, it mainly supports the Ministry of Foreign Affairs, who takes the lead. It has, nevertheless, significantly contributed to initiatives such as the Global AI Initiative, presented at October’s Belt and Road Forum.
Describe the relationship between the CAC and Chinese Communist Party (CCP).
The CAC effectively wears two hats – it is “one body with two nameplates” (yige jigou, liangge paizi). On the one hand, it is a state institution; on the other, it is a party body directly subordinate to the Central Committee. Denoting its origins as part of the propaganda bureaucracy, it has particularly close links with the Central Propaganda Department: CAC directors are ex officio heads of the CPD. These arrangements are reproduced at the local level.
The CAC’s party identity and authority emanating from the Central Committee does give it more political clout than “mere” State ministries. Moreover, it oversees the China Internet Investment Fund, which, amongst others, takes “golden shares” in major digital businesses.
Assess how the CAC operates at the central, provincial and municipal levels.
At the national level, the CAC is mainly a rule-setting body, with the vast majority of its enforcement powers and responsibilities devolved to the local levels. However, these local CACs display varying levels of capability and competence, with some of the most powerful ones located in major tech hubs such as Beijing, Shanghai, and Guangdong.
The CAC does, however, decide on the most important cases, including the 8 billion RMB fine imposed against ride-hailing giant Didi Chuxing.