Behind the Facade of China’s Cyber Super-Regulator: What we think we know—and what we don’t—about the Cyberspace Administration of China
The article examines the complexities and challenges posed by the Cyberspace Administration of China (CAC), the country’s regulatory authority for cyber affairs. It traces the CAC’s origins to the State Internet Information Office (SIIO) and its evolution under the intertwined party-state system led by the Chinese Communist Party (CCP). The CAC was spotlighted internationally after it targeted DiDi Global for a cybersecurity review just days after DiDi’s U.S. IPO, leading to a suspension of new user registrations and eventually a hefty fine for alleged violations of cybersecurity, data security, and personal information protection laws. This action, like other sudden regulatory interventions, was not clearly based on existing law, and lacked transparency, reflecting the CAC’s powerful yet opaque role in China’s governance structure.
The CAC’s dual party-state nature complicates its position: it operates both as a regulatory authority under state laws and as a party organ under the CCP. This dual role raises significant questions about its accountability and the transparency of its decision-making processes. While it engages in rulemaking and administrative activities typical of regulatory bodies, it lacks the typical attributes of transparency and procedural fairness expected of such bodies.
The article also discusses the broader context of CAC’s authority expansion, especially in cybersecurity and data security, which aligns with the CCP’s priorities of national security and technological sovereignty. However, the blending of party directives and state regulations can obscure the legal basis for its actions and limit the recourse available to businesses and individuals affected by its decisions. Overall, the CAC exemplifies the challenges of governance in China where regulatory and political functions are deeply interwoven, leading to a regulatory approach that is often reactive and opaque, with significant implications for both domestic and international actors in the digital space.
