Didi cybersecurity review expected to set precedent for future ‘national security’ probes into data collection

·6-min read

China’s cybersecurity review of ride-hailing giant Didi Chuxing has set a precedent for how the government will handle national security issues related to data, and lays the groundwork for future investigations into other major tech companies, according to analysts.

The cyberspace security review office, an obscure unit of the powerful Chinese Administration of Cyberspace (CAC), announced the review into Didi on Friday, saying it had stopped the ride hailing giant from registering new users. In another statement on Sunday, CAC said it had also ordered app stores to remove Didi from their platforms.

Then on Monday morning, the cyberspace security review office said it was launching a similar investigation on “national security” grounds into truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin.

Do you have questions about the biggest topics and trends from around the world? Get the answers with SCMP Knowledge, our new platform of curated content with explainers, FAQs, analyses and infographics brought to you by our award-winning team.

Like Didi, which listed on the New York Stock Exchange last week, Full Truck Alliance, which runs Yunmanman and Huochebang, raised US$1.6 billion from its stock offering last month, while Boss Zhipin started trading on Nasdaq in mid-June after raising US$912 million.

CAC said the investigations were launched “to prevent risks regarding national data security and to maintain national security”.

The office said the probe was conducted in accordance with the National Security Law, the Cybersecurity Law and the Measures for Cybersecurity Review, but it did not mention any specific clauses that Didi had supposedly violated.

Didi is under investigation by China’s cyberspace administration

The Didi investigation marks the first time Beijing has publicly cited national security as a reason for launching an inquiry into one of the country’s tech giants.

Analysts say the impact could be far-reaching. “It begins a new round of regulatory scrutiny on Chinese internet companies,” said Wang Sixin, a law professor at the Communication University of China.

Wang indicated that the CAC laid the groundwork last year for such probes into legal and institutional groups, and it is now putting new rules into force.

Wang said the recent flurry of US public listings may have triggered the investigations. “For companies like Didi, they have a lot of basic data on roads, transport as well as consumption habits. This kind of data is closely related to national security,” Wang said.

Zhai Wei, a law professor at East China University of Political Science and Law in Shanghai, said the investigation was a new milestone in the cybersecurity and internet regulation space.

“In the past, the [cybersecurity] law was just on paper and we had not implemented it much … [The Didi case] will set a benchmark for future cases,” Zhai said.

Big Tech companies have recently faced mounting regulatory pressure in other areas, most notably from multiple antitrust-related investigations and fines.

Past cases involving data security have been framed in terms of user privacy, according to John Dong, a securities lawyer at Joint-Win Partners in Shanghai. With the new case against Didi, government policy and regulations have become one of the biggest risks for companies, he said.

“Once the issue is related to national security, it should be recognised as a business risk at the highest level,” Dong said.

Traders seen during the IPO for Didi Global Inc on the New York Stock Exchange floor. Photo: Reuters
Traders seen during the IPO for Didi Global Inc on the New York Stock Exchange floor. Photo: Reuters

The news dampened excitement around Didi following its IPO on June 30, when the Beijing-based company raised US$4.4 billion, valuing it at about US$70 billion. After news of the investigation broke, Didi’s share price fell 5.3 per cent on Friday to US$15.50. It lost a further 1 per cent in after-market trading.

Companies backing the Chinese ride-hailing firm tumbled in Asian trading on Monday. SoftBank Group, Didi’s largest shareholder with a 20.1 per cent stake, fell 5.4 per cent in Tokyo. Tencent, with less than 10 per cent stake, declined 3.6 per cent in Hong Kong, erasing all of its gains this year.

Didi said in a statement that it will cooperate with the investigation.

On Saturday, Didi vice-president Li Min refuted rumours circulating on microblogging platform Weibo that the company had surrendered Chinese user data to US authorities.

“Domestic user data is stored on domestic servers, and it is impossible [for us] to give the data to the US,” Li wrote in a Weibo post.

Li also engaged with other Weibo users and threatened to sue people for spreading false information about the ride-hailing giant. However, his efforts failed to stop some netizens from guessing at possible reasons behind the cybersecurity review.

Under China’s Measures of Cybersecurity Review guidelines, which went into effect in June 2020, a cybersecurity review is meant to assess national security risks associated with “network products and services purchased by key information infrastructure operators”.

A review could be launched in response to the misuse or destruction of information infrastructure, mishandling of data, or even supply interruptions resulting from “political, diplomatic and trade factors” as a result of an operator acquiring products and services.

A review generally takes up to 45 working days to complete, but that period can be extended and does not include the time that a target company spends preparing documents for the investigation. At the same time, the regulation stipulates that any member of the review office has the right to initiate an investigation if it sees a potential national security concern in a network product or service.

The Didi investigation is the first time the cyberspace security review office has been involved in such a case. The group coordinates with 12 Chinese ministerial bodies, including the Ministry of Public Security and the Ministry of State Security.

Nathaniel Rushforth, a lawyer specialising in cybersecurity for Shanghai-based DaWo Law Firm, said he expects to see the office involved in more cases going forward.

“We can expect to see an uptick in reviews and enforcement actions against all companies, domestic and foreign-invested, likely including those more in the public eye,” Rushforth said.

China’s new Data Security Law pushes back on US jurisdictional encroachment

He added that companies like Didi are coming under increasing scrutiny because of the “copious amounts of personal information and other potentially sensitive data” they collect.

“The ‘cybersecurity framework’ is designed to exert a measure of control over what these companies are doing with the data they collect and process in China,” Rushforth said. “Additionally, potential cross-border transfer [of data] is a hot-button issue for multinationals, and these laws also tighten requirements for engaging in such transfers.”

Zhai, the law professor in Shanghai, said the Didi case has broad implications for how China will handle national security in the future. Didi has become part of China’s “critical information infrastructure”, he said, because its data resources are linked to economic and social security.

“On the surface, it’s just a cybersecurity case, but it involves security issues in other dimensions,” Zhai said.

More from South China Morning Post:

This article Didi cybersecurity review expected to set precedent for future ‘national security’ probes into data collection first appeared on South China Morning Post

For the latest news from the South China Morning Post download our mobile app. Copyright 2021.

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting