n July 10, the Cyberspace Administration of China (CAC), the country’s internet watchdog, proposed a revision to China’s cybersecurity rules and a new regulation of “critical information infrastructure.”
Citing concerns over data held by companies which could be “affected, controlled, and maliciously exploited by foreign governments,” the new rules would require any company with data involving more than one million users to seek the agency’s approval and submit IPO materials before listing overseas.
The move came a week after the CAC launched a high-profile investigation into Didi, China’s largest ride-hailing service, over “seriously violating laws” on data collection and usage on July 2, less than 48 hours after Didi went public in the US on June 30. Didi was ordered to remove its app from all mobile app stores in the Chinese mainland and it is not allowed to register new users, although existing customers can still use it.
The most popular ride-hailing app in China, Didi says it has 493 million active users. According to data released by the Ministry of Transport, in October 2020 alone, 562 million bookings were made through the company’s platform, accounting for 90.6 percent of total market share.
In its statement, the CAC said its investigation into Didi was prompted by potential leaks of sensitive data that might harm China’s national interests. As it implies the investigation is about a leak of sensitive data that has already happened, rather than a potential threat, the announcement led to wide speculation about what happened during Didi’s IPO on the New York Stock Exchange (NYSE).
Rumors circulating on Chinese social media claim the company agreed to hand over its data to the US government in order to have its IPO approved by US authorities. Didi was swift to deny this. Li Min, a senior executive of Didi posted on WeChat that the company’s data is stored on Chinese servers and there is no possibility that Didi would hand over data to the US government.
But few were reassured by Li’s comments. Didi’s own attempts to lay low during its IPO only made things more suspicious. It was the biggest IPO of a Chinese company on the NYSE since Alibaba Group’s 2014 listing, which raised US$21.77 billion. However, Didi Global, the name it listed under, seemed to be trying to be as discreet as possible, with no official announcement made and no “bell-ringing” ceremony. The IPO on June 30 raised US$4.4 billion with shares listed at US$16. Following news of the investigation, the value of the shares plummeted.
On Chinese social media, research in 2015 conducted by Didi was quickly recirculated. The company analyzed bookings made by staff working in different ministries of the central government in Beijing, and concluded the Ministry of Public Security was the busiest branch, with staff at the National Development Reform Commission (NDRC), China’s top economic planner, being the earliest to start work and those at the Ministry of Land and Resources working the longest hours.
Back in 2015, the research was passed around on social media to show Didi’s big data capability. But now, it served as a reminder for the public of what Didi can do with the data it harvests and how a data leak could undermine national security. The company also collects satellite data from China’s Beidou positioning system and video footage from in-car cameras.
It is alleged that such sensitive data can be a potential target for overseas intelligence agencies. The fact that its largest lab which processes data using artificial intelligence is located in California, and one of Didi’s independent directors, Adrian Perica, a West Point military academy graduate and former US army officer, does not help either. Perica is Apple’s VP of corporate development who joined Didi’s board when Apple invested US$1 billion in the company in 2016.
“It is definitely a legitimate concern for the Chinese authorities regarding the risk posed by a data leak to national security given the scale and scope of data Didi collects,” said Liu Xu, a researcher with the National Strategy Institute Tsinghua University.
For many, Didi’s case may mark the start of China’s efforts to establish a tighter data security regime. According to Jiao Haitao, an economic law professor at China University of Political Science and Law, the investigation into Didi is the first major case conducted under the Cybersecurity Review Measures, which went into effect on June 1, 2020.
“In the past, the concept of cybersecurity in China was quite abstract, with no established procedures and standards, but Didi’s case could change all of that,” Jiao said.
According to Liu Xu, what is different about the CAC’s move is that it is the first time the authorities have launched a formal investigation into cybersecurity. In the past, such reviews were usually conducted in an informal fashion which was not legally binding or enforceable. “It [Didi’s case] will help set a precedent for future cases,” Liu said.
Liu added that such reviews should have been conducted earlier, especially when many of China’s tech giants are partially owned by foreign investors. In Didi’s case, both its largest and second-largest stakeholders, Softbank and Uber, are foreign entities, which own a combined 30 percent of the company.
“Didi acquired Uber China in 2016, it reached a strategic deal with Uber to become each other’s stakeholders, and it remains unclear whether the two sides reached any deals in data exchange and cooperation,” said Liu. “If there is such a deal, is it allowed for companies partially owned by foreign investors? If so, should it be submitted to the authorities for review and approval? These are the questions we need answered.”
In the past months, Chinese regulators have noticeably stepped up oversight of the sprawling tech giants amid rising sentiments against them. Since late last year, the CAC has periodically published lists of apps that were found to be inappropriately collecting information. On June 11, it warned 129 apps against illegally collecting personal data.
In May, the CAC published a set of draft rules to tighten oversight of data collection in the auto industry. The proposed regulations were announced after Tesla, whose cars were reportedly banned from military locations, prompted the carmaker to reassure that it stores data collected from its cars in China entirely on local servers.
The simmering tensions amid tech and trade wars between the US and China no doubt add a political dimension to China’s regulation of tech firms. Under the previous Trump administration, the US imposed new auditing standards on Chinese companies listing in the US in 2020 aimed at shutting Chinese companies out of the US financial market.
However, Chinese companies have still flocked to list in the US, both in pursuit of better returns and as a means to circumvent regulatory restrictions on ownership by foreign investors in the internet industry. According to data from Refinitiv, a financial market data firm, Chinese companies raised US$12 billion from NYSE IPOs, more than triple the amount in 2019. In the first six months of 2021, 34 firms, including Didi, raised another $12.5 billion in US markets.
As many of these companies are tech firms with powerful data collecting ability, cross-border transfer of data has emerged as a new focus of Chinese regulators. The Didi investigation may signal that the Chinese government is trying to close the loophole, which is increasingly considered a risk for national security.
On July 6, the State Council issued a notice that pledged to strengthen its regulation and speed up the revision of regulations on data security for Chinese firms listed overseas. On July 9, the CAC expanded the scope of the investigation, announcing a ban on another 25 apps owned by Didi, including Didi Enterprise and Uber China on the same grounds of violating the law over personal information collection.
It announced similar reviews regarding “national data security risks” of other internet companies, including job recruiting platform Boss Zhipin, and two truck-booking apps under Full Truck Alliance. Both Boss Zhipin and Full Truck Alliance are listed in the US.
Several Chinese companies have now put their plans for an IPO in the US on ice, including medical data specialist LinkDoc and Keep, a popular fitness app backed by Softbank and Tencent. Many believe that when the newly proposed revision to the data security rules comes into effect, the wild days of the Chinese internet and tech unicorns will be over.