Didi cybersecurity review expected to set precedent for future ‘national security’ probes into data collection
- The Didi review is the first time Beijing has invoked national security in a Big Tech investigation, a move that could be precedent-setting, say analysts
- News of the investigation, coming two days after Didi’s IPO in New York, triggered a 5 per cent drop in its share price
Then on Monday morning, the cyberspace security review office said it was launching a similar investigation on “national security” grounds into truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin.
Like Didi, which listed on the New York Stock Exchange last week, Full Truck Alliance, which runs Yunmanman and Huochebang, raised US$1.6 billion from its stock offering last month, while Boss Zhipin started trading on Nasdaq in mid-June after raising US$912 million.
CAC said the investigations were launched “to prevent risks regarding national data security and to maintain national security”.
The office said the probe was conducted in accordance with the National Security Law, the Cybersecurity Law and the Measures for Cybersecurity Review, but it did not mention any specific clauses that Didi had supposedly violated.
The Didi investigation marks the first time Beijing has publicly cited national security as a reason for launching an inquiry into one of the country’s tech giants.
Analysts say the impact could be far-reaching. “It begins a new round of regulatory scrutiny on Chinese internet companies,” said Wang Sixin, a law professor at the Communication University of China.
Wang indicated that the CAC laid the groundwork last year for such probes into legal and institutional groups, and it is now putting new rules into force.
Wang said the recent flurry of US public listings may have triggered the investigations. “For companies like Didi, they have a lot of basic data on roads, transport as well as consumption habits. This kind of data is closely related to national security,” Wang said.
Zhai Wei, a law professor at East China University of Political Science and Law in Shanghai, said the investigation was a new milestone in the cybersecurity and internet regulation space.
“In the past, the [cybersecurity] law was just on paper and we had not implemented it much … [The Didi case] will set a benchmark for future cases,” Zhai said.
“Once the issue is related to national security, it should be recognised as a business risk at the highest level,” Dong said.
Didi said in a statement that it will cooperate with the investigation.
On Saturday, Didi vice-president Li Min refuted rumours circulating on microblogging platform Weibo that the company had surrendered Chinese user data to US authorities.
“Domestic user data is stored on domestic servers, and it is impossible [for us] to give the data to the US,” Li wrote in a Weibo post.
Li also engaged with other Weibo users and threatened to sue people for spreading false information about the ride-hailing giant. However, his efforts failed to stop some netizens from guessing at possible reasons behind the cybersecurity review.
China kicks off antitrust probes into Alibaba over alleged monopolistic practices
Under China’s Measures of Cybersecurity Review guidelines, which went into effect in June 2020, a cybersecurity review is meant to assess national security risks associated with “network products and services purchased by key information infrastructure operators”.
A review could be launched in response to the misuse or destruction of information infrastructure, mishandling of data, or even supply interruptions resulting from “political, diplomatic and trade factors” as a result of an operator acquiring products and services.
A review generally takes up to 45 working days to complete, but that period can be extended and does not include the time that a target company spends preparing documents for the investigation. At the same time, the regulation stipulates that any member of the review office has the right to initiate an investigation if it sees a potential national security concern in a network product or service.
The Didi investigation is the first time the cyberspace security review office has been involved in such a case. The group coordinates with 12 Chinese ministerial bodies, including the Ministry of Public Security and the Ministry of State Security.
Nathaniel Rushforth, a lawyer specialising in cybersecurity for Shanghai-based DaWo Law Firm, said he expects to see the office involved in more cases going forward.
“We can expect to see an uptick in reviews and enforcement actions against all companies, domestic and foreign-invested, likely including those more in the public eye,” Rushforth said.
He added that companies like Didi are coming under increasing scrutiny because of the “copious amounts of personal information and other potentially sensitive data” they collect.
“The ‘cybersecurity framework’ is designed to exert a measure of control over what these companies are doing with the data they collect and process in China,” Rushforth said. “Additionally, potential cross-border transfer [of data] is a hot-button issue for multinationals, and these laws also tighten requirements for engaging in such transfers.”
Zhai, the law professor in Shanghai, said the Didi case has broad implications for how China will handle national security in the future. Didi has become part of China’s “critical information infrastructure”, he said, because its data resources are linked to economic and social security.
“On the surface, it’s just a cybersecurity case, but it involves security issues in other dimensions,” Zhai said.