Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
Chinese truck-hailing apps Huochebang and Yunmanman, owned by Full Truck Alliance, seen on smartphones in this illustration picture taken on July 5. Photo: Reuters

China launches cybersecurity review into more US-listed firms following action against Didi Chuxing

  • The new targets of China’s cybersecurity review regulation include two truck-hailing apps and an online recruitment firm
  • The move comes hours after the powerful cyberspace administration agency ordered Didi Chuxing off the nation’s app stores
China’s powerful internet watchdog launched new cybersecurity reviews of three more online services on Monday, including newly-listed truck-hailing service providers and an online recruitment app, hours after an action against ride-hailing giant Didi Chuxing.

The Cyberspace Administration of China (CAC) said it is targeting apps Yunmanman and Huochebang, dubbed China’s “Uber for trucks”, and an online recruiting platform known as Boss Zhipin, to prevent data security risks and to protect national security.

Full Truck Alliance, the result of a merger between Yunmanman and Huochebang in 2017, raised US$1.6 billion on the New York Stock Exchange last month. Beijing-based Kanzhun, the company behind Boss Zhipin, also went public in June, raising US$912 million. Didi Chuxing collected US$4.44 billion in its blockbuster offering last week.

China’s cybersecurity watchdog orders Didi removed from country’s app stores

Using wording similar to that of its Didi probe, the administrator ordered the three apps to stop registering new users. It cited the National Security Law, the Cybersecurity Law and the Measures for Cybersecurity Review as justification for the action, but did not mention any specific clauses that the three apps had supposedly violated.
Existing users of apps can still use the services. Unlike Didi, the apps are also still available in Chinese app stores. On Sunday, the CAC ordered app stores to remove Didi, but it did not explicitly connect the move to the cybersecurity review.

Boss Zhipin and Full Truck Alliance said they will actively cooperate with the review and assess their cybersecurity risks.

Full Truck Alliance is one of China’s biggest trucking companies. In 2020, about 20 per cent of China’s heavy- and medium-duty truckers fulfilled shipping orders using the company’s platforms, according to its prospectus, citing data from China Insights Consultancy. It also said 2.8 million truckers fulfilled 71.7 million orders on its platforms last year.

Boss Zhipin also looms large in its industry. It had 24.9 million monthly active users in the first three months of the year, according to the company’s prospectus. Its 85.8 million verified jobseekers and 13 million verified enterprise users include executives from big companies, small business owners and recruiting professionals, according to the document.

A driver of Chinese ride-hailing service Didi drives with a phone showing a navigation map on Didi's app in Beijing on July 5. Experts say Chinese authorities could be concerned about the exposure risks of sensitive data collected by Didi and similar services. Photo: Reuters

Experts said the public listings for all three companies under review may have raised red flags in Beijing. Possible national security concerns could centre around the vast troves of data the companies hold, which include user location data and road conditions, among other sensitive data.

The Global Times, a state-owned tabloid newspaper under Communist Party mouthpiece People’s Daily, said in an editorial that Beijing cannot allow a company like Didi, with its two biggest shareholders based overseas, to hold so much data.

“China can’t allow an internet giant to run a super database that contains more personal data of Chinese people than the state has, nor can China allow [internet firms] to use such data freely,” the editorial reads.

Tech stocks sink in Hong Kong on China’s tightening curbs as Tencent erases 2021

Companies backing the Chinese ride-hailing firm tumbled in Asian trading on Monday. SoftBank Group, Didi’s largest shareholder with a 20.1 per cent stake, fell 5.4 per cent in Tokyo. Tencent, with less than 10 per cent stake, declined 3.6 per cent in Hong Kong, erasing all of its gains this year.
San Francisco-based Uber Technologies still holds 11.9 per cent of the company, down nearly 7 percentage points since Didi bought out its rival’s China operations. Didi executives and directors control 57.1 per cent of the voting power.

Didi fell 1 per cent in US after-market trading on Friday to US$15.37. They will resume trading on Tuesday due to Independence Day market holiday on Monday. Kanzhun lost 2.1 per cent on Friday while Full Truck Alliance gained 2.3 per cent.

Under China’s cybersecurity review regulation, which went into effect in June 2020, an investigation can be launched when authorities think an internet product or service could “affect national security”.

Didi is under investigation by China’s cyberspace administration

“Data security could be a life-or-death issue for companies, but these companies underestimated the importance of data security and cybersecurity compliance, and still hold the traditional idea that fundraising comes first,” said He Yuan, executive director of Shanghai Jiao Tong University’s Data Law Research Centre. “It’s important to maintain adequate communication with regulators, which they clearly haven’t done enough of.”

At the heart of the issue, according to He, is “data sovereignty”. The Chinese government wants to ensure the data of domestic companies is controllable and not subject to the “long-arm jurisdiction” of other countries, He said, adding that the government wants the final say on data related to national security.

It is also possible that regulators now regard service providers like Didi, Full Truck Alliance and Boss Zhipin as “critical information infrastructure operators”, making them subject to cybersecurity reviews, experts said.

Under the regulation, the purchase of certain goods or services could trigger a review if it is found to put “critical information infrastructure” at risk of being misused or destroyed, result in important data being exposed, or lead to supply interruptions involving “political, diplomatic and trade factors”.

A review generally takes up to 45 working days to complete, but that period can be extended and does not include the time that a target company spends preparing documents for the investigation.

This article appeared in the South China Morning Post print edition as: Mainland watchdog to review more apps on data security grounds