Boss Zhipin and Full Truck Alliance said they will actively cooperate with the review and assess their cybersecurity risks.

Full Truck Alliance is one of China’s biggest trucking companies. In 2020, about 20 per cent of China’s heavy- and medium-duty truckers fulfilled shipping orders using the company’s platforms, according to its prospectus, citing data from China Insights Consultancy. It also said 2.8 million truckers fulfilled 71.7 million orders on its platforms last year.

Boss Zhipin also looms large in its industry. It had 24.9 million monthly active users in the first three months of the year, according to the company’s prospectus. Its 85.8 million verified jobseekers and 13 million verified enterprise users include executives from big companies, small business owners and recruiting professionals, according to the document.

Experts said the public listings for all three companies under review may have raised red flags in Beijing. Possible national security concerns could centre around the vast troves of data the companies hold, which include user location data and road conditions, among other sensitive data.

The Global Times, a state-owned tabloid newspaper under Communist Party mouthpiece People’s Daily, said in an editorial that Beijing cannot allow a company like Didi, with its two biggest shareholders based overseas, to hold so much data.

“China can’t allow an internet giant to run a super database that contains more personal data of Chinese people than the state has, nor can China allow [internet firms] to use such data freely,” the editorial reads.

Tech stocks sink in Hong Kong on China’s tightening curbs as Tencent erases 2021

Didi fell 1 per cent in US after-market trading on Friday to US$15.37. They will resume trading on Tuesday due to Independence Day market holiday on Monday. Kanzhun lost 2.1 per cent on Friday while Full Truck Alliance gained 2.3 per cent.

Under China’s cybersecurity review regulation, which went into effect in June 2020, an investigation can be launched when authorities think an internet product or service could “affect national security”.

Didi is under investigation by China’s cyberspace administration

“Data security could be a life-or-death issue for companies, but these companies underestimated the importance of data security and cybersecurity compliance, and still hold the traditional idea that fundraising comes first,” said He Yuan, executive director of Shanghai Jiao Tong University’s Data Law Research Centre. “It’s important to maintain adequate communication with regulators, which they clearly haven’t done enough of.”

At the heart of the issue, according to He, is “data sovereignty”. The Chinese government wants to ensure the data of domestic companies is controllable and not subject to the “long-arm jurisdiction” of other countries, He said, adding that the government wants the final say on data related to national security.

It is also possible that regulators now regard service providers like Didi, Full Truck Alliance and Boss Zhipin as “critical information infrastructure operators”, making them subject to cybersecurity reviews, experts said.

Under the regulation, the purchase of certain goods or services could trigger a review if it is found to put “critical information infrastructure” at risk of being misused or destroyed, result in important data being exposed, or lead to supply interruptions involving “political, diplomatic and trade factors”.

A review generally takes up to 45 working days to complete, but that period can be extended and does not include the time that a target company spends preparing documents for the investigation.