Explainer | Why is Didi’s cybersecurity review important and what will it mean for the ride-hailing giant’s future?
- Didi is the first Chinese tech company to face a probe by China’s cyberspace administration on national security grounds
- Worst case scenario for Didi is that damage could go much deeper than fines, experts say
The cyberspace security review office, an obscure unit of the powerful Chinese Administration of Cyberspace (CAC), on Friday announced a probe into Didi Chuxing on national security grounds, two days after the ride-hailing giant made its initial public offering in New York.
This was followed by another statement on Sunday in which CAC said it had ordered app stores to remove Didi from their platforms. On Monday morning, the cyberspace security review office said it was launching a similar investigation on “national security” grounds into truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin.
While many key questions remain unanswered, including more details on the transgressions by Didi and other apps, the probes have opened another front in Beijing’s ongoing scrutiny of the country’s technology giants, and added a new layer of uncertainty for Chinese tech firms seeking a listing in the United States.
Below are some key takeaways about the probe based upon official statements, laws and expert views:
Why is the cybersecurity review of Didi important?
It is the first time in China that the cyberspace security review office, which was created last year as a coordination agency among 12 ministries, has shown its teeth to a major domestic technology company.
It is different from previous antitrust or pricing investigations into Big Tech in China: the regulator in charge of the Didi investigation is the cyberspace security review office, not the State Administration for Market Regulation, and the probe into Didi is about national security concerns, a more serious issue than monopolistic behaviour and pricing irregularities.
“The current investigation into Didi was initiated out of cybersecurity concern, particularly relating to cross-border data transfer issues,” said Angela Zhang, director of the Centre for Chinese Law at the University of Hong Kong.
The nature of the probe into Didi – around national security – makes it far more serious, according to Singapore Management University’s associate professor of law, Henry Gao.
The Didi case will likely set a precedent for the office to run after other Big Tech firms. It adds a new watchdog, a new compliance issue, and a more serious regulatory threat to all big tech companies in China.
What would be the good and bad outcomes for Didi?
According to China’s cybersecurity review regulation issued in 2020, a review generally takes up to 45 working days to complete, but that period can be extended and not include the time that a target company spends preparing documents for the investigation. It means, in implementation, the probe can take months to complete.
The worst scenario, according to the University of Hong Kong’s Zhang, would be a ruling that results in the firm’s delisting from the US market.
Gao says that in a worst-case scenario Didi could be ordered to suspend its operations for a rectification, and then as a result, loses its market dominance.
It is also worth watching whether China’s other government agencies, including the antitrust watchdog, transportation authority, banking regulator and labour watchdogs step in. If this happens, “they could be investigating all kinds of activity and then all hell breaks loose,” Gao said.
As things stand, Didi has been accused by the cyberspace administration of violating Chinese laws and regulations in its collection and use of personal data.
Meanwhile, according to China’s cybersecurity review law, if Didi is found to have sold problematic products and services with national security implications, it could be fined up to 10 times the purchase value and ordered to replace these products and services.
How wide is Beijing’s cybersecurity review?
It is currently unknown but after the announcement of the investigations into the three other apps - Yunmanman, Huochebang and the one operated by Boss Zhipin - all of which made initial public listings in the US last month, there is speculation that China’s cybersecurity review could extend to more tech companies, especially those listed in the US or with plans to go public there.
Who is in the firing line because of the Didi review?
Didi’s stock investors are likely to bear the brunt of any financial losses caused by the probe. Didi’s big corporate backers – including SoftBank Corp and Uber – are also expected to take losses. Will Wei Cheng and Jean Qing Liu, the two founding shareholders, will be at the centre of any storm but it is too early to say whether there will be any personal implications.
Didi drivers and passengers who have the app already downloaded on their mobile phones, can continue to use the service. Meanwhile, the probe has given China’s other ride-hailing service providers a chance to expand market share. As things stand, Didi controls around 90 per cent of the market with about 210 other players fighting for the other 10 per cent.
What prompted Beijing’s probe into Didi and what is the end game?
It remains unknown why Beijing decided to launch a cybersecurity review into Didi two days after its US$4.4 billion IPO in New York. A Didi vice-president denied online allegations on Saturday that Didi had surrendered Chinese user data to the US.
The cybersecurity review office said the probe is to “maintain national security and protect the public interest”, without elaborating further.
However, an editorial in the Global Times, a newspaper affiliated with the People’s Daily – the official newspaper of the Chinese Communist Party – argued that the state, instead of tech giants, should decide the rules of personal information collection and use. As such, one purpose of Beijing’s probe and punishment of Didi is to make sure the corporate sector does not own more data than the state.