The app of Chinese ride-hailing giant Didi is seen on a mobile phone in front of the company’s logo in this illustration picture taken July 1, 2021. Photo: Reuters

China’s Big Tech crackdown: How an obscure office in Beijing’s cybersecurity administration has struck fear into the country’s tech giants

  • The Didi move, the first time Beijing publicly launched a probe into a tech company on national security grounds, triggered a global sell-off in Chinese tech stocks
  • While the Cyber Security Review Office remains opaque, there is little doubt it will play a significant role in supervising China’s internet industry

An obscure bureaucratic office in Beijing has emerged as one of the most feared government institutions for China’s Big Tech as Beijing clamps down on what it sees as cybersecurity risks in the internet sector.

The Cyber Security Review Office was created last year as a joint task force by 12 Chinese ministries, including the Ministry of Public Security and the Ministry of National Security, to look into cybersecurity risks.

“The state has a cybersecurity review requirement, and this office was created to get the job done,” one Beijing-based regulatory source who has direct knowledge of the matter said.

The office, under the Cyberspace Administration of China (CAC), had been out of public view for a year until last week when it dropped the bombshell that it was putting ride-hailing giant Didi Chuxing under review over possible data security and national security risks.

The action, taken just two days after Didi raised US$4.4 billion in a New York IPO, was said to be justified under China’s National Security Law, its Cybersecurity Law, and a set of guidelines called the Measures for Cybersecurity Review.

It marked the first time Beijing publicly launched a probe into a tech company on national security grounds, and triggered a sell-off in Chinese tech stocks in both New York and Hong Kong, with Didi seeing one-third of its market valuation evaporate over the last three trading days.

While the cybersecurity review office remains opaque – its location, structure and leadership remain unknown, and it does not have an independent website or external telephone numbers – there is little doubt it will play a significant role in supervising China’s internet industry.

It was created last year after China introduced a new cybersecurity regulation that required operators of “critical information infrastructure” to undergo a review process for any corporate transaction that could have national security implications.

With the backing of the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Commerce, the People’s Bank of China, State Administration for Market Regulation, State Administration of Radio and Television, and State Cryptography Administration, the Cyber Security Review Office will be a key gatekeeper when it comes to overseas IPOs, along with existing watchdogs such as the Chinese Securities Regulatory Commission and the State Administration of Foreign Exchange.

Working details of any cybersecurity reviews will be handled by the China Cybersecurity Review Technology and Certification Centre (CCRC), under the direction of the Cyber Security Review Office, which does not have any administrative power over the country’s tech companies, according to the regulatory source.

One internet company source, who has worked with CCRC on multiple projects, said it has been largely toothless in the past and often tried to sell certification services to tech firms. But the latest policy changes could put its service of granting security certificates for products and companies in high demand.

CCRC, which was created in 2006 as the China Information Security Certification Centre, said on its website that one of its functions was to provide technical support for cybersecurity reviews.

It will also likely be the direct contact for tech firms submitting materials for review. The agency, which changed its name three years ago to indicate its wider scope of operations, reviewed 28 apps in 2019 and granted 18 security certificates to mobile apps, including Baidu Maps, the e-commerce app Suning Yigou, an app from China Mobile, and two travel booking apps by Tongcheng-Elong.

CCRC director Wei Hao was quoted as saying by state-run Legal Daily that the app certification process includes technical verification, on-site inspection and post-certification supervision.

In addition to Didi, Chinese recruitment platform Boss Zhipin and truck-hailing platforms Huochebang and Yunmanman, operated by Full Truck Alliance, are also being investigated by the cybersecurity review office over security concerns.

“Internet companies which do not abide by the law will eventually be eliminated,” said Joy Huang, a partner at Allbright Law Offices. “Compliance comes at a cost, and those who are able to survive must be powerful companies. Then the winners should bear social responsibility and national security responsibilities.”

This article appeared in the South China Morning Post print edition as: how an obscure gatekeeper struck fear into Big Tech