China’s Didi Chuxing investigation closes in on 60-day mark with no conclusion in sight

Initiated on July 2, the Chinese government’s cybersecurity review of ride-hailing giant Didi Chuxing will mark its 60th day this Friday
The pace of the investigation showed that regulators are exercising prudence in this case, the resolution of which may affect the company’s investors

Didi Chuxing

Coco Fengin BeijingandChe Panin Beijing

Published: 9:30pm, 23 Sep 2021

Why you can trust SCMP

China’s cybersecurity review of ride-hailing giant Didi Chuxing shows no sign of concluding any time soon, as the widely followed investigation closes in on the 60-day mark and the company’s business starts to slow down.

Didi incurred the ire of regulators when it rushed to raise US$4.4 billion from its initial public offering in New York, ignoring their warnings about network security compliance. On July 2, internet watchdog the Cyberspace Administration of China (CAC) launched an investigation into Didi and then ordered the company’s app removed indefinitely from local app stores, which stopped it from registering new users.

While Didi’s cybersecurity review will mark its 60th day on Friday since CAC initiated the action, analysts said the pace of the investigation showed that regulators are exercising prudence in this case, the resolution of which may affect the company’s investors as well as the relationship between the US and China capital markets.

There is no binding deadline for Didi’s cybersecurity review since this investigation “can be extended in case of special circumstances”, said Nicholas Bahmanyar, a senior consultant for cybersecurity at LEAF law firm in Beijing. Apart from Didi’s case, he indicated that major new laws being rolled out this year highlights data security’s importance “like never before” in China.

07:30

Why China is tightening control over cybersecurity

Neither CAC nor Didi has provided any details about the ongoing investigation. Didi is “actively and thoroughly cooperating with the cybersecurity review”, according to a company statement earlier this week.

CAC did not immediately respond to requests for comment. Didi also did not immediately reply to requests for further comment.

Under China’s Cybersecurity Review Measures, a regulation jointly issued by 12 ministerial bodies last year, a “normal” investigation should take up to 60 working days. The conclusion of this review shall be enacted within 30 days, but can be extended by another 15 days “if the situation is complicated”. Related authorities shall be informed of the conclusion reached and these authorities must provide their views within 15 working days.

Should the relevant authorities fail to agree on the conclusion, they can initiate a “special review procedure” to submit the results of the review to the Central Cyberspace Affairs Commission – headed by President Xi Jinping – for final approval. An investigation under this “special review procedure” must be concluded within 45 working days. This process can be extended “appropriately” if the situation is complicated.

Days after launching its investigation into Didi, CAC proposed amendments to the regulation that would prolong the “special review process” to three months. The amendments have not been made official.

Why are so many Chinese agencies reviewing ride-hailing giant Didi Chuxing?

“It seems like these inquiries are generally falling within the prescribed timelines, if not wrapping up ahead of time,” said Nathaniel Rushforth, a cybersecurity and data law specialist at DaWo Law Firm in Shanghai. “However, the approach seems to be somewhat flexible case by case.”

Didi’s investigation, which is the first under the cyberspace security review office, comes as Beijing pushes a slate of new laws and regulations to ensure that data related to local customers and operations are kept inside the country.

“It’s difficult to say” how much Chinese companies’ awareness of data security can be attributed to any single incident, according to Paul McKenzie, managing partner of law firm Morrison & Foerster’s Beijing and Shanghai offices.

“Companies are [now] very focused on the raft of new data regulations being issued and coming into force this fall, including a new Data Security Law that came into effect at the beginning of this month and the new Personal Information Protection Law that comes into effect November 1,” McKenzie said.

Ride-hailing giant Didi Chuxing denies executive Jean Liu is jumping ship

Soon after it launched an investigation into Didi, CAC also targeted Full Truck Alliance – operator of apps Yunmanman and Huochebang, dubbed China’s “Uber for trucks” – and an online recruiting platform known as Boss Zhipin to prevent data security risks and to protect national security. There have been no official updates about these cases.

Earlier this month, Didi founder and chief executive Cheng Wei moved to head an internal committee that will oversee the overhaul of the company’s data management, according to an internal memo seen by the South China Morning Post. It showed the ride-hailing giant’s effort to abide by regulators’ demands, which was internally described as “a matter of survival”.

Speculation about Didi’s fate, however, has continued to swirl. Didi earlier this week denied reports that company co-founder and president Jean Liu was on her way out, and threatened legal action to fight the “malicious” spread of rumours.

That followed the release of official data which showed a 21.1 per cent drop in Didi’s ride-hailing orders in August from the previous month, a steeper decline than the industry’s overall 17.2 per cent decrease in the same period, indicating that local rivals may be chipping away at the company’s market lead as it remains under Beijing’s cybersecurity review.

This article appeared in the South China Morning Post print edition as: Didi inquiry hits 60 days as business slows down

Post