Didi Chuxing pushed ahead with its listing in New York before the Cyberspace Administration of China (CAC) had fully cleared the ride-hailing giant’s data security concerns, forcing Beijing to put it under a national security review and kick it off the country’s app stores, according to two people familiar with the situation. One regulatory source in Beijing, who is not directly involved in the case but was briefed on discussions, said Didi had “forced its way” to go public in New York without completing a thorough data security assessment by CAC, a necessary step for Beijing amid its enhanced scrutiny of data security. But as a data assessment is not yet an institutionalised part of the listing process, Didi was able to go ahead with its US listing plan without complete clearance from CAC, which would include conducting a full body check of disclosed information to see whether an initial public offering (IPO) might impair China’s data security, the source added. The ruling Chinese Communist Party and the State Council, the cabinet, issued a new policy guideline on Tuesday night, saying China will change its rules around the overseas listings of Chinese businesses and empower domestic regulators and watchdogs to have a say in their listing. According to the policy directives, China will also improve the regulation of data security, “cross-border data flow” as well as confidential information processing, a strong indication that Beijing is tightening its data controls. The domestic procedure for a Chinese company to go public in an overseas market like New York was created as early as 2005 by the State Administration of Foreign Exchange. The concept of data security barely existed at that time and CAC was not created until 2011. Meanwhile, the relationship between Beijing and Washington has gone from cosy to frosty amid an escalating tech war, which has seen the US slap sanctions on leading Chinese companies. Data security is currently high on Beijing’s agenda. Washington has attempted to stop Chinese apps, such as ByteDance short video-sharing hit TikTok, from acquiring US consumer data, and now Beijing is pushing back in kind by stepping up its efforts to protect data leakages from Chinese soil. China takes Didi off app stores A second source close to CAC, who requested anonymity as the information is private, said that the investigation into Didi is focused on whether there is a security risk of “important data and the personal information of Chinese citizens going abroad”. China published a cybersecurity review regulation last year and created an office within CAC to coordinate among 12 ministries, including the Ministry of Public Security and the Ministry of State Security, over cybersecurity reviews. The probe into Didi – announced last Friday, two days after the company made its US$4.4 billion IPO in New York – was the first time that the cybersecurity review office has publicly taken action against a Chinese company. “Most of the Chinese companies choosing to go public in the US set up an offshore holding company. Although compliance with China’s laws and regulations is required, they can use this approach to avoid needing the direct approval of securities regulators,” said Luo Zhiyu, a partner at DeHeng Law Offices, who specialises in cross-border IPOs, mergers and acquisitions. “For other relevant regulators, the company can seek compliance testimony from the authorities, but this isn’t a must and depends on the IPO lawyer and underwriter’s due diligence investigation requirements and the company’s legal compliance condition,” added Luo. On Monday morning the review office widened its investigation to another three apps, which are run by Full Truck Alliance and Boss Zhipin respectively, for the same stated reason of “national security and data security”. Both Full Truck Alliance and Boss Zhipin conducted IPOs in the US last month. China launches cybersecurity review into more US-listed firms A third source close to Didi, who requested anonymity as the information is private, said that China’s cyberspace administration was asserting its authority and that the case had exposed inconsistencies among different Chinese government agencies. “If Didi really has a problem, the regulators would have stopped the initial public offering,” the source said. The need for domestic data security checks of Chinese tech companies before listing in the US adds another layer of uncertainty for IPO investors. According to China’s security review regulation published in 2020, any review is generally about whether a key information infrastructure operator has used “products and services” that may hurt national security. CAC has also accused Didi of a severe violation of laws and regulations in its collection and use of consumer data. According to a research note by Gavekal analysts Ernan Cui and Thomas Gatley, published on Monday, Didi employees have shared information on Chinese social media saying that the company was under pressure from the cybersecurity regulator to delay its initial public offering but proceeded anyway. “If this is the case, and top leaders have been angered, the firm could face more investigations and penalties,” they wrote. Ride-hailing giant Didi remains a sticky habit for Beijing drivers Didi said in a statement on Sunday that it is cooperating with the review and thanked the regulator for checking risks. Didi has also said it had no knowledge of the imposed review and punishment before its initial public offering, according to a Reuters report. Didi did not respond to a further request by the South China Morning Post for comment on Tuesday and multiple calls to CAC were not answered. Didi’s shares dropped 5.3 per cent on Friday, and closed down by nearly 20 per cent, at US$12.59 on Tuesday. Law firms in the US, including Rosen, Schall and Labaton Sucharow, have called on US investors to file class action lawsuits against Didi because of the course of events.