The app of Chinese ride-hailing giant Didi Chuxing is seen on a mobile phone in front of the company logo on July 1. Didi has become the subject of China’s first cybersecurity review, but the many different ministries involved suggest a broad scope. Photo: Reuters

Explainer | Why does ride-hailing giant Didi’s cybersecurity review involve so many Chinese government agencies and who is absent?

  • China’s Cybersecurity Review Office is managed by 12 ministries, but only four are involved in Didi’s review with three unrelated agencies invited to join
  • It is too early to tell how China’s first cybersecurity review of a Big Tech company might end, but it’s already having a chilling effect on US IPOs
After Didi had its apps removed from app stores and was sued by shareholders in the US, its cybersecurity review is finally getting under way. A task force of seven Chinese ministries entered the company’s offices on Friday to kick off the country’s first such review, testing new powers that could have a wide-ranging impact on how the country’s biggest technology companies operate.

While rules dictate that several ministries could potentially be involved in cybersecurity reviews, not all of them are involved in Didi’s case and some additional ones have been invited to join. Here is a closer look at who is involved and what it means for China’s dominant ride-hailing firm.

Which Chinese ministries are involved in cybersecurity reviews?

According to China’s Cybersecurity Review Measures published in 2020, such reviews are handled by the Cybersecurity Review Office under the Cyberspace Administration of China (CAC).

The office is backed by 12 ministries: the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People’s Bank of China, the State Administration for Market Regulation, the State Administration of Radio, Film and Television, the National Administration of State Secrets Protection, and the State Cryptography Administration.

Which ministerial bodies are involved in the cybersecurity review of Didi Chuxing?

Seven ministries are involved with Didi’s review, according to a statement from the CAC on Friday, but only four of them are among the agencies that back the Cybersecurity Review Office.

In addition to the CAC, the bodies from the review office include the Ministry of Public Security, the Ministry of State Security and the State Administration for Market Regulation. The other three agencies are included on an “ad hoc” basis. They are the Ministry of Natural Resources, the Ministry of Transport and the State Administration of Taxation.

Why are an additional three ministries involved in Didi’s probe?

Chinese authorities did not provide details of how the cybersecurity review is being conducted, but it is possible the additional agencies have been brought in because of the specific industry in which Didi operates.

Didi has access to a lot of real-time mapping data such as road conditions, which Chinese regulators consider sensitive information. Photo: Bloomberg

The Ministry of Natural Resources is the regulator in charge of mapping the country, indicating the body might be involved in reviewing Didi’s mapping information, which is considered part of the sensitive data that the company stores.

The involvement of the Ministry of Transport, which is in charge of regulating licensing of taxi services, could mean the review will also examine Didi’s compliance with taxi licensing and driver qualification laws.

The taxation authority’s involvement is also a strong sign that the probe may involve an investigation into possible tax fraud.

Why are some ministries absent from Didi’s review?

Eight of the 12 ministries that back the cybersecurity review office are not currently involved in the Didi probe. The most surprising for industry watchers is the absence of the Ministry of Industry and Information Technology, as the agency has been very active in reviewing apps for excessive user data collection.

The fact that the Ministry of Finance is not involved is also notable. The agency is traditionally in charge of regulating audits for Chinese companies seeking public listings overseas. Didi’s initial public offering in New York, against the wishes of the CAC, is considered the main reason for the company’s current woes.

The Chinese Securities Regulatory Commission and the State Administration of Foreign Exchange were also notably not among the new agencies invited to participate. The two bodies are not part of the Cybersecurity Review Office, but they are directly involved in overseas listings.

The People’s Bank of China, one of the 12 review office ministries, is also not directly involved.

What does the review mean for Didi?

This is China’s first cybersecurity review into a company, so there is no precedent to suggest how things might end for Didi. Many analysts and legal experts say it is too early to tell how the investigation might end or what punishments Didi could face.

The only indication of the situation’s severity is all the ministries involved. On the surface, it does not look good for Didi, if only because having investigators from the state and public security offices knocking at the door is a nightmare scenario for any Chinese company.

The good news for the ride-hailing giant is that the absence of key regulators suggests the company ticked all the necessary boxes regarding the conventional procedures for an overseas IPO.

What does this mean for future cybersecurity reviews?

As the body for initiating, organising and coordinating cybersecurity reviews, the CAC – and its previously obscure Cybersecurity Review Office – now has even more power over the country’s internet giants. The agency also has the authority to involve other government agencies in specific cases.

While it is impossible to know how the CAC might wield this power in the future, or where other tech companies stand, it appears to already be threatening future overseas listings from Chinese firms.

Cybersecurity reviews have also been launched into Boss Zhipin and Full Truck Alliance. Like Didi, both companies publicly listed in New York in June.