Beijing has started on-site cybersecurity inspection of Didi Chuxing after the company ‘forced its way’ to a New York listing
- The on-site inspection comes two weeks after the country’s internet regulator launched a cybersecurity review into the company
- A cybersecurity review generally takes up to 45 working days to complete, but that period can be extended
A task force of seven Chinese ministries, including the Cyberspace Administration of China (CAC), the public security ministry and the national security ministry, entered Didi Chuxing’s offices on Friday to conduct the country’s first-ever cybersecurity review.
The CAC said in a statement that it has teamed up with the Ministry of Public Security and the Ministry of National Security to start an on-site cybersecurity inspection of Didi, two weeks after the country’s internet regulator announced a cybersecurity review into the ride-hailing giant and stopped it from registering new users in response to Didi’s decision to make an initial public offering in New York without full consent from Beijing.
The other departments involved in the on-site inspection include the State Administration for Market Regulation (SAMR), the Ministry of Natural Resources, the Ministry of Transport, and the State Administration of Taxation. Among them, the natural resources ministry, the transport ministry and taxation bureau are not among the 12 government agencies directly backing the cybersecurity review office.
It is not known how long the on-site investigation will take. Didi did not immediately respond to a request for comment on Friday.
Chinese regulators suspect Didi of deceit in US listing, sources say
Wang Sixin, a professor from the Communication University of China, said as this is the first time that the cybersecurity review office, which was created last year within CAC, has conducted a review, many questions remain unanswered.
“There are huge unknowns about how [Beijing] will deal with Didi,” Wang said. He added that the line-up of ministries in the probe had revealed some information though. For instance, the involvement of SAMR means there might be antitrust probes into Didi while the presence of the natural resources ministry shows Beijing’s concern about mapping information security.
Liu Dian, an associate researcher at the Chongyang Institute for Financial Studies of Renmin University, said the line-up of seven ministries shows that the scope of the investigation will be “comprehensive”. “The government really attaches great importance to the Didi case,” Liu said.
Didi’s head office in the Zhongguancun Software Park in northwestern Beijing looked normal on Friday afternoon without any sign of police or security agency vehicles. The Post spoke with eleven Didi employees outside the building, and eight of them said their work had not been interrupted.
One employee, who was on a smoke break, said the only impact of the investigation for him was the “psychological discomfort” due to the extensive media coverage of the investigation.
The involvement of seven ministries in a joint probe into a Chinese business entity is unprecedented. In the antitrust probe of Alibaba Group Holding, owner of the South China Morning Post, initiated last Christmas Eve, a group of antitrust regulators entered the e-commerce giant’s headquarters to conduct interviews and collect evidence for just a single day.
Lu Chuanying, general secretary of the Cyberspace International Governance Research Centre at the Shanghai Institute for International Studies, said the review of Didi is set to become a “landmark case” in Beijing’s discipline of technology firms.
Lu added that China’s digital economy has developed to a stage where relevant security measures must be set up. Though the companies have been used to a quasi-unregulated status in the past and may find the current measures a bit hard to stomach, the trend is inevitable and they will have to embrace the changes.
In 2014, China’s top leader Xi Jinping directly connected cybersecurity to national security. Since then, China has accelerated the development of its data governance regime. Just this year, Beijing introduced the Data Security Law (DSL), which takes effect in September, and has an upcoming Personal Information Protection Law that is still under review.
The haphazard patchwork of laws and regulations has turned into one of the most sophisticated regulatory frameworks in the world, with Beijing seeking to maintain a tight grip on data while unleashing its economic potential and protecting consumer privacy.
The DSL calls for the establishment of a data classification system that protects what is considered “core data” and “important data”, but it allows for less sensitive data to be used in boosting the digital economy.
Under the law, companies that transfer core data overseas without proper regulatory approval will face a penalty of up to 10 million yuan (US$1.54 million) and could be forced to shut down. Companies that hand over important data to a foreign judiciary or law enforcement agency without prior approval could also be fined up to 5 million yuan.
The on-site inspection comes after the Beijing-based company raised US$4.4 billion in a US initial public offering late last month that valued it at about US$70 billion. Reuters reported on June 17 that China’s market regulator had begun an antitrust probe into Didi, citing three people with knowledge of the matter.
A cybersecurity review generally takes up to 45 working days to complete, but that period can be extended and does not include the time that a target company spends preparing documents for the investigation. At the same time, cybersecurity regulations stipulate that any member of the cyberspace security review office, a department within the CAC, has the right to initiate an investigation if they see a potential national security concern in a network product or service.
