China’s concerns about cybersecurity – embedded in national security – have underpinned a sweeping campaign against companies that store vast amounts of personal data. Now the companies planning to list an IPO in the US–like Didi Chuxing–have an arduous task ahead of them.
The campaign over data privacy and cybersecurity was in the making for some time. In China, there has been a growing realisation that homegrown technology platforms have enormous amounts of data without clear guidelines on storing and using it. President Xi Jinping considers the need to regulate data a critical national security emergency.
“Without cybersecurity, there will be no national security, no stable economy, and the interests of the people can hardly be guaranteed,” said Xi Jinping in 2018 at a national conference on cybersecurity in Beijing.
Xi Jinping’s remarks on cybersecurity since 2014 were emphasised by People’s Daily in a column called “Time and Practice” earlier in January 2021.
He has also called for the need to “build a community with a shared future in cyberspace”.
For now, China is going after homegrown data-rich companies that have eyes on the US market.
All eyes on Didi
A new draft guideline by the Chinese Cyber Security Review Office suggests a further deepening of the investigation
“Operators who have personal information of more than 1 million users going to list abroad must report to the Cyber Security Review Office for a cybersecurity review,” says Article 6 of the draft document.
“When an operator purchases network products and services, it shall predict the national security risks that the products and services may bring about after they are put into use. Those that affect or may affect national security should report to the Cyber Security Review Office for a cybersecurity review,” says Article 5 of the document.
Didi Chuxing – a ride-hailing company – is facing a severe crackdown because of its data usage policy. The Cyberspace Administration of China (CAC) is currently conducting a “comprehensive examination of cybersecurity risks” into Didi. The ride-hailing company recently raised $4.4 billion in a US public stock offering. Financial Times reported citing a person close to Didi that the CAC advised the company to delay its IPO.
Chinese social media users have alleged that Didi shared the personal data of Chinese customers, including their ride data, with the US.
“Like many overseas-listed Chinese companies, Didi stores all domestic user data on servers in China. It is impossible to pass data on to the United States,” Didi’s VP Li Min said in a post on Weibo.
Didi has 377 million annual active users and 13 million active drivers in China. Didi collects phone numbers, real names, location data, and even facial recognition data for some of its services.
In 2017, Didi won a rare government license to produce high-precision maps and survey the vast geography of China. According to Financial Times, the CAC asked Didi to make changes to its app in 20 requests before listing in the US. The report suggests that the Chinese cyber regulator was concerned with sensitive government location data – including military bases — being leaked to the US. Didi denies data was leaked to the US.
The CAC is also known as the Office of Central Cyberspace Affairs of China, and is headed by Xi Jinping.
A 2015 joint study by Didi and an arm of the Xinhua News Agency demonstrated the data gathered from ride-hailing to and from central Chinese government departments could reveal sensitive details. The study found 1,327 departures and arrivals from the Ministry of Public Security’s office in 24 hours. When analysed with other open-source material, the data can give an insight into the workings of the Chinese security agencies.
The Chinese government has now sent regulators from the Ministry of Public Security, the Ministry of State Security, the Cyberspace Administration of China, the Ministry of Transport, and the Ministry of Natural Resources to investigate Didi. The involvement of the Ministry of Public Security, responsible for domestic security, and the Ministry of State Security, in charge of the civilian intelligence operations and counterespionage, reveals this investigation could result in severe penalties or criminal charges — not just a mere fine. This is the first such probe into a tech company on national security grounds. That too one that just made its debut on the New York Stock Exchange.
The current phase of the investigations into data privacy in China is driven by a relatively new government entity called Cyber Security Review Office. The new office was only established in 2020 as a joint task force by 12 Chinese ministries, including China’s security services.
“National security department and seven other departments jointly stationed in Didi” was a prominent trend on Weibo, and viewed 78.6 million times.
On 9 July, the CAC announced that 25 apps owned by Didi Global would be taken off applications stores in China.
Some Weibo users said that Didi faces very severe investigation while other companies have gotten away by paying a small fine. The crackdown on Didi has allowed other ride-hailing companies to expand their operations. Meituan Dache – a ride-hailing business of delivery company Meituan – has relaunched its app on stores to capture the business resulting from Didi’s fallout.
An old video of Didi CEO Cheng Wei praising the US and its innovative ecosystem, which produced the likes of Uber, surfaced on Weibo. Cheng also criticised the restrictive nature of the Chinese internet. Some netizens speculated the remarks made in the video might have intensified the crackdown on Didi.
The investigation into Didi has won widespread support among Chinese citizens on social media. A large part of the public opinion is driven by privacy related concerns and citizens do want greater oversight on technology platforms. Didi can’t register new users until the investigation is complete, which may last for ten weeks.
Between Hong Kong and the world
In 2018, Xi Jinping outlined his blueprint for enhancing China’s cyber capabilities.
“China will fiercely crackdown on criminal offences including hacking, telecom fraud, and violation of citizens’ privacy,” he said.
In April, a draft of the law on personal information protection was submitted to the Standing Committee of the National People’s Congress for a second reading. The law–when approved–will impose the setting up of an independent body primarily “mainly composed of outsiders to supervise how the information is handled”. The new regulation could force companies to set up a permanent entity within the company to monitor data privacy.
Bloomberg recently reported that China might exempt certain Hong Kong-listed companies from cybersecurity review. According to the sources cited, Hong Kong companies headed to the US for listing will go through a formal review. In the past, Hong Kong listing was the step towards a US stock market listing for Chinese companies, but that may not be so easy anymore.
Robin Xing, the chief China economist at Morgan Stanley Asia, said Beijing might allow some companies to list in the US. Still, the most sensitive sectors that store extensive data of Chinese citizens would be encouraged to list in Hong Kong.
China’s investigation into its technology companies is driven by national security and data privacy. But China is stepping on the global ambitions of its companies – restricting the vision of China Inc.
The author is a columnist and a freelance journalist. He was previously a China media journalist at the BBC World Service. He tweets @aadilbrar. Views are personal.
(Edited by Neera Majumdar)