Concerns over privacy, data security and national security are mounting as China’s ubiquitous carpooling and ride-hailing app Didi Chuxing runs into a regulatory storm after its New York Stock Exchange debut last week.
As Chinese cybersecurity watchdogs move to put a brake on the vehicle-for-hire platform, unverified reports are swirling that Didi surrendered sensitive user data to the United States before its June 30 IPO.
Data ownership is again front and center in the latest episode of Beijing’s regulatory clampdown on China’s big tech firms.
The state-backed, nationalistic tabloid Global Times stated explicitly that “no tech giants or any other businesses should be allowed to glean and amass data of Chinese people more than the government does” and that “no entities should be allowed to know the lives and privacy of Chinese people more than the government does.”
In a Sunday op-ed likely channeling Beijing’s stance, the paper claimed that Chinese watchdogs must ensure the Chinese version of Uber, whose user base hit 377 million in March, does not veer off course or run counter to public and national interests, especially when foreign investors had come onboard as Didi’s largest and second-largest shareholders.
“With its market dominance, Didi possesses the most comprehensive profiles about how Chinese move and travel in key cities and far-flung places across the country and its trove of mobility, destination, address and payment data must be stored and handled properly and kept beyond the snooping of foreign exploiters and the nation has the responsibility to supervise and step in,” the article said.
Probes into Didi’s alleged breaches in its collection, handling and use of personal data and other information were initiated by the Cyberspace Administration of China and the China Cybersecurity Review Technology and Certification Center, with powers vested by China’s national security law, cybersecurity law and cybersecurity review ordinance.
These stipulate that related investigations must be completed within 45 days to release key findings, a process extendable by 15 days in complicated cases. Reuters noted last week that China’s market regulators and monopoly busters may home in on Didi’s practices that hamper fair competition.
Didi, expecting more legal roadblocks, has swerved swiftly to meet regulators halfway by halting new user registration since July 3 and vowing full cooperation and rectification. It has assured that, while its app had been pulled off app stores in China, existing users and drivers would not be affected as trips could still be made on its platform.
Beijing’s compliance drive does not mean the end of the road for Didi, whose trip-matching and carpooling services are a lifeline for China’s 13 million self-employed drivers and their families, according to the company’s prospectus.
Yet Didi faces a bumpy ride to restore its battered image among some indignant Chinese as they say the company is headed for a political cliff amid unconfirmed rumors that it had granted the US government access to all its data, including vital and even classified geospatial information about roads and installations in Chinese cities in exchange for American regulators and the New York bourse greenlighting its IPO.
Li Min, Didi’s senior vice president, has emphatically dismissed the accusations as groundless, adding that all data is and will be securely stored in servers in mainland China.
Eric Mer, a professor of political science at Peking University, said rumors about Didi transferring its sensitive data to the US as a quid pro quo to allow its IPO “stretched credulity” as China’s cybersecurity review ordinance was promulgated in June 2020 by ministries responsible for national security, public security and information technology, more than a year before Didi’s US flotation.
He said Didi, like all Chinese tech giants, must be cognizant of updated requirements and must have legal and compliance teams to ensure conformity.
Mer said the probes Didi faces could be more about the improper collection, storage and handling of personal data and information than a grave national security issue and that Didi may get out of the morass quicker than many may expect since the livelihoods of so many drivers are at stake. But he warned that “regulatory shock waves” could still hit the many Chinese tech firms now making a beeline for listings in the US.
“When bilateral ties continue to sour, Beijing may frown upon Chinese firms, especially tech firms, seeking IPOs in the US when they sell shares to Western investors and share their profit from China with them,” Mer said.
“Subtle pressures are brought to bear on these companies to make them float instead on domestic stock markets or they will be exposed to the kind of scrutiny Didi is now facing.”
Questions have also been raised about Beijing’s belated actions against Didi and whether there was sufficient communication between government watchdogs and the company before the latter’s share sale in the US to avoid rattling the market.
Liu Xiaobo, a financial commentator and a former Xinhua business reporter, wrote on his blog that Beijing may plan to expand the powers of the China Securities Regulatory Commission to scrutinize overseas IPO plans of Chinese companies and the data and information they would hand over, since Chinese firms could be requested by foreign regulators and bourses to disclose sensitive data. He said the parameters for the approval process could be hashed out soon.
“The labyrinthine domestic and foreign law and compliance requirements may make some of them reconsider their IPO plans and instead list in Shanghai, Shenzhen or Hong Kong,” Liu said.
He said the investigation into Didi could examine how the company, as a systemically important internet and technology service provider, had procured backbone information devices and solutions to store its sensitive data to guarantee these systems would not pose risks to or break laws governing cybersecurity and national security.
These laws contain clauses governing the purchase and maintenance of key information systems and databanks to protect them from hackers from “foreign adversaries” who may want to burrow into them to steal state and commercial secrets.