China has taken a series of actions recently in an effort to tighten scrutiny of the data security practices of domestic technology companies. Most prominently, the Cybersecurity Review Office (CRO) and Cyberspace Administration of China (CAC) initiated multiple cybersecurity reviews, including one on Chinese ride-hailing company Didi. These investigations all involved companies that recently had Initial Public Offerings (IPOs) in the United States. In addition, the CAC removed Didi Travel from app stores due to its mishandling of users’ personal information; and the State Council issued a document to strengthen legislation on data security and data flows as part of the effort to crack down on illegal activities in the securities markets.
New cybersecurity reviews
On July 2, the CRO launched its first cybersecurity review on the Chinese ride-hailing app “Didi Travel” to “prevent data security risks, safeguard national security and protect the public interest.” The app will not be able to register new users during the investigation. (See full announcement in Annex I)
Soon afterwards, the CRO pushed forward with additional cybersecurity reviews, announcing three more reviews on July 5. The announcement targets two logistics apps, Yunmanman and Huochebang, both run by Full Truck Alliance Co. Ltd (FTA). It also targets one recruitment platform, Zhipin.com, run by Kanzhun Ltd. Both companies, FTA and Kanzhun, went public on the U.S. stock market in June this year. As was the case with Didi, the announcement pauses new user registration during the investigation.
Legal basis for Didi’s investigations
There was speculation that the cybersecurity review was due to Didi’s handling of data storage and cross-border data transfer, which is governed by Article 37 of China’s Cybersecurity Law. The law requires critical information infrastructure (CII) operators that gather and produce personal information and other important data to store the information within China. (See Annex II for the full text of Article 37)
In response, Li Min, the Vice President of Didi Global, which is the company that runs the “Didi Travel” app, denied these allegations on Chinese social media platform Weibo, and according to an informal translation said that it is “absolutely impossible” to leak any data to the United State because all data of domestic users are stored at servers in China.
Other legislation that may be relevant to the cybersecurity review includes Article 59 of the National Security Law and Article 35 of the Cybersecurity Law. Article 59 requires a national security review for, among other things, internet information technology products and services that impact or might impact national security. Article 35 requires a national security review for CII operators purchasing network products and services that might impact national security.
To implement these laws, the CAC released the Measures on Cybersecurity Review (the Measures) last year. The Measures set up rules to secure the supply chain of CII operators. The products and services purchased by CII operators, according to the Measures, include high-capacity data storage and large databases and applications that will have an important impact on CII safety. During a related press conference, a spokesperson stated that important network and information system operators in the fields of road and water transportation, as well as some other industries, would also be subject to the requirements in the Measures.
It is possible that Didi Travel falls into the category of CII operator or important network and information system operator, both of which would be subject to cybersecurity reviews. Didi accounts for at least 80% of China’s ride-hailing market and has the most comprehensive travel information of individuals in China.
Usually, a cybersecurity review will take up to 45 business days and could be extended for another 15 business days. In special cases, the review can take even longer. Part of the cybersecurity review will evaluate the risks of “being illegally controlled, interfered with, or destroyed, and the risk of important data being stolen, leaked, or damaged.”
Didi reportedly failed to complete all data security assessments with the government, which could have triggered the cybersecurity review. The cybersecurity review may also address the information Didi submitted for its U.S. listing. The U.S. Holding Foreign Companies Accountable Act passed last year requires Chinese companies listed in the United States to comply with American auditing standards and share accounting information with U.S. regulators. However, the Chinese government has been reluctant to allow U.S. regulators access to Chinese companies’ audit reports, citing national security concerns.
In parallel, on July 4, the CAC issued a notice stating that the app “Didi Travel” has seriously violated laws and regulations in collecting and using personal information. As a result, the CAC required all app stores to remove “Didi Travel.” In the meantime, the notice requires Didi to fix all the existing problems. (See Annex III for an informal translation of the announcement.) Similarly, the CAC issued another notice on July 9 to require app stores to remove 25 more applications related to Didi because of their mishandling of personal information.
The July 4 notice is a separate and independent case from the cybersecurity review mentioned above. The relevant provision for the July 4 notice could be Article 41 of China’s Cybersecurity Law, which requires all network operators to follow the “laws, administrative regulations and agreements with users” when collecting and using personal information. (See Annex IV for the full text of Article 41.) An editorial piece from the Global Times stated that Didi “poses potential data risks to individuals.”
The CRO and CAC announcements on Didi came just a couple of days after the company went public in the United States. The company’s stock price had dropped from $14 at its IPO down to $11.25 on July 9. Didi is also facing at least two lawsuits from U.S. investors, and possibly more class actions.
The incident with Didi also sparked comments that U.S. investors may from now on change their attitudes towards investing in Chinese companies because of high capital risks. As a Wall Street Journal report noted, “Beijing is now taking an explicitly hostile—or at least highly skeptical—attitude to overseas tech listings themselves,” and “[a]nyone buying into a Chinese internet tech IPO or hoping this crackdown proves transitory is taking a huge risk.”
Part of a larger campaign?
On July 6, the State Council issued the Opinions on Strictly Cracking Down on Illegal Securities Activities According to Law (关于依法从严打击证券违法活动的意见) (the Opinions). Some reports have suggested the Opinions target domestic companies' overseas share sales and data security, but the Opinions seem more of a response to several recent high-profile cases in the Chinese securities market and aim at setting up an orderly capital market in China, as suggested by the head of China Securities Regulatory Commission, Yi Huiman, in a recent press conference. In particular, it calls for improving the legal liability system, law enforcement and judicial system for crimes in the securities market.
The Opinions do touch upon overseas activities. The document sets goals of improving laws and regulations on data security, cross-border data flow and management of confidential information in the section of international cooperation on cracking down illegal securities-related activities. In the same section, the need to revise the regulations on confidentiality and file management related to the issuance and listing overseas is also emphasized, as well as the need to fulfill the legal liabilities for the information security of companies listed overseas.
It is a bit unclear what role the Opinions will play in the ongoing cybersecurity reviews, but it is certain that domestic tech companies have been under increased scrutiny from the Chinese government. On July 7, China’s State Administration of Market Regulation announced punishments in 22 antitrust cases. Didi is involved in 8 of the cases with a fine of up to 4 million yuan (approximately 62 billion USD). In addition, two other Chinese tech giants, Alibaba and Tencent, are involved in 6 and 5 cases, respectively. Previously, Alibaba was fined a record $2.8 billion over antitrust violations.
Annex I: Circular regarding Launching Cybersecurity Review on “Didi Travel”
In order to prevent national data security risks, safeguard national security and protect the public interest, in accordance with the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China, the Cybersecurity Review Office will begin cybersecurity review on “Didi Travel” under the Measures on Cybersecurity Review. To cooperate with the cybersecurity review and prevent growing risks, “Didi Travel” will stop new user registration during the review period.
Cybersecurity Review Office
July 2, 2021
Annex II: Article 37 of National Cybersecurity Law:
Personal information and other important data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China shall be stored within mainland China. Where due to business requirements it is truly necessary to store it outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State Council to conduct a security assessment; but where laws and administrative regulations provide otherwise, follow those provisions.
Annex III: Circular regarding Removing “Didi Travel” App
Based on reports, and after tests and investigations, the "Didi Travel" app was found to have seriously violated laws and regulations in collecting and using personal information. According to the relevant provisions of the Cybersecurity Law of the People's Republic of China, the Cyberspace Administration of China notifies all app stores to remove the "Didi Travel" app and requires Didi Travel Technology Co., Ltd. to strictly follow the legal requirements and national standards to rectify existing problems, to effectively protect the safety of personal information of all users.
Cyberspace Administration of China
July 4, 2021
Annex IV: Article 41 of Cybersecurity Law:
Network operators collecting and using personal information shall abide by the principles of legality, propriety, and necessity; publish rules for collection and use, explicitly stating the purposes, means, and scope for collecting or using information, and obtaining the consent of the person whose data is gathered.
Network operators must not gather personal information unrelated to the services they provide; must not violate the provisions of laws, administrative regulations or agreements between the parties to gather or use personal information; and shall follow the provisions of laws, administrative regulations and agreements with users to process personal information they have stored.