It has been a rollercoaster week for Didi Global. Last Wednesday, Didi raised $4.4 billion in a behemoth US IPO. Two days later on Friday evening, China’s cybersecurity regulator announced an investigation into the company. Then on Sunday night, less than a week after Didi went public on the New York Stock Exchange, the regulator asked app stores in China to remove Didi’s app.

The probe of China’s dominant ride-hailer follows other large penalties for Chinese tech majors, such as the abrupt suspension of Ant Group’s giant $34 billion dual IPO listing in Shanghai and Hong Kong in November 2020 and a $2.8 billion antitrust fine for Alibaba in April. 

Authorities at the Cyberspace Administration of China (CAC), a cyberspace watchdog, said on July 2 that they launched a “cybersecurity review” of Didi to “guard against risks to national data security” and “protect the public interest.” Citing national security law and cybersecurity law, they also asked Didi to stop registering new users. Two days later, they ordered operators to pull Didi’s app from all app stores for issues concerning user data protection, saying the app “seriously violated Chinese laws and regulation on personal information collection and usage.”

The app store suspension, although dramatic, hasn’t stopped Didi from operating. Didi’s service is still widely available in China. The ban means new users cannot download Didi’s app and use its service. Yet new users, at the time of this writing, can still register for the service through Didi’s mini-program embedded in apps like WeChat, a popular Chinese messaging app, according to our observations. Also, existing users, which account for most Chinese ride-hailing customers as the company holds 90% of the market share, can still use the service, either through Didi’s app or its mini-program on WeChat. 

On Monday, the CAC expanded its probe, announcing that it also launched similar cybersecurity investigations into three other companies and asked them to stop registering new users. All these companies have recently debuted on US stock exchanges. Job recruitment platform Boss ZhiPin debuted on Nasdaq under Kanzhun, a Tencent-backed company, on June 11. Partner transport companies Huo Chebang and Yun Manman went public together on the New York Stock Exchange on June 22 as a single company called Full Truck Alliance. 

The actions are a notable step up for privacy regulation. But they come as part of a long-term effort to regulate data use during an ongoing crackdown on big tech, experts told TechNode.

Business may be… fine?

Didi said in a July 4 statement that it expects that the app takedown may have “an adverse impact on its revenue in China.” 

According to a 2020 regulation for the review process, a cybersecurity review should be completed within 45 days. However, it can be extended if “the situation is complicated.”

James Hull, analyst and portfolio manager at Hullx Capital, said a suspension of 45 days or longer isn’t “that bad for the company,” because most Chinese users already have the Didi app and could access Didi through WeChat mini-programs. The Chinese version of the app was downloaded about 900,000 times in June, according to SensorTower, or 30,000 times per day.

Michael Tan, a partner with international law firm Taylor Wessing Shanghai Office, told TechNode that he thinks the investigation could take six months. Didi’s stock price is likely to take a hit, but the company is unlikely to be delisted from the US, he added, because Chinese regulators will focus on data security more than the listing.

But Tu Le, founder and managing director of business intelligence firm Sino Auto Insights, told TechNode that he thinks US investors may demand more information. “If I were a US investor in Didi, I’d like to know what Cheng Wei, Jean Liu, and the rest of the management team ‘knew,’ if anything at all, and ‘when’ they knew it.”

“If there was prior knowledge that Cyberspace Administration of China would block new users due to security issues, then it should’ve been disclosed prior to the IPO,” Le added.

Didi shares on the New York Stock Exchange fell 5.3% on Friday, following the CAC announcement of a cybersecurity review of the company. The US market had not opened on Monday at the time of this publication. 

Both Le and Michael Tan say Didi’s probe could have broader implications for Chinese data companies planning to raise money in the US.

Le said the Didi probe “should really freak out any data company planning to IPO in the US.” Data companies need to make sure that their data management strategy is bulletproof if they decide to list in the US later this year, he said. “I’d say they’ll still do it, but this should give them pause, if only for a brief moment,” he added.

Why is Didi being investigated?

It’s not entirely clear what got Didi in trouble. The notices refer to national security and to “serious problems with illegal and irregular collection and use of personal data.” Timing suggests that the recent US IPO could also be a factor. All three firms that were penalized this past week have been listed on US markets since early June 11. 

The company says that all information related to Chinese users is stored in China, in response to speculation of Didi sharing sensitive data. Company Vice President Li Meng wrote on Weibo Saturday that the company was willing to sue over speculation that it had shared sensitive information during its IPO process.

Tan said that alleged data privacy abuse is the main reason for Didi’s investigation. Didi’s US IPO likely accelerated the probe but didn’t trigger it.

In 2015, Chinese state news agency Xinhua collaborated with Didi’s big data analytics department on a report focusing on commuting patterns of state staff working for different Chinese ministries. “Almost all ministries work overtime,” the report said, “The Ministry of Land and Resources is the busiest. There were 298 rides hailed between 6 p.m. to 2 a.m. in two days,” Xinhua said. China could deem data like this as sensitive.

The investigation targets Didi’s potential privacy breach activities in China, Tan said. “US IPO will result in disclosure of much business-related information to the US markets and other third parties in the US,” he said. “This will inevitably lead to some speculation, such as Didi being investigated due to national security concerns or providing access to sensitive data,” he added.

Legal background 

The investigations are based on a relatively new CAC power called a “cybersecurity review.” This review process was created by the 2016 Cybersecurity Law, but has never previously been implemented, according to the Beijing News. According to the law and 2020 implementation measures, the review system focuses on operators of “critical information infrastructure,” and their purchases of “network products and services that might impact national security.” The Cybersecurity Law, along with landmark laws on privacy and data security, is part of an ongoing effort to regulate the use of personal data by companies in China. Cross-border data transfers are a focus of these laws, but the laws also require companies to implement best practices for collecting and storing data.

“That could cover anything from Didi’s servers to cloud computing to basic network equipment,” said Tiffany Wong, a consultant at research-based consultancy Sinolytics.

Wong said that it’s also possible for companies to get in trouble under these laws due to how they store and process important data. “It could be that Didi hasn’t segmented their personal information to the CAC’s liking, or don’t have good data protection mechanisms in place as required, and the state wants Didi to have full compliance before collecting any more personal information,” Wong added. 

Moreover, Xie Maosong, a senior politics and governance researcher at the Chinese Academy of Sciences, told TechNode that he thinks Didi and other internet companies need to develop a better sense of social responsibility in China instead of focusing only on making money. Xie studies Chinese governmental policies and he gave lectures a few weeks ago to the Cybersecurity Administration in Hangzhou on regulating Chinese internet companies. 

“In the western society, capital takes priority,” said Xie, “but in China, politics always takes priority. Here, politics doesn’t refer to the Chinese government, and it refers to the interests of the nation, a collective interest, in contrast to the interests of a few capitalists,” he added.

Tech crackdowns in China

The investigation into Didi came as China widened an ongoing crackdown on tech companies. The crackdown started in November when authorities halted Chinese fintech giant Ant Group’s plans for a mega dual IPO, citing “changing regulatory environment.” Since then, regulators have abandoned their laissez-faire approach to tech firms and put them under the microscope.

In December, the State Administration for Market Regulation (SAMR) announced an anti-monopoly investigation into e-commerce behemoth Alibaba. The probe was closed in April as the market regulator imposed a record RMB 18.2 billion ($2.8 billion) fine on Alibaba. 

Anti-monopoly has been the most active area of the campaign, hitting tech titans like Tencent, Alibaba, Meituan, and Didi itself, according to TechNode’s Techlash Tracker database. But the campaign also involves privacy protection, data security, and financial de-risking. Over the past year, hundreds of companies have been hit with small fines over privacy and data security violations.

READ MORE: INSIGHTS | Making sense of China’s big tech crackdown

The Didi probe is the first major case in the privacy and data security section of the campaign. 

In the past, companies like Tencent, search engine Sogou, and smartphone maker Xiaomi were fined small amounts of money for collecting excessive or unnecessary data from their app users. Those enforcements usually cite China’s 2017 Cybersecurity Law and regulations on how apps should collect and store user data. 

The investigation into Didi, however, probably involves national security issues, according to the CAC. In addition to the Cybersecurity Law, the CAC also cited China’s National Security Law in announcing the Didi probe. The 2015 National Security Law has a clause (in Chinese) vowing to “safeguard the nation’s cyberspace sovereignty, security, and interests.”

“The state attaches great importance to cybersecurity and data security. The Cybersecurity Law passed in 2017, the Cybersecurity Review Measures issued in 2020, and the Data Security Law that is taking effect in September are all signs of the government’s determination to protect cybersecurity and data security,” said Qi Aimin, a professor at Chongqing University’s School of Law.

Recent cybersecurity reviews on tech firms, including probes into Boss Zhipin, Huo Chebang, and Yun Manman announced on Monday, proving that “large-scale cybersecurity and data security investigations of internet companies will become a trend,” said Qi.

A timeline of Didi’s regulatory woes

Dec. 24, 2020: Chinese transport minister Li Xiaopeng pledges to ramp up antitrust enforcement as one of the ministry’s priorities in 2021. The head of Chinese transport watchdog made the comment a month after the release of the draft anti-monopoly guidelines targeting the country’s big tech companies by the SAMR.

March 12, 2021: China’s top market watchdog SAMR fines (in Chinese) Didi Mobility Pte. Ltd., a subsidiary of the Chinese ride-hailing giant, RMB 500,000 ($77,400) for failing to seek antitrust clearance for the establishment of a joint venture with Softbank. In the current antitrust law framework, companies need to receive approval for mergers or acquisitions involving firms with annual revenues of RMB 10 billion and above globally or more than RMB 2 billion in China.

April 30, 2021: Didi is again ordered (in Chinese) to pay a penalty after insufficiently disclosing three acquisitions and investments for antitrust reviews, including a takeover of a Shenzhen-based car rental firm. Chinese gaming powerhouse Tencent and retail giant Suning were also punished for the same reasons, with each fined RMB 500,000, the highest amount stipulated by the law.

May 12, 2021: China’s cyberspace administration issues new draft rules on data collection applying to both carmakers and ride-hailing platforms, stipulating that companies need to gain regulatory approval before providing “important and private data” to foreign entities (our translation). Coming after growing concerns about vehicle cameras and where the car data is going, CAC writes in the announcement (in Chinese) that the rules have been drafted to safeguard national security and the public interest.

May 14, 2021: Chinese antitrust regulators order ride-hailing platform Didi and online services giant Meituan to rectify their ride-hailing practices, reports Bloomberg. The two companies were among 10 online on-demand services ordered to make changes to their operations, including increasing drivers’ commission fees.

June 17, 2021: Reuters reports that China’s market regulator is investigating whether Didi violated antitrust rules. Didi dismisses the report as “unsubstantiated speculation from unnamed sources.” However, the company acknowledged that it has just completed a one-month self-inspection to correct monopolistic practices, along with dozens of other companies, as required by regulators, in its IPO prospectus filed last month.  

Qin is the managing editor at TechNode. Previously, she was a reporter at the South China Morning Post's Inkstone. Before that, she worked in the United States for five years. She was a senior video producer...

David Cohen is a former acting editor in chief at TechNode. Since 2010, he has covered China as a writer and editor at outlets including the Diplomat, the Jamestown Foundation, and China Policy. He’s...

Jill Shen is Shanghai-based technology reporter. She covers Chinese mobility, autonomous vehicles, and electric cars. Connect with her via e-mail: jill.shen@technode.com or Twitter: @jill_shen_sh