Didi showcases Beijing’s tug of war between data flows and data security

A stock trader with a US flag emblazoned on his sleeve works in front of a screen displaying the logo for Chinese ride-hailing app Didi…
Image: Reuters/Brendan McDermid

As investors, politicians, analysts, and businesses around the world watch China’s crackdown on ride-hailing app Didi, one thing to pay attention to is what this signals about Beijing’s strategy on cyber sovereignty, global data flows, and data security.

At China’s annual World Internet Conference last November, a group of the country’s major universities and a prominent government think tank jointly issued a document laying out the principles of cyber sovereignty. A key concept underpinning the short paper (link in Chinese) was the free flow of data in cyberspace.

That concept of free data flow made an appearance again in China’s new data security law, which takes force in September after its passage in Beijing’s top legislature last month. According to Xu Ke, a professor at the University of International Business and Economics’ school of law, this is the first time that China has encoded in law the principle of the free movement of data.

But, as Xu wrote in a recently published paper on China’s cross-border data, the principle of the free flow of data is circumscribed by another important concept: the secure flow of data. The interplay of these two concepts is designed to “balance the dual objectives of openness to the outside world and national security,” he wrote, but it also creates a conflict between the ideals of data freedom and data control. For example, a Chinese company may amass vast troves of user data that criss-crosses servers worldwide, potentially posing national security concerns for Beijing if the data falls into the hands of an adversary.

That conflict is now playing out in real time as the Chinese government this week dramatically intensified its crackdown on domestic tech platforms, most notably the ride-hailing app Didi. The company has been refuting allegations that it handed over troves of user and road data to the US. But that denial appears unlikely to put an end to the firm’s regulatory troubles, at least for now.

On Sunday (July 4), regulators ordered the app removed from China’s app stores, just days after the company’s blockbuster listing in New York. The ban followed on the heels of a cybersecurity review of Didi, spearheaded by China’s cyberspace administration, which barred the company from new user sign-ups. Since then, Didi’s shares have plunged below its IPO price, wiping out $15 billion of market value.

In its 2016 cybersecurity law, Beijing made it explicitly clear that cybersecurity reviews are a national security issue. The new data security law also presents data security as a national security concern. It stipulates that firms found to be mishandling “core state data” can be punished with hefty fines, or even be ordered to cease business operations. What amounts to “core state data” is left undefined, but it clearly will include data gathered and held by private firms.

China has a strong economic incentive to promote the free flow of data: according to consulting firm McKinsey, global data flows raised global GDP by over 10% compared to a scenario in which there were no such cross-border flows. New hurdles in Europe for data flows to the US would certainly create additional challenges and costs for US companies to host compliant sites in Europe. Yet China is also aware of the inherent risks posed by this data movement: after all, former US president Donald Trump banned the Chinese apps TikTok and WeChat over concerns that their vast troves of data would be used to spy on Americans.