China’s Big Tech crackdown has opened a new front: national security

Logo of Didi Chuxing is seen at its headquarters in Beijing
Logo of Didi Chuxing is seen at its headquarters in Beijing
Image: Reuters/Kim Kyung-Hoon
We may earn a commission from links on this page.

In the span of just a week, Chinese ride-hailing giant Didi Chuxing, went from being a tech darling with a successful US listing to the face of a new dimension to Beijing’s crackdown on its tech firms.

After the last-minute cancellation of fintech giant Ant’s IPO last year, many investors, including SoftBank and Uber, may have been holding their breath in the run-up to Didi’s US debut on June 30. But the IPO seemingly went off without a hitch—Didi priced its shares at the top range and raised $4.4 billion. A day later, its shares rose and it hit a value of $80 billion. The day after that, the Cyberspace Administration of China opened a cybersecurity investigation into Didi, citing “risks related to national data security.”

Soon, the watchdog ordered all app stores in China to remove Didi’s app, saying the company had committed “serious violations of laws and regulations in collecting and using personal information.” Shares of Didi have so far shed around 20% of their value since its debut.

In a statement posted on its Weibo account on July 10, Didi said it “sincerely accepts and firmly follows” instructions from regulators. The company didn’t immediately reply to a request for comment.

Didi illustrates Beijing’s new focus on user data

China’s war against big tech has so far focused on monopolistic practices, which the government has positioned as a bid to protect both consumer rights and maintain financial stability. This first stage of deeper regulation was marked by the abrupt suspension of Ant Group’s IPO planned for November.

With what appears to be the first national security review of a Chinese tech giant, authorities appear to now be concerned about whether companies like Didi could end up providing sensitive data to the US in the course of being listed there. According to the Wall Street Journal, Chinese regulators had asked Didi to postpone its listing until the potential national security ramifications were addressed. The Journal also reported that TikTok parent ByteDance decided to postpone plans for a US IPO after regulators asked it to address data risks.

“I think China is systematically enhancing its supervision and law enforcement in the cybersecurity field,” said Xia Hailong, a lawyer with Shanghai Shenlun law firm, whose practice focuses on tech regulations. “…considering Didi’s IPO would add to the difficulty of regulators’ supervision of the firm given the listing could involve the outbound flow of data, all such elements might have together led to the investigation into Didi now.”

China’s move against Didi mirrors concerns demonstrated by the US. Last year then president Donald Trump issued executive orders to ban dealings with TikTok and WeChat on the grounds that their access to US user data constituted a national security concern.  The orders were first halted by US courts and then revoked by president Joe Biden. TikTok, owned by China’s ByteDance, had to repeatedly assure US regulators and users that it doesn’t transmit their data back to China. Similarly, a Didi executive pledged on Weibo last week that the company hadn’t transmitted user data to the US.

The concerns over how and where data should be held also feed back into the antitrust scrutiny—with regulators feeling the data amassed by the largest firms amounts to an unfair competitive advantage, and that some of this data would be better housed in entities overseen by authorities.

“No internet giant is allowed to become a super database that has more personal data about the Chinese people than the country does, not to mention using the data at its own will,” China’s state-owned tabloid Global Times wrote in an op-ed last week on the Didi saga. “For companies like Didi which have gotten listed in the US market and whose largest and second largest shareholders are foreign companies, China should more strictly supervise their information security to protect both personal data security and national security.”

A timeline of Beijing’s rapid-fire crackdown on Didi

The stunning pace at which the Didi saga has unfolded is probably the best illustration of Beijing’s anger toward the firm.

  • Friday, July 2: CAC, the cyber watchdog, issues a statement saying it has opened a cybersecurity probe into the company based on China’s national security and cybersecurity laws. The company is barred from adding new users until the review is completed.
  • Sunday, July 4: The regulator finds serious violations of regulations and laws in collecting and using personal information, and orders all app stores to remove Didi’s app.
  • Monday, July 5: CAC announces that it has started cybersecurity probes into apps operated by Chinese truck hailing firm Full Track Alliance and a recruitment company under Kanzhun, both listed in the US.
  • Tuesday, July 6: In a joint statement, the State Council, China’s cabinet-equivalent, and Communist Party central committee signal that overseas listings and cross-border data flows will be subject to tighter regulation.
  • Friday, July 9: China orders another 25 apps linked to Didi to be removed from app stores, citing illegal collection of personal data.
  • Saturday, July 10: In the harshest blow last week, the regulator proposes revisions to the Measures for Cybersecurity Review, which went into effect last year. A key add under the revisions, which is in the public comment stage, is that companies holding the data of more than 1 million users, a very low threshold in the populous country, will need to go through cybersecurity checks if they want to list overseas. Meanwhile, the period for the security review to be completed has also been extended from 45 working days to three months or longer.

Closing the “variable interest entity” loophole

The revisions to the cybersecurity review rules deal a blow to Chinese tech companies planning overseas IPOs.

For decades, Chinese tech giants managed to skirt rules that barred foreign ownership in many types of companies by using the variable interest entity arrangement to list overseas. This involved setting up a corporate structure in some place like the Cayman Islands that foreign investors could buy shares in, and putting in place complex contracts regarding profits or voting between those entities and the company in China. Beijing tacitly accepted this workaround even though it meant that firms didn’t require its formal approval to list abroad, and that authorities couldn’t easily police financial improprieties that occurred in the course of some of these listings—and nor could US regulators as firms said that Chinese laws barred them from fully disclosing their books.

While the cybersecurity review changes above wouldn’t apply to listings in Hong Kong, China’s securities regulator is also reportedly revising rules that would require firms using the VIE structure to seek approval from the government for listings in Hong Kong or the US, according to Bloomberg. Firms already listed under this structure, such as Alibaba, might have to seek approval to issue new shares.

The possible changes, if executed, would make the process of carrying out an overseas listing far more cumbersome, and could dent investors’ enthusiasm for Chinese tech startups as it could become more difficult for them to cash out. Still, it seems unlikely regulators intend to disrupt the longstanding relationship that has seen Chinese tech firms rise with the help of foreign expertise and funding from global investors—though they may accept some collateral damage in the short term.

“Internet supervision…could objectively speaking increase the difficulty and costs of overseas listings, but that is not the purpose of regulators,” said Xia.