The China tech regulator taking on Didi: Five things to know

HONG KONG/TOKYO — Following the announcement of strong actions against Didi Global, one of China’s most well-known digital businesses, global investors have reason to pay closer attention to the Cyberspace Administration of China. The CAC informed Didi on Sunday that it had discovered “severe violations” of data rules with its all-important consumer app and that it must be deleted from Chinese app stores — a major setback just days after the company raised almost $4.4 billion in an IPO in New York. Didi’s stock dropped 20% on the first trading day after the CAC took action. Didi isn’t the only company that has been probed by the administration. Two more companies that recently went public in the United States, logistics firm Full Truck Alliance and recruitment platform Kanzhun, were told that they would be subjected to “cybersecurity reviews” based on national data security concerns and would not be able to register new users until the reviews were completed. The crackdown has made the Chinese IT sector wary of further action, and investors are irritated that officials intervened only after businesses listed in the United States. Here are five things to know about China’s latest restrictions on some of its domestic technology companies. What is China’s Cyberspace Administration? The Chinese Cyberspace Administration (CAC), also known as the Office of the Central Cyberspace Affairs Commission, reports to both the Communist Party and China’s government, the State Council. It was founded in 2011 under the State Council and rose to prominence in 2014, when the party’s Central Committee established a cybersecurity and IT application steering group, led by President Xi Jinping and controlled by the CAC. “There is no national security without cybersecurity; there is no modernization without IT applications,” Xi declared at the first meeting. The CAC will collaborate with 12 other major central government organizations, including the ministries of public security and state security, to examine network products and services from operators of critical information infrastructure under a cybersecurity review system introduced a year ago. Zhuang Rongwen, 60, who is also deputy chairman of the party’s Publicity Department, leads the CAC. Zhuang was a technocrat in Fujian Province, where Xi worked from 1985 to 2002, before being promoted to Beijing in 2010. What prompted the CAC to take action now? No one knows for sure at this moment, but policy consultancy Trivium China warned clients in a note that the move coming just weeks after Didi, Full Truck Alliance, and Kanzhun listed in the United States does not appear to be a coincidence. Trivium speculated that the move could be motivated by annoyance at the companies for rushing ahead with New York IPOs while China’s crackdown on major online platforms is still ongoing, or because CAC “is genuinely concerned about data security risks posed by overseas listing,” citing public comments by the securities regulator and state media reports last month. “The apparent concern is that foreign interests could gain access to Didi’s data, putting national security at risk,” said Gavekal Research analysts Ernan Cui and Thomas Gatley, who linked the CAC’s move to the new cybersecurity review system. “The issue appears to be that Didi revealed information about its [network equipment] suppliers to IPO investors in the United States before Chinese officials saw them.” Another factor in the timing of the crackdown could be China’s Data Security Law, which was passed last month. Its scope includes transportation data, which is not named as a subject of surveillance in the draft bill. The new rule also gives authorities more control over data collection, protection, and transfer, making it impossible for businesses to use data obtained in China for purposes outside of China. Why is data so important to Beijing? China has been dubbed “the Saudi Arabia of data” by Kai-Fu Lee, a Chinese venture capitalist and former Google executive, and officials have grown to consider data as a resource too important to be totally entrusted to the country’s leading internet platforms. Issues around data exploitation played a crucial role in Ant Group’s $35 billion IPO in November and sister company Alibaba Group Holding’s 18 billion yuan ($2.78 billion) penalties in April. “We must not allow any internet giant to become a super database of Chinese people’s personal information that is more detailed than what the state has, let alone give them the right to use that data at will,” the Global Times, a tabloid under the wing of party mouthpiece People’s Daily, wrote in an editorial published on Sunday night. “The country needs tougher information security regulation, especially for companies like Didi Chuxing, which are listed in the United States and whose largest and second largest owners are foreign companies,” the editorial stated. “The data of Didi’s domestic users is stored on domestic servers, and it is absolutely impossible to pass the data to the US,” company Vice President Li Min said Saturday in a post on the Weibo network in response to speculation that the company had shared data with the US to secure its New York listing. He warned the company would sue those who continued to “spread malicious rumors.” Who else could be on the CAC’s radar? This is still unclear. Despite the recent actions against Didi, Kanzhun, and Full Truck, as well as previous actions against Ant and Alibaba Group Holding, LinkDoc Technology, a medical data business funded by Alibaba Health Information Technology, is planning a $210 million IPO on the Nasdaq Stock Market later this week. According to two people familiar with the deal, the company plans to close its books on the sale on Wednesday, a day earlier than expected due to significant demand. Since May, the CAC has publicly penalized 351 apps for improperly gathering and utilizing personal data. Tencent Holdings, Baidu, ByteDance, LinkedIn, and Nike have all built and operated apps. The software developers were given 10 to 15 days to fix the problems and report their progress, or they would face more penalty. Due to data security concerns, Beijing reportedly persuaded podcast platform Ximalaya to abandon plans to list in the United States in favor of Hong Kong earlier this year. The problem is also expected to play a role in ByteDance’s aspirations to offer some or all of its businesses, including TikTok, on the stock exchange. What other regulatory stumbling blocks will Chinese firms face? In a joint statement released Tuesday evening, the State Council and the Communist Party General Office said they would establish new legislation and guidelines governing the handling of cross-border data flows and sensitive information in connection with Chinese companies’ abroad IPOs. A draft Personal Information Protection Law is also being considered; it is anticipated to be enacted later this year as the third leg of the country’s extensive regulations on digital information. The timing of Beijing’s efforts, coming so soon after the three New York IPOs, has rung up alarm bells in the United States. “Whatever the reasons for China’s national security activities are, the US perspective is that Beijing cynically timed its regulatory blow to fall after Didi had sucked up U.S. investors’ money,” Cui and Gatley of Gavekal said. They believe the initiatives will hasten a legally mandated effort to boost US hurdles to Chinese businesses listing in the United States if they refuse to give American authorities access to their audit records, a long-standing issue already exacerbated by Beijing’s existing data-sharing restrictions. The experts predicted that “the impetus for an accelerated decoupling of the two countries’ equities capital markets will rise.” What had appeared to be a record-breaking year for Chinese IPOs in the United States, with 34 IPOs raising $12.4 billion to date, is now in risk. Narayanan Somasundaram contributed additional reporting from Hong Kong./nRead More