- China’s internet regulator announced an investigation into ride-hailing group Didi Global, citing illegal collection and use of personal data.
- The State Council, China’s cabinet, also called for new rules to tighten regulation of foreign listings by Chinese companies, just days after Didi’s New York IPO.
- Beijing has previously signaled its increasing concern about data security and digital privacy with two new laws discussed or enacted in recent months.
The 2 July announcement by the Cyberspace Administration of China (CAC) did not specify Didi’s alleged violations, saying only that the purpose of the investigation is to “uphold national security and the public interest.” A follow-up announcement on 4 July stated that Didi’s app “collected and used personal data in serious violation of law and regulation.” CAC also forbade Didi from adding new users for the duration of the investigation and temporarily banned app stores from offering the Didi app for download.
Data security is now a top priority
As with the recent regulatory crackdowns on Alibaba and Ant Group over anti-monopoly and financial risk concerns, the timing and severity of the government action is surprising, but authorities had clearly signaled their increased focus on data privacy and security in recent months. Two recent notes analyzed the newly-enacted Data Security Law and a draft Personal Information Privacy Law that parliament is likely to approve this year.
Anti-monopoly concerns are closely linked to data privacy and security. Didi’s quasi-monopolistic position in the ride-hailing market is the reason that the company has accumulated an unrivaled trove of user data. Didi had 600mn total users by the end of 2020, including users and drivers, and operated 60mn trips per day across taxis, bike sharing, and other transport methods. In April the State Administration of Market Regulation (SAMR) fined Alibaba, which owns a stake in Didi, for antitrust violations, and the agency is reportedly preparing a fine for Tencent, another Didi shareholder.
CAC’s investigation into Didi takes its authority from the 2015 National Security Law, the 2017 Cybersecurity Law, and the 2020 Cybersecurity Review Measures. Regulators are reportedly concerned about Didi’s purchase of server hardware from abroad that could be vulnerable to security breaches. The Cybersecurity Review Measures require that operators of “critical information infrastructure” request a government review of important procurement transactions. Significant uncertainty remains, however, about the definition of “critical” infrastructure and which specific procurement transactions require a review. CAC reportedly advised Didi to delay its IPO until it had conducted a review, but CAC and other agencies stopped short of demanding a halt to the listing.
Under the Cybersecurity Review Measures, investigations can last up to 30 business days, with extensions of 15 business days possible for complex cases. On 5 July, CAC announced similar investigations into three other internet platforms: two truck-hailing apps operated by Full Truck Alliance and a job recruiting platform, Boss Zhipin.
Foreign listings are a vulnerability for data security
Didi’s IPO appears to be a case in which several strands of policy focus converged. In addition to the anti-monopoly and data security issues described above, regulators are also concerned about risks related to overseas listings by Chinese companies. Like Didi, Full Truck and Zhipin also completed New York IPOs within the last month and possess valuable troves of user data.
For years, financial regulators have sought to encourage national champion technology companies to list on Chinese stock exchanges. The Shanghai exchange created a new stock board targeted at emerging tech companies, and the Hong Kong exchange revised listing requirements to address regulatory barriers that had pushed companies like Alibaba, Baidu, and JD.com towards New York. For different reasons, US policymakers also want to discourage US listings by Chinese companies. The Holding Foreign Companies Accountable Act (HFCA), which the US Congress enacted in December 2020, will force Chinese companies to delist from US exchanges if they fail to submit audit records to US regulators.
But neither the threat of US delisting nor Chinese regulators’ preferences have so far discouraged Chinese companies from selling shares in the US. Some 34 Chinese companies raised a total of USD 12.4bn in New York in the first half of this year – both figures are all-time records. The main reason is that the approval process for mainland IPOs remains lengthy and onerous. Didi was reportedly also concerned that its use of unlicensed drivers might violate Hong Kong exchange rules.
Chinese policymakers now are moving more aggressively to discourage overseas listings. On 6 July, the State Council called for revising rules on foreign listings, while tightening regulation of data disclosure by listed companies. China’s National Security Law and its revised Securities Law already forbid US-listed Chinese companies from disclosing audit records to US regulators as required under US law. This is the issue that, if left unresolved, will eventually lead to delistings under the HFCA. Moreover, as previously discussed, the new data security law and the pending personal privacy law include provisions restricting cross-border transfer of Chinese data and the provision of such data to foreign law enforcement authorities. The latest State Council announcement appears to reflect a similar concern – that disclosure rules for overseas-listed companies could force Chinese companies to reveal sensitive data.
Foreign listings: amend, don’t end
Following the State Council announcement, the China Securities Regulatory Commission (CSRC) will likely impose new rules that raise regulatory hurdles for Chinese companies – especially tech companies – seeking foreign listings, but regulators probably do not intend to shut down such listings entirely. For years the CSRC has been content to maintain a tight grip on the flow of mainland IPOs while exerting minimal control over foreign listings. This two-track system served to protect unsophisticated Chinese retail investors from low-quality IPOs, while still allowing not-yet-profitable Chinese companies to obtain financing elsewhere. The CSRC is now gradually loosening its grip on IPO approvals in Shanghai and Shenzhen, but full deregulation is still years away, if it ever comes.
At a minimum, new rules will likely close a loophole that enables offshore-domiciled companies to list abroad without Beijing’s approval. Additional rules governing disclosures to foreign stock exchanges are also likely. But the State Council statement also hints at possible regulatory loosening. One line calls for “strengthening cross-border regulatory cooperation.” Though vague, this phrase suggests a possible compromise to resolve the US-China audit disclosure dispute that led to the HFCA. CSRC Chairman Yi Huiman has previously signaled a willingness to compromise on this issue. Still, any bilateral agreement would need to overcome anti-China politics in Washington, where many US politicians would be happy to deny all Chinese companies access to US capital markets, even if the audit disclosure issue were resolved.
As with Ant and Alibaba, regulators do not appear to want to destroy Didi but rather to subject the company to tighter regulation. While the temporary ban on adding new users appears harsh, the app is already so widely used that there was little scope for further user growth within China, while existing users can continue to hail rides without disruption.