Cover Series: The Regulatory Landslide Engulfing Chinese Tech Firms (Part 3)

First it was probes into financial risk, then measures to curb monopolistic behavior. Now, in the last two weeks the regulatory landslide sweeping over Chinese internet companies has incorporated an even more sensitive area: national security.

The government’s top cybersecurity regulator this month announced national security probes of three recently U.S. listed firms and proposed draft rules that would require it to approve virtually any overseas listing by a mainland tech firm.

The hammer fell first on the company group that includes Didi Global, then simultaneously on the world’s largest truck-booking platform Manbang Group, and the operator of recruitment platform Boss Zhipin. All three are now under investigation after an office of the Cyberspace Administration of China (CAC) publicly enacted cybersecurity review provisions for the first time since they came into effect in June last year.

Insiders and experts say the move, which stunned markets and saw investors flee Chinese tech stocks in their droves, is the clearest signal yet of local regulators’ increasingly acute focus on the potential security implications of the large datasets held by private firms — and fears such data will be transferred outside their jurisdiction.

A new draft revision to the cybersecurity review measures could mean any Chinese company that holds the personal information of 1 million or more users would have to seek a government review before listing abroad. The draft changes to the Measures for Cybersecurity Review were revealed on Saturday and are open for public comment until July 25.

Companies should provide their prospectuses to the Cybersecurity Review Office, the CAC office that conducts cybersecurity reviews, the draft shows. This would mean that companies’ prospectuses and other filings will be checked by the government before they file for a listing outside China.

Crackdown cornucopia

Spooked investors have dumped Chinese technology stocks since the domestic watchdogs’ moves earlier this month, extending a rout that has seen more than $800 billion wiped from their market value since a February peak.

The regulatory hits that have contributed to that collapse have been continuous, but varied. They have come from different agencies and spanned financial risk, privacy, antitrust, and personal data protection.

Beijing’s clampdown on Didi is the latest example of a major Chinese internet firm falling afoul of the country’s regulators. But while the case resembles recent hits on tech giants like Tencent Holdings Ltd. and the torpedoing of Ant Group Co. Ltd. blockbuster IPO last year, there’s more to the story.

When Alibaba was fined a record 18.2 billion yuan in April, the penalty was ordered by the State Administration for Market Regulation (SAMR), which manages market principles like fair competition.

After a four-month investigation, SAMR concluded that Alibaba had violated antitrust rules by forcing vendors on its e-commerce platforms, including Taobao and Tmall, to choose between its services and those of its competitors, as well as burning cash to build market share. Similar issues have seen other penalties slapped on other platform companies like delivery giant Meituan and Tencent Holdings Ltd.

The SAMR also criticized Alibaba for employing opaque pricing strategies and unscrupulous marketing techniques, which are the same issues that have catalyzed a high-profile crackdown on online tutoring platforms.

This has all played out against the background of a separate SAMR probe into Ant Group, after regulators forced the shock suspension of its record $34.5 billion IPO in Hong Kong and Shanghai and ordered an overhaul of the Jack Ma-founded firm’s highly leveraged microlending business in an effort to curb financial risks.

In contrast to these SAMR investigations, the cybersecurity probe of Didi has been launched by the CAC’s Cybersecurity Review Office. It says the focus of the investigation is to ensure Didi’s ride-hailing platform collects, stores and uses personal data in ways that pose risks neither to national security nor to consumer rights and interests.

The leading role of the CAC, which oversees and regulates the country’s tightly controlled internet, reflects Beijing’s growing preoccupation with data security in the context of not only personal information but also national security, says Clement Chen, a University of Hong Kong professor focusing on data law.

Didi’s rush to market

Rumors are flying about who knew what, when, and whether Didi fulfilled its disclosure obligations ahead of its $4.4 billion New York IPO on June 30. In at least two U.S. class action lawsuits, investors accuse the company of misleading them by failing to disclose a warning from China’s internet regulator to delay the listing until it had reviewed its network security.

 Read more
Cover Series: How Didi’s Rush to Raise Funds in U.S. Backfired (Part 1)

Didi has been laying even lower over the past week than it did in the lead-up to the IPO, with representatives declining to provide even background information on the crisis that has engulfed the firm. Clamming up may be expected of a company which is now being probed under China’s National Security Law.

But Didi’s shares have tanked and were still trading at more than 20% below their IPO price on Tuesday, as a parallel story plays out in the U.S., where senators from both sides of the aisle are demanding answers — and have called on the Securities and Exchange Commission to investigate.

Critical information infrastructure

The cybersecurity reviews of Didi, Manbang and Boss Zhipin, show regulators now see them as operators of “critical information infrastructure” (CII), said Nicolas Bahmanyar, a data privacy consultant at Leaf Law Firm.

One regulatory insider, who spoke on condition of anonymity, said: “In the future, national security reviews of platform companies will become standard practice in the same way as personal information protection and unfair competition investigations.”

Hints of what CII operators are can be found in the Draft Regulations on the Protection of Critical Information Infrastructure published in 2017 — holders of data that if destroyed or leaked would seriously damage national security, the economy, peoples’ livelihoods, or the public interest.

The draft includes a grab bag of examples — information on everything from the financial system, transport and water, public health and the environment, through to telecommunications, strategic research on chemicals, food and drugs and more.

The point, say insiders, is to ensure the security of supply chains. Zuo Xiaodong, vice president of the China Information Security Research Institute, who has been involved in drafting major government cybersecurity policies, told Caixin that large internet platforms would increasingly be treated as CII by regulators.

Zuo said there were two potential triggers for cybersecurity reviews. The first was where a CII operator procures network products or services that may affect national security. The second was simply that members of the Cybersecurity Review Office think one is needed.

While the Cybersecurity Review Office resides in the CAC, the CAC is one of 12 ministries that jointly form the national cybersecurity review mechanism. In practice that means any of the twelve can initiate a review.

A prominent feature of China’s Cybersecurity Law, as well as the Data Security Law which is set to come into effect in September, is that they attach great importance to regulating the cross-border flow of personal data, said Chen.

“According to some scholars, that’s a response to the GDPR in the European Union, to assert state sovereignty over personal data generated domestically,” Chen said.

The changing environment has been tripping up foreign firms, too, with star electric-vehicle maker Tesla Inc. announcing a new data center in Shanghai in May to store information gathered on local users and their vehicles, after CEO Elon Musk was forced to deny that the firm would ever use a vehicle’s technology for spying.

That came two weeks after the CAC issued new draft rules on car data collected by automakers requiring it be stored locally, and banning such information from being sent overseas without authorization.

The prospectuses of all the firms show they count their vast proprietary datasets as critical assets. In the case of Didi, the biggest government concern was the cross-border transfer of data, Zuo said.

A 2015 feature by the state-run Xinhua News Agency used data from Kuaidi’s car-hailing services to track activity at top level Chinese government ministries, showing for instance, that employees of the Ministry of Land and Resources appeared to work the most overtime, and that the Ministry of Public Security counted the most arrivals and departures within a 24 hour period — at all hours of the day and night.

Meanwhile Manbang Group, according to the firm’s prospectus, was the world's largest digital freight platform in 2020, with about 2.8 million truck drivers — 20% of China’s entire heavy and medium truck driver fleet — using the platform that year to complete 71.7 million trips.

Who is at risk?

“It’s a black box,” says Bahmanyar. Which private companies might be defined by the regulator as operating CII for the purpose of such reviews was unclear, Bahmanyar said.

But the crackdown on Didi, given the size of the company, was “sending the signal that any tech company or data-rich company, as soon as they’re going to reach a certain critical mass, will be under very harsh scrutiny” if they seek an overseas listing.

Chen Jihong, a partner at Zhong Lun Law Firm, said even the act of submitting a prospectus in the U.S. may have met the threshold of cross-border data transmission, given just how high the threshold is for CII operators.

Last week LinkDoc became the first Chinese company known to have put a U.S. IPO on ice since the Didi action.

On Friday, Chinese audio platform Ximalaya Inc. and bike sharing firm Hello Inc. had also suspended their planned listings. Sources told Caixin that Ximalaya will likely seek to list in Hong Kong.

‘Not an easy question’

“Essentially, I will be asking companies, ‘are you developing a Chinese product, or a foreign product?’” says Bahmanyar.

He predicts that the changing regulatory environment will split how technology products are designed for the Chinese market. “We are going to see companies choosing to fully localize the development of their products in China, and also fully localize outside of China for the rest of the world.”

“So you are going to see a Chinese wall within the company on product R&D and deployment, just to avoid any influence. I think that’s what companies should be prepared to do — to localize their entire supply chain for China and for the rest of the world.”

While that may work for a multinational corporation, if you’re a small tech company, “it’s essentially asking you to choose between China and the rest of the world,” he says. “It’s not an easy question.”

This is the third in a series of stories about the regulatory storm that followed Didi's IPO. Click to read part one, part two, and part four.

Contact reporter Flynn Murphy (flynnmurphy@caixin.com) and editor Joshua Dummer (joshudummer@caixin.com)

Download our app to receive breaking news alerts and read the news on the go.

Follow the Chinese markets in real time with Caixin Global’s new stock database.