Didi: the first cybersecurity review in China
by Peggy Tong
Didi is China’s biggest ride-hailing app. At the end of June this year, it was officially listed on the New York Stock Exchange and its market value reached US $67 billion at the issue price. Just a few days after listing, Didi faced one of the biggest crises in its history. All of its 25 apps were taken offline and its share price dropped.
What happened
On July 2, the Cybersecurity Review Office announced a cybersecurity review of Didi and on July 4, just two days later, it ordered Didi to remove the Didi apps from all app stores. On July 16, the Cyberspace Administration of China, under which the Cybersecurity Review Office operates, together with six other departments jointly launched a cybersecurity review against Didi.
Such a large-scale joint department review is very rare in China. This is the first time that China has launched a cybersecurity review on an enterprise. As such, special attention should be paid to how this review will operate in practice.
Illegal collection and use of personal information
The Cybersecurity Law and the Measures for Cybersecurity Review provide for a cybersecurity review in order to prevent national data security risks and safeguard national security and public interests. According to the governmental notice, the Didi App has serious problems in collecting and using personal information illegally.
As a leading company in the field of transportation, the Didi App has more than 1 billion users. With such a high number of users, Didi is able to collect a large amount of users’ personal travel information and high-precision map information. A leak of this critical information would have a great impact.
Although the final result has not come out yet, we can still draw some lessons from it. Several regulations are relevant to this action, such as the Cybersecurity Law, the Data Security Law and the Measures for Cybersecurity Review, among others.
Which direction is the Cybersecurity Review heading?
On 10 July, a revision draft of the Cybersecurity Review Measures was published for comments. Article 6 mentions that in order to apply for a listing overseas, an operator must apply to the Cybersecurity Review Office for a cybersecurity review if it is in possession of the personal information of more than 1 million users.
The fact that these draft Measures were published so shortly after the Didi listing and cybersecurity review shows that in the future, overseas listings of Chinese companies will be scrutinized more closely.
In other words, the Chinese government takes a cautious attitude towards data leaving the country. The draft Measures are introduced in order to avoid the leakage of sensitive information and data. In the big data era, critical information has been raised to the level of national security.
The revised Measures also stipulate the factors which will be taken into consideration when assessing the national security risks during the cybersecurity review.
These factors include the security, openness, transparency, diversity of sources, reliability of any supply channel of any product or service and the risk of its supply being interrupted due to political, diplomatic, trade or other factors; the risk of theft, leakage, corruption or illegal use or export of any critical or key data or a large amount of personal information; the risk of any critical information infrastructure, key or important data, or a large amount of personal information being affected, controlled, or maliciously exploited by a foreign government after the company is listed overseas, and other risks.
Take-aways for now: protect data!
We will await the outcome of the cybersecurity review on Didi, and will then see what happens in practice to companies that might not act in accordance with the current laws and regulations in China. In this regard it is also important to note that China will have a new Data Security Law from 1 September 2021, on which we have already published.
In the meantime, enterprises should pay more attention to data security compliance. For companies with a small number of users, excessive demand for users’ information is likely to increase the cost of protecting this data and to cause unnecessary trouble. The more data you have, the greater the risk you face. Also, the requirements for the security, openness, transparency and diversity of the supply of products and services will be higher.
Larger companies, especially those planning overseas listings, will need to be prepared to face the cybersecurity review and to provide solid evidence and demonstration in advance for the data security risks that may be questioned in the review.
Finally, bear in mind that a cybersecurity review might have a strong adverse impact on your business. In Didi’s case, many users are choosing other apps during the cybersecurity review, and some have even cancelled their Didi accounts because they think their personal information has been stolen. As such, being on top of data protection seems to be the new reality for companies in China.