TOKYO/HONG KONG — Global investors suddenly have reason to take much more notice of the Cyberspace Administration of China, after the regulator unveiled tough measures against one of the country’s most recognizable tech companies, Didi Global.
Ride-hailing company Didi was told by the CAC on Sunday that it had found “serious violations” of data laws with its all-important consumer app and that it must be removed from app stores in China — a big blow just days after the company raised almost $4.4 billion in an initial public offering in New York.
Didi shares fell 20% on the first trading day after the CAC acted.
Nor has Didi been the only company scrutinized by the administration. Two more companies that also recently listed in the U.S., logistics group Full Truck Alliance and recruitment platform Kanzhun, were told that they face “cybersecurity reviews” on national data security grounds and would not be able to register new users until the reviews were completed.
The crackdown has left the China tech sector nervous of further action and investors angry that regulators have acted only after the companies listed in the U.S.
Here are five things to know about what China intends with its latest curbs on some of its homegrown technology groups.
What is the Cyberspace Administration of China?
The Cyberspace Administration of China (CAC) is also known as the Office of the Central Cyberspace Affairs Commission and reports to both the Communist Party and to the State Council, China’s cabinet.
It was established under the State Council in 2011 and began gaining prominence in 2014 when a cybersecurity and IT application steering group was established under the party’s Central Committee, headed by President Xi Jinping and administered by the CAC.
“Without cybersecurity, there is no national security; without IT applications, there is no modernization,” Xi said at the first meeting.
Under a cybersecurity review system announced a year ago, the CAC is to work with 12 other key central government agencies, including the ministries of public security and state security, to check network products and services from operators of critical information infrastructure.
The CAC is headed by Zhuang Rongwen, 60, who is also deputy head of the party’s Publicity Department. Before being promoted to Beijing in 2010, Zhuang was a technocrat in Fujian Province, where Xi worked from 1985 to 2002.
Why has the CAC acted now?
No one can be sure at this point, but policy advisory Trivium China told clients in a note that the timing of the move within weeks of Didi, Full Truck Alliance and Kanzhun listing in the U.S. does not appear to be a coincidence.
Pointing to public comments by the securities regulator and state media reports last month, Trivium suggested the move could be driven by annoyance at the companies for rushing ahead with New York IPOs while China’s crackdown on major online platforms is still ongoing or might be because CAC “is genuinely concerned about data security risks posed by overseas listing.”
“The apparent worry is that Didi’s data could be accessed by foreign interests, and so endanger national security,” said Gavekal Research analysts Ernan Cui and Thomas Gatley, linking the CAC’s move to the new cybersecurity review system. “The problem seems to be that Didi disclosed details of its [network equipment] suppliers to IPO investors in the U.S. before Chinese regulators had seen them.”
Another factor behind the crackdown’s timing could be the Data Security Law China adopted last month. Its scope includes transportation information, an area not mentioned in the draft bill as subject to monitoring.
The new law also grants authorities greater oversight over the collection, protection and transfer of data, making it difficult for companies to utilize data collected within China for any purposes overseas.
Why is Beijing concerned about data?
Kai-Fu Lee, the Chinese venture capital investor and former Google executive, has called China “the Saudi Arabia of data,” and officials have come to see data as a resource too valuable to be fully entrusted to the country’s dominant internet platforms. Issues regarding the exploitation of data played a key role in moves to stop Ant Group’s $35 billion IPO in November and the 18 billion yuan ($2.78 billion) fine imposed on sister company Alibaba Group Holding in April.
“We must not allow any internet giant to become a super database of Chinese people’s personal information that is more detailed than what the state possesses, let alone give them the right to use that data at will,” said an editorial published on Sunday night by the Global Times, a tabloid under the wing of party mouthpiece People’s Daily.
“Especially for companies like Didi Chuxing, which are listed in the United States and whose largest and second largest shareholders are foreign companies, the country needs to have stricter information security supervision,” the editorial said.
In response to speculation that Didi had shared data with the U.S. to secure its New York listing, company Vice President Li Min said Saturday in a post on the Weibo network, “The data of Didi’s domestic users is stored on domestic servers, and it is absolutely impossible to pass the data to the U.S.” He warned the company would sue those further “spreading malicious rumors.”
Who else might be in the CAC’s sights?
This is not clear yet. Despite the moves against Didi, Kanzhun and Full Truck as well as the earlier moves against Ant and Alibaba Group Holding, LinkDoc Technology, a medical data company backed by Alibaba Health Information Technology, is moving ahead with a $210 million IPO later this week on the Nasdaq Stock Market. The company is set to close its books on the offering on Wednesday, a day earlier than planned due to strong demand, two people familiar with the transaction said.
The CAC has publicly reprimanded 351 apps for illegally collecting and using personal information since May. These include apps developed and managed by Tencent Holdings, Baidu, ByteDance, LinkedIn and Nike. The app operators were given 10 to 15 days to rectify issues and report progress or they would face further punishment.
Earlier this year, Beijing reportedly pressured podcast platform Ximalaya to halt plans to list in the U.S. in favor of Hong Kong due to data security concerns. The issue is also likely factoring in keenly watched plans by ByteDance to list some or all of its businesses, such as TikTok.
What other regulatory hurdles will Chinese companies face?
The State Council and the Communist Party General Office said in a joint statement on Tuesday evening that it will enact new legislation and rules covering the handling of cross-border data flows and sensitive information in relation to the overseas IPOs by Chinese companies. A draft Personal Information Protection Law is also under review; it is expected to form a third leg of the country’s expansive controls on digital information later this year.
The timing of Beijing’s moves on the heels of the three New York IPOs is setting off alarms in the U.S.
“Whatever the reasons for China’s national security actions, the U.S. perception is that Beijing cynically timed its regulatory blow to fall after Didi had sucked up U.S. investors’ cash,” said Cui and Gatley of Gavekal. They predict the moves will accelerate a legally mandated effort to raise U.S. barriers to listings by Chinese companies that deny American regulators access to their audit records, a long-standing issue already complicated by Beijing’s existing data-sharing rules.
“The momentum to an accelerated decoupling of the two countries’ equity capital markets will increase,” the analysts said. What had looked to be a record-setting year for Chinese listings in the U.S. — with 34 IPOs taking in $12.4 billion so far — is now in jeopardy.
Additional reporting by Narayanan Somasundaram in Hong Kong