State security officials, regulators, and police have since been sent to the company offices, according to the Wall Street Journal. This comes at a time when the Chinese government is closely examining cybersecurity practices and personal data collection. Among the immediate ramifications for Didi are the inability to register new users and apps being removed from app stores.
The fallout has market watchers closely examining how these events will affect the business climate in China, while tech businesses having to consider whether they are indeed fully compliant.
Michael Tan, a partner at Taylor Wessing and head of the firm’s TMC practice for China, says the events have created something of a buzz when it comes to compliance in China, particularly in terms of data protection.
“This is a very hot topic,” Tan says, adding “Within business circles, there has been quite a heated discussion about the data security law.” He notes that the actions against Didi represent a “very strong warning from the regulators.”
In particular, Tan says the U.S. IPO was a sign that Didi “chose to cross the line.”
“That triggered quite a strong reaction from the regulators, because that certainly means it needs to be scrutinised if there is any kind of data breach cases which could potentially jeopardise not only privacy but also national security, this is for sure,” Tan says.
“If you go public in the U.S. instead of China, there are all these public disclosure requirements, that may expose quite a lot of business data to the public and U.S. regulators. This is certainly, no something that is good, let alone, in the internet sector that has long been rampant abuse of privacy. This will mean if some other third parties including foreign governmental agencies want to have a closer look at your case, they could for sure take a closer look,” he adds.
Tan says Didi fell under the scrutiny of regulators based on existing concerns around privacy breaches, and regulators have been paying close attention to the business prior to its listing.
“If you read the official announcement, the regulators concluded that there have been privacy breaches, this is the legal basis or argument used to further the investigation,” he notes.
For Didi, the nature of the business was already likely to place them somewhat under the spotlight.
“Obviously they have a lot of data in their hands, they also have been expanding quite aggressively in the past. So now there have been certain violations of rules as investigated, at least according to the official announcement,” Tan says.
“The biggest hurdle they are facing, is they have been going beyond certain (unspoken) regulatory boundaries, particularly in cybersecurity, data security,” he adds.
But while “the business will be jeopardised,” Tan says “in reality, you can still use the app, just like today I’m still using Didi, as an existing user, you can still use it.”
China’s government has been taking data protection increasingly seriously in recent years, with a new data security law coming into effect in September 2021. Tan views the Didi episode as being part of a global greater emphasis on data security.
“Every country is becoming highly alert and also are trying to protect themselves. This is also one of the major concerns behind the Chinese legal framework behind data security. Which is closely linked to the so-called data sovereignty,” Tan says.
“If you have business activities in China or are dealing with China, you need to follow Chinese law, I think that’s inevitable,” he adds.
To contact the editorial team, please email ALBEditor@thomsonreuters.com.