China Removes Didi from App Stores: What We Learned from the Case and China’s Cybersecurity Regime

Written by Sophie You and Emilia Jin. Reading time: 6 minutes.

The ride-hailing giant Didi Global Inc. became the subject of a Chinese regulatory probe days after its US IPO, and the case offers lessons for cybersecurity compliance in China. Below we set out the steps foreign enterprises should pay attention to as cybersecurity and data security compliance become top priorities for China's regulators, particularly in the rapidly expanding technology sector.

Brief introduction of Didi’s case

China's Cybersecurity Review Office announced on July 2, 2021, that it was launching a review into China's leading ride-hailing company, Didi Global Inc., which had raised about US$4.4 billion in its IPO on the New York Stock Exchange on June 30. According to the announcement, the review was conducted "to guard against national data security risks, to safeguard national security and the public interest", as provided for in the Cybersecurity Law of the People's Republic of China (2017) (hereinafter "Cybersecurity Law") and the State Security Law of the People's Republic of China (2015) (hereinafter "State Security Law"). For the duration of the review, Didi was required to suspend new user registration in China.

On July 4, the Cyberspace Administration of China ("CAC") ordered app stores to remove the Didi Chuxing app, citing "serious" violations of laws and regulations on the collection and use of personal information. Following the Didi case, on July 5 the CAC announced cybersecurity reviews of Yunmanman, Trucking Gang (Huochebang), and BOSS Zhipin. All three companies had, like Didi Global, recently listed in the United States.

Why is Didi being reviewed?

The Chinese government's recent actions against these platforms have brought cybersecurity issues back into public view.

The legal basis for the cybersecurity review of Didi lies in the Cybersecurity Law, the State Security Law, the Cybersecurity Review Measures (2020), and the various supporting cybersecurity regulations issued under them. For example, Article 59 of the State Security Law provides that the State shall carry out security reviews of network information technology products and services that affect or may affect state security. Article 35 of the Cybersecurity Law provides that where a critical information infrastructure operator (hereinafter "CIIO") purchases network products or services that may affect national security, the purchase is subject to a cybersecurity review organized by the CAC together with the relevant departments of the State Council. Article 2 of the Cybersecurity Review Measures likewise requires a cybersecurity review when a CIIO purchases network products or services that affect or may affect national security.

Read together, these provisions make the object of cybersecurity review "the purchase of network products and services by a CIIO" that "affects or may affect national security".

As a service provider in China's transportation industry, Didi holds data that may include users' personal information, road traffic data, travel routes, and similar records. Article 31 of the Cybersecurity Law lists important industries such as information services and transport among the sectors whose infrastructure is treated as critical information infrastructure (with the specific scope left to State Council regulations), so Didi falls squarely within the sectors that provision describes.

After the announcement, officials from the CAC, the Ministry of Public Security, the Ministry of State Security, and the Ministry of Natural Resources, together with tax, transport, and antitrust regulators, began an on-site investigation at the company's offices; at the time of writing, deliberations appear to be at a preliminary stage. According to the CAC, Didi has been asked to strictly follow legal requirements and seriously rectify the problems identified in order to protect users' information.

Overview of China’s cybersecurity legislation

The current cybersecurity legal framework

China had no unified cybersecurity law until the current framework was built around the Cybersecurity Law (2017), the Personal Information Protection Law (Draft), and their supporting measures and regulations.

Since it took effect in June 2017, the Cybersecurity Law (2017), as China's first dedicated cybersecurity statute, has set out general requirements for network security, data compliance, and personal information protection. It provides that the State adopts a graded (multi-level) system for cybersecurity protection, under which network operators are required to keep their networks free from interference, damage, and unauthorized access, and to prevent network data from being disclosed, stolen, or tampered with.

Over the past four years, a range of laws, regulations, departmental rules, national standards, and industry standards have been issued on the basis of the Cybersecurity Law (2017), including the Personal Information Protection Law (Draft) and the Data Security Law of the People's Republic of China (2021) (hereinafter "Data Security Law").

The Data Security Law was promulgated in June 2021 and takes effect on September 1, 2021. As the first basic law in the field of data, the Data Security Law (2021) comprises 7 chapters and 55 articles covering general provisions, data security and development, the data security system, data security protection obligations, government data security and openness, legal liability, and supplementary provisions.

The Data Security Law (2021) will have a profound impact on data security practice in China and on foreign organizations that process data originating from China.

In addition, the law establishes several new data protection regimes, summarized below.

A new data classification and hierarchical protection system

The State protects data in categories and grades according to its importance to economic and social development and the harm that its leakage would cause to national security and the public interest.

A critical data risk assessment system

This assessment system will become a regular regulatory mechanism for critical data, meaning that internal risk assessment of critical data is likely to become a standing compliance requirement for enterprises.

A national data security review system

This review system differs substantially from the one established by the Cybersecurity Law (2017). Under the Cybersecurity Law, only CIIOs are subject to review, and the review asks whether a product or service could be influenced by political or other factors in addition to the risk of data leakage. Under the Data Security Law (2021), the subjects of data activities are not restricted to CIIOs, and the objects of data security review include both online and offline data activities.

An export control system for critical data

Under Article 25 of the law, the State exercises export control over data that falls within controlled items and relates to the safeguarding of national security and the fulfillment of international obligations.

Each with its own focus, the Cybersecurity Law (2017), the Data Security Law (2021), and the Personal Information Protection Law (once the draft is enacted) will together serve as the core cybersecurity statutes and jointly form the legal framework protecting data and network security in China.

Cybersecurity review measures (Draft revision for comment)

On July 10, 2021, soon after the Didi review was announced, the CAC published a Notice on Seeking Public Comments on the Cybersecurity Review Measures (Draft Revision for Comment) (hereinafter "Draft Revision").

As noted above, Article 2 of the original Cybersecurity Review Measures limits the object of cybersecurity review to critical information infrastructure operators; the Draft Revision brings "data processors" within the scope of review as well.

The Draft Revision also adds a new Article 6, which requires any operator holding the personal information of more than one million users to apply for a cybersecurity review before listing abroad. This is the clause most directly relevant to the recent reviews of domestic platform companies listed in the United States.

Article 14 of the Draft Revision extends the review period from the original 45 working days to three months, with a further extension possible in complicated cases. This amendment may correspondingly lengthen the preparation schedule for an overseas listing.

How should enterprises respond to the new cybersecurity laws?

With the Data Security Law about to take effect, the Personal Information Protection Law and further rules and regulations on cybersecurity, information security, data security, data compliance, and personal information protection are expected to follow.

These newly announced laws and drafts send a strong and clear message from the Chinese government: as the country's vast and pioneering digital economy develops, cybersecurity will be subject to increasingly detailed legal constraints.

As the relevant provisions are refined, enterprises will face higher data compliance and governance requirements. Enterprises should anticipate how the rules will be enforced in practice and expect real legal consequences for non-compliance.

In response to the new cybersecurity laws, enterprises should raise their awareness of network and information security compliance, assess potential risks in advance, and, where the law requires it, proactively file an application for cybersecurity review in light of their own circumstances.

Enterprises should also carry out regular risk assessments of their exposure to cybersecurity review, their possible status as a CIIO, the security of their cross-border data transfers, and other related matters.

Where an activity affects or may affect China's state security, the enterprise should promptly report to the Cybersecurity Review Office and apply for a cybersecurity review.

About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com. 
