China uses Didi as data law test dummy

HONG KONG, July 6 (Reuters Breakingviews) – Investors are watching anxiously as China tests out new data laws on Didi Global (DIDI.N). The $75 billion ride-hailing group’s information trove and foreign backers mean it’s a good candidate to make an example of.

The Cyberspace Administration of China used to be focused mostly on stamping out online indecency. In recent years, though, the agency has seized the leading role in President Xi Jinping’s cybersecurity campaign. Last year, it unveiled plans to target operators of “critical information infrastructure” – a loosely defined term that encompasses companies in communications, finance, transportation, health and more. This year, it has followed through, to investors’ pain.

Just days after Didi raised $4.4 billion in New York, the regulator announced it was investigating the ride-hailing company and told it to suspend new user registrations. That was followed by a harsh order to remove Didi from domestic app stores for illegally collecting personal data, alongside separate investigations into two other U.S.-listed Chinese firms.

Didi is probably the primary target. As of March, the company boasted 377 million annual active users and 13 million drivers at home, feeding the app a constant stream of personal information including locations and spending, plus traffic data. Didi’s listing prospectus even boasts the company on a daily basis processes “60 to 80 billion routing requests with over 4 million requests per second at peak capacity”. A data leak or network malfunction by Didi might plausibly affect the public interest or security. That the company, which also dabbles in autonomous driving, is backed by Uber (UBER.N) in the United States and Japan’s SoftBank (9984.T) is another source of concern for wary officials.

For technology peers, legal uncertainty is rising. Terms like “national core data”, for example, adopted in the recently passed Data Security Law, are defined so broadly as to encompass anything. Beijing is just getting started, too; a personal information protection law and autonomous driving legislation are in the pipeline. Alibaba’s e-commerce data might be more tightly controlled; even food delivery app Meituan’s (3690.HK) information on Chinese dining habits might be targeted next. Investors will watch carefully how Beijing treats Didi, but if the next round of rules don’t add clarity, a swathe of Chinese industries may struggle to find capital.

Follow @mak_robyn on Twitter

CONTEXT NEWS

– The Cyberspace Administration of China suggested ride-hailing company Didi Global delay its initial public offering and urged it to review its network security, the Wall Street Journal reported on July 5, citing people familiar with the matter.

– The CAC on July 4 ordered app stores in China to remove Didi’s app, saying it had illegally collected users’ data. This follows the CAC’s announcement of an investigation into Didi to protect “national security and the public interest” on July 2.

– “Prior to the IPO, Didi had no knowledge of the CAC’s decisions, announced on July 2 and July 4, 2021, with respect to the cybersecurity review and suspension of new user registrations in China, and the removal of the Didi Chuxing app from the app stores in China, respectively,” Didi said in a statement sent to Reuters.

– Didi’s New York shares closed down 5.3% to $15.53 on July 2. The shares did not trade on Monday due to a U.S. holiday.

– For previous columns by the author, Reuters customers can click on

Editing by Pete Sweeney and Katrina Hamlin