China’s powerful state espionage agency and six other government agencies have taken the unusual step of stationing investigators in Didi Chuxing’s offices to conduct a security investigation into the ride-hailing group.
The review, which plunged Didi’s stock price when it was first announced following the company’s $4.4 billion IPO earlier this month, marks the first time the secretive State Security Department has publicly announced that it will temporary staff in a company.
China’s Cyberspace Administration, the regulator responsible for coordinating Didi’s cybersecurity assessment, said on Friday that the investigation would also involve the police, the tax authorities, the market competition regulator, as well as the industry’s regulators. for natural resources and transportation.
“Announcing which agencies are involved is a warning to other companies not to tamper with national security, but it is also an attempt by Beijing to make the assessment process more transparent,” said Feng Chucheng, technical analyst at consultancy Plenum. . ah.
The magnitude of the investigation into Didi, which the CAC announced two weeks ago, is likely to further fear investors in Chinese technology stocks and dampen appetites for the country’s offshore IPOs.
The CAC followed up on the security investigation into Didi with a series of punitive measures that saw the share price drop 20 percent in the week following the IPO. The agency also proposed new rules that prohibit companies with more than 1 million users from advertising abroad until they receive official approval after undergoing a security review.
The CAC did not provide details of its concerns, referring only to data security and national security risks. Before the IPO, the CAC had asked Didi to correct the display of map labels, fearing they would inadvertently reveal sensitive locations, such as military bases, people familiar with the matter said.
But there is no evidence yet that sensitive data has been leaked. Didi’s Vice President Li Min has responded to social media speculation, saying it is “absolutely impossible” that the company could have provided data to the US.
Didi’s research is also Beijing’s first public agency to use its new cybersecurity assessment mechanism. The procedure was just over a year old and was intended to assess supply chain security rather than data security.
The unprecedented nature of the Didi case and the lack of details about what a review entailed had taken the company into uncharted territory, legal experts said.
“It is extremely unusual. There will be all-round compliance risks,” said Xu Ke, head of the Internet Law Institute at the University of International Business and Economics in Beijing.
The number of agencies involved also increased the risk of disagreements and a lengthy review process, with Didi being banned from signing up new users.
Pursuant to the regulations for cyber security review, a preliminary review must be completed within 60 working days, or three months. If the different bodies do not agree on their conclusions, a special assessment must be initiated, which may take an additional 45 working days or more.
“All major regulators are in place, meaning this inspection will be comprehensive first and not too short,” said James Gong, attorney at Herbert Smith Freehills.
Kendra Schaefer, a technical analyst with Beijing-based consultancy Trivium, said: “It’s been made pretty clear in the regulatory documents that there are coordination issues and there are a lot of chefs in the kitchen.”
Schaefer added: “The Ministry of State Security is a new turn. If you take a broad definition of what national security is, this is what happens.”
Additional reporting by Nian Liu in Beijing