The headquarters of DiDi in Beijing Photo:VCG
China’s cyberspace regulator on Monday put three more internet platforms under scrutiny, three days after it announced a review of cybersecurity into the country’s top ride-hailing platform Didi Chuxing, indicating the country’s resolve to clamp down on data breaches and misuse as part of a broader move to protect the digital economy from unchecked expansion of capital.
The latest efforts, intended to handle national data security risks, add to a flurry of moves since late last year to ensure the healthy growth of China’s sprawling platform economy that’s increasingly regarded as a trendsetter for the global internet sector, industry observers said.
To flesh out the legal framework for various aspects of the digital economy, especially the rise of data sovereignty, as the country moves to align itself with international practices in reining in Big Tech, they called for a rethink of overseas listings by especially bigger internet platform operators whose commercial successes are contingent upon data monetization.
China’s cybersecurity review office said Monday it was conducting reviews in accordance with relevant laws into job recruiting platform Boss Zhipin, and Yunmanman and Huochebang – two truck-booking platforms under the Full Truck Alliance, citing national data security risks.
Platform operators caught in the cybersecurity crosshairs are major Chinese firms that recently launched IPOs in the US market, prompting concerns over whether the country’s data sovereignty remains intact amidst the US’ continued vigilance of Chinese firms.
Kanzhun, the owner of Boss Zhipin, floated on NASDAQ on June 11. Full Truck Alliance, the Chinese service similar to Uber Technologies that connects freight shippers and truck drivers, dubbed “Didi in the truck freight area,” debuted its US IPO on June 22.
Didi, for its part, only began trading on the New York Stock Exchange on June 30.
New user registration on the three platforms would be halted during the review to stop the spread of risks, the office said in an announcement Monday.
On Friday, a review was launched into Didi and its ride-hailing app was slapped with a takedown order on Sunday due to “serious violations of law and regulations” in the collection and use of personal information.
The hypothetical scenario of the US coercing Chinese firms to submit data could happen, experts said, citing the US government’s track record of stopping at nothing to forcing businesses to surrender.
At a regular press briefing in Beijing on Monday, Foreign Minister spokesperson Wang Wenbin said that time and again, it has been demonstrated that it is the US that forces companies to open “back doors” and illegally obtain user data.
“The US is the biggest threat to global cybersecurity,” Wang said in response to Microsoft Vice President Tom Burt’s revelation during a hearing at the US Congress on June 30 that over the past five years, US law enforcement agencies issued 2,400 to 3,500 secrecy orders per annum to the company to gain access to its user data without effective supervision by US courts.
The US takeover of French power and transportation conglomerate Alstom, intertwined in a contentious corruption probe into an Alstom executive, is also proof that Uncle Sam could go to any lengths to attain its goal, analysts said.
The possible intimidation of US-listed Chinese firms regarding data transfers could be one of the biggest risks for the likes of Didi, Dong Shaopeng, a senior research fellow at the Chongyang Institute for Financial Studies at Renmin University of China, told the Global Times on Monday.
If what happened to Microsoft repeats itself in the case of Didi or other Chinese firms, “the US might take advantage of the information and data [it steals] to mount attacks against major Chinese government departments and critical infrastructure, or threaten such attacks to demand concessions from China as regards economic and political interests, thereby undermining China’s development interests,” Dong said.
Tougher regulation, healthier cyber economy
The reviews send a clear signal that data security, a pivotal part of the digital economic prowess, would come under increased scrutiny to contribute to a new normal in China’s cyberspace that prioritizes healthier growth, data privacy and national security. This is especially the case amid lingering woes over a confrontational approach to China’s internet prominence that prevails in the US, analysts said.
“It is not targeting any particular firm, but the imminent need of data protection in case of any loophole, amid the backdrop of the China-US tech race, calls on authorities to take action,” Ma Jihua, a veteran tech analyst, told the Global Times on Monday.
The Chinese regulator’s tightening security on data management, especially for industry giants like Didi, will become the norm, according to Ma.
In a reply to the Global Times on Monday, Full Truck Alliance said it will actively cooperate with any regulatory review and continue to accept the guidance and supervision of regulatory authorities.
In response to the review announcement, Boss Zhipin also pledged to comprehensively troubleshoot and prevent cybersecurity risks. The job-hunting platform said it will continue to improve its cybersecurity awareness and capabilities.
The recent back-to-back instances of cybersecurity reviews are considered part of the country’s broad-based efforts to place its vibrant platform economy in an improved legal framework that will put the country on par with its global peers in regulating internet behemoths.
Both China and the US have realized that large monopolies are standing in the way of the development of small businesses and hampering innovation, Ma said.
A sweeping move was taken against runaway expansion of capital late last year in China, with an array of major internet platforms summoned by regulators for rectification.
Alibaba, which has been at the center of the regulatory toughening whirlwind, was slapped with a record $2.8 billion antitrust fine in April after a more-than-three-month probe determined that the e-commerce giant had abused its market position for years.
Chinese food delivery giant Meituan is also under investigation for suspected monopolistic practices.
The shift toward data security is seen as indicative of the sophistication of China’s regulatory mentality when it comes to the internet sector.
The issue with data security became prominent during the Trump era, which serves as a wake-up call for the EU and China to strengthen their data sovereignty, Ma stressed.
The EU General Data Protection Regulation, one of the strongest legislative attempts across the globe to govern the collection and use of personal data, was enacted in 2016 before taking effect in May 2018.
In a sign of a ramped-up anti-monopoly crackdown, EU competition chief Margrethe Vestager recently warned Apple against the use of privacy and security concerns as an excuse to ward off competition on the App Store.
On the part of China, the Cybersecurity Law took effect on June 1, 2017. The country also unveiled the full text of the Data Security Law in June. The law, which is to take effect in September, will slap hefty penalties for serious violations, including a business suspension, revocation of business licenses and penalties of up to 10 million yuan ($1.55 million).
On top of that, a draft law on personal information protection is being deliberated.
Rethinking overseas listings
The Chinese regulator may want to create a model of Didi’s rectification for other firms whose data are closely related to the real economy and information infrastructure while also aiming at overseas listings, experts told the Global Times.
Data security has been elevated to a national security priority and its role as the cornerstone for these firms and the economy should not be understated as data has become a new battleground in the international race, said Liu Dingding, a Beijing-based independent tech analyst.
Liu believes that given the current situation, more Chinese firms that intend to list in the US should think twice amid the tense environment, and seriously consider plans of a secondary listing in the home market.
“In the listing process in the US, some important data and personal information held by Chinese companies may be revealed due to the US regulation request. In other words, listing in the US could lead to security risks,” Zuo Xiaodong, vice-president of the China Information Security Research Institute, told the Global Times on Monday.
“As long as a product and service may pose a risk to national security, it may be subject to review. It will be treated equally whether the provider is domestic or foreign,” Zuo noted, citing the cybersecurity review measures.
In April 2020, 12 Chinese government agencies led by the Cyberspace Administration of China (CAC) jointly unveiled the cybersecurity review measures, effective June 1, 2020.
Any of the 12 agencies that suspects a risk to national security can initiate a cybersecurity review, according to Zuo.
As for possible review consequences, experts said it is not likely to be a big issue, as claimed by rumors on Chinese internet that these firms are “spying.”
“Didi or other firms might face administrative penalties if their use of data has compromised privacy or posed risks to national security,” said Ma, adding that the national body might also enter these private firms to help with the makeover.
Didi on Saturday denied rumors it handed over Chinese users’ data to the US after the US listing.
“Like many other Chinese firms listed overseas, all of Didi’s domestic user data is stored in domestic servers and there is no chance of giving them to the US,” said Didi Vice President Li Min, the Global Times has confirmed.