Ride-hailing giant Didi slapped with Chinese cybersecurity review days after IPO
Shortly after Chinese ride-hailing app Didi launched its IPO on the NYSE, the Chinese authorities announced that the company would be subjected to a cybersecurity review. Didi had earlier kept a low profile, knowing its listing was a risky move. But few expected the company to take its first hit from China and not the US. Could this be China's way of discouraging homegrown firms from passing their profits to foreign investors? Yu Zeyuan reports.
Two days after China's ride-hailing giant Didi Chuxing Technology Co. made its debut on the New York Stock Exchange (NYSE), it came under a cybersecurity review in China, inviting much speculation.
Didi held its IPO on the NYSE on 30 June. Unlike Alibaba's high-profile US IPO, Didi's affair was a low-key one. There was no bell ringing or fanfare.
Perhaps Didi learnt from Ant Group's botched IPO last year. Then, Jack Ma adopted too high a profile, openly attacking financial regulators just before the company's dual listing on the Shanghai and Hong Kong stock exchanges. As a result, the IPO was scuttled and Ma's reputation took a big hit. Didi founder Cheng Wei is known to be humble and must have learnt from Ant Group's mistakes. Also, because Didi has been receiving negative press in the last two years, its executives and shareholders hoped that the IPO would not draw much attention outside the capital market.
Didi comes under cybersecurity probe
Alas, the inevitable happened. On 2 July, a statement by the Cyberspace Administration of China (CAC) said that in line with the country's national security and cybersecurity laws, the Cyberspace Security Review Office would be conducting a cybersecurity review on Didi Chuxing based on the Measures for Cybersecurity Review. This was to prevent risks relating to national data security, to ensure national security, and to protect the public interest. To get their full cooperation and to contain the risk, the authorities also stipulated that Didi would not be able to register new users during the review period.
Chinese officials made the announcement on 2 July in an apparent bid to avoid getting in the way of the Chinese Communist Party's 100th anniversary a day earlier. But from their actions, it is clear that they believe Didi does pose a cybersecurity risk. (NB: On the heels of Didi's review, the CAC has announced further cybersecurity reviews of other US-listed Chinese giants, namely online recruiter Zhipin.com and truck-hailing apps Huochebang and Yunmanman.)
Didi gave a low-key response to the Chinese authorities' move, pledging to fully cooperate with the probe. It would also initiate a comprehensive risk assessment and improve the company's cybersecurity and technology capacities.
'Absolutely not possible' for data to have been passed to the US
"Didi's cybersecurity review" became one of the hottest searches in China. No matter how low a profile Didi keeps, it cannot stop the surge of public opinion.
Some netizens speculated that Didi was targeted after it handed over China's map data to the US in exchange for being listed on the NYSE.
As public opinion raged on, Didi vice president Li Min wrote on his personal WeChat and Weibo on 3 July that he was aware of the malicious rumours being spread about Didi passing data to the US. He clarified, "Like many other Chinese firms listed overseas, all of Didi's domestic user data are stored in domestic servers and it is absolutely not possible to pass them to the US." While the rumour-mongers have voluntarily deleted the posts, he said that the company would still sue them to protect Didi's rights and interests.
However, Li's refutation did not have much of an effect. Some netizens said a personal statement by a vice president was not much of a clarification, and Didi should have refuted the rumours as a company. User @CHINAD8 (@帝吧官微) posted on Weibo that the statement played on words: it said user data was not shared, but in fact the biggest threat to national security is location data being leaked. Now that the state is investigating, it is best to wait for the results.
Some netizens also spoke up for Didi. User @tandiankanfa (@谈典看法) wrote: "Many China companies are listed in the US, and when it comes to location data, Didi is obviously not a match for other companies that specialise in navigation. Spreading malicious rumours might be defamatory as reputation and business interests are at stake."
But news of the probe has led to major losses for Didi. When the market opened on 2 July (US Eastern Standard Time), Didi's share price plunged, at one point by more than 10%, and the company lost 50 billion RMB in market value (about S$10 billion).
Under the regulations, cybersecurity investigations are to be completed within 45 working days, with an extension of 15 working days for more complicated cases. It is easy to imagine that Didi's share price would continue to be affected before the conclusion of the investigation.
Tense US-China relations backdrop to the furore
Some would question why Didi was not given prior warning before the listing in the US, and why no prior communication was sought by Didi to reassure the Chinese authorities.
There are no clear answers to these questions. The broader climate is certainly unhelpful, with China-US relations at a low and no prospect of improvement in the near future. The US has ramped up checks and restrictions on US-listed Chinese companies, some of which have chosen to return to China or get listed in Hong Kong. For Didi to get listed in New York was risky to begin with. However, most would have thought that the company would encounter problems from the US, and not China.
It is not yet known what problems will be found with Didi, but the investigation is unlikely to threaten Didi's survival. As of end March 2021, Didi had 377 million annual active users and 13 million annual active drivers in China, making a major contribution to employment and social stability.
The assertion that Didi submitted user data as a "proof of allegiance" to the US is quite improbable. The cybersecurity measures rolled out in China last June require that companies like Didi conduct internal checks and communicate with the regulatory authorities regularly.
Didi's troubles may suggest that China no longer encourages companies to seek listings in the US as it is tantamount to allowing foreign investors to reap profits earned in China. Instead, it wants Chinese companies to favour markets in China or Hong Kong, so as to open up more investment channels for large amounts of indigenous capital.