China launches cybersecurity review into more US-listed firms following action against Didi Chuxing

China’s powerful internet watchdog launched new cybersecurity reviews of three more online services on Monday, including newly-listed truck-hailing service providers and an online recruitment app, hours after an action against ride-hailing giant Didi Chuxing.

The Cyberspace Administration of China (CAC) said it is targeting apps Yunmanman and Huochebang, dubbed China’s “Uber for trucks”, and an online recruiting platform known as Boss Zhipin, to prevent data security risks and to protect national security.

Full Truck Alliance, the result of a merger between Yunmanman and Huochebang in 2017, raised US$1.6 billion on the New York Stock Exchange last month. Beijing-based Kanzhun, the company behind Boss Zhipin, also went public in June, raising US$912 million. Didi Chuxing collected US$4.44 billion in its blockbuster offering last week.

Using wording similar to that of its Didi probe, the administrator ordered the three apps to stop registering new users. It cited the National Security Law, the Cybersecurity Law and the Measures for Cybersecurity Review as justification for the action, but did not mention any specific clauses that the three apps had supposedly violated.

Existing users of apps can still use the services. Unlike Didi, the apps are also still available in Chinese app stores. On Sunday, the CAC ordered app stores to remove Didi, but it did not explicitly connect the move to the cybersecurity review.

Boss Zhipin and Full Truck Alliance said they will actively cooperate with the review and assess their cybersecurity risks.

Full Truck Alliance is one of China’s biggest trucking companies. In 2020, about 20 per cent of China’s heavy- and medium-duty truckers fulfilled shipping orders using the company’s platforms, according to its prospectus, citing data from China Insights Consultancy. It also said 2.8 million truckers fulfilled 71.7 million orders on its platforms last year.

Boss Zhipin also looms large in its industry. It had 24.9 million monthly active users in the first three months of the year, according to the company’s prospectus. Its 85.8 million verified jobseekers and 13 million verified enterprise users include executives from big companies, small business owners and recruiting professionals, according to the document.

A driver of Chinese ride-hailing service Didi drives with a phone showing a navigation map on Didi’s app in Beijing on July 5. Experts say Chinese authorities could be concerned about the exposure risks of sensitive data collected by Didi and similar services

Experts said the public listings for all three companies under review may have raised red flags in Beijing. Possible national security concerns could centre around the vast troves of data the companies hold, which include user location data and road conditions, among other sensitive data.

The Global Times, a state-owned tabloid newspaper under Communist Party mouthpiece People’s Daily, said in an editorial that Beijing cannot allow a company like Didi, with its two biggest shareholders based overseas, to hold so much data.

“China can’t allow an internet giant to run a super database that contains more personal data of Chinese people than the state has, nor can China allow [internet firms] to use such data freely,” the editorial reads.
Tokyo-based SoftBank Group is Didi’s largest shareholder, with 20.1 per cent of the company after the IPO, according to Didi’s prospectus. San Francisco-based Uber Technologies still holds 11.9 per cent of the company, down nearly 7 percentage points since Didi bought out its rival’s China operations. Didi executives and directors control 57.1 per cent of the voting power.

Under China’s cybersecurity review regulation, which went into effect in June 2020, an investigation can be launched when authorities think an internet product or service could “affect national security”.

“Data security could be a life-or-death issue for companies, but these companies underestimated the importance of data security and cybersecurity compliance, and still hold the traditional idea that fundraising comes first,” said He Yuan, executive director of Shanghai Jiao Tong University’s Data Law Research Centre. “It’s important to maintain adequate communication with regulators, which they clearly haven’t done enough of.”

At the heart of the issue, according to He, is “data sovereignty”. The Chinese government wants to ensure the data of domestic companies is controllable and not subject to the “long-arm jurisdiction” of other countries, He said, adding that the government wants the final say on data related to national security.
It is also possible that regulators now regard service providers like Didi, Full Truck Alliance and Boss Zhipin as “critical information infrastructure operators”, making them subject to cybersecurity reviews, experts said.

Under the regulation, the purchase of certain goods or services could trigger a review if it is found to put “critical information infrastructure” at risk of being misused or destroyed, result in important data being exposed, or lead to supply interruptions involving “political, diplomatic and trade factors”.

A review generally takes up to 45 working days to complete, but that period can be extended and does not include the time that a target company spends preparing documents for the investigation.

Author: Xinmei Shen, South China Morning Post