Pity the poor punters who took a bath on the initial public offering of Didi Chuxing, the Chinese ride-hailing service, on the New York Stock Exchange. There is feverish speculation about why Chinese authorities acted as they did, but the most convincing explanation is that those investors were the proverbial chickens that had to be killed to scare some ambitious digital monkeys in China.
Beijing’s chief concern is data, and that Didi, with its 600 million customers, has a mouth-watering database. Didi hopes to mine that information for business payoffs; China fears that others could mine it for equally profitable, and damaging to national security, consequences.
This is no one-off event. This episode is emblematic of the ways that governments, executives and investors must think about business opportunities in the digital economy and a warning about the need for ever more intense preparations by companies and individuals to navigate this new business landscape.
Didi Chuxing is a ride-hailing app, a Chinese version of Uber, and provides an estimated 20 million rides a day. It debuted on the NYSE at the beginning of July. Reportedly, hours before the IPO, China’s Cybersecurity Authority (CAC) informed the company that there were problems with its data policies, and therefore it had to suspend accepting new subscribers.
The ban was later extended to another 25-Didi related apps and the company was subsequently ordered to pull its app from stores. The news only became public after the stock opened and shares dropped 20% on the first day of trading thereafter.
Speculation was rife about the Chinese government’s motives. One explanation was that those authorities were again trying to clip the wings of high-flying tech entrepreneurs, as in the case with Jack Ma and the Ant Financial IPO that was squelched last year.
This argument has assumed more weight after reports that regulators also blocked a merger involving Tencent, the company that operates the messaging service WeChat, and one of China’s largest online payment providers, which would have created a dominant video game streaming operator. The powers that be in China are increasingly attentive to the concentration of power by tech giants and want to make sure that those companies know their place in the country’s political landscape.
A second hypothesis is that Beijing watched Chinese companies raise more than $12 billion in IPOs during the first half of 2021 and would prefer to see that action in Chinese markets — either in Hong Kong or Shanghai. For Chinese authorities, the IPO money and associated payments, the status and boost to financial markets and regulators rightly belongs to China.
For them, Chinese companies should be building the international reputation of Chinese stock markets, not reinforcing those of the United States. If American investors got a haircut, so much the better. And Chinese markets have Chinese regulators, reinforcing local control over those companies.
The real issue is more basic, however: It’s national security. Like all such services, Didi collects vast amounts of user location and trip route data for legitimate business purposes, like safety or customer analytics. Didi’s cars also have cameras to monitor road conditions (as well as keep an eye on what is happening in the vehicle during the ride). The Chinese government rightly fears that such information could be mined to identify places or individuals that it prefers to be kept secret.
The U.S. acts similarly. A few years ago, the U.S. government forced a Chinese company to divest itself of Grindr, a gay dating app that it had acquired, arguing that the data it contained could be used to blackmail users (reasoning that they might be vulnerable if their sexuality was not generally known).
Several years ago, another Chinese company was blocked from acquiring the Starwood hotel chain, although there were many reasons for the failure of that deal. One U.S. concern was the hotel’s membership program and the insight it might provide into government employees and their travel.
In both cases, the U.S. government had the statutory authority to act, under the Committee for Foreign Investment in the United States (CFIUS). In China, authority has been less clear. Since June 2020, CAC could order a review of national security risks associated with “network products and services purchased by key information infrastructure operators,” but no investigation had been launched until the Didi case.
Other regulatory actions were initiated in recent months, but they were for collecting users’ personal information and illegally accessing it, not national security. Reportedly, CAC wanted to delay the Didi listing until after the review, but had no power to do so.
That refusal to bend to CAC’s preferences may have made the situation worse. It made the Chinese government look weak and embarrassed officials who had been involved in decision-making or investigations. To justify its crackdown, CAC said Didi’s app “has serious violations of laws and regulations pertaining to the collection of personal information,” but it hasn’t publicly specified just what the company did wrong. Didi officials strenuously denied that they gave any information to U.S. authorities and insist that all data is stored on Chinese computers in China.
Expect the Didi scrub to become the new normal. CAC last week announced that Chinese companies that have data on more than 1 million users will need to pass a security review before issuing shares on overseas stock exchanges. One expert notes that 1 million is a very low threshold, including virtually any company with hopes to go public.
In September, the Data Security Law goes into effect. It will require companies with “critical data” to conduct risk assessments and submit reports to authorities, and mandates annual reviews of entities with data affecting China’s national security.
This will have profound implications for multinational companies doing business in China and virtually any company with ambitions in the digital era, since many of those dreams float above beds of data. First, we have to recognize that the bits and bytes that are so enticing to digital entrepreneurs are just as threatening to national security-minded folks. Any database of any size would seem to have national security implications; if you can’t see them, either you’re not creative enough or you’re not paranoid enough.
A second key realization is that the idea of an unbounded internet that unites all users and offers limitless potential may be inspiring but it’s quaint and naive. The internet is increasingly segmented, with regulations and restrictions in cyberspace that correspond to the physical borders of the map. It has not been Balkanized, but it is by no means a single shared space. The borders are becoming more solid and less permeable daily, and navigating them will be increasingly difficult and demanding. We may be connected, but we won’t necessarily be able to reach out and touch .
Brad Glosserman is deputy director of and visiting professor at the Center for Rule Making Strategies at Tama University as well as senior adviser (nonresident) at Pacific Forum. He is the author of “Peak Japan: The End of Great Ambitions” (Georgetown University Press, 2019).
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.