Commentary: Didi’s troubles with China should be everyone’s business
China’s clampdown on Didi reflects regulators’ brewing concerns over cross-border data flows, with implications for digital trade, say Qian Jiwei and Deng Liuchun.
SINGAPORE: It was a hard-won victory when China’s major ride-hailing platform Didi Chuxing raised US$4.4 billion via the initial public offering (IPO) on the New York Stock Exchange in June.
The tech titan had spent close to a decade fending off Uber and merging with local competitor Kuaidi Dache to keep investors happy and the cash flowing into a billion-dollar losing business. But in the first quarter of 2021, Didi’s balance sheets turned green, the first time since 2018.
The iron was hot, it was time to strike. After all, the Chinese economy was rebounding with COVID-19 receding, and US stock markets were hungry. Didi had already filed with the US Securities Exchange Commission last year, waiting for the right moment to list.
Jun 30 was a day for the history books: Didi’s listing was the largest US IPO by a Chinese firm since Alibaba’s 2014 debut. It earned a valuation of US$68 billion.
But it all went to pieces from there. Two days later, China’s cybersecurity watchdog, the Cyberspace Administration of China (CAC), launched a review involving Didi and ordered new user registrations to be suspended. On Jul 4, CAC directed the removal of Didi's apps from app stores.
A week later, on Jul 16, seven Chinese regulatory agencies, including CAC, the Ministry of Public Security, the Ministry of State Security, the Ministry of Natural Resources, the Ministry of Transport, the State Taxation Administration, and the State Administration for Market Regulation dispatched officials to carry out an on-site cybersecurity sweep at Didi.
DIGITAL PLATFORMS AND PRIVACY CONCERNS: A DILEMMA FOR REGULATORS
Digital platforms like Didi pose an awkward conundrum for Chinese regulators. While consumers and businesses have made the massive digital leap in a span of a few years, and China has played host to a wide array of leading digital platforms and unicorns, personal data protection rules are still in their infancy.
The law is playing catch-up to some extent. China’s latest effort to create an overarching digital economy framework codifying legal responsibilities took the form of China’s first Civil Code, which came into force in January.
While framed as a legislative effort towards protecting people’s civil rights, the Civil Code emphasises information security obligations.
An entire chapter on privacy and personal data protection outlines guiding principles for how government agencies, network operators, and enterprises should manage personal information, including personal emails, travel history, and biometric information, as well as civil liabilities for offences.
More rules will come. In passing the law, the National People’s Congress outlined plans to enact a Data Security Law and a Personal Information Protection Law (PIPL).
The first, delineating rules on consent for sharing of personal data, will come into effect in September, while the second will be discussed by the Standing Committee of the National People’s Congress in October.
A first local-level regulation on personal data protection, Shenzhen Special Economic Zone Data Regulation, which empowers individuals to opt out of data collection by digital platforms, will also be enacted from January 2022.
As Chinese authorities crystallise new curbs on personal information, was Didi’s size its Achilles heel? Was it an example to be made? After all, as the leading company in the ride-hailing business, Didi served 377 million annual active users, 13 million drivers, with over 25 million daily transactions in China.
We won’t know, but the episode has forced others to sit up. ByteDance has since quietly shelved IPO aspirations.
The worry Chinese regulators may have is that digital platform companies like Didi collect an unprecedented amount of data – real names, detailed whereabouts, personal background, facial recognition, and travel patterns – generated by a large volume of transactions.
While this treasure trove of data allows Didi to perform big-data analytics, enhance operational efficiency, reduce costs and manage risks, it also raises privacy concerns.
Western nations understand this struggle and have formulated their own models to deal with this conundrum. The EU rolled out the General Data Protection Regulation (GDPR) in 2018, requiring digital platforms to obtain active consent when using or sharing user data.
While the US doesn’t have a single principal data protection law, the best example is the California Consumer Privacy Act, signed into law in 2018, which allows consumers to ask firms to delete and refrain from selling their personal data.
However, because this tightened protection imposes sizeable compliance costs on firms and hurts small and new businesses more than Big Tech giants, it has unintentionally bred an even more concentrated digital market.
CROSS-BORDER DATA FLOWS: CHINA’S MAIN CONCERN
The crackdown on Didi also underscores China’s growing sensitivities towards data security as a key area of national vulnerability.
Authorities released a draft amendment to new cybersecurity rules in early July requiring Chinese companies which handle personal data of more than 1 million users to undergo a cybersecurity review before seeking IPO outside China.
The draft also explicitly stated a risk associated with a foreign IPO for which “critical information infrastructure,” “important data,” or “a large amount of personal information” could be “influenced, controlled, and abused” by foreign governments.
The law also outlines a solution: Cross-border data transfer would be subject to a cybersecurity review by regulators who can reject requests with high risks.
Didi understands what the rules of the game are. Vice President Li Mi had posted on Weibo that Didi stored all Chinese user data in servers in China, in a veiled reference to the Cybersecurity Law which mandates that “important data” be stored within China. But it appears words didn’t suffice.
There is little nefarious happening here when cross-border data flows are a key concern area for other jurisdictions, albeit with different approaches emerging.
The EU’s GDPR allows the free flow of personal data only if a country has an “adequate level of protection”, with the European Commission recognising Israel, Japan, and Switzerland, among others, as qualifying countries. Personal data between the US and the EU can be transferred only by certified organisations under the EU–US Privacy Shield.
IMPLICATIONS FOR CROSS-BORDER DATA REGULATIONS
China’s data regulatory framework is still in the making. But how Didi’s tussle with Chinese regulators unfolds is a useful case that can demonstrate how regulations regarding cross-border data flows are enforced.
No doubt that can have implications for foreign investors. Wall Street has chilled to the idea of investing in Chinese companies.
But an even bigger question looms beyond that of short-term financial losses. Against this backdrop of massive digital transformation triggered by the COVID-19 pandemic, the emergence of different data regulatory regimes will shape the evolving structure of cross-border data flows.
Countries might adopt different approaches depending on their strategic considerations.
Blocs with a single data market allowing free cross-border data flows may emerge. This poses interesting policy questions for emerging digital hubs like Singapore, which will have to manoeuvre through different regulatory regimes.
Moreover, with the rise of digital trade, data regulation has become increasingly prominent in regional free trade agreements, featuring in the United States-Mexico-Canada Agreement and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which requires member states not to restrict cross-border data flows.
Others, like the Regional Comprehensive Economic Partnership (RCEP), allow member states to impose national regulations on cross-border data flows.
An ideal solution is for countries to agree on global rules on cross-border transfer that support the growth of digital trade and minimise regulatory compliance costs for firms. Currently, a group of 86 countries are negotiating e-commerce rules on cross-border transfer and data localisation under the umbrella of the World Trade Organization.
But such an agreement remains elusive, given the policy variations across countries. Tech companies like Didi will have to expend resources riding the choppy regulatory waves and abide by the rules of different regimes.
As many Southeast Asian countries are members of both the CPTPP and RCEP, major tech companies in the region will have to figure out how to respond to the requirements of different data regimes so that growth is not stifled.
The explosive technology-driven growth has been a life-saver for economies that would have collapsed otherwise in these pandemic times. Whether this current boom in the region can sustain its pathway in the long run will hinge on a healthy interaction between the tech firms and policymakers.
At a time when people are talking optimistically about a post-pandemic recovery fuelled by the digital economy, Didi’s troubles with China should be everyone’s business.
Qian Jiwei is Senior Research Fellow at the East Asian Institute, National University of Singapore. Deng Liuchun is Assistant Professor of Social Sciences (Economics) at Yale-NUS College.
The views and opinions expressed herein are those of the authors and do not represent the views and opinions of their institutions or any of their subsidiaries or affiliates.