China’s powerful state spy agency and six other government departments have taken the unusual step of stationing investigators in the offices of Didi Chuxing to conduct a security probe of the ride-hailing group.
The review, which sent Didi’s share price plunging when it was first announced after the company’s $4.4bn US initial public offering earlier this month, marks the first time the secretive Ministry of State Security has publicly announced it will temporarily base staff inside a company.
The Cyberspace Administration of China, the regulator in charge of co-ordinating the cyber security review on Didi, said on Friday the probe would also involve the police, tax authorities, the market competition regulator, as well as industry regulators for natural resources and transport.
“The announcement of which agencies are involved is a warning shot to other companies that you don’t mess with national security but it’s also an attempt by Beijing to make the review process more transparent,” said Feng Chucheng, tech analyst at consultancy Plenum.ai.
The scale of the investigation into Didi, which the CAC announced two weeks ago, is likely to further frighten investors in Chinese tech stocks and dampen appetite for the country’s offshore IPOs.
The CAC followed up the security review into Didi with a raft of punitive measures that sent its share price down 20 per cent over the week following its IPO. The agency also proposed new rules banning companies with more than 1m users from listing abroad until they had received official permission after undergoing a security review.
The CAC did not give details of its concerns, referring only to data security and national security risks. Before the IPO, the CAC had asked Didi to rectify its display of mapping labels, fearing they could inadvertently reveal sensitive locations, such as military bases, people familiar with the matter said.
But there is no evidence yet that sensitive data have been leaked. Didi’s vice-president Li Min has responded to speculation on social media saying it is “absolutely not possible” the company could have given data to the US.
Didi’s investigation is also the first public instance of Beijing using its new cyber security review mechanism. Just over a year old, the procedure was designed to assess supply-chain security rather than data security.
The unprecedented nature of the Didi case and the lack of detail over what a review involved had put the company in uncharted territory, legal experts said.
“It’s extremely unusual. There will be all-round compliance risks,” said Xu Ke, head of the internet law institute at the University of International Business and Economics in Beijing.
The number of agencies involved also raised the risk of disagreements and a prolonged review process, during which Didi was banned from signing up new users.
Under the cyber security review regulations, a preliminary review must be concluded within 60 working days, or three months. If the different agencies disagree on their conclusions, a special review should be launched, which can last another 45 business days or more.
“All the main regulators are there, which means that firstly, this inspection will be comprehensive, and secondly, it will not be too short,” said James Gong, lawyer at Herbert Smith Freehills.
Kendra Schaefer, tech analyst at Beijing-based consultancy Trivium, said: “It’s been made quite clear in the regulatory documents that there are questions of co-ordination and a lot of cooks in the kitchen.”
Schaefer added: “The Ministry of State Security is a new twist. When you take a broad-based definition of what national security is, this is what happens.”
Additional reporting by Nian Liu in Beijing