In what appears to be an increasingly common show of might, Chinese government regulators have again clamped down domestically on a high-profile, publicly-traded company, despite its prominent name recognition and deep roster of foreign investors.
The weekend move by the Cyberspace Administration of China that ordered local app-store operators to remove the rideshare giant DiDi Global from their platforms was alarming not only for its timing — coming just three days after DiDi’s highly sought $4 billion initial public offering on the New York Stock Exchange — but also for its reminiscence to a similar takedown of billionaire investor Jack Ma’s Ant Group last fall.
No sooner had the DiDi news rocked the world and sparked a wave of speculation and concern, additional reports surfaced suggesting that China’s internet watchdog’s clampdown was not just a two-off but had just spread to at least two other U.S.-listed companies as well.
So far, Beijing-based regulators have offered little in the form of an explanation, leaving the media and global investment community to temporarily fill in the blanks as to the broader meaning and implications that the cybersecurity review of these companies will carry and how far the crackdown might potentially spread.
What is known is that after an active winter and spring surge of IPOs into record-high U.S. markets, there are now close to 250 different Chinese companies trading on U.S. exchanges, ranging from the well-known (Alibaba, China Life, Tencent, Baidu) to the unknown (Dragon Victory and Antelope Enterprises).
Given that Didi’s shares are worth $75 billion, and Ma’s Ant Group reported to be perhaps three or four times greater than that, Beijing’s regulators have shown no fear or reluctance to take on big names with deep pockets.
In fact, it could be argued that the Chinese data security enforcers actually seek out high-profile targets that they can prostrate in front of the world. Confounding the latest crack-down is the paradoxical fact that the Chinese government is an equally fervent promoter of its homegrown companies and growing list of billionaires, who it likes to see taking their rightful place on the world stage.
Although this trend is still developing, as it stands now, DiDi’s 500 million or so current users can continue to use the app to order rides and other services so long as they had already download it by Sunday (July 4).
The move by the Cyberspace Administration is dramatic but not entirely unexpected. In the weeks before DiDi pushed public on a U.S. exchange, China’s cybersecurity watchdog suggested the ride-hailing firm delay its initial public offering to allow it to conduct a thorough self-examination of its network security. DiDi declined, determining that waiting for its public push would be a problem, and in the absence of a formal request, pushed went ahead with its public listing.
Protecting The Data
Whereas the Ant Financial IPO was clipped just days before its IPO at the behest of China’s President Xi Jinping personally intervening to block the planned blockbuster list event, this time, the CAC let the DiDi IPO go through before delivering its jolt.
“This is deeply unfair to investors,” Brock Silvers, chief investment officer at Hong Kong-based private equity firm Kaiyuan Capital told Bloomberg. “And as a crucial matter of market integrity, China’s regulators should cease allowing companies to list while under investigation.”
Unfair to investors, but the result of a recent focus on data security, particularly over the last year, and a growing willingness in Beijing to regulate strictly even if those rules come at the cost of luring foreign investors.
The specific issue in DiDi’s case, according to reports, is that official concern that the servers on which DiDi stores its vast troves of user data (which are all housed within China’s national borders) could have been produced abroad and thus pre-built with software that could potentially be extracting sensitive user information. DiDi, as a transportation firm, is classified as “critical infrastructure,” which further increases national security concerns associated with it.
The regulator’s cybersecurity review centers on where DiDi purchased the products and services used for its network and what security risks its procurements of supplies might open them up to. And while investors have certainly balked at the CAC’s aggressive behavior in the last few days, some analysts think cybersecurity officials aren’t wrong to be pushing forward so hard.
“In my view it would be totally within the bounds of the cybersecurity reviews to look at server suppliers,” Graham Webster, who leads the DigiChina project at the Stanford University’s Cyber Policy Center, told The Wall Street Journal. “If any servers were procured and Didi didn’t file for review, they would seem to be in breach or have another reading of the rules.”
What Happens Now
DiDi, it seems, is working hard to conform to regulator standards, noting via a public statement that it had removed its app from various app stores and begun the “corrections” that regulators have ordered.
But even if DiDi and Chinese regulators can find a way to strike a deal that works for both sides, it seems challenges for tech firms like DiDi looking to work at a global scale and listing in foreign markets may be just starting. Firms with vast troves of data, deep coffers and reach across all aspects of Chinese life have come to look increasingly like a national security concern for China’s leaders.
A risk they are willing to attempt to legislatively control. Last May, Chinese officials passed a data-security law that will give the state more power to get private-sector firms to share data with authorities but restricts them from sending information overseas. The law takes effect on Sept. 1.