On July 17, Prof. Lu Chuanying was interviewed by SCMP on cybersecurity review. The report is as follows.

A task force of seven ministries, including the Cyberspace Administration of China (CAC), the public security ministry and the national security ministry, entered Didi Chuxing’s offices yesterday to conduct the country’s first cybersecurity review.

The CAC said in a statement that it teamed up with the Ministry of Public Security and the Ministry of National Security to start an on-site cybersecurity inspection of Didi, two weeks after the country’s internet regulator announced a review into the ride hailing giant and stopped it from registering new users in response to Didi’s decision to make an initial public offering (IPO) in New York without full consent from Beijing.

The other departments involved in the on-site inspection include the State Administration for Market Regulation (SAMR), the Ministry of Natural Resources,the Ministry of Transport, and the State Administration of Taxation. Among them, the natural resources ministry, the transport ministry and taxation bureau are not among the 12 government agencies directly backing the cybersecurity review office.

It is not known how long the investigation will take. Didi did not immediately respond to a request for comment yesterday. 

Wang Sixin, a professor from the Communication University of China, said as this was the first time the cybersecurity review office, which was created last year within CAC, had conducted a review, many questions remained unanswered.

“There are huge unknowns about how [Beijing] will deal with Didi,” Wang said. He added that the line-up of ministries in the probe had revealed some information. For instance, the involvement of SAMR meant there might be antitrust probes into Didi while the presence of the natural resources ministry showed Beijing’s concern about mapping information security. 

Liu Dian, an associateresearcher at the Chongyang Institute for Financial Studies of Renmin University, said the line-up of seven ministries showed the scope of the investigation would be “comprehensive”. 

“The government really attaches great importance to the Didi case,” Liu said. Didi’s head office in Beijing looked normal yesterday afternoon with no sign of police or security agency vehicles. The Post spoke to several Didi employees outside the building, most of whom said their work had not been interrupted. 

The involvement of seven ministries in a joint probe into a Chinese business entity is unprecedented. In the antitrust probe of Alibaba Group Holding, owner of the South China Morning Post, initiated last Christmas Eve, a group of antitrust regulators entered the e-commerce giant’s headquarters to conduct interviews and collect evidence for just one day.

Lu Chuanying, general secretary of the Cyberspace International Governance Research Centre at the Shanghai Institute for International Studies, said the review of Didi was set to become a “landmark case” in Beijing’s discipline of technology firms. Lu added that China’s digital economy had reached a stage where relevant security measures must be set up. Though the companies had been used to a quasiunregulated status in the past and might balk at the current measures, the trend was inevitable.

In 2014, President Xi Jinping directly connected cybersecurity to national security. Since then, China has accelerated the development of its data governance regime. A haphazard patchwork of laws and regulations has turned into one of the most sophisticatedregulatory frameworks in the world, with Beijing seeking to maintain a tight grip on data while unleashing its economic potential and protecting consumer privacy.

The on-site inspection comes after the Beijing-based company raised US$4.4 billion in its IPO late last month, which valued it at about US$70 billion. Reuters reported on June 17 that China’s market regulator had begun an antitrust probe into Didi.

A cybersecurity review generally takes up to 45 working days to complete, but that period can be extended. At the same time, cybersecurity regulations stipulate that any member of the cyberspace security review office has the right to initiate an investigation if they see a potential national security concern in a network product or service.

Source of documents：SCMP, July 17