Skip to main content

Data Security Law in China

July 20, 2021

By Szu-Yi (Julie) Lee

This blog post was submitted as a contribution to the Tabula project, an international and comparative research collaboration carried out over the summer of 2021.


The Cyberspace Administration of China (CAC) announced on July 2, 2021, that for the protection of national security and public interest, under the National Security Law, Cyber Security Law, and Cyber Security Review Measures, it would put Didi Chuxing–the Chinese version of Uber, which had recently gone public in the United States–under cybersecurity scrutiny. During its period of investigation, no new users were allowed to subscribe to the Didi app. On July 4, the CAC announced that because Didi Chuxing had had “problems of seriously violating laws on collecting and using personal information,” the app was to be removed from the app store in China.

Didi Chuxing, developed by Beijing Xiaoju Technology Co., was established in 2012, and by 2021 it had claimed a more than a 90% share in the ride-sharing market of China. It also offers service in 14 other countries. On June 30, 2021, it had just completed its $4.4 billion US initial public offering, making it the largest Chinese company going public in the US since Alibaba did so in 2014.

The announcement of the investigation of Didi Chuxing by the CAC was quickly followed by statements of more investigations of other digital platforms that went public in the US in the weeks before, such as Full Truck Alliance and BOSS Zhipin. Conspiracy theories have arisen as a result, considering the escalation of scrutiny on data collection in China.

According to the CAC’s ruling published on its official website on July 4, the review of Didi Chuxing is based on data security and national security risks; however, prior to this announcement, it did not mention any report or constructive method of review. Legally, the CAC invoked the National Security Law, Cyber Security Law, and Cyber Security Review Measures. It did not specify which article or provision it is referencing as the basis for its ruling, however. Under the Cyber Security Law and Cyber Security Review Measures Article 2, the subject matter of the applicable law should be “critical information infrastructure operators.” To that end, one must question first whether Didi Chuxing meets this description. If it does, how one would define purview under the Cyber Security Law and Cyber Security Review Measures would be subject to debate.

Furthermore, in Article 6, the Cyber Security Law and Cyber Security Review Measures provided: “When operators purchase network products and services, the potential security risks of operating products and services once in operation should be anticipated, and a security risk report should be generated. Where [there is an impact or potential impact on national security], an application for cybersecurity review shall be made to the Office for Cybersecurity Review.” Such a provision could serve not only as an instrument to block entry of unfavorable foreign investment, but also as a means to harness domestic mega tech companies.

These investigations constitute the first time Beijing’s secretive Ministry of State Security has utilized the recent law. In addition, due to the ambiguities of the legal text and the lack of details in the published ruling, tech companies are now in uncharted territory. The regulatory risks, aside from the strong-arm tactics being used by China, are only part of the legal agenda to protect national security. The CAC has recently declared that Chinese companies with data from more than one million subscribers must comply with a stringent security-check procedure before issuing shares on an overseas stock exchange market.

Since Ant Group, an internet financial platform, was blocked from offering shares on the Hong Kong and Shanghai markets in 2020, other tech giants, including Alibaba, Tencent, and Meituan, have faced regulatory turmoil. The first wave of attack was led by the State Administration of Market Regulation, the national antitrust enforcement agency of China, and the legal reference of its initiative was antitrust law. With Didi Chuxing and the companies that followed, however, the central legal issue has been data security. How the legislation and enforcement in China will achieve the aim of its regulatory policy is disputable, then; but the impact on foreign investors and domestic tech companies is undeniable.