China Thumbnail

The increasing list of Chinese companies, particularly in the tech space, being reined in by the Chinese government should have US officials worried about more than just investing. It is now crystal clear that Chinese businesses must comply in all matters with the Communist Party: business leaders will be muzzled, data privacy is non-existent, and foreign owners’ have no property rights.   

After Chinese ride hailing company Didi’s tumultuous IPO, US senators called for SEC investigations as to whether Didi mislead the public, but the more revealing story remains the lengths to which China will go to exercise control over its companies and the data they keep.   

Chinese ride-hailing company, Didi, raised $4.4 billion by listing its shares on the New York Stock Exchange on June 30th, marking the biggest US IPO by a Chinese company since 2014. Shortly thereafter, on July 2nd and 4th, the Cyberspace Administration of China (CAC) rolled out orders to remove Didi from app stores and announced an on-sight probe that would also involve police, tax authorities, the market competition regulator, and regulators for natural resources and transport. This is the first time a government cloaked in secrecy publicly announced an investigation involving staff based within a company.  

By the following Wednesday, Didi’s market value tumbled to $57 billion, down from nearly $70 billion on its first day of trading, prompting the senators’ calls for investigation.  

The CAC almost immediately announced similar investigations that also included blocking new user sign-ups into truck-hailing app Full Truck Alliance and recruiting app Boss Zhipin, both of which listed on the NYSE in June. No details publicly provided; the CAC only cited suspected violations of China’s national security and cyber security laws.  

While Didi may not operate in the United States it operates on a scale similar to Huawei internationally. In May 2021 testimony to the US-China Economic and Security Review Commission, Dr. R Evan Ellis of the US Army War College said “Didi’s advance in [Latin America], combined with the financial, positional, and other information collected on its clients, also presents a largely unrealized intelligence risk in the region on a scale similar to that presented by Huawei.”  

Didi’s privacy policies in Latin American (Argentina, Colombia, Chile, Mexico, Panama, PeruDominican Republic, Costa Rica, and Ecuador) state that personal data will be stored in the US—or any other part of the world where there is an entity controlled by Didi aka China. In other nations with close ties to America like BrazilJapanSouth AfricaAustralia and New Zealand, Didi’s privacy policy is minimal or non-existent. Mexican authorities have already called into question Didi data transfers with China and how that could affect their elected officials and foreign diplomats, as have Argentinian news organizations.  

China’s Measures on Automobile Data Security clarify that “important data” for the purposes of ride-hailing platforms, like Didi, include data on the flow of people and traffic in sensitive areas; data on aggregate traffic volume and flows; and any other data that Didi might collect that the government comes to determine is relevant to national security.  

That means all data stored by any Chinese company can and will be transferred to the Chinese government should the request be made.   

This is a serious risk to the US, our allies, and Americans abroad, especially American diplomats who might unwittingly be using these applications. Trip information includes locations, trip times and passenger information that can reveal private meetings and daily schedules linked directly to an individual’s financial data. Data gathered from trip information that is not anonymized and pooled in aggregate can paint a vivid picture of an individual or group’s habits and possible future patterns.   

While, Senators Marco Rubio (R-Fl.), Chris Van Hollen (D-Md.), Masha Blackburn (R-Tenn.), and John Kennedy (R-La.)  are right to question the IPO process, we should look even more carefully at the data stewardship of Chinese companies.  

China is not hiding their intentions either. State-run media are backing up the government’s actions saying “an internet giant absolutely cannot have a better command than the state of the super-database that is Chinese people’s personal data.”    

This is not to say the US should in engage in full-scale data localization tactics. Cross border data flows remain important for general commerce and for a fully functioning internet, but as China continues to disrupt the playing field and becomes increasingly aggressive on data collection and localization, our elected officials should remain on guard.