China sent regulators including state security and police officials to Didi Global Inc.’s ride-hailing business on Friday as part of a cybersecurity investigation, the latest development in a regulatory saga that has gripped China’s tech industry.
Regulators from government units including the Ministry of Public Security, the Ministry of State Security, the Cyberspace Administration of China, the Ministry of Transport and Ministry of Natural Resources will be stationed at Didi starting Friday for the investigation, the cyberspace administration said in an online statement.
The Cyberspace Administration of China, the country’s internet regulator, earlier this month ordered Didi to undergo a cybersecurity review over national-security concerns, days after the company raised $4.4 billion in a New York initial public offering. The regulator also said Didi illegally collected personal data and ordered more than two dozen of its apps removed from app stores.
The Ministry of Public Security is in charge of China’s domestic security, while the Ministry of State Security oversees the country’s civilian arm for intelligence gathering and counterespionage. Lawyers and analysts say the two ministries are part of an agency overseeing cybersecurity reviews.
Still, their participation signals the potentially serious nature of the investigation. Potential outcomes include financial penalties, suspensions of business licenses and criminal charges.
The large number of ministries participating in the probe also highlights the breadth of the data Didi holds and that is now coming under regulatory scrutiny. The Transport Ministry regulates the ride-hailing industry, while the Ministry of Natural Resources is in charge of mapping and road surveying.
Didi didn’t respond to a request for comment.
Didi is the first major internet company to be publicly subject to the cybersecurity review, said Yan Luo, a partner and cybersecurity lawyer at Covington & Burling LLP in Beijing. Last week, the Cyberspace Administration of China released a security-review revision, for public comment, in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.
The probe illustrates how the regulators are broadening the scope of cybersecurity reviews, which had focused on technology supply-chain risks in the past, to more broadly defined data-security risks, such as cross-border transfers of "important data and a large amount of personal data," Ms. Luo said.
Didi, the most popular ride-hailing app in China, with 377 million annual active users, amasses data including consumers’ personal information, street mapping, and real-time movements of vehicles and people. This has put the company’s data collection and handling practices on the radar of regulators, as such data is considered sensitive by Chinese authorities, lawyers and analysts said.
On Friday morning, dozens of officials arrived at Didi’s Beijing headquarters and spoke with executives, according to an employee there. While the on-site visit by the officials came as no surprise to many employees, the mood at the company was tense, and employees on site were ordered to stay silent and banned from posting the development on social media, the person said.
The Wall Street Journal reported earlier that Didi pushed ahead with its IPO despite being urged by China’s internet regulator to submit itself to a cybersecurity review.
Click here to read more on the Wall Street Journal.