Translation: CAC Announces ‘Cybersecurity Review’ of Ride-Hailing Giant Didi, Just After Its IPO

Published

July 2, 2021

Last revised

October 14, 2021

Published

July 2, 2021

Last revised

October 14, 2021


The Cybersecurity Review Office of the Cyberspace Administration of China on Friday announced the initiation of a review of the Chinese ride-hailing giant Didi Chuxing. The announcement came two days after the company’s more than $4 billion USD IPO, the Financial Times reported.

DigiChina has translated the official announcement below.

The cybersecurity review process is outlined in the “Cybersecurity Review Measures,” finalized in 2020, which established the Cybersecurity Review Office under the CAC.

Cybersecurity reviews under those Measures focus on security implications stemming from procurement and installation of “network products and services” by entities deemed to be “critical information infrastructure (CII) operators.” The language generally centers around “national security” risks, but both CII and national security can be defined broadly to include economic security, mass breaches of personal data, etc.

According to the Cybersecurity Review Measures:

Article 9: The cybersecurity review process focuses on assessing the potential national security risks brought about by procurement of network products and services, mainly considering the following factors:

  1. The risk that the use of products and services could bring about the illegal control of, interference with, or destruction of CII, as well as the theft, leak, or damage of important data;
  2. The harm to CII business continuity of product and service supply disruptions;
  3. The security, openness, transparency, and diversity of sources of products and services; the reliability of supply channels, as well as the risk of supply disruptions due to political, diplomatic, and trade factors;
  4. Product and service providers’ compliance with Chinese national laws, regulations, and department rules;
  5. Other factors that could harm CII security and national security.

The review, which under the Measures would conclude within 45 days unless there are complications, and may require Didi and/or its suppliers to make changes. Penalties for non-compliance are set out in the Cybersecurity Law and may include suspending use of certain systems, a fine up to 10 times the purchase price of the systems, and fines between 10,000 and 100,000 RMB for responsible personnel.

Translation

Cybersecurity Review Office Announcement on the Initiation of Cybersecurity Review of “Didi Chuxing”

July 2, 2021, 19:19   Source: Cyberspace Administration of China Website

In order to guard against national data security risks, safeguard national security, and ensure public interests; in accordance with the “National Security Law of the People’s Republic of China” and the “Cybersecurity Law of the People’s Republic of China”; the Cybersecurity Review Office, according to the “Cybersecurity Review Measures,” is effectuating cybersecurity review of Didi Chuxing. In order to cooperate with cybersecurity review work and guard against the expansion of risks, Didi Chuxing will stop new user registrations during the review.

Cybersecurity Review OfficeJuly 2, 2021

Original Chinese

网络安全审查办公室关于对“滴滴出行”启动网络安全审查的公告

2021年07月02日 19:19 来源: 中国网信网

为防范国家数据安全风险,维护国家安全,保障公共利益,依据《中华人民共和国国家安全法》《中华人民共和国网络安全法》,网络安全审查办公室按照《网络安全审查办法》,对“滴滴出行”实施网络安全审查。为配合网络安全审查工作,防范风险扩大,审查期间“滴滴出行”停止新用户注册。特此公告。

网络安全审查办公室2021年7月2日

CITED BY

After 5 Years, China’s Cybersecurity Rules for Critical Infrastructure Come Into Focus Citations Icon

Webster, Graham
2021