Didi headquarters in Beijing. Image from Wikimedia Commons available under CC license.
In a short question-and-answer transcript on Thursday, the Cyberspace Administration of China (CAC), the country’s chief internet monitoring and control agency, answered a number of basic questions about its action against the Chinese vehicle-for-hire company Didi, which included a fine of 1.2 billion dollars. Left conspicuously unanswered by the transcript, and the flood of Chinese media coverage of the Didi case, however, is the exact nature of the company’s alleged national security violations.
The CAC said it found “egregious” violations of data security laws relating to the collection and handling of personal customer data in its investigation of Didi, announced in July last year, just days after the company’s New York IPO. The company had illegally gathered user data – including location and facial recognition data as well as mobile phone camera data — since 2015, the CAC said.
As some analysts have noted, one curious aspect of the Didi decision is that two of the three laws the company is said to have violated actually took effect after the launch of the investigation in early July 2021. These are the Data Security Law (数据安全法), which took effect on September 1, 2021, and the Personal Information Protection Law (个人信息保护法), which did not take effect until November 2021. The CAC has also said that Didi violated the 2017 Cybersecurity Law (网络安全法).
But another point of curiosity in the decision against Didi is the question of national security violations. While the original grounds for the investigation centered on “national security and the public interest,” the CAC has not provided details about the exact nature of the government’s national security concerns.
On this issue, the agency’s question-and-answer transcript reads:
Previously, a cybersecurity review also found that certain data processing activities at Didi seriously impacted national security, and that it had refused to comply with the clear requirements of regulatory authorities, openly assenting but quietly violating, as well as other violations of laws and regulations such as the malicious evasion of oversight. The illegal and non-compliant operations of Didi have posed serious security risks to the security of critical national information infrastructure and data security.
The justification for silence on the nature of Didi’s national security violations is, well, national security. “As these relate to national security, they are not disclosed in accordance with the law,” the transcript said.