Chinese ride-sharing giant DiDi has been caught in Chinese regulators’ crosshairs since it launched its starcrossed $4.4 billion U.S. IPO in June. DiDi finally announced last Friday its plans to delist from the New York Stock Exchange and relist in Hong Kong. The company’s departure from the U.S. could make it the test case in a transition to a tougher data security oversight regime that could shape how Chinese tech giants conduct their businesses in the future.
Though DiDi didn’t specify the reason for its delisting, tech analysts widely believe the company was under immense political pressure to withdraw its U.S. offering, which, the public learned in retrospect, never received a full green light from Beijing. Just two days after DiDi executives rang the bell at the New York Stock Exchange, on July 2, China’s powerful cyberspace watchdog launched a cybersecurity probe into the company’s data infrastructure.
Since then, DiDi has heightened regulatory concerns and catalyzed public discussion about two areas in which both Beijing and Washington have taken a keen interest: cybersecurity and Chinese tech firms’ U.S. listings.
“DiDi might not be driving trends by setting precedent, but rather it might be a guinea pig in a bigger transition,” Graham Webster, a research scholar and editor in chief of the DigiChina Project at Stanford University, told Protocol.
Beijing passed the Data Security Law and the Personal Information Protection Law this year to rein in tech companies and restrict data transfer to foreign countries. Beijing also reportedly plans to ban domestic companies handling sensitive data from listing abroad through so-called variable interest entities (VIEs), which DiDi and most other tech heavyweights used for the past two decades to bypass foreign investment restrictions on overseas listings.
Meanwhile, DiDi is caught in a years-long auditing deadlock between Beijing and Washington. The SEC last week finalized revised rules that can now allow the American regulator to force all Chinese companies to delist from American exchanges if they don't comply with U.S. auditing requirements. And the U.S. securities regulator is also looking to clamp down on Chinese VIEs.
“In the grand scheme of things, this development will [have] a chilling effect on the market and a damper on the animal spirits of the domestic platform industry,” Xiaomeng Lu, a director in Eurasia Group's geo-technology practice, told Protocol. “Entrepreneurs would be very hesitant to ruffle the feathers of regulators for a while.”
A chilling effect
The Cyberspace Administration of China (CAC)’s investigation into DiDi’s data infrastructure is still ongoing, long past the date by which the regulator said it would reach a conclusion. Analysts at political risk consultancy Eurasia Group believe the CAC has possibly reached “a key milestone” in its probe into DiDi, and might have pushed DiDi to delist from the U.S. behind the scene. So DiDi is hitching itself to Hong Kong, which the mobility company once shunned because of the Hong Kong Stock Exchange’s more stringent listing requirements.
DiDi’s plight, against the backdrop of new regulatory moves in both China and the U.S., will likely prompt other Chinese tech firms to wind down their U.S. listings. And Chinese tech unicorns will raise funds through other channels, including going public in Hong Kong.
Cybersecurity reviews will be another part of the new normal for Chinese tech unicorns. Not only is DiDi itself subject to a prolonged cybersecurity review, but its defiant IPO — in Beijing’s eyes — has also provoked the CAC to establish a cybersecurity review regime this past summer, now likely to be applicable to Hong Kong listings.
“Didi's case definitely made one thing clear for Chinese tech companies, if it wasn't clear already: If you've got lots of user data you're going to be more tightly regulated — and that goes doubly for your overseas activity,” said Taylor Loeb, an analyst at Trivium China, a China policy research group.
What’s next?
Now that DiDi has ticked off Chinese authorities and will have to withdraw its New York listing, analysts at Eurasia Group believe that DiDi will be forced to restructure the company to address the Chinese government’s data security and national security concerns, following the steps of Ant Group, another tech unicorn that has fallen from Beijing’s grace and has agreed to share its troves of consumer data with a state-backed credit-scoring agency.
One possible outcome of the cybersecurity review is to introduce state shareholders to DiDi’s governance structure. “Didi will end up in a worse place than Ant [Group] on the restructuring front,” Lu of Eurasia Group told Protocol.
Lu believes DiDi’s cybersecurity review outcomes could set precedent for other Chinese tech unicorns, which could allow regulators to tighten their grip over Chinese tech companies seeking to list overseas. A partial state partnership “would open a new front of China's ongoing rectification campaign, expanding on existing effort in the areas of fintech regulation, antitrust reform, content policing, algorithm supervision and labor condition improvement,” Lu and other Eurasia analysts wrote in a report.
A few Chinese tech companies have already introduced state shareholders into their corporate governance. For example, back in August, a state-backed company, Wangtouzhongwen Technology, bought a 1% stake in TikTok’s parent company ByteDance. Wangtouzhongwen Technology is owned by several state-backed entities, including a fund backed by the CAC.
To be sure, analysts are reluctant to extrapolate too much from DiDi’s fiasco, noting that DiDi’s situation is unique. “The regulatory assault on DiDi stands apart from the general industry situation because the company was perceived as brazenly defying the government,” Webster said. “There’s a broader effort to exert control over data-intensive industries, but to assess it one should look at companies that have not just especially ticked off the government, such as DiDi or Ant Financial.”