
Recently, the cybersecurity review imposed on Didi has sparked widespread discussion across various sectors. Star Law Firm provides a legal analysis of the incident here, explaining the "ins and outs" of cybersecurity reviews.
Table of Contents
I. What is a cybersecurity review?
1. Legislative Background of Cybersecurity Reviews
2. How is the cybersecurity review process initiated?
3. Methods for Identifying Critical Information Infrastructure
II. Why was Didi subjected to a cybersecurity review?
1. Didi has a massive user base
2. The data controlled by Didi contains a large amount of sensitive information
3. The "sensitivity" of cross-border data transfer in a complex domestic and international environment
4. Risks in Data Compliance Disclosed by Didi
III. How can companies respond if they face a cybersecurity review?
IV. Conclusion
I. What is a cybersecurity review?
1. Legislative Background of Cybersecurity Reviews
In recent years, the idea that data security is vital to both public interests and national security has gained widespread acceptance. Meanwhile, critical information infrastructure—essential for managing sensitive data across key industries and sectors—plays an even more crucial role in safeguarding national security, economic stability, social harmony, and public health and safety. It’s clear that ensuring the secure and stable operation of this critical infrastructure directly protects people’s livelihoods, public welfare, and national security from potential threats.
As early as 2015, the National Security Law stipulated that "the state shall establish systems and mechanisms for national security review and oversight, conducting such reviews on foreign investments, specific items and critical technologies, cybersecurity information technology products and services, construction projects involving national security considerations, as well as other major undertakings and activities, whether they have already impacted or may potentially affect national security, in order to effectively prevent and mitigate national security risks." The Cybersecurity Law, which took effect on June 1, 2017, further specified that operators of critical information infrastructure are obligated to undergo cybersecurity reviews when procuring network products and services that may affect national security, and must sign security and confidentiality agreements with suppliers as required, clearly setting out each party's security and confidentiality obligations and responsibilities.
To give concrete form to the requirements of these two higher-level laws, on April 13, 2020, 12 departments, including the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the State Secrecy Administration, and the State Cryptography Administration, jointly issued the "Measures for Cybersecurity Review." The Measures came into force on June 1, 2020, with the specific aim of safeguarding the security of the supply chain for critical information infrastructure.
2. How is the cybersecurity review process initiated?
According to Article 3 of the Cybersecurity Review Measures, the cybersecurity review mechanism combines advance (pre-procurement) review with ongoing supervision. It is also apparent from the specific provisions of the Measures that a review can be initiated in two ways: by the operator's own advance declaration, or ex officio by the review authority through an investigation of activities already under way.

Note 1: The Cybersecurity Review Office is located within the National Internet Information Office. It is responsible for developing institutional frameworks related to cybersecurity reviews, organizing these reviews, and serves as the entity directly implementing cybersecurity review activities.
Note 2: The member organizations of the cybersecurity review mechanism include the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the State Cryptography Administration, and the State Secrecy Administration.
After the Cybersecurity Review Office decides to conduct a cybersecurity review, the process follows the workflow below:

3. Methods for Identifying Critical Information Infrastructure
The "Cybersecurity Review Measures" is a departmental regulation specifically designed for critical information infrastructure. Given that the Cyberspace Administration of China has initiated a cybersecurity review of Didi Chuxing, the company appears to potentially qualify as an operator of critical information infrastructure. Following this development, many enterprises can’t help but wonder whether they, too, might fall under the category of critical infrastructure operators—and consequently face similar cybersecurity review requirements.
Since the announcement of the 2017 Cybersecurity Law, the specific criteria for defining Critical Information Infrastructure have remained unresolved. Although draft versions of the "Regulations on Security Protection of Critical Information Infrastructure" and the "Information Security Technology—Methodology for Determining the Boundaries of Critical Information Infrastructure" were previously released for public consultation, no official, binding documents have yet been issued. On September 22, 2020, the Ministry of Public Security issued the "Guiding Opinions on Implementing the Cybersecurity Level Protection System and the Critical Information Infrastructure Security Protection System," providing detailed guidance on how to identify and designate critical information infrastructure. The document mandates that regulatory authorities overseeing key industries and sectors develop their own rules for identifying critical infrastructure within their respective domains, submitting these rules to the Ministry of Public Security for record-keeping. Additionally, these authorities are tasked with organizing the actual identification process for critical infrastructure in their respective fields, ensuring that the identified entities are promptly notified and that the results are reported to both the relevant operators and the Ministry of Public Security. Based on this guidance, it appears that the final list of critical information infrastructure may not be publicly disclosed. Instead, the designation process will likely proceed by notifying specific organizations directly and filing the findings with the Ministry of Public Security—perhaps as another layer of protection for these vital systems.
Nevertheless, companies can conduct self-assessments even before receiving official notification that they have been designated as critical information infrastructure operators. By preparing in advance, they are ready to act promptly if their systems are so designated, for example by initiating the declaration procedure for cybersecurity review, or by gathering and archiving the required documentation ahead of time. This approach not only supports a company's compliance management but also enhances its corporate image. The author found that between 2017 and 2018 several provinces had already undertaken census initiatives targeting critical information infrastructure. For instance, in April 2018, the Forestry Department of the Xinjiang Uygur Autonomous Region released the "Guidelines for the Census of Critical Information Infrastructure in the Autonomous Region." These guidelines explain in detail, with both text and diagrams, how to classify and define critical information infrastructure. The process they describe is: first, identify the operational units responsible for core business functions; second, map out and pinpoint the key business processes; third, determine the network assets, information systems, industrial control systems, and other components that underpin these critical operations, and compile a preliminary list; and finally, assess how heavily the critical operations depend on each of these elements and evaluate the potential impact a cybersecurity incident would have on business continuity. This document is a valuable resource for companies planning their own self-assessments, so the author has attached it to this article as an appendix for readers' reference (please note that the attachment is lengthy; to obtain it, contact the author at the address given at the end of the article).
II. Why was Didi subjected to a cybersecurity review?
Didi Chuxing listed on the New York Stock Exchange on June 30, 2021. Just two days later, on July 2, the Cyberspace Administration of China announced that it had launched a cybersecurity review of Didi, and the timing has naturally sparked widespread speculation and debate. Before the review results are released, however, the author advises against speculating about facts that remain undisclosed. This article therefore confines itself to explaining the rationale for the cybersecurity review of Didi, drawing on information the company has itself made public together with an overview of China's cybersecurity review framework.
1. Didi has a massive user base
Didi's IPO prospectus for its U.S. listing provided specific figures on metrics such as active users, active drivers, and average daily transaction volume. While the document did differentiate between users by country and region, as a company that originated and grew domestically, it’s safe to assume that Chinese users make up Didi’s largest customer base.

Didi's publicly released prospectus states that, in the 12 months ending March 31, 2021 (the twelve-month period leading up to April 2021), it had 493 million annual active users, 15 million annual active drivers, and an average of 41 million daily transactions. The prospectus also states, "Over the past three years,… we are already improving the lives of more than 60 million people outside of China," which, set against the total, underscores how large Didi's user base within China is.
2. The data controlled by Didi contains a large amount of sensitive information
The author separately reviewed the privacy policies published on Didi's official website and in the Didi Chuxing app. According to the website, the "Personal Information Protection and Privacy Policy" was updated on June 14, 2021, and took effect on June 21, 2021. The privacy policy displayed within the app was updated on June 29, 2021, with the new version taking effect on July 7, 2021. The app version differs from the website version in a few minor respects: the way the policy is presented was adjusted, the description of designated drivers walking around the vehicle to inspect and photograph it was removed, and details about data collected during vehicle pickup and delivery were dropped. These changes may reflect Didi's ongoing business adjustments or an effort to adhere to the principle of collecting only the minimum necessary information. Beyond these tweaks, both versions of the policy are identical in how they describe data collection, use, and processing activities.
Based on the types of information collected as disclosed in the privacy policy, Didi holds extensive personal sensitive data, such as:

As a "national-level" app with a massive user base and the ability to collect extensive sensitive user data, Didi's system stability and the level of protection it provides for data security directly impact public interests. Moreover, the app gathers vast amounts of trip information, real-time video recordings of driving processes, road data, and more—data that could inadvertently involve national geographic mapping and surveying information. Consequently, the information controlled by Didi is also closely tied to national security.
The newly introduced Data Security Law will only come into effect on September 1, 2021; therefore, applying the currently valid Cybersecurity Review Measures to Didi for a cybersecurity review is entirely appropriate.
3. The "sensitivity" of cross-border data transfer in a complex domestic and international environment
Cross-border data transfer has consistently been a key focus of national legislation and enforcement. On July 3, 2021, Li Min, Vice President of Didi, refuted rumors that Didi had handed over domestic data, including road data, to the United States, stating, "Like many Chinese companies listed overseas, Didi stores all data from its domestic users on servers located within China, making it absolutely impossible to transfer this data to the U.S."

Didi's privacy policy includes a clarification on the issue of data transfer abroad: "If personal information is to be transferred overseas, we will clearly inform you about the purpose of the transfer, the recipient, the security measures in place, and will obtain your separate consent."
Before the review results are announced, the author declines to comment on the rumors about the Didi incident circulating online. Under the "Measures for Cybersecurity Review," the Cybersecurity Review Office strengthens both its advance and its ongoing oversight through mechanisms such as accepting reports from the public. Given this provision, it cannot be ruled out that the Office initiated the cybersecurity review of Didi after receiving reports along the lines of those rumors, though this remains unconfirmed.
4. Risks in Data Compliance Disclosed by Didi
Didi disclosed in its prospectus the legal risks associated with its business being subject to various laws, regulations, rules, policies, and other obligations related to privacy, data protection, and information security—some of which have already materialized amid the ongoing security review phase.
"We receive, transmit, and store vast amounts of personally identifiable information and other data on our platform. We are subject to numerous laws and regulations governing privacy, data protection, and the collection, storage, sharing, use, disclosure, and safeguarding of certain types of data across various jurisdictions. To comply with privacy, data protection, and information security standards and protocols mandated by laws, regulations, industry standards, or contractual obligations, we have already incurred—and will continue to incur—substantial costs. Moreover, any changes to existing privacy, data protection, or information security laws or regulations, or the adoption of new ones—particularly if they impose stricter safeguards for specific types of data, introduce fresh requirements for data retention, transmission, or disclosure, or create additional compliance burdens—could significantly increase the cost of delivering our services. This might also necessitate major adjustments to our operations or even force us to discontinue offering certain services in the jurisdictions where we currently operate—or potentially in others we may enter in the future.
Although we strive to comply with applicable laws, regulations, and other obligations related to privacy, data protection, and information security, our practices, products, or platforms may still fail to meet these legal, regulatory, or contractual requirements. If we fall short of complying with any privacy, data protection, or information security laws, regulations, or obligations that apply to us—whether intentionally or unintentionally—or if unauthorized access, use, or disclosure of personally identifiable information occurs, along with any other data security incidents, or if we are perceived or accused of experiencing any such failures or incidents—we could face reputational damage, potentially leading to restrictions on both new and existing drivers and riders from using our platform. This could also result in investigations, fines, temporary suspensions of one or more of our apps, or other penalties imposed by government authorities, as well as private claims or lawsuits—all of which could significantly harm our business, financial condition, and operational performance. Even when our practices aren't legally mandated, discussions about privacy concerns and divergent opinions—regardless of their validity—could still tarnish our reputation and brand, ultimately impacting our business, financial standing, and bottom-line results adversely."
III. How can companies respond if they face a cybersecurity review?
Following the announcement from the Cybersecurity Review Office, Didi responded promptly, stating that it would actively and fully cooperate with the review. Indeed, when a company faces an ex officio investigation by regulators, maintaining open communication and cooperating fully with them is the first priority. Yet, beyond simply complying with regulatory requests and providing the required materials, proactive "self-rescue" is also a crucial strategy: it helps the company get through the review smoothly and can even turn its public image around.
Ultimately, the cybersecurity review process is a specialized management system designed specifically for security assessments of critical information infrastructure. If companies can demonstrably prove they are fulfilling their obligations as operators of critical information infrastructure, the review process will naturally proceed smoothly. However, this effort is by no means something that can be accomplished overnight through last-minute preparations—only sustained, standardized management practices will truly deliver effective results.

When demonstrating compliance with the aforementioned obligations, companies can focus on the following three areas:
(1) Retain all internal control documents, employee training records, and other materials developed and adhered to in fulfilling the aforementioned obligations. (For guidance on how companies can implement data security compliance measures, see our earlier interpretation of the new law, "A Checklist for Corporate Compliance Under the Data Security Law.")
(2) Provide evidence that the company has conducted internal audits, including security impact assessments carried out jointly by internal teams and external professional organizations (such as law firms or technical testing agencies) before launching or procuring new products or services.
(3) In response to the widely discussed issues of data localization and cross-border data transfer, furnish evidence that the company's data centers are located within China, together with retained data transmission records and network logs, so that data flows can be reviewed when required.
IV. Conclusion
With the implementation of the Data Security Law, the framework linking cybersecurity, data security, and national security has been preliminarily established. Moving forward, cases similar to Didi’s are likely to become increasingly common. The Didi incident has also served as a wake-up call for many businesses: cybersecurity and data compliance issues often arise unexpectedly, placing even greater demands on companies to consistently meet their regulatory obligations.
We will continue to closely monitor and share our perspectives on how Didi will respond to this cybersecurity review incident and address the resulting societal impact. Given the current complex domestic and international environment, as well as the increasingly stringent regulatory landscape, we can’t help but wonder: if the first case has already arrived, how long until the next one emerges?
Note:
1. From Didi's official website: Personal Information Protection and Privacy Policy
2. Personal sensitive information refers to personal data that, if leaked, illegally disclosed, or misused, could jeopardize an individual’s physical and financial security—and may easily lead to damage to one’s reputation, mental and physical well-being, or even discriminatory treatment. Typically, personal information of children aged 14 and under (inclusive), as well as data involving the privacy of natural persons, are classified as sensitive personal information.