context: Didi’s unexpected and unwanted IPO infuriated Beijing; failing to stop it, national security and financial agencies have reportedly lost face. The involvement of MSS, as well as the actions from relevant regulators, suggests Beijing is trying to assert its authority.

At least seven agencies are now enlisted in regulatory action against DiDi as its IPO fallout spreads
  • cybersecurity review: seven agencies, including CAC (Cyberspace Administration of China), MPS (Ministry of Public Security) and MSS (Ministry of State Security), dispatched officials to DiDi on 16 Jul 2021 to conduct the cybersecurity review ordered by CAC on 2 July
    • CAC is also revising the rules on cybersecurity review to confirm its role in regulating overseas listings
  • privacy regulations: 25 DiDi apps, including its primary app, were removed from mobile app stores on 4 July for ‘severely violating relevant laws and regulations when collecting and utilising personal information’
  • anti-trust: DiDI was fined 4 million by SAMR (State Administration for Market Regulation) for failing to file its M&As

Cybersecurity reviews were designed to ‘deter’ perceived threats to national security and are not to be invoked casually, says Zuo Xiaodong 左晓栋 China Information Security Research Centre deputy head who helped draft multiple cybersecurity regulations. Public security authorities have a list, notes Zuo, of firms and facilities well deserving of cybersecurity review; ultra-large internet platforms will likely come under scrutiny. DiDi was aware that it falls under the scope of the cybersecurity review regulations, insiders told Caixin. Yet the firm claims it was unaware of the review up to the IPO.

DiDi had long been in the regulators’ bad books prior to its devious IPO, reports Caixin. Securities regulators ‘already blocked its planned Hong Kong IPO in 2020’. It remains plagued by compliance issues, remaining sceptical in early 2021 when Beijing attempted to domesticate the big tech sector. When DiDi filed for its New York prospectus, regulators ordered DiDi to conduct a data security review before listing overseas but fell short of objecting to the IPO.