On 2 July 2021, the Cybersecurity Review Office of China announced the launch of a cybersecurity review on the car-hailing platform giant Didi. The review was ordered two days after the launch of Didi’s IPO on the New York Stock Exchange (NYSE: DIDI).
The announcement stated that the review is being conducted to prevent national data security risks, maintain national security, and protect the public interest. These aims may justify the launch of a national security review under the PRC National Security Law. Since Didi’s business focuses on the operation of network and information technology products and services, the specific review shall be conducted under the cybersecurity review regime established under the PRC Cybersecurity Law.
According to the PRC Cybersecurity Law and the Cybersecurity Review Measures, only critical information infrastructure (CII) operators may be subject to cybersecurity reviews. Although the announcement remains silent in this regard, in all probability Didi is now considered a CII operator.
One focus of a cybersecurity review is on the network products and services used by a CII operator. The main factors to be considered include:
- The critical features of the products and services (e.g. safety, openness, transparency, diversity of sources, reliability of supply channels, and risks of the supply being disrupted due to political, diplomatic, and trade factors);
- The risks that CII could be illegally controlled, interrupted or destroyed, and that important data could be breached, leaked or damaged if the products and services are used;
- The compliance status of the relevant product and the service suppliers under Chinese laws; and
- Any other factors that may jeopardise the CII and national security.
More details regarding how a cybersecurity review shall be carried out under the Measures can be found here.
Another focus of a cybersecurity review is cross-border transfer of data. A CII operator is required to store all personal and important data generated during its operation exclusively within the Chinese territory. No cross-border transfer is permitted unless government-organised security assessments are passed.
While Didi has responded via a social media account that it stores the personal data of all Chinese users within China and will not violate laws by transferring personal data to the US, there has been no official statement (either from the authority or Didi) as to whether the review involves any transfer of important data or any other violations. (Detailed requirements on cross-border transfer of data can be found here and here.)
On 4 July 2021, two days after the announcement of the cybersecurity review, the authority ordered Didi to remove its mobile applications from all app stores and markets. The order was based on an investigation that revealed Didi’s collection and use of personal data seriously violated the applicable data-protection requirements.
The authority remains silent on whether this order was issued as part of the cybersecurity review. There is no official confirmation as to whether the recent enforcement actions were triggered by or related to Didi’s IPO in the US or its current VIE structure in China (which is a structure for foreign parties to invest in sectors subject to foreign investment restrictions via contractual control over Chinese operating companies holding the required licences).
Enforcement in cyber space is expected to become a focus of the authorities in the coming months. Following the cybersecurity review of Didi, on 5 July 2021 the authority launched cybersecurity reviews of three other major online business operators (a major online recruiting platform and two online car-hailing platforms).
If an operator is found guilty of serious violations of cybersecurity requirements, penalties may include administrative fines, an order to make corrections, suspension of business operations or revocation of its business licence. As a result, all operators involved in online business in China or with Chinese partners should review their compliance status and take all necessary actions to remain compliant.