What is driving China’s clampdown on Didi and data security?

China’s cyberspace regulator has launched a probe into ride-hailing giant Didi Global , calling for it to stop adding new users and for app stores to remove it, days after it went public in a $4.4 billion New York stock sale.

The move, followed by similar actions against two other recently U.S.-listed Chinese firms, comes amid tightening policies around data control and privacy, and a broader crackdown on tech firms.

WHAT ARE THE ALLEGATIONS AGAINST DIDI?

The Cyberspace Administration of China (CAC) on July 2 called for Didi to stop accepting new user registrations, citing China’s Cybersecurity Law, a sweeping piece of legislation implemented in 2017.

Two days later, the CAC said Didi’s app “has serious violations of laws and regulations pertaining to the collection of personal information.”

The CAC has not publicly specified the violations.

WHAT USER DATA DOES DIDI COLLECT?

Didi, China’s biggest ride-hailing company, provides 20 million rides a day in China to users who sign up through an app that uses a phone number and password.

Didi collects user location and trip route data, for safety and data analysis. It routinely publishes reports illustrating its big data analytics, showing, for example, what times people in certain cities finish work, or which employers have the longest work hours.

Didi also equips cars with cameras monitoring road conditions, and what is happening in the car, collecting data on 100 billion kilometres of Chinese roads per year.

Didi stores all Chinese user and roads data on domestic servers. A Didi executive said on Saturday it was impossible that it passed data to the United States.

WHY DID THE CAC TARGET DIDI?

China is in the process of revamping its policy towards privacy and data security.

In late April, China issued a second version of a draft Personal Information Protection Law, which calls for tech platforms to impose stricter measures to ensure secure storage of user data.

In September, China is set to implement its Data Security Law, which requires companies that process “critical data” to conduct risk assessments and submit reports to authorities. It also calls on organizations that process data affecting China’s national security to submit to annual reviews.

Michael Tan, who heads the China TMC practice of international law firm Taylor Wessing, says these laws build on the Cybersecurity Law, and the actions against Didi and other companies publicly demonstrate how seriously the government will enforce the new legislation.

In May, the CAC accused 105 apps, including Bytedance’s Douyin and Microsoft’s Bing, of collecting excessive amounts of users’ personal information and illegally accessing it.

WHAT’S WITH THE TIMING?

The move has drawn comparisons to late last year when Ant Group, the fintech affiliate of Alibaba, saw its massive planned Shanghai and Hong Kong IPO thwarted when regulators announced an investigation days before it was due to list.

Some investors and experts suspect that by targeting a high-profile tech company that listed in the United States, Beijing is signalling it wants its data-rich tech firms to list domestically, not overseas, for security reasons.

Late on Tuesday, China’s cabinet said Beijing will step up supervision of Chinese firms listed offshore and bolster regulation of cross-border data flows and security.

“When companies go public they need to disclose a lot of detail about how their supply chain actually operates,” said Nico Bahmanyar, who tracks Chinese data policy at Beijing-based law firm Leaf.

“So if China sees a risk there, it will be easier to control on the Hong Kong stock exchange than the U.S. stock exchange.”