Cross-Border Transfer of Data – Case Study of Didi

Cross-Border Transfer of Data – Case Study of Didi
By Elizabeth Zhou | July 9, 2021

Didi, the uber of China, submitted its prospectus in the United States on June 10, and officially went public on June 30th. July 1st was the Chinese party’s 100th anniversary celebration. On July 2nd, the Cyberspace Administration of China issued an announcement to initiate a cyber security review of Didi. At the same time, Didi was removed from the Chinese app/android store on July 4th. Because of this regulator change, Didi lost US$15 billion in US stock market, and it is going to be sued by American shareholders over stock plunge caused by the regulatory changes. Didi’s failure is not only caused by the special political environment of China, but also caused by Didi’s negligence in cross-border transfer of data.

What is cross- border transfer of data? “What data can be transferred out?” and “what data must be stored inside of the country?” are two major questions around this topic. In fact, different countries have different policies. For example, in European countries, GDPR stipulates that personal data can flow freely within the European Union or the European Economic Area, while outflow of the European Economic Area, Cross-border transfers of personal data to a third country must be based on an adequacy decision or another valid data transfer mechanism, such as Binding Corporate Rules, Contract Clauses and EU-US Privacy Shield. While for CCPA, there are no such restrictions on cross-border transfer of data. China has the most strict management of cross-border data. Chinese Cyber Security Law (CCSL) stipulates that the important data should be stored in the territory. If it is really necessary to transfer to overseas due to business needs, a safety assessment shall be carried out in accordance with the measures formulated by the relevant departments of the State Council. Compared with Europe and the United States, China’s cross-border data is subject to strict scrutiny to ensure personal privacy and national security.

Why Didi Fail?

The United States introduced a Foreign Company Accountability Act (HFCA) last year, which specifically mentions that as long as it is a company going public in the United States, it must accept the review from the US Public Company Accounting Supervision Committee. This requirement is indeedly strict, therefore the Chinese company faces either being reviewed with the entire accounting manuscript or it will be forced to delist. But this review actually violated Chinese securities laws. Mentioned above, CCSL has special requirements that no unit or individual can provide relevant information and data overseas without authorization from the State Council. Because of this dilemma, Didi chooses bypassed the domestic process and submitted its data to the US directly. And because of Didi’s negligence on CCSL, Chinese government enforced strict regulatory changes on Didi, causing the following punishments.

What we learned from Didi?

Cross-border transfer of data involves two countries’ policies which rises up the barrier for companies that want to go to overseas. Especially under countries have special political weather, companies should be more cautious and patient.