A week after the close of our conference comparing platform governance in the US and China, the Chinese government took another strong action to subordinate one of its major private platform companies. This time it was Didi Chuxing, China’s dominant ride-hailing platform. The government said it was conducting a “cybersecurity review” of the company, during which Didi Chuxing was forced to stop new user registrations and was removed from app stores in China. A translation of the announcement is provided by DigiChina here; the review is intended to “guard against national data security risks, safeguard national security, and ensure public interests.”

The Chinese internet regulator then widened its probe to three more Chinese companies, including truck-hailing app operator Full Truck Alliance and online recruiting app operator Kanzhun Ltd. A common thread among the targeted platforms is a listing on the U.S. stock market. Some analysts have suggested that the government wants to discourage Chinese tech companies from seeking IPOs in New York. The CAC claimed that the companies were “mishandling personal data,” in an attempt to give its actions a pro-privacy, pro-user gloss, but in China under the CCP, personal data protection and national government control of data blur into each other. The stated motive behind these actions was “national security”; i.e., to prevent any Chinese user data from relying on network products and services outside the country. Professor Henry Gao of Singapore Management University suggested that the reviews “relate to some services that the four firms use” and that “the service provider is [a] non-Chinese company like AWS?”

The Chinese actions contradict one of the popular narratives about China in the U.S., which is that China’s industrial policies in platforms and ICT services are designed to promote its own “national champions” at the expense of foreign, mainly American, competitors. We don’t see Chinese platforms taking over the world; we see China sealing itself and its firms off. China is enacting a severe form of data localization, and potentially also restrictions on capital raising, that not only handicap foreign participation in its domestic market but actively harm its own private, internationally competitive firms. China’s chief motivation is national security and information control, rather than an expansionist industrial policy. These developments blow a big hole in the “all Chinese firms are agents of the Chinese state” theory favored by American China hawks. There is a huge conflict of interest between the private firms’ desire to enter foreign markets and access foreign capital and the government’s tech nationalist policies.

Like Alibaba, Didi Chuxing was a private firm with a presence in multiple national markets and internationalized in terms of its ownership and operations. Just days before the announcement of the cybersecurity review freeze, Didi completed a successful initial public offering on the NYSE, raising $4.4 billion. Uber holds 12% of the company, and Japan’s Softbank 20%; in 2016 Apple invested $1 billion in it. It is probably not a coincidence that the firms under review are all listed in the United States and have ties to foreign capital.

The cybersecurity review process is outlined in the “Cybersecurity Review Measures.” These regulations, finalized in 2020, established the Cybersecurity Review Office under the Cyberspace Administration of China. The measures focus on security implications stemming from procurement and installation of “network products and services” by entities deemed to be “critical information infrastructure (CII) operators.” Didi’s removal from app stores and suspension of new users do not prevent its service from working if users have already downloaded it, so it is not a devastating blow to Didi, but it will have a business impact.

Perhaps this action will make American policy makers take a new look at some of their assumptions about the China threat. Classifying any cross-border services and data flows from foreign firms as a national security threat is a recipe for isolated, state-dominated information services markets and authoritarian control over the evolution of the platform economy. Let’s hope the U.S. and Europeans are repelled by this action and not inspired to imitate it.