The Peculiar Case of DiDi: What Brussels Learns from China’s Crackdown on Ride-hailing Apps

Introduction

On December 3rd, DiDi, the world’s largest ride-hailing app, announced it would delist from New York Stock Exchange (NYSE) and move its listing to Hong Kong, heeding the calls from the Chinese authorities. DiDi, with its 600 million users (which is more than six times larger than Uber), is by far the world’s largest ride-hailing app and calls itself ‘the world’s largest depository data. As such, it has been subject to several onerous investigations in China since its initial public stock offering (IPO), which had put the company under the purview of US financial authorities. Inevitably, such jurisdictional overlap is sensitive for Chinese security agencies, who deem any access to DiDi’s location data a matter of national security.

Unsurprisingly news reports indicate that DiDi’s launch in Europe is now suspended for at least twelve months.[1] However, the crackdown has its roots in causes that are more complex than Beijing’s pursuit to regulate the internet. DiDi is another incident where privacy obligations of different jurisdictions conflict, and how data collection by foreign platforms has become a reciprocal sensitivity and security risk for Beijing, Brussels, and Washington: Floodgates are open on judicial proceedings in the EU and the Member States since the enactment of the General Data Protection Regulation (GDPR). Notably, the Schrems cases challenged data transfers of EU territory to the US.[2] The complainant successfully argued that the EU data protection rights might be infringed in light of domestic and extraterritorial powers of US intelligence and law enforcement agencies, which resulted in the invalidation of the EU-US Safe Harbor Framework (and its successor, the Privacy Shield). ECJ has also ruled (in Schrems II) that companies must take adequate additional measures to ensure that the recipient country guarantees GDPR-equivalent protection when they also use other mechanisms to transfer data, such as standard contract clauses.[3]

However, the US is just one of over 150 recognised jurisdictions without an EU adequacy decision. Moreover, the vast majority of these jurisdictions have granted their internal security and intelligence agencies access to data (including those on EU citizens) held and stored on their territories by their businesses. Some of these programmes support legitimate policy objectives, placed under proportionate parliamentary and judicial safeguards – while some practices are clearly not. Yet, data controllers routinely use contractual arrangements, explicit consent, or claim ‘legitimate interest’ to transfer EU citizens’ data to other jurisdictions than the US.

Many of these countries are also marching into the digital economy, rightly benefitting from the level-playing field it offers to innovators and creators regardless of their country of origin. Numerous social media, gaming, retail and content apps from the emerging markets have gained instant global popularity. This success story is perhaps the greatest economic innovation of our generation. However, the app economy poses an inherent problem for privacy regulators: Even the most well-meaning, responsible, and benevolent service provider may be subject to legal or extra-legal obligations in its country of origin that may conflict with Member State strategic interests or EU data protection laws. The problem is particularly pronounced if the privacy law is applied extraterritorially, as the EU does.

But Beijing’s own issues with ride-hailing apps herald a new kind of concern. EU and Member State cases concern the use of US-based social media, where users voluntarily and actively share their opinions and content. Such data can be monetised for advertising purposes, which entails a high commercial value. However, mobility apps facilitate our personal travel, leaving behind Ariadne’s thread of data, containing the destination, purpose of travel, and identity of people in the users’ proximity during transit or at the destination. Such information (that is often inadvertently shared) is not just more intrusive than ramblings and memes that users voluntarily and actively upload on social media. But mobility and location data could also have a considerable strategic value, as underlined by recent examples of surveillance, tracking and monitoring involving mobile triangulation or app location data.

Conflicting Legal Principles

The past is not void of attempts to square this circle, with Huawei being the most notable example. The Chinese network equipment vendor has offered to localise data and sign ‘no spy’ agreements.^[4] But even when they are signed in good faith by a data processor or a controller, such contracts have no legal effect or enforceability against a foreign government. In the eyes of public international law, such private commitment does not limit the legal basis of a foreign government to access EU citizen data. Moreover, their compliance is impossible to verify since data access takes place out of sight, why even treaties – with clear and precise commitments, signed between heads of governments – are impossible to verify or enforce.^[5]

The relationship between the EU GDPR and Chinese law is a case that raises several complex questions. This is not due to European sentiments against Chinese governance structures, or what Europeans believe take place within China’s internal affairs. China is simply the next contradiction that the EU privacy laws will be forced to tackle as the second most successful exporter of digital services after the US. An impressive and vibrant Chinese app economy has gone abroad, where apps like Tiktok, UC, musical.ly, PlayIt, Helo, Alibaba and Shareit enjoy a greater international user-base than the more domestic-oriented major players like Baidu, Weibo and WeChat. Also, publishers like Gomo or Meitu develop user-friendly photo-editing tools, while device manufacturers like Xiaomi pre-installs many of their own apps on their devices destined for the Single Market.

Market data indicate that nearly four per cent of app downloads in the larger EU Member States originate directly from Mainland Chinese jurisdiction (i.e. not via overseas subsidiaries or from Hong Kong or Macao).^[6] One of them – TikTok – is already used by one-fifth of all EU citizens.[7] DiDi is just one example of the global ambitions of Chinese unicorns, as it already operates in Latin America, Africa, Russia, Australia and two EU adequacy countries – Japan and New Zealand – where it combines its global data know-how to manage local subcontractors.

But rather than the legal approach the EU has taken on Chinese 5G equipment (through Member States’ designation and restriction of high-risk Chinese vendors), the enforcement on apps is unlikely to be subject to outright bans under the EU law. Instead, following the paths set by the EU and US deliberations following the Schrems cases, China’s use of transfer mechanisms must fulfil the conditions stipulated by the Court.

In conclusion, the failure to uphold the same standards for transfers to other countries would imply that Europe has greater faith in any other legal system (including China) than the US. Moreover, following the public revelations of the upstream data collection programmes of the NSA in 2013, the EU used its political and economic leverage to coerce the US into a negotiation. In the years that followed, the Obama Administration agreed to, inter alia, reform the Foreign Intelligence Surveillance Act restricting bulk data collection, enact the Judicial Redress Act (which granted legal standing of EU citizens before US courts), and to set up a sui generis ombudsman system to process EU complaints. These reforms (in addition to the prerequisites set forth by Schrems rulings) are de facto EU minimum standards for all transfer to third countries. Union law expects these standards to be upheld wherever GDPR transfer mechanisms are used. Otherwise, the EU finds itself in an untenable contradiction from the viewpoint of both privacy and diplomacy.

Extraterritorial Access Obligations

In effect, all countries (including EU Member States) are engaged in activities that involve government agencies accessing private data to support national security or law enforcement objectives –  and more rarely – even for commercial purposes.[8] Both Beijing and Washington have undergone significant reforms of their intelligence laws that empower their law enforcement agencies to gather evidence against their citizens and the security agencies to collect intelligence on foreigners, albeit with some significant differences in their implementation.

Negotiations with Brussels have significantly reshaped US law since 2013. US Foreign Intelligence Surveillance Act (FISA) that allows intelligence agencies to access personal data on foreigners have been reformed. Similarly, objections by the EU have set some limits within the US Clarifying Overseas Use of Data (CLOUD) Act, when law enforcement officials request access to personal data on foreign and domestic entities held by US companies and their subsidiaries abroad in criminal investigations and judicial proceedings.

In parallel, China is increasingly codifying a legal basis for its public security practices that are typically extra-legal in nature. China’s National Intelligence Law of 2017 shares many similarities with the Counterterrorism Law and the Cybersecurity Law that preceded it, as all three require all citizens and businesses to ‘support, assist, and cooperate with national intelligence efforts’,^[9] under punitive sanctions.^[10] The obligations encompass any necessary means to carry out intelligence work overseas,^[11] giving the intelligence agencies the power to read or collect relevant files;^[12] or to use ‘communication tools’ and ‘transportation tools belonging to individuals and organisations.^[13]

While both systems oblige their nationals to surrender data and provide a broad legal basis for their security and law enforcement agencies to access EU citizen data, they differ in some important respects, beginning with proportionality and purposefulness. Under US law – whose standards the ECJ has rejected – the legitimacy of the objective is subject to a court review ex parte of probable cause before a warrant is issued, which is also subject to time limits. Meanwhile, in China (in keeping with its continental traditions), necessity and legitimacy is self-determined by the executive branch and party discipline and determined ex-post through disciplinary action.[14]

Each FISA warrant is not just tethered to an exacting probable-cause determination but can also be challenged under specific circumstances. Service providers may bring a civil action against authorities in case of unlawful collection of data and ask the judiciary to modify or quash the legal process when it believes that the disclosure would be against the laws of a foreign government, such as the GDPR. In contrast, China’s National Intelligence Law explicitly obliges its nationals to not disclose their cooperation with the agencies,[15] which also inadvertently counteracts the merits of any assurances given of non-cooperation.

The Judicial Redress Act also extends the civil remedies to a positive list of countries, including the EU Member States. At prima facie, Chinese laws are not entirely without safeguards. Similar to US FISA and CLOUD acts, any violation of ‘lawful rights and interests of citizens and organisations’ is punishable by law,^[16] and Chinese citizens and organisations can file a report or make an accusation when the security agencies exceed the scope of their authority or act against the law.^[17] However, foreign entities have no means of redress before a Chinese court. Needless to say, there are no known cases of even Chinese processors successfully challenging (or even attempting to challenge) government requests for access.^[18] In any case, even the existence of such cases would have no precedent, as case law has little legal merit in Chinese jurisprudence.

European leaders and EU courts determined that the US laws do not live up to EU standards and forced the three consecutive administrations into political negotiations. Unless they demand equivalent concessions from China and other jurisdictions, the EU must deem Chinese safeguards to be better than those under current US laws – which is clearly not the case. In fact, the Constitution of the People’s Republic of China and the recent Personal Information Protection Law (PIPL) recognise privacy rights de jure, similar to GDPR and EU fundamental rights. However, this right is only afforded to Chinese citizens and can be restricted to guarantee public or state security.^[19] Also, the 2017 National Intelligence Law only vaguely states that the ‘lawful rights and interests of individuals and organisations’ shall be protected but does not outline a clear procedure for the judicial redress, nor what these rights are, or the prerequisites that decide the case. Hence, it is unclear which legal facts would determine that a government agency exceeds the scope of its authority, even if the decision could be contested by a European subject.

Localisation Requirement of ‘Critical’ and ‘Important’ Data

The legal construct of the National Intelligence Law is relatively unique even within the Chinese legal system, which is traditionally adhering strictly to the territoriality principle. However, the extraterritorial application of the National Intelligence Law is inevitable due to the inherent nature of foreign intelligence, which is always extraterritorial. However, the 2017 law also stands out compared to other intelligence laws as China conflates the legal basis for domestic and foreign intelligence activities. Without the equivalence to the US Judicial Redress Act or parliamentary control, China’s safeguards (in the form of judicial redress and civil remedies) are confined within its own idiosyncrasies, and one may debate whether they are fully open to its own legal and natural persons.

While there is much ado in the current public debate about China’s social credit system and pandemic surveillance, these practices have relatively little interactions with GDPR or impact outside of EU expatriates who reside in China. In contrast, its privacy and sectoral regulations could inadvertently extend the Chinese government access to data and complicate any negotiations or the remote prospect of adequacy. China’s own GDPR, the Personal Information Protection Law (PIPL) that recently came into effect, shares some of the most defining features with EU GDPR – such as legal definitions, personal rights, obligations for lawful processing, and as a law with extraterritorial scope. But PIPL also restricts international data transfers in a manner that GDPR does not: Large-scale processors (which effectively means any large organisation inside or outside of China) and critical information infrastructure operators (CIIOs) are obliged to localise their data within China,^[20] unless oversea transfers are pre-approved by the Cybersecurity Administration of China (CAC), who is also authorised to maintain a ‘blacklist’ of organisations who may not touch Chinese citizens’ data.^[21] Transfers to foreign public authorities without prior consent by the authorities are forbidden,^[22] and keeping with Chinese trade policy, PIPL also reserves the right to take reciprocal measures against any foreign jurisdiction that does not allow Chinese entities to process their personal data.

The practical implication of PIPL is how it formalised China’s privacy rules, which already operated under de facto double-consent, i.e. the requirement of consent from the data subject as well as competent authorities. This is written in plural, as state agencies often compete for regulatory authority. PIPL in conjunction with the National Intelligence Law also complicates the use of EU transfer mechanisms since GDPR compliance of Chinese processors cannot be verified. Since privacy negotiations (in the EU and elsewhere) are no longer based on functional equivalence alone and increasingly depend on reciprocity and two-way openness, de jure localisation becomes a veritable obstacle as the EU has never undertaken any cooperation or scoping discussions (for adequacy or otherwise) with a jurisdiction that mandates de jure data localisation.

China’s Approach to Information Sovereignty

In addition to China’s new privacy rules, its two important information security acts – namely DSL and CSL (that preceded PIPL) are still in force. These acts distinguish another uniquely Chinese class of data that needs to be localised – namely ‘important data’ – that was first introduced in CSL, although it remains undefined. In any legal system, laws with overly broad or ambiguous scope tend to lend themselves to discrimination since the enforcement agencies lack the resources to investigate all transgressions; and if the rules are drafted in an ambiguous manner where anyone can be declared guilty, the sovereign has the discretion to selectively investigate and remove any commercial actor it deems politically undesirable.

In sum, the restrictions imposed on large-scale processors, CIIOs and ‘important data’ have merely formalised several pre-existing de facto or de jure data localisation mandates. Recent laws have unified the ban on data transfers from China in banking,^[23] credit ratings,^[24] medical data,^[25] online lending,^[26] maps and other geospatial information,^[27] which includes location data of motor vehicles,^[28] taxis or ride-sharing,^[29] and bicycle rentals.^[30] Moreover, collecting ‘high-precision’ driving data requires a government license that is reserved for indigenous companies and entities. With just 26 license holders, all headquartered in China,^[31] the EU auto and network manufacturers are de facto excluded from connected vehicles without joint-venturing with a local Chinese partner since driving logs and routes create a high-precision map of roads and topology.

These restrictions overlap with CIIOs, which was understood to mean important industries and (own emphasis) sectors like public communications and information services, energy, transports, utilities, banking, public services, including e-government and defence. A 2021 State Council Regulation (and later decisions) also add that to the definition as a sector where, ‘in the event of damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardise national security, national economy and people’s livelihoods, or the public interest.’

The domains listed under CIIOs overlaps to some extent with the scope for EU Critical Infrastructure (CI) in past laws and a specific directive currently under review.^[32] However, China has also come to include any sector (including bicycle rentals) that could reveal geospatial information on individuals and public officials. By and large, both jurisdictions follow definitions on critical infrastructure protection that are risk-based, but it differs on against whom the risks are posed: the 2021 State Council Regulation points to how China’s policy objectives go beyond the protection of CI and the society, and also look to a wider objective of economic, security, national stability and ‘internal public order’, i.e. the protection of political stability.

The philosophy of information sovereignty, a thought where the national sovereignty encompasses control of data, information and ideas passing within and across its territory,^[33] is neither novel to our times nor to China. Such ideas proliferate in legal systems where the territoriality principle is interpreted in extremis. As a result, data is not just a public good – but a national public good, serving the interests of the nation. Many other practical aspects of PIPL, such as how transfer abroad must pass a security assessment administered by a government agency (rather than say, clear and precise legal conditions or consent), underpins a data protection philosophy rooted in national sovereignty – and not just privacy as an absolute vertical right that protect individuals against the state.

Privacy Aspects of Mobility Apps

Analysis hereto indicates that Chinese-EU perspectives on privacy may contradict each other at least as much as they do across the Atlantic – albeit revolving around other principles and types of data. Several leading Chinese scholars and privacy experts have pointed to ‘a link between mobility data, including location data, and national security, making it ‘an ideal candidate for important data’.^[34] Luo et al. point to the recently promulgated Measures on the Automotive Data Security Management,^[35]  which designates auto industry data as restricted ‘important data’ in China. The non-exhaustive list of affected data types includes information generated by vehicles, road traffic volume, audio and video data recorded outside of the car (including other vehicles or sighted faces and voices of pedestrians), and data on the operation of electric vehicle charging networks. The central government restricts what is available in the public domain, as mapping data with a higher level of accuracy than that provided in publicly available maps is deemed ‘important’, with the data on the flow of people and traffic in important and sensitive geographic areas and places where government agencies at county level and above are located.

Another example is the circumstances that surround the Central Government’s response to the rise and internationalisation of China’s leading ride-hailing and sharing app, DiDi. Ride-sharing operated for many years in an unregulated grey area in the Chinese economy before the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services (‘Interim Measures’) came into effect in November 2016. The 2016 Measures was promulgated with guidelines to the province governments on reforming the taxi industry. The 2016 Measures legalised the grey economy and (unlike some EU Member States) took a surprisingly technology-neutral approach against traditional taxi operators and online ride-hailing and ride-sharing businesses. But the core of its operations – namely the data – remain strictly regulated, as all ride-sharing data (as well as information on all motor vehicles) remain in the restricted class of ‘important data’.

The societal and privacy rationale behind the enhanced sensitivity of location and geospatial data (compared to, say, voluntarily uploaded items of self-expression or dance routines on social media) was discussed at the onset. However, there is also a vindictive rationale behind China’s data regulation. In 2015, DiDi shared its data with a media outlet controlled by the state news agency, Xinhua, which resulted in articles revealing information on rides to or from various government departments, including the Ministry of Public Security.^[36] Since DiDi (and Chinese regulations) requires national identification numbers from both drivers and clients, the readers could enjoy in-depth details and speculation about visitors that were cross-referenced to ongoing investigations.

Such reckless use of data and media antics would set off immediate responses by the authorities in any country (and China is certainly no exception) that may also shed some light on the rationale behind the designation of vehicle data as a national security matter. In its IPO prospectus, DiDi rightly called itself ‘the world’s largest depository of data’ – to which CAC responded with a rare, public statement that gave DiDi just one-hour notice to seize signing up new users,^[37] followed by a multi-agency investigation, involving law enforcement agencies, industry regulators, tax, cyber and antitrust authorities.^[38]

Given the forceful responses of Chinese authorities, and with its share prices slumping to nearly half the original market valuation, DiDi has succumbed to CAC and is delisting from NYSE. ^[39] Other news suggests that DiDi is even in talks to hand over its data warehouse and monitoring to Westone, a Chinese state-owned enterprise,^[40] in what seems like an ultimate act of repentance and self-immolation. Furthermore, a state-owned corporate group (owned and managed by the municipal government of Beijing) is proposing to take over DiDi outright –^[41] a fate already faced by Alibaba,[42] or Huawei’s popular sub-brand, Honor.[43]

Conclusions

The conflict between GDPR transfer mechanisms and third-country surveillance practices are not a problem unique to the transatlantic relationship. China is the home to some of the most interesting and innovative digital ecosystems and entrepreneurs of this decade, and the global success of TikTok and DiDi pave the way for a new generation of Chinese multinationals who are no longer fuelled by low-cost manufacturing prowess, but by Big Data, AI and the platform economy.

China’s venture into the digital economy has not been without complications: Both China and the EU have veered into extraterritorial applications of their laws – Beijing claims exclusive jurisdiction over its subsidiaries operating abroad or any data of strategic value, including mobility data, while the EU claims jurisdiction over its citizens’ data wherever it may reside. If TikTok, DiDi or any Chinese platform would transfer any EU user data to their headquarters, Schrems II states that they must be able to guarantee that Chinese authorities ensure a level of data protection that is essentially equivalent to GDPR. In practical terms, such prospects are notional within a judiciary framework where EU citizens have no rights or legal standing.

Moreover, the data does not need to be moved or duplicated in another jurisdiction for a government agency (or any third-party) to be able to access that data. Various intelligence law even provide legal basis to coerce its nationals to allow access to that data inside Europe. Admittedly, there are few policy options available to eliminate such risks. India and China are so far the only G20 jurisdictions that have applied large-scale ‘catch all’ bans of foreign apps on national security grounds.[44] But for the EU and many pluralistic democracies, censorship or ex ante state approvals (e.g. ICP-licences) are not very attractive regulatory approaches.[45] Here is where the transatlantic negotiations set an immutable precedence: As there are fewer safeguards in China’s National Intelligence Law compared to US FISA and Cloud Act, it is nothing but extraordinary unless the EU does not require the same concessions and safeguards from China.

Such negotiations are not just integral to EU GDPR, but also inevitable for China’s coming internationalisation of its digital economy, and the European Parliament has raised the question (coincidentally over DiDi’s planned launch in Europe).[46] Unlike previous incidents involving Huawei or TikTok, DiDi has never issued a public statement about whether the data that the company collects abroad is processed, stored, or mirrored in China. The core of this problem is not just the extraterritorial features of their respective laws, but how the Chinese government deems mobility data a core national interest. Both Chinese and EU authorities agree that collection of geospatial information of individuals carry extraordinary risks, and recent incidents have led to the former demanding full authority of any company operating in this sector. Legal philosophies also diverge over whether that risk is posed against the individual or the state.

Finally, China’s own crackdown on the company shows how the peculiar case of DiDi is indeed multifaceted, taking place at a time when Chinese law is increasingly codified and unified under a common legal framework. The Central Government has long sought to organise the grey economy, including the sharing economy. Prior to the 2016 law, the State Information Centre estimated that the sharing economy’ at around RMB 1.956 trillion, with 500 million users and engaging 50 million of the workforce,^[47] which is larger than most Latin American or South-East Asian countries, still growing at 40% per year – and it is a market China does not grant reciprocal access to for the EU businesses. While it the Chinese government is protective about its data, media reports of reckless data-sharing indicate that the crackdowns are not only driven by political objectives – but there are also genuine corporate malpractices to consider in the case of DiDi.

---

[1] Yifan Yu, China’s Didi rethinks UK plans amid regulatory pressure at home, Nikkei, August 24, 2021, https://asia.nikkei.com/Business/China-tech/China-s-Didi-rethinks-UK-plans-amid-regulatory-pressure-at-home.

[2] ECJ, Maximillian Schrems v Data Protection Commissioner, C-362/14; Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18

[3] Iibid., See paragraphs 92—96 referring to Article 46; also EPDB, Recommendations 01/2020

[4] Paul Sandle, Huawei willing to sign ‘no-spy’ pacts with governments: chairman, Reuters, May 14, 2019, https://www.reuters.com/article/us-huawei-security-britain-chairman-idUSKCN1SK1HL.

[5] See inter alia Lee-Makiyama et al. in European Commission, Report from the High-Level Hearing: ‘Strategic Autonomy in the Digital Age’, European Commission, December 17, 2018.

[6] Pandaily, Chinese Apps Become Popular Overseas, Pandaily, May 7, 2018, https://pandaily.com/chinese-apps-become-popular-overseas/.

[7] Mansoor Iqbal, TikTok Revenue and Usage Statistics (2021), Business of Apps, November 12, 2021, https://www.businessofapps.com/data/tik-tok-statistics/.

[8] Lee-Makiyama, Stealing Thunder: Cloud, IoT and 5G Will Change the Strategic Paradigm for Protecting European Commercial Interests, ECIPE, February 2018, https://ecipe.org/publications/stealing-thunder/.

[9] Article 7 of the National Intelligence Law of the People’s Republic of China, 2017

[10] ibid., article 14

[11]ibid., article 10

[12] ibid., article 16

[13] ibid., article 17

[14] ibid., articles 18; 23; 27

[15] ibid., article 6

[16] ibid., article 31

[17] ibid., article 27

[18] Yuan Yang, Is Huawei Compelled by Chinese Law to Help with Espionage?, Financial Times, March 5, 2019, https://www.ft.com/content/282f8ca0-3be6-11e9-b72b-2c7f526ca5d0.

[19] Personal Information Protection Law, 2021

[20] ibid., article 40

[21] ibid., article 42

[22] ibid., article 41

[23] Article 6 of People’s Bank of China, Notice by the People’s Bank of China Regarding the Effective Protection of Personal Financial Information by Banking Institutions, 2011

[24] Article 24 of State Council, Regulation on the Administration of Credit Investigation Industry, State Council, 2013

[25] Article 10 of National Health and Family Planning Commission, Administrative Measures for Population Health Information (for Trial Implementation) 2014

[26] Article 27 of China Banking Regulatory Commission, Interim Measures for the Administration of the Business Activities of Online Lending Information Intermediary Institutions, China Banking Regulatory Commission, 2016

[27] Article 34 of State Council, Regulation on Map Management, State Council, 2016

[28] Cybersecurity Authority of China, Measures on the Automotive Data Security Management, 2021

[29] Article 27 of State Council, Interim Measures for the Administration of Online Taxi Booking Business Operations and Services, State Council, 2016

[30] Article 4 of Guiding Opinions on Encouraging and Regulating the Development of Internet Bicycle Rental, State Council, 2021

[31] Yoko Kubota, In the New China, Didi’s Data Becomes a Problem, WSJ, July 18, 2021, https://www.wsj.com/articles/in-the-new-china-didis-data-becomes-a-problem-11626606002.

[32] See European Council, 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection; also European Commission, Proposal for Directive, COM(2020) 829 Final

[33] Hamid Mowlana, Global Information and World Communication: New Frontiers in International Relations, SAGE, 1997; Wenxiang Gong, Information Sovereignty Reviewed, The University of Rhode Island, 2005

[34] Payal Shah, Spotlight on the Emerging Chinese Data Protection Framework: Lessons Learned from the Unprecedented Investigation of Didi Chuxing, Future of Privacy Forum, 2021, https://fpf.org/blog/spotlight-on-the-emerging-chinese-data-protection-framework-lessons-learned-from-the-unprecedented-investigation-of-didi-chuxing/.

[35] Yan Luo, The Future of Data Localization and Cross-border Transfer in China: a Unified Framework or a Patchwork of Requirements?, International Association of Privacy Professionals, June 22, 2021, https://iapp.org/news/a/the-future-of-data-localization-and-cross-border-transfer-in-china-a-unified-framework-or-a-patchwork-of-requirements/.

[36] Kubota, Did’s Data Becomes a Problem.

[37] Financial Times, Didi caught as China and US battle over data, Financial Times, 2021, https://www.ft.com/content/00403ae5-7565-413e-907d-ad46549375ba.

[38] Financial Times, Chinese regulators swoop on Didi offices to conduct security probe, Financial Times, 2021, https://www.ft.com/content/29291c6d-a5e6-4154-bd8d-53ba361f4507.

[39] Jing Yang, Didi Global Plans to Delist From New York Stock Exchange, WSJ, December 3, 2021, https://www.wsj.com/articles/didi-global-plans-to-delist-from-new-york-stock-exchange-11638495158.

[40] Julie Zhu, Didi in Talks with State-backed Westone to Hand over Data Control-sources, Reuters, August 6, 2021, https://www.reuters.com/world/china/exclusive-didi-talks-with-westone-hand-over-data-control-after-ipo-dustup-2021-08-06/.

[41] Bloomberg, City of Beijing Said to Seek Taking Didi Under State Control, Bloomberg, 2021, https://www.bloomberg.com/news/articles/2021-09-03/beijing-s-city-government-seeks-to-take-didi-under-state-control.

[42] Jing Yang, Alibaba, Under Beijing Pressure, Moves to Sell Stake in State-Owned Broadcaster, WSJ, September 24, 2021, https://www.wsj.com/articles/alibaba-under-beijing-pressure-moves-to-sell-stake-in-state-owned-broadcaster-11632474362.

[43] Raymond Zhong, In Sign of Strain, Huawei Will Sell Its Budget Smartphone Brand, Honor, The New York Times, November 17, 2020, https://www.nytimes.com/2020/11/16/business/in-sign-of-strain-huawei-will-sell-its-budget-smartphone-brand-honor.html.

[44] Hindley, Lee-Makiyama, Protectionism Online: Internet Censorship and International Trade Law, ECIPE, 2009.

[45] Ibid.

[46] MEP Eva Kaili to the European Commission, P-004161/2021

[47] State Information Centre, Report on the Development of the Chinese Sharing Economy, State Information Centre, February 2016, http://www.sic.gov.cn/archiver/SIC/UpFile/Files/Htmleditor/201602