
BEIJING, July 21 (TMTPOST) – At 1 pm on Thursday, one statement and one Q&A were posted on the official website of the Cyberspace Administration of China simultaneously, saying that a huge fine was slapped on Didi Global, the dominant player of China’s ride-hailing sector.
The fine of 8.026 billion yuan (about US$1.19 billion) meted out to the company, and of 1 million yuan (about US$147,710) each to Cheng Wei, the firm's Chairman and CEO, and Liu Qing, the firm's President, marked the end of a probe of slightly over 12 months into alleged data security malpractices of the company, which was hastily listed on the New York Stock Exchange in June 2021 and delisted in December 2021.
Didi violated the Internet Security Law, the Data Security Law and the Personal Information Protection Law, according to the statement.
The Internet watchdog said in the Q&A that the probe was launched to “prevent national data security risks, safeguard national security and protect the interest of the public” in July 2021. After an in-depth investigation, the conclusion was that evidence for the violations was clear and solid and the nature of the violations was serious, according to the statement.
In the Q&A, the regulator listed 16 counts of violations in eight aspects. First, Didi illegally collected 11.96 million snapshots from users’ cellphone photo albums; second, it unnecessarily collected information from users’ pasteboards and application lists 8.323 billion times; third, it collected passengers’ face recognition information 107 million times, age range information 53.50 million times, occupation information 16.33 million times and relationship information 13.83 million times. It also excessively collected “home” and “office” information 153 million times. Fourth, it illegally collected information on users’ real-time locations 167 million times. Fifth, it collected information on drivers’ education backgrounds 142,900 times and on drivers’ identification cards 57.8 million times; sixth, it collected the purpose of a passenger’s travel without notifying the passenger 53.97 billion times; seventh, it often demanded the right to access a passenger’s phone number unnecessarily; eighth, it did not provide a clear and accurate explanation of the purpose of collecting information on a user’s devices.
The Q&A also said that the Internet security review found that Didi’s data processing activities had a severe negative effect on national security and that Didi refused to meet explicit requirements of the regulator, pretending to comply while actually dodging supervision. Didi’s malpractices have caused risks to information infrastructure and data critical to national security. Because they concern national security, findings in this regard are not disclosed to the public, according to the statement.
The Q&A emphasized that Didi’s violations were serious. First, the company turned a deaf ear to cybersecurity concerns from the regulator. Second, Didi’s violations dated back to June 2015 and lasted as long as seven years. The company violated the Internet Security Law that came into force in June 2017, the Data Security Law that took effect in September 201 and the Personal Information Protection Law that became effective in November 2021.
The wide range and high frequency of the company’s violations listed by the Internet regulator shocked many netizens. They also wondered whether other companies engaged in similar activities that violate the privacy of application users.
Specter of Incompliance
Didi was founded in June 2014 with capital of 800,000 yuan (about US$114,000) in a computer warehouse in Beijing. Its business model was similar to Uber’s. However, its business expanded faster than Uber’s thanks to the massive China market. In the 12 months to March 2021, Didi had China’s largest ride-hailing platform, with 377 million active users and 13 million drivers. After years of lavishly subsidizing its passengers and drivers with money from deep-pocketed investors such as SoftBank, it forced its rivals to agree to a merger or a takeover. But it still reported net losses of 10.6 billion yuan in 2021 after years in the red.
On June 30, Didi made its debut in the U.S. capital market. However, the debut was quiet, without even a NYSE bell-ringing ceremony. Didi floated a US$4.4 billion initial public offering in New York on June 30, 2021, the second largest U.S. IPO by a Chinese firm ever, behind only Alibaba’s, despite Chinese regulators’ opposition to its public listing plan and concerns over its cybersecurity practices.
Less than 48 hours after the IPO, a review of its cyber security practices was launched. On July 5, Didi’s 25 applications were removed from app stores in China and no new users were allowed to sign up. Regulatory officials visited Didi headquarters in person. As the stock price plunged, Didi was sued by many investors in a few class actions.
Didi’s management, led by Cheng and Liu, hold a 9.78 percent stake. The top three institutional shareholders are SoftBank (20.10%), Uber (11.90%) and Tencent (6.4%).
Didi had faced two options: privatization, or delisting from the U.S. market and listing on the Hong Kong Stock Exchange. It delisted from the U.S. market in December 2021, when its stock price was about half of its issue price. Didi’s failure to comply with regulations was still a major concern to Hong Kong’s regulators as they strove to protect investors. Didi’s compliance was 70% below regulatory standards in China and 95% below regulatory standards in Beijing and Shanghai, according to a research report. Didi’s major rival Dida also faced a similar problem and thus its IPO plan did not go through in Hong Kong.
The hefty fine may not signal a new round of clampdown on tech giants in the face of a slowing economy. After paying the fine, the ride-sharing giant may get its apps back in the app stores, paving the way for its IPO in Hong Kong. The return of Didi's apps to the stores would also mark the first step towards normal operations.










