China has fined Didi Global 8.026 billion yuan (almost $1.2 billion), in one of the largest regulatory penalties imposed on a Chinese technology company, after a year-long probe into the ride-hailing giant.
Didi severely violated China’s data collection laws by illegally collecting millions of pieces of user information over seven years starting June 2015. It had carried out data processing activities that “seriously affected national security,” the Cyberspace Administration of China (CAC) said in a statement on Thursday.
The cybersecurity regulator said Didi had “maliciously evaded supervision” and that its probe had revealed “conclusive” evidence of the company’s violations of three separate laws related to data security, Internet security and personal data protection.
It fined Didi 8.026 billion yuan and, in an unusual move, hit its founder and chief executive Cheng Wei and president Jean Liu with additional penalties of 1 million yuan (almost $150,000) each as they were considered to be ultimately responsible for the violations.
The large-ticket fine, which represents about 4.6% of Didi’s $25.7-billion revenue in 2021, concluded a probe that forced the Chinese ride-hailing leader to delist from the New York stock exchange (NYSE) less than one year of its debut. It came as part of Beijing’s sweeping regulatory crackdown on the tech sector that started back in late 2020 when the regulator halted Ant Group’s plan of floating the world’s largest initial public offering at $34.5 billion.
The heavy penalties “have underscored Didi’s once freewheeling and rather aggressive data collection approach amid its development in the early days,” Hu Xijin, a prolific commentator who previously served as the editor-in-chief at the Communist Party tabloid Global Times, wrote in a social media post.
“The way that Internet companies collect user data should be minimised to only information critical to their business operations. Didi’s pursuit of maximising its database is not only against the laws but also against business ethics, imposing great risks to the interests of its clients,” said Hu. “This practice of collecting user information with no limit can also be seen among other Internet companies in varying degrees.”
The CAC also disclosed details of Didi’s infractions not deemed sensitive for national security, including illegally collecting close to 12 million screenshots from users’ photo albums. It also highlighted an excessive collection of personal information, including facial data, age, occupation and family relation, among others.
“The circumstances are serious, and the nature is vile,” said the regulator.
Didi said in a social media post that it “sincerely accepted” the penalties and would conduct comprehensive self-examination and rectification to comply with the regulations.
“Data privacy and control will continue to trend in importance, regardless of company size. It is clear proof that no company is too big to escape the eye and wrath of regulators at this stage,” said Benjamin Harris, CEO of Singapore-headquartered cybersecurity startup watchTowr. He added that regulators elsewhere will also continue to take cybersecurity seriously.
Didi’s fine is less than the record $2.75 billion levied on e-commerce empire Alibaba Group for antitrust violations last year but more than the $527-million fine on the country’s food delivery firm Meituan. Alibaba’s fine was about 4% of its 2019 domestic sales while Meituan’s was equivalent to 3% of its 2020 domestic sales.
Take a breather
The long-awaited decision on Didi is expected to help remove some of the regulatory uncertainty that at one point wiped more than 80% of its market value in a major setback for investors, including its largest shareholder SoftBank’s Vision Fund as well as US peer Uber Technologies.
“What should be brought to our attention is that despite being a large-ticket fine, the penalty is not fatal to Didi. There is a wide-spreading expectation that Didi will soon get approval to relaunch its app,” said Hu.
“It means that recognition is taking shape among the public. That is: the key reason for the government to rectify and regulate the operations of Internet companies is to make sure that they can continue developing and creating new growth records on the basis of complying with the laws and regulations.”
While the worst may have passed for Didi, industry observers also expect tech companies in China to take a breather this year as Beijing seeks to stabilise and revive its virus-ridden economy amid global inflation.
Early this year, Didi was reportedly in conversations about the possibility of launching an IPO in Hong Kong in the second quarter of this year. But its relisting plan was put on hold indefinitely after failing to win approval from Chinese regulators, said sources cited by Hong Kong’s media outlet South China Morning Post. The sources said Didi had been notified that its relisting plan would not receive a green light until it makes sufficient “rectifications” in accordance with the probe conducted by China’s regulator.
The authority began investigating Didi’s business shortly after its $4.4-billion New York debut on June 30, 2021. It also ordered app stores to remove about two dozen apps operated by Didi and demanded the company stop onboarding new users, citing national security and public interest.
By the time of its delisting in June, Didi’s stock had lost over 80% from a valuation of up to $80 billion on the day of its US IPO.