China's ride-hailing giant Didi fined $1.2b for 16 legal breaches; move ends year-long probe, highlighting data security
Published: Jul 21, 2022 10:30 PM
The headquarters of DiDi in Beijing Photo:VCG

The headquarters of DiDi in Beijing Photo:VCG

China's internet regulator fined ride-hailing giant Didi Global 8.026 billion yuan ($1.2 billion) for 16 legal violations, calling an end to a cybersecurity probe that lasted more than one year and sending a strong signal that will lay the ground for the healthy development of internet-based platform economy. 

The announcement may also mark the beginning of a gradually normalized business climate for Didi, though rectifications are likely to continue for a while, industry observers said.

China's internet regulator, the Cyberspace Administration of China (GAC), said in a statement on Thursday that Didi had committed 16 offenses involving the illegal collection of data from drivers and passengers. 

They included excessive collection of 107 million instances of passengers' facial recognition information, and analysis of 53.976 billion sets of passenger travel intention information without informing the passengers in advance. 

Other illegally collected information included users' ages and occupations, as well as their photos and short messages.

The GAC used strong wording while commenting on the company's violations, saying that Didi's violations were severe and brought "serious risks to national cyberspace security and data security."

"Moreover, even with clear orders from regulatory authorities to right its problems, Didi failed to carry out comprehensive and in-depth rectifications. The nature of the offenses was egregious," the GAC said in a statement. 

Didi CEO Cheng Wei and President Liu Qing were also fined 1 million yuan each by the regulator.

The punishment marks a temporary end to Didi's investigation, Wang Peng, an assistant professor at the Gaoling School of Artificial Intelligence at the Renmin University of China, told the Global Times on Thursday. 

Taking the opportunity, the regulators are hoping to promote the standardization of management, so that platform enterprises can "truly have a sense of data security" and the internet firms are warned "not to endanger public safety and infringe on personal privacy," Wang said.

The Chinese central government's attitude toward the platform economy is "encouraging, supporting and guiding their development," Wang said.

The Political Bureau of the Communist Party of China Central Committee held a meeting in April, pointing out that the platform economy must develop in a healthy way. 

"Rectifications for the platform economy will be completed, regular supervision will be initiated, and specific measures to support the sector's sound growth will be unveiled," officials said at the meeting.

The penalties that Didi faces are not shocking, although the sum fine is huge, Weng Guanxing, a partner at Shanghai-based law firm Wintell & Co, told the Global Times on Thursday.

The fine accounts for approximately 5 percent of Didi's 160.5 billion yuan in domestic business revenues in 2021, compared with the fine previously imposed on e-commerce titan Alibaba Group and delivery giant Meituan, which stood at $2.75 billion and $527 million respectively. The $2.75 billion was about 4 percent of Alibaba's domestic revenue in 2019, while $527 million was roughly 3 percent of Meituan's domestic business revenue in 2020.

A GAC spokesperson said in another statement that the administrative penalties related to the cybersecurity review of Didi this time are different from general administrative penalty. "Didi's violations of laws and regulations are serious, and it should be severely punished following a complete cybersecurity review."

Weng said that regulators could have imposed even higher a penalty. "As to the Cybersecurity Law and Data Security Law, the penalties on the CEO and president of Didi touched the maximum, which is 1 million yuan, but in accordance with the provisions of the Cybersecurity Law and Data Security Law, the fines could be one to 10 times the illegal income, plus forfeiture of such illegal income."

Moreover, the regulator could also order the suspension of Didi's domestic business, revoke its business license, and seek criminal prosecution, if applicable. 

Didi said on its Weibo account on Thursday that it fully accepted the regulator's decision, and it will rectify its wrongdoings, and conduct a comprehensive internal review.

"We will treat this as a warning, and insist on paying equal attention to operational security and corporate development, strengthening the construction of networks and data security, as well as ramping up protection of personal information," Didi said in the statement.

The Thursday fine ruling comes more than a year after authorities initiated a cybersecurity probe into the company, days after it launched a $4.4 billion IPO in New York on June 30, 2021.

The GAC did not mention whether and when some of Didi's apps would be restored and expand its business in China.

"The future direction of Didi's business, including technical architecture and stock listing plans, among other issues, will undergo systematic changes, and now is just the beginning," Wang said.

Didi surges over 6 percent at pink sheets over the counter market as of press time Thursday.