
China Fines Leading Ride Hailing App Didi $1.2 Billion in Ruling That Clarifies Violations of Data Laws

Ride hailing giant Didi’s exile into the wilderness appears to be ending, and the Chinese government’s harsh wave of regulatory crackdowns has taken sharper focus, as the investigation has concluded and a fine of $1.2 billion has been announced.

Didi was accused of violating China’s data laws last year, but the government revealed little in the way of details about what it had actually done. The crackdown on the ride hailing app came shortly after it listed on the New York Stock Exchange, with other Chinese companies in the same situation receiving a similarly harsh response from the government.

Chinese government makes example of ride hailing app with massive fine

China has fined other companies as much as $2.8 billion for antitrust violations as part of its wave of crackdowns on tech firms in recent years, but this is the largest fine yet for breach of its data laws. Didi is the leading app-based ride hailing service in China, remaining in this position in spite of being forced out of app store listings for a year; existing customers were able to continue using the app during this time, but the company was unable to sign up new customers.

The crackdown is nominally about data privacy, but it is widely believed that the Chinese government is also concerned about the growing power of big tech platforms to rival its own influence. Over the past two years it has put a special emphasis on companies that make public offerings overseas, pressuring them to return to Beijing or Hong Kong with their listings.

The Cyberspace Administration of China (CAC) announcement of the fine was accompanied by more concrete details about the ride hailing giant’s violation of data laws. The agency said that Didi had stored some 57 million driver identification numbers without encryption, collected 12 million images from user phones that contained pictures and personal information, and had analyzed customer travel records without providing users with required notification. The CAC said these offenses dated back to 2015. In addition to the massive fine placed on the company, Didi founder Cheng Wei and president Jean Liu were found personally responsible and each fined an additional $150,000.

The government has not yet made an announcement about allowing the ride hailing service to return to app stores, but it is generally expected once the company makes payment arrangements. However, the pronouncement that Didi had put the “security of the country’s key information infrastructure” at risk caused some government supporters on platforms such as Weibo to call for even harsher punishments for the company. Inside sources at the company had previously told Reuters reporters that they were in the midst of an application process to have the app returned to app stores and that all of the company’s apps were being updated to ensure compliance with the data laws.

Message sent to big tech: No company is above China’s data laws

Analysts believe that this and other recent moves signal an end to the worst of the Chinese government’s crackdowns on its domestic big tech companies, as the message has now been clearly sent: respect the data laws to the fullest, don’t challenge the government’s authority, and no overseas IPOs without express permission granted in advance. A general economic slump brought on by the Covid-19 pandemic is also thought to be playing a role in the government’s level of regulatory intervention.

China’s Personal Information Protection Law (PIPL) came into effect in late 2021 and provides for maximum penalties of up to 5% of the annual revenue of companies that violate data laws. Fines during this campaign against big tech have tracked close to this maximum, but not quite at it. The ride hailing outfit was hit with the largest thus far by this measure, paying about 4.6% of its revenue. Alibaba, which paid $2.8 billion in an antitrust decision last year, paid 4%. Meituan, a major food delivery service comparable to Doordash, paid about 3% with a $530 million 2021 fine.

While Didi has remained the most widely-used ride hailing app over the past year, it has lost substantial market share to competitors that moved aggressively to take advantage of the situation. And after seeing its initial IPO price drop by 80% after it was delisted, Didi pulled the listing from New York and announced plans to list in Hong Kong earlier this year, which have been on hold pending the outcome of this investigation. The company took a $4.7 billion loss in the third quarter of 2021, the first in which it was unable to onboard new users, and has seen an overall revenue drop of 1.7% since the incident began.

While the Chinese government may have had additional reasons for this campaign, the country’s domestic tech firms did play very fast and loose with user data during their rapid rise.

Ilia Kolochenko, Founder/CEO and Chief Architect at ImmuniWeb, notes that this decision indicates that China has gotten very serious about the data privacy of individuals and will not hesitate to levy major penalties under its data laws: “This case tellingly illustrates that governments all around the globe finally start taking data protection and privacy seriously. This trend is clearly visible not only in developed Western countries, which set the tone with GDPR back in 2016, but in many developing countries in Latin America, Africa and Asia. Importantly, the growing number of regulations increasingly impose personal liability upon corporate executives for a failure to implement and supervise an adequate data protection strategy at their company. We shall expect higher fines both for non-compliant companies and their executives, whilst the latter will not necessarily be covered by corporate insurance due to the novelty of the issue. Ongoing risk and threats assessment, privacy impact audits and implementation of a systemized, risk-based and process-driven data protection strategy is the only way for executives to avoid facing harsh monetary penalties or even a personal bankruptcy.”