Didi Ride-Sharing App Suspended by China Over Violation of Data Protection Rules

While the rest of the world tends to think of China as a place where there is no personal privacy while online, the country’s government has spent the past year getting very serious about cracking down on companies that collect too much user data. Popular ride-sharing app Didi is the latest target, suspended from app stores for violating the country’s data protection rules until it makes changes to its user data collection processes.

Didi received the suspension order from the Cyberspace Administration of China (CAC), which did not release any public details about exactly how the data protection rules were violated. Didi has removed its app from app stores and has stopped taking on new users as it makes the required changes. This includes the “light version” apps found on Alipay and WeChat.

China takes swift and harsh action in response to violations of data protection rules

The CAC has ordered the country’s app stores to keep Didi out of their listings until the company addresses the issues. The app continues to function in the meantime for those who have already downloaded it; Didi provides an estimated 20 million rides across the country each day. With an active user base of hundreds of millions, it is the largest rideshare app in China.

The ruling comes just after Didi had raised $4.4 billion in an initial public offering and four days after it began trading on the New York Stock Exchange. The CAC’s stated reason for opening the investigation was “national security and the public interest,” but the timing tracks with a general pattern of special regulatory attention being paid to tech platforms that accrue enough of a user base and wealth to be a potential problem for the government. Immediately following the Didi announcement, the CAC also announced that it was taking similar suspension measures under the new data protection rules against two apps that had listed for trading in the US in recent weeks: Full Truck Alliance, a rideshare specifically for trucks, and job listing site Boss Zhipin.

Though the CAC did not get specific about how the data protection rules were violated, Didi is known to collect a wide range of real-time mobility data from users (such as information used for real-time traffic analysis). The company had updated its data privacy policy on June 29, just before it began trading publicly, but characterized the update as a routine adjustment as it added two new chauffeur services.

This is not the first collision Didi has had with Chinese regulators. The company was previously probed due to concerns that it might be storing user and road data on servers outside of China, something not allowed by current data protection rules in the country. Didi was founded in 2012 and became an almost immediate success (with substantial backing from tech giant Tencent); antitrust concerns were soon raised as it bought out competitors, culminating in the 2016 acquisition of Uber China. The company ran into additional trouble in 2018 when two different passengers were murdered by drivers in the Hitch social carpooling service. Part of its safety response to these incidents was to launch the “Red Flag Steering Wheel” program, which indicates which drivers are members of the governing Chinese Communist Party (CCP), and to onboard an additional 1,000 CCP members.

China’s new data security law and crackdown on Big Tech

China’s tech platforms face even harsher penalties under the new Data Security Law, which will be fully implemented as of September 1. The new data protection rules allow the government to levy harsh fines or even force firms to shut down if they fail to comply with an issue that involves national security. The government has broadly tied the category of “important data,” which includes various types of customer personal information, to national security concerns. In addition to suspension of business licenses, Chinese companies can be fined up to the equivalent of $1,560,000 for each violation. Some believe China’s crackdown on its homegrown tech firms can be traced back to Alibaba founder Jack Ma’s invective against the government’s regulatory system last year, which came as fintech platform Ant Group made its IPO.

In the United States, investors are incensed at the move, which caused an immediate 20% drop in value. They believe it to have been timed by the government to fall specifically after Didi already had the cash of US investors in hand, and some are calling for the Securities and Exchange Commission to follow through on plans to require US-listed Chinese firms to fully comply with auditing policies. Two lawsuits have been filed in New York and Los Angeles, claiming that Didi failed to disclose to investors related talks it was having with Chinese regulators; the suits also name Didi’s lead underwriters, including Goldman Sachs and Morgan Stanley. According to insider sources cited by Bloomberg, the Chinese government had warned Didi of concerns about the new data protection rules and asked it to delay its public offering as long as three months ago.