China’s cybersecurity regulator has fined the Didi Global juggernaut $1.2 billion after a year-long investigation, saying it violated data security and personal information protection laws.
The regulator also said there were “serious security risks” in Didi’s data handling methods, which would not be detailed as they related to national security.
“The evidence is conclusive,” the regulator said in a statement posted online. “The circumstances are grave, the nature is immoral, and the punishment should be severe.”
China’s Didi to drop from US roster just months after rideshare firm’s $4.4 billion bid
In addition to the fines imposed on the company, Didi chairman Cheng Wei and chairman Jean Liu were each fined $148,000. Didi released a statement on Thursday saying he accepted the ruling and would strengthen his privacy protections, while stopping short of apologizing to customers or sharing details about the changes he would make.
“We sincerely thank the relevant authorities for their inspection and guidance, and the public for their criticism and oversight,” Didi said.
The crackdown on Didi reflects Beijing’s concern over the vast amounts of personal data that internet companies collect and the risk that they could leak overseas and harm national security. Other Chinese internet giants have also come under official scrutiny, including Alibaba’s Ant Group, whose record IPO plans were abruptly scrapped in 2020.
Duncan Clark, chairman of Beijing-based consultancy BDA China, said Didi executives likely got caught up in “their own reality-distorting field” thinking they could push the envelope as l one of the country’s star start-ups. He said Didi had defied the government, including pushing forward his registration abroad.
“Didi was clearly inspired by Uber, which ended up being an investor,” he said. “So there was a Chinese equivalent in play here, doing things first and asking for forgiveness, not asking for permission.”
Analysts say Chinese officials are concerned that in Didi’s case, sensitive locations and personal information of important individuals could be leaked from his databases.
Such concerns are not unfounded. Earlier this month, hackers claimed to have hacked into a Shanghai police database containing the personal data of a billion people, in what is believed to be one of the biggest such exposures in history. if confirmed. The anonymous poster claimed the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Alibaba did not immediately respond to a request for comment.
In China, escalating business costs send some companies to the exit
China’s Personal Information Protection Law also came into effect in November, strengthening Chinese consumers’ rights against excessive corporate tracking.
Trouble started for Didi a year ago. Just days after the company went public on the New York Stock Exchange, China’s Cyberspace Administration announced an investigation, saying the company “illegally collected and used users’ personal information.” The regulator has ordered Didi’s carpooling app removed from Chinese app stores. Existing users could continue to use the app, but the move torpedoed the company’s growth prospects.
Shares in Didi’s U.S. custodian closed at $3.49 on Wednesday, after falling 79% from its opening price on the day of its listing. The company offers a ride-sharing platform similar to that of Uber, except that passengers can also use it to book regular taxis.
Didi investors voted in May to delist from the New York Stock Exchange, hoping a return home would help appease regulators in Beijing.
In its statement on Thursday, China’s Cyberspace Administration said Didi had illegally processed 64.7 billion pieces of personal information since its first breach in 2015. This included users’ age group information, home addresses , locations, driver training and other data.