China’s cybersecurity regulator fined ride-hailing juggernaut Didi Global $1.2 billion after a year-long probe, saying it had violated laws on data security and the protection of personal information.
The regulator also said there were “severe security risks” in Didi’s data-processing methods, which would not be detailed because they related to national security.
“The evidence is conclusive,” the regulator said in a statement published online. “The circumstances are serious, the nature is immoral, and the punishment should be severe.”
In addition to the fines on the company, Didi’s chairman, Cheng Wei, and president, Jean Liu, were each fined $148,000. Didi issued a statement Thursday saying it accepted the judgment and would strengthen its protection of personal information, while stopping short of apologizing to customers or sharing details on what changes it would make.
“We sincerely thank the competent authorities for their inspection and guidance, and the public for their criticism and supervision,” Didi said.
The crackdown on Didi reflects Beijing’s alarm at the vast troves of personal data that internet companies are gathering, and the risk that they could leak overseas and undermine national security. Other Chinese internet giants have also come under official scrutiny, including Alibaba’s Ant Group, whose plans for a record IPO were abruptly canceled in 2020.
Duncan Clark, chairman of Beijing-based consultancy BDA China, said Didi’s executives probably got caught in “their own reality distortion field” in thinking they could push the envelope as one of the country’s start-up stars. He said Didi had challenged the government, including pushing forward with its overseas listing.
“Didi was clearly inspired by Uber, which ended up being an investor,” he said. “So there was a Chinese equivalent at play here, doing things first and asking for forgiveness, not asking for permission.”
Analysts say Chinese officials have been concerned that in Didi’s case, sensitive locations and personal information of important individuals could be leaked from its databases.
Such concerns are not without basis. Earlier this month, hackers claimed to have breached a Shanghai police database containing personal data of 1 billion people, which would be one of the largest such exposures in history if confirmed. The unnamed poster claimed the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Alibaba did not immediately respond to a request for comment.
China’s personal information protection law also went into effect in November, shoring up the rights of Chinese consumers against excessive corporate tracking.
The trouble began for Didi a year ago. Just days after the company’s IPO on the New York Stock Exchange, China’s cyberspace administration announced a probe, saying the company “illegally collected and used users’ personal information.” The regulator ordered Didi’s ride-hailing app to be removed from Chinese app stores. Existing users could continue using the app, but the move torpedoed the company’s prospects for growth.
Didi’s American depositary shares closed at $3.49 on Wednesday, having slumped 79 percent from its opening price on its listing day. The company offers a ride-sharing platform similar to Uber’s, with the difference that riders can also use it to book regular taxis.
Didi’s investors voted in May to delist from the New York Stock Exchange, in hopes that a return home would help mollify Beijing regulators.
In its statement Thursday, China’s Cyberspace Administration said Didi had illegally processed 64.7 billion pieces of personal information since its first violation in 2015. This included users’ age group information, home addresses, locations, driver education and other data.