For background information on Didi’s clashes with the government and the cybersecurity investigation it was placed under in July 2021, please check our timeline article.
On July 21st 2022 the Cyberspace Administration of China (CAC) announced that it was giving Didi a RMB 8.02 billion ($1.19 billion) fine, about 4.6% of its $25.7 billion revenue in 2021, for violating three laws:
- Cyber security law: a law implemented in 2017 “with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security.”
- Data security law: a law implemented in September 2021 (2 months after the start of the government’s investigations into Didi) that “governs the creation, use, storage, transfer, and exploitation of data within China.”
- Personal information protection law: a law implemented in November 2021 (4 months after the start of the government’s investigations into Didi) “protecting personal information rights and interests, standardising personal information handling activities, and promoting the rational use of personal information.”
Note that at the time of the announcement of the ‘network security review’ of Didi on July 2nd 2022, the National Security Law and the Cyber Security Law were cited by the CAC as reasons for the investigation. Two days later the CAC put out a second statement that “after testing and verification, the Didi App has been found to have serious problems regarding the illegal and irregular use of personal information collection”.
Didi’s CEO Cheng Wei and President Jean Liu were both held personally responsible and each fined RMB 1 million. According to Pandaily’s sources, Jean Liu will be leaving the company.
Illegal data collection and processing
Bloomberg quoted the CAC as saying: “Our investigation discovered that Didi’s actions on data management severely affected national security. It also neglected to comply with our specific demands and avoided oversight, among other infractions, promising one thing but doing the opposite.”
According to the CAC, Didi had been illegally collecting millions of pieces of user data for 7 years and carried out data processing activities that seriously affected national security. These activities and dangers remain unspecified for reasons of … national security.
In a Q&A the CAC specified 16 types of violations in which Didi illegally collected and processed almost 65 billion pieces of personal data. The CAC summarised these violations into eight aspects (translated by Pekingnology and DigiChina):
- Illegally collecting 11.96 million pieces of screenshot data in the photo albums of users’ smartphones;
- Excessively collecting 8.323 billion pieces of data from users’ clipboards and lists of apps;
- Excessively collecting 107 million pieces of passenger facial recognition data, 53.5092 million pieces of age data, 16.3356 million pieces of occupation data, 1.3829 million pieces of family relationship data, and 153 million pieces of “home” and “company” address data;
- Excessively collecting 167 million pieces of accurate location (latitude and longitude) data when passengers were evaluating substitute driver services, while the app is running in the background, or when the mobile phone is connected to the Orange Vision device;
- Excessively collecting 142,900 pieces of driver’s education data, and storing 57.8 million pieces of driver’s ID number information in plain text;
- Analysing 53.976 billion pieces of information about passengers’ travel intentions, 1.538 billion pieces of data about permanent cities of residence, and 304 million pieces of data about non-permanent business/travel without explicitly informing passengers;
- Frequently asking for irrelevant “telephone permissions” when the passenger was using DiDi’s 顺风车 Hitch service within the app;
- Not giving an accurate or clear explanation in processing 19 types of personal information such as device information.
Most of these offences seem to relate to excessive information gathering and processing and therefore violations according to the Personal Information Protection Law (PIPL) that was implemented in November 2021.
Personally, I think many other Chinese apps violated these same rules, especially prior to the implementation of the PIPL. The Chinese authorities have been known to frequently crack down on apps that gather excessive amounts of data, even before the implementation of the PIPL. As Kendra Schaeffer of Trivium China pointed out on Twitter: “If data over-collection was the real issue, if the CAC wanted to, they could have simply pulled Didi’s apps from app stores for a week and resolved the problem with no investigation and no fine.”
It is expected that Didi will be allowed to have its apps available on Chinese app stores again once these issues have been resolved, but this was not confirmed by the CAC. According to Reuters’ sources, Didi has been making the necessary changes. The apps have been unavailable in app stores for a year, blocking Didi from acquiring new customers. Existing customers were still able to use their already installed apps, though. Nevertheless, according to Quest Mobile, Didi had already lost 20% of its monthly active users to competitors like Cao Cao and T3 by the end of 2021.
So, what’s behind this?
In May 2021, CAC issued draft rules on data collection by carmakers and ride-hailing platforms, requiring them to gain regulatory approval before providing “important and private data” to foreign entities. CAC wrote in the announcement that the rules had been drafted to safeguard national security and the public interest. According to Bloomberg, regulators had urged Didi as early as April 2021 to ensure the security of its data before proceeding with the IPO or to shift the location to Hong Kong or mainland China where disclosure risks would be lower.
I think we can safely assume that the investigation of Didi was triggered by Didi’s disregard of this request and its listing on a foreign exchange while authorities had asked it to wait. Didi has been turned into an example of the risks of such blatant disregard of the authorities. Didi thought they could get away with it, but they didn’t.
A worry of the government was the potential data transfer that a foreign IPO might require, now or in the future. Following scandals like the one with Luckin Coffee, there have been calls from the US Securities and Exchange Commission for China to provide more openness for audits by American officials of Chinese companies listed on US stock exchanges. It’s unclear how serious data disclosure risks are in such audits, but shortly after the start of the Didi investigation a Chinese law was implemented requiring companies with more than 1 million users to go through a cybersecurity review before listing abroad.
Although in my opinion it was not the primary reason for the crackdown on Didi, looking at the data the ride-hailing company was collecting I can’t help but think of an anecdote from Lulu Chen’s new book Influence Empire. During a conversation about a possible investment by Tencent into Didi, Didi’s CEO Cheng Wei was asked what was making his business successful. Unlike the other candidates in the market, who would mention getting drivers to join or their marketing activities, Cheng had answered that the key to Didi’s success was algorithms. And we all know what good algorithms need, right?