In July 2021 Didi clashed with various regulators of the Chinese government. This wasn’t the first time, although it is the most severe case, with the government starting a cybersecurity review for the first time ever. This timeline summarizes some milestones in Didi’s development and moments it ran into the government. It also gives a detailed analyses of recent happenings, taken from various sources. Did we miss anything important? Please let us know.
The early years
March 2009 – Uber Technologies Inc. is founded in the USA.
September 2010 – Yongche, the first Chinese Uber clone, launched service. (source)
June 2012 – Didi Dache is founded.
August 2012 – Kuaidi Dache is founded,
Late 2012/Early 2013 – A dozen of taxi apps emerged between late 2011 and early 2012, including Yaoyao Zhaoche, Dache Xiaomi (developed by Yongche), Anyimob, Easy Taxi, and Didi Dache. In order to grab larger market share in a crowded market, taxi app companies competed by paying hefty subsidies to users and taxi drivers. For the sake of market share, none of the taxi apps was taking transaction-based commission or any other fees. (source)
May 2013 – Kuaidi Dache starts a cooperation with mobile payment app Alipay. (source) Government bans bidding feature in taxi apps, which allowed users to offer tips upfront to win a cab in peak hours. (source)
August 2013 – The government officially recognises four taxi apps, among which Didi. (source)
November 2013 – Kuaidi acquires fourth largest taxi app Dahuangfeng. (source) In the second half of 2013, few taxi apps can sustain the staggering money burning speed. Two bellwethers of the industry Didi Dache and Kuaidi Dache survived. (source)
Jan 2014 – Didi gets added to Tencent’s WeChat app. (source)
February 2014 – Uber China launched. Unlike Didi and Kuaidi, which started as taxi-hailing apps, Uber China introduced luxury car services.
December 2014 – Baidu invests in Uber China. Internet giants Alibaba and Tencent were already backing taxi-apps Kuaidi Dache and Didi Dache respectively. (source)
February 2015 – Under pressure from investors, Didi Dache and Kuaidi Dache merge to become Didi Kuaidi, later renamed to Didi Chuxing. (source) In 2015 Didi added other features to complement its basic taxi-calling function such as new premium vehicle services, functions for carpool and designated driver transportation modes. (source)
July 2015 – Chinese state news agency Xinhua collaborated with Didi’s big data analytics department on a report focusing on commuting patterns of state staff working for different Chinese ministries. (source) This has recently been mentioned by media as an early example of the sensitivity of Didi’s data gathering.
September 2015 – Didi Kuaidi had obtained 80% market share in private car hailing services and 99% of the taxis market share. (source)
August 2016 – Didi, which has 87% market share, acquires Uber China, which was losing $1 billion per year in the discount war with Didi. Uber gets a stake of 17,5% in the new combined company. Didi also made a $1 billion investment in Uber Global. (source) The Ministry of Commerce and was still investigating anti-competitive implications longer after the limit of 180 days in the anti-trust law.
September 2016 – Didi didn’t apply for antitrust clearance for the Uber merger since it claimed it was not required to do so since the two companies that merged were earning less annual revenue than China’s anti-trust law’s threshold of 10 billion yuan ($1.5 billion). (source) China’s Ministry of Commerce didn’t accept that interpretation and launched an investigation into Didi’s acquisition of Uber. (source) The Ministry of Commerce was still investigating anti-competitive implications long after the limit of 180 days mentioned in the anti-trust law.
December 2016 – New requirements for ride-hailing are implemented in Beijing and Shanghai. Drivers on the ride-sharing platforms must have a local residency registration (hukou). Cars must meet certain engine and wheelbase size standards and must be registered locally, barring many of the existing cars that registered in other provinces. Didi’s estimate showed that this requirement will slash more than half of its drivers in Beijing and forces out an overwhelming majority of Shanghai drivers from the platform. (source)
June 2017 – China’s Cybersecurity Law commenced. It gives the Cybersecurity Administration of China (CAC) the power to launch a ‘cybersecurity review’. According to the law and later 2020 implementation measures, the review system focuses on operators of ‘critical information infrastructure’ and their purchases of “network products and services that might impact national security.’ The Cybersecurity Law, along with landmark laws on privacy and data security, is part of an ongoing effort to regulate the use of personal data by companies in China. Cross-border data transfers are a focus of these laws, but they also require companies to implement best practices for collecting and storing data. (source)
April 1 2018 – A WeChat article accusing DiDi of ignoring sexual harassment claims goes viral. (source)
May 6 2018 – A female Didi’s carpooling service Didi Hitch user is killed by her driver. (source) The Didi Hitch app let drivers view the detail information about the passenger, including the age, profession, profile photo, and gender of the person requesting the ride, and the number of passengers who will be riding along. Other than the profile, the driver could also see the passenger’s ‘review section’, which can often be spammed with inappropriate comments regarding the passenger’s body and looks. (source)
May 11 2018 – Didi takes Hitch down for “rectification”. (source)
May 16 2018 – Didi suspends night-time road sharing service. (source)
May 23 2018 – Didi is rumored to be planning an IPO in Hong Kong in the second half of 2018 earliest. (source)
June 15 2018 – Didi resumes part of its night-time Hitch services allowing drivers picking up same-sex passengers only. (source)
August 24 2018 – Another female user of Didi Hitch was murdered by her driver. Didi suspended its Hitch service again. The company admitted fault on their part saying, “Our investigation found that the driver account belongs to the suspect’s father who has passed the full verification process, criminal background screening, the facial recognition before taking the first order, and other security measures. The suspect borrowed his parent’s account to take orders in violation of terms of our services.” The night safety mechanism was defective. The night mode face recognition was not triggered before the driver took the order.” In addition, before the incident, the passenger filed a complaint of sexual harassment against the driver, but the customer service failed to reach the suspect after five attempts. (source)
“These two vicious incidents that have violated the life and safety of passengers has exposed the gaping operational loopholes of the Didi Chuxing platform,” the Ministry of Transport said in a statement, ordering the ride-hailing company to improve its driver vetting and education process among other demands. (source)
Over the previous four years, at least 50 sexual harassment and assault incidents by Didi drivers were reported by local media and relevant authorities. Of the 50 drivers involved, at least 3 had previous criminal records, but still managed to pass Didi’s driver identity check procedure. (source)
August 27 2018 – Didi was summoned by local authorities in Chongqing, Guangzhou, Shenzhen, Dongguan, Wuhan, Guiyang, and Haikou, following earlier meetings demanded by Beijing, Tianjin, and Nanjing. (source)
September 2018 – The Shanghai Municipal Transportation Commission accused Didi of being uncooperative when requested to provide more information after finding inconsistencies between vehicle and driver data on paper materials from Didi and data uploaded to supervision platforms. (source) The Ministry of Transportation openly pointed out that the Didi Uber China merger could be a monopoly. A possible reason for a delayed investigation semmed to be the absence of proper legal definition of ride-hailing in China, allowing existing legal frameworks to come up with fair and lawful judgement. (source) An investigation into Didi Hitch uncovered “a wide array of problems including monopolistic behavior, some illegal operations, weak emergency management, practices that posed dangers to social stability and public safety, and insufficient protection of personal information by Hitch (..)”. (source) Didi temporarily suspends late-night services again. (source)
November 2018 – China’s Ministry of Transport claimed Didi had “lost control” of its drivers and vehicles after a series of safety issues. It said Didi’s carpool service Hitch lacked adequate safety measures, which could result in significant hazards. The ministry vowed to fine Didi executives. (source)
November 16 2018 – Beijing once again announced an investigation into the merger between Didi Chuxing and Uber China regarding potential monopoly charges. (source)
December 2018 – Didi said it will over time remove drivers and vehicles that do not meet the company’s safety requirements, the latest in a series of safety measures following an investigation by China’s transportation authority. (source)
January 2019 – Didi announced it dismissed more than 80 employees in 2018 after its compliance staff found more than 60 cases of internal corruption. The employees were laid off for alleged “severe violations” of the firm’s rules, which involved cases of fraud, bribes, or information security breaches. (source)
June 2019 – A Didi driver flees to avoid the police, injuring three pedestrians and a police officer. Shanghai police determined that the driver was not eligible to work for the ride-hailing service in Shanghai, which requires a Shanghai identification card. Didi was fined RMB 100,000 (around $14,400) for slack management. (source)
August 2019 – Didi was ordered to pay fines totaling RMB 5.5 million ($780,000) for failing to weed out unqualified drivers on its platform in Shanghai. Authorities found that as many as eight out of ten locally registered Didi drivers failed to meet regulatory standards in a series of spot checks in July. The crackdown resulted in the number of Didi vehicles in circulation in Shanghai falling by around one-sixth from 120,000 in June to less than 100,000. Didi pledged to remove around one-third of its registered drivers in the city to comply fully. (source)
November 2019 – Didi resumes operations of its carpooling service Hitch in a limited number of cities and limited times and distances. (source)
December 2019 -Didi Chuxing pilots mandatory audio recording as a safety feature during long rides on its Hitch service. (source) The owner of a car fleet company attempted to commit suicide. In his suicide note, he blamed Didi for putting his company out of business. The note called Didi out for their monopolistic practices and especially their use of unlicensed cars. (source)
March 2020 – Didi resumed limited nighttime operations of its carpooling service Hitch in some cities across China, while implementing stricter identity checks for drivers and passengers. (source)
Towards the IPO
July 2020 – Didi is in the early stages of preparation for an initial public offering in Hong Kong. (source)
October 2020 – Reuters reports that Didi is considering listing in Hong Kong in 2021.
Late 2020 – Didi begins discussing IPO plans with its bankers at Goldman Sachs Group Inc., Morgan Stanley and JPMorgan Chase & Co. The company weighed whether to go public in Hong Kong or the U.S., and was seeking a valuation of as much as $100 billion. (source)
December 2 2020 – The U.S. House of Representatives unanimously approved a bill that would ban trading in shares of foreign companies whose audit papers aren’t inspected by U.S. regulators for three consecutive years. The measure passed the Senate in May 2021. (source)
December 24 2020 – Chinese transport minister Li Xiaopeng pledges to ramp up antitrust enforcement as one of the ministry’s priorities in 2021. The head of Chinese transport watchdog made the comment a month after the release of the draft anti-monopoly guidelines targeting the country’s big tech companies by the State Administration for Market Regulation (SAMR). (source)
December 2020 – Didi got sued by the Taxi Association (composed of 50+ relevant corporations) for violating anti-monopoly; abusing its market power to unnaturally depress ride hailing prices. (Source: Tech Buzz China Insider)
March 3 2021 – SAMR fined Chengxin Youxuan, Didi’s community group-buying platform, 1.5 million yuan ($233,656) along with another four firms, citing “improper pricing behavior.” (source) The companies leveraged their capital advantage to compete for market share by selling products at prices lower than cost. (source)
End of March/Early April 2021 – Didi homes in on the U.S. for its IPO because the listing rules were more amenable and the company expected a better valuation from investors familiar with its American counterpart, Uber Technologies Inc. The Hong Kong exchange also questioned Didi’s compliance with Chinese regulations. It didn’t have licenses to operate in certain cities and many of its drivers lacked a household registration, or hukou, for the cities where they lived, part of municipal requirements for providing on-demand ride-hailing services there. (source) Complying with rules across all of China’s provinces and municipalities would have been difficult for Didi. The Hong Kong exchange offered a compromise: stripping the noncompliant businesses and listing the rest, one of the people said. Unwilling to make the concessions, Didi decided to head to New York. (source)
March 12, 2021 – SAMR fines a subsidiary of Didi RMB 500,000 ($77,400) for failing to seek antitrust clearance for the establishment of a joint venture with Softbank. (source)
March 30 2021 – Didi spins of it’s lossmaking community group buying business. (Source: Tech Buzz China Insider)
April 2021 – Regulators expressed concerns about Didi’s data security practices since at least April. Regulators urged Didi to ensure the security of its data before proceeding with the IPO or to shift the location to Hong Kong or mainland China where disclosure risks would be lower (..). Regulators didn’t explicitly forbid the company from going public in the U.S., but they felt certain Didi understood the official instructions, they said. (source) At the time there was no formal approval process for Chinese companies listing overseas.
April 2021 – Didi and more than 30 other Chinese internet companies met with regulators, including the SAMR. The regulators asked the companies to conduct a “self-inspection” and submit compliance commitments. The companies were asked to identify and correct possible violations of antimonopoly, anti-unfair competition, tax and other related laws and regulations. (source)
April 30 2021 – Didi is again ordered to pay a RMB 500,000 penalty after insufficiently disclosing three acquisitions and investments for antitrust reviews, including a takeover of a Shenzhen-based car rental firm. (source)
May 12 2021 – CAC issues new draft rules on data collection applying to both carmakers and ride-hailing platforms, stipulating that companies need to gain regulatory approval before providing “important and private data” to foreign entities. Coming after growing concerns about vehicle cameras and where the car data is going, CAC writes in the announcement that the rules have been drafted to safeguard national security and the public interest. (source)
May 14 2021 – Didi, Meituan and other on-demand transport companies are warned by the Ministry of Transport of violations ranging from monopolistic practices (unfair pricing and monopolizing freight data) to poor treatment of workers. (source)
June 10 2021 – Didi files their prospectus for IPO. According to the document China mobility is 93% of revenue, international 2% and other businesses (including bike sharing and community group buying) 5%. In China mobility 97% of gross revenue comes from ride hailing, which breaks down in Didi Taxi, Didi Express (ride-hailing), Didi Premier and Didi Hitch (carpooling). (Source: Tech Buzz China Insider) The prospectus includes the following text: “(..) the PRC legal system is based, in part, on government policies and internal rules, some of which are not published in a timely manner, or at all, but which may have retroactive effect. As a result, we may not always be aware of any potential violation of these policies and rules.”
June 16 2021 – SAMR is investigating Didi on suspicion of anti-competitive practices. Regulators are also investigating whether Didi used anti-competitive practices to squeeze out smaller rivals, and whether Didi manipulated the price of rides. (source) Didi had acknowledged that it had just completed a one-month self-inspection to correct monopolistic practices, along with dozens of other companies, as required by regulators, in its IPO prospectus. (source)
June 28 2021 – Didi gives the green light for the IPO. Didi told its bankers it was allowed to go public provided the company keep a very low profile, (..) adding that the bookrunners were told by the company there would be no press release to announce the IPO. Didi didn’t even publicize to its own employees its impending New York listing — a landmark for the still-young company — until the last minute. Near midnight on June 30, the company posted an announcement on an internal forum (..). (source)
June 30 2021 – Didi accelerated its IPO from July 2nd to June 30, ignoring the request of the CAC. Some people suspect that it has used the diverted attention to the celebrations of the 100th anniversary of the CCP. (Source: Tech Buzz China Insider) Others claimed Didi may have rushed its IPO out before China unveiled a new web security law, which could have hurt its valuation. (source) Didi priced its IPO at $14 and sold $4.4 billion worth of stock.
July 2 2021 – Cyberspace Administration of China (CAC) announced that In order to prevent national data security risks, maintain national security and protect public interests it would implement a network security review of Didi. The basis of the review was the National Security Law and the Cyber Security Law (the new Data Security Law and Personal Information Protection Law have not come into effect yet). In order to cooperate with the network security review and to prevent the expansion of risk, during the review period Didi is ordered to stop all new user registration. (Source: Tech Buzz China Insider)
July 4 2021 – Cyberspace Administration of China (CAC) puts out a second statement that “after testing and verification, the Didi App has been found to have serious problems regarding the illegal and irregular use of personal information collection”. Based on the Cyber Security Law the CAC ordered Didi’s apps to be taken down from app stores, an order that is not uncommon for the CAC to pressure companies to rectify issues. Didi was asked to “act in strict accordance with the legal requirements, with reference to the relevant national standards, seriously rectify existing problems, and effectively protect the security of personal information of users.” (Source: Tech Buzz China Insider)
July 5 2021 – The CAC announced that it also launched cybersecurity investigations into three other companies that recently debuted on US stock exchanges and asked them to stop registering new users. Job recruitment platform Boss ZhiPin debuted on Nasdaq under Kanzhun, a Tencent-backed company, on June 11. Partner transport companies Huo Chebang and Yun Manman went public together on the New York Stock Exchange on June 22 as a single company called Full Truck Alliance. (source)
July 8 2021 – China’s market regulator fined a number of internet companies including Didi Chuxing, Tencent and Alibaba for failing to report earlier merger and acquisition deals for approval, according to a statement on the website of the SAMR. The regulator fined the companies 500,000 yuan each case citing the country’s anti-monopoly laws. Subsidiaries of Didi are involved with 8 of the 22 deals. In one of the cases, Didi established a joint venture company with China FAW Group Corporation (SASACJ.UL) in 2018, without reporting the deal for antitrust reviews before the new company’s registration. (source)
July 9 2021 – Chinese authorities ordered all app stores in China to remove 25 apps owned and operated by DiDi, including Didi Chuxing Enterprise Edition, Uber China, and D-Chat. (source)
July 10 2021 – The CAC proposed to revise the Measures for Cybersecurity Review, a regulation that came into effect in June 2020, adding a new article on overseas IPOs. One key purpose for overseas IPO reviews is to control the risk of companies exporting “core” and “important” data, or being “influenced, controlled, or abused” by foreign governments during the listing process, according to the draft provision. (source) The CAC announced that companies holding data on more than 1 million users must now apply for cybersecurity approval when seeking listings in other nations because of the risk that such data and personal information could be “affected, controlled, and maliciously exploited by foreign governments. Regulators are also considering requiring VIEs (Variable Interest Entities) like Alibaba that have already gone public to seek approval for additional share offerings in the offshore market. (source)
July 16 2021 – Officials from the Cyberspace Administration of China, Ministry of Public Security (in charge of domestic security), Ministry of State Security (civilian arm for intelligence gathering and counterespionage), Ministry of Natural Resources (in charge of mapping and road surveying), the Ministry of Transport (regulates the ride-hailing industry) as well as the tax and antitrust regulators (SAMR) begin an investigation into Didi’s data security. Didi is the first major internet company to be publicly subject to the cybersecurity review,. (source) According to a 2020 regulation for the review process, a cybersecurity review should be completed within 45 days. However, it can be extended if “the situation is complicated.” (source)
July 22 2021 – Bloomberg report that Chinese regulators are considering serious, perhaps unprecedented, penalties for Didi. “Regulators are weighing a range of potential punishments, including a fine, suspension of certain operations or the introduction of a state-owned investor (..). Also possible is a forced delisting or withdrawal of Didi’s U.S. shares (..)” According to Bloomberg’s sources going ahead with the IPO against the wishes of the CAC had been considered a challenge to Beijing’s authority. (source)
July 2021 – Various Chinese companies with IPO plans have put these on hold, including LinkDoc, Meicai, Keep, Xiaohongshu and Hello Inc. (source)
July 23 2021 – Didi’s shares dropped further to almost $8. They had started trading at $14,40 and had reached a height of $18,01.
July 29 2021 – Rumour has it that Didi considers going private and compensate investors. (source)
August 2 2021 – The city of Xi’an orders Didi to ban unlicensed vehicles, threatening more than half its fleet in the city.
The ban follows an investigation into Didi’s operations in the city which found that 54 per cent of the 964 vehicles investigated lacked proper licences. Only 30 per cent of vehicles operating on Didi’s platform met regulatory requirements, according to the country’s transport ministry. (source)
August 6 2021 – Bloomberg reports that Didi has put forth a number of proposals to appease the powerful internet industry overseer, including ceding management of its data to a private third party. Regulators have signaled a preference for that third party to be state-controlled.
August 11 2021 – South China Morning Post reports that Alibaba’s chairman Daniel Zhang Yong and Tencent’s president Martin Lau Chi-ping, both directors on Didi’s board, explicitly counselled for the ride-hailing company to defer its New York listing. SCMP also stated that Didi completed the technical upgrade of its smartphone apps to comply with the Chinese regulators’ demands on data collection, mapping and user privacy, part of its rectification to return to Android and Apple app stores after it was forcibly removed last month. Didi may have to reshuffle its senior management team.
August 16 2021 – Didi said it has updated a billing function for drivers as previously promised, in a sign that it is working on the app to meet the demands of regulators. It has added a new feature to its driver app, which provides a detailed breakdown of a driver’s income for each ride and the share a driver earns from each passenger payment over a seven day period, to boost “transparency” in billing for drivers. (source)
September 1 2021: Bloomberg reports that Didi is helping workers establish their first union.
September 2 2021: Chinese regulators ordered car-hailing services run by Didi Global Inc., Meituan and Alibaba Group Holding Ltd. to rectify instances of what the government considers misconduct by December. Regulators highlighted violations including recruiting unlicensed drivers and the need to strengthen user data protections. Some companies used “vicious” competition and undermined the safety and stability of the industry. (source)
September 3 2021: Bloomberg reports that Beijing’s municipal government has proposed an investment in Didi that would give state-run firms control of the world’s largest ride-hailing company. Under the preliminary proposal, Shouqi Group — part of the influential Beijing Tourism Group — and other firms based in the capital would acquire a stake in Didi.
September 7 2021: SMCP reports that Didi has set up a committee headed by its founder to oversee the overhaul of its data management. Didi’s founder and chief executive Cheng Wei will head the Information and Data Security (IDS) committee established in July. Chief technology officer Zhang Bo will be the executive deputy director, marking a significant departure from the previous practice that had the committee as a supporting unit established in 2016.
What is this about?
Although there were various anti-trust issues at Didi and the company has had various run-ins with regulators for at least 6 years, based on the July 2nd statement by the CAC we can see that the investigation focuses on data security.
Sensitive data that Didi holds includes (source):
- User data (including real name identification and sometimes biometrical data)
- Movement data
- Real-time location data
- In-car camera and voice recordings
- High-precision maps
Didi says that all information related to Chinese users is stored in China, in response to speculation of Didi sharing sensitive data. (source)
According to sources of the Financial Times “the Cyberspace Administration of China frequently communicated with Didi, making more than 20 requests for changes to the app, which Didi implemented (..). In its requests to Didi, the CAC wanted changes to the way its app collects and displays mapping information (..). When a user opens the app, it suggests common pick-up points nearby based on passenger demand. The CAC was concerned this could inadvertently reveal locations where sensitive government personnel worked (..). Separate to these requests for mobile app rectification, the CAC had also advised Didi to postpone its IPO until it had conducted a cyber security review (..). The CAC has no legal power to delay IPOs, and the company denied that it knew before its listing that regulators were poised to intervene.”
On July 5th The Wall Street Journal wrote: “Of particular concern for China’s cybersecurity authority (..) is a standard U.S. request that prospective listed companies disclose to the SEC “material contracts,” or information concerning the companies’ major vendors and suppliers. Though companies like Didi store their data on users and traffic flows on servers that are housed within China’s borders, officials at the Cyberspace Administration worry that equipment for those servers, if procured from abroad, could be vulnerable to security breaches upon the company’s disclosure, potentially putting the caches of data in danger. The regulator’s cybersecurity review centers on where Didi purchased the products and services used for its network and what security risks its procurements of such supplies might pose (..)”
On July 9th the Wall Street Journal wrote: “The Chinese officials urged the company to postpone the share sale because Beijing was concerned that IPO documents required by U.S. regulators could had sensitive information and data it didn’t want U.S. authorities to have. The officials made clear to Didi that the government didn’t intend to block the IPO, but wanted the company to wait until it had carried out the proper security checks and made sure the documents it would present to the U.S. regulators contained no sensitive information. Officials also wanted to address the issue of audit working papers, the two people said. US congress passed a law last year to require U.S.-listed Chinese companies to hand over audit documents for U.S. regulators’ inspection, or risk being kicked off the stock exchanges. China has long resisted such demands, and the two nations have been in a standoff on the issue. One person close to the company said Didi hasn’t handed anything sensitive to U.S. regulators to date. Chinese officials, however, argue that it is for regulators, not the company, to decide what is sensitive. In China, the ride-hailing company is classified by law as a “critical infrastructure provider,” language that signals national-security sensitivities. Beijing’s suggestion that Didi delay its IPO left the company having to decide whether to comply with U.S. or Chinese priorities. Didi signaled to regulators that it would consider the request, and that it wouldn’t be a problem to postpone the listing if needed, say people familiar with its communications with regulators. (source)
Since the July 2nd statement mentioned the National Security Law it was initially speculated that Didi might have already shared sensitive data with foreign parties. These speculations might be partially based on information that the US Public Company Accounting Oversight Board wants Chinese companies might have to supply when doing a US listing. In the Tech Buzz China Insider community Rui Ma pointed out that under these new rules, which go in effect in 2023 only, auditors would be based in China and the US would not have access to the audit paper. She also argued that since the National Security Law was no longer mentioned in the second statement by the CAC on July 4th, this might be much more about domestic data security.
Whatever the exact reason was, data security, whether domestic and/or cross-border, definitely seems to be the center of the problem.