China fines Didi $1.2bn over ‘egregious’ data security violations

Cyberspace Administration of China says Beijing-based startup illegally collected user data since 2015.


China has fined ride-hailing giant Didi almost $1.2bn for “egregious” violations of data security rules, capping a year-long probe that torpedoed the startup’s stock price and forced its delisting from the United States stock market.

The Cyberspace Administration of China (CAC) said on Thursday it fined the startup 8.026 billion yuan after finding it had illegally collected customer information since 2015 and handled data in a way that endangered national security.

The alleged breaches included illegally storing the personal information of more than 57 million drivers in an unsecure format and analysing passenger details such as mobile phone photos and facial recognition data without their knowledge or consent.

“Didi’s illegal operations have brought serious security risks to the security of the country’s key information infrastructure and data security,” the CAC said in a statement.

The penalty amounts to more than four percent of Didi’s annual revenue, which came to $27.3bn in 2021.

The CAC said it also fined Didi’s founder and Chief Executive Cheng Wei and President Jean Liu 1 million yuan ($148,000) each.

The Beijing-based startup said in a statement on its Weibo account that it accepted the regulator’s penalty and would reflect on its actions and how to improve its practices.

“Though it seems counterintuitive, Didi is likely to be feeling pretty relieved,” Kendra Schaefer, a China tech analyst at Beijing-based policy research group Trivium, told Al Jazeera.

“This probe has been preventing the company from moving forward in almost every other respect, and at this point, the company is likely to be willing to pay anything to get this albatross off their back.”

Schaefer said the fine against Didi is in line with past regulatory actions against Alibaba and Meituan, which were fined about four percent and three percent of their annual revenues, respectively, for unrelated alleged violations.

The Chinese regulator began its investigation into Didi after it debuted on the New York Stock Exchange in June 2021 despite being urged to delay the listing amid concerns over the public release of sensitive data.

Didi lost 80 percent of its market cap, or more than $60bn in value, after attracting regulatory scrutiny, becoming one of the highest-profile casualties of Beijing’s sweeping crackdown on private industry, which has targeted sectors ranging from tech to property and education.

Schaefer said the regulator’s decision and stated rationale leave unanswered questions about the nature of Didi’s alleged wrongdoing.

“What’s a bit bizarre here is that the CAC found that Didi violated the Personal Information Protection Law, which was not effective until November 2021, months after the investigation into Didi was launched,” she said.

“There are other discrepancies in the CAC’s announcements – ultimately, the original reason that Didi was investigated, the supposed violations of national security, were never clarified. Sad trombone.”

Source: Al Jazeera and news agencies