Regulators sought to make the company an example of the consequences of mishandling data — and of the grave political error of ignoring the authorities.
In slapping China’s ride-hailing giant, Didi Global, with a record $1.2 billion fine for data breaches, Beijing made clear to the country’s internet companies that their freewheeling days were over.
The penalty imposed by China’s internet regulator on Didi, one of the country’s most valuable tech companies, was the third in a series of major moves by the government to rein in China’s high-flying internet sector. As China’s leader, Xi Jinping, has waged an expansive campaign to strengthen state control over the economy, regulators have zeroed in on internet companies like Didi, which runs services similar to Uber, that have amassed sweeping and some say excessive influence over Chinese society.
In recent months, regulators backed by the highest levels of the ruling Communist Party have gone after internet shopping and food-delivery behemoths for antitrust violations. With Didi, they sought to make the company an example of the consequences of mishandling data, which China has deemed an issue of national security, and — perhaps just as important — the grave political error of ignoring the authorities.
“I think the C.A.C. wants to use this case to set up a chilling precedent for other Chinese tech firms,” said Angela Zhang, a law professor at the University of Hong Kong who specializes in China’s regulatory governance.
The penalty, announced Thursday by China’s internet regulator, the Cyberspace Administration of China, was the largest fine issued in China over data protection issues. The authorities also singled out two of Didi’s founders for blame, and invoked national security as they accused Didi of a string of violations, including the storage of 57 million driver identification numbers without encryption.
The announcement ended a yearlong investigation that had spoiled Didi’s blockbuster listing in the United States and ultimately forced the company to delist from the New York Stock Exchange. Thursday’s move appeared to clear the way for Didi to list its shares in Hong Kong, and could imply that a frenzied period of rule-making and harsh regulatory enforcement may be easing.
Beijing is under pressure to revive the slowing economy ahead of an important political meeting this year at which Mr. Xi is expected to claim a third term as the country’s leader. In May, China’s premier, Li Keqiang, cheered many when he offered support for the digital economy. By closing the investigation into Didi, Beijing could be seen as sending a further signal to reassure investors and restore confidence in the economy.
Yet for tech firms, government pressures have not relented. In this month alone, China’s antitrust regulator punished Didi and other internet firms for failing to report mergers for antimonopoly review, while the country’s central bank fined Didi for mishandling customer data.
Although regulators may back off on policing Chinese tech firms in the short term to encourage economic growth, “it is only a temporary reprieve,” said Ms. Zhang, the expert.
Legal experts said the penalty imposed on Didi could force Chinese internet companies, which had grown quickly in part by operating with little constraint, to reassess how and whether they should collect, store or seek to profit from the personal information of Chinese citizens.
The authorities’ concerns about data security are not unfounded. The tech sector has a history of excess data collection and leaks, which have led to widespread fraud. Chinese authorities have introduced laws that force firms to better communicate with consumers and protect their data.
Yet even as the government has reined in the private sector, it has struggled to protect the masses of data its own security apparatus collects on its citizens through online and real-world surveillance. In recent weeks a hacker offered to sell a Shanghai police database with billions of records that included the personal information of Chinese citizens. The database had been left unsecured for months. In stark contrast to the highly public prosecution of Didi and its rivals, news of the government leak was censored.
In a statement detailing Didi’s infractions, regulators said Didi had illegally collected about 12 million screenshots from users’ phones and excessively amassed personal data, including millions of addresses, phone numbers and face images. The statement noted that driver identifications were stored in plain text — not encrypted — and that the company failed to clearly notify users about analyses done on their travel records.
It also named Didi’s chief executive and founder, Cheng Wei, and its president, Jean Liu, as individuals responsible for violations. Each was fined about $150,000.
“Didi’s illegal operations have brought serious security risks to the security of the country’s key information infrastructure and data security,” the regulator wrote.
The regulator accused Didi of “malicious evasion of supervision” and of refusing to meet clear requirements that had been set — a warning, in other words, that no company, no matter how valuable or internationally prominent, could afford to ignore Beijing.
In a statement, Didi said it accepted the punishment and would improve its data security. “We sincerely thank the relevant authorities for their inspection and guidance, and the public for their criticism and supervision,” the company said. As a part of the investigation, Didi has not been allowed to register new users or list its apps on stores, restrictions that have hit the company’s bottom line. Although analysts widely expect the government to walk back those suspensions, the announcement did not mention this.
The Didi fine broadly matched penalties paid out by other Chinese internet giants, Alibaba and Meituan, in terms of the share of the companies’ annual revenue, during a nearly two-year regulatory crackdown on the sector. The regulatory pressures, and a longstanding spat between China and the United States over auditing, have suppressed many tech companies’ share prices.
China’s internet firms face a long road to recovery. China’s economy has been hit by a broad slowdown resulting from strict Covid-19 controls that have prompted repeated lockdowns of cities around the country. Last week, China posted its lowest growth rate since the beginning of the pandemic as unemployment neared historic highs and consumer spending slowed.
For Didi, once hailed as an innovator and disrupter in China’s staid transportation sector, it has been a fast fall from grace. The company was considered the pride of China’s spunky, and valuable, start-up scene in 2016 when it beat its American rival, Uber, and bought the firm’s Chinese operations. At the time, its executives vowed that the data it collected would be used to unsnarl traffic jams and eventually help develop driverless cars.
As Beijing has asserted greater control over internet firms like Didi, it has sought to shape a private sector more in line with the Communist Party’s focus on political security and meeting its policy goals. Popular attitudes about China’s tech sector, once an emblem of future achievement, appear to have shifted, too.
After the punishment was announced, a number of professors and tech commentators took to Weibo to call for even harsher punishments.
Jin Canrong, a professor of international relations at Renmin University, called the revelations of Didi’s violations “really shocking!” Didi “disregarded national security, disregarded national laws and disregarded citizens’ privacy,” he added. Others went further, wondering whether a company that jeopardized national security should be allowed to exist at all.
In the short term, the government will probably relent on Didi, allowing it to restore its apps in stores. But the company will still have to show that it has addressed the regulator’s concerns over data security and other issues, said Linghao Bao, an analyst at Trivium China, a China-focused policy research team.
“Big tech platforms are getting a break as the economy is not doing so well. Regulators are shifting from a campaign-style crackdown toward a more rules-based governance,” he said. “But tech regulation is here to stay over the long term.”