The Cyberspace Administration of China (CAC) this week announced the outcome of its year-long "cybersecurity review" of the Chinese ride-hailing giant DiDi. While many headlines focused on the size of the ¥8 billion RMB ($1.2 billion USD) fine, the outcome and the way it was announced raise several questions about China's regulatory trajectory in digital sectors. Among those questions: The CAC announcement and accompanying Q&A point to multiple laws and regulatory authorities; what does this tell us about how those legal regimes are developing? The cybersecurity review was initiated after DiDi went forward with an IPO in New York that it had reportedly been warned by regulators to delay; what does it tell us that the IPO goes wholly unmentioned? Given that the CAC announcement explicitly states that some details are not being made public because they are national security-related, what parts of the story are the general public and businesses missing? And what, if anything, does this outcome reveal about broader Chinese government enforcement campaigns in tech sectors?
We invited contributors to offer their brief thoughts on the outcome, the official account of which DigiChina translated in full.
The Didi case was staged as a cybersecurity case, but the decision is primarily based on privacy violations. The penalties are calculated based on the 5% annual turnover clause under China’s Personal Information Protection Law (PIPL), whereas penalties under the Cybersecurity Law and the Data Security Law have significantly friendlier caps. How the decision was reached, particularly the transition from cybersecurity to privacy, was not explained.
Cybersecurity and privacy cases generally belong to separate areas, because they involve different interests that are protected by distinct Chinese laws. While the Cyberspace Administration of China (CAC) is authorized by the Cybersecurity Review Measures to handle cybersecurity review cases, the PIPL only authorizes the CAC to “coordinate” privacy protection-related work, and assigns enforcement to departments of the State Council (such as the Ministry of Industry and Information Technology and the State Administration for Market Regulation). It’s worth reiterating that the CAC alone signed off on the Didi decision.
The decision is concerning in other aspects as well; for example, it applies laws retroactively. But a more practical concern surrounds how this case may impact China’s enforcement on cybersecurity and privacy protection in the future. With the Didi case established as a precedent, my guess is that the regulators may find it easier to make a similar decision next time.
The PIPL’s 5% annual turnover penalty clause has shown its teeth, and may also be leveraged by regulators in future cybersecurity or data security-focused cases where personal data mishandling can also be found, so that the penalties may be significantly higher. The flip side is that businesses now should have stronger incentives to level up investment in personal data protection to strengthen their compliance with the PIPL.
Jamie P. Horsley
Visiting Lecturer in Law and Senior Fellow, Paul Tsai China Center, Yale Law School
The CAC's short official announcement leaves many questions open. For one, the announcement notes that the CAC "filed a case" (立案) and launched an investigation after the conclusion of the "cybersecurity review," which was the process originally initiated in July 2021. Then, in the published Q&A between an unnamed CAC official and unnamed journalists, the official says the punishment is related to the cybersecurity review. Because detailed decisions are not made available regarding the cybersecurity review or violations of laws such as the Personal Information Protection Law, the specific legal process is left unclear. This also means that there may be other punishments, in addition to the announced fines, that have not been publicly revealed.
Next, although the CAC mentions the Administrative Punishments Law, the Q&A notes that these are no ordinary administrative punishments: "The administrative punishment of DiDi relevant to this cybersecurity review is special and different from regular administrative punishment." Could this be a reference to authorities under different laws? Details are not offered.
Meanwhile, how the fines for DiDi and its two executives were calculated is not explained. Although DiDi's fine of ¥8.026 billion RMB could of course consist of multiple fines for multiple offenses, the CAC statements provide no insight into how this sum was determined, and thus there is no guidance to others regarding potential future cases, despite the fact that the Q&A promises cyber authorities will "increase exposure of typical cases" and "educate and guide Internet enterprises to operate in accordance with laws and regulations."
Indeed, the failure to publish any detailed official decision explaining the fine and other punishments imposed on DiDi (taking down its apps and prohibiting new users, and possibly ordering it to delist from the U.S. stock market), in contrast to the detailed administrative punishment decision that was published by the State Administration for Market Regulation with respect to the historic fine assessed against Alibaba, leaves other companies, both domestic and foreign, in the dark as to what actions prompted the CAC’s various responses.
There are still more unanswered questions stemming from the CAC's announcement, but these alone show that, at least for now, the implications of the DiDi case are far from clear.
Director, Geo-Technology, Eurasia Group
Many observers had expected China’s unprecedented cybersecurity probe into DiDi to establish enforcement benchmarks and provide clarity for the country’s broad and vague digital security rules and laws. However, the investigation’s outcome has instead fueled fears of Beijing’s sweeping power over companies that fail to toe the line, leaving regulatory boundaries unclear for businesses and individuals alike.
Last June, under considerable investor pressure, DiDi pushed through its IPO in New York without Beijing’s approval. The defiant action prompted an unusual expansion of China’s cybersecurity review mechanism, targeting the newly listed firm, rattling investors, and sending DiDi’s shares off a cliff. This occurred only a few months after the last-minute suspension of financial technology giant Ant’s IPO in Shanghai, another case of overly confident tech tycoons angering top national decision makers and jeopardizing fund-raising. This repeat of politically inappropriate behavior clearly antagonized authorities and almost certainly contributed to the characterization of the company’s problems.
Fast forward a year, and Cyberspace Administration of China (CAC) officials have concluded their probe, claiming to have discovered “illegal operations bringing serious risks to China’s critical information infrastructure and data security” but would not disclose specifics of the wrongdoing due to alleged national security concerns. The resulting punitive measures, including a hefty $1.2 billion fine on the company, seem to have been justified by the so-called “grave circumstances and despicable character” of DiDi’s misconduct and the company’s “feigning compliance, and maliciously evading supervision.” The strong moral judgment appears to have contributed to the harsh treatment of China’s top ride-hailing platform. Nevertheless, the source of regulators’ highly emotional reaction in this case is ultimately unclear. Did DiDi maliciously evade supervision through its information protection practices or data storage operations, or were regulators merely pointing to the company’s rushed public offering?
At the moment, U.S. and Chinese regulators are down to the wire in their negotiations around information disclosure standards for U.S.-listed Chinese companies. It is uncertain whether the U.S. Securities and Exchange Commission would indeed have required information of a sensitive nature from DiDi, or whether China’s data governance regime is irreconcilable with U.S. market transparency rules. Regardless, China’s extensive cybersecurity framework appears to have created significant leverage for the CAC to act against perceived corporate transgressions in a highly politicized case.
On May 23, 2022, DiDi officially announced its plan to voluntarily delist from the New York Stock Exchange. The company has been silent on the motivation behind this decision, though there is little doubt that Chinese officials have put pressure on the company to undo its mistake. The CAC has also reportedly considered other options to remedy the claimed national security concerns. These include a possible re-shuffle of top executives including DiDi’s Chairman Cheng Wei and CEO Liu Qing. A potential spin-off of the company’s autonomous driving arm could allay some of the data-related security concerns. Finally, the introduction of state-owned or -affiliated stakeholders may help instill political awareness and prescribed ethical values currently absent in the company.
The lack of transparency in the CAC’s final report raised more questions than answers about DiDi’s case: What specific misbehaviors did the regulator uncover during the investigation, how did authorities apply the laws and regulations to these violations, and will officials take further actions to discipline the firm? Early signs indicate that the app’s trouble is far from over. On July 25, media reports suggested that DiDi had lost its license to create its own digital maps, a foundational tool for the company’s autonomous driving division. An inability to utilize the platform’s vast pool of data would deal a major blow to the firm’s ambition to become a mobility service leader in the future.