China’s Didi Chuxing ‘Fears More Sanctions’

The management of Chinese ride-hailing giant Didi Chuxing reportedly remains concerned about further regulatory sanctions even after a record-breaking 8 billion yuan ($1.18bn, £980m) fine handed down by the Cyberspace Administration of China (CAC) last month.

The fine was the largest ever imposed for data protection breaches, far higher than the EU’s $877m fine against Amazon under the GDPR in August 2021.

In addition, the Didi fine retroactively took into account violations dating back to 2015, even though the oldest of the laws involved was passed in 2017.

The most recent of those laws came into force in September and November 2021, months after the CAC’s investigation began in July 2021, industry watchers noted.

More fines?

Analysts have said the CAC’s unprecedented measures could be followed by sanctions by other agencies, and the Financial Times cited an unnamed Didi employee as saying there had been internal discussion around the possibility of an additional fine by the Ministry of Industry and Information Technology (MIIT), which regulates China’s internet platforms.

Another mid-level manager told the paper that if Didi took on a state-owned shareholder it could regain regulators’ trust.

“We need a state-owned shareholder to come in to completely get rid of the regulatory risks. Then the regulators will trust us again,” the person was quoted as saying.

But the paper said some shareholders, including two members of an investment team from Tencent, believed the worst of the sanctions against Didi were over.

Ongoing probe

“The fine did not exceed people’s expectations,” one of the Tencent team told the paper.

The largest regulatory fine imposed on a Chinese tech company to date was the 18.2bn yuan penalty against Alibaba last year.

The investigation of Alibaba, starting in November 2020, kicked off an ongoing regulatory crackdown that has sought to rein in the power of China’s biggest tech firms.

Hong Kong-based law firm Mayer Brown cautioned in a research note on Friday that the Didi fine is “the tip of the iceberg” as the CAC has stated its intention to “lawfully increase the intensity of law enforcement in [cybersecurity and data protection]”.

Data laws

It advised companies operating in China or who deal with companies subject to Chinese data laws, to conduct regular data audits.

The company noted in particular that firms should pay attention to several cross-border data transfer mechanisms set to come into force in the coming months, along with the Security Assessment Measures applying to such transfers.

In light of the retrospective application of China’s data laws against Didi these are something that “businesses should definitely be wary of”, the firm noted.