3 DiDi: Customer Privacy and Regulation

 

Note. Retrieved from https://www.caixinglobal.com/2021-07-04/chinas-cybersecurity-regulator-orders-didi-removed-from-app-stores-101735800.html

By: Yihao Ding and Shaista Karim Sadrudin Jaffer

November 30, 2023 / University of Ottawa – Telfer School of Business Management

The FinTech Explorer: A Comprehensive Guide

 

One hundred years ago, without computers, people were limited in how they accessed information: they relied on telephones and letters, and read newspapers, magazines, and similar sources to keep abreast of market trends and business news. Today, the world is very different. We live in a time when having information is very important and obtaining it quickly confers an advantage. Information is far more readily available thanks to advances in technology, such as social media platforms, podcasts, and online forums. Bill Gates said, “In the digital world, information is the new currency. Knowing how to gather, analyze and utilize information will determine who can successfully navigate this century”. Individuals and businesses must learn to acquire, analyze, and utilize information effectively to remain competitive. While these actions can improve business outcomes, they also risk crossing the boundary between respecting and violating customer privacy, which can ultimately harm companies in the long run. This raises the question of whether sacrificing consumer privacy for profit is a viable strategy in today’s world.

While many are aware of the rapid advancement in global technology sectors, the complexities within China’s ride-hailing industry, exemplified by DiDi, present a unique case of technological growth intertwined with regulatory challenges. Established in 2012 by Cheng Wei and Zhang Bo, DiDi quickly became the dominant player in the Chinese market, capitalizing on the urbanization and digitalization trends sweeping the nation. By 2020, DiDi had captured nearly 90% of the market share, boasting millions of daily transactions and expanding its services beyond simple ride-hailing to include multiple transportation options. This rapid growth was fueled by extensive data collection and analytics, which became a cornerstone of DiDi’s business strategy. However, this reliance on data also increased concerns about privacy and security.

The tipping point occurred when DiDi went public on the New York Stock Exchange in June 2021. At the time of its IPO, DiDi’s market capitalization reached more than 400 billion yuan (approximately $68 billion USD). The listing not only elevated the founder’s net worth to nearly 30 billion yuan (about $4.6 billion USD) but also sparked significant interest among investors, prompting them to buy shares.

Just when everyone thought that DiDi would continue to grow and increase in value, the Chinese National Cyber Administration received a report three days later, indicating that the DiDi app had committed significant violations of laws and regulations related to the collection and use of personal information. To uphold consumer privacy, the Cybersecurity Review Office prevented new users from registering. Two days later, the rumors were confirmed true, and the Chinese National Cyber Administration formally instructed all app stores to remove the DiDi app and required DiDi to modify the application to align properly with legal requirements. On June 10, 2022, DiDi was officially delisted from the New York Stock Exchange, and in less than a year, DiDi’s market value plummeted by $56 billion. Additionally, DiDi was fined a hefty $1.14 billion and faced an indefinite suspension of its app, signaling the company’s demise. The future looked bleak for this once-promising company.

 

The Stolen “Property”

As the DiDi app got suspended, investors became increasingly curious about the reason behind such an extreme action. They wondered what personal information DiDi collected and how much was stolen. After a few months of investigation, the Chinese National Network Office (CNNO) finally revealed the shocking truth. DiDi illegally collected and processed an enormous amount of personal information during its eight years of operation. According to the CNNO, DiDi collected an astonishing amount of 64.709 billion pieces of personal information. This included 11.9639 million screenshots from mobile phone users’ photo albums, 8.323 billion pieces of user clipboard information and application list information, 107 million pieces of face recognition information, 53.5092 million pieces of age group information, 16.3356 million pieces of occupation information, 1.3829 million pieces of family relationship information, and 153 million pieces of “home” and “company” taxi address information.

Moreover, DiDi also analyzed 53.976 billion pieces of passenger travel intention information, 1.538 billion pieces of resident city information, and 304 million pieces of remote business/tourism information. These alarming numbers revealed the extent of DiDi’s excessive data collection practices. The CNNO’s findings left investors wondering how such a large amount of data was misused and what consequences it may have for the affected individuals.

DiDi was not transparent in collecting all this data and often used vague language to mislead its passengers. In fact, during the investigation, it was found that the DiDi app frequently asked for unnecessary “phone permissions” when passengers used hitch services and failed to explain why it needed access to users’ personal information and device data.

Furthermore, CNNO also found that DiDi posed a serious threat to the security of the Chinese government. DiDi collected personal data of civil servants and officers and even collected information on the government sector’s taxi usage data, including sensitive institutions such as the police office, the Ministry of Land and Resources, the Ministry of Transport, and a Chinese bank. These actions violated consumers’ privacy and seriously threatened national security. As a result, DiDi is now facing massive fines and a potential permanent ban.

 

Economic Pressures and IPO Options

We cannot help but wonder why a nearly monopolistic company like DiDi was so eager to go public without thorough preliminary scrutiny; thus, it is crucial to discuss DiDi’s disastrous financial situation. Despite having a 90% market share, competition is still extremely fierce in the Chinese market, which has a population of 1.4 billion people. According to a previously published prospectus, DiDi’s net losses were 15 billion Yuan in 2018, 9.7 billion Yuan in 2019, and 10.6 billion Yuan in 2020. However, in 2021, DiDi’s finances were gradually improving. In the first quarter of 2021, DiDi’s net profit was 5.5 billion Yuan. This was driven by DiDi’s gain on investment of 12.36 billion Yuan in the first quarter. DiDi’s Q2 2021 revenue report reveals that its taxi business in China generated a total revenue of 44.8 billion Yuan, including 800 million Yuan in revenue and $2.6 billion in revenue. Meanwhile, its travel business in China generated $1.7 billion in revenue, while its international business suffered a loss of $1.2 billion and its other businesses generated $2.8 billion in revenue. However, this still could not cover the losses from previous years. DiDi chose to take advantage of its improved finances and go public as soon as possible, using its favorable 2021 financial reports to attract more investors.

However, when DiDi chose to go public in China, it encountered another problem. To go public in China, the China Securities Regulatory Commission must review the composition of shareholders. In 2021, Softbank Group in Japan was the largest shareholder in DiDi, owning 21.5% of the shares. Uber came in second place with a 12.8% stake. DiDi’s co-founders, Cheng Wei and Liu Qing, held less than 10% of the shares, while Tencent held 6.4%. The rest of the company, comprising 52% of shares, was owned by the DiDi leadership team, including Cheng Wei, Liu Qing, and Zhu Jingshi. As the primary stakeholders were foreign, namely Softbank and Uber, DiDi failed to pass the China Securities Regulatory Commission’s listing review. The regulations stipulate that foreign ownership should not exceed 30%, and no foreign investor should hold more than 10% of shares. Consequently, since it could not list publicly in China, DiDi opted to go public in the United States despite the risk of exposing national privacy data.

 

Legal Framework and Compliance Prior to IPO

Before DiDi embarked on its ambitious IPO in the United States, a thorough understanding and adherence to the legal requirements of China’s regulatory environment were crucial. However, it appears that DiDi may not have fully accounted for the extensive legal framework governing data privacy and cybersecurity in China. This oversight in not fully vetting all legal stipulations exposed the company to significant risks that could have been mitigated with more diligent preparatory work.

China’s regulatory landscape is particularly stringent with laws designed to protect national security and the privacy of its citizens. These laws are not only comprehensive but also carry heavy penalties for non-compliance, especially for companies that handle large volumes of personal data. DiDi’s failure to completely align its operations with these legal requirements before proceeding with its IPO was a critical misstep. It led to immediate regulatory scrutiny and swift actions by Chinese authorities, significantly impacting the company’s operations and its market presence.

Understanding this legal context is essential for framing DiDi’s situation and the subsequent regulatory responses it faced. The four critical laws that DiDi overlooked include:

  1. The “Network Security Review Regulations (Article 2)” and “Network Security Law (Article 35)” state that when operators of critical information infrastructure purchase network products and services that may affect national security, they must undergo a network security review. (This emphasizes DiDi’s failure to hand over its data for consideration by the national security departments.)
  2. The “Data Security Law (Article 24)” establishes a data security review system and requires a national security review of data processing activities that may impact or pose a risk to national security. The review decision is final. (This emphasizes DiDi’s unauthorized collection and analysis of the private data of government officials)
  3. The “National Security Law (Article 59)” establishes a system for reviewing and supervising foreign investment, critical technologies, network information technology products and services, national security-related construction projects, and other activities that could affect or pose a risk to national security. This system’s purpose is to prevent and address national security risks effectively. (This emphasizes that DiDi is composed of foreign capital and may have the risk of leaking data)
  4. The “Cryptography Law (Article 27)” requires critical information infrastructure operators to undergo a national security review organized by the state cyberspace administration and relevant departments when purchasing network products and services involving commercial cryptography that may impact national security. (This emphasizes DiDi’s theft of password privacy from its users’ phones.)

Through its complex journey, DiDi became a cautionary tale in the realm of digital platform governance. The stringent regulatory reaction to its IPO highlighted the paramount importance of legal compliance in the tech industry. Faced with a forced retreat from the stock market and heavy penalties, DiDi’s imperative was clear: a thorough reformation of its data governance was required to reconcile with both national security interests and user privacy concerns.

This case highlights the need for technology companies to operate within a framework that upholds data privacy and adheres to stringent regulatory standards. In the aftermath of the IPO debacle, DiDi had to reinvent its approach to data management, placing privacy and compliance at the forefront of its business model. The solutions DiDi implemented, aiming to restore trust and ensure regulatory alignment, may serve as a benchmark for industry practices.

Ultimately, DiDi’s story did not conclude with its regulatory challenges. Instead, it marked a new beginning, with the company securing approval to resume operations and attempting to regain its market position. While the future remains uncertain, DiDi’s response to these challenges offers valuable insights for tech companies worldwide on the importance of navigating the interplay between innovation, consumer privacy, and legal compliance. In the spirit of this newfound direction, we propose a set of strategic solutions that, while speculative, could offer a roadmap for DiDi and similar companies seeking to reconcile growth with ethical data management and stringent regulatory adherence.

 

Data Minimization and Personalized Price Discrimination

Maximizing sales has always been a critical objective for companies, and personalized price discrimination is a classic concept in microeconomics that can help achieve this goal. For instance, if a loaf of bread costing $7 can be sold for $8 to 20 customers while only 10 customers are willing to pay $10, then employing price discrimination can help extract more revenue. By charging higher prices to those willing to pay more, companies capture the consumer surplus that a single uniform price would leave behind. This ensures that all the products are sold at the highest prices customers will bear, maximizing revenue. Unfortunately, some companies, like DiDi, have resorted to illegally collecting data to approach perfect price discrimination.

A report emerged on March 17, 2021, revealing that DiDi used its accumulated data to determine prices. Testers employed six different phones belonging to distinct individuals, and each phone had the DiDi app installed to locate the same destination. The resulting fares ranged from 52 to 70 Yuan, and DiDi’s customer service could not explain this discrepancy. However, an internet technician suggested that the variation in fares could be attributed to factors such as how frequently the app was used, how often it was opened, and whether the user relied on setting their price.

Per the prospectus, DiDi’s revenue in China was 1332.07 billion Yuan, 1479.4 billion Yuan, and 1336.45 billion Yuan in 2018, 2019, and 2020, respectively. However, the number of orders during the same period decreased from 87.89 billion to 77.5 billion. This apparent discrepancy could be partially explained through previous market research, which suggested that DiDi’s revenue growth was driven by factors other than the number of orders.

To address the root cause of its regulatory challenges, DiDi would have needed to adopt a data minimization strategy. This approach would have involved collecting only the data necessary to complete its services, thereby reducing the potential for privacy violations. DiDi would also have needed to ensure that all data handling practices complied with the latest regulations in China and all operational jurisdictions, including the General Data Protection Regulation (GDPR) in Europe and other regional data protection laws.

 

Advanced and Transparent Data Security Measures

Enhancing cybersecurity measures would also have been crucial for protecting sensitive user information against breaches and unauthorized access. DiDi should implement end-to-end encryption for all data transactions to ensure that data remains secure from the point of creation to its destination. Regular security audits and real-time threat detection systems are also vital. These audits, conducted by internal teams and external cybersecurity experts, help identify vulnerabilities within DiDi’s systems and mitigate them promptly. Real-time threat detection leverages advanced algorithms and machine learning to monitor suspicious activity, quickly identifying potential threats and preventing data breaches.

Transparency is also essential in rebuilding trust with users. DiDi should overhaul its user agreements and privacy policies to make them clear and accessible, detailing what data is collected, how it is used, and with whom it is shared. Moreover, implementing a consent management platform would empower users to control their data preferences more actively. This platform should allow users to easily opt-in or out of data collection schemes, providing clear options to enhance user autonomy over personal information. Such transparency aligns with global data protection standards like the GDPR and reinforces consumer confidence by demonstrating DiDi’s commitment to privacy and ethical data practices.
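The data minimization strategy and the consent management platform described in the two preceding sections can be combined into a single gate that sits in front of storage and analytics. The following is an added illustration, not DiDi’s code or anything taken from the case: the field names, consent purposes, `ConsentRegistry` class and the over-collecting sample request are all constructed assumptions. Required fields are kept, optional fields are kept only when the user has opted into the matching purpose, and every other field (the clipboard, app-list, screenshot and face-template categories named in the CNNO findings) is discarded and recorded in an audit entry by name only.

```python
"""Data-minimization and consent gate for a ride request.

Hypothetical example (not DiDi's code): field names, consent purposes and
the sample payload below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Fields a ride-hailing request genuinely needs to dispatch a driver and bill the trip.
REQUIRED_FIELDS = {"user_id", "pickup", "dropoff", "requested_at"}

# Optional fields, each tied to the consent purpose that must be granted
# before the field is kept. Anything not listed here or above is dropped.
OPTIONAL_FIELDS = {
    "saved_home_address": "saved_addresses",
    "saved_work_address": "saved_addresses",
    "age_group": "personalization",
}


@dataclass
class ConsentRegistry:
    """Per-user record of which purposes the user has opted into (assumed design)."""
    _grants: dict = field(default_factory=dict)  # (user_id, purpose) -> granted_at

    def opt_in(self, user_id: str, purpose: str, when: Optional[datetime] = None) -> None:
        self._grants[(user_id, purpose)] = when or datetime.now(timezone.utc)

    def opt_out(self, user_id: str, purpose: str) -> None:
        # Withdrawing consent removes the grant; later requests lose the field.
        self._grants.pop((user_id, purpose), None)

    def granted(self, user_id: str, purpose: str) -> bool:
        return (user_id, purpose) in self._grants


def minimize_request(payload: dict, consents: ConsentRegistry) -> tuple:
    """Return (minimized payload, audit record).

    Required fields are kept; optional fields are kept only with consent;
    every other field is discarded before it reaches storage or analytics.
    """
    if not REQUIRED_FIELDS.issubset(payload):
        missing = sorted(REQUIRED_FIELDS - set(payload))
        raise ValueError(f"request missing required fields: {missing}")

    user_id = payload["user_id"]
    kept, dropped, withheld = {}, [], []
    for name, value in payload.items():
        if name in REQUIRED_FIELDS:
            kept[name] = value
        elif name in OPTIONAL_FIELDS:
            if consents.granted(user_id, OPTIONAL_FIELDS[name]):
                kept[name] = value
            else:
                withheld.append(name)
        else:
            dropped.append(name)

    # The audit record names fields, never values, so it cannot itself leak data.
    audit = {
        "user_id": user_id,
        "kept": sorted(kept),
        "withheld_no_consent": sorted(withheld),
        "dropped_not_needed": sorted(dropped),
    }
    return kept, audit


# Constructed sample: a client that over-collects, mirroring the categories
# listed in the CNNO findings; values are placeholders, not real data.
SAMPLE_REQUEST = {
    "user_id": "u-1001",
    "pickup": (39.9042, 116.4074),
    "dropoff": (39.9087, 116.3975),
    "requested_at": "2021-03-17T08:15:00Z",
    "saved_home_address": "constructed-home-address",
    "age_group": "25-34",
    "clipboard_contents": "constructed clipboard text",
    "installed_apps": ["app-a", "app-b"],
    "photo_album_screenshot": b"\x89PNG-placeholder",
    "face_template": b"\x00\x01",
}


def demo() -> tuple:
    """Run the gate for a user who consented only to saved addresses."""
    consents = ConsentRegistry()
    consents.opt_in("u-1001", "saved_addresses")
    return minimize_request(SAMPLE_REQUEST, consents)


if __name__ == "__main__":
    minimized, audit = demo()
    print(minimized)
    print(audit)
```

The gate is deliberately an allow-list: a new field added by a client build is dropped by default rather than silently retained, which is the property a data minimization policy needs in order to survive app updates.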

 

Integrated Strategy for Ethical Data Management and Stakeholder Engagement

By prioritizing these advanced security measures and enhancing transparency, DiDi can fortify its defenses against data threats and restore consumer confidence. These steps are not just about regulatory compliance; they are crucial for cultivating trust and securing a sustainable relationship with users in the increasingly data-driven global market.

DiDi can integrate several strategic approaches into a unified framework to effectively navigate the complex consumer data usage landscape. By establishing an ethical data use framework, DiDi would set clear guidelines and decision-making processes that align with user expectations and adhere to rigorous legal standards. This framework would guide the company’s data handling practices and serve as a benchmark for compliance across its operations.

An internal ethics committee is crucial in overseeing this framework. This committee would monitor DiDi’s adherence to ethical standards and address any issues or discrepancies. Its role would extend beyond mere oversight, actively refining ethical guidelines as new challenges and technological capabilities emerge.

Furthermore, engaging with stakeholders—customers, employees, and regulators—through regular surveys, feedback mechanisms, and meetings is essential. This engagement allows DiDi to gather valuable insights that can inform and continuously refine its strategies and operational tactics, ensuring that they remain responsive to the needs and concerns of all parties involved.

DiDi should leverage advanced technology such as artificial intelligence (AI) and machine learning to support these efforts. These tools can be instrumental in monitoring compliance and ethical use of data by analyzing data handling practices for potential violations and inefficiencies. AI algorithms can identify atypical patterns that may indicate risks, while machine learning models can anticipate future areas of concern, allowing DiDi to proactively address potential issues before they escalate. Implementing these solutions will require significant investment and commitment from DiDi’s leadership, but the potential benefits—restored consumer trust, regulatory compliance, and sustainable business practices—far outweigh the costs. This comprehensive approach addresses the immediate compliance issues and positions DiDi as a leader in ethical data management in the technology sector.
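The security audits and real-time detection recommended under “Advanced and Transparent Data Security Measures”, and the compliance monitoring described just above, both come down to checking what the app actually asks for against what each feature legitimately needs. The block below is an added example written for this page, not DiDi’s tooling: the log line format, the per-feature permission manifest and the sample events are constructed assumptions. It parses permission-request events, flags any request outside the feature’s manifest (the “unnecessary phone permissions” pattern the investigation found in the hitch service), and separately flags requests made without a rationale shown to the user; anomalous categories such as clipboard, storage and installed-app enumeration are rated high severity.

```python
"""Rule-based review of app permission requests against a per-feature manifest.

Hypothetical example (not DiDi's code): the log format, manifest and sample
lines are constructed to illustrate the audit/detection check described above.
"""
import re
from collections import Counter

# What each feature is allowed to request; anything outside its entry is
# treated as over-collection. (Constructed manifest.)
FEATURE_MANIFEST = {
    "ride": {"ACCESS_FINE_LOCATION"},
    "hitch": {"ACCESS_FINE_LOCATION", "CALL_PHONE"},
    "support": {"CALL_PHONE"},
}

# Permissions that reach data categories unrelated to transport.
HIGH_RISK = {
    "READ_CLIPBOARD", "READ_EXTERNAL_STORAGE", "CAMERA",
    "QUERY_ALL_PACKAGES", "READ_CONTACTS",
}

# Assumed event format emitted by the client's permission-request hook.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) feature=(?P<feature>\w+) user=(?P<user>[\w-]+) "
    r"perm=(?P<perm>[A-Z_]+) rationale=(?P<rationale>shown|none) "
    r"result=(?P<result>granted|denied)$"
)


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines, manifest=FEATURE_MANIFEST) -> dict:
    """Flag permission requests that exceed the manifest or lack a rationale."""
    findings = []
    over_collection = Counter()  # feature -> requests outside its manifest
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            malformed += 1  # counted so gaps in telemetry are visible to the audit
            continue
        reasons, severity = [], "low"
        allowed = manifest.get(ev["feature"], set())  # unknown feature: nothing allowed
        if ev["perm"] not in allowed:
            reasons.append("permission not in feature manifest")
            severity = "high" if ev["perm"] in HIGH_RISK else "medium"
            over_collection[ev["feature"]] += 1
        if ev["rationale"] == "none":
            reasons.append("no rationale shown to user")
        if reasons:
            # A denied request is still reported: the attempt itself is the finding.
            findings.append({**ev, "severity": severity, "reasons": reasons})
    return {
        "findings": findings,
        "over_collection_by_feature": dict(over_collection),
        "malformed_lines": malformed,
    }


# Constructed sample telemetry; the final line is deliberately malformed.
SAMPLE_LOG = """\
2021-03-17T08:15:02Z feature=ride user=u-1001 perm=ACCESS_FINE_LOCATION rationale=shown result=granted
2021-03-17T08:15:05Z feature=hitch user=u-1002 perm=CALL_PHONE rationale=none result=granted
2021-03-17T08:15:07Z feature=hitch user=u-1002 perm=READ_CLIPBOARD rationale=none result=granted
2021-03-17T08:15:09Z feature=ride user=u-1003 perm=READ_EXTERNAL_STORAGE rationale=none result=denied
2021-03-17T08:15:11Z feature=ride user=u-1004 perm=QUERY_ALL_PACKAGES rationale=shown result=granted
this line is not a permission event
"""


def demo() -> dict:
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    report = demo()
    for f in report["findings"]:
        print(f["severity"], f["feature"], f["perm"], "; ".join(f["reasons"]))
    print("over-collection by feature:", report["over_collection_by_feature"])
```

In a real deployment the manifest would be reviewed and signed off as part of each release, so that the audit compares runtime behaviour against a documented, approved need rather than against whatever the current build happens to request.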

 

Analysis of Proposed Solutions for DiDi

The strategic overhaul following DiDi’s IPO missteps represents a crucial pivot towards robust regulatory compliance and enhanced trust with global investors and users. By implementing stringent data protection measures and adopting a more transparent approach to data handling, DiDi should aim to rectify past oversights and prevent similar regulatory backlashes that could jeopardize its operational stability and market presence. In light of the proposed solutions to enhance DiDi’s data management practices and regulatory compliance, it is essential to consider the potential impacts and the broader implications these changes could have on the company’s operations and reputation.

  1. Impact on Regulatory Compliance and Market Trust:

Implementing rigorous data protection measures and an ethical data use framework could significantly improve DiDi’s standing with regulators and rebuild trust with its user base. By adopting end-to-end encryption and robust security audits, DiDi would likely see a reduction in data breaches, decreasing the risk of fines and sanctions from data protection authorities. Furthermore, a transparent approach to data handling and user consent could restore user confidence, encouraging more people to use the service without privacy concerns.

  2. Operational and Financial Considerations:

Integrating advanced AI and machine learning technologies for compliance monitoring and risk management could streamline operations, making them more efficient while reducing overhead costs associated with manual oversight. However, the initial setup of such technologies and personnel training to handle new systems will require substantial investment. The financial impact of these changes, including the potential for high upfront costs, must be weighed against the long-term benefits of avoiding regulatory penalties and fostering a safer service environment.

  3. Strategic Advantages in a Competitive Market:

As regulations around data privacy tighten globally, DiDi’s proactive adoption of these measures could provide a competitive edge. Being ahead of compliance could make DiDi a preferred choice for customers concerned about personal data security. Moreover, setting a high standard in ethical data use and consumer transparency may pressure competitors to elevate their practices, potentially leading to a more level playing field in regions with less stringent regulations.

  4. Risks and Challenges:

While the theoretical benefits of these solutions are clear, their practical implementation could encounter several challenges. Resistance to change within the organization, the complexity of integrating new technologies with existing systems, and potential pushback from stakeholders accustomed to the old ways of operating are just a few of the hurdles DiDi might face. Additionally, the broader impact on corporate culture and employee roles cannot be underestimated, as shifts towards greater transparency and accountability may disrupt established workflows and power dynamics.

 

While the proposed solutions for DiDi promise to address critical issues of regulatory compliance and user trust, their success will largely depend on careful implementation, ongoing evaluation, and the ability to adapt strategies in response to internal and external feedback. This theoretical analysis provides a roadmap for DiDi and serves as a case study for similar companies navigating the complex interplay of technology, privacy, and regulation in the digital age.

 

Summary of Recommendations

As DiDi moves forward, it is imperative to maintain a strong focus on ethical data management and regulatory compliance to ensure sustainable business practices. The following are critical recommendations for DiDi:

  • Continuous Regulatory Adaptation: DiDi should continuously update its compliance frameworks to align with evolving global data protection regulations. This proactive approach will safeguard the company against potential legal challenges and reinforce its commitment to ethical practices.
  • Enhanced Transparency Measures: Increase transparency around data collection and usage policies. This includes clear communication with users about how their data is being used and providing them with more control over their personal information.
  • Strengthened Data Security: Invest in state-of-the-art cybersecurity measures to protect user data from breaches. Regular audits and updates to security protocols should be instituted to keep pace with technological advancements.
  • Stakeholder Engagement: Continue to engage with all stakeholders, including customers, regulators, and employees, to gain insights that can inform policy and operational adjustments. This engagement is crucial for anticipating and responding to market and regulatory changes.
  • Ethical Data Use: Maintain a robust ethical framework for data usage that goes beyond compliance to ensure decisions are aligned with legal standards and consumer expectations.

Implementing these strategies will provide DiDi with a robust platform for recovery and growth, ensuring its operations are innovative and compliant.

 

Didi’s Future with AI Integration

This case study illustrates the critical importance of aligning business practices with stringent regulatory standards, particularly in sectors where consumer privacy is at stake. DiDi’s experience with its U.S. IPO and the drastic regulatory interventions that followed highlight the potential consequences of neglecting these considerations. As a cautionary tale for the tech industry, DiDi’s journey highlights the necessity of integrating ethical data management into core business strategies to ensure sustainable growth and trust in a data-driven global market.

DiDi’s subsequent overhaul of its data privacy strategies highlights the essential role of robust data governance in sustaining business operations in technology-driven markets. Implementing enhanced security measures, a transparent data use policy, and strict adherence to global and local regulations have been crucial steps towards mitigating past issues and restoring the company’s reputation.

Moreover, DiDi’s shift towards more ethical data practices, including minimizing data collection and improving user consent mechanisms, reflects a broader industry trend toward prioritizing consumer privacy. This approach aligns with regulatory expectations and enhances customer trust, vital for long-term business sustainability.

Adopting these changes, DiDi can serve as a model for other tech companies facing similar challenges, demonstrating that responsible data management can be a significant competitive advantage. As the company moves forward, its continued commitment to these principles will be crucial in shaping its strategic direction and ability to innovate while maintaining compliance and fostering a trustworthy relationship with its users.

In conclusion, DiDi’s journey highlights the importance of integrating ethical considerations into business strategies in the tech industry. By prioritizing consumer privacy and robust data governance, DiDi is well-positioned to navigate the complexities of the global market and lead by example in developing sustainable and responsible business practices.

  


License


The FinTech Explorer: A Comprehensive Guide to Case Studies, Course Notes, and Emerging Trends Copyright © by Qianru (Cheryl) Qi; Shaista Jaffer; and Adelphe Ekponon is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
