Exclusive | Didi’s business slows from break-neck pace as on-site probes by China’s cybersecurity regulators gum up operations

Employees of Didi Chuxing have been forced to address technical demands from regulators as cybersecurity probe drags on
The review has forced the ride-hailing giant to make the investigation its top priority as it seeks to get its app back into app stores

Didi Chuxing

Coco Fengin BeijingandMinghe Huin Beijing

Published: 12:02pm, 17 Aug 2021

Why you can trust SCMP

The Chinese government’s unprecedented probes into Didi-Chuxing, also involving public security investigators, have gummed up business operations at the platform that dominated 90 per cent of the country’s ride-hailing industry, according to several employees.

Engineers and product managers at the Beijing company, whose smartphone apps were removed from Android and Apple app stores in early July, are now busy writing up patches to close what Chinese regulators called technical loopholes in Didi’s data management system, according to staff who spoke on condition of anonymity. Several business units of the company have lowered their performance targets for 2021, which were set in January at the start of the financial year, because those goals were no longer realistic, given the review of the company’s business on July 16.

Investigators, who sequestered themselves into Didi’s head office in the Zhongguancun Software Park in the northwestern corner of the Chinese capital, have called mid-level staff in for hours of questioning, even on weekends and at short notice, employees said. Engineers have completed the rectification of the data management loopholes, according to staff members familiar with the matter.

The change shows how the core business of the dominant company in the world’s largest ride-hailing market – with 493 million monthly active customers and 13 million active drivers – is changing as it accedes to the rectification demands by China’s antitrust regulators. Didi raised regulators wrath when it rushed to raise US$4.4 billion in New York at the end of June, ignoring their warnings.

Part of the company’s rectification process involves addressing issues authorities see with its management of the data it collects from users and mapping, which must be corrected before Didi is allowed back on China’s Android and Apple app stores.

The government’s investigations of Didi have completed, and regulators are shifting their gaze to other technology companies that have completed their initial public offering applications to list in the United States, according to people familiar with the matter.

07:30

Why China is tightening control over cybersecurity

Didi’s spokespeople did not respond to requests for comment.

One sign of how operations have been impacted is the slow roll-out of a billing feature that allows drivers to see detailed data on their share of passenger bills.

Sun Shu, the chief executive of Didi’s ride-hailing business and the head of its drivers committee, promised the feature in a public letter at the end of May. Drivers first started getting this data in mid-August, but only in seven Chinese cities, including Shenyang and Changchun. The country’s busiest cities – Beijing, Shanghai and Shenzhen – have not been included yet.

The government has also not disclosed much information about the investigation, which is being led by the Cyberspace Administration of China (CAC) and joined by six other agencies, including the Ministry of State Security and the Ministry of Public Security.

According to China’s cybersecurity review regulation, a probe typically concludes within 30 working days, but it can run up to 45 working days. An additional 45 days can be added as a special review period when there is disagreement among regulators.

The government has been weighing different potential punishments for Didi, including a record fine, the introduction of a state investor, or even a forced delisting from the New York Stock Exchange, Bloomberg reported in July. Didi has also been in talks with a state-owned company to handle its data management and monitoring, Reuters reported this month.

Didi has denied reports that it would be taken private, transfer data to a third party or introduce large new shareholders. The company also denied that it is facing a management reshuffle, which the Post reported last week as a possible consequence of the company going public against the warnings by the CAC.

Cheng Wei, Founder and CEO of Didi Chuxing, unveils rebranding and service upgrades to Didi Premier in Beijing on June 29, 2018. Photo: Reuters

Didi said last week that it is “actively and fully cooperating with authorities in the cybersecurity review”.

Carly Ramsey, a Shanghai-based director at the consultancy Control Risks who tracks political and regulatory risks in Greater China and North Asia, said that although it is hard to determine what the final penalties will be, China’s cybersecurity review measures offer a guide.

According to the country’s national security, cybersecurity and data security laws, which will act as a reference for measures against Didi, entities can be warned, fined, forced to “rectify” their products and services, or have their business licenses revoked. The first two laws are already in effect, and the newly passed Data Security Law takes effect next month.

“The outcome of the case, including what data are being looked into, will be an important reference for future cases,” Ramsey said. “There is a lot of speculation that the case is broader than just cybersecurity, but [also regards] listings in the US, so we really want to see what the investigation is about.”

This article appeared in the South China Morning Post print edition as: Didi business slows down as investigation hits operations

Post