Didi said on its Weibo account on Thursday that it fully accepted the regulator’s decision and would rectify its wrongdoings.

07:30

Why China is tightening control over cybersecurity

Why China is tightening control over cybersecurity

The CAC’s decision comes more than a year after authorities initiated an unprecedented cybersecurity probe into the company, days after it launched a US$4.4 billion initial public offering in New York on June 30, 2021.

However, the abrupt investigation shook investor confidence in Chinese technology stocks. Since then, few Chinese companies have chosen to list in the US.

The CAC said in its statement that Didi had committed 16 offences involving the illegal collection of data from drivers and passengers. They include the illegal processing of 64.7 billion personal information entries over the span of seven years since June 2015.

“Didi has failed to perform its duty to maintain cyberspace security, data security, and personal information protection … bringing serious risks to national cyberspace security and data security,” the regulator said.

“Moreover, even with clear orders from regulatory authorities to correct the issues, Didi failed to carry out comprehensive and in-depth rectifications. The nature of the offence was egregious.”

The CAC did not disclose what security threats Didi had caused to “the nation’s crucial information infrastructure and data security”, citing national security reasons.

“Today’s CAC announcement signifies that the probe has basically come to a close”, said Sun Pengcheng, a lawyer specialising in data law at Dentons law firm.

He said, however, that the results lack meaningful implications for other data-rich internet companies regarding their data compliance practices because it is difficult to tell where the red line is when it comes to data-related national security issues.

While the investigation has ended, China’s regulatory crackdown on Big Tech players may not be over, according to Alex Capri, lecturer at the National University Singapore Business School and Lee Kuan Yew School of Public Policy.

“Beijing’s fixation on data as a national security issue virtually guarantees that tech companies from China, as well as foreign companies in China, will have to deal with rigid rules regarding data sharing, data localisation and data sovereignty,” he said, noting that the scrutiny on Didi’s data practices also applies to other tech giants.

“Investors should remain sceptical when it comes to investing in China tech,” according to Capri, partly because geopolitical tensions remain between China and the West.

Didi Global reveals it faces SEC probe over NYSE IPO

On Thursday, the CAC said Didi was found to have illegally collected nearly 12 million pieces of photo information from users’ phones, 107 million entries of facial recognition data, 53.5 million entries of age data, 16.3 million entries of occupation data, and 1.4 million entries of data about family relations.

Didi was also accused of gathering 153 million entries of home and company address data and 167 million entries of location information. Didi analysed, without user consent, 54 billion entries regarding the travel purposes of passengers.

“The investigation also found that Didi had engaged in data processing activities that seriously affected national security, and refused to fulfil the requirements of regulatory authorities, among other illegal issues, such as false compliance and malicious evasion of supervision,” the statement said.