Didi's $1.2 Billion Penalty and the Global 5% Upper Bound

This post was originally published in both English and Chinese on Interconnected.blog on July 24, 2022.

Last week, the embattled Didi stock had arguably its best week ever since its IPO last July, notching a 20% weekly gain.

Why? Because it was fined $1.2 billion by the Cyberspace Administration of China (CAC) for its egregiously poor data privacy and cybersecurity (mal)practices – roughly 4.4% of Didi’s previous year revenue.

Why would a penalty, let alone one of the largest regulatory fines ever imposed by the CAC, send Didi’s stock price way up? Because the market tends to reward certainty, even if that certainty is a $1.2 billion dollar fine.

Furthermore, this Didi fine, along with previous fines on Alibaba, Meituan, Google, and Facebook, signals the emergence of a macro certainty – a global 5% upper bound penalty standard on tech companies across regions and jurisdictions.

The 5% Upper Bound

Let’s first take a look at all the major regulatory penalties levied on all major tech companies over the last decade or so.

• June 2017: Google was fined $2.7 billion or 2.5% of its 2016 revenue by the European Commission (EC) for antitrust violations in search and Google Shopping listings.
• July 2018: Google was fined $5 billion or 4.5% of its 2017 revenue by the EC for antitrust violations for Android’s pre-install apps.
• March 2019: Google was fined $1.68 billion or 1.2% of its 2018 revenue by the EC for antitrust violations in forcing partners to use AdSense.
• July 2019: Facebook was fined $5 billion or 9% of its 2018 revenue by the US Federal Trade Commission (FTC) for data privacy violations and leak to Cambridge Analytica.
• April 2021: Alibaba was fined $2.8 billion or 4% of its 2019 China revenue by the State Administration for Market Regulation (SAMR) for antitrust violations with “choose one out of two” practices.
• October 2021: Meituan was fined $533 million or 3% of its 2020 China revenue by SAMR for antitrust violations with “choose one out of two” practices.

At first glance, the FTC-Facebook penalty, amounting to 9% of previous year’s revenue, was a major exception. However, Facebook allegedly (and voluntarily) paid more to the FTC in order to shield both Mark Zuckerberg and now-former COO, Sheryl Sandberg, from personal liability – a matter that Facebook/Meta is now being sued for by its shareholders. The original fine the FTC was planning to impose was only $106 million, well less than 1% of its previous year 2018 revenue of $55.8 billion.

Technically, the CAC has the power to penalize Didi up to 10% of its previous year’s revenue. But the penalty came in at 4.4%, despite Didi’s “extremely bad” data privacy and collection practices – gathering data from users’ screenshot albums to facial recognition information to location and travel intention data.

When the EU’s GDPR framework was first enshrined in 2018, it explicitly set a 4% upper bound of previous year’s global revenue for the worst data privacy offenders. Intentionally or not, regulators from the EU, the US, and China, who are in charge of cybersecurity, data privacy, and antitrust (three distinct issue areas), all appear to have organically coalesced around a “rule of thumb” upper bound of no more than 5%. This organic convergence among major economies’ regulators makes intuitive sense – as much as you want to punish bad behavior, you don’t want to damage your own country’s tech companies more than their global competitors, who are all doing the same thing!

Given how widely this 5% upper bound penalty standard has been applied across the global tech sector, it is hard to know whether it is tough enough or fair enough. But at least in Didi’s case, I believe it is.

Tough Enough and Fair Enough

The context of Didi’s punishment is unique in two ways, making the ultimate $1.2 billion penalty both tough and fair.

App Delisted During Investigation: Didi’s app was delisted from all app stores in China, almost as soon as the company IPO’ed last July and triggered the anger of Chinese regulators. Most tech companies that are under investigation get to continue operating their business, perhaps make some adjustment in anticipation of future penalties, but never have its core product delisted while waiting for a verdict.

Thus, what happened to Didi was quite extraordinary! Forcing its core ridesharing app off the app stores is arguably more damaging to Didi than this eventual fine. Case in point: in Didi’s most recent earnings report, its core China ride sharing business declined 15.1% – roughly the same dollar amount as the fine itself – effectively doubling the damage.

Global Revenue as Denominator: Didi’s penalty also appears to be calculated using its global revenue as the denominator, not just its China business. While using global revenue is the norm in the EU and the US, both Alibaba and Meituan’s penalties were calculated using their China market revenue as the denominator. In Alibaba’s case, it certainly made the $2.8 billion fine easier to swallow, since its overseas revenue is not trivial. As for Meituan, this choice of denominator probably did not make much of a difference, since its revenue is mostly from China.

Didi’s situation is somewhere in the middle. While Didi’s business is nowhere as expansive as Alibaba’s, it is aggressively expanding internationally, taking market share in Latin America, Japan, South Africa, Australia, and a few other countries. (I witnessed Didi’s aggressive expansion in Mexico personally last year, and have written about it in detail in a previous post.) Although most of these expansion motions are money-burning machines, they do generate a significant amount of topline revenue – making the choice of using a global, not a China-only, revenue denominator much more expensive for Didi.

Whether you think Didi’s $1.2 billion punishment is good news or bad news, we finally have some clarity around this iconic and controversial company. And if the global 5% upper bound penalty standard becomes the norm, investors can feel more confident modeling the eventual damage of any tech company in any jurisdiction going through an antitrust or cybersecurity investigation.

Holistically, this emerging certainty should form a more stable and welcoming global investing environment. So far, seeing how Didi’s stock has been treated, Mr. Market seems to agree.