Last week, the embattled Didi stock had arguably its best week ever since its IPO last July, notching a 20% weekly gain.
Why? Because it was fined $1.2 billion by the Cyberspace Administration of China (CAC) for its egregiously poor data privacy and cybersecurity (mal)practices – roughly 4.4% of Didi’s previous year revenue.
Why would a penalty, let alone one of the largest regulatory fines ever imposed by the CAC, send Didi’s stock price way up? Because the market tends to reward certainty, even if that certainty is a $1.2 billion dollar fine.
Furthermore, this Didi fine, along with previous fines on Alibaba, Meituan, Google, and Facebook, signals the emergence of a macro certainty – a global 5% upper bound penalty standard on tech companies across regions and jurisdictions.
The 5% Upper Bound
Let’s first take a look at all the major regulatory penalties levied on all major tech companies over the last decade or so.
- June 2017: Google was fined $2.7 billion or 2.5% of its 2016 revenue by the European Commission (EC) for antitrust violations in search and Google Shopping listings.
- July 2018: Google was fined $5 billion or 4.5% of its 2017 revenue by the EC for antitrust violations for Android’s pre-install apps.
- March 2019: Google was fined $1.68 billion or 1.2% of its 2018 revenue by the EC for antitrust violations in forcing partners to use AdSense.
- July 2019: Facebook was fined $5 billion or 9% of its 2018 revenue by the US Federal Trade Commission (FTC) for data privacy violations and leak to Cambridge Analytica.
- April 2021: Alibaba was fined $2.8 billion or 4% of its 2019 China revenue by the State Administration for Market Regulation (SAMR) for antitrust violations with “choose one out of two” practices.
- October 2021: Meituan was fined $533 million or 3% of its 2020 China revenue by SAMR for antitrust violations with “choose one out of two” practices.
At first glance, the FTC-Facebook penalty, amounting to 9% of previous year’s revenue, was a major exception. However, Facebook allegedly (and voluntarily) paid more to the FTC in order to shield both Mark Zuckerberg and now-former COO, Sheryl Sandberg, from personal liability – a matter that Facebook/Meta is now being sued for by its shareholders. The original fine the FTC was planning to impose was only $106 million, well less than 1% of its previous year 2018 revenue of $55.8 billion.
Technically, the CAC has the power to penalize Didi up to 10% of its previous year’s revenue. But the penalty came in at 4.4%, despite Didi’s “extremely bad” data privacy and collection practices – gathering data from users’ screenshot albums to facial recognition information to location and travel intention data.
When the EU’s GDPR framework was first enshrined in 2018, it explicitly set a 4% upper bound of previous year’s global revenue for the worst data privacy offenders. Intentionally or not, regulators from the EU, the US, and China, who are in charge of cybersecurity, data privacy, and antitrust (three distinct issue areas), all appear to have organically coalesced around a “rule of thumb” upper bound of no more than 5%. This organic convergence among major economies’ regulators makes intuitive sense – as much as you want to punish bad behavior, you don’t want to damage your own country’s tech companies more than their global competitors, who are all doing the same thing!
Given how widely this 5% upper bound penalty standard has been applied across the global tech sector, it is hard to know whether it is tough enough or fair enough. But at least in Didi’s case, I believe it is.
Tough Enough and Fair Enough
The context of Didi’s punishment is unique in two ways, making the ultimate $1.2 billion penalty both tough and fair.
App Delisted During Investigation: Didi’s app was delisted from all app stores in China, almost as soon as the company IPO’ed last July and triggered the anger of Chinese regulators. Most tech companies that are under investigation get to continue operating their business, perhaps make some adjustment in anticipation of future penalties, but never have its core product delisted while waiting for a verdict.
Thus, what happened to Didi was quite extraordinary! Forcing its core ridesharing app off the app stores is arguably more damaging to Didi than this eventual fine. Case in point: in Didi’s most recent earnings report, its core China ride sharing business declined 15.1% – roughly the same dollar amount as the fine itself – effectively doubling the damage.
Global Revenue as Denominator: Didi’s penalty also appears to be calculated using its global revenue as the denominator, not just its China business. While using global revenue is the norm in the EU and the US, both Alibaba and Meituan’s penalties were calculated using their China market revenue as the denominator. In Alibaba’s case, it certainly made the $2.8 billion fine easier to swallow, since its overseas revenue is not trivial. As for Meituan, this choice of denominator probably did not make much of a difference, since its revenue is mostly from China.
Didi’s situation is somewhere in the middle. While Didi’s business is nowhere as expansive as Alibaba’s, it is aggressively expanding internationally, taking market share in Latin America, Japan, South Africa, Australia, and a few other countries. (I witnessed Didi’s aggressive expansion in Mexico personally last year, and have written about it in detail in a previous post.) Although most of these expansion motions are money-burning machines, they do generate a significant amount of topline revenue – making the choice of using a global, not a China-only, revenue denominator much more expensive for Didi.
Whether you think Didi’s $1.2 billion punishment is good news or bad news, we finally have some clarity around this iconic and controversial company. And if the global 5% upper bound penalty standard becomes the norm, investors can feel more confident modeling the eventual damage of any tech company in any jurisdiction going through an antitrust or cybersecurity investigation.
Holistically, this emerging certainty should form a more stable and welcoming global investing environment. So far, seeing how Didi’s stock has been treated, Mr. Market seems to agree.
滴滴：80 亿元处罚和 5% 的罚款上限
(本篇中文版文章是读者 Ben Yu 做的编译，我做了一些修改后发表。非常感谢Ben的贡献！)
萎靡不振的滴滴股票在上周突然上涨 20%，可以说是自去年滴滴 7 月 IPO 以来表现最好一周了。
为什么会出现这种情况？因为滴滴由于严重的数据隐私安全问题，被国家互联网信息办公室（CAC）处以 80 亿元（约12亿美元）的罚款，这大约是滴滴在 2021 年收入的 4.4%。
这可能有些令人疑惑：为什么滴滴被罚款，反而让滴滴的股价大幅上涨了呢？更不用说这是 CAC 有史以来判决的规模最大的监管罚款之一。这是因为，这笔罚款让滴滴的未来走向变得更加明确，而股票市场一贯奖励“明确”，即便明确的来法是笔罚款。
如果去统计过去滴滴、阿里巴巴、美团、Google 和 Facebook 的罚款，会在宏观层面总结出一个结论：全球的科技公司在不同管辖地区的罚款上限，基本为上一年收入的 5%。
- 2017 年 6 月：欧盟委员会裁定 Google 滥用搜索引擎市场的支配地位，非法操纵购物广告搜索而被罚，相当于其 2016 年收入的 2.5% 。
- 2018 年 7 月：Google 因为滥用安卓市场的主导地位而违反了反垄断法，被欧盟委员会罚款 50 亿美元，相当于其 2017 年收入的 4.5%。
- 2019 年 3 月：Google 因为迫使合作伙伴使用 AdSense，违反了反垄断法，欧盟委员会对 Google 处以 16.8 亿美元罚款，相当于其 2018 年收入的 1.2%。
- 2019 年 7 月：Facebook 因为非法将用户数据泄露给剑桥分析公司，被美国联邦贸易委员会（FTC）处以 50 亿美元罚款，相当于其 2018 年收入的 9%。
- 2021 年 4 月：阿里巴巴因为迫使商家在平台之间二选一，被国家市场监督管理总局（SAMR）处以 28 亿美元的罚款，相当于其 2019 年在中国市场收入的 4%。
- 2021 年 10 月：美团因违反反垄断规定而被 SAMR 处以 5.33 亿美元的罚款，相当于其 2020 年在中国市场收入的 3%。
其中，FTC 对 Facebook 的处罚（相当于前一年收入的 9%）看起来是一个例外，但是据称 Facebook 自愿向 FTC 支付更多的罚款，以保护扎克伯格和桑德伯格免于个人法律责任——Facebook 现在正被其股东起诉此事。FTC 最初计划开出的罚单只有 1.06 亿美元，远低于其 2018 年 558 亿美元收入的 1%。
理论上 CAC 可以对滴滴进行最高达其上一年收入 10% 的处罚，而且滴滴的数据隐私问题非常严重：违法收集用户手机相册中的截图信息、过度收集乘客人脸识别、位置和行程信息等等。但最终滴滴的罚款则是上一年收入的 4.4%。
当欧盟在 2018 年首次出台《通用数据保护条例》（GDPR）时，它明确地为最严重的数据隐私侵犯情况设定了前一年全球收入 4% 的上限。不管有意与否，欧盟、美国和中国的监管机构在处理网络安全、数据隐私和反垄断（三个不同的问题领域）的案件上 ，都心照不宣地遵循处罚不超过 5% 的原则，这种统一背后的含义是，尽管国家想惩罚这种不良行为，但都不希望自己国家的科技公司比它们全球竞争对手承受更大的损失。
鉴于这个 5% 的上限罚款标准在全球科技行业的应用范围如此广泛，很难知道是否足够严厉又足够公平。对滴滴这一例来说，我认为怒是公平的。
对滴滴的惩罚在两个方面是特有的，使得最终 80 亿元的惩罚既严厉又公平。
调查期间 App 被下架：去年滴滴 IPO 引发中国监管机构的不满，要求其 App 从各个应用商店下架。大部份的科技公司在接受调查时都可以继续运营业务，或者会在预期受到惩罚的情况下做出一些调整，但在等待裁决期间，它们的核心产品都不会被勒令下架。
因此，发生在滴滴身上的事情还是有些罕见的。对滴滴来说，强迫其核心 App 下架可以说比最终的罚款更具破坏性。举一个例子：滴滴最近的盈利报告显示，其核心业务下降了 15.1% – 大致相当于罚款本身的金额，所以实际上这次处罚对滴滴来说造成了双倍的损失。
不管你认为滴滴被罚 80 亿元是好事还是坏事，我们终于对这家标志性的、有争议的公司的未来走向更明确些了。而且，如果全球 5% 的罚款上限成为约定俗成的标准，投资者就有更多的信心去模拟未来公司遇到这种处罚情况后，对公司的最终损害会有多大。