DiDi Global (DIDIY) Risk Factors

We receive, transmit and store personally identifiable information and other data on our platform, and we are subject to numerous laws and regulations that address privacy, data protection and the collection, storing, sharing, use, disclosure and protection of certain types of data in various jurisdictions. The PRC government has proposed or promulgated a number of new measures and regulations in recent years regarding cybersecurity and data security, such as the Cybersecurity Law promulgated by the Standing Committee of the National People's Congress in November 2016, which came into effect in June 2017, the Data Security Law promulgated by the Standing Committee of the National People's Congress in June 2021, which came into effect in September 2021, the Personal Information Protection Law promulgated by the Standing Committee of the National People's Congress in August 2021, effective in November 2021. These regulatory developments impose more specific and comprehensive requirements with respect to data security and privacy protection. For more information about these PRC laws and regulations, see "Item 4. Information on the Company-B. Business Overview-Regulation-PRC Regulations-Regulations Relating to Cybersecurity and Information Security" and "Item 4. Information on the Company-B. Business Overview-Regulation-PRC Regulations-Regulations Relating to Privacy Protection." On December 28, 2021, the CAC, together with certain other PRC governmental authorities, promulgated the Revised Cybersecurity Review Measures, which took effect from February 15, 2022. Pursuant to these measures, the purchase of network products and services by an operator of critical information infrastructure or the data processing activities of a network platform operator that affect or may affect national security will be subject to cybersecurity review. In addition, any online platform operator possessing over one million users' individual information must apply for a cybersecurity review before listing abroad. The competent governmental authorities may also initiate a cybersecurity review against an operator if the authorities believe that the network product or service or data processing activities of the operator affects or may affect national security. Article 10 of the Revised Cybersecurity Review Measures also set out certain national security risk factors to be considered and assessed under the cybersecurity review. See "Item 4. Information on the Company-B. Business Overview-Regulation-PRC Regulations-Regulations on Cybersecurity and Information Security." As of the date of this annual report, no regulator has promulgated any detailed implementation rules, the specific scope of "operators of critical information infrastructure" is subject to the discretion of the regulators and the specific rules regarding whether an activity "will or may affect national security" have not yet been promulgated. As such, how the Revised Cybersecurity Review Measures will be interpreted or implemented depends on the implementation rules to be promulgated by the regulators. If we fail to comply with these new regulatory requirements, we may be subject to new legal risks. We intend to closely monitor regulatory developments and take any necessary measures in a timely manner to protect user privacy and data security. For example, after these new laws and regulations were promulgated, to ensure our compliance with them, we (i) enhanced the ability of our internal departments to protect information and maintain data security; (ii) supplemented and refined our policies for data security and personal information protection; (iii) enhanced our assessment and approval procedures for data processing activities, and created personal information protection assessments regarding processing of sensitive information; (iv) refined our mechanisms for responding to user rights requests to ensure a timely and adequate response; and (v) further enhanced our technical measures relating to data security. On November 14, 2021, the CAC promulgated the draft Regulations on the Administration of Cyber Data Security for public comment, pursuant to which data processors conducting the following activities must apply for cybersecurity review: (i) a merger, reorganization or division of internet platform operators that have acquired a large number of data resources related to national security, economic development or public interests affects or may affect national security; (ii) an overseas listing of a data processor that processes the personal information of more than one million users; (iii) a listing in Hong Kong that affects or may affect national security; or (iv) other data processing activities that affect or may affect national security. To date, these draft regulations have not yet become effective, but if they were promulgated in their current form, and if we are required to apply for a new cybersecurity review but are unable to complete that review, our business operations may be materially and adversely impacted. In addition, the draft Regulations on the Administration of Cyber Data Security set out a full set of compliance requirements with respect to the processing of important data and impose regulatory requirements on the governance of internet platform operators' data. Since our mobility services may involve the collection and usage of important data, if this draft is finalized in its current form, we would need to enhance our internal data governance to comply with the compliance requirements. These laws, rules or regulations, together with the rules promulgated by the CSRC regarding overseas listing by PRC domestic companies, may further affect our business and any future securities offerings given factors such as our various networks, platforms, types of data collected, number of users, among others. See "Item 3. Key Information-D. Risk Factors-Risks Relating to Doing Business in China-We may be required to obtain approval or subject to filing or other requirements from the CSRC or other PRC governmental authorities for any future listing or other financing activities" for more details regarding the rules promulgated by the CSRC regarding overseas listing by PRC domestic companies. In the meantime, the PRC regulatory authorities have also enhanced the supervision and regulation of cross-border data transfer. For example, the CAC promulgated the Measures for the Security Assessment of Cross-Border Data Transfer, which took effect on September 1, 2022. These measures require data processors providing data to overseas recipients to apply for a security assessment of cross-border data transfer by the national cybersecurity authority through its local counterpart under certain circumstances. The CAC also promulgated the Measures on the Standard Contract for Cross-border Transfer of Personal Information, which became effective on June 1, 2023. These measures require personal information processors providing personal information to overseas recipients by entering into standard contracts to file with the local counterpart of the CAC under certain circumstances. Furthermore, on March 22, 2024, the CAC promulgated the Provisions on Promoting and Standardizing Cross-Border Data Transfer, which further set forth the circumstances that are exempted from, and thresholds for, performing the security assessment or filing procedures for cross-border data transfer under these measures. We have incurred, and will continue to incur, significant expenses in our efforts to comply with cybersecurity and information security standards and protocols imposed by law, regulation, industry standards or contractual obligations. Changes in existing laws or regulations or adoption of new laws and regulations relating to cybersecurity and information security, particularly any new or modified laws or regulations that require enhanced protection of certain types of data or new obligations with regard to data retention, transfer or disclosure, could greatly increase the cost to us of providing our service offerings, or require significant changes to our operations. The regulatory authorities have the power, based on statutes and regulations, to carry out inspections or cybersecurity reviews of us. If any of our behavior has violated statutes or regulations, we may incur heavy fines or negative publicity, and we may need to change our business practices, which may increase our expenses and materially affect our business, prospects, financial condition and operational results. For example, in accordance with the requirements of the PRC Cybersecurity Law, a cyberspace operator or a cyberspace product or service provider which infringes upon the legal rights of individuals' personal information in violation of the provisions under the Cybersecurity Law may be ordered by a competent authority to make rectifications, and depending on the seriousness of the case, it may be subject to warnings, confiscation of illegal gains, and/or monetary fines. In serious cases, the competent authorities may require us to suspend operations, shut down our websites and apps or revoke our business permits and licenses. We have undergone a cybersecurity review in China in the past. See "Item 8. Financial Information-A. Consolidated Statements and Other Financial Information-Legal and Administrative Proceedings" for more details. In addition, if in the future, we are subject to business restrictions resulting from new regulatory reviews, or if we violate any PRC statutes or regulations and incur any penalty or punishment, the growth or use of our platform in China may decline, which would have a material adverse effect on our business, financial condition, operations and prospects. Despite our efforts to comply with applicable laws, regulations and other obligations relating to privacy, data protection and information security, we cannot assure you that our practices, offerings or platform meet all of the requirements imposed on us by such laws, regulations or obligations. Any failure on our part to comply with applicable laws or regulations or any other obligations relating to privacy, data protection or information security, or any compromise of security that results in unauthorized access, use or release of personally identifiable information or other data, or the perception or allegation that any of the foregoing types of failure or compromise has occurred, could damage our reputation, discourage new and existing drivers, riders and other users from using our platform or result in investigations, fines, suspension of one or more of our apps, or other penalties by government authorities and private claims or litigation, any of which could materially adversely affect our business, financial condition and results of operations. If there is a perception of privacy concerns, it may harm our reputation and brand and adversely affect our business, financial condition and results of operations.

Illegal, improper or otherwise inappropriate activities by drivers, consumers or other users, including the activities of individuals who may have previously engaged with our platform but are not then receiving or providing services offered through it, or individuals who are intentionally impersonating users of our platform, could adversely affect our brand, business, financial condition and results of operations. These activities may include assault, abuse, theft and other misconduct. While we have implemented various measures intended to anticipate, identify and address the risk of these types of activities, these measures may not adequately address or prevent all illegal, improper or otherwise inappropriate activities by these parties. Such conduct could expose us to liability or adversely affect our brand or reputation. At the same time, if the measures we have taken to guard against these illegal, improper or otherwise inappropriate activities are too restrictive and inadvertently prevent or discourage drivers, consumers or other users from remaining engaged on our platform, or if we are unable to implement and communicate these measures fairly and transparently or are perceived to have failed to do so, the growth and retention of the number of drivers, consumers and other users on our platform and their utilization of our platform could be negatively impacted. Further, any negative publicity related to the foregoing, whether such incident occurred on our platform or on our competitors' platforms, could adversely affect our reputation and brand or public perception of ride hailing and other mobility services in general, which could negatively affect demand for platforms like ours, and potentially lead to increased regulatory or litigation exposure. Any of the foregoing risks could harm our business, financial condition and results of operations.

We generate a significant percentage of our transactions from certain major cities. We experience greater competition in large cities than we do in other markets in which we operate, which has led us to offer significant driver incentives and consumer discounts and promotions in these cities. As a result of our geographic concentration, our business and financial results are susceptible to economic, social, weather, and regulatory conditions or other circumstances in each of these cities. For example, travel restrictions and other limitations imposed in Guangdong province in early 2021 during the COVID-19 pandemic adversely affected our operating performance and results of operations for the three months ended June 30, 2021, including in terms of China Mobility GTV and Platform Sales. Outbreaks of contagious diseases or other viruses such as the COVID-19 pandemic could lead to a sustained decline in the desirability of living, working and congregating in the cities in which we operate. Any short-term or long-term shifts in the travel patterns of consumers away from cities, due to health concerns regarding epidemics or pandemics, could have an adverse impact on our GTV from these areas. An economic downturn, increased competition, or regulatory obstacles in any of these cities would adversely affect our business, financial condition, and operating results to a much greater degree than would the occurrence of similar events in other areas. In addition, any changes to local laws or regulations within these cities that affect our ability to operate or increase our operating expenses in these markets would have an adverse effect on our business. Furthermore, if we are unable to renew existing licenses or do not receive new licenses in the major cities where we operate or such licenses are terminated, any inability to operate in such urban area, as well as the publicity concerning any such termination or non-renewal, could adversely affect our business, financial condition, and operating results. Further, we expect that we will continue to face challenges operating in non-urban areas, where our network is smaller and our presence is smaller. If we are not successful operating in non-urban areas, or if we are unable to operate in certain key cities in the future, our ability to serve what we consider to be our total addressable market would be limited, and our business, financial condition, and operating results would suffer.

We rely heavily on information technology systems across our operations. Our information technology systems, including mobile and online platforms, mobile payment systems and administrative functions, and the information technology systems of our third-party business partners and service providers contain proprietary or confidential information related to business and sensitive personal data, including personally identifiable information, entrusted to us by drivers, consumers, businesses, employees, and job candidates. Computer malware, viruses, spamming, and phishing attacks have become more prevalent in our industry, have occurred on our systems in the past, and may occur on our systems in the future. Various other factors may also cause system failures, including power outages, catastrophic events, inadequate or ineffective redundancy, issues with upgrading or creating new systems or platforms, flaws in third-party software or services, errors by our employees or third-party service providers, or breaches in the security of these systems or platforms. If we cannot resolve these issues in an effective manner, they could adversely impact our business operations and our financial results. Because of our prominence, the number of platform users, and the types and volume of personal data on our systems, we may be a particularly attractive target for such attacks. Although we have developed systems and processes that are designed to protect our data and that of platform users, and to prevent data loss, undesirable activities on our platform, and security breaches, we cannot assure you that such measures will provide absolute security. Our efforts on this front may be unsuccessful as a result of, for example, software bugs or other technical malfunctions, employee, contractor, or vendor error or malfeasance, or the appearance of new threats that we did not anticipate or guard against, and we may incur significant costs in protecting against or remediating cyber-attacks. Any actual or perceived failure to maintain the performance, reliability, security, and availability of our products, offerings, and technical infrastructure to the satisfaction of platform users and government regulators would likely harm our reputation and result in loss of revenues from the adverse impact to our reputation and brand, disruption to our business, and our decreased ability to attract and retain drivers and consumers.

We have operations in China and 14 other countries through our platforms or our partnerships across the world as of December 31, 2023. We began expanding into international markets in 2018 and have limited experience operating in many jurisdictions outside of China. We have made, and expect to continue to make, significant investments to expand our international operations and compete with local competitors. Such investments may not be successful and may negatively affect our operating results. Our International segment had adjusted EBITA losses of RMB5.8 billion, RMB4.0 billion and RMB2.3 billion (US$0.3 billion) in 2021, 2022 and 2023, respectively. Conducting our business internationally, particularly in countries in which we have limited experience, subjects us to risks that we do not face to the same degree in China. These risks include, among others: - operational and compliance challenges caused by distance, language, and cultural differences;- the resources required to build a local management team in each new market and to localize our service offerings to appeal to drivers and consumers in that market;- compliance challenges caused by unfamiliar laws and regulations;- competition with businesses that understand local markets better than we do, that have pre-existing relationships with potential consumers in those markets, or that are favored by government or regulatory authorities in those markets;- international geopolitical tensions;- political, social and economic instability in any jurisdiction where we operate;- international export controls and economic and trade sanctions;- legal uncertainty regarding our liability for the actions of drivers, consumers and other third parties, including uncertainty resulting from unique local laws or a lack of clear legal precedent;- fluctuations in currency exchange rates;- managing operations in markets in which cash transactions are favored over credit or debit cards;- adverse tax consequences, including the complexities of foreign value added tax systems, and restrictions on the repatriation of earnings;- increased financial accounting and reporting burdens, and complexities associated with implementing and maintaining adequate internal controls;- difficulties in implementing and maintaining the financial systems and processes needed to enable compliance across multiple offerings and jurisdictions; and - reduced or varied protection for intellectual property rights in some markets. These risks could adversely affect our international operations, which could in turn adversely affect our business, financial condition, and operating results.

Any unforeseen public health matters, such as pandemics, epidemics or other outbreaks of contagious diseases, could adversely affect our operations or the economies of the markets where we operate. For example, from 2020 through 2022, outbreaks of COVID-19 resulted in the temporary closure of many corporate offices, retail stores, and manufacturing facilities across China. The demand for our mobility offerings, as well as the supply of drivers, decreased drastically under those conditions. Outbreaks of other similar contagious diseases may materially and adversely affect our business, financial condition and results of operations in the current and future years. In addition, a significant natural disaster, such as an earthquake, fire, hurricane, tornado, flood or significant power outage, could disrupt our operations, mobile networks, the internet or the operations of our third-party technology providers. Political crises, such as terrorist attacks, war and other political instability, or other catastrophic events, whether in China or abroad, could adversely affect our operations or the economies of the markets where we operate. The impact of any natural disaster, act of terrorism or other disruption to us or our third-party providers' abilities could result in decreased demand for our offerings or a delay in the provision of our offerings, which could adversely affect our business, financial condition and results of operations. All of the aforementioned risks may be further increased if our disaster recovery plans prove to be inadequate. Disruptions or downturns in global or national or local economic conditions may cause discretionary spending and demand for ride hailing and other mobility services to decline. An economic downturn resulting in a prolonged recessionary period would have a material adverse effect on our business, financial condition, and operating results.