China fines Didi USD 1.18 billion for data violations

China’s ride-hailing conglomerate Didi Global Inc was fined RMB 8.026 billion (approx. USD 1.18 billion) for violations of cybersecurity and data-related laws.

21 July 2022

China's ride-hailing conglomerate Didi Global Inc (Didi) was fined RMB 8.026 billion (approx. USD 1.18 billion) for violations of cybersecurity and data-related laws. The record-high fine relating to data protection was published by the Cyberspace Administration of China (CAC) on 21 July.

According to the CAC's press release (in Chinese), Didi was found to be in violation of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL) in eight aspects, including:

  • illegal collection of more than 11 million pieces of snapshot information in users' mobile phone albums;

  • excessive collection of more than 8.3 billion pieces of information in users' clipboards and lists of applications;

  • excessive collection of more than 107 million pieces of facial recognition information, 53 million pieces of age (range) information, 16 million pieces of occupation information, 1.3 million pieces of family relationship information and 153 million pieces of home and office address information of passengers;

  • excessive collection of more than 167 million pieces of precise location information (longitude and latitude) while users were commenting on the designated driving service, while the application was running in the background and while mobile phones were connected to Didi's video recording equipment;

  • excessive collection of more than 140,000 pieces of education information of drivers and storage of more than 57 million driver ID numbers in plaintext;

  • analysing more than 53 billion pieces of transportation purpose information, 1.5 billion pieces of residential city information and 304 million pieces of cross-city business / travel information, without explicitly informing the passengers;

  • repeatedly seeking irrelevant "telephone authorisation" from passengers when they use the carpooling service; and

  • failure to clearly and accurately explain the processing purposes of 19 types of personal information, including user device information.

The CAC stated that Didi's illegal conduct, starting from June 2015, has posed significant risks to the country's cybersecurity and data security, and seriously infringed the privacy and personal information rights of users. The CAC also commented that Didi's violations involve an enormous amount of data (over 64.7 billion pieces), multiple types of sensitive personal information and various applications and processing activities, and that the fine was based on the nature, duration and damage of Didi's illegal activities.

Didi's chairman and president were both held liable as the persons in charge of Didi's violations and were each fined RMB 1 million.

Under the PIPL, which took effect on 1 November 2021, serious data violations may lead to an administrative fine of up to RMB 50 million (approx. USD 7.4 million) or up to 5% of the annual turnover of the preceding year in the case of an enterprise, and an administrative fine of up to RMB 1 million (approx. USD 147,800) can be imposed on the person in charge or other personnel directly responsible.

The CAC and several other competent regulators initiated the cybersecurity investigation into Didi in July 2021. 26 mobile applications operated by Didi were later removed from app stores due to illegal collection and use of personal information.

Didi has published a statement that it accepted this decision and would conduct a comprehensive self-examination and complete remediation in line with the decision and relevant laws and regulations.