Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

China: CAC fines Didi RMB 8 billion for CSL, DSL, and PIPL violations

The Cyberspace Administration of China ('CAC') announced, on 21 July 2022, that it had fined Didi Global Co., Ltd RMB 8.026 billion (approx. €1.1 billion) for violations of the Personal Information Protection Law ('PIPL'), Data Security Law ('DSL'), and Cybersecurity Law ('CSL'), following an investigation. 

Background to the decision

In particular, the CAC noted that, following an investigation by the Cybersecurity Review Office, it had filed a case to investigate Didi's suspected illegal activities. In addition, the CAC confirmed that it had conducted investigations and inquiries, collected technical evidence, and ordered Didi to submit relevant materials.

Findings of the CAC

Following its investigation, the CAC concluded that Didi had violated the CSL, DSL, and PIPL, and that the circumstances were of a serious nature.

More specifically, the CAC detailed that the illegal data handling included:

  • the illegal collection of screenshots of information from users' mobile photo albums;
  • excessive collection of user clipboard and application list information;
  • excessive collection of passengers' face recognition information;
  • excessive collection of passengers' evaluation of chauffeur-driven services; and
  • the collection of mobile phone connection records and precise location (longitude and latitude) information.

Furthermore, the CAC explained that Didi did not fulfill its obligations of cybersecurity, data security, and personal information protection in accordance with relevant laws and regulations, as well as the requirements of regulatory authorities. On this point, the CAC explained that Didi disregarded national cybersecurity and data security protection, which brought serious hidden risks, noting that Didi did not carry out the corrections ordered by the regulatory authorities.


In the aftermath of the investigation, the CAC fined Didi RMB 8.026 billion (approx. €1.1 billion) for its violation of the CSL, DSL, and PIPL, taking into account the nature, duration, harm, and circumstances of Didi's illegal acts. 

More generally, the CAC noted that it will intensify enforcement in areas such as cybersecurity, data security, and personal information protection in accordance with the law, through law enforcement interviews, corrective orders, warnings, fines, orders to suspend related businesses, business closures for rectification, and website closures, among other things.

You can read the press release here and the answers to reporters here, both only available in Chinese.