China: CAC fines Didi RMB 8 billion for PIPL, CSL, DSL violations
The Cyberspace Administration of China ('CAC') announced, on 21 July 2022, that it had fined Didi Global Co., Ltd RMB 8,000,000,000 (approx. €1.1 billion) for violations of the Personal Information Protection Law ('PIPL'), Data Security Law ('DSL'), and Cybersecurity Law ('CSL'), following an investigation.
Background to the decision
In particular, the CAC noted that it had, following an investigation by the Cybersecurity Review Office, filed a case to investigate Didi's suspected illegal activities. In addition, the CAC confirmed that it had conducted investigations and inquiries, collected technical evidence, and ordered Didi to submit relevant materials.
Findings of the CAC
Following its investigation, the CAC concluded that Didi had violated the CSL, DSL, and PIPL, and that the circumstances were of a serious nature.
More specifically, the CAC detailed that the illegal data handling included:
- the illegal collection of screenshots of information from users' mobile photo albums;
- excessive collection of user clipboard and application list information;
- excessive collection of passenger face recognition information;
- excessive collection of passengers' evaluation of chauffeur-driven services; and
- the collection of mobile phone connection records and precise location (longitude and latitude) information.
Furthermore, the CAC explained that Didi did not fulfil its obligations of cybersecurity, data security, and personal information protection in accordance with relevant laws and regulations as well as the requirements of regulatory authorities. On this point, the CAC explained that Didi disregarded national cybersecurity and data security protection, which brought serious hidden risks, noting that Didi did not carry out the corrections ordered by the regulatory authorities.
In the aftermath of the investigation, the CAC fined Didi RMB 8,000,000,000 (approx. €1.1 billion) for its violation of the CSL, DSL, and PIPL, taking into account the nature, duration, harm, and circumstances of Didi's illegal acts.
More generally, the CAC noted that it will intensify law enforcement in areas such as cybersecurity, data security, and personal information protection in accordance with law, through law enforcement interviews, corrective orders, warnings, fines, orders to suspend related businesses, business closures for rectification, and website closures, among other things.