Cyberspace regulator's Q&A on DiDi's $1.2b fine
"The nature (of DiDi's violation) is extremely bad," says Chinese govt.
As exclusively reported by Keith Zhai and Liza Lin on July 19 in the Wall Street Journal, the Cyberspace Administration of China (CAC) on July 21 slapped a $1.2 billion fine on DiDi Global Inc., the Chinese ride-hailing giant.
(In my personal observation, Keith Zhai is the most productive source on China in Western mainstream media these days.)
Will Wei Cheng 程维, Chairman of the Board and Chief Executive Officer, and Jean Qing Liu 柳青, Director and President, were each personally fined $148,000 (one million yuan).
The fine is the biggest CAC has imposed so far, and the stated cause is cybersecurity violations. No calculation of the amount has been published. The tone of CAC’s statement is very harsh: the “nature (of DiDi’s violation) is extremely bad.”
In April 2021, China’s State Administration for Market Regulations (SAMR) fined Alibaba $2.8 billion citing antitrust abuse, and that amount was 4% of its 2019 domestic revenue. Last year, SAMR also fined Meituan $530 million, 3% of its 2020 revenue.
CAC details DiDi’s violations of users’ privacy, including 违法 “illegally” or 过度 “excessively” gathering and analyzing information, facial recognition data among it. Even the DiDi apps’ frequent requests for permissions on users’ phones were listed as a violation.
CAC withholds the details of DiDi’s risk to China’s national security.
CAC says the severity, the lengthy duration of the violations, the massive amount of information involved, the harm of the violations, and the many types of violations warrant a severe penalty.
Unsurprisingly, DiDi has accepted the penalty.
For more details, see below.
(Click here for an exclusive book excerpt on the birth of DiDi.)
Q: What are the violations of laws and rules?
A: It has been found that there are 16 types of violations in DiDi, which can be summarized into eight aspects.
Illegally collected 11.96 million pieces of screenshot information from the photo albums of users’ smartphones;
Excessively collected 8.323 billion pieces of information from users’ clipboards and lists of installed apps;
Excessively collected 107 million pieces of passenger facial recognition information, 53.5092 million pieces of age information, 16.3356 million pieces of occupation information, 1.3829 million pieces of family relationship information, and 153 million pieces of taxi address information for "home" and "company";
Excessively collected 167 million pieces of accurate location (latitude and longitude) information when passengers were evaluating the service, when the DiDi app was running in the background, and when mobile phones were connected to DiDi’s Orange Vision recording equipment;
Excessively collected 142,900 pieces of driver education information, and stored 57.8 million pieces of driver ID number information in plain text;
Analyzed 53.976 billion pieces of information about passengers' travel intentions, 1.538 billion pieces of information about cities of permanent residence, and 304 million pieces of information about non-resident business/travel without explicitly informing passengers;
Frequently asked for permission to access the 电话 Phone while the passenger was using DiDi’s 顺风车 Hitchhiking service within the app, a permission which (according to CAC) is irrelevant to that service;
Did not give an accurate or clear explanation of its processing of 19 types of personal information, such as 用户设备信息 User Equipment Information.
Previously, the cybersecurity review also found that DiDi had data processing activities that seriously affected national security, as well as other violations of laws and regulations such as refusing to comply with the explicit requirements of regulatory authorities, 阳奉阴违 overtly agreeing but covertly opposing (regulators), and maliciously evading supervision. DiDi's illegal and rule-breaking operation brings serious risks to the security of national key information infrastructure and to data security. Because it involves national security, the details are not disclosed, in accordance with the law.
Q: What is the main basis for the decision to impose the relevant administrative penalties against Didi?
A: The administrative punishment related to the cybersecurity review of Didi is different from general administrative punishments and has its particularity.
Didi’s violation of laws and regulations is serious and should be severely punished based on the review of cybersecurity.
Judging from the nature of the illegal acts, Didi failed to fulfill its obligations of cybersecurity, data security, and personal information protection in accordance with the relevant laws and regulations and the requirements of the regulatory authorities, ignoring national cybersecurity and data security, which brought serious potential risks to national cybersecurity and data security. In addition, Didi failed to carry out comprehensive and in-depth rectification after the regulatory authorities’ instructions. The nature of these acts is extremely bad.
Judging from the duration of the illegal acts, the relevant illegal acts of Didi Company started in June 2015 and have continued up to now, a period of 7 years. DiDi continuously violated the Cybersecurity Law, effective since June 2017, the Data Security Law, effective since September 2021, and the Personal Information Protection Law, effective since November 2021.
Judging from the harm of the illegal acts, Didi has collected personal information such as users’ clipboard information, screenshots in photo albums, and family relationship information through illegal means, thus seriously infringing on the privacy of users and seriously infringing on the rights and interests of users' personal information.
Judging from the amount of personal information illegally processed, Didi has illegally processed 64.709 billion pieces of personal information, which is a huge amount, including various sensitive personal information such as facial recognition information, accurate location information, and ID numbers.
Judging from the circumstances of the illegal handling of personal information, Didi's illegal behavior involves multiple apps, covering various situations such as excessive collection of personal information, mandatory collection of sensitive personal information, frequent requests for permissions in its apps, incomplete fulfillment of its obligation to notify users of the handling of personal information, and incomplete fulfillment of its obligations in cybersecurity and data security protection.
Considering the nature, duration, harm, and circumstances of Didi's illegal acts, the main basis to make the decision to impose the relevant administrative penalties on Didi includes the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Law on Administrative Penalty, and other relevant provisions.
The complete Q&A in Chinese is available on CAC’s website.
DiDi’s public statement, via its official account on Weibo, the Chinese equivalent of Twitter:
Today, the Cyberspace Administration of China made a decision to impose relevant administrative penalties upon a cybersecurity review against Didi Global Co., Ltd. in accordance with the law.
We sincerely accept this decision and resolutely obey it. In strict accordance with the penalty decision and the requirements of relevant laws and regulations, we will conduct a comprehensive and in-depth self-examination, actively cooperate with the regulation, and earnestly complete rectification.
We sincerely thank the competent authorities for their inspection and guidance, as well as the public for their criticism and supervision. We will take this as a warning and adhere to both security and development. We will further strengthen cybersecurity and data security, strengthen the protection of personal information, earnestly fulfill our social responsibilities, serve every passenger, driver, and partner well, and realize the safe, healthy, and sustainable development of our company.