Nine months after the implementation of the Personal Information Protection Law of the People's Republic of China ("PIPL"), on July 21, 2022, the Cyberspace Administration of China ("CAC") announced the penalty decision against Didi Global Inc. ("Didi"), an innovative company which once created a new era and has become a domestic ride-hailing giant.

In accordance with the PIPL, the Data Security Law of the People's Republic of China ("DSL"), the Cybersecurity Law of the People's Republic of China ("CSL"), and other laws and regulations, CAC imposed a fine of RMB 8.026 billion on Didi; Cheng Wei (chairman and CEO of Didi) and Liu Qing (president of Didi) were each fined RMB 1 million. The year-long investigation and the "Didi Incident" finally come to a conclusion.

Doing a good job in data compliance has become a compulsory course for companies that have the ambition to stand out from the trend of the times. This alert will introduce the background and facts of "Didi Incident", and provide some key takeaways for kind reference.

I. Important Events on the Timeline

On June 30, 2021, Didi was successfully listed on the New York Stock Exchange. Only two days later, CAC announced its initiation of cybersecurity review on Didi Chuxing, during which Didi Chuxing was not allowed to accept new user registration.

On July 4 and 9, 2021, Didi Chuxing and other 25 Didi mobile apps were announced to be removed from APP Stores due to the collection and use of personal information in serious violations of laws and regulations.

On July 16, 2021, CAC, together with the Ministry of Public Security, the Ministry of National Security, the Ministry of Natural Resources, the Ministry of Transport, the State Taxation Administration, the State Administration for Market Regulation, jointly stationed in Didi Chuxing Technology Co., Ltd. to carry out cybersecurity review.

From December 3, 2021, due to the pressure from both the Public Company Accounting Oversight Board in the U.S. and domestic cybersecurity review, Didi started the NYSE delisting process. The series of documents stated that the company needs to complete the domestic cybersecurity review and rectification before it can resume normal operations (including applying for 26 mobile apps to be re-listed in China and resuming new user registrations).

On July 21, 2022, CAC issued the penalty decision against Didi.

II. Violations

A. Personal Information Protection Perspective

In the press conference of CAC, the regulator outlined 16 illegal behaviors of Didi, which can be summed up in 8 aspects, in terms of personal information protection.

  1. Illegally collecting 11.9639 million screenshot information from users' mobile phone photo albums;
  2. Excessively collecting 8.323 billion pieces of user clipboard information and application list information;
  3. Excessively collecting 107 million pieces of passenger facial recognition information and 53.5092 million pieces of age group information, 16.3356 million pieces of occupational information, 1.3829 million pieces of family relationship information, and 153 million pieces of hailing address information labeled as "home" and "company";
  4. Excessively collecting 167 million pieces of precise location (longitude and latitude) information when passengers evaluated the chauffeur service, when the app was running in the background, and when the mobile phone was connected to a video recorder device;
  5. Excessively collecting 142,900 pieces of driver education information, and storing 57.8026 million pieces of driver ID number information in plain text;
  6. Analyzing 53.976 billion pieces of passenger travel intention information, 1.538 billion pieces of resident city information, and 304 million pieces of non-local business/travel information without clearly informing passengers;
  7. Requesting for irrelevant "telephone permissions" frequently when passengers use the ride-hailing service; and
  8. Failing to accurately and clearly inform users of the processing purposes of 19 types of personal information, such as user equipment information.

B. National Security Perspective

The cybersecurity review also found that Didi has data processing activities that seriously affect national security. Although it was not expressly stated in details, this is most likely related to the large amount of corrected and precise geographic information that stored in Didi system. In the process of listing overseas, these data related to national security may be transferred abroad.

C. Other Violations

The decision also mentioned Didi's other violations of laws and regulations, such as refusal to fulfill the requirements of the regulatory authorities, malicious evasion of supervision, etc.

III. Penalty Decision

A. Subject

The subject of the illegal act in this case was identified as Didi Global Inc. The illegal acts of each business line were concretely implemented under the unified decision-making and deployment of this company.

Cheng Wei, chairman and CEO of Didi, and Liu Qing, president of Didi, are responsible for the violations.

B. Penalty

CAC imposed a fine of RMB 8.026 billion (approximately USD 1.2 billion) on Didi, accounting for nearly 5% of Didi's turnover of 2021 in China, which is RMB 160.521 billion. Cheng Wei and Liu Qing were each fined RMB 1 million (approximately USD 150,000).

C. Legal Basis

According to the public information, the penalty decision on Didi was made in accordance with the PIPL, the DSL, the CSL, the Administrative Punishment Law and other relevant provisions, mainly taking into account the following circumstances of Didi's illegal acts:

  • Bad faith: failed to conduct in-depth rectification when being ordered to make corrections;
  • Long duration: violations started in June 2015, and lasted for 7 years to date;
  • Serious damage: seriously infringed privacy and personal information rights and interests;
  • Large amount: illegally processed more than 64.709 billion pieces of personal information;
  • Various violations: multiple illegal acts such as excessive and forced collection of information.

According to the PIPL, for serious personal information violations, a fine of less than RMB 50 million or less than 5% of the previous year's turnover may be imposed on the subject of the violation. As such, basically, Didi was fined at the highest level. Meanwhile, the CEO and president of Didi who assumed personal liability for the violations were also fined at the highest level, as the PIPL provides that, the directly responsible person in charge and other directly responsible personnel can be fined up to RMB 1 million.

IV. Looking Forward

A. "Didi Incident" Ends or Not?

In CAC's decision letter, the issue of national security was only briefly mentioned, and the two executives were limited to administrative fines, but it cannot be ignored that the risk of criminal punishment exists. The circumstances of Didi's violation of personal information are serious and have reached the standard of criminal liability. Didi illegally processed 64.709 billion pieces of personal information, which is a huge amount, including facial recognition information, precise location information, ID card numbers and other sensitive personal information. It would not be a surprise if criminal liabilities are imposed on both the company and the executives.

Besides, as above-mentioned, up to 7 departments at national level were involved in the investigation on Didi, CAC is only one of them, whether there will be further announcement on Didi Incident is worth looking forward to.

Moreover, due to Didi's infringement upon the rights and interests of a large number of individuals, it may face follow-up damage compensation actions brought by consumers, as well as public interest actions brought by consumer organizations and people's procuratorate in the future.

B. China's Data Law Enforcement Entered a New Era?

Undoubtedly, the landmark Didi case has attracted great attention to data law enforcement again, since the more than half a year's implementation of the PIPL and the DSL. Different from normalized mobile app inspections, China data law enforcement authority shows its teeth in Didi case, which is an important signal that China takes seriously about personal information and national security protection, and the laws do not remain on paper.

It is expected that data law enforcement will continue to emerge in the future, and both domestic and foreign-invested enterprises should get well prepared.

C. What to Do Next?

For businesses operating in China, especially those process a large amount of personal information and/or process data that may be related to national security, it is advisable to establish a comprehensive data compliance system; and for those that have already had, to conduct regular data compliance audit and mitigate the identified gaps in a timely manner.

Recently, China has intensively issued regulations and documents concerning cross-border data transfer, enterprises with needs for data export should pay close attention. With the implementation of those relevant regulations, it is believed that cross-border data transfer will be one of the priorities of data law enforcement in China. (You may contact us to get our alerts on the recently released data export related regulations.)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.