How Did Didi Run Afoul of China’s Cybersecurity Regulators? Understanding the US$1.2 Billion Fine
China’s cybersecurity authorities recently released the findings of the Didi cybersecurity review, a year-long saga culminating in a US$1.2 billion fine. Didi was found to have broken multiple data and cybersecurity laws through a variety of illegal activities, from the excessive collection of user information to improperly handling sensitive information. We discuss how Didi was in violation of China’s cybersecurity legislation, and offer advice for companies on how to ensure compliance to avoid similar pitfalls.
The recent RMB 8.03 billion (US$1.2 billion) fine incurred by popular ride-hailing company Didi Chuxing serves as a stark reminder of the importance of complying with China’s cybersecurity laws. The fine – the largest meted out to any company – was a result of a series of violations of China’s data security, cybersecurity, and personal information protection laws that took place over the course of seven years, starting in 2015.
While the Didi case may be unusual in its size and scope, it reveals the ways in which companies can be in breach of regulations, some of which are found in common business practices – collection of unnecessary personal information, lack of encryption for saved sensitive personal information, and failing to specify the purpose of personal information processing activities – to name a few.
In this article, we take a close look at Didi’s illegal activity and discuss how they broke China’s cybersecurity laws, as well as what lessons companies operating in the digital space can learn from the affair.
On June 30, 2021 Didi was listed on the New York Stock Exchange (NYSE), raising around US$4.4 billion. Just two days later, the Cyberspace Administration of China (CAC), China’s top cybersecurity regulator, announced a cybersecurity review of the company, and on July 4, 2021 ordered it to suspend all new user registrations for the duration of the review and removed Didi from all app stores in China.
The review was to be conducted in order "to guard against national data security risks, to safeguard national security and the public interest", in accordance with the 2017 Cybersecurity Law (CSL) and the 2015 National Security Law.
Speculations over the timing of the announcement of the security review abounded, but it has since transpired that the authorities had likely previously told Didi to delay the IPO in order to first carry out a review of its network and data security. However, Didi pushed ahead with the listing, reportedly due to pressure from investors.
The suspension of Didi’s activities has had a devastating impact on the company, leading to a US$4.7 billion loss in revenue in the fourth quarter of 2021 and forcing it to cut spending and lay off staff in the beginning of 2022. A planned listing in Hong Kong was again blocked due to further data security issues, causing its shares to fall 44 percent. In May 2022, the company announced its delisting from the NYSE after over 90 percent of shareholders voted in favor of the proposal.
On July 21, 2022, the CAC announced the results of the cybersecurity probe, and in a media Q&A stated that there had been conclusive evidence that Didi had violated relevant cybersecurity, data security, and personal information protection laws, and that the violations had been “serious […] and bad in nature” and that the violations should be “severely punished”. Didi was fined a total of RMB 8.026 billion (US$1.2 billion).
Which regulations did Didi break?
According to the CAC’s announcement released on July 21, 2022 the investigation found that Didi had violated the CSL, the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). The fine of US$1.2 billion was levied in accordance with these laws, as well as the Administrative Penalty Law and other unnamed regulations.
In an attached media Q&A released by the CAC, it was further clarified that the probe was conducted in accordance with the Network Security Review Measures.
The CAC stated that Didi had made 16 violations covering eight different types of activity. These are:
- Illegally collecting almost 12 million screenshots from users’ mobile phone photo albums.
- Collecting 8.3 billion pieces of information from users’ clipboards and application lists in excess of the scope necessary to carry out operations.
- Collecting 107 million pieces of facial recognition data, 53.5 million pieces of information on age groups, 16.3 million pieces on occupations, 1.4 million pieces of information on family relationships, and 153 million “home” and “company” addresses from passengers, in excess of the scope necessary to carry out operations.
- Collecting 167 million pieces of information on the precise location (longitude and latitude) when passengers evaluated the driver services, both when the app was running in the background and when the mobile phone was connected to the Orange Video Recorder app (an app developed by Didi that enables dashcam recordings) in excess of the scope necessary to carry out operations.
- Collecting 142,900 pieces of information on drivers' education in excess of the scope necessary to carry out operations, and storing 57.8 million drivers' ID numbers in plain text.
- Analyzing almost 54 billion pieces of information on passengers' travel intent, 1.5 billion pieces of information on passengers' city of residence, and 304 million pieces of information on passengers' non-local business and travel, without clearly telling passengers.
- Frequently requesting irrelevant phone permissions of passengers when using the ride-hailing service.
- Failing to accurately and clearly explain the purpose for processing 19 types of personal information, including user device information.
In addition to the above, the CAC said it had previously found that Didi had engaged in data processing activities that "seriously affect national security", and had also violated other laws and regulations, including refusing to cooperate on certain requirements of the regulatory authorities and intentionally evading supervision. It also stated that Didi's illegal operations had posed serious security risks to China's critical information infrastructure and data security; however, details of these violations could not be divulged as they concerned matters of national security.
The above violations were found to have taken place over the course of seven years, starting from at least June 2015 and continuing up to the time of the review. Because the conduct continued past the effective date of each law, Didi was in breach of the CSL (in effect since June 2017), the DSL (September 2021), and the PIPL (November 2021).
Responsibility for the above violations was found to lie with Didi Chuxing as well as the company’s chairman and CEO, Cheng Wei, and president, Liu Qing.
A close look at the legislation that Didi broke
The CAC did not say which specific articles of the laws and regulations were breached, but from the information it provided we can deduce the likely ones by looking at the articles that prohibit the kinds of activity Didi was found to have engaged in.
Several of the violations discussed above (items 2, 3, 4, and 5) relate to the "excessive" collection of various types of information. This violates Article 6 of the PIPL, Article 41 of the CSL, and Article 32 of the DSL. These articles stipulate that data processors (the company handling and processing the collected data) may only collect and process the scope of information required to fulfil the stated purpose of the processing, and prohibit the collection of information that falls outside this scope. The finding indicates that the information Didi collected was not required to deliver the specific functions or services that users had requested.
Another major breach is collecting or processing information without clearly telling users the purpose of the activity. This violates Article 17 of the PIPL and Article 41 of the CSL, which require data processors to inform users, in clear and understandable terms, of the purpose for processing their personal information.
Finally, it is possible that Didi violated the rules on the handling of "sensitive" personal information, which the PIPL subjects to stricter requirements than other types of data. "Sensitive personal information" is defined in Article 28 of the PIPL as "personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious beliefs, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14."
The list of Didi's violations includes a range of sensitive information, including facial recognition data, information on users' age groups, occupations, family relationships, specific whereabouts, and ID numbers.
The PIPL stipulates that personal information processors can only process sensitive personal information when they have a “specific purpose and sufficient necessity”, and are also required to implement stricter protective measures and receive additional consent to use the data. Although not specifically mentioned, it is possible that Didi’s violations were considered more egregious as they dealt with sensitive personal information, in addition to the fact that the information collected was not necessary to fulfill the operations. The millions of screenshots that Didi illegally collected from users are likely to have contained sensitive personal information, and it is possible that Didi did not obtain separate and explicit consent from users to collect them, in addition to the possibility that the screenshots were not necessary for Didi to fulfill its services.
Articles Found to be Broken in Didi Cybersecurity Review

Violation: Excessive collection of data and personal information
- PIPL, Article 6: The processing of personal information shall have a clear and reasonable purpose, shall be directly related to that purpose, and shall be carried out in the way that has the least impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope needed to achieve the purpose of processing, and excessive collection of personal information shall not be allowed.
- CSL, Article 41, second paragraph: Network operators shall not collect personal information irrelevant to the services they provide, shall not collect or use personal information in violation of laws, administrative regulations, and agreements between both parties, and shall process the personal information they store in accordance with the provisions of laws and administrative regulations and the agreement with the user.
- DSL, Article 32, second paragraph: Where laws and administrative regulations stipulate the purpose and scope of data collection and use, data shall be collected and used within the purpose and scope stipulated by those laws and administrative regulations.

Violation: Analyzing information without clearly telling users; failing to accurately and clearly explain the purpose for processing personal information; frequently requesting irrelevant phone permissions
- PIPL, Article 17: Prior to processing personal information, a personal information processor shall truthfully, accurately, and completely inform the individual of the following matters in an eye-catching manner and with clear and understandable language: (I) the name and contact information of the personal information processor; (II) the purpose and method of processing personal information, and the type and retention period of the processed personal information; (III) the method and procedure for the individual to exercise the rights provided herein; and (IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.
- CSL, Article 41, first paragraph: When collecting and using personal information, network operators shall [...] disclose the rules for collection and use, express the purpose, method, and scope of the collection and use of information, and obtain the consent of the data subject.
- DSL: –

Violation: Illegally obtaining and failing to adequately protect sensitive information
- PIPL, Article 29: Individual consent shall be obtained for processing sensitive personal information. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.
- PIPL, Article 30: For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual's rights and interests [...]
What we can learn from the Didi case
The Didi case is the first major cybersecurity penalty levied by the CAC since several cyber and data security regulations came into effect, and it reveals some of the ways in which companies may fall foul of regulators if they are careless in how they handle data or intentionally seek to exploit users' information. Didi is certainly not the only company that has breached the cyber and data security laws, and the CAC intends the publication of Didi's violations to serve as a deterrent to other companies engaging in similar illegal activity.
Many people believe that the Didi case is not applicable to other companies, in particular SMEs. The case of Didi may indeed be unusual in terms of the seriousness of the violations and the size of the fine, not to mention the considerable attention it has received from the media and the public. In the Q&A, the CAC states that Didi’s violations were particularly severe and that the penalty was, therefore “different from general administrative penalties”. This is due to a number of different factors: its failure to fulfill obligations to protect networks and data leading to “serious hidden risks” and to correct the errors when requested to do so by the authorities, the long period of time over which the violations took place, the sensitivity of the data that was handled (such as IDs, locations, and biometric data), as well as the sheer volume of information that was handled illegally across several Didi products – 64.7 billion pieces of information in total.
It is therefore reasonable to assume that a smaller company with fewer operations and less capacity to process large volumes of data would not face as large a fine. However, even a smaller fine could have a significant impact on a company, especially if it comes with additional penalties such as suspended operations or public exposure. Regulatory penalties also pose a much larger threat to the survival of a smaller company that does not hold over 90 percent market share, as Didi did prior to the probe.
In addition, more legislation and regulatory measures for the management of network and data security have been released or come into effect since Didi was first ordered to suspend new user registrations, leaving less room to hide from regulators and fewer excuses for oversights. These include a series of regulatory measures on the export of data and personal information out of China. Even though none of the publicized violations related to cross-border data transfer, it is an area of cybersecurity compliance that foreign and multinational companies are more likely to encounter than domestic companies.
The CAC also issued an additional warning in the Q&A to other companies, saying that it will “intensify law enforcement in areas such as cybersecurity, data security, and personal information protection […] by conducting law enforcement interviews, ordering corrections [of violations], issuing warnings, criticism notices, and fines, and ordering business suspensions, business closures for corrections [of violations], website closures, and delistings”, among other forms of punishment.
Ensuring that IT and storage systems, as well as business practices, are compliant with China’s cybersecurity legislation is paramount to staying on the good side of regulators. IT personnel and operational teams must be trained and educated to understand the latest data protection requirements and know how to identify and deal with possible compliance issues.
Companies are also advised to adopt technical protection mechanisms: encrypting stored personal information (the plain-text storage of 57.8 million ID numbers was one of Didi's listed violations), limiting employees' authorization to access personal data to what their role requires, and conducting regular data protection impact assessments to confirm that the data is secure and that no staff member unintentionally breaks any regulations. The online travel agency Trip.com Group, for instance, has implemented a series of technologies and operational mechanisms to protect its users' information, including a "zero trust" mechanism that minimizes staff members' access to user data, encryption of all user information submitted during operations, and tracking of data access authorization.
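The following is an added illustration of the controls just described, written for this article and not code from Didi, Trip.com, or any other company named above. It shows one way to keep a sensitive identifier such as a driver's ID number out of the operational store (the operational record keeps only a keyed pseudonym), to hold the plain-text value in a separate vault whose every read is gated on a declared purpose and role, and to audit each access attempt. The purpose-to-role matrix, the class and function names, and the sample ID number are all assumptions constructed for the example; in production the vault's contents would additionally be encrypted at rest with a key held outside the application, a layer omitted here so the example runs offline with the standard library alone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purpose-to-role matrix: which roles may read a plaintext ID number,
# and only for which declared purpose. Names are assumptions made for this example.
ALLOWED_PURPOSES = {
    "driver_identity_verification": {"kyc_officer"},
    "law_enforcement_request": {"legal_counsel"},
}


def pseudonymize(id_number: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for an ID number.

    A bare SHA-256 of an 18-digit ID is reversible by enumerating the ID space;
    keying the hash makes the token useless to anyone who obtains the table
    without the key, while still letting the operational system match and
    deduplicate drivers on the token."""
    return hmac.new(key, id_number.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class AuditEvent:
    at: str
    role: str
    purpose: str
    token: str
    granted: bool


class IdNumberVault:
    """Holds plaintext ID numbers apart from the operational store and gates every read.

    Assumption for this example: at-rest encryption of the vault (for example with
    an HSM- or KMS-held key) is left out so the code runs with the standard library."""

    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key
        self._plaintext: dict[str, str] = {}
        self.audit_log: list[AuditEvent] = []

    def store(self, id_number: str) -> str:
        """Store an ID number and return the token that the rest of the system keeps."""
        token = pseudonymize(id_number, self._key)
        self._plaintext[token] = id_number
        return token

    def reveal(self, token: str, role: str, purpose: str) -> str:
        """Return the plaintext only for an authorized role and declared purpose.

        Every attempt, granted or denied, is appended to the audit log so that
        access to sensitive personal information can be reviewed afterwards."""
        granted = role in ALLOWED_PURPOSES.get(purpose, set()) and token in self._plaintext
        self.audit_log.append(AuditEvent(
            at=datetime.now(timezone.utc).isoformat(),
            role=role, purpose=purpose, token=token, granted=granted))
        if not granted:
            raise PermissionError(f"{role!r} may not read ID numbers for {purpose!r}")
        return self._plaintext[token]


@dataclass(frozen=True)
class DriverRecord:
    """What the operational (ride-dispatch) store keeps: a token, never the ID number."""
    driver_id: int
    id_number_token: str


def onboard_driver(vault: IdNumberVault, driver_id: int, id_number: str) -> DriverRecord:
    """Register a driver; the plaintext ID goes to the vault, the record gets the token."""
    return DriverRecord(driver_id=driver_id, id_number_token=vault.store(id_number))


def demo() -> dict:
    """Walk through the flow with a constructed (fake) ID number and return the outcomes."""
    vault = IdNumberVault(pseudonym_key=secrets.token_bytes(32))
    fake_id = "110101199001011234"  # constructed sample value, not a real ID number
    record = onboard_driver(vault, driver_id=42, id_number=fake_id)

    results = {
        # The operational record must not contain the ID number in any form.
        "operational_store_holds_plaintext": fake_id in record.id_number_token,
        # Re-storing the same ID yields the same token, so matching still works.
        "token_is_stable": vault.store(fake_id) == record.id_number_token,
        # An authorized role with a listed purpose gets the plaintext back.
        "kyc_read": vault.reveal(record.id_number_token, "kyc_officer",
                                 "driver_identity_verification"),
    }
    try:
        # A dispatcher has no business reading ID numbers for ride matching.
        vault.reveal(record.id_number_token, "dispatcher", "ride_matching")
        results["dispatcher_denied"] = False
    except PermissionError:
        results["dispatcher_denied"] = True
    results["audit_entries"] = len(vault.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The token, not the ID number, is what dispatch, analytics, and support tooling see; anyone who needs the real value must name a purpose that the matrix lists for their role, and the denied dispatcher read above still leaves an audit entry, which is what a later review of "who accessed what, and why" depends on.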
In the event of a cybersecurity review, the company’s response to the cybersecurity authorities’ criticisms and demands will also factor into the final outcome. Companies should under no circumstances seek to evade inspection or avoid providing evidence and information or making the requisite changes. Compliance with the authorities’ requests and a swift rectification of any wrongdoings will be seen favorably and can help to reduce the penalties that are imposed on the company.
It is also important to keep track of draft cybersecurity legislation, which is often released months or even years before the law is passed and takes effect. The first draft of the PIPL, for instance, was released in October 2020 and the law was adopted in August 2021, giving companies time to familiarize themselves with the requirements and prepare accordingly. Several draft regulations on data and cybersecurity have been released since the DSL and PIPL came into effect last year, such as the Network Data Security Management Regulations, released in November 2021.
China Briefing is written and produced by Dezan Shira & Associates.