After a year-long investigation, China's cybersecurity watchdog, Cyberspace Administration of China (CAC), fined ride-hailing giant Didi Global $1.2 billion, finding that it had breached the country's laws governing data security and the protection of personal information.
In an unprecedented step, the CAC also held Didi’s President Jean Liu and Chief Executive Cheng Wei accountable for the offenses and issued fines of $148,000 each, thereby setting an example for the leaders in the industry to take proactive cybersecurity measures or risk penalties. CAC justified the fine by stating that Didi had failed to correct practices of sustained and illegal overcollection of sensitive and personal data and inadequate security.
CAC found conclusive evidence that Didi had committed violations of an “egregious nature” and charged Didi with illegally keeping more than 57 million driver IDs in plain text instead of a more secure format.
CAC added that its examination revealed that since 2015 Didi had collected data on users’ biometrics, age, residents and employment locations, and professional and family personal background information without providing an accurate and clear disclosure of its purpose for doing so, along with illegally collecting user location and app usage data.
Additionally, it also illegally gathered millions of user records, such as obtaining passenger information without their consent or knowledge, including images from their smartphones and facial recognition data.
In its statement, the CAC claimed that Didi had illegally processed 64.7 billion pieces of personal data since its first infringement in 2015.
The CAC began looking into Didi after it enlisted itself on the New York Stock Exchange in June 2021, despite requests from the CAC to postpone the listing, citing concerns about disclosing personal information.
According to the CAC, "Didi's illegal operations have brought serious security risks to the security of the country's key information infrastructure and data security".
After falling under regulatory inspection, Didi lost 80% of its market worth, or more than $60 billion in value, becoming one of the most prominent casualties of Beijing's extensive crackdown on private business.
Didi’s Non-Compliance Penalty
In this case, the fine imposed represents more than 4% of Didi's annual revenue, which was $27.3 billion in 2021. In addition, the CAC demanded that Didi halt registering new users and remove 25 of its apps from app stores, claiming public interest and national security.
Didi Fined – $1.2 Billion
Didi’s President Fined – $148,000
Didi’s CEO Fined – $148,000
The penalty imposed on Didi is consistent with penalties in previous regulatory proceedings taken against Alibaba and Meituan, which were penalized with fines of 4% ($2.75 billion) and 3% ($527 million) of their respective annual revenues for unrelated claimed offenses.
Didi’s Response
The Beijing-based firm acknowledged the regulator's fine in a statement posted on its Weibo account and said it would consider its next course of action and measures to strengthen its procedures. Additionally, the company sincerely thanked the competent authorities for their inspection and guidance and the public for their criticism and supervision.
Beijing's concern over the enormous amounts of personal information that internet companies are gathering, and the possibility of a leak of such personal data internationally that could jeopardize national security, is reflected in the penalty imposed on Didi.
According to security analysts, Chinese officials have been worried that, in Didi's case, personal information about important people and sensitive locations may have leaked from its databases.
This is significant partly due to national security concerns in line with the increased US-China tech competition. Therefore, Beijing now wants internet companies with more than one million users to go through a data security review before going public overseas.
How Securiti Can Help
Securiti enables organizations to discover, analyze and protect large datasets. It offers effective and automated Data Mapping, Incident Response and Management, and Data Intelligence that help organizations gain visibility to their datasets, identify datasets as a result of security incidents and achieve regulatory compliance.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world.
Ask for a demo to understand how Securiti can help you achieve compliance.
