Didi has just been slapped with the largest fine issued in China for breaching data laws

  • CAC found Didi “guilty of 16 violations of relevant laws of data security and personal information protection [in China], including excessive collection of facial info of users.”
  • The staggering fine is to date the largest regulatory penalty imposed on a Chinese mainland-based tech company since Alibaba Group and Meituan.
  • Didi fully accepted the regulator’s decision and said it would rectify its wrongdoings.

Again and again, China has shown the world what it costs its biggest tech companies to breach laws and do things that would threaten national security. The latest casualty is Didi Global Inc, the embattled ride-hailing giant that has been under investigation by the Cyberspace Administration of China (CAC) for the past year. The Beijing-based company has been slapped with a fine of 8.026 billion yuan (US$1.2 billion) this week for 16 violations of relevant laws of data security and personal information protection.

The CAC’s decision also concluded the unprecedented, year-long cybersecurity probe into the company, which started days after it launched a US$4.4 billion initial public offering in New York on June 30, 2021. The internet regulator found that “Didi was involved in data processing activities that seriously affected national security, and other violations of laws and regulations,” according to local reports.

What did Didi do exactly to have angered regulators in China?

Overall, CAC found Didi “guilty of 16 violations of relevant laws of data security and personal information protection [in China], including excessive collection of facial info of users.” It even said the ride-hailing giant was “refusing to comply with the explicit requirements of regulators” and there was “malicious evasion of supervision.”

The 16 offenses involved the illegal collection of data from both drivers and passengers. They include the illegal processing of 64.7 billion personal information entries over the span of seven years since June 2015. CAC also said Didi was found to have illegally collected nearly 12 million pieces of photo information from users’ phones, 107 million entries of facial recognition data, 53.5 million entries of age data, 16.3 million entries of occupation data, and 1.4 million entries of data about family relations.

The ride-hailing giant was also accused of gathering 153 million entries of home and company address data and 167 million entries of location information. Didi analyzed, without user consent, 54 billion entries regarding the travel purposes of passengers. “Didi has failed to perform its duty to maintain cyberspace security, data security, and personal information protection … bringing serious risks to national cyberspace security and data security,” the regulator said, according to South China Morning Post.

Not the first, certainly not the last

For context, the staggering fine is to date the largest regulatory penalty imposed on a Chinese mainland-based tech company since e-commerce titan Alibaba Group and delivery giant Meituan were fined US$2.75 billion and US$527 million respectively last year by antitrust regulators in China.

Besides the US$1.2 billion fine, the company’s senior executives Will Cheng Wei and Jean Liu Qing were each fined 1 million yuan, the regulator said in its statement. “Moreover, even with clear orders from regulatory authorities to correct the issues, Didi failed to carry out comprehensive and in-depth rectifications. The nature of the offense was egregious,” CAC continued in its statement.

In response, Didi said on its Weibo account that it fully accepted the regulator’s decision and would rectify its wrongdoings. Commenting on the fine imposed on Didi, Singapore-based cybersecurity startup watchTowr believes the decision made by the Chinese government to penalize ride-hailing giant Didi Global is a clear indication that regulators throughout the region continue to take cybersecurity seriously.

“Data privacy and control will continue to trend in importance, regardless of company size. It is clear proof that no company is too big to escape the eye and wrath of regulators at this stage. This also aligns to what watchTowr is seeing other markets doing, like Singapore’s Personal Data Protection Act (PDPA), with regards to fines for security breaches and regulatory lapses,” the firm said in an email to Tech Wire Asia.