This article is part of the series on China’s regulatory policy updates, reports, and advertising laws. If you have missed out on any of the articles from this series, you can click the following titles to read more – Anti-Monopoly Crackdown, PIPL, Advertising Law, October Update, November Update, December Update, January Update (RED Bans 39 Brands), Medical Advertising, March Update, IP Location Regulations.
With the increasingly strict implementation of China’s regulatory policies, it is not surprising that China is reviewing major leading platforms with unprecedented intensity and issuing “sky-priced fines” to platforms that violated the law, as a warning to others. After Alibaba, Didi’s sky-high fine in this round is even more staggering.
Didi's exorbitant fine
Upon review and investigation, the evidence is conclusive that Didi has violated the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, etc. On July 21, the Cyberspace Administration of China (CAC) fined Didi Global Inc. 8.026 billion renminbi (USD 1.2B), while the chairman and CEO of Didi Global Inc., Cheng Wei, and President Liu Qing were fined 1 million renminbi (USD 150,000) each.
So what exactly did Didi violate?
According to the investigation, Didi’s violations fall into 8 main categories (16 illegal facts in total), as follows:
Illegal collection of screenshot information from users’ mobile phone photo albums (11.9639 million pieces);
Excessive collection of user clipboard and application list information (8.323 billion pieces);
Excessive collection of passenger facial recognition information (107 million pieces), age group information (53.5092 million pieces), occupation information (16.3356 pieces), familial relationship information (1.3829 million pieces), home and work address ride-hailing information (153 million pieces);
Excessive collection of precise location information (latitude and longitude) while the app runs in the background, when the mobile phone is connected to the Orange Video recorder equipment, or while the user is reviewing substitute drive services;
Excessive collection of driver education history information (142,900 pieces) and storage of driver national identification numbers in plain text (57.8026 million pieces);
Analysis of passenger trip intention information (53.976 billion pieces), city of residence information (1.538 billion pieces), and business trip or travel information (304 million pieces) without having notified passengers;
Frequently requiring irrelevant ‘phone permissions’ when passengers use ride-sharing services;
Inaccurate and unclear explanation of 19 personal information handling purposes such as user device information.
Didi’s violations of laws and regulations posed serious risks and hidden dangers to China’s national security. Furthermore, it failed to conduct complete and thorough rectification when instructed by regulatory authorities, which is extremely despicable. Given the repeated violations, continuing for 7 years, of the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the illegal processing of up to 64.709 billion pieces of personal information, and illegal acts that threaten China’s national security, it is reasonable that the CAC imposed such a punishment on Didi.
In the era of big data, compliant and legal collection of personal information can optimize market decisions from an enterprise perspective, while consumers are still the ultimate beneficiaries. The most common types of information collected are:
Information about specific functions: mobile phone number, membership, password, real name, gender, date of birth, place of residence, identity card, etc.
Information for additional services: geographic location, contacts access, phone storage access, camera or microphone access, etc.
The first type of information is collected mainly to give brands a precise marketing direction and users personalized services, and also to meet the real-name authentication requirements of China’s regulatory policy. The second type is collected mainly to provide users with rapid and convenient service. However, some platform software makes it mandatory, and users cannot use the software at all if they disagree. Last year, the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Supervision jointly issued the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications”, which clearly state that major app operators are not allowed to refuse users the basic functions of an app when users do not agree to the collection of non-essential personal information. On the pretence of collecting information, Didi illegally collects and processes users’ personal information and makes it look as though this is for better and more accurate services to users, but no one knows its true intention.
Didi currently has about 377 million active users and 13 million active drivers in China, which means that Didi holds data on at least 377 million users. Given that Didi handles personal information illegally, it might know users better than they know themselves. This data is the most precious resource in the information era, and from it Didi can analyse personal behaviour through ‘algorithms’, which seriously violates the personal rights and interests of users and also violates China’s ‘clean cyberspace’ plan. The “Holding Foreign Companies Accountable Act” passed earlier by the U.S. Congress requires foreign companies to provide internal company information and data in order to be listed. Didi rushed to list in the United States before the implementation of the Data Security Law and disregarded data security and China’s cybersecurity, which is why China treated Didi’s violations of laws and regulations as a serious threat to national security and imposed such penalties.
China Regulatory Policies
Since the implementation of China’s Data Security Law last year, Chinese companies and individuals have been restricted from providing any data stored in China to any foreign ministry of justice or foreign law enforcement agency, and the Cyberspace Administration of China has required online platforms that hold the personal data of more than 1 million users to apply for a security review before listing in a foreign country. In recent years, China has promulgated laws and regulations such as the CSL, DSL, PIPL, Critical Information Infrastructure Security Protection Provisions, Cybersecurity Review Measures, and Outbound Data Transfer Security Assessment Measures to continuously strengthen the protection of personal information, data security, and cybersecurity. Law enforcement cracks down on illegal acts through warnings, fines, business closures for rectification, website closures, takedowns from app stores, law enforcement consultations, and rectification orders. China has amplified the exposure of these cases not only as an effective deterrent but also to educate and guide enterprises to operate legally, which helps to promote the healthy, regulated, and standardized development of enterprises.
China’s increasingly stringent regulatory policies also mean that the emphasis on personal information protection is gradually increasing. The implementation of China’s regulatory policies will act as an effective deterrent for enterprises while preventing the leakage of personal information and protecting the legitimate rights and interests of the public. China’s regulatory policies will only continue to become stricter, and government agencies will strengthen their scrutiny and enforcement. Didi’s punishment is just a starting point, and there may be more fines, warnings, and business closures in the future. We recommend that enterprises abide by China’s regulatory policies, since the gains from violating them do not outweigh the losses.
We will continue to follow China’s regulatory policy updates. Contact us to understand more and to discuss China’s marketing strategies.