China gets serious about data protection: High fines in the case of mobility provider Didi

published on 9 August 2022 | reading time approx. 2 mintes

Cyber security and data protection are becoming increasingly important in the context of doing business in China. Legislators are working at full speed to enact numerous laws, ordinances and regulations. In practice, the authorities are strictly implementing these regulations.

In July 2021, the Chinese digital regulator “Cyberspace Administration of China” (CAC) launched a cyber security audit against the ride service provider “Didi” in China. On July 21, 2022, the CAC came to an initial conclusion. On its website, the CAC publishes a sizeable fine against Didi: the penalty is based on laws such as the Cyber Security Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). Didi was fined RMB 8,026 billion (approximately EUR 1.16 billion) and two executives of Didi were fined RMB 1 million (approximately EUR 150,000) each.

According to CAC’s announcement, Didi had seriously violated the above laws. A total of 16 violations of the law were identified, including:

Unlawful collection of screenshots on mobile phones of Didi users;
Excessive collection of information from the mobile phone clipboard of Didi users;
Excessive collection of information for facial recognition from passengers;
Excessive collection of accurate location data from passengers;
Analysis of information about passengers’ travel intentions without explicitly informing them.

CAC also found that Didi had seriously compromised national security through its data processing activities. However, the details were not released for reasons of national security.

CAC explained that several aspects were taken into account when setting the fine, in particular what legal provisions were infringed, how long the infringements lasted, how serious the damage was and how much personal data was unlawfully processed.

This fine imposed on Didi is an important precedent for Chinese legal history in the field of data protection. In the summer of 2022, the CAC created facts in this completely new area, where market participants are eagerly awaiting the substantiation of the abstract legal norms. The economic damage to Didi will have a lesson and signal effect on other market participants. The CAC’s justification as well as the listing of the individual violations and offences represent an initial orientation for other companies in the Chinese automotive industry, and in the area of data protection and cyber security in general, for command and prohibition. It is expected that the authorities will continue to strengthen enforcement of laws in the areas of cyber security, data security and protection of personal information.

Companies operating in China must ensure compliance with relevant laws. Violations of the law can result in heavy penalties, as the Didi example shows.