The Cyberspace Administration of China (CAC) on July 21 announced an ¥8 billion RMB ($1.2 billion USD) fine at the conclusion of a year of investigation and scrutiny focused on the Chinese ride-hailing giant DiDi Chuxing.
The CAC effort kicked off on July 2, 2021, with the announcement that DiDi would face review under the Cybersecurity Review Measures. Government scrutiny of DiDi soon broadened, and the review reportedly came after the company failed to heed government warnings to delay its listing on a U.S. stock exchange. DiDi's share price dropped drastically, and the company has since delisted.
Translations of the CAC's brief announcement of its decision and administrative punishment, and a longer but less formal set of answers to media questions by an unnamed CAC official, are below. DigiChina contributors have shared their analysis in a DigiChina Forum on implications of these outcomes.
This translation is by Graham Webster and was edited by Johanna Costigan.
Correction: In the headline, this translation originally rendered the USD fine amount as $2 billion, instead of the correct $1.2 billion. We regret the error.
Official Announcement of DiDi Fine
Source: http://www.cac.gov.cn/2022-07/21/c_1660021534306352.htm
Archived copy: https://web.archive.org/web/20220721172659/http://www.cac.gov.cn/2022-07/21/c_1660021534306352.htm
Decision of the Cyberspace Administration of China on Administrative Punishment Related to the Conduct According to the Law of a Cybersecurity Review of DiDi Global Inc.
July 21, 2022, 1:00 p.m. Source: Zhongguo Wangxin Wang
According to the verdict and the problems and evidence discovered during cybersecurity review, the Cyberspace Administration of China opened a case to investigate the suspected illegal activities of DiDi Global Inc. Upon investigation, DiDi Global Inc.'s illegal behavior in violation of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law is clear, the evidence conclusive, the circumstances grave, and the character despicable (性质恶劣).
On July 21, according to the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Administrative Punishments Law, and other laws and administrative regulations, the Cyberspace Administration of China fined DiDi Global Inc. 8.026 billion renminbi, and fined DiDi Global Inc. Chairperson and CEO Chéng Wéi 程维 and President Liǔ Qīng 柳青 1 million renminbi each.
Official CAC Q&A with journalists on the DiDi case outcome
Source: http://www.cac.gov.cn/2022-07/21/c_1660021534364976.htm
Archived copy: https://web.archive.org/web/20220721062144/http://www.cac.gov.cn/2022-07/21/c_1660021534364976.htm
The Relevant Person Responsible of the Cyberspace Administration of China Answers Journalists’ Questions on the Conduct of the Cybersecurity Review into DiDi Global Inc. and Related Administrative Punishments
July 21, 2022, 1:00 p.m. Source: Zhongguo Wangxin Wang
On July 21, the Cyberspace Administration of China announced the decision regarding administrative punishment related to the cybersecurity review of DiDi Global Inc. ("DiDi") according to the law. The relevant person responsible from the Cyberspace Administration of China answered journalists’ questions about issues related to the case.
1) Q: Please briefly introduce the background of the case and the review process.
A: In July 2021, in order to safeguard against national data security risks, uphold national security, and safeguard the public interest, and in accordance with the National Security Law and the Cybersecurity Law, the Cybersecurity Review Office implemented a cybersecurity review of DiDi according to the Cybersecurity Review Measures.
According to the results of the cybersecurity review and issues and evidence discovered, the Cyberspace Administration of China lawfully filed a case to investigate suspected violations of law by DiDi. During this time, the Cyberspace Administration of China conducted investigations and inquiries, collected technical evidence, ordered DiDi to submit relevant evidentiary materials, verified and analyzed in depth the evidence and materials in the case, fully heard DiDi's views, and safeguarded DiDi's lawful rights. Upon investigation, DiDi's illegal behavior in violation of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law is clear, the evidence conclusive, the circumstances grave, and the character despicable. Strict punishment must be given.
2) Q: What illegal activities took place at DiDi?
A: A total of 16 illegal facts at DiDi have been ascertained, which can be summed up in eight main aspects. First, illegal collection of 11.9639 million pieces of screenshot information from users' mobile phone photo albums; second, excessive collection of 8.323 billion pieces of user clipboard and application list information; third, excessive collection of 107 million pieces of passenger facial recognition information, 53.5092 million pieces of age group information, 16.3356 million pieces of occupation information, 1.3829 million pieces of familial relationship information, and 153 million pieces of "home" and "work" ride-hailing address information; fourth, excessive collection of 167 million pieces of precise location information (latitude and longitude) while passengers evaluate substitute driver services [代驾服务, "chauffeur" services often marketed for when a driver has been drinking and needs someone to drive them and their car home -Ed.], while the app is running in the background, or when the mobile phone is connected to the Orange Vision recorder device [a DiDi product collecting streetscape video data -Ed.]; fifth, excessive collection of 142,900 pieces of driver educational history information and storage of 57.8026 million pieces of driver national identification numbers in plain text; sixth, analysis of 53.976 billion pieces of passenger trip intention information, 1.538 billion pieces of city of residence information, and 304 million pieces of information on business or travel away from home without having clearly notified passengers; seventh, frequently requesting irrelevant "telephone permissions" when passengers use ride-sharing services; and eighth, inaccurate and unclear explanation of 19 personal information handling purposes such as user device information.
Previously, the cybersecurity review also discovered DiDi had data handling activities that seriously affect national security, as well as violations of law and regulations such as refusing to carry out supervising departments' clear requirements, feigning compliance (阳奉阴违), and maliciously evading supervision. DiDi's operations in violation of law and regulations posed serious risks and hidden dangers to national critical information infrastructure security and data security. Because this touches on national security, in accordance with law, it will not be made public.
3) Q: How has the law-violating subject been identified in this case?
A: DiDi was established in January 2013, and its relevant domestic lines of service primarily include online ride-hailing, ride-sharing, two-wheeled vehicles, car manufacturing, etc. Relevant products include 41 apps such as the DiDi Chuxing app, the DiDi Driver app, the DiDi Ride-Sharing app, and the DiDi Enterprise Edition app.
DiDi has the highest decision-making authority over major matters in each domestic business line, the intra-firm systems and norms it formulates are fully applicable to domestic business lines, and it bears supervision and management responsibilities for implementation conditions. Through the DiDi Information and Data Security Committee and the subordinate Personal Information Protection Committee and Data Security Committee, the company participates in the policymaking guidance, supervision, and management of relevant online ride-hailing, ride-sharing, etc., business line activities. Each business line's illegal activities are concretely carried out under the unified policymaking and deployment of the company. On these grounds, the law-violating subject is identified as DiDi.
DiDi Chairperson and CEO Cheng Wei and President Liu Qing had management responsibility for the illegal activities.
4) Q: What is the main basis for the decision to impose administrative punishment on DiDi relevant to the cybersecurity review?
A: The administrative punishment of DiDi relevant to this cybersecurity review is special and different from regular administrative punishment. DiDi's activities in violation of laws and regulations were serious, and combined with the cybersecurity review situation, call for the imposition of severe punishment. First, on the character of the illegal activities, DiDi failed to follow provisions of relevant laws and administrative regulations and the requirements of supervising departments in carrying out cybersecurity, data security, and personal information protection responsibilities. It disregarded national cybersecurity and data security, and posed serious risks and hidden dangers to national cybersecurity and data security. When instructed by supervising departments to rectify matters, it nonetheless failed to conduct complete and thorough reforms. The character was extremely despicable. Second, on the duration of the illegal activities, DiDi's relevant illegal activities began as early as June 2015 and have continued to this day, lasting 7 years. It continued to violate the Cybersecurity Law implemented in June 2017, the Data Security Law implemented in September 2021, and the Personal Information Protection Law implemented in November 2021. Third, on the harm from the illegal activities, DiDi used illegal means to collect user clipboard information, screenshot information from within photo albums, familial relationship information, and other personal information. It seriously violated user privacy and seriously damaged user personal information rights and interests. Fourth, on the scale of illegal handling of personal information, DiDi illegally handled as many as 64.709 billion pieces of personal information. The scale of data was enormous, including many kinds of sensitive personal information such as facial recognition data, precise location information, and national ID numbers. Fifth, on the circumstances of illegal handling of personal information, DiDi's illegal activities entail multiple apps and encompass many kinds of circumstances, including the excess collection of personal information, the forced collection of sensitive personal information, frequent app requests for permissions, failure to fulfill personal information handling notice obligations, and failure to fulfill cybersecurity and data security protection obligations.
In the integrated consideration of the character of DiDi's illegal activities, their duration, their harms, and their circumstances, the main bases for the decision to impose punishment related to the cybersecurity review of DiDi are the relevant provisions of the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Administrative Punishments Law, etc.
5) Q: What are some key directions and areas for the next steps of cyber law enforcement?
A: In recent years, the country has continuously strengthened protection of cybersecurity, data security, and personal information. It has promulgated the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Critical Information Infrastructure Security Protection Provisions, the Cybersecurity Review Measures, the Outbound Data Transfer Security Assessment Measures, and other laws and administrative regulations. Cyberspace and informatization departments will expand the scope of law enforcement in areas such as cybersecurity, data security, and personal information protection. Through management and punishment measures such as law enforcement consultations, ordering rectifications, warnings, notices and criticisms, fines, ordering the suspension of relevant business, suspending operations for rectification, closing websites, takedowns (下架), and dealing with responsible persons, they will, according to the law, strike against harms to national cybersecurity or data security, damage to citizen personal information, and other illegal activities. They will realistically safeguard national cybersecurity, data security, and societal public interests and strongly ensure the legitimate rights and interests of the people and the masses at large. At the same time, they will increase exposure of typical cases, build great momentum and strong deterrence, let each case be a warning (做到查处一案、警示一片), educate and guide Internet enterprises to operate in accordance with laws and regulations, and advance the healthy, regulated, and orderly development of enterprise.
Chinese-language original
国家互联网信息办公室对滴滴全球股份有限公司依法作出网络安全审查相关行政处罚的决定
2022年07月21日 13:00 来源: 中国网信网
根据网络安全审查结论及发现的问题和线索,国家互联网信息办公室依法对滴滴全球股份有限公司涉嫌违法行为进行立案调查。经查实,滴滴全球股份有限公司违反《网络安全法》《数据安全法》《个人信息保护法》的违法违规行为事实清楚、证据确凿、情节严重、性质恶劣。
7月21日,国家互联网信息办公室依据《网络安全法》《数据安全法》《个人信息保护法》《行政处罚法》等法律法规,对滴滴全球股份有限公司处人民币80.26亿元罚款,对滴滴全球股份有限公司董事长兼CEO程维、总裁柳青各处人民币100万元罚款。
国家互联网信息办公室有关负责人就对滴滴全球股份有限公司依法作出网络安全审查相关行政处罚的决定答记者问
2022年07月21日 13:00 来源: 中国网信网
7月21日,国家互联网信息办公室公布对滴滴全球股份有限公司(以下简称“滴滴公司”)依法作出网络安全审查相关行政处罚的决定。国家互联网信息办公室有关负责人就案件相关问题回答了记者提问。
一、问:请简要介绍案件的背景和调查经过?
答:2021年7月,为防范国家数据安全风险,维护国家安全,保障公共利益,依据《国家安全法》《网络安全法》,网络安全审查办公室按照《网络安全审查办法》对滴滴公司实施网络安全审查。
根据网络安全审查结论及发现的问题和线索,国家互联网信息办公室依法对滴滴公司涉嫌违法行为进行立案调查。期间,国家互联网信息办公室进行了调查询问、技术取证,责令滴滴公司提交了相关证据材料,对本案证据材料深入核查分析,并充分听取滴滴公司意见,保障滴滴公司合法权利。经查实,滴滴公司违反《网络安全法》《数据安全法》《个人信息保护法》的违法违规行为事实清楚、证据确凿、情节严重、性质恶劣,应当从严从重予以处罚。
二、问:滴滴公司存在哪些违法违规行为?
答:经查明,滴滴公司共存在16项违法事实,归纳起来主要是8个方面。一是违法收集用户手机相册中的截图信息1196.39万条;二是过度收集用户剪切板信息、应用列表信息83.23亿条;三是过度收集乘客人脸识别信息1.07亿条、年龄段信息5350.92万条、职业信息1633.56万条、亲情关系信息138.29万条、“家”和“公司”打车地址信息1.53亿条;四是过度收集乘客评价代驾服务时、App后台运行时、手机连接桔视记录仪设备时的精准位置(经纬度)信息1.67亿条;五是过度收集司机学历信息14.29万条,以明文形式存储司机身份证号信息5780.26万条;六是在未明确告知乘客情况下分析乘客出行意图信息539.76亿条、常驻城市信息15.38亿条、异地商务/异地旅游信息3.04亿条;七是在乘客使用顺风车服务时频繁索取无关的“电话权限”;八是未准确、清晰说明用户设备信息等19项个人信息处理目的。
此前,网络安全审查还发现,滴滴公司存在严重影响国家安全的数据处理活动,以及拒不履行监管部门的明确要求,阳奉阴违、恶意逃避监管等其他违法违规问题。滴滴公司违法违规运营给国家关键信息基础设施安全和数据安全带来严重安全风险隐患。因涉及国家安全,依法不公开。
三、问:本案的违法主体是如何认定的?
答:滴滴公司成立于2013年1月,相关境内业务线主要包括网约车、顺风车、两轮车、造车等,相关产品包括滴滴出行App、滴滴车主App、滴滴顺风车App、滴滴企业版App等41款App。
滴滴公司对境内各业务线重大事项具有最高决策权,制定的企业内部制度规范对境内各业务线全部适用,且对落实情况负监督管理责任。该公司通过滴滴信息与数据安全委员会及其下设的个人信息保护委员会、数据安全委员会,参与网约车、顺风车等业务线相关行为的决策指导、监督管理,各业务线违法行为是在该公司统一决策和部署下的具体落实。据此,本案违法行为主体认定为滴滴公司。
滴滴公司董事长兼CEO程维、总裁柳青,对违法行为负主管责任。
四、问:对滴滴公司作出网络安全审查相关行政处罚的决定的主要依据是什么?
答:此次对滴滴公司的网络安全审查相关行政处罚,与一般的行政处罚不同,具有特殊性。滴滴公司违法违规行为情节严重,结合网络安全审查情况,应当予以从严从重处罚。一是从违法行为的性质看,滴滴公司未按照相关法律法规规定和监管部门要求,履行网络安全、数据安全、个人信息保护义务,置国家网络安全、数据安全于不顾,给国家网络安全、数据安全带来严重的风险隐患,且在监管部门责令改正情况下,仍未进行全面深入整改,性质极为恶劣。二是从违法行为的持续时间看,滴滴公司相关违法行为最早开始于2015年6月,持续至今,时间长达7年,持续违反2017年6月实施的《网络安全法》、2021年9月实施的《数据安全法》和2021年11月实施的《个人信息保护法》。三是从违法行为的危害看,滴滴公司通过违法手段收集用户剪切板信息、相册中的截图信息、亲情关系信息等个人信息,严重侵犯用户隐私,严重侵害用户个人信息权益。四是从违法处理个人信息的数量看,滴滴公司违法处理个人信息达647.09亿条,数量巨大,其中包括人脸识别信息、精准位置信息、身份证号等多类敏感个人信息。五是从违法处理个人信息的情形看,滴滴公司违法行为涉及多个App,涵盖过度收集个人信息、强制收集敏感个人信息、App频繁索权、未尽个人信息处理告知义务、未尽网络安全数据安全保护义务等多种情形。
综合考虑滴滴公司违法行为的性质、持续时间、危害及情形,对滴滴公司作出网络安全审查相关行政处罚的决定的主要依据是《网络安全法》《数据安全法》《个人信息保护法》《行政处罚法》等有关规定。
五、问:下一步网络执法的重点方向和领域有哪些?
答:近年来,国家不断加强对网络安全、数据安全、个人信息的保护力度,先后颁布了《网络安全法》《数据安全法》《个人信息保护法》《关键信息基础设施安全保护条例》《网络安全审查办法》《数据出境安全评估办法》等法律法规。网信部门将依法加大网络安全、数据安全、个人信息保护等领域执法力度,通过执法约谈、责令改正、警告、通报批评、罚款、责令暂停相关业务、停业整顿、关闭网站、下架、处理责任人等处置处罚措施,依法打击危害国家网络安全、数据安全、侵害公民个人信息等违法行为,切实维护国家网络安全、数据安全和社会公共利益,有力保障广大人民群众合法权益。同时,加大典型案例曝光力度,形成强大声势和有力震慑,做到查处一案、警示一片,教育引导互联网企业依法合规运营,促进企业健康规范有序发展。