Translation: Chinese Authorities Announce $1.2B Fine in DiDi Case, Describe ‘Despicable’ Data Abuses

Didi’s violations of data security and personal information protection laws cited as reason for punitive action


July 21, 2022


The Cyberspace Administration of China (CAC) on July 21 announced an ¥8 billion RMB ($1.2 billion USD) fine at the conclusion of a year of investigation and scrutiny focused on the Chinese ride-hailing giant DiDi Chuxing.

The CAC effort kicked off on July 2, 2021, with the announcement that DiDi would face review under the Cybersecurity Review Measures. Government scrutiny of DiDi soon broadened, and the review reportedly came after the company failed to heed government warnings to delay its listing on a U.S. stock exchange. DiDi's share price dropped drastically, and the company has since delisted.

Translations of the CAC's brief announcement of its decision and administrative punishment, and a longer but less formal set of answers to media questions by an unnamed CAC official, are below. DigiChina contributors have shared their analysis in a DigiChina Forum on implications of these outcomes.

This translation is by Graham Webster and was edited by Johanna Costigan.

Correction: In the headline, this translation originally rendered the USD fine amount as $2 billion, instead of the correct $1.2 billion. We regret the error.

Official Announcement of DiDi Fine


Archived copy:

Decision of the Cyberspace Administration of China on Administrative Punishment Related to the Conduct According to the Law of a Cybersecurity Review of DiDi Global Inc.

July 21, 2022, 1:00 p.m. Source: Zhongguo Wangxin Wang

According to the verdict and the problems and evidence discovered during cybersecurity review, the Cyberspace Administration of China opened a case to investigate the suspected illegal activities of DiDi Global Inc. Upon investigation, DiDi Global Inc.'s illegal behavior in violation of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law is clear, the evidence conclusive, the circumstances grave, and the character despicable (性质恶劣).

On July 21, according to the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Administrative Punishments Law, and other laws and administrative regulations, the Cyberspace Administration of China fined DiDi Global Inc. 8.026 billion renminbi, and fined DiDi Global Inc. Chairperson and CEO Chéng Wéi 程维 and President Liǔ Qīng 柳青 1 million renminbi each.

Official CAC Q&A with journalists on the DiDi case outcome


Archived copy:

The Relevant Person Responsible of the Cyberspace Administration of China Answers Journalists’ Questions on the Conduct of the Cybersecurity Review into DiDi Global Inc. and Related Administrative Punishments

July 21, 2022, 1:00 p.m. Source: Zhongguo Wangxin Wang

On July 21, the Cyberspace Administration of China announced the decision regarding administrative punishment related to the cybersecurity review of DiDi Global Inc. ("DiDi") according to the law. The relevant person responsible from the Cyberspace Administration of China answered journalists’ questions about issues related to the case.

1) Q: Please briefly introduce the background of the case and the review process.

A: In July 2021, in order to safeguard against national data security risks, uphold national security, and safeguard the public interest, and in accordance with the National Security Law and the Cybersecurity Law, the Cybersecurity Review Office implemented a cybersecurity review of DiDi according to the Cybersecurity Review Measures.

According to the results of the cybersecurity review and issues and evidence discovered, the Cyberspace Administration of China lawfully filed a case to investigate suspected violations of law by DiDi. During this time, the Cyberspace Administration of China conducted investigations and inquiries, collected technical evidence, ordered DiDi to submit relevant evidentiary materials, verified and analyzed in depth the evidence and materials in the case, fully heard DiDi's views, and ensured the legitimate interests of DiDi. Upon investigation, DiDi's illegal behavior in violation of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law is clear, the evidence conclusive, the circumstances grave, and the character despicable. Strict punishment must be given.

2) Q: What illegal activities took place at DiDi?

A: A total of 16 illegal facts at DiDi have been ascertained, which can be summed up in eight main aspects. First, illegal collection of 11.9639 million pieces of screenshot information from users' mobile phone photo albums; second, excessive collection of 8.323 billion pieces of user clipboard and application list information; third, excessive collection of 107 million pieces of passenger facial recognition information, 53.5092 million pieces of age group information, 16.3356 million pieces of occupation information, 1.3829 million pieces of familial relationship information, and 153 million pieces of home and work address ride hailing information; fourth, excessive collection of 167 million pieces of precise location information (latitude and longitude) while evaluating substitute driver services [代驾服务, "chauffeur" services often marketed for when a driver has been drinking and needs someone to drive them and their car home -Ed.], while the app is running in the background, or when the mobile phone is connected to the Orange Vision device [a DiDi product collecting streetscape video data -Ed.]; fifth, excessive collection of 142,900 pieces of driver educational history information and storage of 57.8026 million pieces of driver national identification numbers in plain text; sixth, analysis of 53.976 billion pieces of passenger trip intention information, 1.538 billion pieces of city of residence information, and 304 million pieces of information on business or travel away from home without having clearly notified passengers; seventh, frequently requiring irrelevant "telephone permissions" when passengers use ride-sharing services; and eighth, inaccurate and unclear explanation of 19 personal information handling purposes such as user device information.

Previously, the cybersecurity review also discovered DiDi had data handling activities that seriously affect national security, as well as violations of law and regulations such as refusing to carry out supervising departments' clear requirements, feigning compliance (阳奉阴违), and maliciously evading supervision. DiDi's operations in violation of law and regulations posed serious risks and hidden dangers to national critical information infrastructure security and data security. Because this touches on national security, in accordance with law, it will not be made public.

3) Q: How has the law-violating subject been identified in this case?

A: DiDi was established in January 2013, and its relevant domestic lines of service primarily include online ride-hailing, ride-sharing, two-wheeled vehicles, car manufacturing, etc. Relevant products include 41 apps such as the DiDi Chuxing app, the DiDi Driver app, and DiDi Enterprise Edition app.

DiDi has the highest decision-making authority over major matters in each domestic business line, the intra-firm systems and norms it formulates are fully applicable to domestic business lines, and it bears supervision and management responsibilities for implementation conditions. Through the DiDi Information and Data Security Committee and the subordinate Personal Information Protection Committee and Data Security Committee, the company participates in the policymaking guidance, supervision, and management of relevant online ride-hailing, ride-sharing, etc., business line activities. Each business line's illegal activities are concretely carried out under the unified policymaking and deployment of the company. On these grounds, the law-violating subject is identified as DiDi. 

DiDi Chairperson and CEO Cheng Wei and President Liu Qing had management responsibility for the illegal activities.

4) Q: What is the main basis for the decision to impose administrative punishment on DiDi relevant to the cybersecurity review?

A: The administrative punishment of DiDi relevant to this cybersecurity review is special and different from regular administrative punishment. DiDi's activities in violation of laws and regulations were serious, and combined with the cybersecurity review situation, call for the imposition of severe punishment. First, on the character of the illegal activities, DiDi failed to follow provisions of relevant laws and administrative regulations and the requirements of supervising departments in carrying out cybersecurity, data security, and personal information protection responsibilities. It disregarded national cybersecurity and data security, and posed serious risks and hidden dangers to national cybersecurity and data security. When instructed by supervising departments to rectify matters, it nonetheless failed to conduct complete and thorough reforms. The character was extremely despicable. Second, on the duration of the illegal activities, DiDi's relevant illegal activities began as early as June 2015 and continued to this day, lasting 7 years. It continued to violate the Cybersecurity Law implemented in June 2016, the Data Security Law implemented in September 2021, and the Personal Information Protection Law implemented in November 2021. Third, on the harm from the illegal activities, DiDi used illegal means to collect user clipboard information, screenshot information from within photo albums, familial relationship information, and other personal information. It seriously violated user privacy and seriously damaged user personal information rights and interests. Fourth, on the scale of illegal handling of personal information, DiDi illegally handled as many as 64.709 billion pieces of personal information. The scale of data was enormous, including many kinds of sensitive personal information such as facial recognition data, precise location information, and national ID numbers. Fifth, on the circumstances of illegal handling of personal information, DiDi's illegal activities entail multiple apps and encompass many kinds of circumstances, including the excess collection of personal information, the forced collection of sensitive personal information, frequent app requests for permissions, failure to fulfill personal information handling notice obligations, and failure to fulfill cybersecurity and data security protection obligations.

In the integrated consideration of the character of DiDi's illegal activities, their duration, their harms, and their circumstances, the main bases for the decision to impose punishment related to the cybersecurity review of DiDi are the relevant provisions of the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Administrative Punishments Law, etc.

5) Q: What are some key directions and areas for the next steps of cyber law enforcement?

A: In recent years, the country has continuously strengthened protection of cybersecurity, data security, and personal information. It has promulgated the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Critical Information Infrastructure Security Protection Provisions, the Cybersecurity Review Measures, the Outbound Data Transfer Security Assessment Measures, and other laws and administrative regulations. Cyberspace and informatization departments will expand the scope of law enforcement in areas such as cybersecurity, data security, and personal information protection. Through management and punishment measures such as law enforcement consultations, ordering rectifications, warnings, notices and criticisms, fines, ordering the suspension of relevant business, suspending operations for rectification, closing websites, takedowns (下架), and dealing with responsible persons, they will, according to the law, strike against harms to national cybersecurity or data security, damage to citizen personal information, and other illegal activities. They will realistically safeguard national cybersecurity, data security, and societal public interests and strongly ensure the legitimate rights and interests of the people and the masses at large. At the same time, they will increase exposure of typical cases, build great momentum and strong deterrence, let each case be a warning (做到查处一案、警示一片), educate and guide Internet enterprises to operate in accordance with laws and regulations, and advance the healthy, regulated, and orderly development of enterprise.

Chinese-language original

July 21, 2022, 1:00 p.m. Source: Zhongguo Wangxin Wang