The Cyberspace Administration of China (CAC) announced on July 21 that it fined China’s ride-hailing giant Didi 8.026 billion yuan ($1.2 billion) for illegally collecting customer information since 2015 and handling data in a way that endangered national security.
The penalty amounts to more than 4% of Didi’s annual revenue, close to the maximum fine of 5% of annual revenue allowed under China’s Personal Information Protection Law (PIPL). Notably, the CAC also fined Didi’s founder and Chief Executive Cheng Wei and President Jean Liu 1 million yuan ($148,000) each for being personally responsible for Didi’s corporate offenses.
Morgan Lewis’s cybersecurity compliance team prepared an unofficial translation of CAC’s latest statement on the case in the form of a Q&A with media reporters. The statement revealed more details regarding CAC’s basis for its penalty decision. It stated that Didi committed 16 offenses, which appeared to focus on failure to adequately inform the drivers and passengers of data collection and obtain their informed consent.
The CAC also stated that Didi had engaged in data processing activities that had caused risks to “the nation’s crucial information infrastructure and data security” but did not disclose more specifics, citing national security reasons. In practice, an example of unspecified data processing activities might include attempted or actual transfer of sensitive data outside of China without first seeking and receiving data security clearance from the CAC, thereby potentially giving adversarial foreign regulators access to a large volume of personal and other sensitive data in China.
The record-breaking fine in this case came on the heels of the recent release of a series of new regulations and draft guidelines aimed at regulating the transfer of sensitive data outside of China. Please refer to our latest LawFlash regarding a summary of these regulations.
As the Didi case indicates yet again, non-compliance with China’s sweeping cybersecurity and data privacy regulations may result in significant legal penalties, and multinational corporations are well advised to review and update their current cybersecurity and data privacy policies and programs to mitigate those risks.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Gregory T. Parks
W. Reece Hirsch