Didi Global data security enforcement case
China's cyberspace regulator fined ride-hailing giant Didi Global RMB 8.026 billion (about $1.2 billion) after a year-long review found 16 violations of the Cybersecurity Law, Data Security Law and Personal Information Protection Law, including the illegal collection of facial-recognition, location and clipboard data from hundreds of millions of riders and drivers.
- Victim: Didi Global
- Loss: $1.20B
On 21 July 2022, the Cyberspace Administration of China (CAC) imposed a fine of RMB 8.026 billion (roughly $1.2 billion) on ride-hailing leader Didi Global, closing a year-long cybersecurity review. It was the largest data-protection penalty in Chinese history and one of the first to invoke all three pillars of China's new data regime at once.
Background
Just two days after Didi's $4.4 billion New York IPO on 30 June 2021, the CAC announced a cybersecurity review and, within days, ordered Didi's app removed from Chinese app stores. Twenty-five associated apps were pulled for illegal collection of personal information. The timing, immediately following an overseas listing the regulator had reportedly discouraged, led many observers to read the action as partly a message about data sovereignty and offshore listings.
The violations
The CAC concluded that Didi had committed 16 distinct violations spanning conduct from June 2015 onward, breaching the Cybersecurity Law (2017), the Data Security Law (Sept 2021) and the Personal Information Protection Law (Nov 2021). Regulators said Didi had illegally collected, among other things:
- Screenshots and clipboard contents from users' phones
- Tens of millions of pieces of facial-recognition data and precise location/GPS records
- Driver and passenger identity, occupation, family relationship and travel data
- Data processed in ways that endangered national data security
The CAC framed the conduct as large-scale over-collection affecting Didi's hundreds of millions of users and drivers, rather than a single external intrusion.
Impact
- RMB 8.026 billion (~$1.2 billion) corporate fine.
- Personal fines of RMB 1 million each against Didi's chairman/CEO and president.
- Didi delisted from the New York Stock Exchange in June 2022 amid the pressure and saw its app suspended from Chinese stores for roughly a year.
Why it matters
The Didi case is the landmark enforcement action of China's modern data-protection era. Unlike a breach driven by hackers, it established that excessive, non-consensual data collection is itself a punishable security failure under the CSL/DSL/PIPL framework, with penalties scaled to a percentage of revenue in the GDPR mould. It also signalled that Beijing treats large pools of citizen mobility and biometric data as a matter of national security, with direct consequences for where Chinese tech firms may list and how they may handle data.
Financial impact
Reported costs in USD
- Fines & settlements: $1.20B
Timeline
Didi raises $4.4 billion in a New York IPO, despite reported regulatory unease about overseas listing and data handling.
The Cyberspace Administration of China (CAC) announces a cybersecurity review of Didi and orders the app removed from Chinese app stores days later.
25 Didi-related apps are pulled from app stores for illegal collection of personal information.
Didi delists from the New York Stock Exchange amid the ongoing regulatory pressure.
The CAC fines Didi RMB 8.026 billion (~$1.2 billion) for 16 violations and fines two executives RMB 1 million each.