context: The investigation of ridesharing giant Didi Chuxing kicked off China’s campaign on data security scrutiny. With the publication of the Data Security Law, Personal Information Law and a series of other regulations, China’s data protection system is nearing completion. The economic slowdown is also pushing Beijing to shift to greater certainty in market regulation. This massive fine of Didi Chuxing marks the imminent end of the data security crackdown, in the eyes of many experts.

CAC (China Administration of Cyberspace) announced the final penalty imposed on Didi Chuxing on 21 Jul 2022. The penalty included a 8 bn fine. CAC explained the investigation process, investigation results and the reason for the penalty. It argued Didi

  • illegally collected users’ smartphone data
  • overly collected
    • users’ smartphone clipboards and app lists
    • users’ personal information, including
      • facial recognition
      • age
      • profession
      • family ties
      • family and company location
    • users’ precise location
    • drivers’ personal information, including
      • educational background
      • Citizen ID numbers and saved them without encryption
  • processed and analysed users’ travel data without noticing the users
  • asked for phone call authorisation, which was normally irrelevant to the service
  • unclear notifications regarding the goal of processing 19 types of users’ personal information
  • seriously threatened national security and CII (critical information infrastructure) while refusing to implement government regulations

CAC provided the judgment reference, including

  • government regulations
    • without satisfactorily rectifying violations, disregarding government orders
  • specific laws
    • Cybersecurity Law
    • Data Security Law
    • Personal Information Law
  • violating voluminous and wide-ranging personal private data
    • Didi processed 64.7 bn items of personal data

CAC pledged to continue the regulation on data security violations and strengthen the publicity of typical cases. Didi accepted the punishment and pledged to comply.