The Cyberspace Administration of China has fined ride-sharing company DiDi global ¥8.026 billion ($1.2 billion) for more than 64 billion illegal acts of data collection that it says were carried out maliciously and threatened national security.
Yes, we do mean billion. As in a thousand million.
The Administration enumerated DiDi’s indiscretions as follows:
- 53.976 billion pieces of information indicating travellers’ intentions were analyzed without informing passengers;
- 8.323 billion pieces of information were accessed from users’ clipboards and lists of apps;
- 1.538 billion pieces of information about the cities in which users live were analyzed without permission;
- 304 million pieces of information describing users’ place of work;
- 167 million user locations were gathered when users evaluated the DiDi app while it ran in the background;
- 153 million pieces of information revealing the drivers’ home and business location;
- 107 million pieces of passenger facial recognition information;
- 57.8 million pieces of driver’s ID number information in plain text;
- 53.5092 million pieces of age information;
- 16.3356 million pieces of occupation information;
- 11.96 million screenshots were harvested from users’ smartphones;
- 1.3829 million pieces of family relationship information;
- 142,900 items describing drivers’ education.
The Administration (CAC) also found DiDi asked for irrelevant permissions on users’ smartphones and did not give an accurate or clear explanation for processing 19 types of personal information.
The fine levied on DiDi is not a run of the mill penalty. The Administration’s Q&A about the incident points out that the fine is a special administrative penalty because DiDi flouted China’s Network Security Law, Data Security Law, and Personal Information Protection Law – and did so for seven years in some cases.
The Q&A adds that China has in recent years introduced many data privacy and information security laws, so it’s not as if DiDi did not have good indicators that it needed to pay attention to such matters.
The fine is around 4.7 percent of DiDi’s annual revenue – just short of the five percent cap on such fines available to Chinese regulators. The Q&A couches the fine as a warning and deterrent to other Chinese businesses that they’ll be in deep trouble of they don’t pay close attention to the nation’s laws.
DiDi appears to have got the message. It has apologised for its actions, accepted the fine, and vowed to ensure it does not repeat its mistakes.
Didi had already been punished with a suspension on new customer registration and restrictions on 26 of its apps. Those actions saw it delist from the New York Stock Exchange.
The fines were levied against Didi Global, which operates in 15 nations outside China, but it is unclear if the illegal data collection was conducted beyond the Middle Kingdom.
What is clear is that Chinese authorities very much want the nation’s internet companies to pay close attention to security and privacy laws.
The day before the CAC issued its fines on DiDi, it also re-published an article by China’s president Xi Jinping observing that the national policy to embed digital services in society and the economy sometimes creates opportunities for privacy infringements, IP abuses, development of monopolies, and even cyber terrorism.
“This is an important issue in digital governance, and it is also a ‘question of the times’ that must be answered,” the article states, before adding “Regulation and development have become the ‘two wings’ of the digital economy.”
DiDi appears to have ignored the regulation wing, and has been brought back to Earth with a thud. ®