Cyberspace Administration of China Issues Statement on Didi’s $1.2B Fines for Cybersecurity Law Violations

Morgan Lewis

The Cyberspace Administration of China (CAC) announced on July 21 that it fined China’s ride-hailing giant Didi 8.026 billion yuan ($1.2 billion) for illegally collecting customer information since 2015 and handling data in a way that endangered national security.

The penalty amounts to more than 4% of Didi’s annual revenue, close to the maximum fine of 5% allowed under China’s Personal Information Protection Law (PIPL). Notably, the CAC also fined Didi’s founder and Chief Executive Cheng Wei and President Jean Liu 1 million yuan ($148,000) each for being personally responsible for Didi’s corporate offenses.

Morgan Lewis’s cybersecurity compliance team prepared an unofficial translation of CAC’s latest statement on the case in the form of a Q&A with media reporters. The statement revealed more details regarding CAC’s basis for its penalty decision. It stated that Didi committed 16 offenses, which appeared to focus on failure to adequately inform the drivers and passengers of data collection and obtain their informed consent.

The CAC also stated that Didi had engaged in data processing activities that had caused risks to “the nation’s crucial information infrastructure and data security” but did not disclose more specifics, citing national security reasons. In practice, an example of unspecified data processing activities might include attempted or actual transfer of sensitive data outside of China without first seeking and receiving data security clearance from the CAC, thereby potentially giving adversarial foreign regulators access to a large volume of personal and other sensitive data in China.

The record-breaking fine in this case came on the heels of the recent release of a series of new regulations and draft guidelines aimed at regulating the transfer of sensitive data outside of China. Please refer to our latest LawFlash for a summary of these regulations.

As the Didi case indicates yet again, non-compliance with China’s sweeping cybersecurity and data privacy regulations may result in significant legal penalties, and multinational corporations are well advised to review and update their current cybersecurity and data privacy policies and programs to mitigate those risks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
