China's cybersecurity regulator said on Thursday it has fined ride-hailing giant Didi Global Inc more than 8 billion yuan ($1.19 billion), sending a strong message to the internet industry that it is vitally important to strengthen protection of data security and personal information.
The decision shows that China is aligning with international practices in toughening regulations on data breaches, highlighting the fact that prioritizing data security has become essential for the healthy development of companies, industry experts said.
The Cyberspace Administration of China said a one-year cybersecurity review has found clear evidence that Didi violated the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law.
The Beijing-based company illegally collected over 64.7 billion pieces of user information over a seven-year period starting from June 2015. The amount of the illegally collected information is staggering, as it includes facial recognition data, precise location information and identity card numbers, the regulator said.
The investigation also found that Didi has engaged in data processing activities that seriously affected national security and brought security risks to the nation's key information infrastructure. The company had refused to comply with regulatory requirements and had evaded supervision, the regulator added.
"Didi's violations of laws and regulations are serious and should be severely punished," the Cyberspace Administration of China said.
Song Haixin, a senior lawyer at the Jincheng Tongda & Neal Law Firm in Shanghai, said the Didi case focused on stricter regulation of data security. Instead of just paying lip service, companies must devote large resources to beef up the protection of data and personal information, Song said.
"Companies tend to assume that the regulation of app data is usually conducted online. But the details of Didi's illegal practices show that the regulator conducted on-site investigations of the company, with a very comprehensive review of its management and storage of data," Song said. "Once investigated, any illegal data practices by a company could be found."
Shen Meng, director of the investment bank Chanson & Co, said countries around the world are making tougher regulations against data breaches, as data security is now a key part of national security and data assets are considered to be just as valuable and essential as oil and electricity.
On top of the fine slapped on the company, Didi CEO Cheng Wei and president Liu Qing were fined 1 million yuan each.
Didi said in a statement on social networking platform Weibo on Thursday that the company sincerely accepted the decision and will conduct a comprehensive and in-depth self-examination.
Xu Hao, a lawyer at Jingsh Law Firm in Beijing, said Didi's practices, such as accessing the screenshots of passengers' photos stored in smartphones and information on their commute, violated the Personal Information Protection Law.
The Cybersecurity Law states that if a violation of this law constituted a crime, an investigation will look into possible criminal responsibility. "So far, the regulator only said Didi violated laws. It is still awaiting more information to see whether Didi's violation could constitute a crime," Xu said.
The Cyberspace Administration of China launched the cybersecurity review of Didi after the company made its debut on the New York Stock Exchange in June 2021. One year later, Didi was delisted from the exchange.
Didi has been unable to register new users since the investigation started. The regulator did not say on Thursday when the company could resume registering new users.