Didi slapped with $1.1B fine for breaching China data security laws

Didi Global has been fined 8 billion yuan ($1.18 billion) for breaching China's cybersecurity and data security laws. The Chinese ride-sharing operator is accused of 16 illegal practices involving the collection of passenger data. 

Cyberspace Administration of China (CAC) said Thursday Didi had violated the country's cybersecurity and data security laws. The industry regulator pointed to the Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL), reported state-run media agency China Daily.

CAC said Didi had illegally collected its users' personal data, including 107 million pieces of passengers' facial recognition details as well as their photos and short messages. 

In addition, the company's CEO Cheng Wei and president Liu Qing were each fined 1 million yuan ($148,070), in accordance with the respective regulations. 

Didi posted a statement Thursday on Chinese microblogging platform Weibo acknowledging the government's decision. It said it would comply with the fine order. 

The Beijing-based company added that it would conduct an internal assessment and cooperate with CAC to beef up its cybersecurity, data security, and personal data security measures.

Thursday's announcement comes a year into CAC's probe of Didi's cybersecurity practices, which had kicked just days after the company made its debut on the New York Stock Exchange. Didi in July 2021 was instructed to remove its app from local appstores, after CAC said it had breached regulations governing the collection and use of personal data. 

The regulator had put the company under a cybersecurity review to "prevent national data security risks" and safeguard public interest. 

Didi delisted from the New York Stock Exchange in June 2022. 

Hackers earlier this month claimed to have access to personal data of 1 billion residents in China, after putting the information on sale via an online forum. They allegedly retrieved the data from the Shanghai National Police, though, the Chinese government had yet to publicly acknowledge the leak. 

Reports emerged last week that Alibaba had been called in by Shanghai authorities over the breach. According to the Wall Street Journal, which cited unnamed sources, the affected database's administrative dashboard was left open without a password for more than a year. The data was hosted on Alibaba Cloud. 

CAC in January this year released draft laws that would require, amongst others, mobile apps to be licensed if they provided news and to go through a security assessment if they influenced public opinion. They also must adhere to cybersecurity guidelines and not endanger national security. 

The proposed legislation would further regulate services provided via mobile apps and ensure these operated alongside the country's other laws, including the PIPL and Data Security Law, CAC then said. 

RELATED COVERAGE

• Didi barred from China appstores amidst government cybersecurity review
• China data breach likely to fuel identity fraud, smishing attacks
• China moots additional security rules for apps that influence public opinion
• China looks to classify online data in draft security laws
• Data assessment, user consent key to compliance with China law
• China's personal data protection law kicks in today