Introduction
Didi Chuxing (Didi) was fined RMB 8.026 billion (approx. USD 1.2 billion) on 21 July 2022, more than a year after the Cyberspace Administration of China (CAC) first initiated a cybersecurity review on the ride-hailing giant.
Observations
While the fine still falls short of the USD 2.75 billion antitrust fine meted out to Alibaba last year, the penalty is significant for multiple reasons:
- This is the largest fine ever handed out for a breach of data protection regulations, handily topping Amazon’s USD 877 million General Data Protection Regulation fine in the EU.
- The penalty decision is one of the first public instances where a company has been penalised for violations of the Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL) (together, PRC Data Laws).
- While the cybersecurity review was initiated on 2 July 2021 on the basis of the Cybersecurity Review Measures (which have since been revised), the CAC utilised its findings to penalise Didi under the CSL, DSL and PIPL (which the CAC also administers).
Notably, the DSL and PIPL only came into force on 1 Sept 2021 and 1 Nov 2021, several months after the commencement of the investigation.
The CAC, in a press statement, has justified this on the basis of Didi's infractions beginning “as early as June 2015 and lasting for up to 7 years, continuously violating the Cybersecurity Law implemented in June 2017, the Data Security Law implemented in September 2021, and the Personal Information Protection Law implemented in November 2021”.
- Retrospective Application. The CAC’s characterisation of Didi’s breaches as continuous violations seems to suggest that uncured “breaches” of the laws/regulations may be punished, even if they took place before the particular law/regulation came into force.
This is evident from the CAC’s consideration of Didi’s breaches (beginning June 2015), despite the fact that they predated the earliest PRC Data Law, namely the CSL which came into force in June 2017.
In light of the soon-to-be implemented Security Assessment Measures applying to cross-border data transfers, the retrospective application of the PRC Data Laws is something that businesses should definitely be wary of.
- Personal Liability starts at the top. Two individuals, Cheng Wei, chairman and CEO of Didi Global, and Liu Qing, President of Didi Global, were each personally fined RMB 1 million (approx. USD 148,000) on the basis of the decision making, supervision and management they exercised. This is the maximum possible fine that can be issued to individuals under the PIPL. This broad brush penalisation of Didi’s top brass sends a strong message to other companies subject to the PRC Data Laws, and ‘encourages’ executives to pay closer attention to the data-related activities of their companies.
- CAC’s sweeping powers. During the course of investigations, the CAC “conducted investigation and inquiry, technical evidence collection, ordered Didi to submit relevant evidentiary materials, conduct in-depth verification and analysis of the evidentiary materials in this case”. The CAC’s investigations also lasted for more than a year, during which time 25 mobile apps operated by Didi were removed from PRC app stores. This showcases the extent to which the CAC’s exercise of investigation and enforcement powers may hamstring a business, and serves as a reminder of the importance of compliance with PRC Data Laws, especially where a business deals with a large volume of personal data.
What’s Next?
Expect this to be the tip of the iceberg as the CAC has stated its intention to “lawfully increase the intensity of law enforcement in [cybersecurity and data protection]”. In the meantime, businesses with operations in the PRC, or who deal with PRC-based parties subject to the PRC Data Laws, should ensure they conduct regular data audits of their data policies and processes moving forward.
They should also keep an eye out for developments relating to the cross-border data transfer mechanisms which are set to be rolled out in the coming months (i.e. the Standard Contract, Cross-border data transfer certification, and Security Assessment).