China: Enforcement of data protection – 5% of annual local revenue

On Thursday 21 July 2022, the Cyberspace Administration of China (“CAC”) fined Didi Global Inc, an online ride-hailing business, a total of RMB 8.026 billion (approximately USD 1.2 billion).

The CAC explained that the fines were imposed for Didi’s:

  • illegal collection of over 11.9 million screenshots from users’ mobile phone photo albums;
  • excessive collection of over 8.3 billion pieces of users’ clipboard and application-list information, 107 million passengers’ facial recognition information, 53.5 million pieces of information on age group, 16.3 million pieces of information on occupation, 1.3 million pieces of information on family relationships, and 153 million pieces of information on home and company addresses;
  • excessive collection of 167 million pieces of precise location data when passengers rated chauffeur-driven services, when the application was running in the background, and when users’ mobile phones were connected to video recording devices;
  • excessive collection of 142,900 drivers’ education information, and the storage of 57.8 million drivers’ ID information in plain text;
  • processing of over 53.9 billion pieces of passengers’ travel intention data, 1.53 billion pieces of data on users’ city of residence, and 304 million pieces of data on non-local business or leisure travel without clearly notifying users;
  • repeatedly requesting irrelevant ‘telephone’ permissions during passenger travel; and
  • inaccurate and unclear descriptions of the processing purposes of 19 types of personal information.

Furthermore, the CAC had previously found that Didi’s processing activities posed serious risks to national security and to personal privacy rights, and that Didi had committed other violations of laws and regulations (e.g. refusing to fulfil regulatory requirements and evading regulatory supervision). The fines therefore reflect Didi’s violations of cybersecurity and personal information protection laws and regulations over the past seven years, its inadequate corrections even where ordered by regulators, and its excessive collection and non-compliant processing of personal information (including large volumes of sensitive personal information).

Clarity on Fines?

There was previously uncertainty as to whether the Personal Information Protection Law’s administrative fines of up to 5% of an organisation’s previous year’s annual turnover referred to the organisation’s China local or global revenue.

Moving forward, Didi’s fines may be indicative of how such fines are calculated. Based on Didi’s financial reports, the CAC’s fine of RMB 8.026 billion corresponds to 5% of Didi’s China revenue rather than its global revenue. It is, however, worth noting the CAC’s explanation that the penalties were imposed on Didi Global rather than Didi China because Didi Global has ultimate decision-making power on major issues affecting Didi’s business lines in China, and is responsible for monitoring and supervising the implementation of the global policies that apply to its China operations.

Enforcement trends – what next?

The Chinese authorities have recently become active in clarifying their high-level laws through implementing rules and regulations, and are expected to continue doing so.

Organisations should revisit how they address China data protection and cybersecurity compliance, given that large fines are now a reality in China.

The CAC has also emphasised that it will step up its enforcement efforts in cybersecurity and personal information protection through a range of measures, including regulatory interviews, correction orders, warnings, public criticism, fines, suspension of business and website closures.