On Thursday, July 21st, the Cyberspace Administration of China fined Didi, China’s largest ride service, CNY8B (@US$1.2B) for violations of its data privacy, data security and cybersecurity laws. The fine reportedly amounts to more than 4% of its total revenue of last year. It also fined the company’s Chairman (Cheng Wei) and President (Jean Liu) each CNY1M (@US$150k) as being responsible for the company’s violations. Regulators claimed Didi, since July of 2015, collected nearly 12 million screenshots and 107M pieces of passenger facial recognition data and more that 167M records of location data, and other information, causing serious national security risks to the country’s critical information infrastructure and data security. Didi has posted on its social media account that it has ‘sincerely’ accepted the decision. It is reported that the government will now ease restrictions it had placed on Didi, including adding new users and having apps removed from online stores in China.

It should be noted that Didi initially listed on the NY Stock Exchange in June of 2021, a move that was not well-met by Chinese regulators, who launched a probe 2 days after the listing, a probe that included raids to the company’s facilities. China subsequently issued several regulations to quickly close the loopholes of the cybersecurity/data protection legal regime, such as the Cybersecurity Review Measures, which require Internet platforms holding more than one million Chinese individuals’ data to pass a cybersecurity review before being listed overseas. Didi subsequently delisted in June of 2022.  It is reported that this resolution may now pave the way for Didi to list in Hong Kong. (Note: the Hong Kong Stock Exchange is not considered “foreign”).

This matter shows the importance of knowing what data you are collecting in China and ensuring compliance with local laws, many of which are new (such as China’s far-reaching Personal Information Protection Law and Data Security Law implemented in the Fall of last year). Not only can the fines and penalties be substantial, but the disruption of services during any investigation can be just as serious. This is especially true if the data collected may be determined as important for national, political or economic security.