Didi was fined 8.026 billion yuan by the Cyberspace Administration of China

Original link: https://www.williamlong.info/archives/6869.html

On July 21, the Cyberspace Administration of China imposed a fine of RMB 8.026 billion on Didi Global Co., Ltd. and fined Cheng Wei, its Chairman and CEO, and Liu Qing, its President, RMB 1 million each. Didi Chuxing responded through its official Weibo account that it sincerely accepts and resolutely obeys the penalty decision, and will strictly follow the decision and the requirements of relevant laws and regulations, conduct comprehensive and in-depth self-examination, actively cooperate with supervision, and earnestly complete rectification.

The following is the full text of the decision of the Cyberspace Administration of China:

The Cyberspace Administration of China’s decision to impose administrative penalties related to cybersecurity review on Didi Global Co., Ltd.

According to the conclusion of the network security review and the problems and clues found, the Cyberspace Administration of China has filed a case for investigation into the suspected illegal activities of Didi Global Co., Ltd. in accordance with the law. After verification, Didi Global Co., Ltd. violated the “Network Security Law”, “Data Security Law” and “Personal Information Protection Law” with clear facts, conclusive evidence, serious circumstances and bad nature.

On July 21, the Cyberspace Administration of China imposed a fine of RMB 8.026 billion on Didi Global Co., Ltd. in accordance with the “Network Security Law”, “Data Security Law”, “Personal Information Protection Law”, “Administrative Penalty Law” and other laws and regulations. Cheng Wei, Chairman and CEO of Didi Global Co., Ltd., and Liu Qing, President of Didi Global Co., Ltd., were each fined RMB 1 million.

The relevant person in charge of the Cyberspace Administration of China answers reporters’ questions on the decision to impose administrative penalties on Didi Global Co., Ltd.

On July 21, the Cyberspace Administration of China announced its decision to impose administrative penalties on Didi Global Co., Ltd. (hereinafter referred to as “Didi Company”) for cybersecurity review. The relevant person in charge of the Cyberspace Administration of China answered questions from reporters on issues related to the case.

1. Q: Please briefly introduce the background of the case and the investigation process?

A: In July 2021, in order to prevent national data security risks, maintain national security, and protect public interests, the Cybersecurity Review Office, acting under the National Security Law and the Cybersecurity Law, carried out a cybersecurity review of Didi in accordance with the Cybersecurity Review Measures.

According to the conclusions of the network security review and the problems and clues found, the Cyberspace Administration of China filed a case for investigation of Didi’s suspected illegal activities in accordance with the law. During this period, the Cyberspace Administration of China conducted investigations, inquiries and technical evidence collection, ordered Didi to submit relevant evidence materials, conducted in-depth verification and analysis of the evidence materials in this case, and fully listened to Didi’s opinions to protect Didi’s legal rights. After verification, Didi’s violations of the “Network Security Law”, “Data Security Law” and “Personal Information Protection Law” have clear facts, conclusive evidence, serious circumstances and bad nature, and should be severely punished.

2. Q: What are the violations of laws and regulations by Didi Company?

A: It has been found that Didi Company committed 16 violations, which can be summed up in 8 aspects.

First, it illegally collected 11.9639 million pieces of screenshot information from users’ mobile phone albums;

Second, it excessively collected 8.323 billion pieces of user clipboard information and application list information;

Third, it excessively collected 107 million pieces of passenger facial recognition information, 53.5092 million pieces of age group information, 16.3356 million pieces of occupational information, 1.3829 million pieces of family relationship information, and 153 million pieces of “home” and “company” taxi address information;

Fourth, it excessively collected 167 million pieces of precise location (longitude and latitude) information when passengers evaluated the chauffeur service, when the app was running in the background, and when the mobile phone was connected to the orange video recorder device;

Fifth, it excessively collected 142,900 pieces of driver education information, and stored 57,802,600 pieces of driver ID number information in plain text;

Sixth, it analyzed 53.976 billion pieces of passenger travel intention information, 1.538 billion pieces of resident city information, and 304 million pieces of non-local business/travel information without clearly telling passengers;

Seventh, it frequently asked for irrelevant “telephone permissions” when passengers were using the ride-hailing service;

Eighth, it did not accurately and clearly explain 19 personal information processing purposes, including user equipment information.

Previously, the network security review also found that Didi has data processing activities that seriously affect national security, as well as other violations of laws and regulations such as refusal to fulfill the clear requirements of the regulatory authorities, violation of the law, malicious evasion of supervision, etc. Didi’s illegal operations have brought serious security risks to the security of the country’s key information infrastructure and data security. These matters are not disclosed, in accordance with the law, because they involve national security.

3. Q: How was the violator of the law identified in this case?

A: Didi Company was established in January 2013. The relevant domestic business lines mainly include car-hailing, ride-hailing, two-wheeled vehicles, and car-building, etc. The related products include Didi Chuxing App, Didi Car Owner App, Didi Shunfeng Car App, Didi Enterprise Edition App and other 41 Apps.

Didi has the highest decision-making power over major matters of each business line in China. The company’s internal rules and regulations are applicable to all business lines in China, and it is responsible for the supervision and management of the implementation. Through the Didi Information and Data Security Committee and its personal information protection committee and data security committee, the company participates in the decision-making, guidance, supervision and management of online car-hailing, ride-hailing and other business lines related behaviors. The company’s unified decision-making and specific implementation under the deployment. Accordingly, the subject of the illegal act in this case was identified as Didi Company.

Cheng Wei, chairman and CEO of Didi, and Liu Qing, president of Didi, are responsible for the violations.

4. Q: What is the main basis for the decision to impose administrative penalties related to cybersecurity review on Didi?

A: The administrative penalties related to the cybersecurity review of Didi this time are different from general administrative penalties and are special. Didi’s violations of laws and regulations are serious, and should be severely punished in light of the network security review.

First, from the perspective of the nature of the illegal acts, Didi did not fulfill its obligations of network security, data security and personal information protection in accordance with relevant laws and regulations and the requirements of regulatory authorities, disregarded national network security and data security, and brought serious hidden risks to national network security and data security; even when the regulatory authorities ordered corrections, comprehensive and in-depth corrections were not carried out, and the nature is extremely bad.

Second, from the perspective of the duration of the violations, Didi’s related violations started in June 2015 and have lasted for 7 years, continuing to violate the Cybersecurity Law implemented in June 2017, the Data Security Law implemented in September 2021, and the Personal Information Protection Law implemented in November 2021.

Third, from the perspective of the harm of the illegal acts, Didi collected personal information such as user clipboard information, screenshot information in albums, and family relationship information through illegal means, which seriously violates user privacy and seriously violates users’ personal information rights.

Fourth, in terms of the number of illegally processed pieces of personal information, Didi Company illegally processed 64.709 billion pieces of personal information, a huge number, including facial recognition information, precise location information, ID numbers and other sensitive personal information.

Fifth, from the perspective of the circumstances of the illegal handling of personal information, Didi’s illegal activities involve multiple apps, and include excessive collection of personal information, compulsory collection of sensitive personal information, frequent permission requests by the app, failure to fulfill the obligation to notify users of personal information processing, failure to fulfill network security and data security protection obligations, and other situations.

Taking into account the nature, duration, harm and circumstances of Didi’s illegal acts, the main basis for the decision on administrative penalties related to cybersecurity review imposed on Didi is the relevant provisions of the “Cybersecurity Law”, “Data Security Law”, “Personal Information Protection Law”, “Administrative Punishment Law” and other laws and regulations.

5. Q: What are the key directions and areas of network law enforcement in the next step?

A: In recent years, the state has continuously strengthened the protection of network security, data security, and personal information. Cybersecurity Review Measures, Data Exit Security Assessment Measures, and other laws and regulations. The cybersecurity and informatization department will intensify law enforcement in areas such as network security, data security, and personal information protection in accordance with the law. Through measures and penalties such as law enforcement interviews, orders to make corrections, warnings, notification of criticism, fines, orders to suspend related businesses, business closures for rectification, website closures, delistings, and handling of those responsible, it will crack down in accordance with the law on illegal acts that endanger national network security and data security and infringe on citizens’ personal information, effectively safeguard national network security, data security, and social and public interests, and effectively protect the legitimate rights and interests of the general public. At the same time, it will increase the exposure of typical cases, form a strong momentum and strong deterrence, make each case investigated and dealt with serve as a warning, educate and guide Internet companies to operate in compliance with laws and regulations, and promote the healthy, standardized and orderly development of enterprises.

Source: Netcom China
