On July 21, the Cyberspace Administration of China (CAC) announced a decision to impose administrative penalties on Didi Global Co., LTD. (hereinafter referred to as Didi Co.) in connection with its cyber security review. An official of the Cyberspace Administration of China answered journalists' questions on the case.
Q: Could you brief us on the background and investigation of the case?
A: In July 2021, in order to prevent national data security risks, safeguard national security and protect the public interest, in accordance with the National Security Law and Cyber Security Law, the Cyber Security Review Office conducted a cyber security review of Didi in accordance with the Cyber Security Review Measures.
The Cyberspace Administration of China launched an investigation into Didi's alleged illegal activities in accordance with the law, based on the findings of the cyber security review and the problems and clues found. During this period, the Cyberspace Administration of China conducted investigation and technical evidence collection, ordered Didi to submit relevant evidence materials, conducted in-depth verification and analysis of the evidence materials in this case, and fully listened to Didi's opinions to protect the legal rights of Didi. It has been verified that Didi's violations of the Cyber Security Law, Data Security Law and Personal Information Protection Law are clear, substantiated, serious and abysmal, and should be severely punished.
Q: What are the violations of laws and regulations in Didi?
A: Didi has been found to have committed 16 illegal acts, mainly in eight aspects.
First, 11,963,900 screenshots in users' mobile phone photo albums were illegally collected;
Second, 8.323 billion pieces of clipboard information and application list information were collected excessively;
Third, 107 million pieces of facial recognition information, 53.5092 million pieces of age information, 16.356 million pieces of occupational information, 1,382,900 pieces of family relationship information, and 153 million pieces of taxi address information of "home" and "company" were overcollected;
Fourth, 167 million pieces of accurate location (latitude and longitude) information were collected excessively when passengers appraised the proxy driving service, when the App was running in the background, and when the mobile phone was connected to the Juji recorder device;
Fifth, 142,900 pieces of educational information of drivers were overcollected, and 57,802,600 pieces of driver ID number information were stored in plain text;
Sixth, 53.976 billion pieces of information about passengers' travel intention, 1.538 billion pieces of information about resident cities, and 304 million pieces of information about business and tourism in other places were analyzed without explicitly informing passengers;
Seventh, frequently asking for irrelevant "telephone privileges" when passengers were using the ride-sharing service;
Eighth, 19 personal information processing purposes, including user device information, were not accurately and clearly explained.
Earlier, the cyber security audit also found that Didi was involved in data processing activities that seriously affected national security, as well as other violations of laws and regulations, such as refusing to comply with the explicit requirements of the regulatory authorities, showing full compliance and malicious evasion of supervision. Didi's illegal operation has brought serious security risks to the security of national critical information infrastructure and data security. It's not public because of national security concerns.
Q: How is the illegal subject of this case determined?
A: Didi was founded in January 2013. Its domestic business lines mainly include ride-hailing, hitch, two-wheeler and car making, etc. Its related products include 41 apps, including Didi Chuxing App, Didi Car Owner App, Didi Hitch App and Didi Enterprise App.
Didi has the highest decision-making power on major issues of all domestic business lines, and the internal rules and regulations formulated by Didi are applicable to all domestic business lines, and it is responsible for supervision and management of their implementation. The Company, through the Didi Information and Data Security Committee and its subordinate Personal Information Protection Committee and Data Security Committee, participates in the decision-making, guidance, supervision and management of the activities related to the business lines such as online ride-hailing and hitchhiking. The illegal activities of each business line are implemented under the unified decision-making and deployment of the company. Accordingly, the subject of the illegal act in this case is identified as Didi.
Cheng Wei, chairman and CEO of Didi, and Liu Qing, president of Didi, are responsible for the illegal activities.
Q: What is the main basis for the decision of administrative punishment on Didi regarding the cyber security review?
A: The administrative penalty for the network security review of Didi is different from general administrative penalties and has particularity. Didi's violation of laws and regulations is serious and should be severely punished in light of its cyber security review.
First, from the nature of the illegal acts, Didi did not perform its obligations of network security, data security and personal information protection in accordance with the relevant laws, regulations and regulatory requirements, ignored national network security and data security, posed serious risks to national network security and data security, and, even after being ordered by the regulatory authorities to make corrections, still did not carry out comprehensive and in-depth rectification; the nature is extremely bad.
Second, according to the duration of the violations, Didi's related violations began in June 2015 and lasted for seven years, continuously violating the Cybersecurity Law implemented in June 2017, the Data Security Law implemented in September 2021 and the Personal Information Protection Law implemented in November 2021.
Third, from the perspective of harm caused by illegal behaviors, Didi collects users' personal information such as clipboard information, screenshot information in photo albums and family relationship information by illegal means, which seriously infringes users' privacy and rights and interests of personal information.
Fourth, in terms of the number of pieces of personal information illegally processed, Didi illegally processed 64.709 billion pieces of personal information, including face recognition information, precise location information, ID card number and other sensitive personal information.
Fifth, in terms of the illegal processing of personal information, Didi's illegal behavior involves multiple apps, including excessive collection of personal information, forced collection of sensitive personal information, frequent App claims, failure to fulfill the obligation of informing personal information processing, and failure to fulfill the obligation of protecting network security data.
Taking into account the nature, duration, harm and situation of Didi's illegal acts, the decision to impose administrative penalties on Didi's network security review is mainly based on relevant provisions such as the Network Security Law, Data Security Law, Personal Information Protection Law and Administrative Penalties Law.
Q: What are the key directions and areas of cyber law enforcement in the next step?
A: In recent years, the country has continued to strengthen the protection of network security, data security and personal information, and has promulgated the Cyber Security Law, the Data Security Law, the Personal Information Protection Law, the Critical Information Infrastructure Security Protection Ordinance, the Cyber Security Review Measures, the Data Exit Security Evaluation Measures and other laws and regulations. The cyberspace authorities will strengthen law enforcement in the areas of network security, data security and personal information protection according to law, and take punitive measures such as interviewing, ordering correction, warning, criticizing, fines, ordering suspension of relevant business, business suspension, website closure, removal from shelves and handling of responsible persons. We will crack down on illegal activities that endanger national cyber security, data security and infringe on citizens' personal information in accordance with the law, effectively safeguard national cyber security, data security and social and public interests, and effectively protect the legitimate rights and interests of the people. At the same time, it will increase the exposure of typical cases, form a strong momentum and strong deterrence, investigate and punish a case, warn, educate and guide Internet enterprises to operate in accordance with the law, and promote the healthy, standardized and orderly development of enterprises.