Data Protection and cyber security in China: Exploring the Didi Case

The personal data protection and cyber security sector in China has this summer, felt the impact brought by the record-high fine of near RMB 8 billion - approximately  1.2 billion US dollars - announced by the Cyberspace Administration of China ("CAC") against Didi Global Inc. ("Didi"). The biggest-ever administrative fine in the relevant sector, it marks the Chinese government's determination to enhance the enforcement of the series of laws and regulations promulgated in the personal data protection and cyber security sectors.

Six key points for companies operating in China

Although CAC's administrative decision on fining Didi is not publicly accessible, according to CAC's official press interview, we summarise some key points which are worthwhile to note by all companies operating in China, especially those processing personal data:

1. CAC lists out Didi's main violations on personal data protection, which are also frequent violations in the sector, as: excessive and/or illegal collection of personal data, collecting personal data without informing the data subject about the purpose of collecting relevant data, storing the personal data without de-identification, encryption or other similar safety measures, etc.;
2. The identification of the entity being subject to administrative punishments shall rely on which entity has the ultimate decision power. In Didi's case, although CAC's investigation is focused on the violations that occurred in China, the parent company, Didi Global Inc., located outside of China, has the highest power to make decisions for all its business lines operated in China and supervise the China operation. The parent company is therefore regarded as the entity that actually committed the violations;
3. The officials of Didi, CEO and President, have been fined RMB 1 million, approximately 150 thousand US dollars, and are personally responsible for Didi's violations.
4. The continuity and length of violations of personal data protection and cyber security laws and regulations would be factored-in when considering the severity of the violation, although some laws and regulations have only been promulgated recently;
5. Considering the nature and volume of personal data collected by Didi and the legal basis of punishment, experts suspect that Didi is qualified as a CIIO (Critical Information Infrastructure Operator);
6. CAC also found other infringements committed by Didi in violation of the Cyber Security Law and the Data Security Law, since different laws and regulations in the sector have overlapping areas. Didi is found liable under multiple personal data protection and cyber security laws.

According to the CAC, within the first half of 2022, a total of 3,491 websites and platforms were interviewed by CAC, with 3,052 websites warned, and 283 websites fined. 419 websites have been suspended or updated, 177 mobile applications have been removed from the shelves, and 12,292 websites have been shut down. There is no doubt that the Chinese government will continue cracking down on violations of personal data protection and cyber security laws.

What must companies do to stay compliant?

Not only must companies operating in China ensure compliance with one, or some, of the most relevant laws and regulations governing their business operation in this sector, they must also take into account the new laws and national standards being promulgated, or in the pipeline.