China cybersecurity agency fines ride-hailing giant Didi $1.2 billion for data issues

China's internet regulator on Thursday fined ride-hailing giant Didi $1.2 billion for the company’s voracious data collection policies and lackluster security protections around sensitive user information. 

The Cyberspace Administration of China said it concluded a network security review of the company and found “illegal activities” and violations of the country’s Network Security Law, Data Security Law and Personal Information Protection law. The fine is the largest data protection penalty issued by China, and the second-largest fine imposed on a Chinese technology firm after regulators slapped Alibaba with a $2.75 billion fine last year following an anti-monopoly probe.

The investigation of Didi began last year and the agency said it found 16 violations that included the illegal collection of nearly 12 million users’ photo albums, 107 million facial recognition profiles of passengers and significant amounts of data on user’s personal information. 

Didi kept millions of sensitive user records unencrypted, causing “national security risks,” according to Chinese regulators. 

The company’s app was also collecting “excessive” information on drivers and often asked for device permissions that allowed widespread access to a user’s device. A spokesperson for the Cyberspace Administration of China criticized the company for having “inaccurate and unclear” descriptions of why it needed the information it was collecting. 

“Previously, the network security review also found that Didi has data processing activities that seriously affect national security, as well as other violations of laws and regulations such as refusal to fulfill the clear requirements of the regulatory authorities, violation of the law, malicious evasion of supervision, etc,” the spokesperson said. 

“Didi's illegal operations have brought serious security risks to the security of the country's key information infrastructure and data security. Didi's violations of laws and regulations are serious, and should be severely punished in light of the network security review.”

Founded in 2013, Didi quickly became one of the most popular rideshare apps in China, offering a variety of vehicle-related services. Cheng Wei, Didi’s CEO and chairman, and the company’s president, Liu Qing, were each fined about $150,000. 

The Chinese government added that when Didi was asked to make changes to its data collection policies, it was ignored. The problems began in 2015 and continued even after China passed its Cybersecurity Law in 2017. 

“Didi Company illegally processed 64.709 billion pieces of personal information, a huge number, including facial recognition information, precise location information, ID numbers and other sensitive personal information,” the government spokesperson said. 

“Didi's illegal activities involve multiple apps, including excessive collection of personal information, compulsory collection of sensitive personal information, frequent claims of rights by the app, failure to fulfill the obligation to notify the handling of personal information, and failure to fulfill network security.” 

The Cyberspace Administration of China said it plans to “intensify” its enforcement of cybersecurity and data protection laws in the coming years. 

Didi has been in government crosshairs since last year, when it pushed forward with an attempt to be listed on the New York stock exchange in spite of government concerns about the move. Two days after the announcement, the cybersecurity review began.

The company delisted from the New York Stock Exchange in December. 

In a statement posted to Chinese social media platform Weibo, Didi apologized for the violations and said it appreciated the guidance from the Cyberspace Administration of China. 

“We will take a warning from this, and stick to placing equal emphasis on safety and development. We will further strengthen the construction of network security and data security, strengthen the protection of personal information, earnestly fulfill our social responsibility, serve every passenger, driver and partner well, and realize the safe, health and sustainable development of the enterprise,” the company said. 

Didi was barred from adding any new users and was required to shutter 25 of its apps during the investigation by Chinese regulators. The company did not respond to requests for comment about whether it will now be allowed to add new users. 

The financial penalty aligns with Chinese rules explaining that companies can be fined up to 5% of their annual revenue for violations of the China's Personal Information Protection Law. The $1.2 billion represents about 4.6% of Didi’s $25.7 billion revenue from 2021.