China imposes largest data protection penalty

29 July 2022 Reed Smith Client Alerts

Home Perspectives China imposes largest data protection penalty

After a year-long investigation into alleged violations of China’s data protection law by Didi Global Inc. (Didi Global), the Cyberspace Administration of China (CAC) announced on 21 July 2022 that a $1.2 billion (RMB 8.026 billion) administrative penalty will be imposed on Didi Global. To date, it is the highest regulatory penalty ever imposed in a data protection case in China.

Authors: Amy Yin Gerard M. Stegmaier Bryan Tan Asha Sharma

Extraterritorial application of China’s law to a non-China entity

The penalty has been imposed on Didi Global, a company incorporated in the Cayman Islands. Didi Global was the entity with actual control over the group’s data processing activities in China, according to the CAC. In taking this action, the CAC affirmed the extraterritorial effect of China’s data privacy laws, including the Personal Information Protection Law, and their application to entities incorporated outside of China.

Like many other Chinese businesses in the tech sector (such as e-commerce platforms and online publishing or streaming platforms) that are listed overseas, Didi Global uses a variable interest entity (VIE) structure. This structure facilitates a contract-based beneficiary shareholding of Didi Global’s operating companies, which are incorporated as purely domestic companies in China in order to avoid foreign ownership restrictions applicable to industries including transportation.

What were the violations?

According to the CAC, the following acts were non-exhaustive examples of Didi Global’s violations of China’s data protection laws:

Illegal collection of screenshots from users’ mobile phone albums.
Excessive collection of information from users’ clipboards and app lists.
Excessive collection of passengers’ facial recognition images and information about their ages, occupations, family relationships and addresses.
Excessive collection of users’ geolocation information (latitude and longitude) when users comment on the service, when the app runs in the background or when users connect their mobile phones to the “orange-vision” in-vehicle car camera and driving recorder app developed by Didi Global.
Excessive collection of drivers’ educational backgrounds and storing drivers’ identification numbers without redaction.
Unauthorised analysis of passengers’ travel plans and information about their cities of residence and travel/business trips to other cities.
Frequent and unnecessary requests for phone call permissions when offering ride-hailing services to passengers.
Failure to accurately and clearly state the purpose of processing certain personal information collected, such as users’ device information.

Following the above, the CAC emphasised that it was critical for Didi Global to analyse and properly justify the necessity of its collection of users’ personal information and in doing so, to adhere to the data minimisation principle.

What penalties has the CAC imposed?

The CAC imposed the following penalties on Didi Global:

A fine of RMB 8.026 billion (US$ 1.2 billion) on Didi Global, accounting for about 4.6 per cent of Didi Global’s RMB 173.827 billion total revenue last year, which almost reaches the maximum of 5 per cent of total revenue allowed under China’s Personal Information Protection Law.
A fine of RMB 1 million each for Didi Global’s CEO and president, which is the maximum fine that can be imposed on persons in charge of a company that violates China’s Personal Information Protection Law.

In addition, Didi Global’s apps were taken down from app stores during the investigation period. Didi Global was also banned from accepting new users on its apps, thereby leading to a loss of market share and revenue.

What did the CAC consider when determining the quantum of the penalty?

In its decision, the CAC emphasised that the hefty penalty imposed was due to the severity of the violations. In particular, the CAC took into account the following factors in determining the severity of the penalty:

Attitude of the business

Didi Global had failed to cease and rectify its violations even after it had received requests from the regulator to do so.

While no details were disclosed in the CAC’s decision, Didi Global had pushed ahead with its initial public offering (IPO) on the New York Stock Exchange (NYSE) without seeking the Chinese regulator’s pre-approval just weeks before the CAC released its draft Network Security Review Measures. These measures required a prior review and approval by the CAC for any offshore IPOs of Chinese businesses with more than one million individual users in China. This would therefore have been viewed as a deliberate circumvention of Chinese laws and a lack of cooperation by Didi Global.

We have reproduced a chronological timeline pertaining to Didi Global’s IPO and the CAC’s investigation as follows:

Didi Global chronological timeline

The violations persisted for a long period of time

During its investigation, the CAC discovered that Didi Global’s unlawful practices commenced in 2015 and had continued for years. As noted above, China’s Personal Information Protection Law actually became effective after the investigation on Didi Global had been initiated. The law does not specify that it has retrospective effect. The CAC took the view that since Didi Global’s violations continued even after the law was enacted, the entire period during which the conduct occurred (including the period before the new law was enacted) must be considered in totality when determining the penalty. The potential harm to individuals was significant.

The CAC noted the sensitivity of the personal information of users that was collected by Didi Global, which the CAC also considered to be excessive. The CAC was of the view that such excessive collection and processing of personal data could cause significant damage to users’ privacy rights.

A large volume of personal information was involved

Didi Global had illegally collected 64.709 billion personal data records, involving sensitive information such as facial recognition images, precise geolocation data, and identification numbers of users.

There were multiple violations

The CAC found that a total of 41 apps were developed and operated by Didi Global. As these apps were separate and distinct from each other, the contravening acts by Didi Global pertaining to each of these apps were viewed as multiple separate violations of China’s data protection laws and requirements.

Commentary and implications

The Didi Global case underscores the importance of taking compliance with China’s data protection laws seriously. It is evident that the CAC and other authorities will not hesitate to impose significant penalties for contraventions or violations of data protection standards. Although enforcement cases and judgments are not legally binding on subsequent cases in China since China is a civil law country rather than a common law country, the decision issued by the central level CAC will be regarded as having important precedential value in the sense that it provides guidance on how the CAC will conduct future investigations relating to data protection breaches. This would also help guide similar regulatory investigations and/or decision-making processes that may be undertaken or carried out by the CAC’s local/state counterparts, as well as other industry or sectoral regulators in China.

Businesses that fail to pay careful attention to Chinese data privacy laws, where applicable, may easily find themselves in the cross hairs of this regulator ‒ with significant consequences. This is especially so for companies in the tech and life sciences sectors, where VIE structures are commonly adopted for planned offshore listings and where large volumes of more sensitive personal information are collected and processed during such companies’ operations in China.

The Didi Global case also emphasises the value of taking a robust approach when interpreting and adhering to China’s data privacy laws. Not only is this recent enforcement action helpful but it also showcases how and why reviewing the legislative scheme in isolation may be especially risky.

From a practical perspective, companies that undertake a substantial review of their data processing activities and understand the scope of such activities, as well as their potential impact, will be better positioned to avoid interpretive uncertainty.

This enforcement action represents a clear example of China emerging as a significant data protection enforcer and yet another market where privacy and data protection regulation represents a significant emerging risk. As with other markets, such as the United States, the enforcement also showcases the increasing importance of privacy and security issues for public companies and their governance.

Please reach out to any of the authors of this alert or the Reed Smith attorneys with whom you regularly work for more information or guidance on these or related issues.

Client Alert 2022-199

Cheng, Cue named among top lawyers for DeSPAC transactions

Industries

Services

Business Teams

PitchBook: Reed Smith leads on PE transactions in healthcare

You May Be Interested

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Share Tools