Extraterritorial application of China’s law to a non-China entity
The penalty has been imposed on Didi Global, a company incorporated in the Cayman Islands. Didi Global was the entity with actual control over the group’s data processing activities in China, according to the CAC. In taking this action, the CAC affirmed the extraterritorial effect of China’s data privacy laws, including the Personal Information Protection Law, and their application to entities incorporated outside of China.
Like many other Chinese businesses in the tech sector (such as e-commerce platforms and online publishing or streaming platforms) that are listed overseas, Didi Global uses a variable interest entity (VIE) structure. This structure facilitates a contract-based beneficiary shareholding of Didi Global’s operating companies, which are incorporated as purely domestic companies in China in order to avoid foreign ownership restrictions applicable to industries including transportation.
What were the violations?
According to the CAC, the following acts were non-exhaustive examples of Didi Global’s violations of China’s data protection laws:
- Illegal collection of screenshots from users’ mobile phone albums.
- Excessive collection of information from users’ clipboards and app lists.
- Excessive collection of passengers’ facial recognition images and information about their ages, occupations, family relationships and addresses.
- Excessive collection of users’ geolocation information (latitude and longitude) when users comment on the service, when the app runs in the background or when users connect their mobile phones to the “orange-vision” in-vehicle car camera and driving recorder app developed by Didi Global.
- Excessive collection of drivers’ educational backgrounds and storing drivers’ identification numbers without redaction.
- Unauthorised analysis of passengers’ travel plans and information about their cities of residence and travel/business trips to other cities.
- Frequent and unnecessary requests for phone call permissions when offering ride-hailing services to passengers.
- Failure to accurately and clearly state the purpose of processing certain personal information collected, such as users’ device information.
Following the above, the CAC emphasised that it was critical for Didi Global to analyse and properly justify the necessity of its collection of users’ personal information and in doing so, to adhere to the data minimisation principle.
What penalties has the CAC imposed?
The CAC imposed the following penalties on Didi Global:
- A fine of RMB 8.026 billion (US$ 1.2 billion) on Didi Global, accounting for about 4.6 per cent of Didi Global’s RMB 173.827 billion total revenue last year, which almost reaches the maximum of 5 per cent of total revenue allowed under China’s Personal Information Protection Law.
- A fine of RMB 1 million each for Didi Global’s CEO and president, which is the maximum fine that can be imposed on persons in charge of a company that violates China’s Personal Information Protection Law.
In addition, Didi Global’s apps were taken down from app stores during the investigation period. Didi Global was also banned from accepting new users on its apps, thereby leading to a loss of market share and revenue.
What did the CAC consider when determining the quantum of the penalty?
In its decision, the CAC emphasised that the hefty penalty imposed was due to the severity of the violations. In particular, the CAC took into account the following factors in determining the severity of the penalty:
- Attitude of the business
Didi Global had failed to cease and rectify its violations even after it had received requests from the regulator to do so.
While no details were disclosed in the CAC’s decision, Didi Global had pushed ahead with its initial public offering (IPO) on the New York Stock Exchange (NYSE) without seeking the Chinese regulator’s pre-approval just weeks before the CAC released its draft Network Security Review Measures. These measures required a prior review and approval by the CAC for any offshore IPOs of Chinese businesses with more than one million individual users in China. This would therefore have been viewed as a deliberate circumvention of Chinese laws and a lack of cooperation by Didi Global.
We have reproduced a chronological timeline pertaining to Didi Global’s IPO and the CAC’s investigation as follows: