On July 21, 2022, the CAC issued its penalty decision to Didi Global Inc. (Didi) after over 12 months’ investigation since it launched a cybersecurity review over Didi and two other companies last July. The penalties include a fine of CNY 8.026 billion on Didi and a fine of CNY 1 million on each of the Chairman and CEO.
According to the news release issued by the CAC, Didi had violated the CSL, the DSL and the PIPL. The CAC said that the facts of the violations are clear, the evidence is conclusive, the circumstances are serious and the nature is vile.
Didi was found to have committed 16 law violations covering eight aspects:
In addition, the CAC said that a previous cybersecurity review also found that Didi had engaged in data processing activities that seriously affected national security and violated other laws and regulations such as refusing to comply with explicit requests from the regulators and intentionally evading supervision.
While the scope of CII, core data and important data is yet to be clarified, the recent enforcement action against Didi seems to indicate that the CAC might elect to enforce the Review Measures where necessary. As such, network platform operators should start to assess whether their processing activities impact or may impact national security and therefore trigger the cybersecurity review process.
*Information is accurate up to 27 November 2023