The Cyberspace Administration of China has fined ride-sharing company DiDi global ¥8.026 billion ($1.2 billion) for more than 64 billion illegal acts of data collection that it says were carried out maliciously and threatened national security.
Yes, we do mean billion. As in a thousand million.
The Administration enumerated DiDi’s indiscretions as follows:
- 53.976 billion pieces of information indicating travellers’ intentions were analyzed without informing passengers;
- 8.323 billion pieces of information were accessed from users’ clipboards and lists of apps;
- 1.538 billion pieces of information about the cities in which users live were analyzed without permission;
- 304 million pieces of information describing users’ place of work;
- 167 million user locations were gathered when users evaluated the DiDi app while it ran in the background;
- 153 million pieces of information revealing the drivers’ home and business location;
- 107 million pieces of passenger facial recognition information;
- 57.8 million pieces of driver’s ID number information in plain text;
- 53.5092 million pieces of age information;
- 16.3356 million pieces of occupation information;
- 11.96 million screenshots were harvested from users’ smartphones;
- 1.3829 million pieces of family relationship information;
- 142,900 items describing drivers’ education.
The Administration (CAC) also found DiDi asked for irrelevant permissions on users’ smartphones and did not give an accurate or clear explanation for processing 19 types of personal information.
The fine levied on DiDi is not a run of the mill penalty. The Administration’s Q&A about the incident points out that the fine is a special administrative penalty because DiDi flouted China’s Network Security Law, Data Security Law, and Personal Information Protection Law – and did so for seven years in some cases.
The Q&A adds that China has in recent years introduced many data privacy and information security laws, so it’s not as if DiDi did not have good indicators that it needed to pay attention to such matters.
The fine is around 4.7 percent of DiDi’s annual revenue – just short of the five percent cap on such fines available to Chinese regulators.