The CAC is coming: Didi Chuxing fined record $1.2 billion for violating privacy rules | Perspectives & Events – Mayer Brown

Introduction
Didi Chuxing (Didi) was fined RMB 8.026 billion (about US$1.2 billion) on July 21, 2022, more than a year after the Cyberspace Administration of China (CAC) first initiated a cybersecurity review of the ride-hailing giant.

Observations
Although the fine still falls short of the US$2.75 billion antitrust fine imposed on Alibaba last year, it is significant for several reasons:

  1. It is the highest fine ever imposed for violating data protection rules, exceeding Amazon’s US$877 million fine in the EU.
  2. The penalty decision is one of the first public instances in which a company has been penalized for violations of the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) (collectively, the PRC Data Laws).
  3. While the cybersecurity review was initiated on July 2, 2021 under the cybersecurity review measures (which have since been revised), the CAC used its findings to penalize Didi under the CSL, DSL and PIPL (which the CAC also administers).

Notably, the DSL and PIPL only came into effect on September 1, 2021 and November 1, 2021, respectively, several months after the investigation began.

The CAC justified this in a press statement, saying that Didi’s violations “began as early as June 2015 and lasted up to 7 years, continuously violating the Cybersecurity Law implemented in June 2017, the Data Security Law implemented in September 2021 and the Personal Information Protection Law implemented in November 2021”.

Takeaways

  1. Retroactive application. The CAC’s characterization of Didi’s violations as continuing violations seems to indicate that uncured “violations” of laws or regulations may be sanctioned even if they were committed before the relevant law or regulation came into force. This is evident from the CAC’s review of Didi’s violations since June 2015, which predates the PRC’s earliest data law, the CSL, which came into force in June 2017. With the security assessment measures applicable to cross-border data transfers soon to be implemented, the retrospective application of PRC data laws is something businesses should definitely be wary of.
  2. Personal liability begins at the top. Two individuals, Cheng Wei, Chairman and CEO of Didi Global, and Liu Qing, President of Didi Global, were each personally fined RMB 1 million (approx. US$148,000) on the basis of the decision-making, supervision and management they exercised. This is the highest fine that can be imposed on an individual under the PIPL. This harsh punishment of Didi’s top executives sends a strong message to other companies subject to the PRC’s data laws and “encourages” executives to pay closer attention to their companies’ data-related activities.
  3. CAC’s far-reaching powers. In the course of the investigation, the CAC “carried out investigation and inquiry and technical evidence collection, instructed Didi to present relevant evidence, and conducted an in-depth review and analysis of the evidence in the case”. The CAC’s investigation also lasted more than a year, during which 25 mobile apps operated by Didi were removed from the PRC’s app stores. This demonstrates the extent to which the CAC’s exercise of its investigative and enforcement powers can impede a company’s operations, and is a reminder of the importance of complying with PRC data laws, particularly for companies that handle large amounts of personal data.

What’s next?
Expect this to be the tip of the iceberg, as the CAC has stated its intention to “lawfully increase the intensity of law enforcement [in cybersecurity and data protection]”. Meanwhile, companies operating in the PRC, or dealing with PRC-based parties subject to PRC data laws, should ensure that they conduct regular reviews of their data policies and processes going forward.

Businesses should also keep an eye on developments related to the cross-border data transfer mechanisms to be introduced in the coming months (i.e. the standard contract, cross-border data transfer certification and security assessment).
