China has fined global mobility technology platform Didi Global around $1.2bn (8.026 billion yuan) for violating the country’s network security law, data security law and personal information protection law.
The Cyberspace Administration of China (CAC), the country’s cybersecurity regulator, also fined two Didi executives 1 million yuan each for the infringements.
The announcement came a year after the ride-hailing service had its app removed from the web by the Chinese authorities over privacy concerns, when the investigation started.
In a statement, the CAC wrote: “Based on the conclusions of the network security review and the problems and clues found, the State Internet Information Office filed a case and investigated Didi Global Co., Ltd. for suspected illegal acts in accordance with the law. After investigation, Didi Global Co., Ltd.’s violations of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law are clear, the evidence is conclusive, the circumstances are serious and the nature is heinous.”
It did not mention whether the firm, which has around 550 million users across the country, as well as in Australia, Latin America and other Asian countries, could restore its apps to apps stores in the country.
In a statement, Didi said it accepted the regulator’s decision and will “obey” its requirements.
The fines were announced in the context of growing data protection and privacy concerns in China. There have been a number of new laws introduced in this area, including the Personal Information Protection Law (PIPL) last year.
Earlier this month, an anonymous hacker claimed to have stolen the personal information of 1 billion Chinese citizens, representing one of the biggest data breaches in history.
Commenting on the story, Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network said: “This case tellingly illustrates that governments all around the globe finally start taking data protection and privacy seriously. This trend is clearly visible not only in developed Western countries, which set the tone with GDPR back in 2016, but in many developing countries in Latin America, Africa and Asia.
“Importantly, the growing number of regulations increasingly impose personal liability upon corporate executives for a failure to implement and supervise an adequate data protection strategy at their company. We shall expect higher fines both for non-compliant companies and their executives, while the latter will not necessarily be covered by corporate insurance due to the novelty of the issue. Ongoing risk and threats assessment, privacy impact audits and implementation of a systemized, risk-based and process-driven data protection strategy is the only way for executives to avoid facing harsh monetary penalties or even a personal bankruptcy.”