China has fined Didi Global, a global mobility technology company, around $1.2 billion (8.026 billion yuan) for violating the country’s network security law, personal information protection law, and data security law.
The country’s cybersecurity regulator, the Cyberspace Administration of China (CAC), also fined two Didi executives 1 million yuan each for the infringements.
The ride-hailing service had its app removed from the web by the Chinese authorities last year, prompting the start of an investigation.
The CAC explained: “Based on the conclusions of the network security review and the problems and clues found, the State Internet Information Office filed a case and investigated Didi Global Co., Ltd. for suspected illegal acts in accordance with the law. After investigation, Didi Global Co., Ltd.’s violations of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law are clear, the evidence is conclusive, the circumstances are serious and the nature is heinous.”
The statement did not mention whether the company could restore its app to app stores in China. The app has around 550 million users across the country, as well as in Latin America, Australia, and other Asian countries.
In a response statement, Didi said that it will “obey” the regulator’s requirements and accepted the regulator’s decision.
This ruling comes at a time when privacy and data protection concerns are growing in China. A number of new laws have also been introduced in this area. In 2021, the Personal Information Protection Law (PIPL) was introduced.
Ilia Kolochenko, founder of ImmuniWeb and member of Europol Data Protection Experts Network, said: “Importantly, the growing number of regulations increasingly impose personal liability upon corporate executives for a failure to implement and supervise an adequate data protection strategy at their company. We shall expect higher fines both for non-compliant companies and their executives, while the latter will not necessarily be covered by corporate insurance due to the novelty of the issue. Ongoing risk and threats assessment, privacy impact audits and implementation of a systemised, risk-based and process-driven data protection strategy is the only way for executives to avoid facing harsh monetary penalties or even a personal bankruptcy.”