All of a sudden! Didi was fined 8.026 billion yuan: the illegal collection of tens of billions of data is shocking!

According to the Network Security Law, data Security Law, personal Information Protection Law, Administrative punishment Law and other laws and regulations, the State Cyber Information Office imposed a fine of 8.026 billion yuan on Didi Global Co., Ltd., and a fine of 1 million yuan on Cheng Wei, chairman and CEO of Didi Global Co., Ltd., and Liu Qing, president of Didi Global Co., Ltd.

Since July last year, in order to prevent national data security risks, safeguard national security, and safeguard public interests, in accordance with the National Security Law and the Network Security Law, the Network Security Review Office conducted a network security review on Didi in accordance with the Network Security Review measures.

The State Internet Information Office pointed out that according to the investigation, there are a total of 16 illegal facts in Didi, which can be summed up in eight aspects:

One is to illegally collect 11.9639 million screenshots from users' mobile phone albums.

The second is excessive collection of user clipboard information and 8.323 billion items of application list information.

Third, excessive collection of 107 million pieces of passenger face recognition information, 53.5092 million pieces of age information, 16.3356 million pieces of occupation information, 1.3829 million pieces of kinship information, and 153 million pieces of taxi address information of "home" and "company".

The fourth is to excessively collect 167 million pieces of accurate location (longitude and latitude) information when passengers evaluate the driving service, when App is running in the background, and when the mobile phone is connected to the orange recorder.

Fifth, excessively collect 142900 pieces of driver's education information and store 57.8026 million pieces of driver's ID number information in clear text.

Sixth, without clearly informing passengers, 53.976 billion items of passenger travel intention information, 1.538 billion pieces of resident city information and 304 million pieces of remote business / remote tourism information are analyzed.

Seventh, passengers frequently ask for irrelevant "telephone permissions" when using the hitchhiking service.

Eighth, 19 personal information processing purposes, such as user equipment information, are not accurately and clearly stated.

Didi has the highest decision-making power on major matters of each business line in the territory, and the internal system and norms formulated by the company are applicable to all business lines in the territory, and are responsible for the supervision and management of the implementation.

Cheng Wei, chairman and CEO of Didi, and Liu Qing, president of Didi, are in charge of illegal acts.

The relevant administrative penalties for the network security review of Didi Company are different from the general administrative penalties and have particularity. The circumstances of Didi's violations of laws and regulations are serious, and combined with the situation of network security review, it should be punished severely and severely.

First, from the nature of the illegal acts, Didi failed to fulfill the obligations of network security, data security, and personal information protection in accordance with the provisions of relevant laws and regulations and the requirements of the regulatory authorities, and ignored the national network security and data security. it brings serious hidden dangers to national network security and data security, and under the condition that the regulatory authorities have ordered it to correct, it has not yet carried out comprehensive and in-depth rectification, and the nature is extremely bad.

Second, in terms of the duration of the violations, Didi's related violations began as early as June 2015 and have lasted for seven years. Continue to violate the Network Security Law implemented in June 2017, the data Security Law implemented in September 2021 and the personal Information Protection Law implemented in November 2021.

Third, from the harm of illegal behavior, Didi Company collects user clipboard information, screenshot information in photo albums, kinship information and other personal information through illegal means, which seriously infringes upon user privacy and the rights and interests of user personal information.

Fourth, from the number of illegal processing of personal information, Didi company illegally processed 64.709 billion pieces of personal information, a huge number, including face recognition information, accurate location information, ID card number and other sensitive personal information.

Fifth, from the perspective of illegal handling of personal information, Didi's illegal behavior involves a number of App, including excessive collection of personal information, compulsory collection of sensitive personal information, frequent claims by App, failure to fulfill the obligation of personal information processing and disclosure, failure to fulfill the obligation to protect network security data, and so on.

Taking into account the nature, duration, harm and situation of Didi's illegal acts, the decision on the relevant administrative penalties for network security review of Didi Company is mainly based on the relevant provisions such as the Network Security Law, the data Security Law, the personal Information Protection Law, and the Administrative punishment Law.

Going back a year, on June 30, 2021, Didi quickly and quietly listed on the New York Stock Exchange and IPO raised $4.4 billion, the largest US listing of Chinese stocks since Alibaba in 2014.

Then, on July 2, two days later, the Network Security Review Office conducted a network security review on "DiDi" in accordance with the "Network Security Review measures."

In order to cooperate with the network security review work and prevent the expansion of risks, "DiDi" stopped new user registration during the review period.

Then, DiDi Mini Program was removed from the shelves on July 7, and DiDi App, the official website, has been removed from the shelves and cannot be downloaded completely. On July 9, 25 App models, including Didi Enterprise Edition, were removed from the shelves.

On July 16, 2021, the State Cyber Information Office, together with the Ministry of Public Security, the Ministry of State Security, the Ministry of Natural Resources, the Ministry of Transport, the State Administration of Taxation and the General Administration of Market Supervision, jointly stationed in DiDi Science and Technology Co., Ltd. to carry out network security review.

On June 2, 2022, Didi formally submitted an application for delisting to the SEC. On June 10, Didi was officially delisted from the New York Stock Exchange.

Today, the State Internet Information Office issued a decision on Didi's administrative punishment. in response, DiDi responded through the official Weibo, saying that "sincerely accept, resolutely obey, and strictly abide by the penalty decision and relevant laws and regulations." comprehensive and in-depth self-investigation, actively cooperate with supervision, and conscientiously complete rectification and reform. "

He was fined 8.026 billion yuan. From the result of the processing, Didi paid the price for its previous barbaric growth and disregard of information security. At the same time, it also made everyone soberly aware:

No matter how strong the power of capital is, it cannot override the security of user data.