Didi was fined 8.026 billion yuan to collect billions of data illegal

According to the news on July 21, the WeChat public account of "China Information China" WeChat, according to the problems and clues found in the conclusions and clues of network security censorship, the National Internet Information Office shall investigate the suspected illegal behavior of Didi Global Co., Ltd. in accordance with the law.After verification, Didi Global Co., Ltd. violated the personal information protection law of the Cyber Security Law of the Cyber Security Law, the facts of illegal and illegal acts were clear, the evidence was conclusive, the circumstances were serious, and the nature was bad.

On July 21, the State Internet Information Office shall be fined a fine of 8.026 billion yuan in RMB 8.026 billion in accordance with laws and regulations such as the Personal Information Protection Law of the Personal Information Protection Law of the Cyber Security Law of the Network Security Law.Cheng Wei, chairman and CEO of Global Co., Ltd., and Liu Qing, President Liu Qing, were fined RMB 1 million.

On July 21, the National Internet Information Office announced the decision to review the relevant administrative penalties of Didi Global Co., Ltd. (hereinafter referred to as "Didi Company") in accordance with the law.The relevant person in charge of the National Internet Information Office answered questions from reporters on the case -related questions.

The relevant person in charge of the National Internet Information Office decided to answer reporters to Didi Global Co., Ltd. in accordance with the law

I. Q: Please briefly introduce the background and investigation of the case?

Answer : In July 2021, in orderDidi implements network security review.

According to the issues and clues found in the conclusions of network security review, the National Internet Information Office shall investigate the case of suspected illegal acts in Didi in accordance with the law.During the period, the National Internet Information Office conducted an investigation and inquiry and technical evidence collection, and ordered Didi Company to submit relevant evidence materials to conduct in -depth verification and analysis of the evidence materials in this case, and fully listen to the opinions of Didi Company to protect the legitimate rights of Didi.After investigation, Didi Company's illegal and violations of the Personal Information Protection Law of the Data Security Law of the Corporation of Didi Corporate Formation of the Personal Information Protection Law is clear, the evidence is conclusive, the circumstances are serious, and the nature of it should be severely punished.

2. Q: What illegal and illegal acts exist in Didi?

Answer : It is found that there are 16 illegal facts in Didi, mainly 8 aspects.First, the screenshot information in the user's mobile phone album illegally was 119.639 million; the second was to over -collect the user's shear board information and the application list information of 8.323 billion pieces; the third is to over -collect the passenger face recognition information of 107 million, the age group information of 53.092 millionArticles, professional information of 16.3356 million pieces, family relationship information of 1.3829 million, "home" and "company" taxi address information of 153 million pieces; fourth, when over -collecting passenger evaluation services, app background in the APP, mobile phone connection orange view recordsThe accurate location (latitude and longitude) information of the instrument equipment is 167 million; the fifth is to over -collect 142,900 driver's academic information, which stores 57.8026 million pieces of information in the form of a clear text;Intent information of 53.976 billion, the resident city information of 1.538 billion, and 304 million travel information in different places/different places; seventh is the "phone permissions" that frequently obtained unrelated "phone permissions" when passengers use the ride -winding car service;19 personal information processing purposes such as equipment information.

Earlier, cybersecurity review also found that Didi has a data processing activity that seriously affects national security and the clear requirements of the regulatory authorities. Yang Fengyin violations and malicious evasion of supervision and other violations of laws and regulations.The illegal operation of Didi Corporation has brought serious security risks to the security of national key information infrastructure security and data security.Because of national security, it is not disclosed according to law.

Three, Q: How did the illegal subject of this case determine?

Answer : Didi was established in January 2013. The relevant domestic business lines mainly include online car rental, ride -hailing, two -wheeled cars, cars, etc., Didi car owner APP, Didi Shunfeng APP, Didi Enterprise APP and other 41 APPs.

Didi has the highest decision -making power on major business lines in the country. The internal system specifications formulated by the formulation of the internal system of enterprise are applicable to all domestic business lines, and the responsibility for supervision and management of the implementation situation.The company participated in the decision -making guidance, supervision and management of the personal information protection committee and the personal information protection committee and the data security committee under it, and participated in the business lines such as online car rental and ride.The company's unified decision -making and deployment implementation.Based on this, the subject of the illegal act in this case was identified as Didi.

The chairman and CEO Cheng Wei and president Liu Qing of Didi, Liu Qing, who are in charge of illegal acts.

Four. Q: What is the main basis for the decision to make cyber security review related administrative penalties to Didi?

Answer : This time, the relevant administrative punishment of Didi's network security review is different from ordinary administrative penalties and is particularly special.The plot of Didi illegal behaviors is serious, and combined with network security censorship, it should be punished strictly.First, from the nature of illegal acts, Didi has not fulfilled network security, data security, and personal information protection obligations in accordance with relevant laws and regulations and regulatory departments.Data security brings serious hidden risks, and in the case of regulatory authorities ordered correction, it has not carried out comprehensive and in -depth rectification, and its nature is extremely harsh.Second, from the perspective of the duration of illegal acts, the earliest illegal acts of Didi started in June 2015. It has continued to this day and has been 7 years long.The data security law and the personal information protection law implemented in November 2021.Third, from the perspective of illegal behavior, Didi Company collects personal information such as user cutting information, screenshot information in the album, and family relationship information through illegal means, which seriously violates user privacy and seriously infringes on user personal information rights.Fourth, from the perspective of the number of personal information illegal processing, Didi Company's illegal processing personal information reached 64.709 billion, which was huge, including many types of sensitive personal information such as face recognition information, accurate location information, and ID number.Fifth, from the perspective of illegal handling personal information, Didi illegal acts involved multiple APPs, covering excessive collection of personal information, compulsory collection of sensitive personal information, frequent claims of apps, notification obligations of personal information processing, not doing network security, unsatisfactory network securityData security protection obligations and other situations.

Comprehensive consideration of the nature, duration, harm, and situation of Didi Company's illegal behavior, the main basis for making the relevant administrative penalties for cyber security review of Didi is the Personal Information Protection Law of the Network Security Law Personal Information Protection Law.Wait for relevant regulations.

5. Q: What are the key directions and areas of the next step of online law enforcement?

Answer : In recent years, the state has continuously strengthened the protection of network security, data security, and personal information.Regulations on laws and regulations such as data outbound security assessment measures such as network security review.Treatment of punishment measures such as responsible persons and other illegal acts such as hazarding national cyber security, data security, and infringing personal information of citizens in accordance with the law, and actual securityThe protection of national network security, data security, and public interests of the society will effectively protect the legitimate rights and interests of the people.At the same time, increase the exposure of typical cases, form a strong momentum and strong deterrent, to investigate and deal with one case, warn, and promote Internet companies to operate compliantly in accordance with laws, and promote the healthy and orderly development of enterprises.

Previously