On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law.  In addition, the CEO and the President of the company were each personally fined RMB 1 million (around $150,000 USD).

The public notice of the penalty decision does not provide much detail, but a CAC spokesperson indicated in a press conference that the administration found a total of 16 violations.  This included the illegal collection of large volumes of data on passengers, such as screenshots from albums on mobile devices, user clipboard information and application list information, facial recognition data, and age-related data.  According to the CAC, the company also failed to accurately specify the processing purposes for 19 different types of personal information, including user device information.  

According to the CAC spokesperson, these violations began in May 2015 and continue to this day, which, on a continuous basis, violate the Cybersecurity Law effective since June 2017, the Data Security Law effective since September 2021, and the Personal Information Protection Law effective since November 2021, respectively.

Looking ahead, the CAC spokesperson indicated that the CAC will continue to strengthen enforcement in the areas of cybersecurity, data security and personal information protection.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Photo of Xuezi Dan Xuezi Dan

Xuezi Dan is an associate in the Beijing office of Covington and Burling LLP. Her practice focuses on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China. She has worked closely with many leading…

Xuezi Dan is an associate in the Beijing office of Covington and Burling LLP. Her practice focuses on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China. She has worked closely with many leading international companies on matters ranging from cross-border data transfer, data localization, data protection program, and cybersecurity regulatory compliance.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.