On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law. In addition, the CEO and the President of the company were each personally fined RMB 1 million (around $150,000 USD).
The public notice of the penalty decision does not provide much detail, but a CAC spokesperson indicated in a press conference that the administration found a total of 16 violations. This included the illegal collection of large volumes of data on passengers, such as screenshots from albums on mobile devices, user clipboard information and application list information, facial recognition data, and age-related data. According to the CAC, the company also failed to accurately specify the processing purposes for 19 different types of personal information, including user device information.
According to the CAC spokesperson, these violations began in May 2015 and continue to this day, which, on a continuous basis, violate the Cybersecurity Law effective since June 2017, the Data Security Law effective since September 2021, and the Personal Information Protection Law effective since November 2021, respectively.
Looking ahead, the CAC spokesperson indicated that the CAC will continue to strengthen enforcement in the areas of cybersecurity, data security and personal information protection.