Didi Global Inc.
Issued by Cyberspace Administration of China (CAC) on 2022-07-21
What happened
China's Cyberspace Administration (CAC) fined Didi Global ¥8.026 billion (approximately $1.19 billion USD) for serious violations of China's Personal Information Protection Law (PIPL), Data Security Law, and Cybersecurity Law. The CAC found that Didi illegally collected users' personal information, including facial recognition data, precise location data, device information, and audio recordings, through its ride-hailing app. Didi was also found to have collected clipboard information, address book data, and photo albums without users' knowledge. The company processed personal information of over 600 million Chinese users without adequate legal basis. The massive fine represented approximately 4% of Didi's 2021 domestic revenue. Didi's chairman and president were also personally fined ¥1 million each.
Articles violated
Lessons learned
China's PIPL carries enforcement consequences comparable to GDPR, with fines of up to 5% of annual revenue. Over-collection of personal data — especially biometric data, precise location, and device information — attracts the highest penalties. Companies must limit data collection to what is strictly necessary for the service. Personal liability for company executives is a reality under PIPL. The Didi case signaled that Chinese authorities will enforce data protection laws aggressively, even against domestic technology giants. Companies operating in China must conduct thorough data collection audits.
Source
View original decision
Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
