China’s cybersecurity regulator fined ride-hailing juggernaut Didi Global $1.2 billion after a year-long probe, saying it had violated data security and personal information protection laws.

The Cyberspace Administration of China said Thursday that Didi illegally collected 12 million pieces of “screenshot information” from users’ mobile photo albums, excessively collected 107 million pieces of passenger facial recognition information and 1.4 million pieces of family relationship information, among other violations.

The regulator also said there were “severe security risks” in Didi’s data-processing methods, which would not be detailed because it related to national security.

“The evidence is conclusive,” the regulator said in a statement published online. “The circumstances are serious, the nature is immoral, and the punishment should be severe.”

China’s Didi to delist from U.S. just months after ride-hailing firm’s $4.4 billion offering

In addition to the fines on the company, Didi’s chairman Cheng Wei and president Jean Liu were each fined $148,000. Didi issued a statement on Thursday saying it accepted the judgment and would strengthen its protection of personal information, while stopping short of apologizing to customers or sharing details on what changes it would make.

“We sincerely thank the competent authorities for their inspection and guidance, and the public for their criticism and supervision,” Didi said.

The crackdown on Didi reflects Beijing’s alarm at the vast troves of personal data that internet companies are gathering, and the risk that it could leak overseas and undermine national security. Other Chinese internet giants have also come under official scrutiny, including Alibaba’s Ant Group, which saw its plans for a record IPO abruptly canceled in 2020.

Analysts say Chinese officials have been concerned that in Didi’s case, sensitive locations and personal information of important individuals could be leaked from its databases.

Such concerns are not without basis. Earlier this month, hackers claimed to have breached a Shanghai police database containing personal data of 1 billion people, which would be one of the largest such exposures in history if confirmed. The unnamed poster claimed the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Alibaba did not immediately respond to a request for comment.

In China, escalating cost of business sends some companies to the exits

China’s personal information protection law also went into effect in November, shoring up the rights of Chinese consumers against excessive corporate tracking.

The trouble began for Didi a year ago. Just days after the company’s IPO on the New York Stock Exchange, China’s cyberspace administration announced a probe, saying the company “illegally collected and used users’ personal information.” The regulator ordered Didi’s ride-hailing app to be removed from Chinese app stores. Existing users could continue using the app, but the move torpedoed the company’s prospects for growth.

Didi’s American depositary shares closed at $3.49 on Wednesday, having slumped 79 percent from its opening price on its listing day. The company offers a ride-sharing platform similar to Uber, with the difference that riders can also use it to book regular taxis.

Didi’s investors voted in May to delist from the New York Stock Exchange, in hopes that a return home would help mollify Beijing regulators.

In its statement on Thursday, China’s Cyberspace Administration said Didi had illegally processed 64.7 billion pieces of personal information since its first violation in 2015. This included users’ age group information, home addresses, locations, driver education, and other data.

Leave a Reply

Your email address will not be published. Required fields are marked *