China: Recent Regulatory Action - DiDi Case

Latest Developments

On July 21, 2022, the CAC issued its penalty decision to Didi Global Inc. (Didi) after over 12 months’ investigation since it launched a cybersecurity review over Didi and two other companies last July. The penalties include a fine of CNY 8.026 billion on Didi and a fine of CNY 1 million on each of the Chairman and CEO.


According to the news release issued by the CAC, Didi had violated the CSL, the DSL and the PIPL. The CAC said that the facts of the violations are clear, the evidence is conclusive, the circumstances are serious and the nature is vile.

Didi was found to have committed 16 law violations covering eight aspects:

  • The illegal collection of screenshot information from users’ phone albums;
  • The excessive collection of users’ clipboard and App list information;
  • The excessive collection of passengers’ information about facial recognition, age, job, family relationships and hailing address;
  • The excessive collection of precise location (latitude and longitude) information;
  • The excessive collection of drivers’ education information and the storage of drivers’ unredacted ID number information;
  • The analysis of passengers’ travel intentions, city of residence and non-local business/travel information without clearly informing the passengers;
  • Frequent requests of irrelevant “phone call permissions” when offering ride-hailing service; and
  • Failure to accurately and clearly explain the purpose of processing 19 types of personal information such as users’ device information.

In addition, the CAC said that a previous cybersecurity review also found that Didi had engaged in data processing activities that seriously affected national security and violated other laws and regulations such as refusing to comply with explicit requests from the regulators and intentionally evading supervision.

Next steps and relevance

While the scope of CII, core data and important data is yet to be clarified, the recent enforcement action against Didi seems to indicate that the CAC might elect to enforce the Review Measures where necessary. As such, network platform operators should start to assess whether their processing activities impact or may impact national security and therefore trigger the cybersecurity review process.

*Information is accurate up to 27 November 2023


Cybersecurtiy - Explore further sections

Explore other chapters in the guide

Data as a key digital asset

Crypto assets

AI as a digital asset

Privacy & Data Protection


Digital Identity and Trust Services