Introduction
Observations
While the fine still falls short of the
- This is the largest fine ever handed out for a breach of data protection regulations, handily topping Amazon's USD 877 million General Data Protection Regulation fine in the EU.
- The penalty decision is one of the first public instances in which a company has been penalised for violations of the Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL) (together, the PRC Data Laws).
- While the cybersecurity review was initiated on 2 July 2021 on the basis of the Cybersecurity Review Measures (which have since been revised), the CAC used its findings to penalise Didi under the CSL, DSL and PIPL (which the CAC also administers).
Notably, the DSL and PIPL only came into force on
The CAC, in a press statement, has justified this on the basis of
Takeaways
- Retrospective Application. The CAC's characterisation of Didi's breaches as continuous violations seems to suggest that uncured "breaches" of the laws/regulations may be punished, even if they took place before the particular law/regulation came into force.
This is evident from the CAC's consideration of
In light of the soon-to-be-implemented Security Assessment Measures for cross-border data transfers, the retrospective application of the PRC Data Laws is something businesses should be alert to.
- Personal Liability starts at the top. Two individuals, Cheng Wei, chairman and CEO of Didi Global, and Liu Qing, President of Didi Global, were each personally fined RMB 1 million (approx. USD 148,000) on the basis of the decision making, supervision and management they exercised. This is the maximum fine that can be imposed on an individual under the PIPL. This broad-brush penalisation of Didi's top brass sends a strong message to other companies subject to the PRC Data Laws, and 'encourages' executives to pay closer attention to the data-related activities of their companies.
- CAC's sweeping powers. During the course of its investigation, the CAC "conducted investigation and inquiry, technical evidence collection, ordered Didi to submit relevant evidentiary materials, conduct in-depth verification and analysis of the evidentiary materials in this case". The CAC's investigation also lasted for more than a year, during which time 25 mobile apps operated by Didi were removed from PRC app stores. This shows the extent to which the CAC's exercise of its investigation and enforcement powers can hamstring a business, and serves as a reminder of the importance of compliance with the PRC Data Laws, especially where a business handles a large volume of personal data.
What's Next?
Expect this to be the tip of the iceberg, as the CAC has stated its intention to "lawfully increase the intensity of law enforcement in [cybersecurity and data protection]". In the meantime, businesses with operations in the PRC, or that deal with PRC-based parties subject to the PRC Data Laws, should conduct regular audits of their data policies and processes.
They should also keep an eye out for developments relating to the cross-border data transfer mechanisms that are set to be rolled out in the coming months (i.e. the Standard Contract, the Cross-border Data Transfer Certification, and the Security Assessment).
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source