DiDi fine showcases the stringent implementation of cybersecurity law
Kong Qingjiang
A logo of Chinese ride-hailing giant DiDi at its headquarters in Beijing, July 2, 2021. /CFP

A logo of Chinese ride-hailing giant DiDi at its headquarters in Beijing, July 2, 2021. /CFP

Editor's note: Kong Qingjiang is Dean of the School of International Law at China University of Political Science and Law. The article reflects the author's opinions and not necessarily the views of CGTN.

The Cyberspace Administration of China (CAC), the country's cybersecurity authority fined ride-hailing giant DiDi Global 8.026 billion yuan (about $1.2 billion) on July 21, 2022 for violation of China's network security law, data security law and personal information protection law. The fine sets a record high of the national security-related fines imposed by the Chinese authorities. The fine is just next to the one of 18.22 billion yuan that imposed on Alibaba by China's State Administration of Market Regulation (SAMR) one year ago for violation of the Anti-monopoly Law.

In recent decades, China has emerged as a country with a large number of internet applications. Many online platforms like Alibaba and DiDi cover almost all aspects of daily life. These platforms either accumulate massive amounts of citizens' personal data, or even have monopolistic access to user information in one or another area. Once such data or information is leaked, the sanctity of personal information will be at a risk; and if such data or information is manipulated by foreign powers, national security will be endangered.

While digital economy is becoming a new driver of China's high-quality development, national security has emerged as a central issue in the political and economic landscape of China. A remarkable reform is thus being undertaken to have in place a system for cyberspace and data security. 

From the Cybersecurity Law of 2017, to the Data Security Law and the Personal Information Protection Law of 2021, China has formed a legal system that governs network security, data security and personal information protection. 

While the Cybersecurity Law involves the overall governance of cyberspace security, focusing on systems such as critical information infrastructure protection, cybersecurity review, and cross-border data flow, the Data Security Law regulates the data protection, development and utilization, and the Personal Information Protection Law determines the basic principles and institutional rules for the protection of personal information.

The Cybersecurity Law, Data Security Law and Personal Information Protection Law, which constitute the three pillars of information security in the country, has shaped the reform agenda in the field of cyberspace, such as tightened curbing of cross-border flow of data, misuse and abuse of personal information via the cyberspace, as well as regulations on online platforms.

The colossal penalty showcases, again, how serious the authority is about cybersecurity and data security. The DiDi case was first announced last year, just days after DiDi's initial public offering (IPO) on the New York Stock Exchange (NYSE). DiDi had come under fire after it reportedly pushed ahead with its initial public offering despite outstanding regulatory concerns about the impact of cross-border data outflow on national security.

Alibaba Group was fined for the violation of the Anti-monopoly Law in 2021. /CFP

Alibaba Group was fined for the violation of the Anti-monopoly Law in 2021. /CFP

In an apparent effort to appease the regulatory anger, DiDi announced less than six months later that it would delist from the NYSE and made plans to list in Hong Kong Special Administrative Region, which is subject to the National Security Law.

The DiDi case was not the single isolated event. One year ago, Alibaba Cloud, the cloud computing subsidiary of Alibaba, was reportedly suspended for six months from a national network security information-sharing platform by the Ministry of Industry and Information Technology (MIIT), China's internet technology regulator, for failing to report a software security glitch.

Alibaba Cloud first detected and reported the serious Apache Log4j 2 security glitch to the U.S.-based Apache Software Foundation, but failed to report the security risk to the Chinese regulator within the two-day reporting timespan as required, failing to effectively support the MIIT to detect network security threats and vulnerabilities.

The incident was a blow to the company's credibility and reputation, particularly in conjunction with the unprecedented SAMR anti-monopoly fine.

In concluding, the DiDi case, as well as others, have constantly sent warnings to other domestic and international technology companies in China: while they must put network security first above business, they should not underestimate the Chinese authorities' commitment to safeguard cybersecurity. 

If they ignore their obligations of cyber security, data security, and personal information protection in accordance with relevant laws and regulations and the requirements of regulatory authorities, the regulatory storm will come in its own way. For the purpose of safeguarding national security and promoting the healthy development of the digital economy, "too big to fail" has no place in front of cyber security and data security.

(If you want to contribute and have specific expertise, please contact us at Follow @thouse_opinions on Twitter to discover the latest commentaries on CGTN Opinion Section.)

Search Trends