The State Cyberspace Office imposed administrative penalties related to network security review on Didi in accordance with the law

2022-07-21

According to the conclusion of the network security review and the problems and clues found, the State Internet Information Office filed a case for investigation on the suspected illegal acts of Didi Global Co., Ltd. It is verified that Didi Global Co., Ltd. has violated the Network Security Law, the Data Security Law and the Personal Information Protection Law with clear facts, conclusive evidence, serious circumstances and bad nature. On July 21, the State Internet Information Office imposed a fine of 8.026 billion yuan on Didi Global Co., Ltd. and a fine of 1 million yuan on Cheng Wei, chairman and CEO of Didi Global Co., Ltd. and Liu Qing, President of Didi Global Co., Ltd. in accordance with the Network Security Law, Data Security Law, Personal Information Protection Law, Administrative Punishment Law and other laws and regulations.

The relevant person in charge of the State Internet Information Office answered reporters' questions on the decision to impose administrative penalties related to network security review on Didi Global Co., Ltd. in accordance with the law

On July 21, the State Internet Information Office announced the decision to impose administrative penalties related to network security review on Didi Global Co., Ltd. (hereinafter referred to as "Didi company") in accordance with the law. The relevant person in charge of the State Internet Information Office answered reporters' questions about the case.

1. Q: Please briefly introduce the background and investigation process of the case.

A: In July 2021, in order to prevent national data security risks, safeguard national security and protect public interests, according to the National Security Law and the Network Security Law, the Network Security Review Office implemented network security review on Didi company in accordance with the Network Security Review Measures.
According to the conclusion of the network security review and the problems and clues found, the State Internet Information Office filed a case for investigation of the suspected illegal acts of Didi company according to law. During this period, the State Internet Information Office conducted investigations and technical evidence collection, ordered Didi company to submit relevant evidence materials, conducted in-depth verification and analysis of the evidence materials of this case, fully listened to the opinions of Didi company, and guaranteed the legal rights of Didi company. It is verified that Didi's violations of the Network Security Law, the Data Security Law and the Personal Information Protection Law have clear facts, conclusive evidence, serious circumstances and bad nature, and should be severely punished.

2. Q: What are the illegal behaviors of Didi company?

A: After investigation, there are 16 illegal facts in Didi company, which can be summarized into 8 aspects.

First, illegal collection of 11.9639 million screenshots in users' mobile photo albums.

Second, over-collection of 8.323 billion pieces of user clipboard information and application list information.

Third, 107 million pieces of passenger face recognition information, 53.5092 million pieces of age information, 16.3356 million pieces of career information, 1.3829 million pieces of family relationship information, and 153 million pieces of taxi address information of "home" and "company" were excessively collected.

Fourth, 167 million pieces of accurate location (longitude and latitude) information were collected when passengers evaluated valet service, when the app was running in the background, and when the mobile phone was connected to orange recorder equipment.

Fifth, 142,900 pieces of driver's academic information were excessively collected, and 57.8026 million pieces of driver's ID number information were stored in clear text.

Sixth, 53.976 billion pieces of passenger travel intention information, 1.538 billion pieces of resident city information, and 304 million pieces of non-local business / non-local tourism information were analyzed without clearly informing passengers.

Seventh, passengers frequently ask for irrelevant "phone permission" when using the free ride service.

Eighth, 19 personal information processing purposes such as user equipment information were not accurately and clearly explained.

Previously, the network security review also found that Didi company had data processing activities that seriously affected national security, as well as other violations of laws and regulations such as refusing to comply with the explicit requirements of the regulatory authorities, openly obeying but secretly violating, and maliciously evading supervision. Didi's illegal operations have brought serious security risks to the security of national key information infrastructure and data security. Because it involves national security, it is not made public according to law.

3. Q: How to identify the illegal subject of this case?

A: Didi company was founded in January 2013. The relevant domestic business lines mainly include online car hailing, free ride, two wheeler, car making, etc. The relevant products include 41 apps, including the Didi travel app, Didi owner app, Didi free ride app, Didi enterprise app, etc. Didi company has the highest decision-making power on major issues of domestic business lines, and the internal system and norms formulated by the company are applicable to all domestic business lines, and it is responsible for the supervision and management of the implementation. Through the Didi Information and Data Security Committee and its subordinate Personal Information Protection Committee and Data Security Committee, the company participated in the decision-making guidance, supervision and management of online car hailing, hitchhiking and other business line related behaviors.
The illegal behaviors of each business line were specifically implemented under the unified decision-making and deployment of the company. Accordingly, the subject of the illegal act in this case is identified as Didi company. Cheng Wei, chairman and CEO of Didi company, and Liu Qing, President, are responsible for violations.

4. Q: What is the main basis for the decision to impose administrative penalties related to network security review on Didi company?

A: The administrative punishment related to the network security review of Didi company is different from the general administrative punishment and has particularity. Didi company's violations of laws and regulations are serious, and should be severely punished in combination with the network security review.

First, in terms of the nature of the illegal act, Didi company failed to perform its obligations of network security, data security and personal information protection in accordance with relevant laws and regulations and the requirements of the regulatory authorities, ignoring the national network security and data security, bringing serious risks to the national network security and data security, and has not carried out comprehensive and in-depth rectification under the order of the regulatory authorities, which is extremely bad in nature.

Second, from the perspective of the duration of the illegal acts, the relevant illegal acts of Didi company began in June 2015 and have lasted for up to seven years. They have continued to violate the Network Security Law implemented in June 2017, the Data Security Law implemented in September 2021 and the Personal Information Protection Law implemented in November 2021.
Third, from the perspective of the harm of illegal acts, Didi company collects personal information such as user clipboard information, screenshots in photo albums and family relationship information through illegal means, which seriously infringes on users' privacy and their personal information rights and interests.

Fourth, in terms of the number of illegal processing of personal information, Didi company illegally processed 64.709 billion pieces of personal information, a huge number, including face recognition information, accurate location information, ID number and other sensitive personal information.

Fifth, from the perspective of illegal processing of personal information, Didi's illegal activities involve multiple apps, including excessive collection of personal information, compulsory collection of sensitive personal information, frequent claims on apps, failure to fulfill the obligation of informing about personal information processing, failure to fulfill the obligation of network security and data security protection, and other situations.

Considering the nature, duration, harm and situation of Didi's illegal acts, the main basis for the decision of administrative punishment related to the network security review of Didi company is the relevant provisions of the Network Security Law, the Data Security Law, the Personal Information Protection Law, the Administrative Punishment Law and so on.

5. Q: What are the key directions and areas of network law enforcement in the next step?

A: In recent years, the state has continuously strengthened the protection of network security, data security and personal information, and has promulgated laws and regulations such as the Network Security Law, the Data Security Law, the Personal Information Protection Law, the key information infrastructure security protection regulations, the network security review method, and the data exit security assessment method.
The Internet Information Department will strengthen law enforcement in the fields of network security, data security, personal information protection, etc. by law enforcement interviews, ordering corrections, warnings, circulars of criticism, fines, ordering suspension of relevant businesses, suspension of business for rectification, closure of websites, removal from the shelves, handling of responsible persons and other punishment measures, crack down on illegal acts endangering national network security, data security, infringement of citizens' personal information, etc. in accordance with the law, and effectively safeguard national network security, data security and social public interests, and effectively protect the legitimate rights and interests of the broad masses of the people. At the same time, we should strengthen the exposure of typical cases, form a strong momentum and powerful deterrence, investigate and deal with a case and give a warning, educate and guide Internet enterprises to operate in accordance with the law, and promote the healthy, standardized and orderly development of enterprises. (Xinhua News Agency)

Edit: Li Jialang    Responsible editor: Mu Mu

Source: cac.gov.cn
