5 August 2021
I believe most readers have followed, more or less closely, the July incident in which Didi was placed under cyber security review by the relevant department and had to stop registering new users.
On July 4, 2021, the National Internet Information Office issued a notice regarding the removal of the "Didi Travel" app. The reason given was that the "Didi Travel" app had committed serious violations of laws and regulations in collecting personal information. The rough course of the matter is as follows.
Didi was listed on the New York Stock Exchange at 9 pm on June 30. At 7 pm on July 2, the Cyber Security Review Office under the National Internet Information Office announced that it had initiated a cyber security review of Didi. During the review, Didi stopped new user registration. In addition, in April, Didi was included among 34 Internet platforms required to carry out self-examination and self-correction, and in July, the State Administration of Market Supervision imposed 4 million yuan fines on 8 joint ventures and undeclared investments of Didi. Only one week after listing, Didi fell below its issue price and became the subject of class action lawsuits brought by a number of US law firms on the grounds that "disclosure of information seriously misled investors and suffered losses."
One of the core reasons the regulator took this series of actions after Didi went public in the United States was concern about data security.
According to media reports on Didi's data for the first quarter of this year, Didi China Travel has 156 million monthly active users, 377 million annual active users, and 13 million active drivers, and the average daily transaction volume of its China travel business is 25 million. In the same period, Didi had 493 million active users and 15 million active drivers worldwide. In addition, Didi obtained the "Navigation Electronic Map Production" Grade A surveying and mapping qualification in 2017. The "High-precision Map" it produces collects a large amount of accurate geographic information data, including vehicle positioning and the surrounding environment.
In addition, a 2015 article from the official account of the Didi Research Institute (located in California, USA) circulated on the Internet. Using two days of usage data for Didi Kuaidi's taxis, express buses, and special vehicles at the Ministry of Public Security, the Ministry of Supervision, the Ministry of Civil Affairs, the Ministry of Justice, the Ministry of Finance, the Ministry of Human Resources and Social Security, the Ministry of Land and Resources, the Ministry of Foreign Affairs, the Ministry of Environmental Protection, the Ministry of Housing and Urban-Rural Development, the Ministry of Transport, the Ministry of Water Resources, the Ministry of Agriculture, the Ministry of Commerce, the Ministry of Culture, the Health and Family Planning Commission, the People's Bank of China, the National Audit Office, and other ministries and commissions, the article analyzed the travel patterns of those ministries and commissions, such as working hours and driving routes, and related them to the hot issues of the time.
It can be seen that the data in Didi's hands is huge and important.
According to the "Foreign Company Accountability Act" promulgated by the United States in May 2020, Didi needs to provide accounting papers to the American Public Company Accounting Oversight Board (PCAOB). Although China has negotiated with the United States on the review of the accounting papers of China concept stocks, the negotiations have not yet produced a result. Didi's listing in the United States at this time means that Didi may end up providing non-desensitized data to the United States. If that possibility were realized, it would undoubtedly endanger China's national security and the data and privacy of Chinese citizens.
In the above incident, there are several core legal issues.
First, how should the concept of "data security" be understood at the legal level?
According to the definition in the "Data Security Law", which will be implemented on September 1 this year, "data" refers to any record of information in electronic or other form. This brings us to the difference between "information" and "data". Information is the knowledge and insight obtained from structured and unstructured data using certain methods, processes, algorithms, and systems. In other words, "information" is produced from "data" and is abstract, while "data" is the objective manifestation of "information" and is concrete.
Data can be desensitized: through certain professional cleaning steps, it can be stripped of the data subject and the data environment to a certain extent. However, according to the current mainstream consensus in academic and practical circles, such cleaning cannot completely separate the data from its subjects. This is why Didi's sharing of data could not only lead to a security crisis, by allowing foreign parties to interpret the data and gain insight into China's economy, but also infringe citizens' personal privacy through the personal information that can be read out of the data.
This simple analysis goes some way toward explaining why, although big data can bring huge economic benefits to the country, the issue of "data security" must be given so much emphasis.
Second, what is China's current legal framework for data security?
Regarding data security legislation, the "Data Security Law of the People's Republic of China" (hereinafter referred to as the "Data Security Law") was passed by the Standing Committee of the National People's Congress on June 10 this year and will be implemented on September 1 this year. The supporting "Data Security Management Regulations" were subsequently listed in the 2021 legislative plan issued by the General Office of the State Council, and it is expected that the rules on data collection, use, and management will be further improved.
According to the "Data Security Law", individuals and organizations that collect, store, use, process, transmit, provide, and disclose data within the territory of the People's Republic of China must do so in accordance with the "Data Security Law", perform the corresponding data security obligations, and are subject to the supervision of the relevant administrative departments.
In addition, Articles 1034 to 1039 of the Civil Code stipulate the principles and conditions for the processing of personal information. Natural persons have the right to consult and copy their personal information held by personal information processors, and to raise objections and request correction, deletion, etc. The "Network Security Law" also includes "the ability to protect the integrity, confidentiality, and availability of data" within the meaning of "network security."
Third, under the legal framework described above, Internet companies face greater data compliance risks than ordinary companies. How does this show up in practice?
In the current regulatory environment, it is not only Didi, which went public in the United States, whose data security issues have drawn the attention of the regulatory authorities. Other domestic Internet companies are also receiving close attention from regulators.
On the morning of July 26, the official website of the Ministry of Industry and Information Technology issued an announcement on "Starting a special rectification action for the Internet industry", which covers actions that threaten data security. This part of the action focuses on rectifying companies' failure to take necessary management and technical measures in data collection, transmission, storage, and external provision, including failure to encrypt sensitive information during data transmission, failure to obtain user consent before providing data to third parties, and similar scenarios.
Generally speaking, domestic Internet companies that carry out data processing activities in China need to perform their data security obligations under security supervision; when they carry out data processing activities abroad, they need to be careful not to harm China's national security, public interests, or the legitimate rights and interests of citizens and organizations.
Finally, for all companies that have data processing activities in China, what are the basic compliance obligations that need to be fulfilled?
When companies carry out data processing activities in China, the obligations that need to be fulfilled are divided into general obligations and special obligations of important data processors.
The general obligations required to carry out data processing activities are:
(1) Establish a sound data security management system;
(2) Organize and carry out data security education and training;
(3) Take corresponding technical measures and other necessary measures to ensure data security;
(4) Strengthen risk prediction, and immediately take remedial measures when data security deficiencies, loopholes, and other risks are discovered; when data security incidents occur, immediately take measures to notify users in a timely manner and report to the relevant competent authorities in accordance with regulations.
The special obligations of important data processors are:
(1) Identify the person in charge of data security and the management organization, and implement the responsibility for data security protection;
(2) Conduct regular risk assessments of their data processing activities in accordance with regulations, and submit risk assessment reports to the relevant competent authorities (risk assessment reports should include the types and quantities of important data processed, the status of data processing activities, the data security risks faced, the countermeasures taken, etc.).
In addition, all companies are reminded to pay attention to compliance when handling personal information.
At present, a considerable number of companies have been subject to administrative penalties due to non-compliance in handling consumer personal information. Since the Criminal Law Amendment (9) added the crimes and penalties for selling, illegally providing, stealing or illegally obtaining citizens’ personal information, there have been a large number of companies or individuals that have been criminally prosecuted for the aforementioned acts.
For domestic enterprises, handling employee information, customer information, personal information generated or obtained in the course of production, sales, and services, and other important data is almost unavoidable. Establishing an effective compliance mechanism for personal information processing and data processing can therefore prevent infringement disputes, administrative penalties, and criminal liability at the source. At the same time, as the public places increasing value on personal information protection and data protection, a company's efforts to protect user information can enhance its corporate image and public trust, thereby increasing brand value.
For further information, please contact:
Peng Qiao, R&P China Lawyers
info@rplawyers.com
References:
[1] Ministry of Industry and Information Technology of the People's Republic of China: "The Ministry of Industry and Information Technology Launches a Special Rectification Action for the Internet Industry", July 26, 2021, https://www.miit.gov.cn/jgsj/xgj/gzdt/art/2021/art_b86f1d15c9824f3297090330353ce2f3.html .
[2] General Office of the State Council: "Notice of the General Office of the State Council on Printing and Distributing the State Council's 2021 Legislative Work Plan", State Development Office [2021] No. 21, http://www.gov.cn/zhengce/content/2021-06/11/content_5617194.htm .
[3] National Internet Information Office: "Notice on Delisting "Didi Travel" App", July 4, 2021, http://www.cac.gov.cn/2021-07/04/c_1627016782176163.htm .
[4] Caixin Weekly: "Cover Report | Didi Earthquake", July 12, 2021, https://weekly.caixin.com/2021-07-09/101737957.html .