Relevant person in charge of the State Cyber Information Office answers reporters' questions on the decision to impose cyber security review related administrative penalties in accordance with the law

Author: Sichuan Observation
Time: 2022.07.21

On July 21, the National Internet Information Office announced its decision to impose cyber security review related administrative penalties on Didi Global Co., Ltd. (hereinafter referred to as "Didi Company") in accordance with the law. The relevant person in charge of the National Internet Information Office answered reporters' questions about the case.

1. Q: Please briefly introduce the background and the investigation of the case.

Answer: In July 2021, in order to prevent national data security risks, safeguard national security, and protect public interests, and in accordance with the National Security Law and the Cyber Security Law, the Cyber Security Review Office carried out a cyber security review in accordance with the "Cyber Security Review Measures".

Based on the issues and leads identified in the conclusions of the cyber security review, the National Internet Information Office opened an investigation into Didi Company's suspected illegal acts in accordance with the law. During this period, the National Internet Information Office conducted investigative inquiries and technical evidence collection, ordered Didi Company to submit relevant evidence materials, carried out in-depth verification and analysis of the evidence materials in the case, and fully heard Didi Company's opinions in order to protect Didi's legitimate rights. After investigation, the facts of Didi Company's violations of the "Cyber Security Law", "Data Security Law" and "Personal Information Protection Law" are clear, the evidence is conclusive, the circumstances are serious, and, given their nature, the acts should be strictly punished.

2. Q: What illegal acts did Didi commit?

Answer: The investigation found 16 illegal facts on Didi's part, which fall mainly into 8 aspects. First, illegally collecting 11.9639 million pieces of screenshot information from users' mobile phone albums; second, over-collecting 8.323 billion pieces of user clipboard information and application list information; third, over-collecting 107 million pieces of passenger face recognition information, 53.092 million pieces of age group information, 16.3356 million pieces of occupation information, 1.3829 million pieces of family relationship information, and 153 million pieces of "home" and "company" taxi address information; fourth, over-collecting 167 million pieces of precise location (latitude and longitude) information when passengers evaluated services, when the app was running in the background, and when the mobile phone was connected to the Orange View recorder device; fifth, over-collecting 142,900 pieces of driver education information and storing 57.8026 million pieces of information in clear text; sixth, 53.976 billion pieces of intent information, 1.538 billion pieces of resident city information, and 304 million pieces of tourism information in different places; seventh, the "telephone permissions" frequently obtained from passengers when they used the ride service; and 19 personal information processing purposes such as equipment information.

Earlier, the cyber security review also found that Didi carried out data processing activities that seriously affect national security, refused to comply with the explicit requirements of the regulatory authorities, and committed other violations such as outwardly complying while covertly disobeying and maliciously evading supervision. Didi's illegal operations have brought serious security risks to the security of national critical information infrastructure and to data security. Because national security is involved, these matters are not disclosed, in accordance with the law.

3. Q: How was the subject of the illegal acts in this case determined?

Answer: Didi was established in January 2013. Its domestic business lines mainly include online car rental, ride, two-wheeled vehicles, cars, etc., and its related products include 41 apps such as the Didi Chuxing app, the Didi car owner app, the Didi Shunfeng car app and the Didi Enterprise app.

Didi holds the highest decision-making power over major matters in all of its domestic business lines. The internal rules it formulates apply to all domestic business lines, and it is responsible for supervising and managing their implementation. The company participated in decision-making guidance, supervision and management through the personal information protection committee and the data security committee, and in business lines such as online car rental and ride, which implemented the company's unified decisions and deployment. On this basis, the subject of the illegal acts in this case was identified as Didi.

The chairman and CEO of Didi, and Liu Qing, the president, are responsible for the illegal acts.

4. Q: What is the main basis for the decision to impose cyber security review related administrative penalties?

Answer: The cyber security review related administrative penalties imposed on Didi Company differ from ordinary administrative penalties and are of a special kind. The circumstances of Didi's illegal acts are serious and, taken together with the cyber security review, should be punished strictly. First, as to the nature of the illegal acts, Didi did not fulfil its network security, data security and personal information protection obligations as required by the relevant laws and regulations and by the regulatory departments, which brought serious hidden risks to data security; despite the regulatory departments' involvement, it did not carry out comprehensive and in-depth rectification, and the nature of its conduct is extremely egregious. Second, as to the duration of the illegal acts, Didi's related illegal acts started in June 2015, have continued to this day, and have lasted 7 years. The "Data Security Law" implemented in the month and the "Personal Information Protection Law" implemented in November 2021. Third, as to the harm of the illegal acts, Didi Company collected personal information such as user clipboard information, screenshot information in the album, and family relationship information through illegal means, seriously infringing on user privacy and on users' personal information rights. Fourth, as to the volume of personal information illegally processed, Didi Company illegally processed 64.709 billion pieces of personal information, a huge amount, including many types of sensitive personal information such as face recognition information, precise location information, and ID numbers. Fifth, as to the circumstances of the illegal processing of personal information, Didi's illegal acts involved multiple apps and covered excessive collection of personal information, mandatory collection of sensitive personal information, frequent permission requests by apps, failure to fulfil notification obligations for personal information processing, failure to fulfil network security and data security protection obligations, and other situations. Considering the nature, duration, harm and circumstances of Didi Company's illegal acts, the main basis for the decision to impose cyber security review related administrative penalties on Didi is the "Cyber Security Law", the "Data Security Law", the "Personal Information Protection Law", and the relevant provisions of the Administrative Penalty Law.

5. Q: What are the key directions and fields of online law enforcement?

Answer: In recent years, the state has continuously strengthened the protection of network security, data security, and personal information, with laws and regulations such as the "Cyber Security Review Measures" and the "Evaluation Measures for Data Outbound". The cyberspace administration departments will, in accordance with the law, step up law enforcement in areas such as network security, data security and personal information protection. Through measures such as enforcement interviews, orders to rectify, warnings, circulated criticism, fines, orders to suspend relevant business, suspension of operations for rectification, website closure, removal from app stores, and handling of responsible persons, they will combat in accordance with the law illegal acts that endanger national cybersecurity and data security or infringe on citizens' personal information, effectively safeguard national network security, data security and public interests, and effectively protect the legitimate rights and interests of the people. At the same time, they will increase the exposure of typical cases to create strong momentum and a strong deterrent, so that investigating and dealing with one case serves as a warning, and will push Internet companies to operate in compliance with laws and regulations and promote the healthy and orderly development of enterprises.

Observation of Sichuan (Source: Net News China WeChat public account)
