Didi's violations of laws and regulations announced: it illegally processed 64.709 billion pieces of personal information.

1. Q: Please briefly introduce the background of the case and the investigation process?

A: In July 2021, in order to prevent national data security risks and to safeguard national security and public interests, the Network Security Review Office conducted a network security review of Didi Company in accordance with the National Security Law and the Network Security Law.

According to the conclusions of the network security review and the clues found, the National Internet Information Office filed an investigation into the suspected illegal activities of Didi Company according to law. During the period, the National Internet Information Office conducted investigation and technical evidence collection, ordered Didi Company to submit relevant evidence materials, comprehensively checked and analyzed the evidence materials in this case, fully listened to the opinions of Didi Company, and safeguarded the legal rights of Didi Company. It has been verified that Didi's violation of Network Security Law, Data Security Law and Personal Information Protection Law is clear in facts, conclusive in evidence, serious in circumstances and bad in nature, and should be severely punished.

2. Q: What are the illegal acts of Didi Company?

A: It has been found that Didi Company has 16 illegal facts, which can be summarized into eight aspects. First, illegally collecting 11,963,900 screenshots from users' mobile phone albums; second, excessive collection of 8.323 billion pieces of user clipboard information and application list information; third, excessive collection of passenger face recognition information of 6,543,807,000, age information of 53,509,200, occupation information of 6,543,806,600, family relationship information of 6,543,808+0,382,900 and taxi address information of "home" and "company" of 6,543,800; fourth, collecting 654.38+67 million pieces of accurate position (latitude and longitude) information when passengers evaluate the driving service, when the App is running in the background, and when the mobile phone is connected to the orange device; fifth, over-collecting 654.38+042.9 thousand pieces of driver's academic information and storing 57.8026 million pieces of driver's ID number information in plain text; sixth, analyzing, without explicitly informing the passengers, 53.976 billion pieces of information about passengers' travel intentions, 65.438+53.8 billion pieces of information about permanent cities and 304 million pieces of information about business/travel in different places; seventh, frequently requesting irrelevant "telephone rights" from passengers using the ride service; eighth, 19 items of personal information, such as user equipment information, have inaccurate and unclear processing purposes.

Previously, the network security review also found that Didi had data processing activities that seriously affected national security, as well as other illegal acts such as refusing to fulfill the clear requirements of the regulatory authorities, complying in appearance only, and maliciously evading supervision. The illegal operation of Didi Company has brought serious security risks to the security of the national key information infrastructure and to data security. Because this involves national security, it is not made public, in accordance with law.

3. Q: How was the illegal subject identified in this case?

A: Didi Company was established in June 2013, and its domestic related business lines mainly include renting a car, hitchhiking, two-wheeled vehicles and making cars. Its related products include 41 Apps such as Didi Travel App, Didi Owner App, Didi Free Ride App and Didi Enterprise App.

Didi Company has the highest decision-making power on major issues of domestic business lines, and the internal system norms formulated by the company are applicable to all domestic business lines, and it is responsible for supervising and managing the implementation. Through the Didi Information and Data Security Committee, its Personal Information Protection Committee and Data Security Committee, the company participates in the decision-making, guidance, supervision and management of related behaviors of business lines such as carpooling and hitchhiking, and the illegal behaviors of each business line are specifically implemented under the unified decision-making and deployment of the company. Accordingly, the subject of illegal activities in this case was identified as Didi Company.

Cheng Wei, Chairman and CEO of Didi Company, and Liu Qing, President of Didi Company, are responsible for the illegal acts.

4. Q: What is the main basis for the administrative punishment decision against Didi Company related to the network security review?

A: The administrative punishment of Didi Company related to the network security review is different from general administrative punishment and has its particularity. Didi's violation of laws and regulations is serious, and it should be severely punished in combination with the network security review. First, judging from the nature of the illegal acts, Didi Company failed to fulfill its obligations of network security, data security and personal information protection in accordance with relevant laws, regulations and regulatory requirements, and ignored national network security and data security, which brought serious risks to national network security and data security; even when the regulatory authorities ordered it to make corrections, it still failed to carry out comprehensive and in-depth rectification, which was extremely bad in nature. Second, in terms of the duration of the illegal activities, the related illegal activities of Didi Company first started in June 2015 and have lasted for 7 years, continuously violating the Network Security Law implemented in June 2017, the Data Security Law implemented in September 2021 and1year. Third, judging from the harm of the illegal acts, Didi Company illegally collected users' personal information such as clipboard information, screenshot information in photo albums and family relationship information, which seriously infringes on users' privacy and personal information rights. Fourth, in terms of the amount of illegal personal information processing, Didi Company illegally processed 64.709 billion pieces of personal information, which is a huge amount, including sensitive personal information such as face recognition information, accurate location information and ID numbers. Fifth, from the perspective of illegal handling of personal information, Didi's illegal behavior involves multiple apps, including excessive collection of personal information, compulsory collection of sensitive personal information, frequent claims by apps, failure to fulfill personal information processing and notification obligations, and failure to fulfill network security and data security protection obligations.

Considering the nature, duration, harm and situation of Didi's illegal behavior, the decision on administrative punishment of Didi Company related to the network security review is mainly based on the Network Security Law, the Data Security Law, the Personal Information Protection Law and the Administrative Punishment Law.

5. Q: What is the key direction and field of network law enforcement in the next step?

A: In recent years, the state has continuously strengthened network security, data security and personal information protection, and has successively promulgated laws and regulations such as the Network Security Law, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Key Information Infrastructure, the Network Security Review Method and the Data Exit Security Assessment Method. The network information department will strengthen law enforcement in the fields of network security, data security and personal information protection according to law; take punishment measures such as law enforcement interview, ordering to make corrections, warning, informed criticism, fine, ordering to suspend related businesses, suspending business for rectification, closing websites, taking them off the shelves, and handling those responsible; severely crack down on illegal acts that endanger national network security and data security and infringe citizens' personal information; and earnestly safeguard national network security, data security and social public interests. At the same time, it will increase the exposure of typical cases, form a strong momentum and powerful shock, investigate and punish together, warn together, educate and guide Internet companies to operate in compliance with laws and regulations, and promote the healthy, standardized and orderly development of enterprises. (Zhongxin Finance)