[Expert point of view] Beckham said security: observations on the administrative penalty decision related to the "Didi" network security review

Author: Information security research
Time: 2022.07.23

On July 21, 2022, the National Internet Information Office published on its official website the "Decision to Make Cyber Security Review Related Administrative Penalty in accordance with the law" (hereinafter referred to as the "Decision"), and also published the answers given by the relevant person in charge of the National Internet Information Office to reporters' questions on that decision.

The "Decision" pointed out that, on the basis of the conclusions of the network security review and the clues found during it, the National Internet Information Office opened an investigation in accordance with the law into the suspected illegal acts of Didi Global Co., Ltd. The investigation found that Didi Global Co., Ltd. had violated the "Cyber Security Law", the "Data Security Law" and the "Personal Information Protection Law".

The "Decision" announced that, in accordance with the "Cyber Security Law", the "Data Security Law", the "Personal Information Protection Law", the "Administrative Penalty Law" and other laws and regulations, Didi Global Co., Ltd. was fined 8.026 billion yuan, and Cheng Wei, chairman and CEO of Didi Global Co., Ltd., and Liu Qing, its president, were fined RMB 1 million.

From the content of the "Decision" and the "Answers to the Reporter", the following observations can be drawn.

First, this is a "network security review related administrative penalty" made on the basis of "the conclusions and clues found in the network security review". Compared with traditional testing and evaluation, a network security review has a different focus: national security. But that does not mean other issues are ignored in a network security review. If those problems are not solved, how can national security be maintained? The administrative penalties made this time cover infringement of citizens' rights and interests in their personal information, and also involve the security of the country's key information infrastructure and data security. The "Decision" itself is not the conclusion of the review. According to the design of the network security review system, the conclusion can be disclosed.

Second, the fine of 8.026 billion is indeed huge, and it was obviously calculated as a proportion of turnover. Article 66 of the "Personal Information Protection Law" stipulates that where personal information is handled illegally, or is handled without fulfilling the personal information protection obligations prescribed by law, and the circumstances are serious, the department at or above the provincial level shall order corrections, confiscate illegal income, and impose a fine of more than 50 million yuan or less than 50% of the previous year's turnover. The law also stipulates a fine of more than 100,000 yuan and less than one million yuan for directly responsible persons and other responsible persons. It is not known how the national network information department determined the turnover of "Didi" or the proportion used for the fine. However, for the two "Didi" executives, the penalty was a fine of one million yuan.

Third, the "top punishment" should be understood as reflecting the security risks that the illegal operations of "Didi" posed to the security of the national key information infrastructure and to data security. Punishing by a proportion of turnover is indeed a method created by the Personal Information Protection Law, but it cannot be concluded that the administrative penalties in the "Decision" take into account only the infringement of citizens' personal rights and interests. The impact of data security issues is comprehensive, and it should be understood comprehensively. In the case of "Didi", the severity of the problem lies in its impact on the security of key information infrastructure and on data security, which should be the reason the punishment was at the "top".

Fourth, there is much public speculation about whether the "Didi" executives will face criminal punishment, but that is not part of the "Decision". Criminal penalties must be based on the Criminal Law, and they are not within the authority of the National Internet Information Office as an administrative department. Some people speculate that the harsh wording of the "Decision" indicates that criminal penalties will follow, but these are two different things.

Fifth, the "Decision" still reflects a combination of leniency and strictness. During the epidemic, global economic development was seriously affected, and people held different views on the methods and policies for supervising the platform economy. The "Decision" has an iconic significance: the resolve to safeguard national security and citizens' rights is unshaken, and at the same time the healthy development of the platform economy must be promoted. According to the law, in addition to fines, the available penalties include ordering the suspension of related businesses or the suspension of business for rectification, and notifying the relevant authorities to revoke the relevant business permits or business licenses. However, these penalties were not used in the "Decision".

Sixth, the 8 aspects of illegal facts about "Didi" disclosed in the "Answers to the Reporter" are not an isolated case, and "Didi" cannot be the only one. Although the punishment of "Didi" this time was severe and unprecedented, the 8 aspects of illegal facts described in the "Answers to the Reporter" are by no means unique to "Didi", and they are not necessarily the most serious. Although the facts in these 8 aspects are shocking, to some extent the same illegal facts exist in many Internet companies. In the long run, this cannot be the only such case. Our country's data security and personal information protection work still has a long way to go. It is necessary to further strengthen law enforcement, take up more typical cases, build strong momentum and a strong deterrent, and establish a long-term mechanism for maintaining data security.

(Reprinted from: Beckham said security)
