Didi's "8 Billion Yuan Fine" Serves as a Wake-Up Call for Online Pharmaceutical Services!

Posting date: 2022-07-22

On July 21, the Cyberspace Administration of China (CAC) imposed a fine of 8.026 billion yuan on Didi Global Inc. in accordance with laws and regulations including the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and the Administrative Penalty Law.

 

This is another hot topic for online platforms, following the "sky-high fines" imposed on Alibaba and Meituan for monopolistic practices. Didi's illegal and non-compliant collection of users' personal information has also sparked widespread indignation and condemnation among netizens.

 

In recent years, the rapid development of internet information technology has brought many conveniences to people's lives. However, the ensuing issues of personal privacy leakage and information data security are drawing increasing regulatory and public attention.

 

At the same time, the internet medical and pharmaceutical e-commerce industries have grown rapidly since the outbreak of the COVID-19 pandemic. As a result, online pharmaceutical service platforms have accumulated vast amounts of patient information, test results, electronic prescriptions, and other data. Because this data is so valuable, it is an attractive target, and some consumers have already suffered privacy breaches, which raises the demands on both information security and regulatory oversight.

 

Industry observers believe that as "Internet + Healthcare" continues to deepen, laws and regulations are constantly improving, and regulatory authorities are taking tough actions. Internet medical and pharmaceutical service platforms must enhance their software and hardware technical capabilities and continuously improve standardized management systems. The outcome of the "8 billion yuan fine" against Didi serves as a wake-up call for these platforms.

 

Healthcare Big Data Draws "Attention": Privacy Risks Cannot Be Ignored

 

The Cyberspace Administration of China explained that this administrative penalty, which resulted from the cybersecurity review of Didi, differs from an ordinary administrative penalty. Given the severity of Didi's illegal and non-compliant activities, combined with the findings of the cybersecurity review, a strict and severe penalty was imposed.

 

It was reported that Didi had 16 violations, primarily in the following eight areas:

 

1. Illegally collecting 11.9639 million screenshots from users' phone albums.

 

2. Excessively collecting 8.323 billion items of user clipboard data and application list information.

 

3. Excessively collecting 107 million passenger facial recognition records, 53.5092 million age range data points, 16.3356 million occupation data points, 1.3829 million family relationship data points, and 153 million "home" and "company" ride-hailing address records.

 

4. Excessively collecting 167 million precise location (latitude and longitude) data points of passengers when rating chauffeur services, when the App was running in the background, and when the phone connected to Jishi recorder devices.

 

5. Excessively collecting 142,900 driver education records and storing 57.8026 million driver ID card numbers in plain text.

 

6. Analyzing 53.976 billion passenger travel intention data points and 1.538 billion frequent city data points, as well as 304 million cross-region business/tourism data points, without explicitly informing passengers.

 

7. Frequently requesting irrelevant "phone permissions" when passengers used the ride-sharing service.

 

8. Failing to accurately and clearly explain the purposes for processing 19 types of personal information, including user device information.

 

In short, the illegal and non-compliant collection of ID numbers, addresses, photo albums, facial recognition data, precise locations, and phone permissions, together with the flagrant disregard for privacy protection regulations and the infringement of consumers' privacy rights, were the main reasons for Didi's penalty.
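Violation 5 above (57.8 million driver ID card numbers stored in plain text) is the one finding on the list that a platform can check for mechanically. The Python below is an added example written for this article, not code from Didi, the CAC, or any pharmaceutical platform. It validates 18-digit resident ID numbers using the published check-digit scheme (GB 11643-1999, ISO 7064 MOD 11-2), scans constructed sample records for plaintext ID numbers wherever they appear, including inside free-text fields, and shows a keyed pseudonym stored in place of the raw number. The record layout, field names, key, and sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Check-digit scheme for 18-digit PRC resident identity numbers
# (GB 11643-1999, ISO 7064 MOD 11-2): weights for the first 17 digits and
# the check character selected by (weighted sum mod 11).
_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
_CHECK_CHARS = "10X98765432"
_ID_PATTERN = re.compile(r"\d{17}[\dXx]")


def is_valid_id_number(value: str) -> bool:
    """True if value is a structurally valid 18-digit resident ID number.

    The older 15-digit format is deliberately not handled here.
    """
    if len(value) != 18 or not _ID_PATTERN.fullmatch(value):
        return False
    total = sum(int(d) * w for d, w in zip(value[:17], _WEIGHTS))
    return _CHECK_CHARS[total % 11] == value[17].upper()


def find_plaintext_ids(records):
    """Scan every string field of every record (a list of dicts).

    Returns (record_index, field_name, id_number) for each plaintext ID,
    including IDs buried in free-text fields such as onboarding notes.
    """
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in _ID_PATTERN.finditer(value):
                if is_valid_id_number(m.group()):
                    hits.append((i, field, m.group()))
    return hits


def pseudonymize_id(id_number: str, key: bytes) -> str:
    """Keyed one-way replacement for an ID number (HMAC-SHA256, hex digest).

    Suitable when the number is only needed for matching or deduplication.
    If the original must be recoverable, use authenticated encryption with a
    managed key instead; that path is not shown here.
    """
    return hmac.new(key, id_number.upper().encode(), hashlib.sha256).hexdigest()


def protect_records(records, key: bytes, field: str = "id_number"):
    """Return a copy of records with the named field pseudonymized."""
    out = []
    for rec in records:
        rec = dict(rec)
        if isinstance(rec.get(field), str):
            rec[field] = pseudonymize_id(rec[field], key)
        out.append(rec)
    return out


# Constructed sample records (hypothetical drivers, not data from the case).
# The first ID number is a commonly used test value with a correct check
# digit; the second has a wrong check digit and should not be flagged.
SAMPLE_RECORDS = [
    {"driver_id": 1, "name": "Zhang San", "id_number": "11010519491231002X",
     "phone": "13800138000"},
    {"driver_id": 2, "name": "Li Si", "id_number": "110105194912310021"},
    {"driver_id": 3, "name": "Wang Wu", "id_number": None,
     "notes": "ID on file: 11010519491231002X, verified at onboarding"},
]

# Demo key only; in production the key comes from a KMS or HSM, never from source code.
DEMO_KEY = b"replace-with-a-managed-key"

if __name__ == "__main__":
    for idx, field, _ in find_plaintext_ids(SAMPLE_RECORDS):
        print("plaintext ID number in record %d, field %r" % (idx, field))
    protected = protect_records(SAMPLE_RECORDS, DEMO_KEY)
    print("remaining after pseudonymizing id_number:",
          [(i, f) for i, f, _ in find_plaintext_ids(protected)])
```

The second scan is the useful part: pseudonymizing the dedicated `id_number` column still leaves the copy in the free-text `notes` field, which is exactly the kind of plaintext storage an audit finds after a platform believes the problem is fixed.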

 

In fact, scenarios such as excessive collection of personal information and forced collection of sensitive personal information also pose significant information compliance risks in the pharmaceutical field, and are attracting increasing regulatory attention.

 

As early as 2018, media reports exposed several medical Apps for requesting privacy-sensitive permissions: obtaining the user's location, turning Wi-Fi on or off, accessing the camera to take photos or videos, and reading or writing system settings.

 

On April 25, 2018, the General Office of the State Council issued the "Opinions on Promoting the Development of 'Internet + Medical Health'," proposing to study and formulate regulations on the rights confirmation, opening, circulation, trading, and property rights protection of health and medical big data, strictly implement information security and health data confidentiality regulations, and establish a sound system for protecting personal privacy information.

 

Subsequently, in 2019, the Guangdong Provincial Public Security Department's official website exposed 44 Apps for security issues such as reading user call logs and collecting user address books beyond the scope of their stated functions. These included several healthcare-related applications, such as the internet medical service platform "SeeYou 160" for appointment registration and medical guidance, and the online medical book platform "Xiaotu Medicine."

 

Even more concerning, media reports revealed sellers on dark web forums peddling patient information under titles such as "Selling next-day real-time hospital registration data (available for various departments)" at 3 yuan per record. Verification showed that the phone numbers and registered names matched. According to the sale listings, the registrations had mainly been made through third-party agent appointment websites and platforms, leaving patient data fully "exposed."

 

In April 2020, the National Computer Virus Emergency Response Center monitored and identified over 20 Apps suspected of privacy non-compliance. The released information indicated that the non-compliant activities mainly included failing to explicitly declare all privacy permissions to users, failing to explain rules for collecting and using personal information, and failing to provide effective functions for correcting/deleting personal information or canceling user accounts.

 

Industry analysts pointed out that the reasonable use of medical big data can help medical professionals conduct better scientific research and enable ordinary people to receive better medical services. However, this must be predicated on protecting patient personal information, requiring data processing entities to strike a balance between data development and application and the protection of personal information and privacy. "After consulting about early pregnancy issues, advertisements for vitamins, folic acid, and even painless abortion were pushed to my phone! This phenomenon certainly warrants a warning in the pharmaceutical field!"

"The Fourth Terminal" Market Explosion: Constant Vigilance on Legality and Compliance

 

Can the risk of privacy leakage be completely avoided if one only purchases medicine without consulting a doctor?

 

The situation is likely not that simple. The risks of pharmaceutical e-commerce infringing on user rights or posing security risks also cannot be ignored.

 

In fact, compounded by the impact of the COVID-19 pandemic, the market growth rate of online drug sales channels has consistently outpaced that of physical pharmacy terminals, making online drug sales a veritable "fourth terminal."

 

Data shows that in 2021, the total sales value at the retail pharmacy terminal reached 477.4 billion yuan, a year-on-year increase of 10.3%. Specifically, drug sales in the physical pharmacy market reached 440.5 billion yuan in 2021, a year-on-year increase of 7.8%, while drug sales in the online pharmacy market reached 36.8 billion yuan, a year-on-year increase of 51.5%.

 

With the rapid development of pharmaceutical e-commerce, the personal identification information of consumers involved in the process of purchasing drugs online and the health information generated during medical activities undoubtedly constitute personal health data. Pharmaceutical e-commerce companies inevitably collect, store, use, and process this personal health data during their operations, and these activities must comply with corresponding information protection regulations.

 

Prior to this, some pharmaceutical e-commerce companies had faced regulatory notifications for excessively collecting personal information.

 

In 2020, the Ministry of Industry and Information Technology (MIIT) released a list of 101 software applications infringing on user rights. The Jianke Online Pharmacy App, operated by Guangzhou Ark Pharmaceutical Co., Ltd., was cited for excessively collecting personal information.

 

In 2021, the Guangdong Communications Administration reported on its special rectification work on Apps from November to December 2020. Among the Apps ordered to rectify user-rights infringements and security vulnerabilities, seven were healthcare-related. Notably, the "1 Drug Network" App (version V6.0.6), operated by Guangdong Yihao Pharmacy Chain Co., Ltd. ("Guangdong Yihao Pharmacy"), was cited for collecting personal information without consent and sharing it with third parties without consent.

 

Protecting patient privacy rights from infringement and safeguarding the security of medical data are essential requirements for strengthening the compliance construction of internet healthcare big data. Regulatory compliance oversight for third-party platforms will also continue to be stringent.

 

On November 9, 2021, the Jiangsu Provincial Consumer Protection Commission released a "Report on Issues Related to E-commerce Platforms Infringing on Consumer Rights." The report, which investigated terms and functions on seven e-commerce platforms including Taobao, JD.com, Suning.com, NetEase Yanxuan, and Vipshop, found issues such as forced collection of personal information, deceptive social features, and induced consumption.

 

Didi's 8 billion yuan fine for illegally collecting user privacy is a stark warning to the many internet medical and pharmaceutical e-commerce platforms. Strengthening industry self-discipline, rigorously cracking down on illegal and non-compliant activities, and regulating the handling of private information is work that is never "finished."