Shanghai releases 5 typical cases of failure to fulfill personal information protection obligations.

Case of data leakage of a certain new energy technology enterprise: The Internet Information Office found that the business of this enterprise is to provide battery exchange services for electric bicycles. For testing purposes, the enterprise imported the generated battery exchange logs and user data into a test database and allowed internet access without taking corresponding security measures, leading to suspected personal information data leakage. Upon investigation, it was found that the enterprise did not fulfill its obligations to protect personal information in accordance with the law, the relevant systems did not adopt technical measures and other necessary measures to ensure data security, user data was not encrypted, network security and data security management systems were not established, network security level protection assessments were not conducted, and network logs were not retained for at least six months, violating the Personal Information Protection Law, the Cybersecurity Law, and the Data Security Law, among other laws and regulations. The Internet Information Office ordered the enterprise to make corrections within a specified period in accordance with the law, and imposed warnings and fines as punishment.