Governing Platform Data in the Generative AI Era: Personal Information Protection Lessons from China’s Didi Cybersecurity Review Case

Abstract

 Generative artificial intelligence has transformed personal information protection from a narrow compliance issue into a broader problem of platform data governance. Although much current debate focuses on model outputs, hallucination, content moderation, or deepfake misuse, this study argues that a deeper source of risk lies in the data infrastructures that precede AI deployment. Using China’s Didi cybersecurity review and administrative penalty as a qualitative single-case study, the paper examines how large-scale platform data accumulation, sensitive personal information processing, algorithmic inference, and weak internal governance may create systemic privacy and security risks in the generative AI era. The Didi case is not a direct generative AI case. Rather, it provides a pre-generative-AI lesson: trustworthy AI governance depends on lawful, secure, transparent, and auditable platform data governance. Drawing on doctrinal legal analysis and regulatory document analysis, the study develops a platform-data-infrastructure framework that links data aggregation, algorithmic inference, AI reuse, and governance response. It shows that Didi’s violations involved excessive and unlawful processing of large volumes of personal information, including facial recognition information, precise location information, identity card numbers, and inferred travel-related data. The case reveals three governance challenges: platform data aggregation risk, heightened vulnerability of sensitive personal information, and the expansion of privacy risk from direct collection to algorithmic inference. The paper argues that generative AI governance should not begin only at the model layer. It should integrate training data compliance, sensitive information protection, platform accountability, data security audits, and lifecycle-based risk assessment. The study contributes to AI governance scholarship by linking platform data regulation with generative AI privacy protection and by highlighting upstream data governance as a precondition for responsible AI development.