Key findings
- Baidu earned the lowest score of all internet and mobile ecosystem companies in the Index, disclosing almost nothing about policies affecting freedom of expression and privacy.
- Baidu disclosed less about its process for censoring content and restricting user accounts than any other internet and mobile ecosystem company evaluated.
- Baidu improved its disclosure of how it handles user information, including disclosure of the types of user information it may collect, but disclosed less about privacy-related policies than any of its peers.
Analysis
Baidu earned the lowest score of all internet and mobile ecosystem companies evaluated, disclosing almost no information about its policies and practices affecting users’ freedom of expression and privacy. The company improved its disclosure of its handling of user information, including its disclosure of options users have to control whether their information is used for targeted advertising. However, the company still fell short of meeting basic benchmarks for protecting users’ freedom of expression and privacy. While the Chinese internet environment is one of the most restrictive in the world, Baidu can still improve its transparency about basic policies affecting freedom of expression and privacy in key areas. The fact that Tencent outperformed Baidu on several such indicators shows that Baidu’s poor performance cannot be attributed to China’s restrictive legal and political environment alone.
Key recommendations
- Be more transparent about security policies. Baidu should improve its disclosure of what it does to keep user information secure, including by communicating its policies for responding to data breaches.
- Increase transparency about private requests. Baidu can improve its disclosure about its processes for responding to private requests to restrict content or accounts and for user information.
- Improve grievance and remedy mechanisms. Baidu should disclose clear mechanisms for users to submit complaints related to freedom of expression and privacy.
Baidu Inc. provides internet search, cloud storage, social networking, and other services in China and internationally.
Governance
Baidu scored lowest of all internet and mobile ecosystem companies in the Governance category. The company made a commitment to respect users’ privacy, although it fell short of committing to protect privacy as a human right (G1). The company disclosed no evidence of senior-level oversight on freedom of expression or privacy issues (G2), or of employee training or a whistleblower program related to these issues (G3). It failed to disclose whether it conducts human rights due diligence (G4), or whether it engages with stakeholders on freedom of expression or privacy issues (G5). China’s political and legal environment strongly discourages companies from making human rights commitments, but Baidu could still improve its disclosure of grievance and remedy mechanisms (G6).
G1. Policy Commitment
Baidu improved its score on this indicator by publishing a commitment to protect users' privacy, but fell short of articulating a broader commitment to human rights.
G6. Remedy
Baidu improved its disclosure of how PostBar users can submit complaints about account restrictions and content removals.
Freedom of expression
Baidu disclosed less about its policies affecting users’ freedom of expression than any other internet and mobile ecosystem company evaluated, including Tencent.
Content and account restrictions: Baidu disclosed less than all other internet and mobile ecosystem companies about the rules pertaining to different services and how they are enforced (F3, F4, F8). The company received some credit for its disclosure of what types of content or activities it prohibits on its services (F3), but disclosed no data about the volume and nature of content or accounts it restricts for violating these rules. Baidu did not commit to notify users when their content or accounts have been censored (F8).
Content and account restriction requests: Baidu was one of only two internet and mobile ecosystem companies to receive no credit on these indicators, along with Samsung (F5-F7). It did not disclose any information about its process for responding to government or private requests to restrict content or accounts (F5), nor did it publish data about the requests it received and with which it complied (F6, F7).
Identity policy: The company disclosed it requires users to verify their identities for all services (F11). Service providers offering internet access or information-related services in China are legally required to do so, as are messaging apps.
Privacy
Baidu received the lowest privacy score among all internet and mobile ecosystem companies, including Tencent, despite making some key improvements.
Handling of user information: Baidu disclosed less than almost all other internet and mobile ecosystem companies, other than the Russian internet company Mail.Ru, about how it handles user information (P3-P9). It provided relatively strong disclosure of the types of user information it may collect, on par with Oath, Tencent, and Twitter (P3), but gave significantly less information about what it shares (P4). Baidu improved its disclosure about whether it combines user information from various services and why it does so (P5) and about the user information it retains (P6). While the company improved its disclosure of options users have to control whether their information is used for targeted advertising (P7), that disclosure suggests that targeted advertising is on by default.
Requests for user information: Baidu disclosed almost nothing about how it handles government and private requests for user information, scoring just above Tencent (P10-P12). Although the Chinese legal and political environment makes it unrealistic to expect companies to disclose most information about government requests, Baidu should be able to reveal if and when it shares user information via private requests and under what circumstances. The company did not disclose whether it notifies users when it receives government or private requests for their information (P12).
Security: Baidu disclosed the least of all internet and mobile ecosystem companies about its security policies (P13-P18). Baidu disclosed nothing about its internal security oversight processes (P13) or the company’s policies for responding to data breaches (P15). The company disclosed a bug bounty program through which security researchers can report vulnerabilities, although it did not disclose a time frame in which it will review these reports (P14). Baidu disclosed no information about encryption of user communications (P16). Chinese companies are required by law to provide user information when requested by government authorities, effectively prohibiting them from offering end-to-end encryption or requiring that they provide decryption assistance.
P2. Changes to privacy policies
The company improved its disclosure of its policies for directly notifying users of changes to its privacy policy.
P5. Purpose for collecting and sharing user information
Baidu improved its disclosure of the purpose for collecting and sharing user information, clarifying that it combines user information across its various services and the reasons for doing so.
P6. Retention of user information
The company improved its disclosure of what de-identified user information the company retains.
P7. Users’ control over their own user information
The company improved its disclosure of options users have to control how their information is used for targeted advertising.