Tencent Holdings Limited
Key findings
- Tencent disclosed little about policies affecting users’ freedom of expression and privacy, but was more transparent than Baidu, the other Chinese internet company evaluated.
- Tencent received one of the lowest privacy scores in the Index, although it improved its disclosure of how it handles user information for WeChat.
- The company tied with Facebook and Yandex for the highest score for its disclosure of how it addresses security vulnerabilities, but lacked transparency about other internal measures it takes to keep user information secure.
Analysis
Tencent ranked 10th out of the 12 internet and mobile ecosystem companies evaluated, disclosing little about its policies and practices affecting freedom of expression and privacy. The Chinese internet environment is one of the most restrictive in the world, which accounts for Tencent’s poor performance in some areas. Its score nonetheless increased slightly in the 2018 Index for improved disclosure of its terms of service enforcement for WeChat and for clarifying how that service handles user information. However, there are still areas in which Tencent could improve its disclosure without regulatory change, particularly regarding how it handles and secures user information. Tencent offered different versions of its terms of service and privacy policies for mainland Chinese users than for users outside of China. Versions in English and traditional Chinese characters (applied to non-Chinese users outside of the People’s Republic of China) contained different substantive content and commitments in some areas, generally with more detail and better disclosure. In addition, China’s surveillance-friendly legal environment does not fully excuse Tencent’s lack of basic information about its security practices.
- Increase transparency about private requests. Tencent should improve its disclosure of its processes for responding to private requests to restrict content or accounts and for user information.
- Disclose more information about data retention. For each type of user information it collects, Tencent should disclose how long it retains that information.
- Improve grievance and remedy mechanisms. Tencent should disclose clear mechanisms for users to submit complaints related to freedom of expression and privacy across all services.
Tencent Holdings Limited provides a broad range of internet and mobile value-added services, online advertising services, and ecommerce transactions services to users in China and internationally. It is one of the world’s largest internet companies.
Governance
Tencent ranked ninth out of 12 internet and mobile ecosystem companies in the Governance category, ahead of Baidu. The company stated that it values users’ privacy, although this was not within the context of privacy as a human right, and the company did not disclose a commitment to respect users’ freedom of expression (G1). To the contrary, its terms of service for mainland Chinese users stated that users’ accounts may be terminated for using Tencent’s services for political activity. The company provided some information about a general complaints mechanism for users that applied to all services, with WeChat providing somewhat more detail than QZone and QQ. While Tencent scored below average on this indicator (G6), it nonetheless scored above Facebook.
Freedom of expression
Tencent ranked 11th out of the 12 internet and mobile ecosystem companies in the Freedom of Expression category, just ahead of Baidu.
Content and account restrictions: Tencent disclosed less than most other internet and mobile ecosystem companies about policies for moderating content and accounts on its platforms (F3, F4, F8), but more than Apple and Baidu. The company disclosed some information about the types of content or activities it prohibits, and slightly improved its disclosure for WeChat by including more detailed examples to help users understand its rules (F3). Tencent failed to disclose the volume and nature of content or accounts it restricted when enforcing its rules (F4). It also did not commit to notify affected users when the company censors content or accounts (F8).
Content and account restriction requests: Tencent disclosed almost no information about how it handles government and private requests to censor content or user accounts, although it still scored slightly better on these indicators than Baidu and Samsung (F5-F7). It did not publish any data about government or private requests for content or account restrictions it received or with which it complied (F6, F7).
Identity policy: The company disclosed that it may, depending on applicable laws, require users to verify their identity with a government-issued ID for all services (F11). Network service providers offering internet access or information-related services in China are legally required to do so, as are messaging apps.
F3. Process for terms of service enforcement
Tencent improved its disclosure of what the rules are and how they are enforced for WeChat.
Privacy
Tencent received the fourth-lowest privacy score of the 12 internet and mobile ecosystem companies evaluated, ahead of Samsung, Mail.Ru, and Baidu.
Handling of user information: Tencent disclosed less than most of its peers about its policies for handling user information (P3-P9). Tencent disclosed limited information on options users have to control what the company collects about them, including for the purposes of targeted advertising (P7). The company disclosed nothing about how long it retains user information (P6). China’s Cybersecurity Law requires companies to retain network logs for at least six months but does not forbid disclosure of that fact.
Requests for user information: Tencent disclosed no information about how it handles government and private requests for user information, scoring slightly lower than Baidu on these indicators (P10-P12). While the Chinese legal and political environment makes it unrealistic to expect companies to disclose most information about government requests for user information, Tencent should be able to divulge if and when it shares user information via private requests and under what circumstances.
Security: Tencent disclosed little about its security policies, scoring better than only Baidu and Samsung on these indicators (P13-P18). However, the company tied with Facebook and Yandex for the highest score for its disclosure on how it addresses security vulnerabilities (P14). Like most other internet and mobile ecosystem companies, Tencent did not disclose any information about how it handles data breaches (P15). It disclosed almost no information about encryption of user communications (P16). Chinese companies are required by law to provide user information when requested by government authorities, effectively prohibiting them from offering end-to-end encryption or requiring that they provide decryption assistance.
P1. Access to privacy policies
Tencent made the WeChat privacy policy easier to find.
P2. Changes to privacy policies
The company clarified its policies for directly notifying WeChat users of changes to the privacy policy.
P5. Purpose for collecting and sharing user information
Tencent improved its disclosure of the purpose for collecting information from WeChat users.
P7. Users’ control over their own user information
Tencent improved its disclosure of options WeChat users have to control what information the company collects, and of how they can delete some of their information.
P13. Security oversight
Tencent improved its disclosure of its internal security oversight processes by stating that the company limits employee access to user information.