Internet and mobile ecosystem companies

Baidu, Inc.

Domicile: China
Link: www.baidu.com
Download company report: English | 简体中文

11

Key findings

  • Despite having the second highest score-improvement of all companies in the 2019 RDR Index, Baidu had the second-lowest overall score among internet and mobile ecosystem companies.
  • Baidu disclosed little about how it safeguards users’ right to freedom of expression, but made significant strides in disclosures regarding its respect of users’ privacy rights.
  • Baidu disclosed nothing about its process for responding to third-party requests to restrict access to content or accounts, and published no data about these types of restrictions.
Services evaluated

Analysis

Baidu earned the second-lowest score of all internet and mobile ecosystem companies, outperforming only Mail.Ru.1 However, Baidu significantly improved its disclosure of how it handles user information, and earned the second-highest score improvement of all companies evaluated.2 Baidu improved the accessibility of its privacy policy, provided more detailed information on its data sharing policies—including the types of user information it shares and for what purposes—and improved its disclosure of options users have to obtain a copy of their own information. This progress could be attributed, in part, to new regulations requiring companies to be more transparent about their purposes for processing data.3 However, the company still failed to meet basic standards for respecting users’ freedom of expression and privacy. While the Chinese internet environment is restrictive, there are no legal barriers to prevent Baidu from further improving its policies for handling and securing user information.4

 


 

Baidu, Inc. provides internet search, cloud storage, social networking, and other services in China and internationally.

Market cap: USD 59.5 billion5
NasdaqGS: BIDU

  • Improve disclosure of human rights due diligence: Baidu should disclose more information about its human rights due diligence, including whether it conducts human rights risk assessments on new and existing services and when entering new markets.
  • Increase transparency about private requests: Baidu should publish data about private requests to restrict content or accounts and for user information.
  • Improve user control of personal data: Baidu should improve users’ options to control and access their own information, including how that information is used for targeted advertising.

Governance

Baidu received the third-lowest governance score among all internet and mobile ecosystem companies, outperforming only Russian company Mail.Ru and Tencent, the other Chinese company included in the RDR Index. The company made a commitment to respect users’ privacy and personal information, although it fell short of committing to respect privacy as a human right (G1). Baidu improved its disclosure by committing to provide employee training on privacy-related issues (G3). It did not disclose any information about conducting human rights impact assessments, including whether or not it assesses freedom of expression and privacy risks associated with its automated decision-making and its targeted advertising policies and practices (G4). It offered a complaints mechanism for PostBar users to submit freedom of expression and privacy related grievances, but not for its other services evaluated (G6). China’s political and legal environment strongly discourages companies from making human rights commitments, but Baidu could still improve its disclosure of its grievance and remedy mechanisms (G6).

G3. Internal implementation

Baidu improved its disclosure of employee training on privacy and data security issues.

Freedom of Expression

Baidu disclosed little about policies and practices affecting freedom of expression, revealing less than any other internet and mobile ecosystem company evaluated, including its Chinese peer, Tencent. While Baidu published terms for its services that were easy to find and relatively easy to understand (F1), it failed to disclose if and how it notifies users when it introduces changes to these terms (F2). It disclosed limited information about what types of content and activities are prohibited on its services (F3) and offered no data about the volume and nature of content or accounts it restricted for violating these rules (F4). It also did not commit to notify users when it restricts their access to content or accounts (F8).

Along with Samsung, Baidu was one of only two internet and mobile ecosystem companies that did not disclose any information about content and account restrictions in response to third party requests (F5-F7). It did not disclose any information about its process for responding to government or private requests to restrict content or accounts (F5), nor did it publish data about the requests it received and with which it complied (F6, F7).

No score changes

Privacy

Baidu disclosed less than most of the internet and mobile ecosystem companies in this category, despite improvements. It disclosed minimal information about how it handles user data (P3-P9), disclosing nothing about how long it retains user information (P6) or whether it tracks users across third-party websites and apps (P9). However, it improved its disclosure of its data sharing policies, including the types of user information it shares and with whom (P4) and for what purposes (P5), and of options users have to obtain a copy of their user information (P8).

Baidu disclosed little about how it handles government and private requests for user information (P10, P11), but disclosed more than Tencent. It improved disclosure of its policies of notifying users of third-party requests for user data (P12) by disclosing the circumstances under which it may not notify users, but failed to reveal any data about such requests (P11). Although the Chinese legal and political environment makes it unrealistic to expect companies to disclose detailed information about government requests, Baidu should be able to reveal if and when it shares user information via private requests and under what circumstances.

Baidu disclosed less information about its security policies (P13-P18) than all internet and mobile ecosystem companies aside from Samsung. It significantly improved its disclosure of how it responds to data breaches (P15) and improved its disclosure of limits on employees’ access to user data (P13), but still failed to disclose any other information about its measures to keep user data secure (P13). It disclosed a bug bounty program through which security researchers can report vulnerabilities, but not a time frame in which it will review these reports (P14). It also disclosed that it uses encryption technologies (P16), but did not specify what types of data are encrypted and how.

P4, P5, P8. Handling of user information

Baidu provided more detailed information about the types of user information it shares, with whom, and why. It also disclosed it may provide users with a copy of some of their user information.

P6, P7. Handling of user information

Baidu no longer specified what types of personal information it deletes or anonymizes after a user deletes their account, and made it less clear whether users can control the company's collection of their user information for the purposes of targeted advertising.

P12. User notification about third-party requests for user information

Baidu provided some information about situations in which it would not notify users of third-party requests for their data.

P13, P15, P16. Security

Baidu revealed more information about its security policies, including limits on employees’ access to user data, its process for responding to data breaches, and its use of encryption technologies.

Footnotes

[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[2] For Baidu’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/baidu 

[3] “Personal Information Security Specification,” December 2017, www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE

[4] “Freedom on the Net - China” (Freedom House, November 2018), freedomhouse.org/report/freedom-net/2018/china 

[5] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/BIDU:US