Tencent Holdings Limited
Domicile: China
Website: www.tencent.com
Download company report: English | 简体中文
Key findings
- Tencent revealed more information about its handling of user information than in the past, but still failed to publish sufficient information about policies affecting privacy.
- Tencent disclosed almost nothing—and less than all of its peers—about its governance processes to ensure respect for users’ freedom of expression and privacy.
- Tencent disclosed nothing about how it responds to third-party requests to restrict user access to content and accounts, or to hand over user information.
- QZone (Social networking & blog)
- QQ (Messaging & VoIP)
- WeChat (Messaging & VoIP)
- Tencent Cloud (Cloud service)
Analysis
Tencent ranked tenth out of the 12 internet and mobile ecosystem companies evaluated in the 2019 Index, failing to disclose sufficient information about its policies and practices affecting users’ freedom of expression and privacy.1 Tencent did make key improvements to its privacy and security disclosures, particularly with regards to its disclosure of how it handles user information.2 This progress could be attributed, in part, to new regulations requiring companies to be more transparent about their purposes for processing data.3 However, it still failed to meet basic standards for respecting users’ freedom of expression and privacy rights. While the Chinese internet environment is restrictive and the law forbids disclosures related to government demands, there are no legal barriers to prevent Tencent from improving its policies related to handling and securing user information.4
Tencent Holdings Limited provides a broad range of internet and mobile value-added services, online advertising services, and e-commerce transaction services to users in China and internationally. It is one of the world’s largest internet companies.
Market cap: USD 474.4 billion5
SEHK: 700
- Improve disclosure of human rights due diligence: Tencent should disclose more information about its human rights due diligence, including whether it conducts human rights risk assessments on new and existing services and when entering new markets.
- Give users more control over their information: Tencent should provide users with more options to access and control their own information.
- Increase transparency about private requests: Tencent should improve its disclosure of how it responds to private requests to restrict content or accounts and for user information.
Governance
Tencent disclosed almost nothing about its governance and oversight over its impact on users’ human rights. While it committed to protect users’ privacy, it fell short of committing to protect privacy as a human right (G1). Tencent disclosed no evidence of conducting human rights impact assessments, including if it assesses risks associated with its use of automated decision-making and targeted advertising (G4). It also failed to disclose if it engages with a range of stakeholders on these issues (G5), and did not appear to offer any grievance and remedy mechanisms allowing users to submit grievances if they feel the company has violated their freedom of expression or privacy (G6). While the legal and political environment in China is not conducive to companies making strong human rights commitments, Tencent can still improve its grievance and remedy mechanisms (G6), even if there are no regulatory improvements.
No score changes
Freedom of Expression
Tencent disclosed little about policies affecting freedom of expression, receiving the second-lowest score of all internet and mobile ecosystem companies in this category, after Baidu. The company’s terms for its different services were not always easy to find or understand (F1), and did not indicate if and how it notifies users when it introduces changes to these terms (F2). Tencent disclosed limited information about its rules and how they are enforced (F3), and revealed nothing about actions it takes—such as removing content or deactivating accounts—to enforce its rules (F4). It also did not commit to notify affected users when the company restricts content or accounts (F8).
Tencent earned minimal points for disclosing limited information about how it responds to private requests to restrict access to content or accounts, but disclosed nothing about how it responds to such requests from governments (F5). It also did not publish any data about how many government or private requests for content or account restrictions it received or with which it complied (F6, F7).
No score changes
Privacy
Despite key improvements, Tencent still failed to publish sufficient information about policies affecting privacy. It disclosed a commitment to limit its collection of user information to what is directly relevant and necessary for QZone and QQ (P3) and that it will limit the use of user information to its original purpose, or otherwise obtain consent from users (P5). It improved its disclosure of options users have to control their own information by disclosing that QZone and QQ users can delete some types of user information (P7). However, the options users have to control and access their own information (P7, P8) remained insufficient. The company disclosed almost nothing about how long it retains user information, even though Chinese law does not prevent such disclosures (P6).
Tencent disclosed nothing about how it handles government and private requests for user information (P10-P12). While the Chinese legal and political environment makes it unrealistic to expect companies to disclose detailed information about government requests for user information, Tencent should be able to disclose if and when it shares user information via private requests and under what circumstances.
Tencent revealed less about its security policies than most other internet and mobile ecosystem companies. However, it improved its score by disclosing a policy of limiting employee access to user information (P13) for QZone and QQ, and a commitment to notify users in the event of a data breach (P15). While the company had one of the highest scores for disclosure on how it addresses security vulnerabilities (P14), it disclosed almost no information about encryption of user communications (P16), despite slightly improving its disclosure about the encryption of some user information on WeChat.
P3, P5. Handling of user information
Tencent disclosed a commitment to limit collection of user information to what is directly relevant and necessary for QZone and QQ, and committed to limit its use of user information or otherwise obtain consent from users across its services.
P4. Sharing of user information
Tencent disclosed less clear information on whether it shares WeChat users’ information with government authorities.
P6, P7. Handling of user information
Tencent disclosed that it deletes some types of user information after WeChat users terminate their accounts, and disclosed options for QZone and QQ users to delete some types of user information.
P9. Collection of user information from third parties
Tencent disclosed more about how and why it collects user information from third-party websites and apps through cookies, widgets, and other technical means.
P13, P15, P16. Security
Tencent disclosed that it limits employee access to user information for QZone and QQ, clarified how it responds to data breaches, and disclosed that some information is encrypted for secure transmission on WeChat.
Footnotes
[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.
[2] For Tencent’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/tencent
[3] “Personal Information Security Specification,” December 2017, www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE
[4] “Freedom on the Net” (Freedom House, November 2018), freedomhouse.org/report/freedom-net/2018/china
[5] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/700:HK