DOES PRIVACY PROTECTION
HAVE BORDERS?

China’s Data Localization Rule and
the Risks for U.S. Tech Companies

September 2018

INTRODUCTION

Data is the lifeblood of the digital economy and now the most valuable asset for many technology companies globally. But the potential value of data — including its financial value — is impacted by consumers’ trust in companies to safely manage their data. And that trust is a perishable commodity, easily endangered and lost.

Across the globe, human rights leaders, business leaders and elected officials are encouraging the implementation of data protection laws. The United Nations1 and other influential international entities like the Global Network Initiative2 have expressly recognized privacy as an important human right. A growing list of data protection laws worldwide reflects a trend toward respecting privacy, as well as recognition that solid data protection benefits economic and social progress.

However, some authoritarian regimes and governments instead prioritize government surveillance and information control over data protections. China is among them.3 This has caused serious problems reflected in the practices of many U.S.-headquartered technology companies doing business in China’s booming market.

In China, for example, users of Apple’s iCloud services find the following unique statement buried in their Terms and Conditions agreement:

  1. Universal Declaration of Human Rights, G.A. Res. 217(III)A, U.N. Doc. A/RES/217(III) (Dec. 10, 1948).

  2. The GNI Principles, Global Network Initiative, https://globalnetworkinitiative.org/gni-principles/ (last visited July 18, 2018).

  3. Unless otherwise expressly specified, “China” hereinafter refers to mainland China, excluding Hong Kong, Macau and Taiwan.

You understand and agree that Apple and GCBD will have access to all data that you store on this service, including the right to share, exchange and disclose all user data, including Content, to and between each other under applicable law.4

  4. iCloud operated by GCBD Terms and Conditions, Apple, https://www.apple.com/legal/internet-services/icloud/en/gcbd-terms.html (last visited June 5, 2018).

What Apple does not disclose to its users is that “GCBD” — Aipo Cloud (Guizhou) Technology Co., Ltd. — is a subsidiary of a Chinese government-owned enterprise5 with access to the encryption keys that can unlock any iCloud account for a China-based iCloud user. (Previously, data and encryption keys were stored in the U.S.)6 That is, Chinese iCloud users’ data will be easily accessible by Chinese authorities.

Apple is not alone among major tech companies in such close partnerships with local Chinese companies. Amazon, IBM, Microsoft, LinkedIn, Airbnb and others have taken or announced similar steps to store the data of Chinese users with Chinese service providers.

A common explanation from the major tech companies is that they are merely complying with China’s Cybersecurity Law, which took effect in June 2017. Building on the country’s long track record of government control and widely criticized for its broadness and vagueness, this law imposes a strict data-localization requirement, among many other provisions which effectively legitimize the government’s numerous levels of control over Chinese consumers’ virtual world — with dangerous implications for their lived realities.

The reality is that by agreeing to store user data in China, U.S. tech companies have vastly weakened abilities to protect user data and are de facto facilitating the Chinese government’s easy access to that data. This represents a corporate trade-off: access to China, one of the world’s largest and most lucrative markets, in return for deviating from privacy and corporate responsibility principles publicly espoused elsewhere in the world, especially in the U.S.

This report focuses on China’s Cybersecurity Law but raises questions regarding data privacy beyond China. It aims to highlight the tensions — and critical risks — that companies confront as they weigh the dueling challenges of protecting user privacy while adhering to the laws of the countries where they do business.

  5. Introduction to Guizhou-Cloud Big Data Industry Co., Ltd., Guizhou-Cloud Big Data, https://english.gzdata.com.cn/c101/index.html (last visited July 18, 2018).

  6. Stephen Nellis & Cate Cadell, Apple moves to store iCloud keys in China, raising human rights fears, Reuters, Feb. 24, 2018, https://www.reuters.com/article/us-china-apple-icloud-insight/apple-moves-to-store-icloud-keys-in-china-raising-human-rights-fears-idUSKCN1G8060

The Changing Digital Landscape

A common vision for many is of an Internet in which digital information is stored on computer servers in various locations around the globe, with data flowing freely and securely across international borders. However, in recent years, there is an emerging trend of countries enacting so-called data localization laws that require data to be hosted on local servers while also restricting the transfer of data outside national borders. Some 34 countries — including Russia, China, Brazil, India, Indonesia and South Korea — have already proposed or enacted data localization laws, according to a May 2017 report by the Information Technology & Innovation Foundation.7

Advocates argue that data localization measures are beneficial for multiple reasons, including improved data privacy and security for a country’s citizens; better access to data by local law enforcement and government; and greater investment in local high-tech businesses and jobs.8 However, research suggests that data localization may not lead to these outcomes and will instead cause more harm than good, especially when implemented under authoritarian regimes like China.9

China’s Data Localization Requirement is Unique in Scope and Vagueness

China’s Cybersecurity Law took effect on June 1, 2017. The new law officially supports the Chinese government’s “cyberspace sovereignty,”10 or its ability to control China’s cyberspace, as if the virtual realm had physical boundaries. Sweepingly, the Cybersecurity Law applies to all “construction, operation, maintenance, and usage of networks” on its territory and goes far beyond the traditional scope of cybersecurity to cover an enormous range of issues, including cross-border data transfer, personal information collection and sharing, online content monitoring and real-name registration. Meanwhile, as is often the case in Chinese laws, this law leaves many key terms insufficiently defined or lacking specificity. For example, it imposes rigorous requirements on operators of “Critical Information Infrastructure” (“CII”), a term not yet clearly defined.11

  7. Nigel Cory, Cross-Border Data Flows, Where Are the Barriers, and What Do They Cost?, ITIF (May 1, 2017), https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost

  8. Bret Cohen, Britanie Hall & Charlie Wood, Data Localization Laws And Their Impact on Privacy, Data Security And the Global Economy, Antitrust, Fall 2017, https://www.americanbar.org/content/dam/aba/publications/antitrust_magazine/anti_fall2017_cohen.authcheckdam.pdf

  9. Erica Fraser, Data Localisation and the Balkanisation of the Internet, 13:3 SCRIPTed 359, available at https://script-ed.org/article/data-localisation-and-the-balkanisation-of-the-internet/

  10. Article 1 of China’s Cybersecurity Law: “This law is formulated in order to ensure cybersecurity, safeguard cyberspace sovereignty and national security, and social and public interests, to protect the lawful rights and interests of citizens, legal persons, and other organizations, and to promote the healthy development of the informatization of the economy and society.”

  11. Article 31 of China’s Cybersecurity Law: “(i) public communication and information services, energy, transportation, water resources, finance, public service, electronic governance; and (ii) other CII that, if being destroyed, losing function or leaking data, might lead to a serious threat to national security, national welfare and the people’s livelihood, or the public interest.” But how serious must a threat be to constitute a “serious threat”? Moreover, according to China’s National Security Law, “national security” encompasses almost everything in society: border security and military, finance, energy, food, socialist culture, technology, network and information security, ethnic group autonomy, religion, public health, ecosystem, world peace, and even outer space. Several released government rulemaking proposals show that “CII” may be more specifically defined in the near future.

Furthermore, compared to other countries adopting data-localization, China’s data localization rule is by far the most far-reaching — applying to any “important data” and not limited to certain specific industries — and the most rigorous, requiring foreign companies to establish partnerships with Chinese businesses to store the data locally.12

  12. Simply storing data within Chinese borders is not sufficient to satisfy the Chinese data-localization requirement. Many U.S. tech companies have to store the data on the servers of local Chinese companies. This is because of China’s telecommunication policies, which require companies to obtain a license to operate cloud services in China. Exactly how this regulatory framework works is not addressed in this paper. In short, many U.S. tech companies today are unable to run cloud services and other big-data businesses on their own in China, and they have to cooperate with local Chinese companies that hold the license.

Specifically, the law (Article 37) requires that companies (“CII operators”) store all personal information and “important data” from their Chinese business operations on servers located within China. Operators of big data businesses are covered under this provision. In order to transfer data abroad, these companies must prove business necessity and then pass a security assessment implemented by the Chinese government. In theory, these servers could be owned by either U.S. companies or Chinese companies. However, in order to comply with China’s telecommunication policies, in practice, most U.S. companies store user data only on servers owned by Chinese companies. Meanwhile, the Chinese companies who own the local servers are known to comply with government requests for data.

Compliance by U.S. Tech Companies

For example, in February 2018, Apple transferred the operation of its Chinese iCloud services to GCBD, a subsidiary of a Chinese government-owned enterprise.13 Through this transfer, GCBD became the sole provider for all iCloud services in China. Today, all the data generated by Chinese iCloud services, including contacts, photos, notes, documents, app data, iCloud emails, and some location-based services — as well as the encryption keys that provide access to all of that iCloud data — are stored locally.14

Apple is not alone. In China, Amazon Web Services (“AWS”), Amazon’s cloud service provider, is now operated by two Chinese companies and the cloud data is stored on servers owned by them.15 While the cloud services provided by AWS in China look similar to services offered elsewhere, AWS China16 differs in key ways: Chinese AWS clients sign contracts with the two Chinese operator companies rather than AWS, and the applied governance policies (such as the Privacy Policy) are issued by the Chinese companies.17 Companies such as Microsoft18, IBM19, Airbnb20 and LinkedIn21 all have similarly complied and stored data locally in China. With dangerous regularity, these tech companies are putting users in China at risk, diminishing or eliminating their data privacy altogether.

  13. See supra note 5.

  14. Stephen Nellis & Cate Cadell, Apple moves to store iCloud keys in China, raising human rights fears, Reuters, Feb. 24, 2018, https://www.reuters.com/article/us-china-apple-icloud-insight/apple-moves-to-store-icloud-keys-in-china-raising-human-rights-fears-idUSKCN1G8060

  15. Amazon’s cloud unit expands in China, with new partner in Ningxia, Reuters, Dec. 11, 2017, https://www.reuters.com/article/us-china-amazon/amazons-cloud-unit-expands-in-china-with-new-partner-in-ningxia-idUSKBN1E60CN

  16. In the Region Table of the AWS official website, there is a section explaining how the business of AWS China Regions is effectively separated from the other regions of the world. AWS China Regions, AWS, https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ (last visited June 5, 2018).

  17. See AWS China (Beijing) Region Legal Terms & AWS China (Ningxia) Region Legal Terms, AWS China, https://www.amazonaws.cn/en/legal/ (last visited June 5, 2018).

  18. Shijihulian Yunying de Yinsi Shengming (Microsoft Azure), Microsoft Azure (Chinese version), https://www.azure.cn/zh-cn/support/legal/privacy-statement/ (last updated June, 2013).

  19. Barb Darrow, IBM Teams Up With Wanda On Chinese Cloud, Fortune, Mar. 19, 2017, http://fortune.com/2017/03/19/ibm-cloud-in-china/

  20. Airbnb tells China users personal data to be stored locally, Reuters, Nov. 1, 2016, https://www.reuters.com/article/us-airbnb-china-idUSKBN12W3V6

  21. John McDuling, LinkedIn is doing what Facebook, Google, and Twitter can’t: expanding in China, QUARTZ, Feb. 24, 2014, https://qz.com/180755/linkedin-is-doing-what-facebook-google-and-twitter-cant-expanding-in-china/.

Assessing the Risks

In effect, the data localization requirement is not simply a “location change” for Chinese users’ data — it is a legal and political change with dangerous implications for human rights. Storing data within Chinese territory subjects that data — and the people linked to that data — solely to Chinese jurisdiction and its domestic law, a system providing poor data privacy protections and enabling almost-absolute access by an authoritarian government.

With the doors flung wide open to unrestrained access to users’ personal data, companies face increased risk of data breaches and data leakages. While Apple, for example, has maintained that its new Chinese data center will allow it to keep “strong data privacy and security protections in place,”22 China still lacks a strong and effective data protection mechanism, and it is not common practice for Chinese companies to put a high value on data security or to be equipped with strong data security systems.23 Data security is frequently compromised in the face of government requests; media reports have offered scathing reviews of how Chinese tech giants have willingly cooperated in government surveillance.24 What evidence demonstrates that local data center partners will behave any differently?

Furthermore, China does not provide legal protections similar to those in the U.S. to restrain the government from access to personal data. Accordingly, when the U.S. companies hand over Chinese users’ data to their Chinese partners, they are effectively making available everything stored on the servers to the Chinese government, especially when encryption keys are included.25

The Data-Localization Law is Part of a Broader Legal Regime Designed to Repress Speech and Make Anonymous Speech Impossible

Perhaps more alarming, from a human rights perspective, is the risk that stems from providing expansive powers to the Chinese government to access information about the online behavior of Chinese citizens. In China, the government itself usually operates above the law: for example, while the Cybersecurity Law has a section regulating the collection and sharing of personal information, these restraints do not apply to the government itself.

China’s data localization requirement raises tremendous human rights concerns because China is a repressive regime with a track record of massive and intensive government surveillance over its people. Numerous examples point to how government control over cyberspace in China extends to the physical world in a variety of ways.

Example #1:
In China, residents are required to have an ID card. The Cybersecurity Law requires social media providers to impose a real-identity requirement for online platforms and instant messaging services; in the U.S., this would essentially be the equivalent of providing a social security number in order to sign up for a social media account. This rule enables the Chinese government to swiftly pin online behavior to offline identities and take action. The real-identity rule requires that users “provide real ID information” in order to sign up to use the platform or service.26 Thus, unless someone were to forge their ID card, which is almost impossible for ordinary citizens (similar to forging a social security number), all activity on social media can be linked to someone’s offline identity by the government. In effect, anonymity online is impossible due to government requirements and speech gets further controlled and chilled.

Example #2:
China is building up a social-credit system which will use people’s various online behaviors to score their credit to decide their social benefits in the physical world.27 Writing in the Financial Times, China analyst Sebastian Heilmann notes that the social credit system “aims to nudge citizens and companies into rule-abiding behaviour by evaluating data ranging from payment morale or compliance with traffic rules or environmental regulations to opinions voiced in online chatrooms. What sounds like a nightmare for proponents of a free and open society is a dream come true for authoritarian regimes focused on maintaining order.”28 Similarly, a paper by three experts on China’s digital policy points out that considering the history of the Chinese government activities, “there is no doubt that [the social-credit system] could … be abused for social control, prying into every aspect of Chinese citizens’ lives and automatically punishing those who don’t toe the party line.”29

Example #3:
In July 2017, Apple was forced by the Chinese government to remove “VPN” (Virtual Private Network) applications from its App Store.30 These apps allow users to bypass government censorship controls to connect to the unfiltered Internet, including Google, Facebook, Twitter, The New York Times and many other popular web service providers.

  22. Paul Mozur et al., Apple Opening Data Center in China to Comply With Cybersecurity Law, The New York Times, July 12, 2017, https://www.nytimes.com/2017/07/12/business/apple-china-data-center-cybersecurity.html

  23. Liza Lin & Josh Chin, China’s Tech Giants Have a Second Job: Helping Beijing Spy on Its People, The Wall Street Journal, Nov. 30, 2017, https://www.wsj.com/articles/chinas-tech-giants-have-a-second-job-helping-the-government-see-everything-1512056284

  24. Liza Lin & Josh Chin, China’s Tech Giants Have a Second Job: Helping Beijing Spy on Its People, The Wall Street Journal, Nov. 30, 2017, https://www.wsj.com/articles/chinas-tech-giants-have-a-second-job-helping-the-government-see-everything-1512056284

  25. It is unclear whether other U.S. tech companies have also locally stored the encryption keys, as Apple has. However, even if that hasn’t yet occurred, the encryption keys may still only provide limited safeguards because the China Cybersecurity Law also imposes a duty on tech companies to provide “technical support and assistance” to the government for preserving national security and investigating crimes. And the term “national security” is broadly defined under China’s National Security Law as encompassing almost every aspect of society.

  26. Article 24 of China’s Cybersecurity Law: “Network operators handling network access and domain registration services for users, handling stationary or mobile phone network access, or providing users with information publication or instant messaging services, shall require users to provide real identity information when signing agreements with users or confirming provision of services. Where users do not provide real identity information, network operators must not provide them with relevant services.”

  27. Mara Hvistendahl, Inside China’s Vast New Experiment in Social Ranking, WIRED, Dec. 14, 2017, https://www.wired.com/story/age-of-social-credit/

  28. Sebastian Heilmann, Big data reshapes China’s approach to governance, Financial Times, Sep. 28, 2017, https://www.ft.com/content/43170fd2-a46d-11e7-b797-b61809486fe2

  29. Martin Chorzempa, Paul Triolo & Samm Sacks, China’s Social Credit System: A Mark of Progress or a Threat to Privacy?, PIIE (June 2018), https://piie.com/system/files/documents/pb18-14.pdf

  30. Cate Cadell, Apple says it is removing VPN services from China App Store, Reuters, July 29, 2017, https://www.reuters.com/article/us-china-apple-vpn/apple-says-it-is-removing-vpn-services-from-china-app-store-idUSKBN1AE0BQ

U.S. Companies’ Double-Standard for User Privacy

Any gap between a company’s words and its actions is a spark in the tinderbox of reputational risk. Some U.S. tech companies — many of which have been operating in China for decades — have professed the importance of user privacy while quietly abandoning those privacy standards in China, and they cannot pretend to be innocent under the guise of local law compliance.

This discrepancy raises red flags about a company’s integrity and does not go unnoticed. For example, when Facebook was found to have left the data of 87 million of its users unprotected, it quickly lost 6.8% — $36 billion — of its market value.31 But when Tim Cook criticized Facebook over the scandal, reporters were quick to turn the tables on Apple’s abandonment of consumer data privacy, critiquing the company’s “cozy relationship with China’s authoritarian regime.”32

In August 2018, Apple became the first company in the world with a stock market valuation of $1 trillion.33 It has experienced such growth thanks in large part to a consistent brand strategy that promises user-friendly products and values consumers’ data privacy. (“At Apple, we believe privacy is a fundamental human right,” the company website proudly declares.34) In 2016, Apple appeared to stand firm in this commitment when the company publicly and firmly resisted the FBI’s demand to provide technical support to unlock the iPhone of the San Bernardino shooter, including by pushing back against a court order that the U.S. government ultimately withdrew.35 At the time, Apple CEO Tim Cook expressed his conviction in an open letter to Apple customers:

“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand… While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.” 36

Tim Cook has gone so far as to emphasize Apple’s “moral responsibility” to the United States and all other countries in which it operates.37 Yet, in December of 2017, Mr. Cook declared that Apple shared “a common future in cyberspace” with the Chinese government.38 Three months later, Apple made Chinese users’ iCloud data readily available to the Chinese government.

Like Apple, Amazon’s privacy standard is inconsistent in China. AWS leases computing power to other companies so that they don’t need to run their websites or other online services through their own hardware and software. For Amazon, to locally store the AWS data in China means all the data generated by the services of these client companies, including their users’ data, is stored on the servers of AWS’s two Chinese partner companies. Customers of AWS in China sign a contract with one of the two Chinese partner companies — rather than with Amazon or AWS; these partner companies are described as the operator and service provider.39 As has been reported, “[w]hile the cloud services offered in both AWS China regions are the same as those available in other AWS regions, the China regions are isolated from all other AWS regions and operated by AWS’s Chinese partners separately from all other AWS regions.”40

For AWS customers, this raises questions about the inconsistency of their privacy protections. The global version of AWS’s privacy policy states that “customer trust is our top priority… We do not disclose customer content unless we’re required to do so to comply with the law, or with a valid and binding order of a governmental or regulatory body.”41 However, it is unclear whether this global policy also applies to users in China, where Amazon's Chinese partner, rather than Amazon or AWS, issues a separate privacy policy.42

It is important to note that Global Network Initiative (GNI) member companies have made strong privacy and human rights due diligence commitments that are a step in the right direction toward mitigating potential human rights abuses, including for companies operating in China. By participating in the Global Network Initiative, companies commit to adhering to GNI principles on transparency and human rights due diligence regarding freedom of expression and privacy. For example, companies commit to “employ protections with respect to personal information in all countries where they operate in order to work to protect the privacy rights of users” and “respect and work to protect the privacy rights of users when confronted with government demands, laws or regulations that compromise privacy in a manner inconsistent with internationally recognized laws and standards.”43

Microsoft, a member of the GNI, operates its cloud service Azure in China, now via local partner 21Vianet. As a GNI member, Microsoft indeed offers more transparency about its operations in China and provides more detailed and explicit disclosures than AWS (Amazon is not a member of the GNI at the time of writing). For example, Microsoft’s Trust Cloud Principle webpage expressly commits that China’s Azure will follow Microsoft’s approach to privacy and data protection to give customers control over their data and that 21Vianet will produce audits on their security and compliance programs.44 These are important demands of the local partner. However, as with AWS, Chinese customers of Azure also sign contracts only with 21Vianet, not Microsoft; the governance policies are only issued by 21Vianet; and Azure China is physically separate from Global Azure.45 Furthermore, the privacy policy provided by 21Vianet lacks the language around data privacy for users that is included in the global version of Microsoft’s privacy policy.46 While transparency and audits are critically important, there is more to be done for companies to ensure that users’ data privacy is protected.

Implications Within and Beyond China

Consumers everywhere want and deserve privacy. In March 2018, the China Economic Life Survey, a survey jointly conducted by the Chinese tech giant Tencent and the state broadcaster China Central Television, found that 76.3% of Chinese respondents see Artificial Intelligence as a threat to their privacy.47 Later that month, the CEO of Baidu — the Chinese equivalent of Google — faced major outrage online after he claimed at a public forum that Chinese people would be willing to trade their data privacy for convenience.48 The cultural, legal and political environment in China is unlike the United States, but human rights, including the right to privacy, extend to all people regardless of geography.

China’s data localization rule comes with dangerous implications for China-based users, and it also raises questions for users globally. What precautions exist to ensure that the Chinese government cannot gain access to information of non-Chinese customers via corporate partnerships? How are major U.S. tech companies ensuring that only the information required by the Chinese government is shared, and that other information remains protected? If a U.S. company has a Chinese subsidiary that has to store its Chinese business-generated data in China, what precautions are in place to shield the data generated from non-Chinese business from the privacy risks of the data localization law? As U.S. companies participate in upholding privacy protections with “digital” borders, the answers to these questions become murky.

The rule raises questions about the collateral effect for users based in other countries who communicate with users based in China. That is, when consumers outside China share data and communicate with people whose iCloud data is stored in China, will their information also be locally stored and readily available to the Chinese government? Companies like Amazon and Microsoft have isolated the Chinese market from the rest of their global businesses, but we have seen how data systems can be intricate and intertwined. In the case of the Facebook-Cambridge Analytica scandal, it became evident that troves of personal data eventually ended up in the hands of Cambridge Analytica — and not only the personal data of users who participated in a Cambridge Analytica test, but also that of their Facebook friends.49 Privacy breach by proxy.

Furthermore, if a company is willing to compromise on privacy in one market, it raises questions for investors and consumers everywhere. Consumers may wonder, if government pressure is strong enough, and the market is lucrative, at what point will a company shed the morality it claims to hold firmly? What can companies do to ensure that their privacy policies maintain consistency and translate to real-world accountability and integrity for users all over the world?

Colluding with the demands of an authoritarian government may present reputational risks. As U.S. media reports have stated, China’s control-driven model “crashes headlong into the foundational principles of the internet in market-based democracies: online freedom, privacy, free international markets, and broad international cooperation.”50 These principles are also consistent with the espoused values of many successful U.S. tech companies which rely on consumer-centric marketing of tech “for good.” By complying with China’s data-localization requirement, these U.S. tech companies are significantly departing from their fundamental values and in some cases, their stated purpose.

  1. Tory Newmyer, The Finance 202: Facebook’s stock faces wild ride after Cambridge Analytica outrage, The Washington Post, Mar. 20,https://www.washingtonpost.com/news/powerpost/paloma/the-finance-202/2018/03/20/the-finance-202-facebook-s-stock-faces-wild-ride-after-cambridge-analytica-outrage/5ab0530130fb045e48d05a97/?utm_term=.94108deed3e9

  2. Matthew Sheffield, Facebook can’t be trusted — and everyone in the tech world is piling on, Salon, Apr. 4, 2018,https://www.salon.com/2018/04/04/facebook-trust/

  3. Apple is the first $1 trillion company in history, The Washington Post, Aug. 2, 2018,https://www.washingtonpost.com/business/economy/apple-is-the-first-1-trillion-company-in-history/2018/08/02/ea3e7a02-9599-11e8-a679-b09212fb69c2_story.html?utm_term=.f97d6a149c33

  4. Privacy, Apple, https://www.apple.com/uk/privacy//(last visited June 5, 2018).

  5. Eric Lichtblau and Katie Benner, Apple Fights Order to Unlock San Bernardino Gunman’s iPhone, The New York Times, Feb. 17, 2016, https://www.nytimes.com/2016/02/18/technology/apple-timothy-cook-fbi-san-bernardino.html

  6. A Message to Our Customers, Apple (Feb. 16, 2016), https://www.apple.com/customer-letter/

  7. Don Reisinger, Apple CEO Tim Cook Explains His Company’s ‘Moral Responsibility’, Fortune, Aug. 29, 2017, http://fortune.com/2017/08/29/apple-tim-cook-moral-responsibility/

  8. Simon Denyer, Apple CEO backs China’s vision of an ‘open’ Internet as censorship reaches new heights, The Washington Post, Dec. 4, 2017, https://www.washingtonpost.com/news/worldviews/wp/2017/12/04/apple-ceo-backs-chinas-vision-of-an-open-internet-as-censorship-reaches-new-heights/?utm_term=.0f7c11a93a29

  9. Privacy Policy for AWS (Beijing Region), AWS China (Dec. 12, 2017), https://www.amazonaws.cn/en/privacy/beijing/

  10. Steve Ranger, AWS just opened another cloud computing region in China, ZDNet, Dec. 12, 2017, https://www.zdnet.com/article/aws-just-opened-another-cloud-computing-region-in-china/

  11. Data Privacy: Overview, AWS, https://aws.amazon.com/compliance/data-privacy-faq/ (last visited Aug. 20, 2018).

  12. See supra note 39.

  13. See supra note 2.

  14. Trust Cloud Principle, Microsoft Azure (Sep. 29, 2017), https://docs.microsoft.com/en-us/azure/china/china-overview-trust-cloud

  15. Azure China 21Vianet FAQ, Microsoft Azure (Oct. 13, 2017), https://docs.microsoft.com/en-us/azure/china/china-overview-trust-cloud

  16. Azure China 21Vianet FAQ, Microsoft Azure (Oct. 13, 2017), https://docs.microsoft.com/en-us/azure/china/china-overview-faq#can-i-merge-my-azure-china-21vianet-account-into-my-existing-global-azure-account

  17. Microsoft Privacy Statement, Microsoft (May 2018), https://privacy.microsoft.com/en-us/privacystatement

  18. Frank Hersey, Almost 80% of Chinese concerned about AI threat to privacy, 32% already feel a threat to their work, Technode, Mar. 2, 2018, https://technode.com/2018/03/02/almost-80-chinese-concerned-ai-threat-privacy-32-already-feel-threat-work/

  19. Yiting Sun, China’s citizens do care about their data privacy, actually, MIT Technology Review, Mar. 28, 2018, https://www.technologyreview.com/the-download/610708/chinas-citizens-do-care-about-their-data-privacy-actually/

  20. Carole Cadwalladr & Emma Graham-Harrison, Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach, The Guardian, Mar. 17, 2018, https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

  21. Samm Sacks, Beijing Wants to Rewrite the Rules of the Internet, The Atlantic, June 18, 2018, https://www.theatlantic.com/international/archive/2018/06/zte-huawei-china-trump-trade-cyber/563033/

Recommendations

For better or for worse, the internet has turned the world into a global village, and companies’ behavior in a country as influential as China can impact corporate responsibility and consumer privacy worldwide. If more countries are emboldened to join China in a clampdown on consumer privacy, U.S. tech companies will only find themselves more and more trapped between the competing challenges of protecting user privacy and adhering to local government regulation.

While there is no quick fix for establishing global privacy, nor for limiting repressive regimes’ access to harmful surveillance tools and private information of local citizens, companies that care about privacy and human rights for all should, at a minimum:

  • Declare a strong commitment to defend and uphold strong data privacy policies and practices for all users, regardless of where they live.
  • Ensure that users understand and are aware of the risks of a company’s privacy policies and practices, particularly when those policies and practices leave users vulnerable to government surveillance.
  • Conduct thorough and public human rights and privacy risk assessments. The assessments should demonstrate the process for assessing risk, including the balanced factors and their relative weights, external expertise, and the plan to mitigate any foreseen risks.
  • Publish regular transparency reports disclosing government requests for user data, including requests made of local partners that operate companies’ services in local markets.
  • Explore alternative and human-centric approaches to expanding their market without abandoning their principles. Moving forward, industry-wide discussions, commitments and coalitions serve as a model for how companies can uphold values of privacy and data security, even as they expand into new markets. Companies should engage a variety of stakeholders as they develop standards, including policymakers, industry experts, civil rights and human rights groups, and citizens in countries with authoritarian regimes.