Chinese ride-hailing app Didi has been fined $1.2 billion by state regulators for data privacy and security violations, complicating Western political narratives that have led to warnings about China-made apps like TikTok and their data harvesting practices.
The 8 billion yuan fine came down on Didi care of the Cyberspace Administration of China, which determined that Didi had violated multiple laws with practices including the collection of 107 million facial recognition profiles, the capture of 12 million screenshots from customers’ smartphone photo albums, and collecting relationship information concerning users’ families.
In addition to the overarching fine, the Cyberspace Administration of China dinged Didi President Jean Liu and Chairman Cheng Wei about $148,000 each.
It’s an awkward and, in some respects, confusing development in the context of discussions about the threat of Chinese surveillance practices in parts of the West.
Some of the latter concerns are pretty straightforward: The United Kingdom’s Biometrics and Surveillance Camera Commissioner recently warned that China-based Hikvision’s surveillance cameras could be activated remotely to collect face and voice biometrics, and helped to convince a number of lawmakers to push for a ban on the company’s technology.
A couple of months after doing so, TikTok faced an open letter from a pair of concerned US Senators asking the company to elaborate on its collection of user data and provide information about things like whether it shares data with third parties. Earlier this month, the Federal Communications Commission took the dramatic step of asking Apple and Google to delist TikTok from their app stores, with FCC Commissioner Brendan Carr asserting that it is a vehicle for Chinese Communist Party surveillance.
TikTok has faced variations of this argument before. One line of thinking goes that even if the CCP is not explicitly using TikTok as a surveillance tool, the fact that its corporate parent, ByteDance, is based in China means that it could be subject to the whims of the Chinese government. The CCP could demand that TikTok hand over customers’ biometric data, and it would have no choice but to comply. Whatever degree of conspiracy may be involved, these kinds of concerns helped to prompt the Trump administration to order the sale of TikTok to an American company. That directive never came to fruition, but the concerns remain.
The Cyberspace Administration of China’s handling of Didi muddies the picture. This is an arm of the Chinese government levying a huge fine on a private company over its collection of sensitive user data, including biometric data.
As The Washington Post notes, that fine comes after a new consumer data protection law took effect in China last November. The law is said to be based in broad terms on the European Union’s General Data Protection Regulation (GDPR), and it places restrictions on companies’ collection of personal data without consent, and on transmitting Chinese citizens’ data outside of the country. And that piece of legislation arrived after China’s Supreme People’s Court ruled last summer that businesses couldn’t use facial recognition without their customers’ consent.
So is China actually developing a regulatory framework to protect individuals from biometric data harvesting? And if so, does that mean Americans who are concerned about TikTok can rest easy?
Not so fast.
Before extrapolating too much from the Didi fine, it’s important to consider a little more context. The Chinese government’s investigation of Didi began about a year ago, well before the new data protection law came into effect. And it came amid what has been described as a populist campaign against big tech in China, with government authorities keen to be perceived as tackling corporate greed in their bid to improve the lives of nationals.
The timing of the attack against Didi is freighted with symbolism. The Cyberspace Administration of China announced its investigation just days after Didi made its debut on the New York Stock Exchange, sending its value tumbling and ultimately compelling the company to delist from the NYSE. With Chinese President Xi Xinping having touted his regime’s goal of “common prosperity”, Didi appeared to be one of many companies that irked the government’s ire by growing too big and leaving the people behind to seek success on the international stage.
The government’s investigation into Didi and its subsequent fine therefore represent a political, rather than principled, attack. Didi may have flouted data privacy laws – at least some of which weren’t yet codified when the investigation began – but it seems to have been targeted mainly as a gesture of government control and efficacy.
Would TikTok face the same regulatory scrutiny if it was found to be overreaching in its collection Chinese nationals’ data? Perhaps more to the point, would it be fined for collecting foreigners’ data? The answers aren’t clear. TikTok does not appear to have ticked off the CCP thus far, and theoretically its social media app remains a useful tool for surveillance purposes. Whether its collection of biometric data is ever restrained by the government probably won’t depend on principles of privacy and consent, but rather on whether the CCP perceives TikTok as a political problem or a strategic asset.
Much the same reasoning can be applied on the other side of the Pacific. A private US company would surely come under fire if it was found to be unlawfully collecting biometric data, and many have – especially in Illinois, with the state’s severe Biometric Information Privacy Act. But privacy protections aside, various government authorities have continued to pursue and deploy biometric technologies, sometimes in the face of criticism from privacy and civil rights advocates. Even Clearview AI, which is at this point more famous for its illegal collection of citizens’ biometric data than for its technology or any other selling point, remains a contractor for Immigration and Customs Enforcement, despite facing a range of fines and lawsuits in America and around the world. As in China, there are regulations in place in America aimed at protecting consumer privacy and biometric data, but they don’t necessarily have much bearing on how the government decides to use biometric technology.
Regulations and rights are one thing; state power is another. The Cyberspace Administration of China’s massive fine against Didi may tell us something about the state of privacy protections in China, but it doesn’t necessarily tell us anything about what kind of a “national security threat”, if any, TikTok represents to the US.
In any case, the fine certainly tells us something about what the CCP thinks of Didi.
July 22, 2022 – by Alex Perala