Background
Tencent Holdings Ltd. engages in the provision of value-added services and online advertising services. This includes online and mobile games, applications across various internet and mobile platforms, display- and performance-based advertisements, and software development to name a few.
Given the company’s business model is centred around digital-based services with a varied and wide-ranging customer base, we engaged to ensure the company had sufficient policies and principles in place that would safeguard consumers and guide the ethical use of artificial intelligence (AI).
In this regard, we also sought for Tencent’s to improve its data privacy disclosure. This is due to the large data sets that the company would hold and therefore the associated risks to privacy rights, which may be infringed upon by governments, hackers, or companies themselves.
Our engagement
We first began engagement on these issues in January 2019 when we met with the company and encouraged it to disclose its consideration of business ethics, including AI ethics, in its next ESG report. In May 2019, we published our Investor Expectations on Responsible AI and Data Governance and shared them with Tencent. The expectations are based on six principles of trust, transparency, action, integrity, accountability, and safety. We recommended that the company adopt its own principles for the ethical use of AI given its application of machine learning for many functions.
Over the course of 2020, we engaged in a deeper discussion on data privacy. Although security by design and privacy by design are principles highlighted by the company in its disclosure, we recommended a more elaborate description of the process, citing reports of inappropriate surveillance of WeChat accounts registered to foreign users.¹
In May 2019, we published our Investor Expectations on Responsible AI and Data Governance and shared them with Tencent.
We requested additional clarity on offshore jurisdictions where laws and regulations differ from Chinese legal standards, and periodic transparency reports disclosing data on government and third-party requests that impact data privacy. The company shared that it was prepared to comply with the Personal Information Protection Law, China’s first comprehensive legislation on data privacy.
In May 2022, we published our Digital Rights Principles and shared them with Tencent, highlighting to the company our updated expectations on AI and data privacy. The principles state that companies should disclose the range of purposes for which they use algorithmic systems, explain how they work, and enable users to decide whether to allow them to shape their experiences.
They also affirm the actions to eliminate unintended racial, gender, and other biases in algorithms, including those recommended by the EqualAI Checklist to Identify Bias. The principles further reference the Global Network Initiative best practices for data privacy.
We requested additional clarity on offshore jurisdictions where laws and regulations differ from Chinese legal standards.
In May 2023, we engaged the company in response to a Sustainalytics report alleging a breach of UN Global Compact Principle 2 related to content moderation and sharing of user data with the Chinese government.
We also raised concerns with the company’s low score on Ranking Digital Rights, an NGO that benchmarks the world’s largest tech companies on digital rights issues. We further
encouraged the company to add a commitment to user consent to its privacy policies and terms and conditions, and shared specific suggestions on making these documents easier to read and understand for its users.
Over the course of 2020, we engaged in a deeper discussion on data privacy. Although security by design and privacy by design are principles highlighted by the company in its disclosure, we recommended a more elaborate description of the process, citing reports of inappropriate surveillance of WeChat accounts registered to foreign users.
The company provided numerous examples of its ethical use of AI, such as its integration with medical services.
Engagement outcomes
Over the course of our engagement, we have observed the company’s annually published ESG reports continue to describe its evolving approach to AI and data privacy.²
In 2018, the company published its data privacy policies on a centralised platform to give users a comprehensive understanding, and introduced features on WeChat that enabled users to opt out of personalised advertisements. The company’s data privacy policies explicitly state that it needs to obtain consent from users before it collects, uses, and shares their personal information, and describes other measures we take to safeguard user data security.
The company’s data privacy policies explicitly state that it needs to obtain consent from users before it collects, uses, and shares their personal information.
In 2021, the company published its first Explainable AI Report, which showcased its efforts to implement its vision of “AI for Good”; a vision to help humans improve their quality of life and create new possibilities for social development³ whilst the report itself discusses the regulatory policies, development principles, and industry practices of explainable AI. The report was the first of its kind in China.
The company also spearheaded the development of two industry standards within the Shenzhen AI Industry Association, pertaining to cybersecurity for minors and facial recognition technology. The company provides numerous examples of its ethical use of AI, such as its integration with medical services, but not an exhaustive list, believing this would be burdensome.
The company also published a WeChat Governmental Request Policy, which states that when it faces government orders to provide user data, it respects and protects data privacy by verifying the government demands, and when such orders are valid, it complies with the law.⁴
Whilst the company has not published periodic transparency reports disclosing data on government and third-party requests that impact data privacy, it has begun to disclose the implementation of its WeChat content moderation policy in Chinese.⁵
In 2023, the company released and executed its AI Data Security Management Policy, which mandates key principles for all aspects of AI data handling, including data minimisation, legal compliance, and data categorisation. The policy mandates that all businesses strictly adhere to the principles, and is guided by the four principles of availability, reliability, comprehensibility, and controllability.
"[Tencent] holds itself to the highest standards of data security and user privacy protection."
EOS was subsequently notified that the company’s Sustainalytics ESG risk rating was upgraded from “Medium Risk” to “Low Risk.” The upgrade acknowledged the company’s progress in establishing a Personal Information Protection and Data Compliance Management Taskforce; collecting user data for only stated purposes and notifying users of any substantial policy changes or data breaches; and conducting Privacy Impact Assessments of products and services regularly.
The company was invited to share feedback on our case study. The company stated: “We hold ourselves to the highest standards of data security and user privacy protection, and strive to stay compliant with all laws and regulations in each country where we operate. We prioritise user privacy protection and has strengthened governance, oversight and transparency. As early as 2014, Tencent established a dedicated data privacy compliance team, making it one of the first internet companies in China to explore data compliance.”