Should Grindr users worry about what China will do with their data?
In April 2018, the Norwegian Consumer Council filed a complaint against Grindr, the most popular gay dating app in the world, in light of its decision to share its usersβ personal data β including HIV status and sexual preferences β with third parties. But the complaint and the outraged reaction overlooked another turn of events: in January 2018, Grindr was acquired by the Chinese corporate group Beijing Kunlun Tech for US$205m.
At the time, this prompted speculation as to whether Chinese authorities could access the data of the appβs 27m users in Europe and overseas. Grindr responded that the privacy of its users remained paramount, and that the government of China could not access data because βBeijing Kunlun is not owned by the Chinese governmentβ. But there are obviously questions about whether that confidence is justified. To make this judgement, it has to be established whether or not Grindr usersβ personal data are in fact being transferred to China.
Grindrβs privacy policy says that this data may be shared with a parent company β and that if Grindr is acquired, said owner βwill possess the personal dataβ. Coupled with the Chinese trend towards data localization requirements, which dictate that data should be processed within China itself, this provision means it may be possible for Grindr usersβ personal data to be transferred to China.
As far as European user data is concerned, the decision to authorize such transfers principally falls to the European Commission, whose assessment is based largely on βthe legal protections for human rights and fundamental freedoms in the third country, and access to transferred data by public authoritiesβ. This means that any decision over what happens to the data of these users should take into account the situation of the LGBTQ+ population in ChinaΒ β a situation that remains far from comfortable.
Between May and July 2017, a Chinese dating app for lesbian women was shut down, homosexual content online that was deemed βabnormalβ was banned, and a conference organized by an LGBTQ+ group was cancelled after police detained organizers. These sporadic but dramatic crackdowns on non-heterosexual people intersect with the governmentβs remarkable powers of surveillance and censorship.
And yet, despite Chinaβs ubiquitous surveillance and its proliferation of anti-gay laws, gay content is still readily available online. Indeed, one very successful Chinese gay app, Blued, is the largest gay social network in the world. But worryingly, Blued initially received substantial funding from the state-backed Beijing NewsΒ β suggesting that when it comes to gay life online, the only companies that thrive are ones with links with the Communist party. And thanks to the governmentβs authoritarian approach to life online, that in turn comes with serious privacy concerns.
Cracking down
As Human Rights Watch put it in a 2018 report, China is βone of the strictest online censorship regimes in the worldβ. Since 2014, the Anti-Spy Act has allowed surveillance of both Chinese nationals and foreigners, with few safeguards against the abuse of such powers. The 2014 act was recently strengthened by the National Intelligence Act; law enforcement agencies have a number of new powers including technological recognition measures.
Chinese intelligence operations are ostensibly required to be conducted in accordance with human rights, and to βpreserve the lawful rights and interests of individuals and organizationsβ. But given that obstruction can constitute a criminal offense and is punishable with 15 days of detention, it is hardly impossible that Grindr will have to comply with any requests made under this law.
The situation became even more worrisome in June 2017 when China imposed its Cybersecurity Act, one of the most wide-ranging cybersecurity statutes in the countryβs history. Many affected organizations, including international law firms, complained about the lawβs βexpansive scope, prescriptive requirements and lack of clarity on a range of critical issuesβ. And indeed, some of the lawβs provisions may directly affect Grindr, requiring it to abide by social morality and βaccept supervision by the governmentβ.
Then again, the law also obliges network operators to process personal data in a lawful, proper, and necessary way. In fact, the Cybersecurity Act is not all that different to the EU General Data Protection Regulation (GDPR); much like its European counterpart, it specifies that βpersonal information irrelevant to the service provided shall not be collectedβ.
The main difference between the GDPR and the Cybersecurity Act is that where the Chinese law is concerned, user privacy is trumped by security. That much is clear from the lawβs requirement that users provide their true identity. Itβs as yet unclear whether Grindr, many of whose users rely on anonymity, will comply with this requirement.
Behind the firewall
Many Western websites and social networks, among them Wikipedia, Facebook, and Twitter, cannot be currently accessed from within China, though Google is reportedly building China-specific versions of its products tailored to the governmentβs requirements. In 2017, new regulations were adopted to limit access to widely-used tools that allow online users to circumvent the so-called βGreat Firewallβ.
There is evidence that the Chinese government has access to private conversations online. In 2017, for instance, Beijing police arrested the creator of a WeChat group for discussing political and social issues. The company that owns WeChat has close links to the Communist party; the Financial Times has reported that the app βcensors politically sensitive messagesβ and social media posts and shares user identities with the police βwhen instructedβ.
Chinaβs recent legal innovations mean any company operating there could in theory be vulnerable to the Chinese Communist partyβs intentions. Perhaps Grindrβs users will feel reassured by the companyβs public commitment to their privacy, but a look at the fine print reveals that Grindr reserves the right to disclose their personal data βto comply with relevant lawsβ, and that the application of foreign laws may leave users βwithout a legal remedy in the event of a privacy breachβ.
Given that Chinese companies are boosting their overseas acquisitions, users of newly Chinese-owned apps and services urgently need to ask what rights they do and donβt have to their data. After all, they have the choice to obtain access to their data β and are arguably entitled to ask whatβs being done with it.
Asked for comment, Grindr responded:
The privacy and security of our usersβ personal data is a top priority for Grindr. Thatβs why, among other things, Grindr utilises highly sophisticated, state of the art data encryption, industry-leading security protocols, and extensive network penetration and application testing. Grindr also utilises anonymised data storage solutions to ensure our usersβ privacy and security. These and other safeguards help our users safely and securely connect and thrive, not only in the United States but in over 190 countries around the world.
Grindr has had a long history of working with various NGOs around the world to deploy safety features and tools in the app to give our users additional layers of protection. Grindr has never disclosed any user data (regardless of citizenship) to the Chinese government nor do we intend to. Grindr remains an American company governed and protected by the laws of the United States. We will continue to operate from our headquarters in West Hollywood, California.
Guido Noto La DiegaΒ is a Senior Lecturer in Cyber Law and Intellectual Property atΒ Northumbria University, Newcastle.
This article was originally published on The Conversation. Read the original article.
