Tencent Holdings announced a new privacy oversight committee tasked with assessing the company’s user data protections, making it the first Big Tech firm in China to set up such a body that will be required by law next month as questions remain about such a committee’s independence.
The social media and gaming giant is recruiting 15 members for the committee, the company said in a statement posted on its WeChat app last Friday. It will consist of legal and technical experts, lawyers, media professionals and “other members of the public”, to be recruited through both public listings and scouting.
The group, officially called the “personal information protection external oversight committee”, will “independently appraise” Tencent’s efforts to protect the privacy of its users and products, offering guidance and suggesting amendments to company practices as needed, according to the Shenzhen-based firm.
The announcement comes less than two weeks until China’s new Personal Information Protection Law (PIPL) goes into effect on November 1. One of the stipulations of what experts think will be one of the world’s strictest laws on personal data protection is that large tech companies establish an “independent body that consists mainly of external members”. The rule applies to companies with “a large number of users” that “provide important internet platform services”.
The law is loose on details, though. It does not say what constitutes a “large number” or explain how oversight from an “independent body” should work. This leaves room for interpretation, but legal experts question whether tech giants setting up its own committees will allow them to be sufficiently independent.
Tencent said it currently has nothing more to add on the topic beyond what is mentioned in the recruitment notice.
Mandating that independent bodies be involved in compliance oversight is not a unique concept internationally, according to Alex Roberts, a lawyer for the firm Linklaters in Shanghai. However, companies could have a difficult time finding independent experts amid a race to comply with new requirements and given their wide range of investments across industries and numerous start-ups, he said.
“China’s regulatory reset has already launched a war for talent in compliance circles, as tech players scramble to upskill and professional services firms also bulk up on cyber and data specialists,” Roberts said.
These bodies can still include some internal members, Zhang Xinbao, a law professor at Renmin University of China, told the Guangzhou-based news outlet Southern Metropolis Daily in May. The law only requires that they be composed “mainly” of external members, he said.
Even an independent body could have trouble operating without any influence from the company, according to Zhang, given that the results can affect profitability.
Some legal experts see a parallel between the new PIPL requirement and the results of Facebook’s settlement with the Federal Trade Commission (FTC) in 2019. Following the Cambridge Analytica scandal, which revealed the British consulting firm had harvested the data of millions of Facebook users, the FTC directed the social media giant to create an independent committee to oversee decisions affecting user privacy.
Some have questioned the effectiveness of such a committee. In a statement regarding Facebook’s settlement in 2019, FTC member Rohit Chopra argued that the committee’s power is limited because the members have no authority to veto management decisions.
To ensure such committees remain independent, companies should publicly disclose rules around the body’s operations, discussions, responsibilities and rights, said a Chinese lawyer specialising in data protection, who asked not to be named because the topic affects his firm’s clients.
Oversight committees should also publicly disclose their suggestions and be given enough rights to affect privacy management, he added.
In its recruitment notice, Tencent has also committed to publishing a social responsibility report on personal information protection, but the company did not specify the frequency or content of the report.Internet Explorer Channel Network