In April, the Norwegian Consumer Council filed a complaint against Grindr, the most popular gay dating app in the world, in light of its decision to share its users’ personal data – including HIV status and sexual preferences – with third parties. But the complaint and the outraged reaction overlooked another turn of events: in January, Grindr was acquired by the Chinese corporate group Beijing Kunlun Tech for $205m.
At the time, this prompted speculation as to whether Chinese authorities could access the data of the app’s 27m users in Europe and overseas. Grindr responded that the privacy of its users remained paramount, and that the government of China could not access data because “Beijing Kunlun is not owned by the Chinese government”. But there are obviously questions about whether that confidence is justified. To make this judgement, it has to be established whether or not Grindr users’ personal data are in fact being transferred to China.
Grindr’s privacy policy says that this data may be shared with a parent company – and that if Grindr is acquired, said owner “will possess the personal data”. Coupled with the Chinese trend towards data localisation requirements, which dictate that data should be processed within China itself, this provision means it may be possible for Grindr users’ personal data to be transferred to China.
As far as European user data is concerned, the decision to authorise such transfers principally falls to the European Commission, whose assessment is based largely on “the legal protections for human rights and fundamental freedoms in the third country, and access to transferred data by public authorities”. This means that any decision over what happens to the data of these users should take into account the situation of the LGBTQ+ population in China – a situation that remains far from comfortable.
Between May and July 2017, a Chinese dating app for lesbian women was shut down, homosexual content online that was deemed “abnormal” was banned, and a conference organised by an LGBTQ+ group was cancelled after police detained organisers. These sporadic but dramatic crackdowns on non-heterosexual people intersect with the government’s remarkable powers of surveillance and censorship.
And yet, despite China’s ubiquitous surveillance and its proliferation of anti-gay laws, gay content is still readily available online. Indeed, one very successful Chinese gay app, Blued, is the largest gay social network in the world. But worryingly, Blued initially received substantial funding from the state-backed Beijing News – suggesting that when it comes to gay life online, the only companies that thrive are ones with links with the Communist party. And thanks to the government’s authoritarian approach to life online, that in turn comes with serious privacy concerns.
Cracking down
As Human Rights Watch put it in a 2018 report, China is “one of the strictest online censorship regimes in the world”. Since 2014, the Anti-Spy Act has allowed surveillance of both Chinese nationals and foreigners, with few safeguards against the abuse of such powers. The 2014 act was recently strengthened by the National Intelligence Act; law enforcement agencies have a number of new powers including technological recognition measures.
Chinese intelligence operations are ostensibly required to be conducted in accordance with human rights, and to “preserve the lawful rights and interests of individuals and organisations”. But given that obstruction can constitute a criminal offence and is punishable with 15 days of detention, it is hardly impossible that Grindr will have to comply with any requests made under this law.
The situation became even more worrisome in June 2017 when China imposed its Cybersecurity Act, one of the most wide-ranging cybersecurity statutes in the country’s history. Many affected organisations, including international law firms, complained about the law’s “expansive scope, prescriptive requirements and lack of clarity on a range of critical issues”. And indeed, some of the law’s provisions may directly affect Grindr, requiring it to abide by social morality and “accept supervision by the government”.
Then again, the law also obliges network operators to process personal data in a lawful, proper, and necessary way. In fact, the Cybersecurity Act is not all that different to the EU General Data Protection Regulation or GDPR; much like its European counterpart, it specifies that “personal information irrelevant to the service provided shall not be collected”.
The main difference between the GDPR and the Cybersecurity Act is that where the Chinese law is concerned, user privacy is trumped by security. That much is clear from the law’s requirement that users provide their true identity. It’s as yet unclear whether Grindr, many of whose users rely on anonymity, will comply with this requirement.
Behind the firewall
Many Western websites and social networks, among them Wikipedia, Facebook, and Twitter, cannot be currently accessed from within China, though Google is reportedly building China-specific versions of its products tailored to the government’s requirements. In 2017, new regulations were adopted to limit access to widely-used tools that allow online users to circumvent the so-called “Great Firewall”.
There is evidence that the Chinese government has access to private conversations online. In 2017, for instance, Beijing police arrested the creator of a WeChat group for discussing political and social issues. The company that owns WeChat has close links to the Communist party; the Financial Times has reported that the app “censors politically sensitive messages” and social media posts and shares user identities with the police “when instructed”.
China’s recent legal innovations mean any company operating there could in theory be vulnerable to the Chinese Communist party’s intentions. Perhaps Grindr’s users will feel reassured by the company’s public commitment to their privacy, but a look at the fine print reveals that Grindr reserves the right to disclose their personal data “to comply with relevant laws”, and that the application of foreign laws may leave users “without a legal remedy in the event of a privacy breach”.
Given that Chinese companies are boosting their overseas acquisitions, users of newly Chinese-owned apps and services urgently need to ask what rights they do and don’t have to their data. After all, they have the choice to obtain access to their data – and are arguably entitled to ask what’s being done with it.
Asked for comment, Grindr responded:
The privacy and security of our users’ personal data is a top priority for Grindr. That’s why, among other things, Grindr utilises highly sophisticated, state of the art data encryption, industry-leading security protocols, and extensive network penetration and application testing. Grindr also utilises anonymised data storage solutions to ensure our users’ privacy and security. These and other safeguards help our users safely and securely connect and thrive, not only in the United States but in over 190 countries around the world.
Grindr has had a long history of working with various NGOs around the world to deploy safety features and tools in the app to give our users additional layers of protection. Grindr has never disclosed any user data (regardless of citizenship) to the Chinese government nor do we intend to. Grindr remains an American company governed and protected by the laws of the United States. We will continue to operate from our headquarters in West Hollywood, California.
Guido Noto La Diega, Senior Lecturer in Cyber Law and Intellectual Property, Northumbria University, Newcastle.
This article first appeared on The Conversation.
Limited-time offer: Big stories, small price. Keep independent media alive. Become a Scroll member today!
Our journalism is for everyone. But you can get special privileges by buying an annual Scroll Membership. Sign up today!