Emerging Technologies Law is a blog by William Ting which examines 21st century legal, business & Social tech issues.

Weaponizing Corporate Social Credit

All your data will belong to them. (iStock photo license)

It was a tale of two chambers of commerce.

On August 28, 2019, the president of the US Chamber of Commerce of Hong Kong spoke at a major China business conference in Hong Kong, no doubt extolling the virtues of doing business in China. On the same day, the European Union Chamber of Commerce of China issued a warning on the potential abuses under China’s social credit system, which is to be fully implemented by the end of 2020. It is highly doubtful whether this system was even mentioned at the Hong Kong conference, as it would be very bad for foreign businesses operating in the PRC.

Many already know that the PRC, with the help of its quasi-state-owned enterprises like Alibaba and Tencent, has rolled out a social credit system that collects, tracks and monitors every data trail of consumers. (I already discussed the potential pitfalls of combing through consumer data to spot people predicted to be criminals even before they commit any crime here.) But many don’t know that the PRC is also rolling out a social credit system for companies that will have five major consequences.

First, the proposed system will penalize companies for very vague “offenses” that could easily be defined in a politically motivated manner. For example, companies can be blacklisted for “endangering the national or public interest”, an extremely malleable standard depending on the political agenda of the day. 

Second, the proposed system will require companies to select and regularly monitor the socially “correct” partners and suppliers along their respective supply chains. This will present a fundamental shift in how firms select vendors, a decision based on fair price and good performance. Now the proposed system threatens to up-end this fundamental business rule by making social or political “acceptability” the key measure of vendor selection.

Third, the proposed system will compel all companies doing business in the PRC, including foreign companies, to transfer all their key data to the PRC government authorities, making the internal affairs of such companies appear like a fish bowl to PRC officials. This may encourage good business practices but undercuts the efforts of R&D-intensive companies in the tech and biomedical sectors to keep their trade secrets reasonably confidential.

This system will be particularly damaging when combined with the PRC’s new Cybersecurity Law, which requires a PRC national to review all data belonging to “critical infrastructure operators” to ensure that no “state secrets” are transferred outside of the PRC as “trade secrets”.

Also, the new system will present fresh challenges to the data privacy compliance regime for consumer-facing foreign companies (like foreign hotel chains and overnight couriers doing business in the PRC) because all of this consumer-related data will be required to be disclosed to the PRC authorities.

Foreign companies should begin to think of how to revise their data disclosure policies to inform their consumers of the fact that all of their personal information and transactions will be required to be disclosed to PRC officials by the end of 2020. I don’t think most foreign companies holding a treasure trove of consumer data would like this because they don’t like sharing data for free. I don’t think any foreign consumers would feel comfortable that their private details will be shared as well, especially when they don’t live inside the PRC!  There is a substantial risk that foreign companies may lose consumers who disagree or refuse to “opt into” such a mandatory PRC disclosure scheme. In other words, complying with this directive may force companies to balance the potential decrease of global customer base versus the potential of gaining more PRC-based consumers….

Fourthly, there does not seem to be a robust mechanism for foreign companies to ensure that the PRC social credit system accurately collects, processes and monitors the credit standing of consumers and companies.  Will the system be prone to technical errors and how will such errors be resolved?

Fifthly, the proposed system will probably be the world’s largest “honeypot” ever, an enticing target for every hacker or hacking group world-wide. What can be better than stealing all the consumer & corporate data (potentially including trade secrets) inside the PRC in one fell swoop? What will be the data protection protocols of such a system, how will it be updated, and can industry groups request that certain cybersecurity safeguards be implemented or refuse to disclose data?

the fattest data target ever (creative commons license)

Lastly, the EU Chamber of Commerce noted that “no one should be naive about” the PRC weaponizing such a system to coerce foreign companies doing business in the PRC to champion PRC policies and agenda. This (likely) potential will put most foreign companies in an ethical dilemma: whether to toe the PRC’s party line or get booted. Already the PRC has threatened to sanction U.S. companies involved in the making of the F-16s recently approved to be sold to Taiwan. While auditing state-owned enterprises, major U.S.-based accounting firms have faced increased pressure not to disclose what the PRC thinks are state secrets when US accounting rules require such disclosure.

Foreign businesses must re-assess the perceived benefits and pitfalls arising from the proposed corporate social credit system to determine if chasing their respective China market dream would cause them to lose global consumers and valuable trade secrets.

weighing the perceived benefits & pitfalls of the (illusory?) China dream (iStock photo license)