Mapping Data Security Risks in China Tech

A key area under ESG’s governance pillar. 

Kate Lin 31 August, 2022 | 10:20


One of the goals of China’s sweeping regulatory changes last year was to bolster personal data protection and cyber security. The authorities brought to the forefront how tech firms handle and monetize the data they collect and store. This began with the launch of China’s version of the European General Data Protection Regulation, or GDPR, which launched probes into non-compliant tech platforms.

The e-commerce and internet industry has a heavy reliance on data analytics to improve customers’ online experience, which increases its exposure to data privacy and security risks. For investors, data protection issues fall under the governance pillar of ESG (environment, social, governance) considerations.

Morningstar identifies three risky data-related areas, illustrated with examples of potential or actual violations by Chinese tech firms.


Data Related Risks in China Tech Firms

  • Products and Services Risks: One example of this is the fact that cloud drives have become a default back-up for both individuals and enterprises, which could open the door to hackers siphoning away data and files. This has happened. In July, an anonymous hacker claimed to have accessed a trove of personal information of more than one billion Chinese residents that the Shanghai police hosted on Alibaba’s cloud platform. The data was believed to have been retrieved through a dashboard that was left open on the internet for over a year without a password, according to a report by the Wall Street Journal. The investigation into the platform’s robustness is underway.
  • Regular Business Risks: Though social media platforms deny having ‘eavesdropped’ on our conversations from our devices, there are many other existing ways for companies to collect data and turn it into proprietary digital assets. After all, users’ digital footprints contribute to the development of their platforms, such as optimizing targeted business strategies as well as improving user experience. The storage of data would also increase the exposure of a tech firm and its users to data breach and leakage risks.
  • Data Privacy Risks: Data privacy law has been evolving to protect wider digital rights, with the toughest set of rules being Europe’s GDPR. In China, regulators have been ramping up guidelines in the past years, setting speedbumps for firms that have leveraged data and algorithms to maximize growth. This could raise the cost of strengthening data control and management.


Examples of Data Violations

Unlawful use of data doesn’t only have legal and financial implications. It also carries reputational risks, with very real business and market implications. Regulatory scrutiny over data usage could bring down business models that are reliant on monetizing data collected, or compromise some of the high-margin revenue streams for tech firms.

In 2021, China launched the Personal Information Protection Law that governs the collection of personal data. It is now illegal for Chinese firms to collect excessive amounts of personal data, or to obtain and use such data without an individual’s explicit consent.

In the same year, regulators suspended Tencent from releasing new mobile applications and updating existing ones after allegations that several of its products violated consumer interests. The country also launched a full-on probe into ride-hailing giant Didi Global’s data practices: one concern was the anti-competitive use of data for its own gain, and another was the potential export of nationally sensitive data to the United States through the firm’s IPO on the NYSE.


Didi Poses High Risks

Data privacy and security risk are incorporated in the governance part of Sustainalytics ESG risk rating assessment. 


According to Morningstar Sustainalytics research, Alibaba’s data privacy risk is of less severity than issues like anti-competitive practices, a domain that the Chinese authorities have also been emphasizing. But there are areas that Alibaba could improve, such as a lack of clarity on operations covered by the international certification it obtained for its Information Security Management System. It is also unclear if the company performs regular external security audits or vulnerability assessments, or penetration testing of the company’s systems, products and practices affecting user data.

Morningstar Sustainalytics found that Didi has no formal program in place for the firm to manage data privacy issues. For instance, the company has not assigned managerial level responsibility to oversee privacy management and it lacks regular privacy risk assessments.

Tencent’s exposure to these issues is moderately above the subindustry exposure. Tencent’s complexity of data privacy management stems from its utilization of personally identifiable information to optimize its sprawling social platforms, such as WeChat.


Data Privacy Risks Pose Challenges for Investors

Even as regulators have proactively introduced more rules to guide the behaviors around data collection and usage, access to reliable and consistent information regarding this particular risk is limited.

According to a thematic report by Morningstar analysts Emma Williams, Melissa Hudson, Tiffany Flaherty and Livia Toni, reasons for this include different incident reporting regimes, disincentives to report due to security concerns, lack of formalized reporting requirements, and even inconsistency in requirements from the regulators themselves. The authors gave one example: Companies have significant discretion over how they classify what is either an "incident" or a "breach" and whether to report the event, making it challenging to compare the management of such risks between companies.

As a result, it is challenging to understand the root cause of events and where the greatest exposure to risk lies.

“Further, anecdotal evidence following the implementation of GDPR legislation implies that companies have struggled to map their internal data collection especially across varied IT infrastructure or third parties, let alone disclose this publicly,” note analysts at Morningstar.


5 Names to Play the Data Theme

Two strategies are available to play the data privacy theme. One is buying stocks with negligible risks.

Blue Moon International (06993), Shenzhou International (02313), and Zhengzhou Yutong Bus Company (600066) are among the names that come with negligible data protection and security risks. They are also cheaply priced and rated with an economic moat.   

There’s another angle to it. Our analysts single out improvers. With high or severe data protection-related risk now, these companies are managed by average to strong teams that will potentially mitigate such issues over time.

Tencent Holdings (00700) and its subsidiary Tencent Music Entertainment Group (TME) are said to be minimizing their risk exposure through strong practices that cumulatively include board-level risk oversight, regular employee training and independent audits, policy commitments, and limiting data collection to only what is necessary for product function. At present, both companies trade in 5-star territory, representing material risk-adjusted upside potential for investors.


Securities Mentioned in Article

| Security Name | Price | Change (%) | Morningstar Rating |
| Alibaba Group Holding Ltd Ordinary Shares | 83.00 HKD | -1.66 | Rating |
| Blue Moon Group Holdings Ltd | 2.15 HKD | 0.47 | Rating |
| Shenzhou International Group Holdings Ltd | 80.15 HKD | -0.74 | Rating |
| Tencent Holdings Ltd | 384.40 HKD | 0.21 | Rating |
| Tencent Music Entertainment Group ADR | 14.74 USD | -1.70 | |
| Yutong Bus Co Ltd Class A | 24.37 CNY | -5.80 | |

About Author

Kate Lin

Kate Lin is a Data Journalist for Morningstar Asia, and is based in Hong Kong.

© Copyright 2024 Morningstar Asia Ltd. All rights reserved.