Google has provided user data to the Hong Kong government in response to three requests made between July and December last year, making it the first US tech giant to disclose its compliance with requests from the local authorities for user data after the national security law was enacted last June.

google tech giant social media search engine
Photo: Mitchell Luo via Unsplash.

Alongside other tech and social media giants last year, the firm announced that it would stop responding to any request for user information coming from the city’s authorities, unless they were made via the US Justice Department. The latest disclosure indicates a reversal in the company’s position last year.

Google “produced some data” in response to three out of 43 requests it received from the Hong Kong authorities for user information during the second half of last year, the firm said in response to HKFP’s enquiry sent in May.

One of the requests it complied with was an emergency disclosure request involving a credible threat to life, the company said. Facebook, meanwhile, denied an emergency request last year. The remaining two Google complied with involved human trafficking – it said the two requests were unrelated to national security and were supported by search warrants signed by a magistrate as part of an investigation. They were processed according to the company’s global policy on government requests for user information, Google added.

None of the responses included users’ content data, the company said. Google’s general policy on responding to government requests states that it may provide other metadata, such as subscriber information including name, associated email and phone numbers, IP addresses, billing information, timestamps and email headers. 

google transparency report in 2020
Google provided user data to 7 per cent of requests it received from the Hong Kong authorities between July and December, 2020. Photo: Screenshot from Google’s Transparency Report.

The revelation means Google resumed its compliance with at least some user data requests from the local government. Last year, it said it would not respond to any of them unless they were made through the bilateral Mutual Legal Assistance Treaty (MLAT) with the US Justice Department, where the company is headquartered.

Google said the three Hong Kong requests they complied with were not made under the treaty. Emergency requests involving threats to life are not required to go through the treaty, according to its global policy, they added.

Requests received

In total, the 42 legal requests it received during the six-month reporting period involved 46 user accounts, whilst the one emergency disclosure request involved a single account.

The tech giant said it still requires the vast majority of Hong Kong government requests to be processed through diplomatic procedures, including any national security law related requests.

facebook headquarters singapore social media reaction like
File photo: Tom Grundy/HKFP.

Google’s policy states that the company responds to data requests in accordance with the laws of the requesting country and international norms. It also pushes to narrow down the scope of such requests and may inform the account holder of the request by email unless legally prohibited from doing so, its policy reads. Google did not respond to HKFP’s questions over whether they notified the Hong Kong users in the three requests.

The search giant, along with Twitter, said within a week of the national security law’s enactment last June that they had paused all data and information requests from the Hong Kong authorities, the Wall Street Journal reported at the time. A month later, it said it would stop responding directly to user data requests from the city’s authorities, according to a Washington Post report.

The company also notified the Hong Kong police that its requests would need to be directed via the US Justice Department to be processed under the MLAT – “a cumbersome process” that could take up to months, the newspaper reported.

Similar to Google, other US tech firms – Apple, Facebook and Microsoft – all said at the time that they had paused handling requests for user data emanating from the Hong Kong government as they reviewed the new law.

In the year preceding the law, the companies provided user data in response to hundreds of Hong Kong government requests, HKFP reported in May.

Hong Kong Police
Hong Kong police emblem. Photo: Candice Chau/HKFP.

Facebook’s transparency report published this June stated that it rejected all 202 requests from the Hong Kong authorities for user information in the latter half of 2020, including an emergency request. Meanwhile, Twitter also did not respond to one request from the Hong Kong government during this time.

Apple and Microsoft have not published their transparency reports for this period. According to an earlier report covering the six months before the law was enacted, Apple provided non-content information in response to 19 to 50 per cent of Hong Kong government’s requests for user data. Microsoft also provided non-content data in response to about 60 per cent of law enforcement requests from Hong Kong during the same period.

Alternatives for data privacy

Online privacy and security expert Eric Fan said Google’s latest revelations were “surprising,” as they appear to have contradicted their own public statement last year, and without explanation as to why it decided not to adhere to it. “Many people have higher [standards] for personal privacy in the wake of the national security law and social movement,” he told HKFP, referring to the 2019 protest and unrest.

Globally, he said there was calls for people to “DeGoogle” and boycott the services out of privacy concerns: “Some may choose to use Protonmail or search engine DuckDuckGo instead of Google. “There are alternatives for those who care about personal privacy, they do not have to only use one [company’s products],” Fan said.

But Fan said he could not speculate as to why Google responded to some requests, while other companies did not.

Office of the Privacy Commissioner for Personal Data
Office of the Privacy Commissioner for Personal Data. Photo: PCPD, via Wikimedia Commons.

The Hong Kong government has been looking into expanding the powers of the city’s privacy watchdog since May. Under proposed legislative amendments, the city’s Office of the Privacy Commissioner for Personal Data may request information from anyone to assist investigations into doxxing activities, which the authorities plan to criminalise.

Under the proposed law, authorities could be empowered to search and arrest suspects without a warrant, if they do not comply with requests. Hong Kong staff of service providers based overseas may also be at risk.

An industry group – with members including Google, Twitter and Facebook – issued a letter to the Hong Kong government on behalf of its members in July, saying tech companies may have no choice but to refrain from investing, or offering its services in the city, if the government moves forward with what it called a “completely disproportionate and unnecessary response” to doxxing. Doxxing involves the malicious publishing of private or identifying data.

HKFP was among several media outlets that received a Google grant in 2019 to help create a media funding solution.

Support HKFP  |  Policies & Ethics  |  Error/typo?  |  Contact Us  |  Newsletter  | Transparency & Annual Report | Apps

Help safeguard press freedom & keep HKFP free for all readers by supporting our team

contribute to hkfp methods
hkfp flask store
YouTube video

Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.

Success! You're on the list.

Selina Cheng is a Hong Kong journalist who previously worked with HK01, Quartz and AFP Beijing. She also covered the Umbrella Movement for AP and reported for a newspaper in France. Selina has studied investigative reporting at the Columbia Journalism School.