The telecoms authority of China’s eastern Zhejiang province has told the cloud computing unit of Alibaba Group Holding that it violated the country’s Cybersecurity Law and should make rectifications following a complaint about a 2019 information leak.
In a letter dated July 5, the Zhejiang Communications Administration (ZCA) said it found Alibaba Cloud “disclosed user registration information to a third-party partner without consent, which violated the Cybersecurity Law”. The letter was issued after the bureau received and processed a complaint against China’s largest cloud service provider.
The authority did not identify the source of the complaint or when it was filed.
The ZCA has not published the letter publicly, but its contents were reported by local Chinese media this week, including the newspaper 21st Century Business Herald. The bureau has confirmed the authenticity of the letter.
Alibaba Cloud said in a statement that the incident took place during the Nov 11 Singles’ Day shopping festival in 2019, when “a telemarketing employee violated company discipline, privately obtained client contact information and leaked it to a distributor’s staff member”. Alibaba, the owner of the South China Morning Post, said it discovered the issue during an internal probe.
“The company strictly prohibits employees from disclosing user registration information to third parties. The company has seriously handled the case in accordance with company rules, taken active rectification measures as requested by the ZCA and corrected the shortcomings of personnel management,” Alibaba said, without offering further details.
The case has been made public amid increasing scrutiny in China of Big Tech companies’ data-handling practices. China’s Personal Information Protection Law, which goes into effect in November, and China’s Data Security Law, set to go into effect next month, have introduced stricter legal requirements on data service providers in the country.
Under the Cybersecurity Law, which has been in effect since June 2017, an order to take corrective measures is the lightest penalty for infringing on rules protecting user data. According to the law, the regulator is authorised to issue a fine of up to 1mil yuan (RM651,519) and to fine responsible individuals up to 100,000 yuan (RM65,151).
For serious violations, the regulator can levy heavier punishments, including suspending or revoking a business license.
Alibaba Cloud, which controls 40% of China’s public cloud market, has been accused of infringing on client rights before.
Ipip.net, a geographic location database company, complained that the cloud provider copied some of its product data. The two later settled and issued a joint statement in late July that said some Alibaba Cloud staff had violated corporate norms for product development. Alibaba said it would punish the employees involved and prevent similar incidents in the future. – South China Morning Post