This is a confession that they are doing unmentionable things :)

Coincidentally

Insert ROFLMAO emoticon here.

Can anyone suggest any other options?

Not sure how many of these might operate in China as they're fairly secure and end-to-end encrypted

• Signal
  
• Riot (Matrix)
  
• Wire
  
• Threema
  
• Semaphor
  
• Keybase

Tencent may have had a change of heart, putting out a message yesterday on QQ that the current version of QQi 4.3 iOS and 5.3 Android will no longer work on 2018 May 20, but European users could upgrade to QQi 5.0 iOS/6.0 Android, when it becomes available.

I think this means that Tencent will upgrade QQi for Europe, but this upgrade is not yet released. The current versions of QQi are 4.8.7 iOS/ 5.3.1 Android. Let's hope they put out the new version before the 2018 May 20 deadline.

How Tencent will comply with Europe's GDPR I do not know.

What I find strange, is that major companies are not yet ready for the GDPR. The GDPR has been decided in 2012 (6 years ago), the final text is from 2016 (2 years ago). So it left plenty of time, for companies to progressively adapt to these requirements.

What is interesting is that my Chinese contact, who is in daily contact with her Euro friends, did not even know that GDPR existed nor what it did. She thought that this was new and that there might be some negotiation involved to stop QQ stoppage, though the decision was made in 2016. A search on Baidu did not initially reveal much info.

Tencent Holding has a 2017 revenue of $39.6BUS, similar to Facebook's 2017 revenue of $40.7BUS. Tencent, however, need not explain their privacy policy to their government or any other.

I knew about GDPR, but had to tell lawyers on Japan what to look for. Some of them had no clue either as late as last year. There just isn't enough information available about how non-European companies are supposed to handle these sorts of rules and regulations. A lot of companies are looking to see how other companies will comply, and then plan to take action. There is a lot of confusion still.

There just isn't enough information available about how non-European companies are supposed to handle these sorts of rules and regulations

Non-EU companies have to be compliant with the EU GDPR rules, exactly as if they were EU companies. Now, how the EU can sue and fine a company which is not represented in the EU, that is another question. Some non EU companies can feel safe because of it, but I wouldn't count on it.

It's my opinion only :) taken from various official and semi-official comments that the EU will phase the GDPR in with a two-fold initial emphasis: one, on companies with an actual physical EU presence and, second, with written warnings pointing out concerns.
Note: I have no idea what quiet back channel warnings have already been issued to the biggest most egregious web players.

However, by this time next year we all should have had example warnings and initial (minimal, non-max) penalties to reinforce whatever methodologies have been found to work that I expect (1) EU present sites will be expected to be compliant and enforcement will become harsher, especially for egregious 'example' sites, and (2) sites and apps frequented by EU citizens hosted with physical prensence only outside the EU will begin to see warnings.

What I have been waiting on, and am still waiting to see, is discussion (public) between the EU and non-EU countries - while the GDPR is at heart a personal privacy initiative it also has international trade rammifications. Which is the primary reason I expect the EU to start internally and then look outside. What I do not expect is some sudden compliance wall with business ending no warning to come crashing down upon our heads, not even within the EU.

That said, my compliance methodology, explanations, opt-ins is now live and I'm watching metrics with great interest.

Added:
I'm especially interested in how the new GDPR compliance methodologies will be received in regards to my Chinese hosted sites. Both by visitors and government organisations.
Note: I did run things by the CNNIC (China Internet Network Information Centre) within the MIIT (Ministry of Industry and Information Technology) prior to going live, however, 'things' are always subject to change...

Tencent is based in Shenzhen, and listed in HK and Frankfurt. Their family of apps are global. They should be compliant, particularly because they collect personal information about every user.

news from China:
QQ forced to escape from Europe at night, Ma Huateng: I can't afford so many fines [c.m.163.com...]

Google Translate:
On April 13, Tencent suddenly announced that it would stop QQ's service in Europe starting May 20, 2018. It is necessary to know that Ma Huateng made his fortune by relying on the instant messaging software QQ. He sat on the domestic hundreds of millions of users and dug into his own bucket of gold. Since then, he has also established Tencent's dominance in the social field. There is no doubt that Ma Huateng's service to shut down Europe is tantamount to taking a break. He was forced to do so, most likely because of the impact of European data protection and privacy policies (GDPR). (Source: Keller Ring Looks at the World)

The thing is, stopping to operate in the EU is not enough. The GDPR applies to all data collected before May 25th too. The use, processing and storage of data collected before, also have to be compliant with the GDPR. Which means, for example that in fact, you shouldn't have the right to exploit data collected before this date, since you didn't obtained the explicit consent of users.

Tencent operates outside of Europe. How will the EU enforce this? The data is now with the Chinese government, so now what? Even if Tencent destroys its data, there is no guarantee that all the EU data is gone.

Tencent operates outside of Europe. How will the EU enforce this?

If the company owns assets in Europe (this can be anything, from a bank account, shares of another company, building, lands, or any other investments), the EU can block these assets or take them over to cover the fine, this can certainly be extended to the European assets of the owner(s). Of-course, this is extreme examples, which would be set up in extreme situations.

I knew about GDPR, but had to tell lawyers on Japan what to look for. Some of them had no clue either as late as last year.

"Singapore, Japan, Korea among least prepared for new EU data laws" : [zdnet.com...]

Singapore has a lot more historical ties to the EU via Britain, and the international nature of their economy would have lead me to believe that they might have been better prepared. However, like Japan , and possibly Korea, they share an island mentality. They're isolated in terms of borders, and in the case of Japan and Korea they are also unique in their languages. There's often one way of doing things inside the country and the outside world often isn't considered, and if it is, it's distinctly separate.

Unlike China, Japan and Korea don't have quite as large a globally dispersed population who want to use a home grown system that deals with personal data in the way that QQ does. The possible exception in Japan is the LINE service that was made by a Korean company subsidiary in Japan.

I think that once we see some GDPR enforcement against companies outside the EU, then more of these companies will begin to realize what needs to be done. They need examples to follow. There are still companies here that think putting up one of those cookie warning notifications on their English website is sufficient for GDPR compliance.

However, the EU is going to have to be fairly careful about enforcement of GDPR outside their borders. It's easy to see how it could backfire on them and result in retaliatory measures.

Hopefully GDPR compliance will not be what Tencent might do: completely disable their app for the EU. If Tencent cuts off access to QQ for the EU, what happens to all the data they have already accumulated and stored in China?

If an EU resident uses a VPN through North America and then use QQ, is Tencent no longer liable?

If an EU resident uses a VPN through North America and then use QQ, is Tencent no longer liable?

This is not the IP location which matters, but the citizenship of the user. So, yes, you are liable, if a EU citizen uses a VPN outside of the EU (same if a EU citizen travels, or lives outside the EU). However, remember that it concerns only personal data, so if the personal data collected are not giving enough information about the citizenship of the user (address, etc...), and the IP is ("was", because IP ranges can be bought and sold) not linked to a EU location, you can reasonably argue that you didn't know it was a EU citizen. But if this user, wants his data deleted, and prove he is EU citizen, you have to do it. (This is why at the end, it's easier to offer the same privacy coverage to all users, and not only EU citizens, finally, it will be more convenient for companies, than running different privacy levels, and risking to mess up).

(The GDPR applies to EU citizens, no matter where they live or travel, and I guess it also applies to non European citizens, who are living within the EU too)

So far no news on Tencent releasing a new version of QQ International version specifically for GDPR.

So 2018 May 20 and May 25 has passed and there is no change to QQ, but service has not stopped for the at least some Europeans. I do not know what this means for compliance. I'm pretty sure that the regular QQ is not compliant.

I confirmed that yesterday QQ and Wechat clients in Europe have had their access cut off from the rest of the QQ/Wechat community.

solution: redownload QQ/Wechat, state a non-EU country! Probably not the intended effect of GDPR