Tourists take selfies on June 7, 2019. Carl de Souza | AFP | Getty Images

Chinese companies are behind some of the most popular photo and video apps around the world. That may mean vast troves of user data are at risk of falling into Beijing's hands, according to cybersecurity experts. Concerns are on the rise globally about internet privacy security and data protection, and a recent focus has centered on photo apps. China's mobile programs count hundreds of millions of active users, but their capacity to ensure privacy remains a matter of debate — especially since there's less of an emphasis on that factor at home. In fact, Robin Li, the billionaire CEO of tech giant Baidu, sparked an uproar last year when he said Chinese people "are not so sensitive about privacy issues and they are often willing to exchange privacy for efficiency," according to CNBC's translation.

If companies don't comply with government requests, they'll get into trouble with the Communist Party. Leland Miller CEO of China Beige Book

The recent overnight popularity of Russian FaceApp's aging feature evoked some worries about tech companies' potential collaboration with governments. The app's CEO, Yaroslav Goncharov, reportedly told The Washington Post that Moscow does not have access to the photos and that the company does not share user data with any third parties. But unlike FaceApp, some of China's biggest camera apps explicitly state in their privacy agreements that they provide data to third parties. It remains unclear, however, whether the so-called third parties include any government agencies.

'Structural issue' in privacy law

China isn't lawless when it comes to cybersecurity. In fact, the country has several sets of guidelines, according to Samm Sacks, a cybersecurity policy and China digital economy fellow at think tank New America. In May this year, Beijing proposed new regulatory policies to punish companies who breach privacy agreements. Still, China employs "vague" language, Sacks said, and those laws are "enforced selectively as a tool as needed by the government." Government control is the salient point in China's approach to regulating digital businesses, experts told CNBC. In fact, that's part of what's driving Washington's warnings about telecommunications behemoth Huawei. "If companies don't comply with government requests, they'll get into trouble with the Communist Party," Leland Miller, CEO of independent data tracking company China Beige Book, told CNBC during a phone interview. "That does not mean government requests always happen," he said, adding that "there is no law sufficient enough to safeguard user data if the government chooses to request this information." That is, the data privacy situation in China isn't a "legal issue," but rather a "structural issue," according to Miller. He said that anyone using a Chinese app is realistically "vulnerable" to Beijing's reach.

Even one of China's most well-known tech companies, Tencent, was ambiguous on the issue. It wrote in its general privacy policy web page that it "may disclose your personal information ... to comply with the applicable laws and regulations." Tencent is the parent company of WeChat, the most widely used social media app in China, and various other internet services including photo editing app Tiantian P-Tu. When asked by CNBC whether the wording in its privacy policy means Tencent-developed apps provide user data to authorities, a company spokesperson simply said "no comment." Miller said language like Tencent's policy "is typically added in to provide notice that the company reserves the right to respond as it deems necessary to any laws or judgments that happen in the future, which (of course) opens a huge door for Beijing to utilize if it so chooses." As long as an app is developed by a Chinese company — even if the user lives abroad or the company is registered overseas — it will fall under the country's cybersecurity laws, and therefore will be subject to Beijing's requests, according to a blog post from Sara Xia, an attorney at Harris Bricken.

User data sharing

Chinese photo-editing app Meitu, which means "beautify pictures" in Chinese, offers features that can remove wrinkles, smooth pores, and lengthen legs. The mobile app had 332 million monthly active users in December last year, of which, nearly 68% were Chinese users and 32% were from the rest of the world according to its 2018 annual report. According to Meitu's privacy policies, it collects personal details such as names, genders, locations, types of devices, and even what network operators are used. The company wrote to CNBC it only uploads user information to the cloud with "expressed consent." Most of the content is processed on users' devices, according to Meitu. When asked for how long the company retains user information, Meitu responded by saying that its "retention period strictly abides by the applicable local laws and regulations of where our users are based." After repeated inquiries from CNBC, Meitu declined to deny it would ever share data with the Chinese government, instead saying that, as of now, it had not done so. "Meitu strictly abides by the applicable local laws and regulations," a spokesperson told CNBC.

CEO of MEITU Mobile introduces the function of the new MEITU M4 phone with his own pictures in Beijing, China. South China Morning Post | Getty Images