The release of revised Administrative Provisions on Mobile Internet Application Information Services (the draft App Administrative Provisions) by the Cyberspace Administration of China in early January 2022 underlines China’s committed approach to regulating the privacy and security posture of mobile apps.
Since around 2018, Chinese authorities have been engaged in active enforcement efforts in respect of apps, with nationwide, multi-agency campaigns following in 2019 and again in 2021. The 2019 campaign focused on the illegal and excessive collection of user data. The 2021 campaign had a broader remit, looking at four key “problems”: violations of user rights (e.g. deceptive pop-ups and other attempts to mislead or force users to accept unwanted services); data security issues (including failing to encrypt sensitive information in transit and sharing personal data with third parties without the user’s consent); unfair competition; and other non-compliances.
The 2021 campaign culminated in December with over 100 apps being removed from app stores for violating user privacy, including one highly popular Chinese social media platform. 43 apps had been penalised a few months earlier for illegal transfers of user data. The total number of apps available in Chinese app stores is reported to have fallen by 40 per cent in the past three years, with the Ministry of Industry and Information Technology (MIIT) issuing rectification orders during this period mostly for (i) unlawful collection of personal data, (ii) mandatory, frequent or excessive requests for consent to data collection and use, and (iii) unlawful use of personal data (especially location data) (according to the MIIT’s own published reports).
Draft App Administrative Provisions
In so far as the draft App Administrative Provisions concern the privacy and security protection of apps, they lay down core rules that underpin the more detailed requirements of other existing and draft regulations in this space; namely the:
- Measures on Identification of Illegal Collection and Use of Personal Data by Apps (effective 28 November 2019)
- Interim Administrative Provisions on Personal Data Protection by Mobile Internet Applications (draft dated 26 April 2021)
- Circular on Issuing Rules on the Scope of Necessary Personal Data for Common Types of Mobile Internet Applications (effective 1 May 2021)
- TC 260’s national standard entitled Basic Specifications for Collecting Personal Information in Mobile Internet Applications (draft dated 15 January 2020).
The draft App Administrative Provisions establish general requirements for app providers to:
- publish privacy notices
- deploy technical measures to ensure data security and establish a full-process data security management system
- not compel users to consent to the collection and processing of personal data for purposes that are not essential to the functioning of the app. Users cannot be denied access to the basic functions of an app if they refuse to give their consent to such non-essential processing.
This prohibition on bundling consents is a core tenet of the Personal Information Protection Law (PIPL) and, before that, of the Personal Information Security Specification. The same theme appears in the draft App Administrative Provisions' prohibition of unwanted bundled downloads of apps.
The “main responsibility” for supervising apps' compliance with these requirements is delegated to app stores. App stores will be required to put in place management systems (i.e. platform rules and supervisory mechanisms) governing, among other things, the privacy protections and data security of the apps they host. App stores will additionally be required to review the collection and use of personal data by apps and to take down apps that violate personal privacy or contain security flaws. The extent of these supervisory obligations is not clear.
Other obligations under the draft App Administrative Provisions that are not related to privacy or security include obligations to implement strict measures for real-name registration and for the protection of minors from addictive practices, and obligations on app stores to verify (and publish) the credentials of app providers.
In addition to typical mobile apps, the draft App Administrative Provisions will also apply to mini apps and internet mini-programs (i.e. sub-applications on message apps) and browser plug-ins.
Measures on Identification of Illegal Collection and Use of Personal Data by Apps (effective 28 November 2019)
The Measures set out more detailed requirements on apps such as to:
- conspicuously prompt users to read privacy notices when an app is first opened, for example with a pop-up
- not make privacy notices difficult to access, for example by placing these more than four clicks away from the main function interface
- not make privacy notices difficult to read, for example by using text that is too small, dense or light, or by not providing a simplified Chinese version
- not change a user’s privacy settings without their consent, including by reverting to the default settings
- ensure that apps provide means for users to withdraw privacy consents
- not provide personal data to third parties without the user’s consent, including by embedding third-party code or plug-ins within the app or linking to a third party app
- publish complaint and reporting channels, and respond to complaints within 15 working days.
Interim Administrative Provisions on Personal Data Protection by Mobile Internet Applications (draft dated 26 April 2021)
Those requirements are elaborated upon further in the draft Interim Administrative Provisions; namely:
- at a minimum, privacy notices should specify the purpose and method of processing, the type of personal data to be processed and the retention period (text links are acceptable in addition to pop-up windows)
- pre-ticked ‘opt-in’ boxes are not an acceptable way to obtain a user’s consent
- consent should be refreshed each time privacy notices are changed. (The draft Interim Administrative Provisions pre-date the final version of the PIPL, which permits personal data to be processed to the extent required for concluding or performing a contract, although the same provision had also been in the first draft of the PIPL, released in 2020.)
- privacy permissions should be requested for each independent function or feature of an app, without requiring users to agree to multiple system permissions as a package
- privacy permissions that are irrelevant to the current scope of service should not be requested repeatedly
- it is not permissible to make the provision of apps dependent on users consenting to provide their personal data for the purposes of improving service quality, enhancing user experience, developing new products, enabling push notifications, exercising risk control, etc.
- it should be made possible for users to disable independent features and functions without affecting other non-dependent features and functions
- where possible, users should be offered service configurations that do not use their personal data and are not specific to their personal characteristics.
Circular on Issuing Rules on the Scope of Necessary Personal Data for Common Types of Mobile Internet Applications (effective 1 May 2021)
Each of these regulations prohibits apps from denying essential features and functions if users refuse to give their consent to the collection and processing of their personal data for non-essential functions, or from requiring permissions to access personal data that exceed what is necessary to support those essential functions.
The Circular on Issuing Rules on the Scope of Necessary Personal Data for Common Types of Mobile Internet Applications sets out in detail, for each main category of app, what the authorities consider to be “necessary personal data”, i.e. personal data that is necessary for the normal running of the basic functions or services of an app and without which those basic functions and services could not be enabled.
For example, the Circular provides that for online payment apps, the basic functions and services are deemed to be “online payment, withdrawal and transfer of funds”, and the personal data that may be collected as necessary is limited to:
- mobile phone number
- name, type, number and validity period of ID documentation
- bank account number.
Similarly, for ride hailing apps, necessary personal data is limited to:
- mobile phone number
- point of departure, point of arrival, location information and location tracking information
- time, amount and channel of payment.
The Circular covers 39 different categories of app in all.