China Reinforces Regulation on App’s Personal Data Processing

China - 24 / 05 / 2021

China Data Protection Alert

China’s data protection authorities have strengthened the regulations on personal information processing activities of mobile internet applications (App). Since May 1, 2021, in the law enforcement campaigns against over collection and coercive collection of personal information by Apps, a total number of 222 Apps have been ordered to be removed from App stores. On April 26, 2021, Communications Administration of Ministry of Industry and Information Technology of China released the 'Interim Provisions on Administration of Personal Information Protection of Mobile Internet Applications' (Draft for Public Comment) seeking for public opinions. The Provisions detailed the compliance requirements on the personal data protection for Apps and provided policies and standards reflected in the recent law enforcement proceedings comprehensively for the first time.

We would like to share with you the highlights of the Provisions as follows:

Scope of Application and Regulatory Authorities. The Provisions clarified that they are applicable to the activities of processing personal information carried out within the territory of the People's Republic of China by Apps running in the mobile smart terminals, and are widely applicable to App developers, App distribution platforms, third-party service providers, mobile smart terminal manufacturers and network access service providers. However, it is not clear whether the requirements for Apps are also applicable to other programs with similar functions, such as Wechat mini-apps.

The Provisions also specified that the Cybersecurity Administration of China (CAC) is responsible for the overall coordination of App’s personal information protection and related supervision and management affairs, but the CAC, Communications Administration, Public Security Department and Market Supervision Administration are all supervision and management departments for App’s personal information protection. Therefore, various departments may have their respective policies, standards and regulations within their respective jurisdictions. The relevant market entities may need to comply with the regulations issued by different authorities at the same time, if applicable.
Detailed Rules for Informed Consent and Data Minimization Principles. On one hand, the Provisions have provided detailed rules regarding the principle of “Informed Consent”. It is required that when engaging in personal information processing activities with an App, it is necessary to inform the users the personal information processing rules in clear and easy-to-understand language, and the user shall be able to make a voluntary and clear expression of intention with full knowledge. Specifically, the Provisions have provided “six do’s” requirements in obtaining consent from the users to process their personal information, including the requirements to timely display the privacy notice, seek “run-time” authorization, and apply for separate consent in case of processing sensitive personal information.

On the other hand, the Provisions have stated that those who engage in personal information processing activities through Apps shall have a clear and reasonable purpose and follow the principle of “data minimization”, i.e. to avoid any processing beyond the scope of user consent or irrelevant to the service scenario. In this sense, the Provisions have specifically put forward the requirements of “six don’ts” that prohibit the Apps from, among others, local processing beyond user consent, forced exit of Apps after user denied the authorization of processing, or forced processing based on improving product, developing new product, pushing message, or risk control reasons.

It is worth noticing that the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications that came into effect on May 1, 2021 have clarified the basic functional services and the scope of necessary personal information for 39 types of common apps, expressly stating that the App operators shall not deny the users to access the basic functions and services of the App in case the user does not agree to the collection of non-essential personal information. It is necessary for the relevant market entities to define the data processing policy in accordance with the above regulations.
Compliance Obligations for Different Subjects. The Provisions established the obligations for the App developers, App distribution platforms, third-party service providers, mobile smart terminal manufacturers and network connection service providers respectively. For example, the Provisions required App developers and operators to implement data protection requirements in the process of design, development and operation of App products, regularly report to their customers on the handling of personal data, conclude agreements with third-party service providers on the handling of personal data and bear joint liability with such third parties, and take technical and organizational measures to ensure the security of personal data. As for the App distribution platforms, the Provisions emphasized their obligation to review the App developers as well as the App.
Detailed Administrative Proceedings and Measures. The Provisions expressly provided that in case the relevant entities engaged in personal information processing activities that violate the rules, relevant measures will be imposed on them, including notification for rectification, public announcement of the violation, removal, disconnection of access and credit management in turn, and also specified the time period of such process. In particular, it was noted that the Apps that do not implement rectification as required or have recurring violations or take technical countermeasures or commit other serious violations will be directly removed from the Apps platform, and the removed Apps will not be allowed to be accepted by the platforms again through any channel within 40 working days upon removal. In addition, the supervision authorities will instruct App distribution platforms and mobile smart terminal manufacturers to conduct risk alert in the integration, distribution, pre-installation and installation process, and will adopt measures to ban those Apps that violated the rules with serious circumstances from entry into the market.

The Provisions are a systematic summary for the recent development of China’s personal information protection policies and have also reflected comprehensively the compliance requirements for Apps in terms of personal information processing. It is recommendable for the players in this market (such as the companies which operate Apps) to review the legal compliance status of their personal information collection and processing activities via the Apps, and prepare the compliance works in advance taking into account the Provisions. Garrigues will continue watching the relevant legal update and share our observations our clients.