Review on China’s Recent Law Enforcement for Data Protection of Apps
China Data Protection Alert
On June 11, 2021, Chinese investors witnessed a sudden drop in the share price of iFlytek, a leading Chinese information technology company, which closed 6% down, wiping roughly RMB 9.4 billion off the company's market capitalization. The drop is widely believed to be related to the removal of the company's mobile phone app "iFlytek Voice Input" from the major app stores. In a news release, iFlytek explained that the removal followed a finding by the Cyberspace Administration of China (CAC) on May 1, 2021 that the App had "illegally collected non-function related user data", and the company's failure to correct the irregularity within the time limit set by CAC.
On March 22, 2021, CAC, jointly with the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Regulation (SAMR), issued the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (the Regulations), which define the scope of necessary personal information for 39 common types of mobile phone applications (Apps) and prohibit App operators from collecting "unnecessary" personal information from users. Between May 1, 2021, when the Regulations took effect, and June 11, 2021, CAC released four announcements covering a total of 351 Apps with irregularities in their personal information processing activities. In this article, we summarize the trends reflected in these recent CAC enforcement actions and set out several key points for personal information protection compliance in the development and operation of Apps.
- Trends of Recent Law Enforcement
- CAC has become an active enforcement authority on data protection. MIIT[1], MPS and SAMR have each been enforcing the data protection laws and regulations within their respective remits. However, since the issuance of the Regulations, CAC has released four public announcements ordering a total of 351 Apps to correct their irregularities within roughly one month, which indicates that CAC has become an active enforcement agency in this area.
- CAC's four announcements have covered 17 of the 39 common types of Apps listed in the Regulations. It is reasonable to expect that CAC will continue its inspections to cover the remaining 22 types and will announce the results from time to time. Note also that the Regulations apply to other types of software similar to mobile phone applications, such as WeChat "mini programs"; in practice, CAC has been reviewing mini programs before their launch.
- CAC has expressly stated that the purpose of the recent enforcement campaign is to stop illegal collection, over-collection, excessive requests for authorization and other violations of the personal data protection rules. We have analyzed the irregularities of the 351 Apps named in CAC's announcements as follows (an App may be cited for more than one irregularity, so the figures exceed 351 in total):
| No. | Irregularity | Number of Apps | Proportion of 351 Apps |
|---|---|---|---|
| 1 | Violation of the "Principle of Necessity" by collecting personal information unrelated to the services provided by the App | 259 | 74% |
| 2 | Collection and use of personal information without the users' consent | 153 | 44% |
| 3 | Failure to provide functions allowing the deletion or correction of personal information | 37 | 11% |
| 5 | Failure to publicly disclose rules on the collection and use of personal information | 24 | 7% |
| 6 | Failure to publicly disclose the purpose, methods and scope of the collection and use of personal information | 4 | 1% |
| 7 | Failure to provide a complaint channel | 3 | 0.9% |
| 8 | Inducing users to authorize the App to access their contacts and sending marketing messages to those contacts | 1 | 0.3% |
- CAC usually requires the App operator to complete the correction of the irregularities within 15 working days from the date of the public announcement and to send a correction report to CAC's official email address. If an App operator fails to complete the correction within this time limit, CAC may order the removal of the App from the app stores, impose administrative penalties, and so on. Such a short time limit is a challenge for App developers and operators.
- Key Points on Apps’ Data Protection Compliance
In light of the above trends in CAC's recent enforcement actions, we recommend that enterprises developing or operating Apps review their Apps and App-based business models from a legal perspective and keep the following key points for data protection compliance in mind:
- Follow the Principle of Necessity. The most common irregularity is violation of the principle of necessity. This principle requires that an App collect only the personal information necessary for its functions. An App must not deny users access to its basic functions merely because they refuse to provide additional personal information. It is therefore important to comply with the basic functions and necessary personal information defined for each type of App in the Regulations, since CAC is likely to treat any deviation from that scope as an irregularity. However, the Regulations do not make clear how an App offering multiple types of functions should divide them into basic functions and additional/extended functions and define its "necessary personal information". In our view, the approach should take into account not only the Regulations and other legal grounds, but also the regulatory criteria reflected in enforcement actions against similar Apps.
- Secure User Consent. So far, user consent remains the only lawful ground for processing personal data through information networks. Apps are therefore not allowed to process personal information until the user's consent has been obtained. Chinese laws, regulations and national standards already set out detailed rules on how consent must be sought; for example, seeking consent on an "opt-out" basis is prohibited. There are also additional requirements for the collection of sensitive personal information and for the collection of personal information from children. App developers and operators should be mindful of these detailed rules and seek advice from legal experts.
- Improve the Privacy Policy. An App must have a well-drafted privacy policy whose content and format satisfy the relevant laws and regulations. The privacy policy must set out the rules for the collection and use of personal information. On the App's first run, it must prompt users to read the privacy policy and relevant rules via a pop-up window or other conspicuous method. To achieve this, close coordination between the business, IT and compliance teams is needed to build an accurate understanding of the entire life cycle of the App's personal information processing and to explain it to users in clear, plain wording without degrading the user experience. Given the rapid evolution of the Chinese data protection regime, the privacy policy must also be maintained so that it is updated in a timely manner.
- Establish a Comprehensive and Dynamic Compliance Program. As noted above, Apps are regulated by multiple government authorities in China under their respective regulations and policies. The complexity of this legal framework makes it important for App operators to establish a comprehensive compliance program that covers all compliance obligations under those regulations and policies, and to adjust it as the legal regime evolves. App operators must also establish response, complaint and reporting channels through which users can exercise their rights. In particular, complaints and reports must be responded to within the committed time limit (no more than 15 working days), which requires App operators to be highly efficient. It is therefore necessary to give proper training to the team responsible for operating the App so that they can identify personal-information-related complaints and reports and respond to them correctly and promptly.
In China, Apps have become important tools for enterprises to provide services and to reach and interact with their customers. Given the increasingly complex regulatory regime for Apps and the active enforcement by government agencies, companies need to pay close attention to compliance in App development and operation. They must keep up with the evolving legal framework and coordinate among their legal, compliance, operations, marketing, IT and other departments to establish, and update from time to time, a compliance program for their Apps.