China continues to be a hotbed of activity in the areas of privacy and cybersecurity legislation. For background on the draft Personal Information Protection Law (“PIPL”) and proposed modifications published in April 2021, please see:
China’s Personal Information Protection Law: What It Means to Companies (Client Alert)
China Releases Second Draft of the Personal Information Protection Law: Comparison of Proposed Changes to First Draft (Security & Privacy // Bytes Blog)
China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)
In a related development, on April 26, 2021, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued the draft Interim Measures on Personal Information Protection of Mobile Internet Applications (the “Measures”) for public comment.
The draft Measures follow several rounds of enforcement actions relating to mobile applications (“apps”) in recent years, targeting the over-collection of users’ personal information (“PI”) through demands for access to the camera, microphone, photos, contact lists, etc. Currently, these activities are covered by two app-related practical guidelines, and the proposed Measures would be the first comprehensive rules on the topic. The draft Measures specify various requirements and obligations applicable to app developers, distribution platforms, third-party app service providers, mobile device manufacturers and network access service providers. Other important provisions may be summarized as follows:
- Supervising Authorities. The PI processing activities of apps will be jointly supervised by the State Cyberspace Administration, the MIIT, the Public Security Bureau and the State Administration of Market Regulation. This arrangement is in line with current enforcement practices.
- Personal Information Processing. The draft Measures set out two general principles on PI processing through apps, i.e., “acknowledged and agreed” and “minimal, as necessary”. Under each principle, detailed requirements are provided. For example, an app may request the user’s authorization to access PI only to the extent that the data relates to the provision of the specified business function. The request for authorization must be made separately and not bundled with other information. Repeated requests for authorization to access PI that is irrelevant to the business function are not allowed. In general, these principles and requirements are consistent with the provisions of the second draft of the PIPL, which was published at around the same time. The principle of “minimal, as necessary” was also addressed in the two sets of practical guidelines and related national standards that were previously published, which require each app to differentiate “basic functions” from “extended functions” and make clear that, other than the PI that is necessary for providing basic functions, collection of PI must be optional. In other words, an app operator may not refuse to provide basic function services if a user declines to provide optional PI. Consent requests for collecting “basic function” PI and “extended function” PI must be separate. One of the guidelines specifically lists 39 different types of apps, their respective “basic functions” and the PI deemed to be “necessary PI”.
- Personalized Search Result. The draft Measures provide that personalized search results based on the PI collected must be generated on a fair and reasonable basis. Furthermore, the app developers must provide users with a de-personalized option.
- App Distribution Platform. The draft Measures impose various management obligations on app distribution platforms (such as app stores and similar app markets), including conducting a data compliance review before the launch of any new app, developing a mechanism to evaluate and monitor the data compliance of app developers that provide services on the platform, and the obligation to report to and cooperate with the supervisory authorities.
- Liabilities. If an app is in violation of the Measures, the authority will first order the relevant party to rectify the violation. In case of failure to do so, the app will be removed from the app stores for at least 40 working days; in the worst-case scenario, the app will be blocked from internet access indefinitely. App developers can apply to the supervisory authorities to restore the app on the platform once the violation has been rectified.
The period for providing public comment on the draft Measures will expire on May 26, 2021. The Measures are likely to be officially enacted after the PIPL comes into effect. Given the extensive use of mobile apps, we expect that enforcement of privacy rules relating to mobile apps will continue to be a focus of enforcement activities for the supervisory authorities going forward.
Our Data Privacy & Cybersecurity team has established an internal working group comprising GDPR, US, Asia Pacific and China-based data privacy experts who have substantial experience advising on relevant regulations in China. If you would like specialist advice on these and related issues, please contact our team: Nicholas Chan, Scott Warren, Lindsay Zhu, Rosa Barcelo, Alan Friel, Ann LaFrance.