In the last two years, the Chinese Ministry of Industry and Information Technology, together with other agencies in the Chinese government, launched a series of campaigns for the rectification of excessive personal information processing activities of mobile application developers, operators, and third-party service providers. Now, drawing on the insights from these special rectification campaigns, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS), and the State Administration for Market Regulation (SAMR) jointly released the draft Interim Regulations on the Administration of Personal Information Protection for Mobile Internet Applications (Draft Interim Regulations) on April 26, 2021. The Draft Interim Regulations apply specifically to data collection via mobile applications and are intended to function alongside China's currently proposed omnibus data protection legislation, the Personal Information Protection Law (Draft PIPL). The Draft Interim Regulations will be open for public comment until May 26, 2021.
Drawing on the experience accumulated, and administrative measures taken in the special rectification campaigns during the past two years, the Draft Interim Regulations include specific rules applicable to businesses operating in the mobile applications industry. These include rules around informed consent, standards of minimum necessary use, obligations of key relevant parties, and administrative measures and legal liabilities for violation of the regulations. In this update, we summarize and provide analysis of some of the key provisions in the Draft Interim Regulations.
Scope of Application
Territorial Scope
Unlike the Draft PIPL, which would apply to activities outside of China in certain circumstances (including if the purpose of processing is to provide products and services to individuals in China or where conducting analysis or assessment of activities of individuals in China), the Draft Interim Regulations apply only to the processing of personal information in China collected via mobile applications used within China.
Relationship With Other Laws
The Draft Interim Regulations provide that to the extent other laws and administrative regulations have separate provisions governing personal information processing activities, such provisions will take precedence, which creates ambiguity as to how the scope of application of the Draft Interim Regulations will align with the scope of the Draft PIPL in practice.
No Definition of Mobile Application
The Draft Interim Regulations apply to processing of personal information collected via mobile applications. Such "processing activities" are defined in Section 3 of the Draft Interim Regulations to include collecting, storing, using, processing, and transmitting personal information via mobile apps operated on mobile smart terminals (defined by the MIIT as mobile devices that can connect to public mobile communications networks, have an operating system, and allow users to install and remove mobile applications). However, the Draft Interim Regulations do not define what it means to be a “mobile application.”
Principle of Informed Consent
The overall requirement of informed consent in the Draft Interim Regulations is similar to the requirement in the Draft PIPL, and requires that app developers/operators processing personal information collected via mobile applications inform the users of such mobile applications of the app developer/operator's personal information processing rules in clear and understandable language to ensure that users can make a voluntary, fully informed, and clear choice on whether to consent to the processing activities. Section 3 of the Draft Interim Regulations defines app developers/operators as those engaging in the activities of development and operation of mobile applications. "Personal information processing rules" is a term translated from Chinese that refers to information concerning the subjects, purpose, methods, and types of personal information processing, and duration of storage of the personal information.
The Draft Interim Regulations provide specific requirements for obtaining informed consent from a user of a mobile application:
- App developers/operators are required to inform users of their personal information processing rules on the login or registration page of the mobile application when it launches for the first time, in a simple, conspicuous, and easily accessible way (such as via a pop-up window, text link attachment, etc.). A checkbox for obtaining consent may not be checked in advance by default and no personal information may be processed before consent is obtained from a user or after a user refuses to provide consent.
- App developers/operators may ask for permissions to access other applications or information on a user's mobile device if such access is necessary for the operation of the mobile application, however, users cannot be required to provide consent to multiple access permissions requests at one time. Each request for access should be limited to what is necessary to perform the applicable function. The app developer/operator may not alter the status of the permissions set up by a user without the consent of such user.
- App developers/operators must provide notice to and obtain consent from users if the app developer/operator will share personal information with third parties. The notice shall include the third party's identity, contact information, their processing purposes and methods, and the types of personal information to be shared with such third party. However, it is unclear how the notice must be provided and whether notification via privacy policies will satisfy this requirement. It is also unclear whether the “third parties” referred to in the Draft Interim Regulations is intended to have the same meaning as “App Third-Party Service Providers,” defined under Section 3 of the Draft Interim Regulations as subjects that provide third-party services, such as SDK, packaging, reinforcement, and compiling environment.
- App developers/operators are required to separately inform users and obtain consent prior to processing sensitive personal information, such as race, nationality, religious beliefs, personal biometric features, medical history, health, financial account information, and precise location. The Draft PIPL also includes such personal information in its definition of sensitive personal information. However, in contrast to the Draft Interim Regulations, the Draft PIPL generally provides several legal bases for processing personal information without limiting the bases that can be relied on for processing sensitive personal information.
Principle of Minimum Necessary Use
Even though the Draft PIPL and other laws and regulations concerning the use of personal information in China require compliance with the principle of minimum necessary use, it is difficult to implement this principle in practice due to a lack of guidance on how such a principle should be implemented. In contrast to other data protection laws and regulations in China, the Draft Interim Regulations provides specific guidance on implementing the principle of minimum necessary use, including the following:
- The amount, frequency, and scope of personal information to be processed in connection with the mobile app as well as the relevant processing operations, such as local access, write-in, deletion, and revision, must be necessary to the services provided.
- After a user refuses to consent to a request for permission to access information or other applications on his or her mobile device, the app developer/operator shall not force the user to exit the mobile application or close the app.
- The app developer/operator shall not request access permissions beyond the business function or service of the mobile application and shall not repeatedly make requests for access permissions that are irrelevant to the current functioning of the mobile application, such as via frequent pop-up windows.
- The mobile application shall not self-start or start other related applications that are not necessary for its services or without a reasonable business purpose in relation to such services.
- Use of a mobile application service shall not be affected if users refuse to provide personal information not necessary to such service.
- App developers/operators shall not require users to consent to personal information processing activities beyond the scope or irrelevant to the service provided, such as for purposes of improving the service, enhancing user experience, developing new products, targeted advertising, risk control, etc.
The specificity of these recommendations will help stakeholders in the mobile app industry determine how to structure their data processing activities according to the principle of minimum necessary use.
Obligations of Key Parties
The Draft Interim Regulations impose specific obligations on each key party involved in the development, operation, and distribution of mobile applications. We summarize the obligations of such key players below:
App Developers/Operators
The Draft Interim Regulations require app developers/operators to implement measures to protect personal information throughout the application design, development, and operation stages. If the Draft Interim Regulations are adopted, it will be the first time that the requirement of “privacy by design” is established in China, which will help to protect personal information from the very beginning of the life of a mobile application.
Under the Draft Interim Regulations, app developers/operators must also periodically provide users with notice regarding the collection and use of their personal information, in a conspicuous and clear format. However, the Draft Interim Regulations do not prescribe the form and content of such notices, nor the method of providing such notices.
App developers/operators are further required to ensure that their mobile application products and services are not recommended or priced in a discriminatory way based upon the personal information of users. App developers/operators must provide options for users to close or opt out of mobile application service functions independent from other mobile application service functions if they do not consent to the data collection practices of such functions.
The Draft Interim Regulations require app developers/operators to develop policies to manage their compliance obligations with respect to app third-party service providers. App developers/operators are required to disclose the name, functions, and personal information processing rules of such service providers; enter into personal information processing agreements with such service providers; and supervise the processing activities of, and the information security risks posed by, such service providers. However, the Draft Interim Regulations do not specify the rights and obligations of each party required to be included in a personal information processing agreement, nor does it specify how app developers/operators must supervise app third-party service providers.
The Draft Interim Regulations provide that app developers/operators may be held jointly liable with app third-party service providers for any violations by such service providers, if the violation was a result of the app developer/operator's failure to fulfill their supervision obligations.
App Distribution Platforms
The Draft Interim Regulations, if passed, would be the first regulation in China to specify the personal information protection obligations of app distribution platforms. An app distribution platform is defined in the draft interim regulations as a software service platform that provides mobile application download and/or upgrade services via application stores, application markets, websites, etc. (e.g., the Apple App Store). App distribution platforms are required to perform real-name verification of app developers/operators; disclose the list of access permissions necessary for the operation of mobile applications available on their platform and the applications' rules for collection and use of personal information; conduct compliance reviews; establish compliance management mechanisms; implement robust reporting systems; and provide accessible communications channels for users to submit complaints.
App Third-Party Service Providers
Under the Draft Interim Regulations, app third-party service providers must disclose to the app developer/operator their personal information processing rules in a clear, understandable, and reasonable way; adopt appropriate management and technical measures for the protection of personal information; and disclose to app developers/operators security risks and changes to such service providers' personal information processing rules.
The Draft Interim Regulations provide that app third-party service providers shall not wake up, launch, or update their services without user consent or a reasonable business purpose. Additionally, app third-party service providers shall not share or transfer the personal information they collect without user consent. However, it is unclear from the Draft Interim Regulations whether the responsibility of obtaining such user consent falls on the app third-party service provider or the app developer/operator.
Other Parties
The Draft Interim Regulations define mobile smart terminal manufacturers as those that manufacture mobile smart terminal devices which connect to the public network and come with pre-installed mobile applications or the ability to install mobile applications. The Draft Interim Regulations require mobile smart terminal manufacturers to enhance terminal access control systems, establish management systems for application startup, establish warning systems for unauthorized access to sensitive functions, review pre-installed applications, and improve existing systems for identifying terminal equipment.
The Draft Interim Regulations also govern network access service providers (which are the telecommunications business operators that provide network access services for mobile applications, such as internet data centers, internet service providers, and content delivery network providers). The Draft Interim Regulations require network access service providers to conduct real-name verification when providing network access services for mobile applications and to take necessary measures against mobile applications that are not in compliance with data protection law.
Administrative Measures and Legal Liability
The Draft Interim Regulations do not impose monetary penalties for violations of its provisions. However, violation of the Draft Interim Regulations (if passed) include orders for rectification, public announcement of violations, removal of the infringing mobile application from the market, disconnection of network access, and enhanced scrutiny by governmental authorities. The time limit for an infringing party to comply with an order for rectification is only five business days.
Under the Draft Interim Regulations, government authorities may issue additional guiding opinions and notices. One area in which additional guidance is likely to be issued is with respect to mobile applications that have engaged in repeated violations or under to-be-defined egregious circumstances. Such guidance may impose requirements on app distribution platforms and mobile smart terminal manufacturers to impose warnings regarding such infringing mobile applications and mobile applications developed by the same app developer/operator, at the stages of integration, distribution, pre-installation, and installation.
The Draft Interim Regulations further provide that penalties available under other laws and regulations governing the processing of personal data, such as the Cybersecurity Law, may be imposed against infringing mobile applications, including potential criminal liability.
Responsible Authorities
Similar to the Draft PIPL, the CAC will be responsible for the overall planning and coordination of mobile application personal information protection and the associated supervision and management under the Draft Interim Regulations. The Draft Interim Regulations also require the CAC, together with the MIIT, MSP, and SAMR, to establish a joint regulatory mechanism for supervision and administration of mobile application personal information protection as well as the formulation of relevant policies and standards.
In addition, local government authorities at the level of provinces, autonomous regions, and municipalities directly under the central government's control will be responsible for the supervision and management of mobile application personal information protection within their respective administrative regions. This enforcement framework may create issues with the consistent application of the provisions of the Draft Interim Regulations if and when they are enacted.
[View source.]