IT regulator reinforces order in mobile app market

April 12, 2017 | By Katherine Jo

The MIIT calls for security and compliance in the app industry by stressing the dos and don'ts for app developers, app stores and phone makers

China's chief IT authority has called for a sweeping cleanup of the domestic mobile applications (apps) market, stressing security and consumer protection requirements for all individual apps, app stores and device manufacturers that cater to the world's largest population of smartphone users.

The release of these rules comes as the sprawling mobile industry becomes an increasing priority of the nation's evolving—and sometimes conflicting—internet legislation. By building on previous guidelines and striking a stronger tone on enforcement, the latest regulation from the Ministry of Industry and Information Technology (MIIT) signals a more serious intention to implement compliance and monitoring standards across the sector.

Online regulation: A turf war

Since President Xi Jinping ascended to the leadership in 2012, the government has worked to reshuffle the country's information security apparatus, with a specific focus on the internet, as signified by the 2014 creation of the Cyberspace Affairs Leading Group, China's ultimate governing body for the internet, headed by Xi himself. The Group's policy implementing arm, the Cyberspace Administration of China (CAC), is mandated with coordinating and streamlining the regulation of data security. This objective had long needed to be met, as a multitude of ministries has been competing for authority over internet regulation.

The primary regulator was the MIIT, whose responsibility emerged from its role as the longstanding overseer of the telecom sector and its direct ties to the dominant state-owned telecom carriers. The MIIT has also closely supervised telecom equipment manufacturers; for example, devices that access public communications networks are required to obtain a network access permit from the MIIT. However, the internet's pervasiveness throughout much of China's industries has seen the MIIT's role recede as other government ministries increasingly assert their jurisdiction in the online space.

For instance, the State Administration for Press, Publications, Radio, Film and Television (SAPPRFT)—which was formed by the merger of the State Administration of Radio, Film and Television (SARFT) and the General Administration of Press and Publications (GAPP) in 2013—and the Ministry of Culture (MOC) have carried themselves as the regulators for online content (in particular audio/video and cultural content). Typically, PRC ministries take a generous view of their remit in internet oversight, which often results in conflicts of interest. For example, the turf war between the MOC and GAPP over online games became so farcical that it was even covered by the China Daily, a mouthpiece of the Chinese government.

The CAC has the support of the current top leadership, but it is nevertheless a fledgling, thinly-staffed agency by PRC government standards, with daunting challenges. To fulfill its objectives, the CAC relies heavily on the existing regulators to jointly administer and police cyberspace. Efforts have yielded tangible progress over the past two years, and cross-agency consensus has clearly been reached on several matters. For example, the MIIT seems fixed as being primarily responsible for telecom infrastructure and device manufacturing, with diminishing (yet still pertinent) authority over online content regulation. Leaving no vacuum, the SAPPRFT and MOC, with the CAC's oversight, have redoubled their efforts and have more than compensated for the MIIT's shifted focus.

This restructuring and realignment of responsibilities for internet administration has spurred notable legislation over the past several years—the most comprehensive being the PRC Cybersecurity Law, passed on November 7, 2016 and effective as of June 1, 2017. While its data retention and local storage rules have sparked the most debate, the Law's provisions intended to protect online personal information and prevent both cyberattacks and malware also highlight the concerns that have proved intractable under existing rules.

It is against this regulatory backdrop that the MIIT's Tentative Provisions for the Administration of the Pre-installation and Distribution of Application Software of Mobile Smart Terminals (Provisions) were issued on December 16, 2016. Taking effect on July 1, 2017, these rules are part of a series of inter-agency efforts to regulate smart-mobile terminal device software applications. The MIIT circulated a draft of the Provisions for public comment on November 18, 2015, and the final version has few substantive changes.

The Provisions regulate the pre-installation of apps through rules that target the manufacturers of mobile devices and the distribution of apps by internet information service providers (IISPs). The Provisions also seek to remedy notorious and rampant issues in the mobile space, including unfair business practices and “malicious programs” (or malware, defined as malicious software that propagates information theft, deceptive fraud and chargeback, system destruction or other harmful functions that otherwise damage users' rights or network security).

China's app industry

Ever since Apple Inc.'s game-changing introduction of the iPhone in 2007, mobile apps have become the prevailing conduit for online delivery of content and services. But what distinguishes China's industry is the state-of-play of the country's mobile device and app market.

According to the latest Kantar Worldpanel ComTech report, from November 2016 to January 2017, Apple's operating system (OS) iOS continues to gain market share in most of its key markets, but not in China, where it has declined to just 16.6% of the market, partly due to its continued operation from offshore as a result of regulatory constraints. (Even so, China has surpassed the U.S. as the world's largest market for iOS App Store revenue, earning more than $1.7 billion in Q3 2016.) The dominant OS in China is Google Inc.'s Android, with latest figures putting its share at a towering 83.2%. Again, unlike other major markets, the absence of Google Play has led to a flood of various device manufacturers and platform service providers in the mobile app distribution market. The top three Android app stores in China are 360 Mobile Assistant, Tencent App Store, and Baidu Mobile Assistant.

695 million people accessed the internet through mobile devices, according to December 2016 figures, representing over 95% of the total number of internet users in the country. China's most active app, Tencent's messaging and social network platform WeChat, reported last year that 768 million users log in to its app every day.

Due to the fragmented nature of the app market, industry players have shown few scruples in the development, supply, marketing and distribution of apps. Anti-competitive business practices, such as bundled marketing and leveraging one's dominant market position, were severe enough even before the rise of apps to spark public outcry and prompt the MIIT to firmly intervene in a 2009 landmark dispute between Tencent and 360. At present, these same practices show little sign of abatement and are treated by many as an afterthought. Malware and theft of personal data are also points of public criticism.

Legislative legacy

In a broad sense, the PRC Telecommunications Regulations (Telecom Regulations), issued by the State Council and amended in 2014 and 2016, and the Measures for the Administration of Internet Information Services (IIS Measures), issued by the State Council in 2000 and amended the following year, provide a framework for the regulation of apps, mainly because these rules do not distinguish mobile networks from the public internet and thus capture software that can be interpreted to include mobile apps. The MIIT's latest Provisions invoke these legacy regulations as their foundation.

The MIIT's Classified Catalogue of Telecommunications Services contains a category called “information publishing platforms,” a Type II value-added telecom service (VATS) broadly defined to cover services including IISPs. By setting this particular VATS permit requirement, the MIIT in theory has the leverage to regulate any excessive behaviors in the provision of these services. However, the MIIT and others have found themselves ill-prepared to effectively police the chaotic domestic mobile app market, which is swarming with scams and malware. Gone are the days when the public gateway for mobile content was narrowly confined to the platforms of a couple of state-owned mobile carriers, with whom the MIIT could deal directly and effectively based on an existing relationship. This change means that the MIIT's traditional practice of relying on ad hoc orders and sanctions (such as in the Tencent and 360 case) is proving ineffectual against the myriad app store operators and seemingly infinite number of app providers.

As such, a spate of regulations and policy papers were hurriedly promulgated that specifically target mobile apps, including:

  1. The MIIT's 2011 Monitoring and Response Mechanisms for Mobile Internet Malicious Programs (移动互联网恶意程序监测与处置机制) (Mechanisms).
  2. The MIIT's 2013 Circular on Strengthening the Administration of Network Access by Smart Mobile Terminals (关于加强移动智能终端进网管理的通知).
  3. The CAC's 2016 Provisions for the Administration of the Information Services of Mobile Internet Application Programs (移动互联网应用程序信息服务管理规定) (CAC Provisions).

Taken together, these moves build a framework to make mobile app content providers liable for their products and services, with a focus on imposing greater responsibilities on the app distribution channels. In addition to requiring information service providers to hold the usual licenses (i.e. VATS permit and, as applicable, video/publication/game-related permits issued and administered by the SAPPRFT and MOC), Article 5 of the CAC Provisions requires app stores to file with the provincial CAC within 30 days of their business going online.

A guide to the MIIT's new rules

Much of the language of the new Provisions replicates that of the CAC Provisions and reiterates previous MIIT regulations. Accordingly, rather than being seen as a new set of tools, the Provisions are better understood as a regulatory surge in the mobile app space that is coordinated by the CAC and is intended to leverage the telecom industry watchdog's rapport with both the carriers and mobile device manufacturers.

They define a range of terms meaningful for industry regulations. “Mobile smart terminals” mean mobile communications terminal products or devices that access public mobile communication networks and are equipped with an OS through which users can install and utilize apps. Mobile apps are defined to include applications pre-installed on mobile devices, as well as those offered by IISPs for downloading, installing and upgrading on websites, app stores and other app distribution platforms. “Mobile application distribution platforms” include websites, app stores and other platforms on which apps can be downloaded for installation and upgrades. “Applications pre-installed on mobile smart terminals” refers to apps installed on mobile devices by manufacturers, independently or in conjunction with IISPs, before the device leaves the factory.

These definitions differ only semantically from those found in the CAC Provisions. A textual comparison between the two pieces of legislation suggests that both the CAC and MIIT intend to distinguish mobile apps from: 1) any particular OS; and 2) any software applications used for PC or TV terminals. While the convergence of the different sectors blurs this line, the distinction is necessary because the continued rise of mobile internet usage requires specific attention. Also, other terminals may be excluded from the purview of the MIIT and CAC because, for instance, SAPPRFT's role and vigilant regulation have been invigorated with the advance of Internet video content on TV screens.

Although the MIIT's Provisions refer to information service providers generally, the more substantive clauses manifest a focus on platforms and phone/device manufacturers. Article 2 speaks to the pre-installation of apps by manufacturers and distribution services.

Article 3 recognizes the MIIT and its provincial bureaus as overseers of regulated services including IISPs, stressing “during-the-event and post-event” supervision. This language echoes a recurring objective of China's current leadership, namely to shift from a clunky approval-centric administrative regime to a more efficient, market-oriented system. As mentioned, this mandate does not alter the role of the CAC and its local counterparts, as stated under the CAC Provisions, to undertake “oversight and law enforcement work relating to mobile app information content”, nor does it change the fact that the SAPPRFT and MOC remain the regulators for content. A bird's eye view of the situation illustrates a paradox, as all the efforts at bureaucratic efficiency in the mobile internet sphere have led to minimal approvals being scrapped while additional procedures have been imposed (such as the CAC's app store filing requirements). For the foreseeable future, it appears that further regulation of this dynamic sector will be achieved through an all-too-familiar scramble for multi-party administration.

Article 4 of the Provisions lists out the types of content prohibited on mobile apps. The negative list concept is nothing new and exactly tracks the language under the Telecom Regulations and IIS Measures. The idea was also conveyed under Article 6 of the CAC Provisions, which forbids app providers and app store service providers from “[using] apps to engage in activities prohibited by laws and regulations, such as those that jeopardize national security, disrupt the social order or infringe the lawful rights and interests of others, and…to produce, duplicate, publish or communicate information content that are prohibited by laws and regulations.”

Manufacturers and IISPs are required to provide apps in a legal manner. Article 5 goes into specifics, for example, by prohibiting apps from: utilizing device functions unrelated to their underlying services; collecting users' personal information without their informed consent; bundling/promoting unrelated apps; and illegally sending “commercial electronic information” (whereby goods, services or business investment opportunities are introduced or peddled to users). Payment service providers are also warned against charging false fees and required to maintain user consent and billing data for five months. Device manufacturers must prevent sales and distribution channels from installing mobile apps without user consent.

Article 6 details information that the manufacturers and IISPs must clearly display with respect to the mobile apps they provide, including: device function descriptions and authorizations, the scope of personal data collection, and the standards and methods for charging fees. These requirements generally echo earlier MIIT and CAC regulations.

A distinction is drawn under Article 7 between normal mobile apps and basic function software (defined as software that “ensures the normal operation of the hardware and operating system of a mobile smart terminal, and mainly includes the basic components of the operating system, applications that ensure the normal operation of the smart terminal hardware, basic communications applications, and app download channels”). No more than one piece of basic function software for a given functionality can be un-installable. Importantly, manufacturers are required to maintain consistency with respect to pre-installed apps before and after being issued a network access permit for their mobile device, and to report any addition of pre-installed apps or significant alteration of app functions to the MIIT.

Under Article 8 of the Provisions, manufacturers and platforms are set various administrative duties, including:

  • Maintaining true identity records and contact information of app providers, operators and developers.
  • Establishing a system to verify and test the security and functions of included apps and to filter malware.
  • Requiring app providers to inform end users as to which mobile device features and information will be used and accessed through the software.
  • Retaining various data records for the apps, including related versions and live dates, for no less than 60 days.
  • Removing apps with prohibited content and malware identified by the MIIT from distribution.

These are consistent with, but more specific than, the more general criteria under the CAC Provisions.

Article 9 of the Provisions requires the MIIT to publicize regulatory non-compliance. With respect to malware, the MIIT vows to muster the resources of testing institutions, reminiscent of the 2011 Mechanisms directing the National Computer Network Emergency Response Technical Team (国家计算机网络应急技术处理协调中心) to be responsible for identifying and monitoring malware. But while the previous mechanisms largely relied on carriers to submit samples of suspected malware, the MIIT now holds device manufacturers and platforms directly responsible as the gatekeepers in these efforts.

All stakeholders are required in Article 10 to improve their service safeguard measures by establishing complaint systems for users to report malicious mobile apps. The MIIT also encourages apps to procure certification and accreditation by qualified agencies and expresses broad support for industry-wide self-regulation (including the establishment of an industry-generated malware blacklist based on input from testing agencies and end users).

Setting the tone

Since China opened up to private investment, laws have often amounted to an ambiguous set of rules, significantly removed from business activities on the ground and, in the case of regulations, lagging much behind fast-evolving commercial and technological realities—a contrast that has led market participants in recent years to conclude that while nothing is allowed, much is possible for bold aspirants. This can-do esprit has ushered in an era of great progress. Stellar growth in the mobile app sector is no small testimony to this success story. However, a failure to regulate the sector effectively has resulted in blatant disregard for, and serious violation of, customer welfare, user privacy and data security.

Accordingly, while the industry initially expected regulations, including these latest Provisions, to address internet sovereignty and cybersecurity as indicative of a more stringent governmental regime, the new legislative initiatives should rather be seen as a bona fide attempt within China's unique, evolving governance system to address legitimate policy issues.

The PRC authorities' recent moves are suggestive of a greater focus on strengthening information security, safeguarding the privacy of individuals, and countering anti-competitive and fraudulent practices. Legislation such as the Cybersecurity Law can be seen as setting out basic principles, while regulatory efforts such as the CAC Provisions and MIIT's Provisions provide more concrete enforcement tools tailored to specific areas.

One notable aspect of the recent Provisions is that there are no significant new legal obligations per se. Rather, they call for an enhanced enforcement of existing rules that were previously only sporadically implemented. Accordingly, industry players must appreciate that these laws are not legislative redundancies but instead demonstrate a heightened political will to tackle key areas of concern. They may echo the same words, but they strike a much more serious tone.

Kevin Guo, Partner, and Joshua Tintner, Of counsel
TransAsia Lawyers
Beijing

China's chief IT authority has called for a sweeping cleanup of the domestic mobile applications (apps) market, stressing security and consumer protection requirements for all individual apps, app stores and device manufacturers that cater to the world's largest population of smartphone users.

The release of these rules comes as the sprawling mobile industry becomes an increasing priority of the nation's evolving—and sometimes conflicting—internet legislation. By building on previous guidelines and striking a stronger tone on enforcement, the latest regulation from the Ministry of Industry and Information Technology (MIIT) signals a more serious intention to implement compliance and monitoring standards across the sector.

Online regulation: A turf war

Since President Xi Jinping ascended to the leadership in 2012, the government has worked to reshuffle the country's information security apparatus, with a specific focus on the internet, as signified by the 2014 creation of the Cyberspace Affairs Leading Group, China's ultimate governing body for the internet and headed by Xi himself. The Group's policy implementing arm, the Cyberspace Administration of China (CAC), is mandated with coordinating and streamlining the regulation of data security. This objective had long been needed to be met, as there has been a multitude of ministries competing for authority over internet regulation.

The primary regulator was the MIIT, whose responsibility emerged from its role as the longstanding overseer of the telecom sector and its direct ties to the dominant state-owned telecom carriers. The MIIT has also closely supervised telecom equipment manufacturers; for example, devices that access public communications networks are required to obtain a network access permit from the MIIT. However, the internet's pervasiveness throughout much of China's industries has seen the MIIT's role receded as other government ministries increasingly assert their jurisdiction in the online space.

For instance, the State Administration for Press, Publications, Radio, Film and Television (SAPPRFT)—which was merged between the State Administration of Radio, Film and Television (SARFT) and the General Administration of Press and Publications (GAPP) in 2013—and the Ministry of Culture (MOC) have carried themselves as the regulator for online content (in particular audio/video and cultural content). Typically, PRC ministries take a generous view of their gamut in supervising internet oversight, which often results in conflict of interest. For example, the turf war between the MOC and GAPP over online games became so farcical that it was even covered by the China Daily, a mouthpiece of the Chinese government.

The CAC has the support of the current top leadership, but it is nevertheless a fledgling, thinly-staffed agency by PRC government standards, with daunting challenges. To fulfill its objectives, the CAC relies heavily on the existing regulators to jointly administer and police cyberspace. Efforts have yielded tangible progress over the past two years, and cross-agency consensus has clearly been reached on several matters. For example, the MIIT seems fixed as being primarily responsible for telecom infrastructure and device manufacturing, with diminishing (yet still pertinent) authority over online content regulation. Leaving no vacuum, the SAPPRFT and MOC, with the CAC's oversight, have redoubled their efforts and have more than compensated for the MIIT's shifted focus.

This restructuring and realignment of responsibilities for internet administration has spurred notable legislation over the past several years—the most comprehensive being the PRC Cybersecurity Law, passed on November 7, 2016 and effective as of June 1, 2017. While its data retention and local storage rules have sparked the most debate, the Law's provisions intended to protect online personal information and prevent both cyberattacks and malware also highlight the concerns that have proved intractable under existing rules.

It is against this regulatory backdrop that the MIIT's Tentative Provisions for the Administration of the Pre-installation and Distribution of Application Software of Mobile Smart Terminals (Provisions) were issued on December 16, 2016. Taking effect on July 1, 2017, these rules are part of a series of inter-agency efforts to regulate smart-mobile terminal device software applications. The MIIT circulated a draft of the Provisions for public comment on November 18, 2015, and the final version has few substantive changes.

The Provisions regulate the pre-installation of apps through rules that target the manufacturers of mobile devices and the distribution of apps by internet information service providers (IISPs). The Provisions also seek to remedy notorious and rampant issues in the mobile space, including unfair business practices and “malicious programs” (or malware, defined as malicious software that propagate information theft, deceptive fraud and chargeback, system destruction or other harmful functions that otherwise damage users' rights or network security).

China's app industry

Ever since Apple Inc.'s game-changing introduction of the iPhone in 2007, mobile apps have become the prevailing conduit for online delivery of content and services. But what distinguishes China's industry is the state-of-play of the country's mobile device and app market.

According to the latest Kantar Worldpanel ComTech report, from November 2016 to January 2017, Apple's operating system (OS) iOS continues to gain market share in most of its key markets, but not in China, where it has declined to just 16.6% of the market, partly due to its continued operation from offshore as a result of regulatory constraints. (Even so, China has surpassed the U.S. as the world's largest market for iOS App Store revenue, earning more than $1.7 billion in Q3 2016.) The dominant OS in China is Google Inc.'s Android, with latest figures putting its share at a towering 83.2%. Again, unlike other major markets, the absence of Google Play has led to a flood of various device manufacturers and platform service providers in the mobile app distribution market. The top three Android app stores in China are 360 Mobile Assistant, Tencent App Store, and Baidu Mobile Assistant.

695 million people accessed the internet through mobile devices, according to December 2016 figures, representing over 95% of the total number of internet users in the country. China's most active app, Tencent's messaging and social network platform WeChat, reported last year that 768 million users log in to its app every day.

Due to the fragmented nature of the app market, industry players have shown little scruples in the development, supply, marketing and distribution of apps. Anti-competitive business practices, such as bundled marketing and leveraging one's dominant market position, were severe enough even before the rise of apps to spark public outcry and prompt the MIIT to firmly intervene in a 2009 landmark dispute between Tencent and 360. At present, these same practices show little sign of abatement and are treated by many as an afterthought. Malware and theft of personal data are also points of public criticism.

Legislative legacy

In a broad sense, the PRC Telecommunications Regulations (Telecom Regulations), issued by the State Council and amended in 2014 and 2016, and the Measures for the Administration of Internet Information Services (IIS Measures), issued by the State Council in 2000 and amended the following year, provide a framework for the regulation of apps, mainly because these rules do not distinguish mobile networks from the public internet and thus capture software that can be interpreted to include mobile apps. The MIIT's latest Provisions invoke these legacy regulations as their foundation.

The MIIT's Classified Catalogue of Telecommunications Services contains a category called “information publishing platforms,” a Type II value-added telecom service (VATS) broadly defined to cover services including IISPs. By setting this particular VATS permit requirement, the MIIT in theory has the leverage to regulate any excessive behaviors in the provision of these services. However, the MIIT and others have found themselves ill-prepared to effectively police the chaotic domestic mobile app market, which is swarming with scams and malware. Gone are the days when the public gateway for mobile content was narrowly confined to the platforms of a couple of state-owned mobile carriers, with whom the MIIT could deal directly and effectively based on an existing relationship. This change means that the MIIT's traditional practice of relying on ad hoc orders and sanctions (such as in the Tencent and 360 case) is proving ineffectual against the myriad app store operators and seemingly infinite number of app providers.

As such, a spate of regulations and policy papers were hurriedly promulgated that specifically target mobile apps, including:

  1. The MIIT's 2011 Monitoring and Response Mechanisms for Mobile Internet Malicious Programs (移动互联网恶意程序监测与处置机制) (Mechanisms).
  2. The MIIT's 2013 Circular on Strengthening the Administration of Network Access by Smart Mobile Terminals (关于加强移动智能终端进网管理的通知).
  3. The CAC's 2016 Provisions for the Administration of the Information Services of Mobile Internet Application Programs (移动互联网应用程序信息服务管理规定) (CAC Provisions).

Taken together, these moves build a framework to make mobile app content providers liable for their products and services, with a focus on imposing greater responsibilities on the app distribution channels. In addition to requiring information service providers to hold the usual licenses (i.e. VATS permit and, as applicable, video/publication/game-related permits issued and administered by the SAPPRFT and MOC), Article 5 of the CAC Provisions requires app stores to file with the provincial CAC within 30 days of its business going online.

A guide to the MIIT's new rules

Much of the language of the new Provisions replicates that of the CAC Provisions and reiterates previous MIIT regulations. Accordingly, rather than being seen as a new set of tools, the Provisions are better understood as a regulatory surge in the mobile app space that is coordinated by the CAC and is intended to leverage the telecom industry watchdog's rapport with both the carriers and mobile device manufacturers.

They define a range of terms meaningful for industry regulations. “Mobile smart terminals” mean mobile communications terminal products or devices that access public mobile communication networks and are equipped with an OS through which users can install and utilize apps. Mobile apps are defined to include applications pre-installed on mobile devices, as well as those offered by IISPs for downloading, installing and upgrading on websites, app stores and other app distribution platforms. “Mobile application distribution platforms” include websites, app stores and other platforms on which apps can be downloaded for installation and upgrades. “Applications pre-installed on mobile smart terminals” refers to apps installed on mobile devices by manufacturers, independently or in conjunction with IISPs, before the device leaves the factory.

These definitions have only semantic differences with those found in the CAC Provisions. A textual comparison between the two pieces of legislation suggests that both the CAC and MIIT intend to distinguish mobile apps from: 1) any particular OS; and 2) any software applications used for PC or TV terminals. While the convergence of the different sectors blurs this line, the distinction is necessary because the continued rise of mobile internet usage requires specific attention. Also, other terminals may be excluded from the purview of the MIIT and CAC because, for instance, SAPPRFT's role and vigilant regulation has been invigorated with the advance of Internet video content on TV screens.

Although the MIIT's Provisions refer to information service providers generally, the more substantive clauses manifest a focus on platforms and phone/device manufacturers. Article 2 speaks to the pre-installation of apps by manufacturers and distribution services.

Article 3 recognizes the MIIT and its provincial bureaus as overseers of regulated services including IISPs, stressing “during-the-event and post-event” supervision. This language echoes a recurring objective of China's current leadership, namely to shift from a clunky approval-centric administrative regime to a more efficient, market-oriented system. As mentioned, this mandate does not alter the role of the CAC and its local counterparts, as stated under the CAC Provisions, to undertake “oversight and law enforcement work relating to mobile app information content”, nor does it change the fact that the SAPPRFT and MOC remain the regulators for content. A bird's eye view of the situation illustrates a paradox, as all the efforts at bureaucratic efficiency in the mobile internet sphere have led to minimal approvals being scrapped while additional procedures have been imposed (such as the CAC's app store filing requirements). For the foreseeable future, it appears that further regulation of this dynamic sector will be achieved through an all-too-familiar scramble for multi-party administration.

Article 4 of the Provisions lists out the types of content prohibited on mobile apps. The negative list concept is nothing new and exactly tracks the language under the Telecom Regulations and IIS Measures. The idea was also conveyed under Article 6 of the CAC Provisions, which forbids app providers and app store service providers from “[using] apps to engage in activities prohibited by laws and regulations, such as those that jeopardize national security, disrupt the social order or infringe the lawful rights and interests of others, and…to produce, duplicate, publish or communicate information content that are prohibited by laws and regulations.”

Manufacturers and IISPs are required to provide apps in a legal manner. Article 5 goes into specifics, for example, by prohibiting apps from: utilizing device functions unrelated to their underlying services; collecting users' personal information without their informed consent; bundling/promoting unrelated apps; and illegally sending “commercial electronic information” (whereby goods, services or business investment opportunities are introduced or peddled to users). Payment service providers are also warned against charging false fees and required to maintain user consent and billing data for five months. Device manufacturers must prevent sales and distribution channels from installing mobile apps without user consent.

Article 6 details information that the manufacturers and IISPs must clearly display with respect to the mobile apps they provide, including: device function descriptions and authorizations, the scope of personal data collection, and the standards and methods for charging fees. These requirements generally echo earlier MIIT and CAC regulations.

A distinction is drawn under Article 7 between normal mobile apps and basic function software (defined as software that “ensures the normal operation of the hardware and operating system of a mobile smart terminal, and mainly includes the basic components of the operating system, applications that ensure the normal operation of the smart terminal hardware, basic communications applications, and app download channels”). No more than one piece of basic function software for a given functionality can be un-installable. Importantly, manufacturers are required to maintain consistency with respect to pre-installed apps before and after being issued a network access permit for their mobile device, and to report any addition of pre-installed apps or significant alteration of app functions to the MIIT.

Under Article 8 of the Provisions, manufacturers and platforms are set various administrative duties, including:

  • Maintaining true identity records and contact information of app providers, operators and developers.
  • Establishing a system to verify and test the security and functions of included apps and to filter malware.
  • Requiring app providers to inform end users as to which mobile device features and information will be used and accessed through the software.
  • Retaining various data records for the apps, including related versions and live dates, for no less than 60 days.
  • Removing apps with prohibited content and malware identified by the MIIT from distribution.

These are consistent with, but more specific than, the more general criteria under the CAC Provisions.

Article 9 of the Provisions requires the MIIT to publicize regulatory non-compliance. With respect to malware, the MIIT vows to muster the resources of testing institutions, reminiscent of the 2011 Mechanisms directing the National Computer Network Emergency Response Technical Team (国家计算机网络应急技术处理协调中心) to be responsible for identifying and monitoring malware. But while the previous mechanisms largely relied on carriers to submit samples of suspected malware, the MIIT now holds device manufacturers and platforms directly responsible as the gatekeepers in these efforts.

All stakeholders are required in Article 10 to improve their service safeguard measures by establishing complaint systems for users to report malicious mobile apps. The MIIT also encourages apps to procure certification and accreditation by qualified agencies and expresses broad support for industry-wide self-regulation (including the establishment of an industry-generated malware blacklist based on input from testing agencies and end users).

Setting the tone

Since China opened up to private investment, laws have often amounted to an ambiguous set of rules, significantly removed from business activities on the ground and, in the case of regulations, lagging much behind fast-evolving commercial and technological realities—a contrast that has led market participants in recent years to conclude that while nothing is allowed, much is possible for bold aspirants. This can-do esprit has ushered in an era of great progress. Stellar growth in the mobile app sector is no small testimony to this success story. However, a failure to regulate the sector effectively has resulted in blatant disregard for, and serious violation of, customer welfare, user privacy and data security.

Accordingly, while the industry initially expected regulations, including these latest Provisions, to address internet sovereignty and cybersecurity as indicative of a more stringent governmental regime, the new legislative initiatives should rather be seen as a bona fide attempt within China's unique, evolving governance system to address legitimate policy issues.

The PRC authorities' recent moves are suggestive of a greater focus on strengthening information security, safeguarding the privacy of individuals, and countering anti-competitive and fraudulent practices. Legislation such as the Cybersecurity Law can be seen as setting out basic principles, while regulatory efforts such as the CAC Provisions and MIIT's Provisions provide more concrete enforcement tools tailored to specific areas.

One notable aspect of the recent Provisions is that there are no significant new legal obligations per se. Rather, they call for an enhanced enforcement of existing rules that were previously only sporadically implemented. Accordingly, industry players must appreciate that these laws are not legislative redundancies but instead demonstrate a heightened political will to tackle key areas of concern. They may echo the same words, but they strike a much more serious tone.

Kevin Guo, Partner, and Joshua Tintner, Of counsel
TransAsia Lawyers
Beijing
