Tougher Measures on Collecting and Use of Personal Information via Mobile Apps in China

The Working Group, throughout 2019, successively released legal documents tackling irregularities regarding the collection and use of personal information via apps: the Self-Assessment Guidelines on the Collection and Use of Personal Information by Apps in Violation of Laws or Regulations (App违法违规收集使用个人信息自评估指南), Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications (App) (Draft) (信息安全技术 移动互联网应用（App）收集个人信息基本规范（草案）) and the Rules on Determination of Illegal Collection and Use of Personal Information by Apps (App违法违规收集使用个人信息行为认定方法).

After its establishment, the Working Group received many reports regarding non-compliance by different apps. To make reporting easier, the Working Group set up a WeChat platform called "App-Report on Personal Information" and an email contact ([email protected]) for the public to report apps that were in violation of laws and regulations of cybersecurity and personal information protection.

Major Apps Governance Campaigns and Projects

… public security bureaus carried out a campaign "Clean Net 2019", which was a clamp-down on the illegal collection and use of user personal information

The Office of the Ministry of Education published a work plan in February 2019 stating that the Ministry of Education would cooperate with the Cyberspace Administration of China by taking action to tackle irregularities found in apps used by schools.

From March to November 2019, public security bureaus carried out a campaign "Clean Net 2019", which was a clamp-down on the illegal collection and use of user personal information. Public security bureaus of Beijing, Zhejiang, Jiangsu and Guangdong announced typical cases in relation to jeopardizing cybersecurity and safety of personal information.

In August 2019, the Ministry of Education, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration for Market Regulation and three other government departments jointly issued a guideline on regulating the development of educational apps.

On Oct. 31, 2019, the Ministry of Industry and Information Technology officially announced that they would launch standardization and rectification of apps on four aspects and against eight issues, which mainly focus on the following points:

1.  Illegal collection of user personal information.

2 . Illegal utilization of user personal information.

3 . Unreasonable obtaining of users' authorizations.

4 . Setting obstacles for users' deregistration.

In November 2019, the Ministry of Education issued the Measures for the Administration of the Record Filing of Educational Mobile Apps (教育移动互联网应用程序备案管理办法) stating that all the providers of educational apps are required to file a record with administrations of education.

The ZAO App Case Study 

 Using AI technology, ZAO is a popular app that enables face-swap of characters in films, television or short videos with an image uploaded by the user to generate video clips. During the app's operation, ZAO obtains a large database of users' facial features by collecting images uploaded by users.

Under PRC law, the facial features of a person are considered to be sensitive personal information. If this information is leaked, illegally provided or abused, it may threaten personal or physical safety, and is highly likely to cause damage to a person's reputation, and physical and mental health, or may cause ongoing harm.

Therefore, in accordance with Article 5.4 of the Information Security Technology – Personal Information Security Specification（Personal Information Security Specification） (信息安全技术个人信息安全规范), the personal information controller (in this case, ZAO, the operator) must obtain explicit consent from the personal information subject (in this case, the users) for collection of sensitive personal information. Unfortunately, ZAO initially failed to explicitly notify its users of collection and processing of their sensitive personal information, and it also failed to obtain explicit consent from them to do so.

Moreover, ZAO did not disclose the specific information of the third party that may process or receive sensitive personal information of its users. Pursuant to the Rules on Determination of Illegal Collection and Use of Personal Information by Apps (App违法违规收集使用个人信息行为认定方法), users must be notified of the purpose, method and scope of the collection, and use of the user's personal information, as well as the recipient of the information. However, in the initial version of the privacy policy and user agreement, ZAO had vaguely introduced that the app's operator and its affiliates may enter into service agreements with third parties. The users had no way of knowing who would receive and process their personal information or who would be able to access it.

On Sept. 3, 2019, the Security Bureau of the Ministry of Industry and Information Technology reprimanded the parent company of ZAO and requested ZAO to self-assess its privacy policy and user agreement, and implement necessary rectification measures. On the same day, ZAO issued an apology statement to the public. ZAO's business reputation was strongly hit by the regulatory storm.

Putting Apps on High Alert

 Apart from the Working Group, other regulatory departments also paid close attention to cybersecurity and protection of personal information in relation to apps. These regulatory departments have initiated several specific assessments on apps. It was announced that more than 100 apps were non-compliant and regulators have urged those responsible for the apps to correct sub-standard data protection.

The Working Group released a list of 30 apps on July 11, 2019 that had compliance issues. Among them were 10 apps that did not have a privacy policy, which violated Article 41 of the Cybersecurity Law (网络安全法). Twenty apps had asked for broad authorizations from users to collect excessive amounts of personal information including a well-known app such as the Bank of China's mobile banking app. Shortly after that, the Working Group released another list of 40 apps that had compliance issues. The Working Group urged for such apps to take rectification measures as soon as possible.

In November 2019, the Ministry of Public Security released a list of 100 apps that were removed from app stores because they had failed to collect and process personal information in compliance with relevant rules and regulations

After two rounds of assessment and random checks, on July 25, 2019, the Working Group published a summary of assessment work that stated many of the apps named by the Working Group had taken rectification measures.

In November 2019, the Ministry of Public Security released a list of 100 apps that were removed from app stores because they had failed to collect and process personal information in compliance with relevant rules and regulations.

On Dec. 19, 2019, the Ministry of Industry and Information Technology released a list of 41 apps that illegally collected and processed user personal information.

On Dec. 20, 2019, the Working Group assessed a list of non-compliant apps and again found that 57 apps still had compliance issues that mainly related to the collection and use of personal information. The Working Group made publicly available a list of apps including the names, operators and data security issues of the apps in question.

Apps Governance Trends in 2020

In January 2020, the Standardization Commission of China published the Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications (App) (Draft for Comments) (信息安全技术 移动互联网应用（App）收集个人信息基本规范 (征求意见稿) ), which means the specifications for the governance of apps are expected to be formalized in a national standard in China. On March 7, 2020, the Personal Information Security Specification was formally published and will come into effect on Oct. 1, 2020.

Accessible privacy policies and user agreements

Apps should design a clear interface for users to read and access the privacy policy and user agreement. In the light of this, apps should focus on the following main points:

1 . Notify users to read the privacy policy and user agreement through a pop-window when users first access the app.

2 . Ensure the privacy policy and user agreement are easy to read and understand (with proper font size and line spacing) and written in simplified Chinese.

3 . Ensure users can easily access the privacy policy and user agreement by tapping the interface four times or less to access.

Obtaining consent from users

Under PRC law, apps must fully inform users in the privacy policy and user agreement of: (i) what user personal information will be collected and used; (ii) how the personal information will be collected and used; (iii) how the personal information will be stored and transferred; (iv) why the user personal information will be collected and used, etc. However, some users still find that they are being constantly prompted by apps to obtain their consent or authorization. Therefore, app operators should consider the following:

1 . Do not collect personal information from users that is beyond the scope approved by users.

2 . Do not repeatedly ask for the consent of users if users are not willing to grant an authorization (no more than once in 48 hours).

3 . Obtain explicit consent of the users instead of implicit consent.

4 . Do not ask for an authorization that has no connection to the app's core function.

5 . Do not ask for users' multiple authorizations at the same time.

Embedded software development kit

In the past, software development kits (SDKs) were embedded in apps and used to illegally obtain personal information of users without their consent. If apps do have embedded SDKs, attention should be drawn to the following:

1 . Notify users of the categories, purposes, and scope of the personal information collected by SDKs and obtain the consent of users for SDKs' collection of personal information.

2 . Do not connect the main functions of the app to users' authorization of SDKs' collection of personal information.

3 . Do not provide non-anonymized personal information to any third party without the consent of the user.

In practice, many apps do not offer portals for users to submit applications to change or delete their personal information or the ability to delete accounts if the app has been uninstalled

Deregistration of user accounts and report

Apps should provide portals for users to change and delete personal information or deregister their accounts in accordance with the Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications (App) (Draft for Comments) (信息安全技术 移动互联网应用（App）收集个人信息基本规范 (征求意见稿) ). In practice, many apps do not offer portals for users to submit applications to change or delete their personal information or the ability to delete accounts if the app has been uninstalled. Apps should also make it easier for users to report potential data security issues to developers or operators.

China has also strengthened the protection of children's privacy online in 2019

Children's personal information

In 2018, Tik Tok failed to comply with U.S.'s Children's Online Privacy Protection Rule and was investigated by the Federal Trade Commission (FTC). In order to settle with the FTC, Tik Tok agreed to pay US$ 5.7 million to the FTC.

China has also strengthened the protection of children's privacy online in 2019. On June 1, 2019, the Provisions for the Online Protection of the Personal Information of Children (儿童个人信息网络保护规定) was officially published. Apps that collect and use personal information relating to a minor aged 14 years or younger (child) should:

1 . Notify the child's guardian of the security measures taken to protect the child's personal information.

2 . Encrypt all stored information relating to the child, strictly limit access to the child's personal information and take technical measures to avoid the illegal using and downloading of the personal information of the child.

3 . Design special rules and end user license agreements (EULA) that protect the child's personal information.

4 . Appoint a person(s) responsible for the security of the personal information of the child.

In 2019, all kinds of apps faced huge regulatory pressure. After undergoing various rectification actions, most app operators have realized the importance of self-assessment and compliance review. However, laws and regulations of cybersecurity and personal information protection in China are complicated. It is likely that China's apps governance will become much more stringent in 2020.