By Mark Schaub, Tom Sh, Corporate & Commercial Group, King & Wood Mallesons

In recent years, China has been continually strengthening the privacy rights of Chinese citizens. Most of the privacy measures have been aimed at how corporations collect, use and interact with data gleaned from Chinese citizens and businesses.

With consumers' ever-increasing use of mobile phones and the ubiquitous mobile internet applications (“Apps”) that run on them, Apps have come under close regulation: in 2019 four governmental departments established a working group responsible for the compliance of Apps in their collection and use of personal information[1].

Protection of privacy in respect of Apps is set to be further strengthened: on 26 April 2021 the Ministry of Industry and Information Technology (“MIIT”) released for public comment the Interim Provisions on the Administration of Personal Information Protection of Mobile Internet Apps (Draft for Public Comments) (“Provisions”).

Main Principles

The Provisions consist of only 20 articles. Although not long, the Provisions mark the first time that the personal information protection system for Apps in China has been specifically regulated. Going beyond the laws and regulations already in force[2], the Provisions establish two important principles, namely 1) informed consent; and 2) minimum necessity.

In addition to establishing these two guiding principles, the Provisions define obligations and liability for the 5 types of entities involved in the life cycle of an App, and propose standard requirements for supervision, inspection and the reporting of complaints. Nor do the Provisions limit themselves to principle: they also set out the process and specific measures to be taken against non-compliant Apps.[3]

Breaking Down the Specifics

The main issues explored in the Provisions include:

1. Scope of application

The Provisions seek to cover personal information processing activities by Apps which are carried out within the territory of the PRC. This includes the collection, storage, use, processing and transmission of personal information by Apps installed on mobile phones by manufacturers, which are themselves also required to comply with the Provisions.[4]

2. Important principles of protection of personal information

The Provisions set out that the collection of user information by Apps must comply with two important principles: informed consent and minimum necessity.

(1) Informed consent

The principle of informed consent entails a number of requirements which Apps must follow. In particular, users are entitled to the following:

Prominent Display of Rules – users must be informed of the rules of personal information processing through pop-up windows and other simple and prominent means when they first log into, register with or operate an App.

No Blanket Consent – user consent cannot be obtained by means of a default (pre-ticked) checkbox. In addition, an App shall not seek to compel users to give blanket consent to enabling multiple system permissions at once.

Specific Notifications – the principle of informed consent also encompasses several specific notification requirements, such as obtaining user consent before providing personal information to third parties, and following strict individual notification requirements before obtaining a user’s consent to process sensitive personal information such as race or religious beliefs.

(2) Minimum necessity

The principle of minimum necessity stipulates that personal information shall not be processed more frequently than is necessary for the service. Operations such as the local reading of personal information must not exceed the scope consented to by the user. Apps must not force users to exit, or shut themselves down, after a user has refused an authorisation request. In addition, App services must not launch themselves without a valid reason.

3. Obligations and liability of entities at different stages of the life cycle of Apps

Who is Liable? – The Provisions set out, for the first time, obligations and liability for 5 different types of entities across the lifecycle of Apps: App developers, App distribution platforms, App third-party service providers, mobile phone manufacturers and network access providers. The aim is to ensure a complete supervision cycle for Apps.[5]

This wide scope means liability for a failure to protect personal information will be borne not only by App developers, but also by App distribution platforms that provide App downloading and updating services, and by mobile phone manufacturers that provide pre-installed and post-installed Apps.

Risk Warnings – the supervision authorities will require App distribution platforms and mobile phone manufacturers to implement risk warnings at various stages (such as integration, distribution, pre-installation and installation).

In serious cases, Apps that trigger risk warnings may be banned outright. To support this, App distribution platforms are required to review the personal information processing activities of new Apps before they are launched, and to establish management mechanisms such as credit points for App developers and operators, a watch list of risky Apps, platform information sharing and signature verification. Mobile phone manufacturers, for their part, must continuously improve how the activation state of personal information permissions is indicated to the user (particularly for audio recording, photographing and video recording), so that users can understand their current state of personal information consent in a timely and accurate manner, and must likewise establish App watch list mechanisms.[6]

4. Standard requirements for supervision, inspection and complaint reporting

A common issue in new areas of law in China is a lack of consistency across authorities or regions. To enhance consistency in interpreting and enforcing the Provisions, and to minimise confusion in the market as to how the laws and regulations will be applied, the Provisions provide for a joint working mechanism for the supervision and management of personal information protection on Apps across 4 departments: the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation.

This will, hopefully, provide a more systematic and holistic approach to the enactment and implementation of policies, standards and specifications. Each department is responsible for the protection and supervision of personal information on Apps within its own area of responsibility,[7] which should avoid unnecessary overlap of supervision obligations.

The Provisions also allow the public to complain about Apps that collect and process personal information.[8] Any organisation or individual who uncovers a violation of the Provisions is to report it to the supervision and managing department, or to the Internet Society of China or the Cybersecurity Association of China. Such complaints are to be investigated and handled by the supervision and managing department. This reflects a broader move in China whereby the public is encouraged to make consumer complaints.

5. Process and specific measures against non-compliant Apps

The Provisions back up the new framework with specific stipulations of the actions to be taken in case of violation, as well as regulatory requirements for complaint reporting, supervision and inspection, disposal measures and risk warnings.

It is worth noting that the Provisions set specific time limits for an infringing party to rectify the issue. Apps in which problems have been detected must rectify them and remove any hidden risks within 5 business days. If the problems are not rectified and removed within 5 business days, the relevant Apps shall be suspended. Apps that have committed a serious violation, have recurring problems or take technical countermeasures shall be suspended immediately; in such cases the App shall not be permitted to be relaunched through any platform within 40 business days. The Provisions seek to increase the cost of violations for companies so as to deter illegal or non-compliant behaviour that infringes upon users’ rights.

6. Conclusion

The mobile phone is likely to be the greatest point of vulnerability for Chinese consumers. Apps collect (often surreptitiously) massive amounts of data, with the Chinese consumer having little inkling of the purpose for which, or the extent to which, their data is being processed and shared.

The Provisions signal a very welcome recognition that privacy on devices is important to safeguarding privacy rights in real life. The Provisions also recognise that standardisation of measures and regulations is important so that there is a unified approach by the authorities.

The Provisions set common sense safeguards for personal information and, more importantly, also set out real life means by which to take action against errant Apps.

Although the Provisions are being circulated for public comment, it is unlikely that this will lead to any provisions being watered down. More likely, in the near future the implementation of the Provisions, together with the introduction of the Personal Information Protection Law, will provide a multi-layered legal system with sufficient teeth to protect personal information in China.

Thanks to Sun Yuting (intern) for her contribution to this article.

[1] Announcement of the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation on Carrying out Special Campaigns against Mobile Internet Application Programs Collecting and Using Personal Information in Violation of Laws and Regulations.

[2] Such as the Measures for the Determination of the Illegal Collection and Use of Personal Information of Apps.

[3] Explanatory Memorandum of the Provisions.

[4] Laws or administrative regulations shall prevail if they provide otherwise for personal information processing activities.

[5] Provisions, Article 3.

[6] Provisions, Articles 8 to 12.

[7] Provisions, Articles 1 to 5.

[8] Provisions, Article 13.