The Office of the Central Cyberspace Affairs Commission (“CAC”) has been organizing and carrying out special examinations and management on the illegal collection and use of personal information by mobile internet applications (“Apps”) nationwide since 2019. CAC and the Ministry of Industry and Information Technology (“MIIT”) regularly published lists of Apps infringing personal information according to the Personal Information Protection Law[1], Cybersecurity Law[2], Method for Identifying the Illegal Collection and Use of Personal Information by Apps[3], and Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications[4]. Some Apps were ordered to be rectified within a time limit and some were ordered to be removed from the App stores due to more severe infringements.
According to the aforementioned laws and regulations, in general, App operators should be responsible for the security of the personal information they obtain and take effective measures to strengthen the protection of personal information. App operators are required to follow the principles of legality, legitimacy, and necessity, and should not collect personal information unrelated to the services they provide. When collecting personal information, they should display the rules for collection and use of personal information in a clear and easy-to-understand way, and such collection and use should have been freely consented by the person concerned.
How should Apps operators collect personal information in a compliance manner and avoid legal punishment as much as they can? The new national standard — Information Security Technology — Basic Requirements for Collecting Personal Information in Mobile Internet Applications (GB/T 41391—2022, “Basic Requirements for Collecting Personal Information” or the “Requirements”), issued by the State Administration for Market Regulation and State Standardization Administration on April 15th, 2022, and effective on November 1st, 2022, may serve as a reliable and detailed reference. Even though the Basic Requirements are a recommendatory national standard rather than a compulsory one, it may gain mandatory nature in some cases. Examples can be the cases where recommendatory standards are quoted by laws or regulations, stated in product packages or manuals, or stipulated in contracts, etc. It is also worth noting that in some judicial and administrative cases, courts and other authorities use recommendatory national standards for personal information protection (such as Information Security Technology – Personal Information Security Specification, GB/T 35273-2020) as references or a basis for supervision and assessment.
Apps should only collect personal information to a minimal extent (i.e., necessary personal information) necessary for fulfilling the purpose of processing the information.
The Basic Requirements distinguish Apps’ basic business functions and extended business functions and further classify an App’s service types (39 types in total, including for instance: map navigation, ride-hailing, instant messaging, online communities, online payment, online shopping, food and beverage takeaway etc.) according to its basic business functions. For each service type, the Requirements specify the necessary personal information and the requirements for processing this information. The personal information requested from the users should not exceed the scope of the necessary personal information.
For example, for Apps of map navigation, the necessary personal information is limited to the location information, place of departure, and destination. The location should only be used to determine the user’s location, display the map and provide a navigation service. When a navigation service is used, the whereabouts obtained through continuous positioning should be used only for one-time navigation and should be deleted or anonymized right after the completion of the navigation.
Many Apps with multiple business functions are used to collect personal information necessary for all the functions that the Apps provide. However, this behavior might be considered as collecting personal information in violation of the principle of necessity.
The Requirements further set up some additional and detailed rules for the following 12 kinds of personal information, which are calendar information, Apps list, equipment information, text messages, call records, contacts, location, biometric information, video and audio recordings, sensor information, album, and files stored. For example, for album information, when collecting the location information of the place of shooting, users should be reminded of and consent to such collection. Without users’ separate consent, biometric information in the photo or video should not be extracted and analyzed for identifying the users, analyzing their hobbies or their health status.
The Requirements specify the content and method of notification for collecting personal information. Principally, users should be informed of the key content of the personal information policy, basic business functions, extended business functions, and the scope of necessary personal information, etc. in an obvious manner (such as pop-up windows, animation, or gif) and should be reminded to read the personal information policy and give consent to it.
The consent should be given separately to the necessary personal information and to the unnecessary but relevant personal information.
Furthermore, different types of functions, basic functions and extended functions should not be bundled to induce or force users to give one-time and collective consent when personal information is collected.
In addition, concerning sensitive personal information, separate consent is required when it is collected (such as biometric information, financial accounts, medical and health information, etc). Concerning Apps that provide multiple types of services, consent should be obtained for each type of service.
Meanwhile, users should be given the choice to refuse or withdraw their consent to the collection of unnecessary but relevant personal information, and such refusal or withdrawal should not prohibit or limit the users from using the basic business functions of the App.
When personal information is collected by an embedded third-party SDK (Software Development Kit), App’s operator should also conduct security management for the SDK embedded, ensuring that the personal information collected by the SDK is limited to the minimum scope of necessary personal information.
In addition, App’s operator should assess whether the SDK illegally collects personal information or transfers the personal information abroad before embedding an SDK. Meanwhile, rules for processing personal information and the responsibility of protection of personal information should be clarified with the third-party SDK, such as the purpose, method, and scope of personal information to be collected and whether the personal information would be transferred abroad.
In conclusion, based on the existing personal information and cybersecurity laws and regulations, these Requirements further detail rules concerning Apps’ collection of personal information, especially specific requirements of using each kind of necessary personal information for each type of service. It not only provides a comprehensive guideline for App’s operator when setting up its own rules and policies but also serves as the main reference for authorities when assessing whether an App infringes personal information during collection of personal information.
[1] Personal Information Protection Law, promulgated on August 20th, 2021 by the Standing Committee of the National People’s Congress and effective on November 1st, 2021
[2] Cybersecurity Law, promulgated on November 7th, 2016 by the Standing Committee of the National People’s Congress and effective on June 1st, 2017
[3] Method for Identifying the Illegal Collection and Use of Personal Information by Apps, promulgated by the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security on November 28th, 2019 and effective on the same date
[4] Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, promulgated by the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security on March 12th, 2021 and effective on May 1st, 2021
