A Curb On What Personal Information Is Necessary For Your App – Proposed Rule By The Cyber Administration Of China.


20 January 2021
 

Currently, Article 41 of the PRC Cyber Security Law provides that personal information should only be collected if it is necessary. In the absence of judicial guidance, one of the challenges faced by app operators and individuals alike is determining which personal information can be lawfully collected without falling foul of this legal requirement and without being regarded by the supervisory regulators as excessive collection. For example, can an app operator insist on having access to the individual's contact list before the individual can download the app?
 

The Cyber Administration of China (CAC) has also observed that individuals very often have no choice but to provide the personal information if they wish to download the apps.
 

Earlier in 2020, the PRC government launched the process of publishing a national standard setting forth the limit on the types of personal information which an app operator may collect. A draft national standard, "Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications", was duly published and the final version is currently being prepared.
 

However, to tackle this issue of excessive collection, on 1 December 2020, the CAC published a set of draft rules entitled "Scope of Necessary Personal Information for Common Types of Mobile Internet Applications" for consultation.  The consultation period was short: it ended on 16 December 2020.  It is therefore expected that the final rules will be promulgated shortly.
 

The set of rules proposed by the CAC is straightforward:
 

  • it lists 38 types of apps (see list below), the types of personal information which are considered necessary for the proper basic function of the apps, and the basic functions of these 38 types of apps; and

  • if an individual has agreed to provide the listed information, then the individual cannot be refused installation of the apps by the app operator.

The CAC has taken the view that, for many types of apps, no personal information is actually required to be provided by an individual before he can install the apps and enjoy the basic function. Examples include:
 

  • App stores

  • E-books

  • Sports & fitness

  • Browser

As mentioned, the CAC also dictates what the basic functions of these 38 types of apps are. For example, for a map navigation app, the basic function is orientation/positioning and navigation, and therefore the information which an individual must provide is his location data. Another example: for a recruitment app, the basic functions are job information search and submission of CVs, and therefore an individual should only be required to provide his mobile number (or other information which can identify the individual, and the app operator must provide options for the individual to choose from) and the CVs of the individual.

 

Observations
 

What may constitute excessive collection is likely to become a topical issue in the future, particularly now that the data protection principle of data minimisation has been formally introduced into the draft PRC Personal Information Law (see Art. 6) (NB: the principle already exists in the National Standard on "Information Security Technology – Personal Information Security Specification", which has been in force since 2017). If the rules are issued in their current form, they will provide very practical guidance to both app operators and individuals, as the requirements and restrictions are fairly prescriptive.
 

It is worth noting that where the app provides more than the basic functions listed by the CAC, the app operator should in theory be free to decide what additional personal information is required from individuals, within the parameters set by the applicable data protection rules. Whether such additional collection amounts to excessive collection will then depend on the judicial development of the concept of data minimisation in China.

 

List of 38 types of Apps
 

  1. Map navigation

  2. Online car hailing booking

  3. Instant messaging

  4. Online community

  5. Online payment

  6. Online shopping

  7. Food delivery

  8. Courier & logistics

  9. Traffic ticketing

  10. Dating and marriage

  11. Job recruitment

  12. Online lending

  13. Property rental and sale

  14. Second-hand car trading and exchange

  15. Medical consultation and registration

  16. Tourism services

  17. Hotel booking services

  18. Online games

  19. Learning & education

  20. Local lifestyle

  21. Women's health

  22. Vehicle/bicycle services (sharing and rental)

  23. Investment and financial management

  24. Mobile banking

  25. Cloud mailbox

  26. Teleconference

  27. Webcast

  28. Online audio and visual

  29. Short videos

  30. News and information

  31. Sports and fitness

  32. Browser

  33. Input methods

  34. Security management

  35. E-books

  36. Photos/Films-editing

  37. App stores

  38. Utility & tools
     

 

For further information, please contact:

 

Michelle Chan, Partner, Bird & Bird
