Strict Governance over Apps of China in 2019
Establishment of Apps Governance Working Group
At the beginning of 2019, the four regulatory departments of China (the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Market Supervision Bureau and the PSB) jointly appointed National Information Security Standardization Technical Committee (全国信息安全标准化技术委员会), China Consumers Association（中国消费者协会）, Internet Society of China （中国互联网协会）and Cybersecurity Association of China（中国网络空间安全协会）to establish an App governance working group ("Working Group"), which will centrally govern over the illegal collecting personal information by the Apps in China.
Through 2019, the Working Group successively released some legal documents in governance of Apps: the Self-assessment Guidelines for the Collection and Use of Personal Information by Apps（《App违法违规收集使用个人信息自评估指南》）, Information Security Technology Basic Specifications for Collecting Personal Information by Apps (《信息安全技术 移动互联网应用程序（App）收集个人信息基本规范》) and the Methods for Identifying Unlawful Acts by Applications (Apps) to Collect and Use Personal Information（《App违法违规收集使用个人信息行为认定方法》）.
After its establishment, the Working Group has received many reports of the non-compliance of different Apps. To make reporting an easier process, the Working Group set up a WeChat platform named “APP-Report on Personal Information” and an email (firstname.lastname@example.org) for the public to report Apps in violation of laws and regulations of cyber security and personal information protections.
Major Campaigns and Projects in relation to Apps Governance Conducted by Governmental Departments of China in 2019
In February 2019, the Office of the Ministry of Education officially published a work plan of 2019, stating that the Ministry of Education will cooperate with the Cyberspace Administration of China to take actions to check the Apps introduced to schools.
From March 2019 to November 2019, the PSB carried out a campaign named “Clean Net 2019” (“净网2019”)which was a clamp-down on the illegal collection and use of users’ personal information. The PSB of Beijing, Zhejiang, Jiangsu and Guangdong all announce the typical cases in relation to endangering cyber security and safety of personal information.
In August 2019, the Ministry of Education, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the PSB, the Market Supervision Bureau and three other governmental departments jointly issued a guideline on regulating the development of educational Apps.
In November 2019, the Ministry of Education issued Measures on Recording Educational Apps （《教育移动互联网应用程序备案管理办法》）stating that all the providers of educational Apps should be recorded by administrations of education.
On October 31, 2019, the Ministry of Industry and Information Technology officially announced that they will assess the operation of Apps using a rubric of four aspects and eight points.
Case Studies and Enforcement in 2019
A Storm Raised by a Popular App in China
In 2019, a new App became popular in China. Using AI technology, the App replaces the faces of characters in films, television or short videos with the face photos uploaded by users to generate video clips. To this end, the App collects and uses the face photos of its users, so that it can obtain a large database of user facial features during its operation.
Under PRC law, the facial features of users are sensitive personal information, the misuse of which may threaten personal safety, property security, is highly likely to cause damages to personal reputations, physical and mental health, or may cause ongoing harm once leaked, illegally provided or abused. Therefore, in accordance with Article 5.5 of the Information Security Technology – Personal Information Security Specification（《信息安全技术 个人信息安全规范》）（“Personal Information Security Specification”）, the personal information controller (in this case the operator of the App) must obtain explicit consent from the personal information subject (in this case the users) for collection of sensitive personal information. Unfortunately, the App initially failed to clearly notify users of its collection and processing of users’ sensitive personal information, nor did it obtain explicit consent from its users to do so.
In addition, the former user agreement of the App requests users grant it and its affiliates “free, irrevocable, permanent, sub-licensable,” worldwide right to edit and disseminate users’ content and grant it the rights to the portrait the users uploaded to create the content.
Apps Assessment: Putting Apps on High Alert
Apart from the Working Group, other regulatory departments also pay close attention to the cyber security and protection of personal information in relation to Apps. These regulatory departments have initiated several specific assessments on Apps. More than a hundred of Apps are announced by these regulatory departments to urge non-compliant Apps to correct sub-standard data protections.
On July 16, 2019, the Working Group released another list of 40 Apps that have compliance issues. The Working Group urges such Apps to take rectification measures as soon as possible.
After two rounds of assessments and spot checks, on July 25, 2019, the Working Group published a summary of assessment work, stating that many of the Apps mentioned by the Working Group have taken rectification measures.
In November 2019, the PSB released a list of 100 Apps which were pulled from stores as they failed to collect and process personal information in compliance with relevant rules and regulations.
On December 19, 2019, the Ministry of Industry and Information Technology released a list of 41 Apps which illegally collect and process users’ personal information.
On December 20, 2019, the Working Group assessed its list of non-compliant Apps again and found that 57 Apps still have compliance issues, mainly relating to the collection and use of personal information. The Working Group has made publicly available a list of Apps that contains operator, its name and the data security flaw of the Apps.
Suggestions for Apps in 2020
Accessible Privacy Policies and User Agreements
Obtaining consent from the users
1.Do not collect personal information from users that is beyond the scope approved by users;
2.Do not repeatedly ask for the consent of users if users are not willing to grant an authorization;
3.Obtain explicit consent of the users instead of implicit consent;
4.Do not ask for an authorization that has no connection to the Apps’ core function;
5.Do not ask for users’ multiple authorizations at the same time.
Embedded Software Development Kit (“SDK”)
In the past, some SDKs have usually been embedded in Apps for obtaining the personal information of users without their consent. As a matter of fact, such embedded SDKs illegally collected users’ personal information. If Apps have some embedded SDKs, they should pay attention to the following essentials:
1.Notify users of the categories, purposes, and the scope of the personal information collected by SDK, and obtain the consent of users for the SDK’s collection of the personal information;
2.Do not connect the main function of the App to a users’ authorization of SDKs’ collection of personal information;
3.Don’t provide the non-anonymized personal information to any third party without the consent of the user.
Deregistration of the users’ accounts and report
Apps should provide portals for users to change and delete personal information or deregister their accounts. In practice, many Apps do not offer portals for users to submit applications to change or delete their personal information, nor do they delete accounts if the App has been uninstalled. Moreover, Apps should make it easy for users to report potential data security issues to the developer or the operator.
Children’s personal information
In 2018, Tik Tok failed to comply with the Children’s Online Privacy Protection Rule （《儿童在线隐私保护规则》）and was investigated by the Federal Trade Commission (“FTC”). In order to settle with the FTC, Tik Tok agreed to pay USD 5.7 million to the FTC.
China has also strengthened the protection of children’s online privacy in 2019. On June 1, 2019, the Provisions on Cyber Protection of Personal Information of Children （《儿童个人信息网络保护规定》）was officially published. The Apps that wish to collect and use personal information relating to minors aged 14 years or younger (“children”) should:
1.Notify the children’s guardians of the security measures taken to protect the children’s personal information;
2.Encrypt all stored information relating to children, strictly limit access to children’s personal information, and take technical measures to avoid the illegal copping and downloading of the personal information of children;
3.Design special rules and EULAs (End User License Agreement) that protect children’s personal information;
4.Appoint a person(s) responsible for the security of the personal information of children.
In 2019, all kinds of Apps faced huge regulatory pressure. After undergoing various rectification actions this year, most Apps have realized the importance of self-assessment and compliance review. However, the laws and regulations of cyber security and personal information protections in China are complicated. It is likely that China Apps governance is to become much more stringent in 2020.
1.Announcement on the Governance of the Unlawful Acts of Apps to Collect and Use of Personal Information of Apps
2.Notification on Urging 40 Apps to Rectify the Unlawful Acts of Collection and Use of Personal Information
3.Notification on the 61 Apps’ Unlawful Acts of Collection and Use of Personal Information
4.Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information
5.Information Security Technology – Personal Information Security Specification
6.Provisions on the Cyber Protection of Personal Information of Children