China Apps Governance in 2019: Retrospect and Suggestions
Strict Governance over Apps of China in 2019
Establishment of Apps Governance Working Group
At the beginning of 2019, the four regulatory departments of China (the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Market Supervision Bureau and the PSB) jointly appointed the National Information Security Standardization Technical Committee (全国信息安全标准化技术委员会), the China Consumers Association (中国消费者协会), the Internet Society of China (中国互联网协会) and the Cybersecurity Association of China (中国网络空间安全协会) to establish an App governance working group (the "Working Group"), which centrally governs the illegal collection of personal information by Apps in China.
Through 2019, the Working Group successively released several legal documents on the governance of Apps: the Self-assessment Guidelines for the Collection and Use of Personal Information by Apps (《App违法违规收集使用个人信息自评估指南》), the Information Security Technology Basic Specifications for Collecting Personal Information by Apps (《信息安全技术 移动互联网应用程序(App)收集个人信息基本规范》) and the Methods for Identifying Unlawful Acts by Applications (Apps) to Collect and Use Personal Information (《App违法违规收集使用个人信息行为认定方法》).
After its establishment, the Working Group received many reports of non-compliance by different Apps. To make reporting easier, the Working Group set up a WeChat platform named "APP-Report on Personal Information" and an email address (pip@tc260.org.cn) for the public to report Apps that violate the laws and regulations on cyber security and personal information protection.
Major Campaigns and Projects in relation to Apps Governance Conducted by Governmental Departments of China in 2019
In February 2019, the Office of the Ministry of Education officially published a work plan of 2019, stating that the Ministry of Education will cooperate with the Cyberspace Administration of China to take actions to check the Apps introduced to schools.
From March 2019 to November 2019, the PSB carried out a campaign named "Clean Net 2019" ("净网2019"), a clamp-down on the illegal collection and use of users' personal information. The PSBs of Beijing, Zhejiang, Jiangsu and Guangdong all announced typical cases involving threats to cyber security and to the safety of personal information.
In August 2019, the Ministry of Education, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the PSB, the Market Supervision Bureau and three other governmental departments jointly issued a guideline on regulating the development of educational Apps.
In November 2019, the Ministry of Education issued the Measures on Recording Educational Apps (《教育移动互联网应用程序备案管理办法》), stating that all providers of educational Apps must be recorded with the administrations of education.
On October 31, 2019, the Ministry of Industry and Information Technology officially announced that it will assess the operation of Apps using a rubric of four aspects and eight points.
Case Studies and Enforcement in 2019
A Storm Raised by a Popular App in China
In 2019, a new App became popular in China. Using AI technology, the App replaces the faces of characters in films, television or short videos with the face photos uploaded by users to generate video clips. To this end, the App collects and uses the face photos of its users, so that it can obtain a large database of user facial features during its operation.
Under PRC law, the facial features of users are sensitive personal information: information whose leakage, illegal provision or abuse may threaten personal safety or property security, is highly likely to damage personal reputation or physical and mental health, or may cause ongoing harm. Therefore, in accordance with Article 5.5 of the Information Security Technology – Personal Information Security Specification (《信息安全技术 个人信息安全规范》) (the "Personal Information Security Specification"), the personal information controller (in this case the operator of the App) must obtain explicit consent from the personal information subject (in this case the users) before collecting sensitive personal information. Unfortunately, the App initially failed to clearly notify users of its collection and processing of their sensitive personal information, nor did it obtain their explicit consent to do so.
Moreover, the App did not disclose specific information about the third parties to which it might transfer, or which might process, users' sensitive personal information. Pursuant to the Methods for Identifying Unlawful Acts by Applications (Apps) to Collect and Use Personal Information (《App违法违规收集使用个人信息行为认定方法》), users must be notified of the purpose, method and scope of the collection and use of their personal information, as well as of the recipients of that information. However, the initial version of the App's privacy policy and user agreement stated only in general terms that its operator and its affiliates might enter into service agreements with third parties. Users had no way of knowing who would process and transfer their personal information, nor who would have access to it.
In addition, the former user agreement of the App required users to grant it and its affiliates a "free, irrevocable, permanent, sub-licensable" worldwide right to edit and disseminate users' content, together with the rights to the portraits the users uploaded to create that content.
On September 3, 2019, the Security Bureau of the Ministry of Industry and Information Technology admonished the parent company of the App's operator and requested that the App self-assess its privacy policy and user agreement and implement the necessary measures. On the same day, the App issued a public apology.
Apps Assessment: Putting Apps on High Alert
Apart from the Working Group, other regulatory departments also pay close attention to cyber security and the protection of personal information in relation to Apps. These regulatory departments have initiated several specific assessments of Apps, and more than a hundred Apps have been publicly named in order to urge non-compliant Apps to correct sub-standard data protection.
On July 11, 2019, the Working Group released a list of 30 Apps with compliance issues. Among them, 10 Apps had no privacy policy, in violation of Article 41 of the Cyber Security Law, and 20 Apps asked users for broad authorizations in order to collect excessive amounts of personal information.
On July 16, 2019, the Working Group released another list of 40 Apps that have compliance issues. The Working Group urges such Apps to take rectification measures as soon as possible.
After two rounds of assessments and spot checks, on July 25, 2019, the Working Group published a summary of assessment work, stating that many of the Apps mentioned by the Working Group have taken rectification measures.
In November 2019, the PSB released a list of 100 Apps which were pulled from stores as they failed to collect and process personal information in compliance with relevant rules and regulations.
On December 19, 2019, the Ministry of Industry and Information Technology released a list of 41 Apps which illegally collect and process users’ personal information.
On December 20, 2019, the Working Group re-assessed its list of non-compliant Apps and found that 57 Apps still had compliance issues, mainly relating to the collection and use of personal information. The Working Group has made the list publicly available; for each App it gives the operator, the App's name and the data security flaw found.
Suggestions for Apps in 2020
Accessible Privacy Policies and User Agreements
Apps should design a clear interface through which users can access and read the privacy policy and user agreement. In light of this, Apps should focus on the following essentials:
1. Prompt users to read the privacy policy and user agreement through a pop-up window when the user first operates the App;
2. Ensure the privacy policy and user agreement are easy to read and understand (with proper font size and line spacing) and are written in simplified Chinese;
3. Ensure users can easily access the privacy policy and user agreement, needing four taps or fewer to reach them.
Obtaining consent from the users
Under PRC law, Apps must fully inform users, in the privacy policy and user agreement, of (i) what personal information will be collected and used; (ii) how the users' personal information will be collected and used; (iii) how the users' personal information will be stored and transferred; (iv) why the users' personal information will be collected and used; etc. However, some users find that they are constantly prompted by Apps for their consent or authorization. Therefore, Apps should follow the points below:
1. Do not collect personal information from users beyond the scope they have approved;
2. Do not repeatedly ask for users' consent if they are not willing to grant an authorization;
3. Obtain explicit consent from users rather than relying on implicit consent;
4. Do not ask for an authorization that has no connection to the App's core function;
5. Do not ask users for multiple authorizations at the same time.
Embedded Software Development Kits ("SDKs")
In the past, some SDKs embedded in Apps have been used to obtain the personal information of users without their consent; such embedded SDKs in fact collected users' personal information illegally. If an App has embedded SDKs, it should pay attention to the following essentials:
1. Notify users of the categories, purposes and scope of the personal information collected by the SDK, and obtain the users' consent to the SDK's collection of that personal information;
2. Do not make the main function of the App conditional on a user's authorization of the SDK's collection of personal information;
3. Do not provide non-anonymized personal information to any third party without the user's consent.
Deregistration of users' accounts and reporting
Apps should provide portals for users to change and delete personal information or deregister their accounts. In practice, many Apps offer no portal through which users can request changes to or deletion of their personal information, nor do they delete accounts once the App has been uninstalled. Moreover, Apps should make it easy for users to report potential data security issues to the developer or operator.
Children’s personal information
In 2018, Tik Tok failed to comply with the Children's Online Privacy Protection Rule (《儿童在线隐私保护规则》) and was investigated by the Federal Trade Commission ("FTC"). To settle with the FTC, Tik Tok agreed to pay USD 5.7 million.
China also strengthened the protection of children's online privacy in 2019. On June 1, 2019, the Provisions on Cyber Protection of Personal Information of Children (《儿童个人信息网络保护规定》) were officially published. Apps that wish to collect and use personal information relating to minors aged 14 years or younger ("children") should:
1. Notify the children's guardians of the security measures taken to protect the children's personal information;
2. Encrypt all stored information relating to children, strictly limit access to children's personal information, and take technical measures to prevent the illegal copying and downloading of children's personal information;
3. Design special rules and EULAs (End User License Agreements) that protect children's personal information;
4. Appoint a person or persons responsible for the security of children's personal information.
In 2019, Apps of all kinds faced huge regulatory pressure. After undergoing various rectification actions this year, most Apps have realized the importance of self-assessment and compliance review. However, the laws and regulations on cyber security and personal information protection in China are complicated, and it is likely that China's Apps governance will become much more stringent in 2020.
References:
1. Announcement on the Governance of the Unlawful Acts of Apps to Collect and Use Personal Information (《关于开展App违法违规收集使用个人信息专项治理的公告》)
2. Notification on Urging 40 Apps to Rectify the Unlawful Acts of Collection and Use of Personal Information (《关于督促40款存在收集使用个人信息问题的App运营者尽快整改的通知》)
3. Notification on the 61 Apps' Unlawful Acts of Collection and Use of Personal Information (《关于61款App存在收集使用个人信息问题的通告》)
4. Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (《App违法违规收集使用个人信息行为认定方法》)
5. Information Security Technology – Personal Information Security Specification (《信息安全技术 个人信息安全规范》)
6. Provisions on the Cyber Protection of Personal Information of Children (《儿童个人信息网络保护规定》)