A curb on what personal information is necessary for your app – proposed rule by the Cyber Administration of China

Written By

Michelle Chan

Of Counsel
UK

I'm a technology, telecoms and media lawyer, providing strategic, corporate and commercial advice to major players in the Asia Pacific region. I am based in London and I am Of Counsel in our Corporate & Commercial team.

Currently, Article 41 of the PRC Cyber Security Law provides that personal information should only be collected if it is necessary. In the absence of judicial guidance, one of the challenges faced by app operators and individuals alike is determining which personal information can be lawfully collected without falling foul of this legal requirement and without being regarded by supervisory regulators as excessive collection. For example, can an app operator insist on having access to the individual's contact list before the individual can download the app?

The Cyber Administration of China (CAC) has also observed that individuals very often do not have a choice but to provide the personal information if they wish to download the apps. 

Earlier in 2020, the PRC government launched the process of publishing a national standard setting forth the limit on the types of personal information which an app operator may collect.  A draft national standard, "Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications" was duly published and the final version is currently being prepared.

However, to tackle this issue of excessive collection, on 1 December 2020, the CAC published a set of draft rules entitled "Scope of Necessary Personal Information for Common Types of Mobile Internet Applications" for consultation.  The consultation period was short: it ended on 16 December 2020.  It is therefore expected that the final rules will be promulgated shortly.

The set of rules proposed by the CAC is straightforward:

  • it lists 38 types of apps (see list below), the types of personal information which are considered necessary for the proper basic function of the apps, and the basic functions of these 38 types of apps; and
  • if an individual has agreed to provide the listed information, then the individual cannot be refused installation of the apps by the app operator.

The CAC has taken the view that, in relation to many types of apps, no personal information is actually required to be provided by an individual before he can install the apps and enjoy the basic function. Examples include:

  • App stores
  • E-books
  • Sports & fitness
  • Browser

As mentioned, the CAC also dictates what the basic functions of these 38 types of apps are. For example, for a map navigation app, the basic function is orientation/positioning and navigation, and therefore the information which an individual must provide is his location data. Another example: for a recruitment app, the basic functions are job information search and submission of CVs, and therefore an individual should only be required to provide his mobile number (or other information which can identify the individual, with the app operator required to provide options for the individual to choose from) and the individual's CVs.

Observations

What may constitute excessive collection is likely to become a topical issue in the future, particularly now that the data protection principle of data minimisation has been formally introduced into the draft PRC Personal Information Law (see Art. 6) (NB: the principle already exists in the National Standard on "Information Security Technology – Personal Information Security Specification", which has been in force since 2017). If the rules are issued in their current form, they will provide very practical guidance to both app operators and individuals, as the requirements and restrictions are fairly prescriptive.

It is worth noting that where the app provides more than the basic functions listed by the CAC, the app operators should in theory be free to decide the additional personal information required from the individuals within the parameters set by the applicable data protection rules. Whether excessive collection may result from such collection will then depend on the judicial development of the concept of data minimisation in China.

List of 38 types of Apps

  1. Map navigation
  2. Online car hailing booking
  3. Instant messaging
  4. Online community
  5. Online payment
  6. Online shopping
  7. Food delivery
  8. Courier & logistics
  9. Traffic ticketing
  10. Dating and marriage
  11. Job recruitment
  12. Online lending
  13. Property rental and sale
  14. Second-hand car trading and exchange
  15. Medical consultation and registration
  16. Tourism services
  17. Hotel booking services
  18. Online games
  19. Learning & education
  20. Local lifestyle
  21. Women's health
  22. Vehicle/bicycle services (sharing and rental)   
  23. Investment and financial management
  24. Mobile banking
  25. Cloud mailbox
  26. Teleconference
  27. Webcast
  28. Online audio and visual
  29. Short videos
  30. News and information
  31. Sports and fitness
  32. Browser
  33. Input methods
  34. Security management
  35. E-books
  36. Photos/Films-editing
  37. App stores
  38. Utility & tools
 

 

 

 

