Currently, Article 41 of the PRC Cyber Security Law provides that personal information should only be collected if it is necessary. In the absence of judicial guidance, one of the challenges faced by app operators and individuals alike is determining which pieces of personal information can be lawfully collected without falling foul of this legal requirement and without being regarded by the supervisory regulators as excessive collection. For example, can an app operator insist on having access to the individual's contact list before the individual can download the app?
The Cyber Administration of China (CAC) has also observed that individuals very often have no choice but to provide the personal information if they wish to download the apps.
Earlier in 2020, the PRC government launched the process of publishing a national standard setting forth the limit on the types of personal information which an app operator may collect. A draft national standard, "Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications" was duly published and the final version is currently being prepared.
However, to tackle this issue of excessive collection, on 1 December 2020, the CAC published a set of draft rules entitled "Scope of Necessary Personal Information for Common Types of Mobile Internet Applications" for consultation. The consultation period was short: it ended on 16 December 2020. It is therefore expected that the final rules will be promulgated shortly.
The set of rules proposed by the CAC is straightforward:
The CAC has taken the view that, for many types of apps, no personal information actually needs to be provided by an individual before he can install the app and enjoy its basic functions. Examples include:
As mentioned, the CAC also dictates what the basic functions of these 38 types of apps are. For example, for a map navigation app, the basic functions are orientation/positioning and navigation, and therefore the information which an individual must provide is his location data. Another example: for a recruitment app, the basic functions are job information search and submission of CVs, and therefore an individual should only be required to provide his mobile number (or other information which can identify the individual, in which case the app operator must provide options for the individual to choose from) and his CVs.
What may constitute excessive collection is likely to become a topical issue in the future, particularly now that the data protection principle of data minimisation has been formally introduced into the draft PRC Personal Information Law (see Art. 6) (NB: the principle already exists in the National Standard on "Information Security Technology – Personal Information Security Specification", which has been in force since 2017). If the rules are issued in their current form, they will provide very practical guidance to both app operators and individuals, as the requirements and restrictions are fairly prescriptive.
It is worth noting that where the app provides more than the basic functions listed by the CAC, the app operators should in theory be free to decide the additional personal information required from the individuals within the parameters set by the applicable data protection rules. Whether excessive collection may result from such collection will then depend on the judicial development of the concept of data minimisation in China.