03/26/2021 | News release | Distributed by Public on 03/26/2021 05:37
On March 22, 2021, China issued the Provisions on the Scope of Necessary Personal Information for Common Used Mobile Internet Applications ('《常见类型移动互联网应用程序必要个人信息范围规定》' in Chinese, hereinafter referred to as the 'Provision'), according to which, mobile apps and mini programs shall no longer collect personal information of users beyond the necessary scope.
This Provision, which will come into force as of May 1, 2021, is jointly released by China's four major regulators in data protection and cybersecurity area, namely the Cyberspace Administration of China, the Ministry of Industry and Information Technology (hereinafter referred to as 'MIIT'), the Ministry of Public Security, and the State Administration for Market Regulation.
The Provision defines the scope of mobile Internet applications (hereinafter referred to as 'Apps'), and clarifies the necessary scope of personal information collected by different types of Apps, which shall be paid great attention to by multinationals collecting personal information through Apps in China.
The Provision applies to Apps running on mobile smart terminals that collect users' personal information. Meanwhile, it makes clear that 'App' under the Provision shall include application software preset or downloaded and installed in mobile smart terminals, as well as 'mini programs' that are developed based on the open platform interface of application software and can be used by users without installation. That means, collecting personal information by mini programs which are accessed through other Apps such as WeChat and Alipay shall also comply with the Provision.
As stipulated under the Provision, Apps shall not refuse users to use their basic functions and services because users do not agree to provide personal information deemed unnecessary for basic functions. On this basis, the Provision outlines the scope of necessary personal information for commonly used 39 categories of Apps.
The Provision itself does not specify how offenders will be punished, but provides that any organization or individual who finds violations of the Provision can report to the relevant authorities, which will deal with it in accordance with the law after receiving the report. In practice, at the current stage, enforcers impose penalties according to the Cybersecurity Law of China. That means, offenders may face a fine of up to CNY 1 million (about USD 153,300), an order to make rectification, removal of App from app store, suspension of related business, shutdown of website, and/or revocation of business license.
China has always been proactive in regulating unscrupulous collection of personal information by Apps. As reported, by the end of last year, the MIIT has completed technical testing of 320,000 Apps in mainstream domestic app stores, and has urged more than 1,100 companies to make rectifications.
As China is stepping up the formulation of the Personal Information Protection Law, which is expected to be approved within this year, even more severe penalties, for example, fines counted on turnover basis like the GDPR, might be faced by offenders in the future. Therefore, multinationals operating Apps in China shall comply with the Provision and are suggested to pay close attention to the enactment of the Personal Information Protection Law to ensure compliance with the new law.