2019.03.29 DONG, Xiao (Marissa), YUAN, Qiong, DONG, Junjie
On January 25, 2019, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly issued the Announcement of Launching a Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps, launching what is proposed to be a one-year special crackdown.
Various organizations, namely the National Information Security Standardization Technical Committee, the China Consumers Association, the Internet Society of China and the Cybersecurity Association of China have subsequently established a Working Group for the Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps (the “Working Group”), and on March 1, 2019 released the Self-Assessment Guidelines on the Illegal Collection and Misuse of Personal Information by Apps (the “Guidelines”).
The Guidelines’ requirements are based upon various pre-existing legislative items, namely the Cybersecurity Law, the Consumer Rights Protection Law, and the Information Security Technology - Personal Information Security Specification (the “Specification”), as well as a more recent draft revision, the Information Security Technology - Personal Information Security Specification Draft (the “Draft Revised Specification”), which was released for comment on January 30, 2019. Compared with the Specification and the Draft Revised Specification, the requirements prescribed in the Guidelines are stricter and more detailed, and include a number of new items. Some of the key aspects of the Guidelines are summarized below:
The Guidelines require that, when an App is seeking system authorization (excluding those circumstances where a user voluntarily enables the authorization in their system settings), the App shall make it clear that the authorization is for the purpose of personal information collection.
The Guidelines also provide that App operators shall not bundle multiple services together so as to require users to accept and agree to a single, one-time authorization to collect personal information for all of those services.
The Draft Revised Specification stipulates various opt-out mechanisms for personalized display: if personalized display is being used to push news or an information service to a user, the user shall be provided with a simple and intuitive option to withdraw from this personalized mode; if personalized display is being used to provide services to the users, they shall be given the option of deleting or anonymizing the personal information on which the targeted push activity is based should they choose to exit the personalized display mode.
According to the Guidelines, if personal information is transmitted to the server of a third party via an embedded third-party code, a plug-in or other means, the user shall be explicitly informed through a method such as a pop-up prompt. According to the Specification, if a personal information controller deploys a third-party plug-in that does not separately seek authorization from the subject to collect and use their personal information, then the personal information controller and the third party shall be regarded as joint personal information controllers and shall bear the obligation of explicitly informing the personal information subject. This requirement of the Guidelines also reflects the principle of the Specification above.
According to the Draft Revised Specification, a personal information controller shall not repeatedly solicit the consent of a personal information subject who rejects, turns off or quits specific services. The Guidelines set an even higher requirement: an App shall not ask the user again whether to turn on the corresponding permission for certain services.
The Guidelines include, and on certain points go beyond, the requirements already outlined in the Cybersecurity Law, the Specification and the Draft Revised Specification, proposing detailed and stricter assessment standards. It seems that many Apps currently on the market would be unlikely to meet the requirements laid out in the Guidelines unless further improvements are made.
At present, the Working Group suggests App operators should self-regulate through voluntarily conducting self-inspection, making corrections regarding the collection and use of personal information, and improving protection for personal information. In practice, we have not as yet come across any administrative penalty precedents based on the Guidelines.