2019.03.29 DONG, Xiao (Marissa)、YUAN,Qiong、DONG, Junjie
On January 25, 2019, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly issued the Announcement of Launching a Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps, launching what is proposed to be a one-year special crackdown.
Various organizations, namely the National Information Security Standardization Technical Committee, the China Consumers Association, the Internet Society of China and the Cybersecurity Association of China have subsequently established a Working Group for the Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps (the “Working Group”), and on March 1, 2019 released the Self-Assessment Guidelines on the Illegal Collection and Misuse of Personal Information by Apps (the “Guidelines”).
I. Key Points for Assessment
The Guidelines detail the requirements for App operators to self-regulate, by checking and correcting their own conduct in relation to personal information collection and use. There are 32 assessment items under nine headings, laid out in three main sections, namely: the text of the privacy policy; the actual practice in an App’s collection and use of personal information; and the protection of user rights when using Apps.
The Guidelines’ requirements are based upon various pre-existing legislative items, namely the Cybersecurity Law, the Consumer Rights Protection Law, and the Information Security Technology - Personal Information Security Specification (the “Specification”), and a more recent draft, revised version, The Information Security Technology - Personal Information Security Specification Draft (the “Draft Revised Specification”) which was released for comment on January 30, 2019. Compared with the Specification and the Draft Revised Specification, the requirements prescribed in the Guidelines are stricter and more detailed, and include a number of new items. Some of the key aspects of the Guidelines are summarized below:
1. The privacy policy shall clearly state each service and the types of the personal information collected for each function
Perhaps the most noteworthy aspects of the Guidelines are their emphasis upon and clear definition of the “necessity principle”. Where Apps provide multiple services, and each service requires users to provide different types of personal information, the Guidelines clearly indicate that the personal information required by each function shall separately listed in the privacy policy, and should not of being summarized or abbreviated by terms such as "etc.” and ‘”e.g.". In addition, personal information should be collected separately for each different service; it is not permitted that information collected for one service can be used across other business services.
2. Apps shall clarify the purpose of information collection before obtaining authorization for system use
The Guidelines require that, when an App is seeking system authorization (excluding those circumstances where a user voluntarily enables the authorization voluntarily in their system settings), the App shall make it clear that the authorization is for the purpose of personal information collection.
The Guidelines also provide that App operators shall not require users to accept and agree to a one-time authorization to collect personal information for multiple services through bundling multiple services.
3. The privacy policy shall explicitly describe how user profiles will be used to personalize the display of content
According to the Guidelines, if an App operator intends to use personal information for profiling or for personalizing the display of content, the privacy policy shall indicate the scenarios where the information will be used and its potential influence on a user.
The Draft Revised Specification stipulates various opt-out mechanisms for personalized display: if personalized display is being used to push news or an information service to a user, the user shall be provided with a simple and intuitive option to withdraw from this personalized mode; if personalized display is being used to provide services to the users, they shall be given the option of deleting or anonymizing the personal information on which the targeted push activity is based should they choose to exit the personalized display mode.
4. The types of personal sensitive information and the export of personal data shall be clearly marked in the privacy policy
According to the Guidelines, any content relating to sensitive personal information and the export of personal information shall be clearly marked in the privacy policy, for example through the use of bold font, asterisk, underline, italics, color or other methods that draw the user’s attention. When collecting personal and sensitive information, an App shall explicitly indicate the purpose, method and scope of collection and use of personal information in a prominent way, such as through pop-up prompts.
5. An App shall provide users with the right to close their accounts
The Guidelines not only require App operators to clearly explain in the privacy policy the process whereby a user can close their account, but also require an App to provide the means to close the account, such as an online interface that links to a customer service line. App operators are required to timely anonymize and delete a user’s personal information after the user has closed the account.
6. Embedding third-party code plug-ins to collect personal information
According to the Guidelines, if personal information is transmitted to the server of a third party via an embedded third-party code, a plug-in or other means, the user shall be explicitly informed through a method such as a pop-up prompt. According to the Specification, if a personal information controller deploys a third-party plug-in that does not separately seek authorization from the subject to collect and use their personal information, then the personal information controller and the third party shall be regarded as joint personal information controllers and shall bear the obligation of explicitly informing the personal information subject. This requirement of the Guidelines also reflects the principle of the Specification above.
7. Continuing to ask for authority and pester users having already been explicitly refused
According to the Draft Revised Specification, a personal information controller shall not repeatedly solicit the consent of the personal information subject who rejects, turns off or quits specific services. The Guidelines set an even higher requirement, that is an App shall not ask the user again whether to turn on the corresponding authority for certain services.
8. Other requirements
Among some of the other requirements included in the Guidelines are that the privacy policy shall be presented separately and shall be easy to read and visit, and be accessible within four clicks of the main function interface; the privacy policy shall explicitly list the App operator’s basic information, including the responsible person’s name, registered address and contact information; it is prohibited to include unreasonable conditions; and an App shall provide methods of searching, correcting, and deleting personal information.
II. Our Observations
The Guidelines include and on certain points go beyond the requirements already outlined in the Cybersecurity Law, the Specification and the Drafted Revised Specification, proposing detailed and stricter assessment standards. It seems many Apps in the market would currently be unlikely to meet the requirements laid out in the Guidelines unless further improvement is made.
At present, the Working Group suggests App operators should self-regulate through voluntarily conducting self-inspection, making corrections regarding the collection and use of personal information, and improving protection for personal information. In practice, we have not as yet come across any administrative penalty precedents based on the Guidelines.
