2019.06.12 DONG, Xiao (Marissa); GUO, Jinghe; DONG, Junjie
On June 1, 2019, the National Information Security Standardization Technical Committee, also known as the TC260, issued a non-mandatory technical document, the Guidelines for Network Security Practices – a Specification of the Essential Information for the Basic Business Functions of Mobile Internet Applications (the “Specification”). The Specification is based on the data minimization principle of information collection and use, as stipulated in the national standard Information Technology Security - Personal Information Security Specification. It focuses on 16 basic types of mobile application (“App”) functions, including those relating to mapping and navigation, online ride-hailing, instant messaging, online social communities, network payments, online shopping, and food and beverage delivery, and stipulates the specific types of personal information required to ensure the normal operation of these Apps and the requirements on the use of such information.
The Specification’s release follows that of various initiatives introduced earlier this year. On January 25, 2019, the Cybersecurity Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly released their Announcement to Launch a Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps. On March 1, the Working Group for the Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps released the Self-Assessment Guidelines on the Illegal Collection and Misuse of Personal Information by Apps. It is within this context of stronger regulation for Apps that the Specification provides an additional point of reference for legal compliance and law enforcement in the use of Apps in various scenarios. Key elements of the Specification are summarized as follows.
The principle of data minimization requires that personal information that is unrelated to the provision of services shall not be collected, and that Apps shall not attempt to seek authority to collect other, non-relevant information. That is, the only personal information that shall be collected is that which is required to perform an App’s business function, and it shall not be collected more frequently than is actually necessary for the App to perform its function.
“Essential information” means information that is necessary to both the basic business and general functions of Apps.
In terms of basic functions, the Specification lists basic business functions that 16 types of Apps may perform, the information that is required for such basic business functions, and the respective limitations on the use of these types of information.
For example, in the case of map navigation, which is classified as a basic function, the essential information collected by any App would be the location information, which includes accurate positioning information and tracking data. Accurate positioning information shall only be used to determine a user’s location, to conduct map searching and display, and to provide a navigation service. Tracking data shall only be used to assess a user’s real-time traffic status and to plan the route within the navigation service.
The Specification also details the essential information that can be collected and used by Apps to provide more general functions or to meet the requirements of laws and regulations.
(i) In terms of network access, log information shall be collected only to satisfy the requirements of laws and regulations, including those relating to network security;
(ii) In the case of security risks, device information shall only be collected to control risks such as cheating, fraud and the spread of illegal information;
(iii) Any records and the content of communications shall only be collected for the purposes of client servicing, such as handling client disputes.
Various issues need to be taken into consideration when collecting personal online records:
(i) Whether it is necessary to collect log information on users’ voluntary operations, such as “save, comment, post and report”, should be determined based on the necessity of those operations;
(ii) Operation records, such as those on browsing, searching and clicking, are generally non-essential information, and therefore users’ consent shall be obtained to collect such information;
(iii) A de-identification process is required when saving and using online records;
(iv) Users shall be informed when their profiles are used for personalized advertising and shall be provided with the option to withdraw from targeted advertisement pushing.
While it is only a technical document that is not legally binding, the Specification provides some important references for the implementation of the principle of data minimization, particularly in the practical implementation of regulations, and their assessment and enforcement. The Specification provides more specific details than other supporting regulations and national standards that have been issued in the wake of the Cybersecurity Law. In particular, the Specification provides a framework for identifying basic business functions and essential information for Apps. If the information collection is beyond the scope laid out in the Specification, an App service provider shall make a case for the necessity of such information collection and shall respect the users’ right to choose whether to provide such information.