China Publishes Draft Implementing Rules on Processing Personal Information in Apps

On 26 April 2021, a draft of the Interim Administrative Provisions on the Personal Information Protection in Internet Mobile Applications (“PI-in-App Provisions”) was published by China’s Ministry of Industry and Information Technology (“MIIT”); the public comment period will close on 26 May 2021. The PI-in-App Provisions, like the Rules for the Scope of Necessary Personal Information for the Common Category of Mobile Internet Applications (“Rules of Necessary Personal Information”), issued on 22 March 2021, add details to some of the general rules of China’s developing cybersecurity framework. In particular, the PI-in-App Provisions specify how apps should satisfy the principles of obtaining “informed consent” and carrying out only “minimum necessary” data collection and processing. They also create five categories of parties related to the provision of apps (e.g., developers and distribution platforms) and specify particular obligations for each category. Finally, they add some more details about how regulatory authorities may respond to violations. This Newsletter offers an overview of the key points of the PI-in-App Provisions.

Informed Consent

Obtaining informed consent has been a prerequisite to processing[1] personal information since at least the coming into effect of the PRC Cybersecurity Law, on 1 June 2017. However, app providers and other data processors have had little guidance on what constitutes informed consent. The PI-in-App Provisions fill in much of the gap:

• Inform the user of the personal information being processed about processing rules covering at least who is processing the personal information, the purpose for the processing, the method of processing, the type of processing (use, storage, transfer, publication, etc.), and the retention period, through pop-up windows, text links, and attachments and other concise, clear, and easily accessible ways on the app login registration page and the first run of the app. 
• Adopt a non-default checkbox to obtain the user's consent.
• Respect the user’s right to choose and do not process personal information before obtaining the user's consent or after the user has explicitly refused; if the personal information processing rules are changed, obtain the user's consent again.
• Dynamically apply for the permissions required by the app when the corresponding function is launched, do not compel the user to give blanket consent to open multiple system permissions, and do not change the status of the permissions set by the user without the user's consent.
• If it is necessary to provide personal information to a third party, inform the user of at least the third party’s identity, contact information, the type of personal information processed, the purpose for the processing, and the method of processing, and obtain the user's consent.
• When processing sensitive personal information, such as race, ethnicity, religion, personal biometrics, medical and health information, financial accounts, personal whereabouts, etc., inform the user, and obtain his/her consent, about the specific processing of sensitive personal information.

Minimum Necessity

Likewise, whereas the PRC Cybersecurity Law introduced the principle that no more data than necessary should be processed, virtually no details of the meaning and application of the principle have been available until the PI-in-App Provisions’ following rules:

• The quantity, frequency, and accuracy of personal information processing must be necessary for the service (and no personal information beyond that which is necessary for the service can be processed).
• All storage, deletion, and modification of personal information must be necessary for the service and be within the scope of consent granted by the user.
• After a user rejects a relevant authorization, the user cannot be forced to exit or close the app, permissions cannot be applied for in advance beyond the business functions or services the app provides, and frequent pop-up windows cannot be used to repeatedly apply for permissions that are not related to the services being used.
• Other apps should not be launched when not necessary for the service or otherwise reasonably required.
• Use of a service should not be affected for a user who has refused to provide personal information that is not necessary for that service.
• Users cannot be compelled to agree to the processing of personal information beyond the scope of or unrelated to the service use on the grounds of improving service quality, enhancing the user experience, developing new products, pushing information in a targeted manner, risk control, etc.

Categories and Obligations of Data Processors

The PI-in-App Provisions distinguish between the following five types of businesses that may be involved in or related to the processing of personal information through apps: app developers, app distribution platforms (e.g., app store), third-party service providers for apps, mobile intelligent terminal manufacturers, and network access service providers (i.e., IDC, ISP and CDN service providers).

For each category of processor, the PI-in-App Provisions stipulate particular obligations in the protection of personal information. For example, app developers must, inter alia:

• Effectively enhance the awareness of personal information protection in products and services, and implement personal information protection requirements in product design, development, and operation.
• Regularly inform users about processing rules and information (instead of informing them only when the rules are published or updated) in a prominent and clear manner. 
• If third-party services are used, formulate management rules to express the name, function, and personal information processing rules of the third-party service provider, and sign a personal information processing agreement with the third party service provider to clarify the relevant rights and obligations of both parties and to manage and supervise the personal information processing activities and information security risks of the third-party service provider. (If the app developer fails to fulfill its supervisory obligations, the PI-in-App Provisions impose joint and several liability on it and the third-party service provider.)

In comparison, the PI-in-App Provisions stipulate the following obligations, inter alia, for app distribution platforms:

• Register and verify the real identity, contact information, and other information of the app developers/providers.
• Prominently list the user terminal permissions and the type, content, purpose, scope, manner, use, and processing rules of personal information and other related information collected for the operation of the app.
• Complete a standardized audit of personal information processing activities before a new App is made available (or, for apps already available when the PI-in-App Provisions come into effect, complete an audit within one month of the effective date), and take any remedial measures needed based on the audit results. 
• Establish management mechanisms, such as a scoring of app developers, a list of apps at risk, platform information sharing, and signature verification.
• Set up a convenient complaint reporting portal, and timely handle public complaints and reports on the app distributed via the platform.

Penalties

Although the PRC Cybersecurity Law and regulations thereunder include general provisions about the measures that regulatory authorities may take in response to a violation of privacy or data protection rules, the PI-in-App Provisions outline potential regulatory responses in more detail. In the event of a violation of any rule of the PI-in-App Provisions, the following may ensue:

• Rectification and public announcement. The authorities will demand the violator remedy the violation within 5 working days of the demand, failing which, the authorities will issue a public announcement about the violation.
• “Off-shelf”. Five working days after the public announcement, if a violation or negative ramifications continue, the authorities may prohibit the app from being made available for download; in the case of repeated violations and other serious violations, the prohibition may extend for 40 working days and the app cannot be available for download through any channels.
• Disconnect access. If the violation or negative consequences are not remedied within the time prescribed by authorities during the “off-shelf” period, the authorities will take the necessary measures to completely block access to the app.

Of course, curing the violation (and, as may be requested by the authorities ad hoc depending on the nature of the violation and other circumstances, making additional technical, management, and/or corporate-level changes or commitments), will allow for the reversal of the “off-shelfing” and disconnecting of access. However, the PI-in-App Provisions provide for residual consequences: the violator’s record in the still-developing PRC universal “credit” system may be negatively affected.

Takeaways

The PI-in-App Provisions are a relatively big step forward for China’s cybersecurity framework, combine the requirements under a series of rules and notices issued by the MIIT, and intend to be unified rules for personal information protection in apps. If the PI-in-App Provisions take effect as currently drafted, thorough evaluation of each app’s data processing, disclosures, and other mechanisms as against the PI-in-App Provisions should be carried out to identify any deficiencies in compliance. The articles of the PI-in-App Provisions stipulating particular obligations for each of five categories of businesses involved in the provision of apps should also afford helpful guidance to such businesses, although some of said obligations remain somewhat vaguely articulated. It is to be hoped that the PI-in-App Provisions (assuming they are formally issued) can be relied upon in conjunction with other provisions, some already issued (e.g., the Rules of Necessary Personal Information) and some to be issued in the future, for businesses to understand and comply with the allocation of each relevant party’s responsibility for protecting users’ privacy and data.

[1] The word “processing” will be used hereon and should be understood to include “collecting”, “storing”, etc.