2021.03.25 DONG, Xiao (Marissa), GUO, Chao, DONG, Junjie
On March 12, 2021, the Secretary Bureau of the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation (“Four Ministries”) jointly issued the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (the “Regulations”). The Regulations were formally released to the public on March 22. Following the “principle of necessity” established in the Cybersecurity Law (the “CSL”), the Regulations elaborate on the basic functions of 39 different types of Apps, the specific types of personal information that are necessary for such Apps to perform their basic functions and services, and the relevant usage requirements.
The Regulations further specify the regulatory requirements for the principle of necessity. This article summarizes the highlights of the Regulations that we believe deserve attention.
The necessity principle is one of the basic principles established by the Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection in 2012 and is further stipulated by the CSL for collecting and processing personal information. The national standard Personal Information Security Specification provides further interpretation of the necessity principle: the types of personal information collected should be directly related to the realization of the business function of the product or service; the frequency of automatic collection of personal information should be the minimum frequency necessary to realize the business function; and the amount of personal information obtained indirectly should be the minimum quantity necessary for the business function of the service.
In January 2019, the Four Ministries, in order to implement the CSL, jointly released the Announcement on the Launching of a Special Crackdown on the Illegal Collection and Misuse of Personal Information by Apps. It emphasized that App operators should comply with the principles of lawfulness, legitimacy and necessity and should not collect personal information unrelated to the services provided, and it continued to strengthen the oversight and governance of Apps.
In furtherance of the principle of minimum necessity for collecting and using personal information, the National Information Security Standardization Technical Committee issued a non-mandatory technical document, the Guidelines for Cybersecurity Practices - a Specification for the Necessary Information for the Basic Business Functions of Mobile Applications, illustrating the basic functions of 16 different types of Apps and the types of necessary personal information.
The CAC published the draft Scope of Necessary Personal Information for Common Types of Apps (the “CAC Draft”) in December 2020 for public comment. The CAC Draft stipulated the scope of necessary personal information for 38 common types of Apps, such as map navigation, online ride-hailing and instant messaging.
The Regulations specify the scope of necessary personal information from the following perspectives:
From the functionality perspective, necessary personal information refers to the personal information that is required to ensure the normal operation of Apps’ basic functions and services and in the absence of which, Apps will be unable to perform basic functions and services.
From the perspective of the data subject, necessary personal information refers to the personal information of consumption-side users, rather than that of users on the service-provision side. The Regulations leave undefined the specific meaning of consumption-side users and service-provision-side users.
The Regulations expressly provide that, in addition to Apps downloaded to or pre-installed on a mobile intelligent terminal, they also apply to mini programs, which are developed on App open-platform interfaces and are available to users without installation.
The Regulations enumerate the basic function services and the corresponding necessary information scope of 39 types of Apps, including instant messaging, online communities, e-payments, online shopping, job searches, travel services, hotel services, browsers, App stores and other Apps.
Take “instant messaging” Apps as an example. The Regulations prescribe that the services provided by instant messaging Apps include “texts, pictures, voice, videos and other online instant messaging services”, and the necessary personal information for instant messaging Apps shall include the mobile phone number and App account (including the account number and the instant messaging contact list) of the registered user.
The Regulations provide for a basic rule pertaining to the necessity principle; namely, an App shall not deny a user access to its basic functions and services if the user refuses to share unnecessary personal information with the App. However, the Regulations are silent on how to implement this basic principle and do not provide relevant compliance standards, leaving them to be designed and rectified by Apps in the market based on their own conditions.
To achieve the above basic purpose, Apps need to consider whether to conduct assessment and rectification from the following perspectives:
assess and confirm the basic functions of Apps and the scope of the necessary information corresponding to the basic functions based on the conditions of the Apps;
consider whether the privacy policies shall separately elaborate on the collection and processing of the necessary personal information and the unnecessary personal information;
provide the right to select and refuse the collection of unnecessary personal information for users.
Since the provisions of the Regulations remain general, several issues still need to be clarified during the plan design process in practice, for example:
whether the express consent of the user is required for the collection and use of the necessary personal information of the user;
whether it is necessary to include two service modes, i.e. a basic function and an additional function, and to provide different privacy policies for users to agree to;
whether a visitor mode, where personal information is not collected, should be added.
The regulators’ requests on the above questions may greatly affect the relevant enterprises’ current practices in the collection and use of personal information as well as the design of user interfaces of Apps.
In practice, the types of personal information collected by Apps and mini programs, and their subsequent use, in many cases go far beyond the scope directly related to the provision of services; this has become market practice and has formed a business model. Regulators in various countries are also questioning such collection and use of personal information and tightening their corresponding requirements in different ways.
It can be seen that the Regulations are a response by Chinese regulators to the excessive collection of personal information discovered in the course of law enforcement concerning Apps over the past three years, and they also form a practical foundation for the interpretation of such issues under the forthcoming Law on the Protection of Personal Information. The Regulations do not prohibit Apps from collecting personal information other than the necessary personal information enumerated in the Regulations, but focus on requiring Apps to provide users with an option to refuse the collection of their unnecessary personal information while still having access to basic functions and services.
With respect to how to give effect to users’ options in an appropriate way, Apps with simple and direct business models may satisfy such requirements by modifying their respective privacy policies or by displaying a pop-up request to collect information. However, for Apps with relatively complex business models, whether this will directly affect the business models of such Apps and their associated services is worth further observation. Furthermore, the law enforcement of the Four Ministries has so far focused more on mobile Apps, while the Regulations now directly include mini programs in the category of Apps, indicating that strict law enforcement concerning mini programs is approaching.
It is advised that relevant enterprises pay close attention to regulatory practices and make the necessary assessments and adjustments to their respective business logic, privacy policies, and the design of interfaces and pop-ups before the Regulations come into force on May 1 this year.