2021.04.28 DONG, Xiao (Marissa), GUO, Jinghe
The Interim Regulations on the Administration of Personal Information Protection for Mobile Internet Applications (Draft for Comments) (“Draft for Comments”) was drafted by the Cyberspace Administration of China together with the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation (the “Four Ministries”). It has been released for public comment until May 26, 2021.
On March 3, 2019, the Personal Information Protection Task Force on Apps, as entrusted by the Four Ministries, issued the Guidelines for the Self-Assessment on the Illegal Collection and Use of Personal Information by Apps, which aim to reinforce app operators' self-assessment and self-rectification of their collection and use of personal information. Since then, the Four Ministries and the Personal Information Protection Task Force on Apps have carried out a range of enforcement actions within their respective scopes of authority and issued a series of practical guidelines and normative documents, such as the Methods to Determine the Illegal Collection and Use of Personal Information by Apps.
The purpose of the Draft for Comments is to institutionalize the experience, practice and administrative measures that have matured over the past two years and provide reliable institutional support for the regulation of apps’ personal information processing activities. Given that the Draft for Comments is based on previous documents, the noteworthy issues are summarized below.
The Draft for Comments provides that “the personal information processing activities carried out by apps in the territory of the People’s Republic of China shall comply with this draft. If personal information processing activities are otherwise governed by any laws or administrative regulations, such laws or administrative regulations shall prevail”.
The Draft for Comments does not explicitly bring mini-programs within its scope, and it remains to be seen whether mini-programs will be governed by reference to it once it is officially promulgated. It also remains to be clarified how "personal information processing activities carried out by apps in the territory of the People's Republic of China" will be interpreted, in particular how the scope of application of the Draft for Comments will be aligned with the extraterritorial effect provided under the Personal Information Protection Law (Draft) and with the interpretation adopted in current regulatory practice.
Compared with the previous regulations, which mainly focused on app developers and operators, the Draft for Comments regulates five types of subjects across the entire process of app distribution and operation: app developers and operators, app distribution platforms, app third-party service providers, mobile smart terminal manufacturers and Internet access service providers. It stipulates the obligations and responsibilities of each of these subjects respectively.
The Draft for Comments specifies a joint regulatory mechanism under which the Four Ministries will jointly supervise and regulate apps' personal information protection, organize the release of policies and standards specifications, and each be responsible for the supervision and administration of app personal information protection within their respective scopes of authority. This is broadly consistent with the regulatory approach provided under the draft Personal Information Protection Law.
The Draft for Comments reiterates the principle of "informed consent" and the six requirements for the processing of personal information by apps. It should also be noted that, under the Draft for Comments, separate notice to and separate consent from data subjects are required for the processing of sensitive personal information, which echoes the requirements of the recently promulgated Regulations on the Supervision and Administration of Online Transactions. (Art. 6)
In response to market concerns and compliance challenges encountered in practice, the Draft for Comments provides, for the first time, an interpretation of the "minimum necessary" standard, largely reiterating the following six requirements: (1) the amount, frequency and scope of personal information processed must be necessary; (2) local access to, input, deletion and modification of personal information must be necessary; (3) the consequences of a user's refusing authorization; (4) no startup on terminal boot or associated startup of other apps in non-service scenarios; (5) the consequences of a user's refusing the collection of unnecessary personal information; and (6) no collection of unnecessary personal information on the grounds of, among other things, improving service quality, enhancing user experience, developing new products, targeted push or risk control. (Art. 7)
App Developers and Operators
The Draft for Comments reiterates the requirements for app developers and operators already established in the existing regulations, for example, periodically providing users with prominent and easily accessible information about the app's use of their personal information, and offering users an opt-out or unsubscribe option for independent service modules that does not affect other service functionalities. The Draft for Comments also sets out requirements for personal information protection throughout the product design, development and operation process.
As for third-party services, the Draft for Comments not only reiterates the requirements to establish management standards and to clearly indicate the name, features and personal information processing policy of each app third-party service provider, but also requires that a personal information processing agreement be entered into with each third-party service provider so that the app developer can manage and oversee it. In particular, the Draft for Comments emphasizes that app developers who fail to fulfill their oversight obligations shall bear joint and several liability with the third-party service providers. (Art. 8)
App Distribution Platforms
The Draft for Comments specifies the personal information protection obligations of app distribution platforms, such as properly notifying users, conducting compliance reviews, establishing management mechanisms for app developer credit scores, at-risk app lists, platform information sharing and signature verification, and a number of other requirements. (Art. 9)
App Third-party Service Providers
App third-party service providers are subjects, other than users and apps, that provide third-party services to apps, such as SDKs, packaging, reinforcement (hardening) and compilation environments, including service providers involved throughout the development and operation of apps. Importantly, app third-party service providers are required to comply with various requirements under the Draft for Comments, such as publishing their personal information processing policies and not activating, deploying or updating third-party services without the user's consent or outside reasonable business scenarios. (Art. 10)
This is the first time that a statutory regulation has established requirements that directly regulate third-party service providers, which is significant as guidance for practice.
Mobile Smart Terminal Manufacturers
The Draft for Comments also further strengthens the requirements for the management of apps by mobile smart terminal manufacturers based on the Interim Provisions on the Administration of the Pre-Installation and Distribution of Application Software for Smart Mobile Terminals. (Art. 11)
Internet Access Service Providers
The Draft for Comments imposes obligations on Internet access service providers in connection with apps' personal information management, including registering and verifying the genuine identity and contact information of app developers and operators, and, as required by the regulatory authorities, taking necessary measures such as terminating access against apps that do not comply with the applicable provisions. (Art. 12)
Furthermore, the Draft for Comments provides that, if an entity engaged in the processing of personal information collected by apps needs to verify the genuine identity of the users, it shall conduct such verification through the online citizen identity verification and authentication service provided by the citizen identity authentication infrastructure uniformly built by the State. (Art. 13)
The Draft for Comments provides that, if an entity engaging in personal information processing is found to be in violation of the relevant requirements, the regulatory authorities may, within their respective scopes of authority, take sanction measures including ordering rectification, announcing the violation to the public, removing the relevant app from the market, terminating access and initiating a credit management process. Notably, the Draft for Comments stipulates a specific time limit for rectification of five business days from discovery of the problem. (Art. 16)
Among the aforesaid sanction measures, the measures of ordering the entity to make rectification, announce the violation to the public and undertake a credit management process may apply to all five types of entities, while the measures of removing the relevant app from the market and terminating the access seem to be more likely to apply to app developers and operators, and may also theoretically apply to distribution platforms.
For an app with recurring problems, and for related apps from the same developer or operator, the regulatory authorities may instruct and organize app distribution platforms and mobile smart terminal manufacturers to remind users of the risks during the integration, distribution, pre-installation and installation process; for apps materially violating the relevant requirements, a ban from the market will be imposed. (Art. 17)
The Draft for Comments summarizes the experience and administrative measures (such as the six separate “shall” and “shall not” to comply with the informed consent and minimum necessity principles) in the field of the special governance of apps in recent years into a systematic normative document.
The Draft for Comments imposes stricter personal information protection requirements on app developers and operators through privacy by design, the express display of specific information about an app's third-party services, and joint and several liability for those third-party services where the developer fails to perform its supervision responsibilities. In addition, the Draft for Comments for the first time imposes more specific personal-information-protection requirements on app distributors and hardware manufacturers for the management of apps during the integration, distribution, pre-installation and installation process. It also imposes specific requirements on app third-party service providers and Internet access service providers.
With the promulgation of the Personal Information Protection Law and the issuance of the Draft for Comments, we expect that the special governance of apps will be further strengthened and extended from app and mini-program developers and operators to entities engaged in the various steps of providing services for apps. Relevant entities in the industry are advised to review their compliance with the applicable regulations and prepare to comply with the Draft for Comments.