2020.08.13 DONG, Xiao (Marissa), GUO, Jinghe, DONG, Junjie
At the end of July 2020, supervision of app privacy protection was stepped up, signaled by a series of standard-setting and law enforcement activities:
On July 22, 2020, the Cyberspace Administration of China ("CAC"), the Ministry of Industry and Information Technology of the People's Republic of China ("MIIT"), the Ministry of Public Security of the People's Republic of China and the State Administration for Market Regulation (together, the "Four Ministries") held a meeting in Beijing to launch the 2020 campaign against the illegal collection and use of personal information by apps [1];
On the same day, MIIT announced the launch and promotion of a rectification campaign against the infringement of users' rights and interests by apps [2];
Also on the same day, the National Information Security Standardization Technical Committee ("TC260") issued a document titled Network Security Standard Practice Guidelines - Self-Assessment Guidelines on the Collection and Use of Personal Information by Mobile Internet Applications (formal version) (the "TC260 Guidelines"). Organized around six evaluation points, it gives app operators a reference and direction for self-assessing their collection and use of personal information [3].
1. Review and progress of standards and law enforcement
After the launch of the special governance campaign on the illegal collection and use of personal information by apps was announced on March 3, 2019, the app special governance working group entrusted by the Four Ministries issued the Guidelines on Self-assessment on the Illegal Collection and Use of Personal Information by Apps (the "Working Group Guidelines") to push app operators to examine and correct their own collection and use of personal information. These have since become an important reference for app operators building privacy practices and compliance programs. On December 30, 2019, the Four Ministries issued the Determination Rules for Identifying the Illegal Collection and Use of Personal Information by Apps (the "App Determination Rules"). The TC260 Guidelines distill the main self-assessment points for app operators from the requirements of the Cybersecurity Law, the App Determination Rules and related laws and regulations, combined with existing app testing and evaluation practice. Compared with the Working Group Guidelines issued a year earlier, the TC260 Guidelines incorporate lessons from the past year of app privacy governance and provide more detailed implementation requirements.
Building on the 2019 work, the 2020 campaign against the illegal collection and use of personal information by apps launched by the Four Ministries sets out its priority areas for the year.
MIIT is carrying out an in-depth special rectification campaign against the infringement of user rights and interests by apps, with the aim of urging the enterprises concerned to strengthen the protection of personal information in their apps. It requires them to rectify and eliminate problems such as the illegal collection and use of users' personal information and the harassment, deception and misleading of users. It also addresses the inadequate discharge of management responsibilities by application distribution platforms, with the goal of cleaning up the app ecosystem. MIIT also plans to have a national app technical testing platform management system in operation by the end of August 2020 and to complete testing of 400,000 mainstream apps by December 10.
2. Key Points in Compliance
Based on the above, we recommend that enterprises pay special attention to the following app compliance points:
1) Expansion of the evaluation scope: the TC260 Guidelines clarify that, in addition to app operators, operators of mini-programs and fast applications may also conduct self-assessment with reference to the applicable provisions. MIIT's governance campaign likewise requires assessment of mini-programs and fast applications. Notably, the Network Security Standard Practice Guidelines - Mobile Internet Application (App) Personal Information Security Prevention Guidelines (Draft for Comment), issued by TC260 in March, also suggests that mini-program operators refer to those guidelines. The trend of bringing mini-programs and fast applications within the scope of evaluation has therefore become more pronounced.
2) Emphasis on the protection of children's information: the TC260 Guidelines stress that if an app has a function that collects and uses children's personal information, the app operator must formulate specific personal information protection rules for children. For example, educational apps that collect the personal information of minors under the age of 14 should formulate such rules. This requirement echoes the Provisions on the Network Protection of Children's Personal Information issued by CAC in 2019, indicating that the protection of children's personal information is likely to become a regulatory focus.
3) Strengthening the compliance requirements for SDKs and third-party applications: building on the Working Group Guidelines, the TC260 Guidelines further emphasize and refine the requirements for the collection of personal information by third-party code and plug-ins (such as SDKs). When collecting personal information through embedded third-party code or plug-ins (such as SDKs), app operators should disclose the type and name of the third-party code or plug-in, as well as the purpose, type and method of the personal information collection. When sending information to a third party through third-party code or plug-ins (such as SDKs) embedded on the client side, the user's consent should be obtained in advance; personal information that has been anonymized is excluded from this requirement. The TC260 Guidelines also set out requirements for an app's connection with third-party applications and the provision of personal information to them. For example, an app should provide personal information to third-party applications only after obtaining the user's consent, and the app operator should check the legality, legitimacy and necessity of the third-party application's collection of personal information.
4) Clarification of the notification method for permission requests and the collection of sensitive personal information: the Working Group Guidelines require that, when collecting sensitive personal information, apps clearly inform users of the purpose, method and scope of the collection and use through pop-up prompts or other conspicuous means. The App Determination Rules further require that users be informed of the purpose of collection at the time the information is collected. On this basis, the TC260 Guidelines combine and strengthen these notification requirements: when requesting a permission for collecting personal information or asking users to provide sensitive personal information, the app should at the same time inform the user of the purpose of the collection in a prominent way, and the description of the purpose should be clear and easy to understand. The notification may take the form of a pop-up prompt, a description of the purpose, or similar.
5) Further strengthening and refining the requirements for apps to request and use system permissions: the TC260 Guidelines combine and strengthen the requirements of the Working Group Guidelines and the App Determination Rules. They state that, when a system permission used to collect personal information is requested, users should be informed of its purpose at the same time and in a prominent way, and the description of the purpose should be clear and easy to understand.
On July 29, 2020, TC260 issued the Network Security Standard Practice Guidelines - Guidelines on the Application and Use of Mobile Internet Application (APP) System Permissions (Draft for Comment) (the "Permission Use Guidelines"). The Permission Use Guidelines set out the basic requirements and general principles for apps requesting and using system permissions, as well as request and use requirements for typical Android system permissions. They also introduce common sensitive system permissions on Android and iOS, common problems in requesting and using system permissions, and system permissions that apps are advised not to request when providing services. The Permission Use Guidelines provide a comprehensive reference for app operators requesting and using permissions, in response to the widespread practice of over-requesting permissions and abusing users' personal information. Some specific requirements deserve particular attention, for example: except in security risk control scenarios, an app should not collect immutable unique device identifiers (such as IMEI); and mini-program operators are subject to different requirements for personal information collection permissions.
6) Emphasis on and refinement of the necessity principle: the TC260 Guidelines make "whether the necessity principle is followed" a stand-alone evaluation point and refine the specific requirements for following it, including: operators should not collect personal information unrelated to their business; users may refuse the collection of unnecessary information; operators may not compel users to provide personal information; and the frequency of collection should not exceed the actual needs of the business. The TC260 Guidelines particularly stress that, in browsing, guest or other modes that can be used without registration, users should not be prompted to consent to the collection of personal information in a way that interferes with their use of the functions. The Permission Use Guidelines also strengthen the necessity principle: minimum necessity is one of the basic principles for permission requests and is reflected in their specific requirements. This shows that the necessity principle should be a central concern for app operators in the collection and use of personal information.
7) User profiling and targeted push notifications: the Working Group Guidelines require that "the application scenarios in which personal information is used for user profiling and personalized display, and the impact of such use on users' rights, should be explained". On this basis, the TC260 Guidelines further require that, if certain business functions do not involve user profiling or personalized display, this should be stated in the rules. Regarding targeted push notifications, the TC260 Guidelines stress that, when a user's personal information and algorithms are used to push information, the user should be given a mechanism to refuse targeted push information, or to stop, exit or turn off the corresponding function, as well as a push mode and option that is not based on personal information or personalized recommendation algorithms. This is consistent with the requirements of the App Determination Rules.
8) Requirements on displaying privacy policies and obtaining consent: building on the Working Group Guidelines and the App Determination Rules, the TC260 Guidelines further require that the privacy policy (or a link to it) be displayed in a fixed position in the interface and not be changed frequently, and that operators not obtain consent through non-explicit means such as treating users as having tacitly agreed to the privacy policy.
In addition to the requirement that users be prompted by explicit means such as a pop-up to read the privacy policy when the app is first run or on registration, if consent is obtained through a step such as "next" or "register", the logical relationship between that action and consent to the privacy policy must also be made clear.
9) Responses, complaints and reporting channels for users exercising their personal information protection rights: the TC260 Guidelines reiterate the requirement of the App Determination Rules that responses to requests, complaints and reports be handled within 15 working days. As for the channels for user complaints and reports concerning personal information, the "fax" channel listed in the Working Group Guidelines has been replaced with an "instant messaging account".
3. Our observations
The introduction of the TC260 Guidelines and the recent governance activities of the law enforcement authorities further illustrate the continuing strengthening of enforcement and supervision of app privacy practices. Operators of mini-programs and fast applications have also gradually become a focus of supervision. We recommend that operators of apps and mini-programs of all kinds strengthen compliance in the collection and use of users' personal information as soon as possible and pay close attention to related legislative and regulatory developments.
[1] http://www.cac.gov.cn/2020-07/25/c_1597240741055830.htm
[2] http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057709/n3057714/c8027149/content.html
[3] TC260 released the draft version of these Guidelines for public consultation on March 19.