Personal Information and Mobile Apps

Nathaniel Rushforth

Nathaniel Rushforth is a cybersecurity and data law specialist, and a US-qualified attorney. He studied at the McGill University Faculty of Law in Montreal, Quebec and at the University of Arizona College of Law in Tucson. He holds a Juris Doctor from the University of Arizona College of Law, and a bachelor’s degree in computer science and engineering from New Mexico State University. Prior to joining DaWo, Nathaniel practiced as a lawyer in the United States, representing clients in a variety of areas, including corporate matters, intellectual property, civil litigation, and criminal defense. He also served as an administrative law judge, presiding over more than 1000 administrative hearings.

On May 1, 2021, the “Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications”, jointly issued by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS), and the State Administration for Market Regulation (SAMR), came into force. These Provisions aim to regulate personal information collection by mobile internet applications (apps, including mini programs) in order to protect the privacy and personal data of users.

“Necessary” Information
According to Article 3 of the Provisions, “necessary personal information” refers to personal information required to ensure the normal operation of the app’s basic functions – without this information, the basic functional services of the app would simply not work.
The Provisions clarify the scope of basic functions and necessary personal information for 39 types of apps. For 13 of these types (including women’s health, online audio and video services, news and sport, e-books, web browsing, app store and ticketing services), the basic functional services do not include anything that would be deemed “necessary personal information.”
For other types of apps, such as online games and education, only the user’s mobile phone number is considered necessary.
Furthermore, app operators cannot refuse users who do not agree to provide non-essential personal information for the use of their app’s basic functions.

Any organization or individual who finds an app in violation of these Provisions can make a report to the relevant department, with the operator facing potential punishment in accordance with the law.  

Protecting Personal Information

More recently, the MIIT and SAMR, under the guidance of the CAC, issued the ‘Provisions on Personal Information Protection Management of Mobile Internet Application’ (draft open for comment until May 26, 2021).
Under these Draft Provisions, apps are, for example, required to first obtain consent before collecting personal information and tell users what personal information will be collected and for what purposes. Apps should only collect a minimum amount of information and should not obtain personal information that goes beyond the scope of the user’s consent or which is not related to the app’s main purpose.
Furthermore, users should receive a separate notification if an app processes their sensitive personal information such as race, ethnicity, religion, biometrics, health, financial accounts, and personal whereabouts.
As you can see, these (Draft) Provisions are another example of China’s aim to protect personal data and its growing regulatory focus on the online economy.
Over the last year, we have seen Chinese authorities cracking down on illegal collection of personal information by apps, urging app operators to make rectifications or taking violating apps offline.
Companies in the industry need to comply with these regulations in order to avoid fines or other penalties. If you have any questions regarding this subject, please feel free to contact us.