The Chinese government has announced new provisions clarifying the collection of personal information by mobile apps. These provisions were first published in draft at the end of 2020 and will come into force on 1 May 2021.
Under China’s cybersecurity law, personal information may only be collected in line with principles of legitimacy, propriety, and necessity.
The new provisions help clarify what will be deemed ‘necessary’ in the context of mobile apps, and this will be interpreted fairly strictly to cover only such personal information as is necessary to ensure normal operation of an app’s basic functions.
By way of example, an instant messaging app will be able to insist upon collecting a user’s mobile number, account information and contact list in order to provide its basic functions of text, picture, voice, and video messaging. Likewise, an online payment app will be able to require its customers’ phone numbers, names, proof of ID, and bank details. Additional services may be made conditional on a user providing additional information, but this must still comply with the principles listed above.
Notably, for six categories of app (including women’s health, online audio and video services, news and sport, e-books, web browsing, and ticketing services), there is no minimum ‘necessary’ personal information – i.e. these services must be made freely available, with no mandatory collection of personal data.
Breaches of the new provisions may result in corrections, warnings, fines, or even revocation of business permits and compulsory winding up.
The new rules are introduced in conjunction with other laws regulating e-commerce and livestreamed sales, and emphasise the broad impact of China’s data privacy laws and its growing regulatory focus on the online economy.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2021