The Chinese government has issued new rules that define for the first time the “necessary” personal information that mobile apps can obtain from their users, as Beijing intensifies its campaign against unauthorised data collection by Big Tech to further control the country’s digital economy.
Apps can collect necessary personal information from users that allows them to access basic functions and services, while users can decline to provide data outside what is deemed necessary and continue to use certain apps without obstruction, according to the new rules jointly released on Monday by agencies that include the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Public Security Bureau (PSB) and the State Administration for Market Regulation (SAMR).
The regulation on necessary personal information for common types of mobile Internet applications, which will take effect on May 1, also covers the basic functions and services for 39 app categories, including messaging, online shopping, payments, ride hailing, short video, livestream and mobile games.
The rules are needed at this time because the personal information users needed to provide to access apps has long been very vague, according to James Gong, who advises clients about the technology, media and telecommunications sectors at global law firm Herbert Smith Freehills. He said some app operators have previously exploited that loophole by requiring users to give a “bundled consent” for processing their personal information.
The necessary personal information for online shopping and food delivery apps, for example, includes a registered user’s phone number, a consignee’s name or username, address and contact number, and payment information.
For ride-hailing apps, the needed data covers a user’s phone number, departure point and destination, location and whereabouts, and payment information including the time, amount and method.
When registering for a phone number in China, customers are required to provide their official identification – a Chinese ID card for nationals and a passport for expatriates. Their ID is tied directly to their phone number, which can be used to verify a person’s identity across a variety of situations such as logging into online services and verification for more confidential services like banking.
Personal information considered necessary to access other common types of apps is more limited. Users of livestreaming, short video, news, browser and utility apps, such as calendar, weather and dictionary, should be able to access basic services on these platforms without providing any personal information.
The new rules come as China seeks to expand the Internet industry’s role in driving the country’s economic growth, while providing more protection for consumers’ personal information. It has also come ahead of China’s Personal Information Protection Law, which is still under review and is expected to be rolled out within this year.
Clarifying which necessary personal information users are expected to provide will certainly help keep app operators in line, according to Gong of Herbert Smith Freehills. “The regulation is quite detailed, covering most of the popular types of personal information [that apps collect],” he said.
Incidents in which apps were found to have accessed a user’s contacts, or other private data, have repeatedly triggered an online backlash in China, which has the world’s largest Internet population and smartphone market.
The MIIT recently singled out more than 100 app operators, including Tencent Holdings, for excessively collecting and mishandling user data. The CAC, MIIT, PSB and SAMR have regularly launched joint campaigns to investigate how apps collect and use personal data.
With the new rules, all app operators should review if they have implemented a non-essential bundled consent for personal information to users on their platforms, according to Gong of Herbert Smith Freehills.
Still, others indicate that more details are needed to effectively regulate how apps collect and use personal information. The new rules did not specify how unnecessary personal information should be collected, and that there should be more regulation on that, according to Samuel Yang, a partner at Anjie Law Firm.
“Compared to necessary personal information, the collection and use of unnecessary personal information is even more complicated and controversial in practice,” Yang said. – South China Morning Post