Since the beginning of 2019, a pressing topic in the field of cybersecurity and personal information protection in China has been the regulation of mobile applications. Hundreds of apps have been admonished by the regulatory departments, and some have been pulled from app stores. The regulatory storm of 2019 marks a turning point: a tight regulatory regime is becoming the norm for apps in China. It is therefore reasonable to expect this trend to continue in 2020, with ever tighter regulation and governance.

Strict governance over apps in China in 2019

At the beginning of 2019, four major regulatory departments in China, including the Cyberspace Administration of China, jointly established an app governance working group to centrally govern the illegal collection of personal information by apps in China.

In 2019, the working group and other regulatory departments conducted several rounds of app assessments and spot checks. More than a hundred apps were publicly named by these departments in order to push noncompliant operators to correct substandard data protection practices.

On July 11, 2019, the working group released a list of 30 apps with compliance issues. Then, on July 16, 2019, the working group released another list of 40 apps with compliance issues.

In November 2019, the Public Security Bureau released a list of 100 apps that were pulled from stores because they failed to collect and process personal information in compliance with the relevant rules and regulations.

On Dec. 20, 2019, the working group re-assessed its list of noncompliant apps and found that 57 still had compliance issues, mainly relating to the collection and use of personal information.

Case study in 2019: The storm raised by the Zao app

Zao was a popular app in 2019. Using artificial intelligence technology, it replaces the faces of characters in films, television shows or short videos with the face in a photo uploaded by the user, generating a new video clip. To do this, Zao collects and uses its users' face photos, and in the course of its operation it builds up a large database of user facial features.

In accordance with Article 5.5 of the Information Security Technology — Personal Information Security Specification, the personal information controller (in this case, the operator of Zao) must obtain explicit consent from the personal information subject (the user) before collecting sensitive personal information. Zao initially failed to clearly notify users that it was collecting and processing their sensitive personal information (their face photos), and it did not obtain explicit consent from its users to do so.

Moreover, Zao did not disclose details of the third parties to which it might transfer users' sensitive personal information for processing. Pursuant to the "Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information," users must be notified of the purpose, method and scope of the collection and use of their personal information, as well as the recipients of that personal information.

On Sept. 3, 2019, the Security Bureau of the Ministry of Industry and Information Technology admonished the parent company of Zao's operator and requested that Zao self-assess its privacy policy and user agreement and implement the necessary corrective measures. On the same day, Zao issued a public apology. Zao's business reputation took a heavy hit from the regulatory storm.

Suggestions for apps in 2020: Accessible privacy policies and user agreements

Pursuant to Article 1 of the "Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information," apps should provide a clear interface through which users can read and access the privacy policy and user agreement. Apps shall:

  • Prompt users to read the privacy policy and user agreement through a pop-up window when the user first runs the app.
  • Ensure the privacy policy and user agreement are easy to read and understand (with a proper font size and line spacing) and are written in simplified Chinese.
  • Ensure users can reach the privacy policy and user agreement easily, in no more than four taps from the app's interface.

Obtaining consent from users

According to the Cyber Security Law and the Methods, apps must fully inform users, in the privacy policy and user agreement, of how their personal information is collected and processed. Apps should therefore:

  • Not collect personal information beyond the scope the user has approved.
  • Not repeatedly ask for consent after a user has declined to grant an authorization.
  • Obtain explicit consent from users rather than relying on implicit consent.
  • Not ask for an authorization that has no connection to the app's current functions.
  • When adding new functions, let users choose whether to use them and whether to provide the personal information those functions need.
  • Not ask users for multiple authorizations at the same time.

Embedded SDKs

In the past, third-party software development kits embedded in apps have often obtained users' personal information without their consent. Such embedded SDKs collected personal information unlawfully because they failed to notify users of the collection. If an app embeds SDKs, its operator should observe the following:

  • Notify users of the categories, purposes and scope of the personal information collected by each SDK, and obtain users' consent for that collection.
  • Do not make the app's main function conditional on the user authorizing an SDK's collection of personal information.
  • Do not provide non-anonymized personal information to any third party without the user's consent.

Account de-registration and issue reporting

Apps should provide portals through which users can correct or delete their personal information or de-register their accounts. In practice, many apps offer no way for users to request correction or deletion of their personal information, nor do they delete accounts when the app has been uninstalled. Apps should also make it easy for users to report potential data security issues to the developer or operator.

Children’s personal information

China strengthened the protection of children's online privacy in 2019. On June 1, 2019, the "Provisions on Cyber Protection of Personal Information of Children" was officially published. Apps that wish to collect and use personal information relating to minors under the age of 14 should:

  • Notify the children's guardians of the security measures taken to protect the children's personal information.
  • Encrypt all stored information relating to children, strictly limit access to children's personal information, and take technical measures to prevent illegal copying and downloading of children's personal information.
  • Draft dedicated rules and user agreements for the protection of children's personal information.
  • Appoint one or more persons responsible for the security of children's personal information.

After the various rectification actions of 2019, most app operators have come to recognize the importance of self-assessment and compliance review. However, China's laws and regulations on cybersecurity and personal information protection are complex, and app governance in China is likely to become considerably more stringent in 2020.
