Author

Dr. Michael Tan

Partner

7 January 2020

New guideline for APP privacy behaviour

The Chinese data protection regime has been developing constantly and rapidly in recent years. On November 28, 2019, the Cyberspace Administration of China (CAC), together with three national-level ministries, shed more light on how APP operators should collect and use personal information (PI) in a compliant way. The guideline sets out, in quite straightforward terms, the specific acts of misconduct that must be avoided, and in part resembles the GDPR requirements. It is issued under the PRC Cyber Security Law and serves as a useful reference for companies designing and managing their APP-related business.

According to such Measures on Identifying Misconducts of APPs in Collection and Use of Personal Information in Violation of Laws and Regulations (Guo Xin Ban Mi Zi [2019] No. 191), good privacy policy practices should include the following features:

  • present within the APP itself and containing the rules on collection and use of PI,
  • shown to the user by way of a pop-up on first run,
  • easy to access (e.g. reachable within at most four clicks from the main page),
  • easy to read and displayed in a prominent way, and
  • tailored to the China market: available in simplified Chinese, so do not forget a good translation!

Statutorily required disclosure on purpose, manner and scope (PMS) of PI collection and use will only be satisfied when an APP

  • sets out the PMS of each processing activity, including collection by embedded code, plug-ins or third parties,
  • properly notifies users of any change to the PMS (e.g. reminds users to read the updated privacy policy),
  • discloses the purposes of use explicitly, clearly and understandably when requesting a permission used to collect PI (particularly sensitive personal information such as ID number, bank account or location), and
  • keeps the privacy policy easy to read and free of jargon.

Data subject’s consent will be deemed missing where the APP has any of the following:

  • obvious misconduct such as collecting PI without, before or in deviation from the data subject's consent or the privacy policy, or obtaining consent by fraud or deceit,
  • after consent has been explicitly declined, repeatedly using pop-ups to seek it again and thereby interfering with the user's normal use,
  • relying on opt-out instead of opt-in,
  • changing the permission configuration without the user's consent, e.g. resetting it through an APP update,
  • pushing information based purely on user profiling without offering a non-profiled alternative, or
  • providing no means to withdraw consent once given.

Under the Measures, excessive collection of personal information exists if an APP:

  • collects PI which is irrelevant to, or goes beyond the actual needs of, the services offered,
  • bundles consent with the services offered (including tying extended consent to an APP update),
  • bundles consent with better services or experience, profiling-based pushing or new product R&D, or
  • requests consent for several purposes in one go (bundled consent).

Compared with rules in the past, the Measures stress the aspects set out below to which APP developers and operators shall pay particular attention:

Anonymization: any in-APP or via-APP transmission of collected data to third parties (including via embedded code, plug-ins or re-linking) requires valid consent unless the data has been anonymized. Anonymization therefore plays an important role: passing non-anonymized data to a third party without such consent may go beyond, and thus undermine, the consent the user has already given;

Right to be forgotten: APPs shall provide valid and reasonably accessible means for users to delete their PI and de-register; a deletion request must be attended to promptly and the deletion completed within a maximum of 15 working days;

Complaint handling: a valid contact point for compliance matters shall be provided, and a complaint must be handled within a maximum of 15 working days.

Many of the issues addressed by the Measures have been blind spots for a number of years, commonly seen in the finance and retail sectors while the relevant rules remained general and vague. Misuse, misleading and even deceptive practices on the market have given rise to serious consumer complaints, and enforcement actions by regulators have so far been driven mainly by such complaints rather than by detailed rules.

The Measures now draw a very clear line for APP operators, which is good news, particularly for those companies which already have good data and privacy protection practices in place. To provide clear and practicable guidance, the Measures list very specific acts of misconduct, while making clear that the list is not exhaustive. This is a pragmatic approach by the regulators to address the concerns of society. Given that the whole data protection and cyber security regime in China is growing fast, it is foreseeable that more guidance and rules like the Measures will be rolled out in the near future.
