The Chinese data protection regime has been developing constantly and rapidly in recent years. On November 28, 2019, the Cyberspace Administration of China (CAC), along with three national-level ministries, shed more light on how APP operators should collect and use personal information (PI) in a compliant way. The guideline outlines in quite straightforward terms the specific acts of misconduct that should be avoided, and is similar in part to the GDPR requirements. It is rolled out under the roof of the PRC Cyber Security Law and serves as a good reference for companies to better design and manage their APP-related business.
Statutorily required disclosure on purpose, manner and scope (PMS) of PI collection and use will only be satisfied when an APP
Data subject’s consent will be deemed missing where the APP has any of the following:
Under the Measures, excessive collection of personal information exists if an APP.
Compared with rules in the past, the Measures stress the aspects set out below to which APP developers and operators shall pay particular attention:
Anonymization: any in-APP or via-APP transmission of collected data to third parties (including via embedded coding, plug-in or re-linking) shall be subject to valid consent; anonymization plays an important role here, and its absence could potentially frustrate a given consent;
Right to be forgotten: APPs shall provide valid and reasonably accessible means for users to delete PI and de-register, where a deletion request shall be attended to promptly and the deletion completed within a deadline of maximum 15 working days;
Complaint handling: a valid contact point for compliance shall be provided and a complaint shall be handled within a deadline of maximum 15 working days.
Many of the issues addressed by the Measures are blind spots that have been commonly seen for a number of years in the fields of finance and retail, while the respective rules remained general and vague. Misuse and misleading or even deceptive practices on the market have given rise to serious complaints by consumers. Enforcement actions by regulators have been mainly driven by social complaints instead of detailed rules.
The Measures now draw a very clear line for how APP operators should behave, which is good news particularly for those companies which have good data and privacy protection practices in place. In addition, to provide clear and practicable guidance, the Measures outline very specific acts of misconduct, which are not meant to be exhaustive. This is a very pragmatic approach taken by the regulators to address the concerns of society. Considering that the whole data protection and cyber security regime in China is growing fast, it is foreseeable that more guidance and rules like the Measures will be rolled out in the near future.