Data privacy: China defines for the first time ‘necessary’ information that apps can collect, closing ‘bundled consent’ loophole
- Users of live-streaming, short video, news, browser and utility apps can access basic services on these platforms without providing personal information
- The new rules come as China seeks to expand the internet industry’s role in economic growth, while providing more protection for consumers’ personal data
Apps can collect necessary personal information from users that allows them to access basic functions and services, while users can decline to provide data outside what is deemed necessary and continue to use certain apps without obstruction, according to the new rules jointly released on Monday by agencies that include the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Public Security Bureau (PSB) and the State Administration for Market Regulation (SAMR).
The rules are needed at this time because the personal information users needed to provide to access apps has long been very vague, according to James Gong, who advises clients about the technology, media and telecommunications sectors at global law firm Herbert Smith Freehills. He said some app operators have previously exploited that loophole by requiring users to give a “bundled consent” for processing their personal information.
China drafts new regulations to curb excessive data collection by smartphone apps
For ride-hailing apps, the needed data covers a user’s phone number, departure point and destination, location and whereabouts, and payment information including the time, amount and method.
When registering for a phone number in China, customers are required to provide their official identification – a Chinese ID card for nationals and a passport for expatriates. Their ID is tied directly to their phone number, which can be used to verify a person’s identity across a variety of situations such as logging into online services and verification for more confidential services like banking.
Personal information considered necessary to access other common types of apps is more limited. Users of live-streaming, short video, news, browser and utility apps, such as calendar, weather and dictionary, should be able to access basic services on these platforms without providing any personal information.
Clarifying which necessary personal information users are expected to provide will certainly help keep app operators in line, according to Gong of Herbert Smith Freehills. “The regulation is quite detailed, covering most of the popular types of personal information [that apps collect],” he said.
Data privacy: Beijing puts iFlyTek, Tencent and over 100 other app operators on notice for violations
With the new rules, all app operators should review if they have implemented a non-essential bundled consent for personal information to users on their platforms, according to Gong of Herbert Smith Freehills.
Still, others indicate that more details are needed to effectively regulate how apps collect and use personal information. The new rules did not specify how unnecessary personal information should be collected, and that there should be more regulation on that, according to Samuel Yang, a partner at Anjie Law Firm.
“Compared to necessary personal information, the collection and use of unnecessary personal information is even more complicated and controversial in practice,” Yang said.