Companies are increasingly using their own apps to tap the growth in e-commerce, capturing users' personal information and improving their ability to tailor products to customers. While this undoubtedly means more convenience for consumers, the inherent risks to personal information security are also becoming clear.
To counter illegal and excessive collection, excessive requests for permissions and other such infringements of personal information, the Cyberspace Administration of China (CAC) has, in accordance with a growing legal and regulatory framework, been monitoring, inspecting and publicly reporting apps with a wide user base.
The Personal Information Protection Law (PIPL), dedicated to protecting personal information in China, came into effect on 1 November 2021. In combination with the Cybersecurity Law, the Civil Code and the Data Security Law, China has taken a major step forward in terms of improving personal data protection through legislation.
The rollout of laws and regulations, together with a checklist-style regulatory approach, has created numerous and detailed requirements for businesses and for the day-to-day management and personal information processing of their corporate apps. Most importantly, the principle of "necessity" expressly required by law marks the boundary of the personal information an enterprise is allowed to collect through its app.
Non-essential collection and use
Following on from the CAC reports on illegal collection and use of personal information, non-essential or excessive collection and use of personal information by corporate apps can be broadly grouped as follows:
- Users are forced to authorise the app to collect personal information; if they refuse, the app cannot be used at all.
- The app's user agreement bundles consents by default and contains unreasonable exclusion clauses.
- Collection of personal information unrelated to the app's functions and beyond the necessary scope of the enterprise's own business, or non-essential and non-compliant collection of biometric information such as facial data, voice prints and fingerprints.
- Mandatory acquisition of permissions in the background, or repeated prompting for permissions unrelated to the app's functions, such as location, microphone, camera, notifications, background start-up, associated start-up, and access to sensitive data stores (stored personal information, recordings, photographs, etc.) for upload.
Under article 5 of the PIPL, article 41 of the Cybersecurity Law and article 1035 of the Civil Code, the processors of personal information must abide by the principles of lawfulness, appropriateness and necessity, and personal information may not be collected or processed beyond the necessary scope.
Additionally, the Information Security Technology – Personal Information Security Specification sets out the "minimum necessary" principle for personal information security. In other words, only the minimum types and amount of personal information necessary, and for which the subject has explicitly given authorisation and consent, may be collected. The specification expressly requires personal information processors to consider the boundary of collection and use from the following perspectives:
- The personal information collected must directly contribute to the realisation of the business function of the product or service.
- The frequency of personal information collection should be the minimum necessary to perform the business function of the product or service.
- The amount of personal information indirectly obtained should be the minimum necessary to perform the business function of the product or service.
The Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations, the Practical Guide to Cybersecurity Standards: Guide to Self-assessment of the Collection and Use of Personal Information by Mobile Internet Applications (Apps), and the Practical Guide to Cybersecurity Standards: Guidelines for the Personal Information Security Precautions Taken by Mobile Internet Applications (Apps) (Draft for Comment), set out the following basic requirements for companies to comply with the principle of necessity when collecting and using personal information with their apps:
- Only collect personal information directly connected to the business functions. In other words, the information must be indispensable for the functioning of the product or service.
- Do not bundle consents or collect personal information in an inappropriate or unreasonable manner, for instance by refusing to let the app function when the user does not consent to collection or declines an unnecessary authorisation.
- Allow users to refuse collection of non-essential personal information and to refuse non-essential authorisations for access to personal information in the background.
- The frequency of personal information collection should be no more than that required for the app to function.
More detailed basic regulations on apps collecting personal information can be found in the Basic Requirements for Collecting Personal Information in Mobile Internet Applications (Apps) (Draft for Comment), and the Provisions on the Scope of Necessary Personal Information for Commonly Used Mobile Internet Applications (Apps), which set out full lists of the information that may be collected by each type of app, as well as the boundaries and specific restrictions.
Excessive collection and use of personal information by corporate apps has become a major concern of the relevant competent authorities, which are strengthening their oversight. In light of the more forceful legislation and law enforcement, companies can refer to the following recommendations to mitigate the risks involved in collecting and using personal information:
- Understand the types of personal information necessary for the business functions of their apps, and avoid collecting and using personal information not directly connected to those functions.
- Unless absolutely needed for the performance of those functions, do not repeatedly prompt users to grant access to personal information, and do not abuse sensitive permissions such as the microphone and camera.
- Regularly refer to the relevant guidelines and standards to check whether the app collects and uses personal information beyond the necessary scope, and actively bring it into compliance.
- Keep an eye on legal and regulatory updates relating to corporate apps and on special requirements for specific fields, and revise in a timely fashion the operating procedures for the collection and use of personal information by their apps.
Wei Jie is an associate at Tiantai Law Firm
Tiantai Law Firm
29/F, T1 Building, Raffles City
No.1133 Changning Road, Changning District
Shanghai 200051, China
Tel: +86 21 5237 7006
Fax: +86 21 5237 7009