Following the crackdown by Chinese authorities against non-compliant mobile apps in late 2019 (please see Episode 8 in this series), the authorities have issued a series of app compliance guidelines (including the Guide to Self-Assess Illegal Collection and Use of Personal Information by Apps, Methods for Identifying Unlawful Acts of Apps to Collect and Use Personal Information, and Draft Specification for Collecting Personal Information in Mobile Applications). These guidelines imposed detailed obligations and practical actions to urge mobile app operators to conduct self-assessments and to rectify any non-compliant data processing practices. Organisations may have noted that some of these guidelines contain conflicting requirements.

To join the dots and to take into account the recently updated Personal Information Security Specification (please see Episode 11 in this series), the Chinese authorities have recently published a new set of practical draft guidelines for Chinese mobile app operators to self-assess the compliance of their app interface design and data processing activities. This new set of guidelines provides much-needed practical guidance for app operators to lawfully process personal information and to identify their data flows.

It also shows the authorities' continued focus on strictly regulating apps in China.

We have summarised some of our key observations below:

  1. A Simplified Chinese version of the app operator's privacy policy should be made available to users. For multinational companies operating apps in China, having an English-only privacy policy for their Chinese app users would no longer be enough to comply with PRC law.
  2. Overseas data transfers: Mobile app operators should draw users' attention to the types of data in the privacy policy which are subject to overseas data transfers (e.g. by way of underline, bold or a different colour). If app operators do not intend to transfer any data overseas, this should also be explicitly stated in the privacy policy.
  3. Overseas data storage: Mobile app operators should clarify where data is stored (e.g. specifying the country or region, inside or outside of the PRC). Given the rise of cloud-hosted mobile apps, app owners will need to understand their cloud provider's infrastructure locations and contractual hosting location commitments in order to comply with this requirement.
  4. No repeated requests for personal information: Operators should not repeatedly (within 48 hours) ask users for consent to collect and process personal information if users have previously refused to give such consent.
  5. Explicit consent: The draft guidelines reiterate that explicit consent is needed for the collection and processing of personal information. Pre-checked boxes or implied consent to the privacy policy are not acceptable.
  6. Direct marketing: There should be a clear opt-out mechanism for the use of personal information for direct marketing purposes.
  7. Data subject rights: App operators should process all data subject access requests, de-registration requests and correction requests within 15 working days of receipt.

Unfortunately, other important topics in the PRC cybersecurity regime, such as localisation of personal information, were not clarified in these draft guidelines. App operators should review and update their China privacy programmes in light of the above, and continue to monitor changes as the China privacy landscape evolves.

Originally published 9 April 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.