On 28 November 2019, six months after its draft ("Draft") was released for public comment, the Measures for Determination of Illicit Collection and Use of Personal Information by Apps ("Measures") were jointly released by the Cyberspace Administration of China ("CAC"), the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security ("MPS") and the State Administration for Market Regulation ("SAMR"), with the intention of providing detailed reference and guidance for regulators, app operators and the public.

The Measures, a departmental working document, serve as an important tool in the nationwide campaign against the illicit collection and use of personal information by apps. They are consistent with the Self-Assessment Guide on the Illicit Collection and Use of Personal Information by Apps ("Self-Assessment Guide") issued by the App Special Governance Working Group in March 2019; both specify the most frequent personal information violations, which helps implement the Cybersecurity Law of China together with the Information Security Technology - Personal Information Security Specification ("PISS"). Although described as a "reference", the Measures reflect the authorities' current enforcement practice and are therefore likely to be cited in future enforcement activities.

It is therefore important for stakeholders to meet the relevant app compliance requirements. The Measures are divided by scenario, as in the Draft. Compared with the Draft, the Measures generally provide clearer and more specific guidance; a detailed interpretation of each scenario follows.

I. Acts Defined as Failing to Publicize the Rules of Collecting and Using Personal Information

Each numbered article below is followed by its compliance interpretation.

1. Failing to set a privacy policy, or failing to include rules on the collection and use of personal information in the privacy policy;

Compared with the Draft, the Measures have removed the requirement regarding the user agreement; they emphasise the need for a standalone privacy policy that includes the rules on collecting and using personal information.

2. Failing to remind users, in an obvious way such as a pop-up window, to read the privacy policy and the rules on collecting and using personal information when the app runs for the first time;

Note that the wording adopted is more specific and narrower than in the Draft: "runs for the first time" differs from "first registration" or "first log-in". It is therefore important that the privacy policy pops up the first time the app is launched, not only when the user registers or logs in.

3. Making the privacy policy or other collection and use rules difficult to access; requiring more than four clicks to reach the privacy policy after entering the main interface of the app is one example;

The Measures slightly expand the original wording of the Draft with a catch-all phrase, "difficult to access", which suggests that other situations, such as the absence of a privacy policy link or a broken link, may also be covered.

4. Making the privacy policy or other collection and use rules difficult to read, for example by using small fonts with narrow spacing, a very light font colour, or omitting a simplified Chinese version.

With this "easy to read" rule, the Measures list several points for app operators to follow. App operators should take care when choosing the fonts and formats of their privacy policies; bold fonts and underlining for key terms are recommended.

II. Acts Defined as Failing to Clarify the Purpose, Method, and Scope when Collecting and Using Personal Information


1. Failing to list the purpose, method and scope of the collection and use of personal information by the app, including by entrusted or embedded third-party code and plug-ins;

To address current SDK issues, the Measures specifically require the purpose, method and scope of collection and use to be listed not only for the app itself but also for any entrusted or embedded third-party code or plug-ins.

The reason is that such code or plug-ins usually do not obtain separate authorisation from users, who therefore have no way to restrain their conduct.

2. Failing to notify users when the purpose, method or scope changes; proper methods include updating the privacy policy and reminding users to read it;

The wording implies that the privacy policy must be updated when such changes occur. Compared with the Draft, the Measures suggest that re-authorisation is no longer mandatory in these circumstances. Proper notification usually includes e-mails, letters, calls, text messages, pop-up windows, floating windows, etc. For important updates, floating and pop-up windows are preferable because they are more likely to reach the user.

3. Failing to notify users of the purpose, or stating the purpose in an unclear or hard-to-comprehend way, when requesting permission to collect personal information, or when collecting sensitive personal information such as ID numbers, bank accounts or location;

In addition to the privacy policy, app operators should state the purpose of collection whenever they request permission to collect personal information.

4. Using obscure, lengthy or complicated wording, such as large amounts of jargon, which makes the rules on collecting and using personal information difficult for users to understand.

This is another part of the "easy to read" requirement. Plain and clear language is recommended when drafting the collection and use rules. A summary or additional explanatory aids could be a plus.

III. Acts Defined as Collecting or Using Personal Information Without Obtaining Users' Consent


1. Collecting personal information, or activating the relevant authorisation, before obtaining users' consent;

This rule deals with collecting information such as the IMEI or location before authorisation is obtained; in practice this often happens when third-party SDKs are initialised at launch, before the consent dialog is shown. Obtaining authorisation in time is critical.

2. Collecting personal information or activating the relevant authorisation, or repeatedly harassing users for authorisation, after users have explicitly refused;

Declining to click "consent" or closing the pop-up window may be treated as a refusal by the user. In practice, some apps shut down, or repeatedly show authorisation pop-ups, when users refuse to authorise the first time; such conduct falls under this rule.

3. Collecting personal information or activating the relevant authorisation beyond the authorised scope;

Compared with the Draft, the Measures add the "activating authorisation" limb, so actual collection is not required for a violation. Both omitting collection or use scenarios from the disclosed rules and actual collection, use or authorisation beyond the original scope should be avoided.

4. Obtaining users' consent through implicit means such as default settings;

This rule is new compared with the Draft but consistent with the Self-Assessment Guide. Users must give consent actively, by clicking or ticking; pre-ticked boxes or consent enabled by default do not count.

5. Changing the status of the data collection authorisation without obtaining users' consent;

It is recommended to avoid using means such as app updates to change users' authorisation settings.

6. Sending targeted information based on personal information and algorithms without providing a non-targeted option;

The Draft's wording, "option to terminate targeted information", now reads "non-targeted information option". It is advised to provide an easy way for users to select it.

7. Misleading users into agreeing to the collection of personal information, or into enabling the relevant authorisation, by improper methods such as fraud or deception, i.e. intentionally deceiving users about, or concealing, the true purpose of collecting and using personal information;

This new rule emphasises the legitimacy of collecting personal information. It is therefore recommended to avoid general or vague terms that mislead users, and to avoid deceiving users with fake rules or non-existent benefits.

8. Failing to provide channels and ways for users to withdraw consent to the collection of personal information;

Note that withdrawal here includes partial as well as full withdrawal; app operators should design withdrawal mechanisms that reflect the distinction between core functions and additional functions.

9. Collecting or using personal information in violation of the privacy policy or rules.

This rule stresses consistency between the conduct of app operators and their stated rules. If an app commits to a higher standard in its own privacy policy or rules, it must act accordingly.

IV. Acts Defined as Violation of the Necessity Principle


1. Collecting personal information, or activating the relevant authorisation, that is irrelevant to the existing business functions;

The key lies in the word "existing": the information collected and the authorisations obtained must correspond to the current functions, not past or future ones.

Whether collection is relevant depends on whether the information is indispensable for operating the relevant function, or on the risks that would arise if that information were absent.

2. Refusing to provide certain functions when users decline to provide unnecessary information or to grant the relevant authorisation;

This rule expands the original scope of the Draft. What counts as necessary information should be determined by reference to the PISS. Unless information is deemed necessary for the operation of a function, the app must still provide that function even if the user declines to provide the information.

3. Refusing to provide the original business functions when users decline new business functions that require the collection of information beyond the scope of their previous consent, unless the new functions replace the original services;

This rule distinguishes two scenarios: whether a new function runs alongside the existing functions or replaces them. An app must not discontinue existing functions if the user refuses to authorise the collection of information for a new function that does not replace them.

4. Collecting personal information at a frequency that exceeds the practical needs of the function;

The Measures have removed the Draft's "at the time of using the app" qualifier, so app operators must refrain from collecting information too frequently at any time. Note that collecting information is not the same as transmitting it to the server; the frequency limit applies to collection itself, even where the data is not uploaded.

5. Forcing users to consent to the collection of personal information solely for purposes such as improving service quality, enhancing user experience, sending targeted push notifications or developing new products;

As these purposes usually do not constitute core functions, it is prohibited to force users to consent for such reasons alone. Where they are combined with other legitimate justifications, or where the user consents voluntarily, the position is different.

6. Requiring users to agree to multiple authorisations for the collection of personal information at once, and not allowing them to use the app if they refuse.

This rule targets bundled authorisation in practice. It is advised that the app seek each authorisation separately.

V. Acts Defined as Violation of the Personal Information Sharing Principle


1. Providing personal information to third parties (including through embedded third-party code and plug-ins) without obtaining user consent or anonymising the personal information;

This rule and the other two in this section regulate illicit sharing of personal information without consent; providing personal information to third parties directly and providing it indirectly are treated alike where there is neither consent nor anonymisation.

The app should therefore either obtain user consent or anonymise the relevant personal information before sending it to third parties.

2. Failing to obtain user consent or anonymise the data before uploading it to back-end servers and sending it to third parties;

This rule is similar to the previous one; the only difference is that here the information is first sent to the app's own server. The same caution applies.

3. Failing to obtain user consent before connecting to third-party apps and transmitting users' personal information.

The catch-all clause in the Draft has been replaced with a more specific requirement. App operators should therefore manage their connections to third-party apps; express user consent is required.

VI. Acts Defined as Violation of the Right to Rectification and the Right to Erasure, and Failing to Publish Complaint or Reporting Channels


1. Failing to allow users to correct or delete their personal information or to delete their accounts;

App operators should specify in their privacy policy or rules the process for users to correct or delete their personal information or delete their accounts, and should implement these functions properly in the app.

2. Setting unnecessary or unreasonable conditions for users to correct or delete their personal information or delete their accounts;

This new rule responds to the app governance actions taken by the relevant authorities.

In practice, app operators should avoid complicated or hidden channels for these operations, and should not impose unreasonable conditions such as requiring extra information or a precise browsing history. Barriers arising from connected services or apps, or from promotional activities, should also be kept within reasonable limits.

3. Where manual intervention is needed, failing to complete review and processing in time or within the promised period (the promised period may not exceed 15 working days; if no period is specified, it is deemed to be 15 working days);

The two separate time limits for review and processing in the Draft are combined into one. Prompt response is the baseline, and a maximum of 15 working days is mandated where manual intervention is required.

4. Failing to complete the corresponding operation on the server in time after users correct or delete their personal information or delete their accounts;

The Measures provide more specific guidance than the Draft; they now clearly require that the server-side operation be carried out in sync with the user's action, rather than only in the app's interface.

5. Failing to establish and publish complaint and reporting channels for personal information security matters, or failing to handle complaints or reports within the promised period (the promised period may not exceed 15 working days; if no period is specified, it is deemed to be 15 working days).

This newly added rule provides a safeguard for users. Operators must ensure that complaint and reporting channels actually function; merely setting them up is not sufficient.

As regulators step up their crackdown on infringements of personal information, relevant companies are recommended to conduct self-examination and rectification in accordance with the Measures while enhancing their overall data security and compliance capabilities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.