On March 22, 2021, China issued the Provisions on the Scope of Necessary Personal Information for Common Used Mobile Internet Applications ("《常见类型移动互联网应用程序必要个人信息范围规定》 " in Chinese, hereinafter referred to as the "Provision"), according to which, mobile apps and mini programs shall no longer collect personal information of users beyond the necessary scope.

This Provision, which will come into force as of May 1, 2021, is jointly released by China's four major regulators in data protection and cybersecurity area, namely the Cyberspace Administration of China, the Ministry of Industry and Information Technology (hereinafter referred to as "MIIT"), the Ministry of Public Security, and the State Administration for Market Regulation.

The Provision defines the scope of mobile Internet applications (hereinafter referred to as "Apps"), and clarifies the necessary scope of personal information collected by different types of Apps, which shall be paid great attention to by multinationals collecting personal information through Apps in China.

"Apps" to be Regulated by the Provision

The Provision applies to Apps running on mobile smart terminals that collect users' personal information. Meanwhile, it makes clear that "App" under the Provision shall include application software preset or downloaded and installed in mobile smart terminals, as well as "mini programs" that are developed based on the open platform interface of application software and can be used by users without installation. That means, collecting personal information by mini programs which are accessed through other Apps such as WeChat and Alipay shall also comply with the Provision.

Necessary Scope of Personal Information Collection

As stipulated under the Provision, Apps shall not refuse users to use their basic functions and services because users do not agree to provide personal information deemed unnecessary for basic functions. On this basis, the Provision outlines the scope of necessary personal information for commonly used 39 categories of Apps.

  • Among the 39 categories, 13 of them require no personal information for basic functions, including women's health, online live broadcasting, online audio and video, short video, news, sports and fitness, browser, input method, security management, e-book, photo beautification, app store, and utilities (such as calendar, weather, dictionary, calculator, remote control, flashlight, compass, clock alarm, file transfer, file management, wallpaper and ringtones, screenshot, recording, document processing, smart home assistant, constellation personality test, etc.).
  • In regard to the remaining 26 categories, 6 of them require the registered user's mobile phone number only as necessary personal information for basic functions. Those categories are network community, online game, education, local life assistance, mailbox and cloud drive, and teleconference.
  • For the other remaining 20 categories, the Provision lists the scope of necessary personal information based on their basic functions respectively. For example:
    • Online ride-hailing: the registered user's mobile phone number; the places of departure, arrival, location information, and whereabouts of the passenger; payment information such as time, amount, methods, among others.
    • Instant-messaging: the registered user's mobile phone number; account information, including account number and the list of instant messaging contacts.
    • Online payment: the registered user's mobile phone number, name, identity card type, identity card number and validity period, and bank card number.
    • Online shopping: the registered user's mobile phone number; name, address, and contact number of the receiver; payment information such as time, amount, and methods, among others.
    • Mail express: the sender's identification information such as name, identity card type and number; the sender's address and contact phone number; the recipient's name, address, and contact phone number; and name, nature and quantity of the items to be delivered.
    • Job search: the registered user's mobile phone number; and resume provided by job applicant.
    • Hotel service: the registered user's mobile phone number; the hotel guest's name and contact information; check-in and check-out time; and name of hotel.

Legal Consequence of Violating the Provision

The Provision itself does not specify how offenders will be punished, but provides that any organization or individual who finds violations of the Provision can report to the relevant authorities, which will deal with it in accordance with the law after receiving the report. In practice, at the current stage, enforcers impose penalties according to the Cybersecurity Law of China. That means, offenders may face a fine of up to CNY 1 million (about USD 153,300), an order to make rectification, removal of App from app store, suspension of related business, shutdown of website, and/or revocation of business license.

Looking Forward

China has always been proactive in regulating unscrupulous collection of personal information by Apps. As reported, by the end of last year, the MIIT has completed technical testing of 320,000 Apps in mainstream domestic app stores, and has urged more than 1,100 companies to make rectifications.

As China is stepping up the formulation of the Personal Information Protection Law, which is expected to be approved within this year, even more severe penalties, for example, fines counted on turnover basis like the GDPR, might be faced by offenders in the future. Therefore, multinationals operating Apps in China shall comply with the Provision and are suggested to pay close attention to the enactment of the Personal Information Protection Law to ensure compliance with the new law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.