As per the draft rules, 38 types of apps are now required to tell users about the personal information they collect, and are prohibited from collecting any data not related to the services they offer.
In an effort to tackle cybersecurity and privacy failures, China on Tuesday, December 1 revealed new draft guidelines to limit how tech companies collect personal data through mobile apps.
According to the draft rules published by the Cyberspace Administration of China, 38 types of apps, including online shopping, mobile payment, instant messaging, ride-hailing, online food delivery and bike sharing, are now required to tell users about the personal information they collect. They are also required to obtain users’ consent before data collection.
“In recent years, mobile Internet applications have been widely used and have played an important role in promoting economic and social development and serving people’s livelihoods,” the cyber administration said in a statement, according to Reuters.
“At the same time, it is common for apps to collect … personal information beyond their scope, and users cannot install and use them if they refuse to agree,” it added.
Furthermore, apps are prohibited from collecting data that is not related to the services they provide. For instance, while ride-hailing apps can collect a user’s phone number or other personal identity information, their location, and destination, a smartphone payment platform may only collect information such as users’ phone numbers and bank card numbers, but not their location. Similarly, map apps can only collect location data.
The draft guidelines are open for public feedback until December 16, after which the government is expected to finalize the guidelines and put them into effect.
Recently, Lu Chuncong, deputy director of the Information and Communications Administration under the Ministry of Industry and Information Technology (MIIT), rebuked some of China’s biggest Internet companies for weak user data protection in their apps, reported South China Morning Post, citing Chinese media.
At a meeting in Beijing, Li accused app operators of defying the government’s order to strengthen consumer data privacy, stating that an official review found many popular apps to lack strong personal data protection. These included 40 apps from Alibaba Group Holding, 20 from Baidu, and 30 each from Tencent Holdings and TikTok operator ByteDance, among others.
Draft Personal Information Protection Law
The new guidelines is the latest in a series of measures recently taken by China to clampdown on the tech industry.
In October 2020, China unveiled its first draft of the Personal Information Protection Law (PIPL), which, if passed, will become the country’s first set of laws regulating the collection and processing of personal information. PIPL was released for public comments on October 21, and the consultation window closed on November 19.
While currently, China’s Cybersecurity Law (CSL) governs the protection of personal information, it does not specifically address personal data protection. PIPL will be a more comprehensive law that covers more aspects of personal information protection and specifies rules for processing “personal information” and “sensitive personal information,” the rights of individual data subjects, data protection principles, and penalties for breaches, among others.
Legal experts have welcomed the draft, with Wang Zhicheng, associate professor of finance at the Guanghua School of Management at Peking University stating that the past two decades have been a “wild era” for China’s Internet.
While PIPL has proposed an increase in penalties of up to 50 million yuan (USD $7.6 million) or 5% of annual revenue for companies responsible for data breaches, it has not detailed what companies should do to be compliant. The draft is in line with Europe’s General Data Protection Regulation (GDPR) which was the first to introduce the concept that each person should have ownership of their own data.
PIPL, together with China’s existing Cybersecurity Law and draft Data Security Law is expected to control how platforms collect and use consumers’ personal information and curb tech behemoths’ control over personal data.
Last month, China drafted new anti-monopoly rules for tech firms, which came on the heels of Alibaba spin-off Ant Group’s $35 billion IPO being suspended over regulatory concerns.
The regulations (“Guidelines for Antitrust in the Field of Platform Economy”) issued by China’s bureau for regulating monopolies, the State Administration for Market Regulation (SAMR), were seemingly aimed at tech giants like Alibaba Group Holding Ltd. and Tencent Holdings Ltd. SAMR stated that the guidelines were meant to protect fair competition in the market and safeguarding consumers’ interest.
While many apps from major Chinese Internet companies already take permission from users for data collection, several also gather data that is considered irrelevant to their service, with “super apps” being of particular concern.
A super app, such as TikTok, Tencent Holdings’ WeChat chat app, and Alibaba’s Alipay app are huge Internet platforms that provide a wide range of services. According to analyst Fu Xiaoyan, “the goal of the Antitrust Guidelines is not to prevent the birth of “super apps”, but to regulate their behavior.”
Within days of the guidelines, Chinese tech shares plummeted, with biggest tech giants losing $280 billion of their market value. According to Morgan Stanley analysts, the potential implementation of the antitrust regulations has “negative implications for major Internet companies with dominant positions across segments.”
As per the “Statistical Report on China’s Internet Development Status,” there are 940 million Internet users in China, as of June 2020. There is 67% internet penetration in the country and 409 million people use online food delivery, 381 million use online education, 340 million use online car-hailing, and 276 million use online medical services; all leading to a swell in data growth in the country.
As China continues to digitize its economy, privacy infringements and information breaches have become significant issues in the country. Last year, the China Cybersecurity Centre penalized 100 apps from various industries for incorrect collection of personal data, lack of privacy agreements, or ambiguous rules. Early last year, China’s National Computer Network Emergency Response Technical Team (CN-CERT) also said that the illegal use of personal data had become “a prominent issue.”