Interim Provisions on the Protection and Management of Personal Information in Mobile Internet Applications (Draft for Solicitation of Comments)

[Source]http://www.cac.gov.cn/2021-04/26/c_1621018189707703.htm

Article 1: These provisions are drafted on the basis of the Cybersecurity Law of the PRC in order to protect rights and interests in personal information, to regulate the personal information handling activities of mobile internet applications (hereinafter simply APPs), and to promote the reasonable use of personal information.

Article 2: Apps' personal information handling activities carried out within the [mainland] territory of the PRC shall comply with these provisions. Where laws and administrative regulations have other provisions on personal information handling activities, those provisions control.

Article 3: "APPs' personal information handling activities" as used in these Provisions refers to the activities of applications operating on mobile smart terminals in collecting, storing, using, processing, or transmitting personal information.

The term "app developers and operators" as used in these Provisions refers to an entity engaged in App development and operation activities.

The “App distribution platform” as used in these Provisions refers to a software service platform that provides App download and update services through app stores, app markets, websites, and so forth.

The term "App third-party service provider" as used in these Provisions refers to an entity, other than the user or the App itself, that provides third-party services for Apps such as software development kits (SDK), packaging, reinforcement, and compilation environments.

The term "mobile smart terminal production enterprise" as used in these Provisions refers to entities that produce mobile smart terminal equipment that can access public networks and that either provide pre-installed APPs or have the capacity to install APPs.

The term "network access service providers" as used in these Provisions refers to telecommunications operators engaged in internet data center (IDC) operations, Internet access service (ISP) operations, and content distribution network (CDN) operations, that provide network access services to APPs.

Article 4: The State Internet Information Office is responsible for the overall planning and coordination of efforts on APPs' protection of personal information and for the relevant oversight and management work. Together with the Ministry of Industry and Information, the Ministry of Public Security, and the State Administration for Market Regulation, it is to establish and complete a joint working mechanism for the oversight and management of APPs' protection of personal information, to plan the advancement of policies, standards, specifications, and so forth, and to strengthen information sharing and guidance for APPs' efforts to protect personal information. Each department is responsible for the oversight and management of Apps' protection of personal information within the scope of its respective duties.

Provincial, autonomous region, or directly governed municipality internet information offices, bureaus for telecommunications management, public security offices (bureaus), and bureaus for market regulation are responsible for efforts on the oversight and management of Apps' protection of personal information within that administrative region.

The departments provided for in the preceding two paragraphs are collectively referred to as the "departments performing oversight and management of Apps' protection of personal information".

Article 5: Apps' personal information handling activities shall use lawful and proper methods and comply with the principle of good faith; they must not use methods such as fraud or misdirection in handling personal information, so as to genuinely safeguard users' rights to consent, to know, and to choose, as well as the security of their personal information. APPs are responsible for their own personal information handling activities.

In accordance with relevant laws, standards, and provisions, related industry organizations and professional bodies are to carry out appraisals and certifications of Apps' capacity to protect personal information.

Article 6: Those engaged in personal information handling activities shall notify users of the rules for handling personal information in clear and understandable language, and users are to make voluntary and clear expressions of their wishes on the basis of being fully informed.

(1) Pop-up windows, text links, attachments, and other such methods shall be used on the App's login and registration pages, and when the App is used for the first time, to notify users of the rules for handling personal information, such as the entities handling personal information, the purposes and methods of handling, the types of personal information handled, the period of retention, and so forth;

(2) User consent shall be obtained through methods other than default selection;

(3) Users' right of election shall be respected, and their personal information must not be handled before their consent is obtained or after they express refusal; and where there is a change in the rules for handling personal information, users' consent shall be newly obtained;

(4) When activating the corresponding operational function, the App shall request all permissions it requires for that function, and must not require users to give blanket consent to multiple system permissions; further, the status of permissions set by users must not be changed without the users' consent;

(5) Where it is necessary for third parties other than the app to provide personal information, notice shall be given to the users of the third parties' identity, contact methods, the purpose and methods of handling, and the types of personal information to be handled, and other such matters, and the users' consent shall be obtained;

(6) Where sensitive personal information such as on race, ethnicity, religion, personal biometrics, medical health, financial accounts, or personal whereabouts is handled, individual notice shall be given to the users, and the sensitive personal information may only be handled after the user's consent is obtained.

Article 7: Those engaging in personal information handling activities shall have a clear and reasonable purpose and comply with the principle of minimum necessity; they must not engage in personal information handling activities that exceed the scope of the users' consent or that are unrelated to the service scenario.

(1) Factors such as the volume, frequency, and precision of personal information handling shall be as necessary for services, and personal information must not be handled exceeding this scope;

(2) Local reading, writing, deletion, modification and other operations on personal information shall be necessary for the service and must not exceed the scope of operations that the user has consented to;

(3) After users reject a request for authorization, they must not be forced to exit or close the App; advance authorization exceeding the operational functions or services must not be requested, and frequent pop-up windows must not be used to request authorization that exceeds the current service scenario;

(4) The App must not self-activate or activate other Apps where this is unnecessary for the service or there is no reasonable scenario;

(5) When users refuse to provide personal information that is not necessary for that service type, it must not impact the users' use of that service;

(6) Users must not be forcibly required to consent to personal information handling that exceeds the necessary scope or is unrelated to the service scenario on the basis of improving service quality, enhancing user experience, developing new products, pushing targeted information, risk control, and so forth.

Article 8: App developer-operators shall perform the following obligations to protect personal information:

(1) Increase awareness of personal information protection in products and services, implementing requirements for the protection of personal information in stages such as product design, development, and operation, and using conspicuous and clear methods to periodically present the App's collection and usage of personal information to users;

(2) When providing users with search results for goods or services based on their personal information, ensure that the results are fair and reasonable, and at the same time provide users with options that are not targeted to their personal characteristics, so as to respect and equally protect the lawful rights and interests of users;

(3) Where third-party services are used, formulate management rules indicating information such as the name, function, and personal information handling rules of the third-party service provider; sign an agreement with the third-party service provider on the handling of personal information, indicating the rights and obligations of both parties; and conduct management and oversight of the third-party service provider's handling of personal information and information security risks. Where App developer-operators fail to fulfil their oversight obligations, they shall bear joint responsibility with the third-party service providers;

(4) For independent service function blocks that do not impact other services, an option to close or exit from the independent service function shall be provided to users, and the provision of other services must not be refused to users for exiting or closing it;

(5) Strengthen efforts such as front and back-end security protections, access controls, technical encryption, security audits, and so forth, and actively monitor and discover leaks and other violations of personal information, and promptly respond to handling requirements;

(6) Other obligations to protect personal information as provided by the state.

Article 9: App distribution platforms shall perform the following obligations to protect personal information:

(1) Register and verify the real name information, contact methods, and other information of App developer-operators and providers.

(2) Indicate the list of user terminal authorizations that the App requires for operation in a conspicuous location, as well as the types, content, scope, methods, and usage of personal information collected, the rules for handling it, and other relevant information.

(3) Must not trick or mislead users to download Apps;

(4) Conduct a regulatory review of newly released Apps' personal information handling activities prior to their being placed in the market, complete supplemental reviews of already released Apps within one month of the release of these Provisions, and conduct updates or clean ups based on the outcomes of the reviews;

(5) Establish management mechanisms for App developer-operators such as a credit point system, a list of risky apps, platform information sharing, and signature verification;

(6) As requested by the departments for oversight and management, improve reporting mechanisms and promptly cooperate with departments for oversight and management in efforts to report, respond to, and address problematic Apps;

(7) Set up convenient portals for complaints and reports, and promptly address complaints and reports from the public on Apps distributed by the platform;

(8) Other obligations to protect personal information as provided by the state.

Article 10: App third-party service providers shall perform the following obligations to protect personal information:

(1) Formulate and disclose rules for the handling of personal information;

(2) Disclose the purpose of personal information handling, the methods and types of handling, the retention period, and other such content to the APP developer-operator in a clear, understandable, and reasonable fashion; and their personal information handling activities shall remain consistent with the disclosed rules for handling personal information;

(3) Actions such as activation, calls to apps, or updates must not be carried out without users' consent or a reasonable business scenario;

(4) Employ sufficient management measures and technical means to protect personal information, and when security risks or changes to rules for handling personal information are discovered, they shall promptly update them and notify the APPs' developer-operators;

(5) Users' personal information that has been collected must not be shared or transferred without the users' consent;

(6) Other obligations to protect personal information as provided by the state.

Article 11: Mobile smart terminal producing enterprises shall perform the following obligations to protect personal information:

(1) Improve mechanisms for the management of terminal authorizations, promptly making up for holes in authorization management, continuously optimizing and regulating the ability to record sensitive conduct, and proactively facilitating requests for user authority and notifications;

(2) Establish a management mechanism for terminal startup and associated startup of Apps, providing users with the option of turning off self-starting and associated startup;

(3) Continue to optimize the display of the usage status of personal information authorizations, especially mechanisms for conspicuous reminders of the usage status of sensitive authorizations such as recording, photos, and video, to help users promptly understand the usage state of their personal information authorizations;

(4) Establish a list of key apps for attention as a management mechanism and improve measures for the management of mobile smart terminal Apps;

(5) Conduct reviews of pre-installed apps and continuously monitor security risks in pre-installed Apps' handling of personal information;

(6) Notify users of the list of personal information requested by the app in a conspicuous fashion during installation;

(7) Improve mechanisms for the management of terminal equipment identification;

(8) Other obligations to protect personal information as provided by the state.

Article 12: Network access service providers shall perform the following obligations to protect personal information:

(1) When providing apps with network access services, register and check the real names, contact methods, and other information of the App developer-operators;

(2) As requested by departments for oversight and management, lawfully employ necessary measures against Apps that violate rules such as stopping access or obstructing continued violations that infringe on users' personal information and other lawful rights and interests;

(3) Other obligations to protect personal information as provided by the state.

Article 13: Relevant entities engaged in App personal information handling activities shall strengthen education and training for personnel, formulate internal management systems for the protection of personal information and implement multi-level cybersecurity protections, response plans, and other such system requirements; employ technical security measures such as encryption or de-identification to prevent unauthorized access and risks such as leaks, theft, alteration, or deletion of personal information; and where it is necessary to verify users' real name information, it shall be done using the national uniform citizen identification verification infrastructure.

Article 14: Where any organization or individual discovers conduct in violation of these provisions they may make a complaint or report to the departments for oversight and management or to the Internet Society of China or the Cyberspace Security Association of China, and the departments for oversight and management and relevant organizations shall promptly accept, investigate, and address them.

Entities engaged in Apps' personal information handling activities shall conscientiously accept societal oversight.

Article 15: The departments for oversight and management may carry out inspections of personal information protections for Apps that have issues, based on public complaints and reports or issues discovered during regulation.

Entities engaged in Apps' personal information handling activities shall cooperate with departments for oversight and management carrying out oversight inspections in accordance with law.

Article 16: Where it is discovered that entities engaged in personal information handling activities have violated rules, the departments for oversight and management may, based on their respective duties, employ the following measures to address them:

(1) Order corrections and public announcements. The developer-operators of Apps in which problems are detected, App distribution platforms, third-party service providers, and related entities are to be required to make corrections within 5 working days so as to promptly eliminate the threat; where the correction is not completed, a public announcement is to be made.

(2) Removal from market. Where after public announcement for 5 days, rectification is still not completed, relevant entities may be requested to take apps off-market; where problems repeatedly manifest or technical resistance measures are employed, and the situation is serious, they may be directly removed from the market; and Apps removed from the market must not be returned to the market through any means for 40 workdays.

(3) Cutting access. Where corrections are not completed as required after an App has been taken off-market, necessary measures such as cutting off network access are to be employed.

(4) Put back on market. After Apps that have been removed from the market have completed corrections, improved technical and management mechanisms, and made pledges for the enterprise to self-discipline, they may apply to the departments for oversight and management that made the decision to remove them from the market, requesting to be put back on the market.

(5) Restore access. After Apps that have had network access cut off have made corrections, they may apply to the departments for oversight and management that made the decision to cut off their access, requesting that they restore access.

(6) Credit management. Relevant entities that break rules may be included in credit management for the implementation of joint punishments.

Article 17: The departments for oversight and management may guide and organize app distribution platforms and mobile smart terminal producing enterprises to conduct risk alerts in stages such as assembly, distribution, pre-installation, and installation of Apps with repeated issues and related Apps from the developer-operator, and where the circumstances are serious employ measures such as entry prohibitions.

Article 18: Where Apps' personal information handling activities infringe on personal information rights, punishments are to be given in accordance with relevant provisions; where a crime is constituted, the public security organs are to pursue criminal responsibility in accordance with law.

Article 19: The departments for oversight and management shall preserve the confidentiality of personal information they learn of in the performance of their duties and must not leak, alter, destroy it, sell it, or illegally provide it to others.

Article 20: These Provisions will take effect on _/__/__.