[Source]http://www.cac.gov.cn/2022-01/05/c_1642983962594050.htm Comment Period: Until January 20, 2022
Chapter I: General Provisions
Article 1: These Provisions are drafted on the basis of the Cybersecurity Law of the PRC, the PRC Data Security Law, the Personal Information Protection Law of the PRC, The PRC Law on the Protection of Minors, The Measures on the Administration of Internet Information Services, The Provisions on the Management of Internet News Information Services, The Provisions on the Governance of the Online Information Content Ecosystem, and other relevant laws, so as to regulate mobile internet application information services, protect the lawful rights and interests of citizens, legal persons, and other organizations, and to preserve national security and public interest.
Article 2: Those using mobile internet applications (hereinafter simply 'applications') to provide information services, and those engaging in internet application store and other application distribution services, within the mainland territory of the PRC shall obey these Provisions.
"Application Information Services" as used in these Provisions refers to activities using applications to provide users with services such as the production, reproduction, publication, and transmission of information such as text, images, speech, or video; including information service types such as instant messaging, news, question and answer, forum communities, online livestreaming, e-commerce, online audio-video, and lifestyle services.
"Engaging in internet application store and other application distribution services" as used in these Provisions refers to activities using the internet to provide users with services such as publishing, downloading, and dynamic updating of applications; including types of platform distribution services such as application stores, quick apps, internet mini-programs, and browser plugins.
Article 3: The State Internet Information Office is responsible for oversight, management, and law enforcement efforts on applications' information content nationwide. Local internet information offices are responsible for oversight, management, and law enforcement efforts on applications' information content within the corresponding administrative region and on the basis of their duties.
Article 4: Application providers and application distribution platforms shall comply with laws and regulations, follow public order and good custom, perform social responsibilities, adhere to the correct political, public opinion and values orientation, carry forward the Core Socialist Values, developing an active and healthy online culture, maintaining a positive cyberspace, enriching the people's spiritual and cultural lives, and promoting the progress of society and civilization.
Application providers and application distribution platforms must not exploit mobile internet applications to engage in activities prohibited by laws and regulations such as those endangering national security, disrupting social order, or violating the lawful rights and interests of others.
Article 5: Application providers and application distribution platforms shall perform entity responsibility for information content management, establishing and completing management systems such as for information content security management, governance of the information content ecosystem, protection of online data protection, protection of personal information, and protection of minors, to ensure the security of online information, create a positive online ecosystem, and strengthen the protection of users' rights and interests.
Chapter II: Application Providers
Article 6: Where applications provide users with services such as information publication and instant messaging, they shall conduct an authentication of the real identity information of the users applying for registration, based on means such as their mobile phone numbers, identification numbers, or uniform social credit code. Where users do not provide real identity information or fraudulently use the identity information of organizations or other people to falsify register, they must not be provided with the relevant services.
Article 7: Internet news information service permits shall be obtained by application providers using apps for the provision of Internet news information services; and internet new information service activities must not be carried out without a permit or beyond the scope of the permit.
Where the provision of other internet information services requires the review and consent of relevant departments or obtaining a related permit in accordance with law, the services may only be provided after the review and consent of the relevant departments or after a permit is obtained.
Article 8: Application providers shall draft and disclose management rules and platform conventions, sign service agreements with registered users, clarify the rights and obligations of both parties, and require registered users to abide by these Provisions and relevant laws and regulations.
Article 9: Application providers shall establish and complete mechanisms for the management of information content reviews; establish and improve management measures such as for user registration, account management, information reviews, routine inspections, and emergency response and handling; and allot professional personnel and technical capabilities corresponding to the scale of the services.
Application providers shall employ measures such as warnings, limiting functions, and closing accounts to address registered users who violate relevant laws, regulations, and service agreements, and shall store records and report them to the relevant competent departments.
Article 10: Application providers shall standardize business management conduct, and must not induce user downloads through actions such as false promotions and bundling downloads, or by using illegal and negative information; and they must not rig rankings, rig volume, or control reviews and ratings through either machine or manual methods to create fake traffic.
Article 11: Applications shall comply with the mandatory requirements of national standards related to cybersecurity. When application providers discover that their applications have security flaws, vulnerabilities, or other risks, they shall immediately adopt remedial measures, and follow provisions to promptly inform users and report to the competent departments.
Article 12: Those carrying out activities handling application data shall perform data security protection obligations, establish and complete systems for managing data security throughout the entire process, employ technical measures and other security measures for ensuring data security and enhancing risk monitoring; they must not endanger national security or the public interest, and must not harm the lawful rights and interests of individuals or organizations.
Article 13: Those engaging in activities handling personal information in applications shall abide by the principles of legality, propriety, and good faith, have clear and reasonable goals, and disclose the rules for handling, shall obey provisions related to the necessary scope of personal information, standardize personal information handling activities, and employ necessary measures to ensure the security of personal information; they must not mandatorily require that users consent to unnecessary handling of personal information for any reason, and must not refuse to let users their basic functions and services because they did not agree to provide personal information that is not necessary.
Article 14: Application providers shall adhere to the principle of the best interest of minors, pay attention to the healthy growth of minors, perform each obligation to protect minors online, and strictly implement real-name registration and login requirements for minors' accounts; they must not provide products and services that induce internet addiction to minor users in any form.
Article 15: Application providers that have new technologies, applications or functions with public opinion properties or capacity for social mobilization shall conduct security assessments in accordance with relevant state provisions.
Chapter III: Application Distribution Platforms
Article 16: Application distribution platforms shall file for the record with the provincial, autonomous region, or directly governed municipality's internet information office within thirty days of business operations going online. The following materials shall be submitted when handling filings:
(1) The basis situation of the platform operating entity;
(2) Information such as the platform's name, domain name, access service, service credentials, and the types of applications offered;
(3) Materials such as for-profit internet information service permits that the platform has obtained, or not for profit internet information service filings;
(4) Documents related to the systems that article 5 of these Provisions requires to be established and completed;
(5) Platform management rules, conventions, service agreements, and so forth.
The provincial, autonomous region or municipal Internet information offices shall review the veracity and completeness of the filing materials. and shall file those that meet the requirements.
The State Internet Information Office is to publicly publish the list of application distribution platforms that have completed filing procedures.
Article 17: Application distribution platforms shall establish systems for categorical management and implement categorical management of offered apps, and file the applications with the internet information office for the province, autonomous region, or directly governed municipality where the platform is located.
Article 18: Application distribution platforms employ measures such as composite verification to conduct an authentication of the real identity information of application providers applying to offer apps, based on means such as their mobile phone numbers, identification numbers, or uniform social credit codes. Information such as the names and uniform social credit codes of application providers are to be displayed based on their differing entity types.
Article 19: Application distribution platforms shall conduct reviews of the names, logos, profiles, information services, and collection and use of personal information by application providers applying to offer and update apps, and must not provide them with services where discrepancies with the entity's registered real identity information are discovered, especially where regulations are violated by using symbols of the Party of state or fraudulently using the name of state organs.
Where application providers' information services are within the scope provided for in article 7 of these Provisions, the application distribution platform shall conduct a verification of the relevant permits and other situations; and where they are within the scope provided for in article 15 of these Provisions, the application distribution platform shall conduct a verification of the security assessment situation. The provision of services shall be stopped for those who do not pass verification.
Article 20: Application distribution platforms shall establish mechanisms for monitoring and assessing applications, increase technical capacity and management efficacy, to resolutely combat black and grey market products, and to prevent false promotions through methods such as the fabrication of download volumes and reviews.
Article 21: Application distribution platforms shall sign service agreements with application providers, clarifying the rights and obligations of both parties, and shall perform management responsibilities in accordance with laws and agreements.
Application distribution platforms shall establish and complete management and technical measures to promptly discover and prevent applications' conduct in violation of laws and regulations.
Application distribution platforms shall employ methods to address applications that violate laws, regulations, and service agreements, such as giving warnings, suspending services, and removal from the market, and shall store records and report to the competent departments.
Chapter IV: Oversight and Management
Article 22: Application providers and application distribution platforms shall Conscientiously accept societal oversight, establish conspicuous and convenient portals for complaints and reports, publish the methods for making complaints and reports, and establish mechanisms such as for their acceptance, handling, and giving feedback, to promptly handle public complaints and reports.
Article 23: Internet industry organizations are encouraged to establish and complete self-discipline mechanisms, to draft and improve industry specifications and self-discipline conventions, and to guide member units to establish and complete service specifications, provide information services in accordance with laws and regulations, preserve market fairness, and promote the healthy development of the industry.
Article 24: Internet information departments, in conjunction with relevant competent departments, are to establish and complete work mechanisms to oversee and guide application providers' and application distribution platforms' engagement in information service activities in accordance with laws and regulations.
Application providers and application distribution platforms shall cooperate with oversight inspections lawfully carried out by the competent departments, and provide necessary technical support and assistance.
Article 25: Where Application providers and application distribution platforms violate these Provisions, the internet information departments and other competent departments are to handle it in accordance with relevant laws and regulations within the scope of the duties.
Chapter V: Supplemental Provisions
Article 26: "Mobile Internet Applications" as used in these Provisions refers to applications software using mobile smart terminals to provide users with information services.
"Mobile Internet Application Providers" as used in these Provisions refers to the owners or operators of mobile internet applications providing information services.
"Mobile Internet Application Distribution Platforms" as used in these Provisions refers to internet information service providers providing distribution services such as the publication, downloading, and dynamic loading of mobile internet applications.
Article 27: This regulation will take effect from XX/XX/2022.