Promulgation Date: 2022-6-14
Title: Provisions on the Management of Mobile Internet Applications' Information Services
Document Number:
Expiration date:
Promulgating Entities: Cybersecurity Administration
Source of text: http://www.cac.gov.cn/2022-06/14/c_1656821626455324.htm
Chapter I: General Provisions
Article 1: These Provisions are drafted on the basis of the Cybersecurity Law of the PRC, the PRC Data Security Law, the Personal Information Protection Law of the PRC, The Measures on the Administration of Internet Information Services, The PRC Law on Protection of Minors, The Provisions on the Management of Internet News Information Services, The Provisions on the Governance of the Online Information Content Ecosystem, and other relevant laws, so as to regulate mobile internet application information services (hereinafter 'applications'), protect the lawful rights and interests of citizens, legal persons, and other organizations, and to preserve national security and the public interest.
Article 2: Those using applications to provide information services, as well as those engaging in internet application stores and other application distribution services within the mainland territory of the PRC shall obey these Provisions.
"Application Information Services" as used in these Provisions refers to activities using applications to provide users with services such as the production, reproduction, publication, and transmission of information such as text, images, speech, or video; including categories such as instant messaging, news, question and answer, forum communities, online livestreaming, e-commerce, online audio-video, and lifestyle services.
"Application information distribution services" as used in these Provisions refers to activities providing services such as the publication, downloading, and dynamic storage of applications through the internet, including application stores, quick app centers, internet mini-program platforms, browser plugin platforms, and other such categories.
Article 3: The State Internet Information department is responsible for efforts on the oversight and management of applications' information content nationwide. Based on their duties, local internet information departments are responsible for efforts on the oversight and management of applications' information content within the corresponding administrative region.
Article 4: Application providers and application distribution platforms shall comply with the Constitution, laws, and administrative regulations, carry forward the Core Socialist Values, persist in the correct political orientation, public opinion guidance orientation, and value orientation; respect public order and good customs, fulfill social responsibility, and maintain a clean and positive cyberspace.
Application providers and application distribution platforms must not exploit mobile internet applications to engage in activities prohibited by laws and regulations such as those endangering national security, disrupting social order, or violating the lawful rights and interests of others.
Article 5: Application providers and application distribution platforms shall perform entity responsibility for information content management, establishing and completing management systems such as for information content security management, governance of the information content ecosystem, protection of online data, protection of personal information, and protection of minors, to ensure cybersecurity and maintain a positive online ecosystem.
Chapter II: Application Providers
Article 6: Where applications provide users with services such as information publication and instant messaging, they shall conduct an authentication of the real identity information of the users applying for registration, based on means such as their mobile phone numbers, identification numbers, or uniform social credit code. Where users do not provide real identity information or fraudulently use the identity information of organizations or other people to falsely register, they must not be provided with the relevant services.
Article 7: Where application providers provide other internet information services that require review and consent of relevant departments or the obtaining of related permits in accordance with law, the services may only be provided after the review and consent of the relevant departments or after a permit is obtained.
Article 8: Application providers shall be responsible for the results of information presentation, must not produce or transmit illegal information, and are to conscientiously prevent and reject negative information.
Application providers shall establish and complete mechanisms for the management of information content reviews; establish and improve management measures such as for user registration, account management, information reviews, routine inspections, and emergency response and handling; and allot professional personnel and technical capabilities corresponding to the scale of the services.
Article 9: Application providers must not induce user downloads through actions such as false promotions and bundling downloads, using machine or manual methods to rig rankings, rig volume, or to control reviews and ratings, or by exploiting illegal and negative information.
Article 10: Applications shall comply with the mandatory requirements of national standards. When application providers discover that applications have security flaws, vulnerabilities, or other risks, they shall immediately adopt remedial measures, and follow provisions to promptly inform users and report to the competent departments.
Article 11: Application providers carrying out activities handling application data shall perform data security protection obligations, establish and complete systems for managing data security throughout the entire process, and employ technical measures and other security measures for ensuring data security and enhancing risk monitoring; they must not endanger national security or the public interest, and must not harm the lawful rights and interests of others.
Article 12: Application providers handling personal information shall abide by the principles of legality, propriety, and good faith, have clear and reasonable goals, and disclose the rules for handling; they shall obey provisions related to the necessary scope of personal information, standardize personal information handling activities, and employ necessary measures to ensure the security of personal information; they must not mandatorily require that users consent to the handling of personal information for any reason, and must not refuse to let users use their basic functions and services because they did not agree to provide personal information that is not necessary.
Article 13: Application providers shall adhere to the principle of the best interest of minors, pay attention to the healthy growth of minors, perform each obligation to protect minors online, and strictly implement the registration of real identification information and login requirements for minors' accounts in accordance with law; they must not provide products and services that induce internet addiction to minor users in any form, and must not create, reproduce, publish, or transmit content that endangers the physical and psychological health of minors.
Article 14: Application providers that have new technologies, applications or functions with public opinion properties or capacity for social mobilization shall conduct security assessments in accordance with relevant state provisions.
Article 15: Application providers are encouraged to actively employ Internet Protocol Version 6 (IPv6) in providing information services to users.
Article 16: Application providers shall draft and disclose management rules based on relevant laws, regulations, and state provisions, sign service agreements with registered users, and clarify the rights and obligations of both parties.
Application providers shall employ measures such as warnings, limiting functions, and closing accounts to address registered users who violate these provisions and related laws, regulations, and service agreements, and shall store records and report them to the relevant competent departments in accordance with law.
Chapter III: Application Distribution Platforms
Article 17: Application distribution platforms shall file for the record with the provincial, autonomous region, or directly governed municipality's internet information office within thirty days of the business going online. The following materials shall be submitted when handling filings:
(1) The basic situation of the platform operating entity;
(2) Information such as the platform's name, domain name, access service, service credentials, and the types of applications offered;
(3) Materials such as for-profit internet information service permits that the platform has obtained, or not for profit internet information service filings;
(4) Documents related to the systems that article 5 of these Provisions requires to be established and completed;
(5) Platform management rules, service agreements, etc.
After the provincial, autonomous region, or directly governed municipality internet information department receives the filing materials, they shall file them where the materials are complete.
The State Internet Information Department is to promptly publish the list of application distribution platforms that have completed filing procedures.
Article 18: Application distribution platforms shall establish systems for categorical management and implement categorical management of offered apps, and file the applications with the internet information department for the province, autonomous region, or directly governed municipality where the platform is located.
Article 19: Application distribution platforms employ measures such as composite verification to conduct an authentication of the real identity information of application providers applying to offer apps, based on means such as their mobile phone numbers, identification numbers, or uniform social credit codes. Information such as the names and uniform social credit codes of application providers is to be displayed based on their differing entity types, to facilitate oversight and inquiries from the public.
Article 20: Application distribution platforms shall establish and complete management mechanisms and technical measures, and establish and improve management measures such as for pre-release reviews, routine management, and emergency response.
Application distribution platforms shall conduct reviews of applications applying for release or updates, and must not provide services where illegal or negative content is discovered in an application's name, images, or description, where there are inconsistencies with the entity's real identification information, or where there are violations of laws and regulations in business type.
Where application providers' information services are within the scope provided for in article 7 of these Provisions, the application distribution platform shall conduct a verification of the relevant permits and other situations; and where they are within the scope provided for in article 14 of these Provisions, the application distribution platform shall conduct a verification of the security assessment situation.
Application distribution platforms shall strengthen routine management of available applications, and must not provide services to those that have illegal or negative information, data fraud such as on download volumes or ratings, contain latent data security risks, or endanger the lawful rights and interests of others, etc.
Article 21: Application distribution platforms shall draft and disclose management rules based on relevant laws, regulations, and state provisions, sign service agreements with application providers, and clarify the rights and obligations of both parties.
Application distribution platforms shall employ methods to address applications that violate these provisions and related laws, regulations, and service agreements, such as giving warnings, suspending services, and removal from the market, and shall store records and report to the competent departments.
Chapter IV: Oversight and Management
Article 22: Application providers and application distribution platforms shall conscientiously accept societal oversight, establish conspicuous and convenient portals for complaints and reports, publish the methods for making complaints and reports, and establish mechanisms such as for their acceptance, handling, and giving feedback, to promptly handle public complaints and reports.
Article 23: Internet industry organizations are encouraged to establish and complete self-discipline mechanisms, to draft and improve industry specifications and self-discipline conventions, and to guide member units to establish and complete service specifications, provide information services in accordance with laws and regulations, preserve market fairness, and promote the healthy development of the industry.
Article 24: Internet information departments, in conjunction with relevant competent departments, are to establish and complete work mechanisms to oversee and guide application providers' and application distribution platforms' engagement in information service activities in accordance with laws and regulations.
Application providers and application distribution platforms shall cooperate with oversight inspections lawfully carried out by the internet information departments and related competent departments, and provide necessary technical support and assistance.
Article 25: Where application providers and application distribution platforms violate these Provisions, the internet information departments and other competent departments are to handle it in accordance with relevant laws and regulations within the scope of their duties.
Chapter V: Supplementary Provisions
Article 26: "Mobile Internet Applications" as used in these Provisions refers to application software using mobile smart terminals to provide users with information services.
"Mobile Internet Application Providers" as used in these Provisions refers to the owners or operators of mobile internet applications providing information services.
"Mobile Internet Application Distribution Platforms" as used in these Provisions refers to internet information service providers providing distribution services such as the publication, downloading, and dynamic loading of mobile internet applications.
Article 27: These Provisions will come into force on August 1, 2022. The Provisions on the Administration of Mobile Internet Application Information Services promulgated on June 28, 2016, are concurrently repealed.