30 June 2016
The Cyberspace Administration of China (‘CAC’) released, on 28 June 2016, Provisions on the Administration of Mobile Internet Applications Services (‘the Provisions’), aimed at regulating the increasing use of mobile apps, enhancing the healthy development of the industry and protecting citizens’ rights. In particular, Articles 7 and 8 of the Provisions impose privacy compliance obligations on mobile app service providers and app stores.
Manuel Maisog, Partner at Hunton & Williams’ Beijing Office, informed DataGuidance, “The Chinese Government has started to place a higher level of priority on cybersecurity and personal data protection on the internet. The business operators in relevant industry sectors should be more prudent in their processing of personal information.”
Article 7 of the Provisions requires mobile app service providers to establish user information protection mechanisms, as well as to inform users of the purpose, means and scope of data usage when obtaining users’ consent, whilst also ensuring compliance with the principles of lawfulness and necessity when collecting and using personal data. Article 7 also prescribes that in the absence of user knowledge or users’ consent, mobile app service providers shall not collect location data or users’ contact numbers, as well as not use camera or voice recording functions from users’ mobile devices.
Maisog explained, “The Provisions do not specify that consent must be given in writing, or in any other specific form. Therefore, consent could be given in electronic forms, such as by clicking an ‘I agree’ button to express consent to the user’s policy before registering as a user of a mobile app. The one potential complication is that consent must be ‘express’ and may therefore not be implied or tacit.”
“Regulatory authorities shift liabilities to app service providers and app stores (Articles 7 and 8), and they will most likely intervene directly on a case by case basis”
In addition, Articles 8 and 9 of the Provisions require app stores to supervise app service providers regarding the protection of users’ information, and to clarify responsibilities via service agreements with app service providers for compliance purposes. Gregory Louvel, Partner at LEAF, pointed out, “Unfortunately, as a rule of thumb data privacy is not yet a concern for app stores and app services providers.”
Louvel also noted, “Regulatory authorities shift liabilities to app service providers and app stores (Articles 7 and 8), and they will most likely intervene directly on a case by case basis. Further adjustments of Provisions are likely in the future, as regulatory bodies are feeling the stones to cross the river.”
Article 10 of the Provisions ask app service providers and app stores to coordinate with supervisory authorities in supervision and administration activities, as well as maintain a channel of whistleblowing for the public and promptly respond to such reports. Aside from Article 10, the Provisions do not provide further detail about enforcement.
Dr. Michael Tan, Partner at Taylor Wessing, concluded, “The Provisions reflect the fast growth and importance of the mobile economy in China. The fact that such Provisions were rolled out by the CAC instead of the Ministry of Industry and Information Technology (‘MIIT’) demonstrates some political importance of this topic. Although there are no explicit punishments addressed under the Provisions, we expect that these principles will be pushed down to business circle by further implementing measures (which likely will come from other ministries like the MIIT). ‘Big names’ and sizeable operations might more easily become targets of any future governmental campaigns against data breach cases.”
The Provisions will enter into force on 1 August 2016.
Ningxin Xie | Privacy Analyst