The National Information Security Standardisation Technical Committee of China (‘TC260’) announced, on 5 May 2019, that the special governance working group for apps (‘the Working Group’) had launched a consultation on measures for the collection and use of personal information for mobile application operators (‘the Draft Measures’). The consultation, on the Draft Measures follows an assessment conducted by the Working Group, in which it outlined violations on the collection and use of personal data carried out by app operators. In particular, the Draft Measures aim to provide guidance for app operators on, among other things, privacy policies, user agreements and the use of methods such as pop-up windows or links to remind users to read their privacy policies.
Julian Sun, Associate at Taylor Wessing Shanghai Representative Office, told DataGuidance by OneTrust, “In the view of some app operators, the privacy policies and terms merely exist for the sake of appearance, and obtaining ‘compulsory’ consent is all they need to fulfil compliance requirements. Such a mindset is partially caused by the lack of clear and easily implemented laws and regulations […] However, the picture is changing rapidly, due to public concern regarding the abuse of personal information that could cause monetary damages to data subjects […] The Draft Measures emphasise the importance of readability and accessibility for privacy policies, and provide more concrete and measurable criteria for app operators. App operators may need to adjust or redesign their apps’ user interface to fully comply with the Draft Measures.”
In particular, the Draft Measures outline that app operators must follow the principles of legality, legitimate purpose and necessity, and must not collect personal information irrelevant to the services they provide. Furthermore, the Draft Measures highlight that app operators must not request user consent by default and that consent should be unbundled from other terms and conditions, as well as provide users with the option to opt-out of marketing emails.
Children should be subject to specific protection measures regarding their information, consent, data collection and data processing
Sun added, “Some app operators collect a wide range of personal information for the purpose of promoting other services provided by their business partners or affiliated companies […] To better regulate such activities, it is necessary to strike the root cause of excessive collection and use of personal information […] From a compliance perspective, app operators may in the future be required to rectify their practices; and collecting personal information for the purpose of ‘improving service quality, improving user experience and developing new products’ may very likely be considered excessive.”
In addition, the Draft Measures highlight that app operators had collected or used personal information of minors under the age of 14 without guardian consent. Finally, the Draft Measures affirm that app operators had also used algorithms to carry out illegal personalised advertisements and marketing activities to target minors under the age of 14 without guardian consent.
Gregory Louvel, Partner at Leaf Law Firm concluded, “Children should be subject to specific protection measures regarding their information, consent, data collection and data processing […] we have witnessed in the past few weeks an increase of scrutiny on child protection […] This area is clearly a major focus for Chinese authorities and China takes a very aggressive position in this respect. Content review as well as age classification and screen time are the two key focus points of Chinese authorities.”
Comments can be submitted to [email protected] by 26 May 2019.
CLAUDIA STRUGNELL Privacy Analyst