Personal information protection has been in the spotlight in recent years as various programs, especially Apps, collect an increasing amount of personal information. This article provides a brief update on China's regulation of collection of personal information by Apps, and offers a glimpse at how this issue is addressed in the draft Data Security Law issued on July 3, 2020.
Update on Regulation and Enforcement of Collection of Personal Information by Apps
As we discussed in our previous article, (http://blog.galalaw.com/post/102g64j/personal-information-data-protection-in-china-looking-towards-2020-part-i-th), the 2017 PRC Cyber Security Law ("CSL") was succeeded by various implementing rules and standards intended to improve personal information management, including the Information Security Technology — Personal Information Security Specification (信息安全技术 -个人信息安全规范 ), and the Measures for Identification of Illegal Collection and Use of Personal Information by Apps (App违法违规收集使用个人信息行为认定方法).
On July 22, 2020, the Cyberspace Administration of China, the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security, and the State Administration for Market Regulation held a meeting to summarize the achievements of the Special Rectification Program of Illegal Collection and Use of Personal Information by Apps of 2019 (2019年App违法违规收集使用个人信息治理工作 ), which achievements include more than 2,300 Apps being ordered to make changes, and the exposure of 230 illegal Apps. The meeting was also the occasion to launch the Special Rectification Program of 2020 (2020年App违法违规收集使用个人信息治理工作 ). The 2020 Special Rectification Program will focus on the illegal collection of personal facial features and other biometric information, the abuse of the right to record a user's voice or access user photos, and the unauthorized uploading of personal information.
Two days after the launch of the Special Rectification Program of 2020, 58 Apps were identified by the MIIT for infringing users' rights. The MIIT also issued the Practical Guide to Cyber Security Standards: Guide to Self-assessment of Collection and Use of Personal Information by Mobile Internet Applications ("Apps") (网络安全标准实践指南 —移动互联网应用程序（ App）收集使用个人信息自评估指南 ), which enumerates the following six points to help App operators self-assess their collection and use of personal information:
(i) whether the rules on collection and use of personal information are published within the App;
(ii) whether the purpose, method and scope of the collection and use of personal information are all expressly stated;
(iii) whether personal information is collected and used only after obtaining user consent;
(iv) whether personal information is collected only to the extent necessary for provision of the specific services;
(v) whether personal information is provided to third parties after obtaining user consent; and
(vi) whether the App includes the means to delete or correct personal information and to file complaints.
How the Issue is Dealt with under the draft Data Security Law
On July 3, 2020, the Standing Committee of the National People's Congress published the draft Data Security Law (the "Draft DSL"). The Draft DSL covers a broad gamut of data security topics, including laying out measures aimed at supporting and promoting data security and development; obligations in ensuring data security; and safety and openness of government data. Notable among other provisions, the Draft DSL clarifies that, "If any organization or individual outside of China conducts data activities that harm the national security, public interest or the legitimate rights and interests of citizens and organizations of China, such organization or individual's legal liability shall be pursued according to the law." This is the clearest legal statement to date expressing China's intent to claim extraterritorial jurisdiction over data protection, which is likely viewed as being necessary in order to meaningfully achieve the Draft DSL's goals, given the prevalence of cross-border data activities worldwide nowadays. From an enforcement perspective, the implementation of extraterritorial jurisdiction may cause conflicts of law and jurisdiction, and thus would doubtless be complicated.
The Draft DSL is only in draft form for public comments until August 16, 2020 and, as a foundational law similar to the CSL, there are still many supporting details that will need to be addressed by the promulgation of implementing regulations and other ancillary documents. If the Draft DSL is enacted in its current version, it will increase the data compliance obligations not only for Apps within China, but for those outside of China who have PRC users. In the meantime, we are also monitoring the expected drafts of the Personal Information Protection Law and the Export Control Law and the implementation of security management on cross-border data transmission in pilot areas, including in Beijing, Shanghai, Hainan and Xiong'an New Area according to the Plan for Comprehensively Promoting Innovative Development Pilots of Trade in Services (全面深化服务贸易创新发展试点总体方案 ) issued by the Ministry of Commerce on August 12, 2020. We will provide updates accordingly
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.