May 09, 2019 07:43 PM

Proposed Guidelines Highlight China's Fragmented Protection of Online Privacy

China, like the rest of the world, has struggled to keep up with privacy protections as apps proliferate. Photo: VCG

This week’s release of a new set of privacy guidelines for app users has rekindled concerns that China’s fragmented system for protecting personal data online could use an overhaul.

The guidelines from the National Information Security Standardization Technical Committee (TC260), which were released for public comment this week, state that mobile apps should not collect and use personal information without user consent, collect and use personal information unrelated to the services they provide, or provide personal information to third parties without user consent. While the guidelines are not legally binding, they provide a baseline that future privacy laws from the Cyberspace Administration of China (CAC) can be built on.

However, there is a concern that the decentralized nature of China’s current system for managing online privacy — divided between the State Administration for Market Regulation (SAMR), the Ministry of Public Security, and the CAC — will hinder its ability to enforce user protections.

“The current laws and regulations on the protection of personal information are relatively fragmented,” said Xue Jun, a professor at Peking University’s School of Law. “The relevant legal provisions have some general provisions for the collection of personal information, but there is no particularly strong operability.”

The issue came up at the annual session of China’s legislature in March, when a spokesperson for the National People’s Congress called for greater protections for personal data online and “specific laws to regulate a joint force.”

Xue suggested that authorities follow the example set by the European Union with its General Data Protection Regulation and “establish a one-stop, unified law enforcement department to be responsible for personal information protection” while stipulating punishments for violations.

“Who is responsible if the rules are violated? Who is the competent authority requiring companies to make rectifications or impose penalties? These issues are not particularly clear at present,” Xue added.

In the internet age, network service providers have taken dangerous liberties with the collection and use of personal information in mobile phone apps — particularly in China, which in 2018 accounted for nearly half of global app downloads according to a report from AppAnnie. A Renmin University survey of 200 Chinese finance apps published last year found that more than 90% have flaws in their privacy policies and pose risks to users’ personal data.

Recently, there have been a number of incidents in China involving the over-collection of private user data. In December, the personal data of 30 million people using the dating app Momo — including phone numbers and passwords — was found to be for sale online. Meitu, a selfie beautification app, saw its shares plummet 10% after the China Consumer Association published a report criticizing it for collecting too much personal information from users. Scan-to-use products, where users must scan a QR code and allow access to their social media profile, are extremely common — including to get toilet paper in a public restroom.

China, like the rest of the world, has struggled to keep up with privacy protections as apps proliferate. The TC260’s first guidelines on user privacy online only came into effect on May 1, 2018. The committee, which reports to the China National Institute of Standardization of the SAIC, released amendments to the guidelines for public comment in February.

The draft of the guidelines for user privacy on mobile apps summarizes seven situations involving illegal or excessive collection of user information: no publicly-available user rules; no explicit statement of the purpose, method, or scope of collecting user information; information collection without consent; collecting personal information unrelated to the service provided; failure to delete or correct personal information as required by law; infringement of minors’ legal rights and interests.

The deadline for public comment on the new guidelines is May 26.

Contact reporter Ren Qiuyu (
