China Outlines Cyber Privacy Violations by Apps

China’s regulators designated as illegal six types of activities by apps related to collection and misuse of personal information online.

The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly issued a document Monday providing a reference for regulators to identify violations and guidance for app operators to carry out self-checks and for netizens to monitor apps’ practices.

The six types of violations are failing to make explicit the purpose, means and scope of the use of personal information; collecting and using personal information without consent; violating the minimum-necessary principle and collecting personal information unrelated to the service provided; providing personal information to third parties without consent; failing to provide features for users to delete or correct their personal information; and failing to make available a complaint procedure.

China launched a crackdown on illegal collection of personal information by apps at beginning of this year amid rising consumer anxiety over privacy breaches as people’s lives become increasingly digitalized. A recent report by the Chinese Academy of Social Sciences found that more than 90% of Chinese people are worried about their personal information and activity records stored by third parties.

Earlier this month, authorities took offline 100 apps ranging from banks to retailers and an online book platform. These apps were found to lack privacy agreements, provide inexplicit descriptions of the scope of use of personal information and collect unnecessary personal information, the Ministry of Public Security said.

The Ministry of Public Security said it has investigated nearly 700 apps for illegally collecting personal information since the launch of the crackdown. More than 8,000 apps have completed self-checks and corrected wrongdoing, according to the Ministry of Industry and Information Technology.

The crackdown has made app operators realize that the collection and use of personal information is an issue they need to take seriously, but it’s still a common practice for apps to force users to agree to the use of their personal information, said Xue Jun, a law professor at Peking University.

Xue said unclear responsibilities on the supervisory side have been a problem. The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation all play a regulatory role on the matter, but there has been a lack of clear authority for specific enforcement, he said.

Xue suggested that a single department should be designated as the regulator of online privacy, as in the European Union.

Under current regulations, violators in collecting personal information either face jail time or walk away with no penalties, making many medium-sized to small operators choose to take chances, said He Yuan, executive director of the Data Law Research Center of Shanghai Jiao Tong University.

“If the benefits of using personal data far exceed the cost of compliance, it’s hard to avoid such violations,” He said. He suggested the introduction of an administrative settlement mechanism as in the U.S. Regulators and companies can negotiate settlement penalties for violations, and huge fines can deter future violations, He said.

Contact reporter Denise Jia (huijuanjia@caixin.com)