China is issuing regulations on “the amount of personal data required for common types of mobile internet applications”.
On March 12, 2021, the Cyberspace Administration of China published regulations on “The amount of personal information required for common types of mobile Internet applications” (the “Regulations”) (available in Chinese).
The rules are generally in line with the draft previously posted for public comment on December 1, 2020, and include additional details and new rules regarding ticket requests (e.g. for purchasing seats during performances).
According to the Cybersecurity Law of China, the collection of personal data must adhere to the principles of legitimacy, adequacy and necessity. In the provisions, “necessary personal information” is defined as personal information that is required for the regular operation of mobile applications (“apps”), i.e. personal information without which the apps could not provide their intended basic functions. Apps are prohibited from denying users the use of their basic functions if users do not provide additional personal information beyond the required personal information. For an online shopping app, the required personal information includes, for example, the mobile phone numbers, names, addresses and payment information of registered users (such as payment time, payment amount and payment channel). If the online shopping app also requests location information from users, it would still need to provide its basic functionality to users who have declined requests for location information.
The Regulations set out 39 common types of apps and the amount of required personal information that these apps can collect and use, which depends on the type of app. Common types of apps include: (1) map navigation; (2) online hail services; (3) instant messaging; (4) online communities; (5) online payment; (6) online shopping; (7) delivery of food and beverages; (8) post, express mail and shipping and delivery; (9) transportation ticket; (10) marriage and dating; (11) job search and recruitment; (12) online lending; (13) rental and sale of apartments; (14) used car dealership; (15) doctor inquiries and appointments; (16) tourism services; (17) hotel services; (18) online games; (19) online education; (20) local life; (21) women’s health; (22) car services; (23) investment and financial management; (24) mobile banking; (25) email and cloud storage; (26) remote conferencing; (27) webcasting; (28) online audio and video; (29) music video clips; (30) news; (31) exercise and health; (32) surfing the internet; (33) input methods; (34) security management; (35) e-books; (36) improvement of photography; (37) application memory; (38) utilities and practical tools; and (39) ticketing.
The types of apps that do not require the collection of personal information for their basic functions and services include webcasting, online audio and video, music video clips, news, sports and health, web browsing, input methods, safety management, e-books, photo enhancements, application storage, utilities and handy tools, as well as ticketing. For these apps, users can install and use the basic functionality of the apps without providing any personal information.
The provisions come into force on May 1, 2021.