Draft rules help China take step to online privacy though fuzzy provisions remain

China’s internet watchdog last week took the first step toward developing online privacy protection norms when it released a new set of draft privacy guidelines for app operators.

The draft guidelines by the National Information Security Standardization Technical Committee (TC260)—which is jointly administered by the Cyberspace Administration of China (CAC) and the Standardization Administration of China—outlined seven situations that constitute the illegal collection and use of personal data. These included the collection and use of users’ personal information or the provision of personal information to third parties without the consent of the user.

The draft rules, which currently are not legally binding, have been released for public comment. Once finalized, they will be used by China’s cyberspace watchdogs, including the CAC, the State Administration for Market Regulation, and the Ministry of Public Security, to enact privacy laws.

A commentary (in Chinese) published Tuesday by state-run news agency Xinhua said the guidelines were “the world’s first legislative attempt” to categorize illegal behavior against app users’ personal data.

“The big data economy based on personal information has begun to come in conflict with the old legal system … the protection of personal data is critical to safeguard cybersecurity and internet users’ legal rights,” the commentary from Xinhua said.

A special administration working group dedicated to apps (in Chinese) was set up by the TC260 and the Internet Society of China, a non-governmental organization supported by the Ministry of Industry and Information Technology, in January to promote closer evaluation of illegal collection and use of personal data by mobile apps.

Up to the beginning of April, the working group had received around 3,500 reports by app users involving more than 1,300 apps, according to the overseas edition of the People’s Daily (in Chinese).

A report (in Chinese) by the China Consumers Association, a national organization operating under the instruction and supervision of the State Administration for Industry and Commerce, showed that 91 out of 100 apps the association had reviewed involved the excessive collection of users’ private data.

Popular selfie app Meitu was criticized by the report for excessively collecting users’ biometric information and personal financial information. The report also accused Industrial and Commercial Bank of China of not containing a privacy policy in its app.

In a report covering the third quarter of 2018, China’s Ministry of Industry and Information (MIIT) singled out premium ride-hailing service providers Shenzhou and Shouqi Yueche for not “releasing explanations regarding collection of passengers’ personal information.”

Qi Aimin, a professor at the Chongqing University’s School of Law, told TechNode that the draft guidelines would effectively contain the chaotic situation in China’s app market where the users’ right to privacy is frequently violated.

“The draft provided law enforcement departments with clear guides, and it’s beneficial for the mobile app industry to improve its standard of privacy protection,” said Qi.

The guidelines also cautioned against the collection of personal data of minors under the age of 18 and subjecting them to advertisements without guardians’ consent.

According to a report (in Chinese) by China Internet Network Information Center, an administrative agency responsible for internet affairs supervised by the CAC, the number of internet users under the age of 18 in China reached 169 million up to the end of 2018, accounting for 93.7% of the country’s minor population. There is no dedicated legislation in the country to protect minors from online personal information gathering.

However, the draft guidelines could face challenges when it comes to enforcement.

“The guidelines have listed almost all situations of illegal collection and use of private data that are common in the industry, but some of the situations may be hard to identify in reality,” said Qi the law school professor.

The guidelines, for example, said privacy policies of mobile apps should not be “unintelligible and lengthy,” which is impossible to define, Qi noted.