Smartphone apps from several of China’s top banks over-collect user data and force customers to give up personal information to use their apps, according to a report released on Friday.

Why it matters: Chinese authorities have attempted to crack down on widespread unnecessary data collection over the past year, calling out companies for collecting more personal information than necessary.

  • In December, legislators promised to start drafting China’s own laws for data privacy and personal information, moving away from the fragmented laws governing personal data protection.
  • Earlier this week, China’s banking sector found itself in the spotlight after a popular comedian complained that China CITIC Bank had shared his personal information with a third party without his permission.

Details: The Pudong Development Bank, Bank of Beijing, Bank of Shanghai, and Bank of Jiangsu force users to give access to their mobile phone information in order for the banks’ apps to work correctly, the Nandu Personal Information Protection Research Center said on Thursday.

  • The Agricultural Bank of China requests access to a user’s contacts, location, calendar, and camera, among others. The bank’s privacy policy only specifies why it needs access to location data, Nandu said.
  • The organization said that financial institutions should only require access to a device’s storage, according to national standards governing data collection in apps, and apps should work correctly if a user chooses not to authorize access to certain data.
  • However, most apps need access to information about a mobile phone as well as its location data.
  • Some apps will obtain permissions by default, bypassing the need for users to authorize access.
  • The Nandu Personal Information Protection Research Center is a think tank affiliated with the Southern Metropolis Daily, a newspaper in the southern Chinese city of Guangzhou. The organization investigated apps from 20 banks in China.

Context: China introduced its landmark Cybersecurity Law in 2017, which has served as a framework for developing data protection regulations.

  • Since then, companies including Tencent, Xiaomi, and Sina Weibo have found themselves at odds with the law for their data collection practices. Fintech companies have been some of the worst-hit given the sensitive nature of the data they collect.
  • The outbreak of Covid-19 in China earlier this year prompted the Cyberspace Administration of China (CAC), the country’s internet watchdog, to restate data collection rules following data leaks after people from the areas at the center of the outbreak found their personal information circulating online.
  • The CAC has also sharpened its focus on non-consensual personal data collection, in which apps lack a privacy policy or do not include prompts for users to read how their data will be processed when they first use the app.

Chris Udemans

Christopher Udemans is a Shanghai-based data and graphics reporter. He covers Chinese artificial intelligence, mobility, and cybersecurity. You can contact him at chrisudemans [at] technode [dot] com.