CAC seeks comments on scope of necessary personal information required for 38 types of Apps
On December 1, 2020, the Cyberspace Administration of China (“CAC”) issued the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications (Draft for Comment) (the “Draft for Comment”) for public comments by December 16, 2020.
The Draft for Comment stipulates the scope of necessary personal information required for 38 common types of Apps such as map navigation App, online car-hailing App, and instant messaging App. In particular, the Draft for Comment provides that as long as a user gives consent to the collection of its necessary personal information required for an App, such App shall not refuse the user’s installation and use. Meanwhile, a total of 12 types of Apps, including online live streaming App, online audio and video App, short video App, and browser App, shall provide basic functional services without asking personal information of users.
On December 2, 2020, the Ministry of Commerce (the “MOC”), the State Cryptography Administration (the “SAC”) and the General Administration of Customs (the “GAC”) jointly released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures (the “Announcement”).
Main contents of the Announcement are as below:
- In order to safeguard national security and public interests, it is hereby decided to carry out import licensing and export control for relevant commercial cryptography.
- Regarding the import of items and techniques set out in the Import Licensing List of Commercial Cryptography, i.e., encrypted telephone sets, encrypted fax machines, cryptographic machines (cards) and encrypted VPN equipment, the import license of dual-use items and techniques shall be applied for with the MOC.
- Regarding the export of items and techniques specified in the Export Control List of Commercial Cryptography, including security chips, key management products, special cryptographic equipment and cipher development and production equipment, the export license of dual-use items and techniques shall be applied for with the MOC.
This Announcement shall enter into force on January 1, 2021, and the Announcement No. 18 of the State Cryptography Administration and the General Administration of Customs, the Announcement  No. 64 of the General Administration of Customs and the State Cryptography Administration, the Announcement No. 27 of the State Cryptography Administration and the General Administration of Customs, and the Announcement No. 38 of the State Cryptography Administration, the Ministry of Commerce and the General Administration of Customs are to be repealed simultaneously.
On December 21, 2020, the Ministry of Industry and Information Technology (“MIIT”) announced the seventh batch of apps for infringement on users’ rights and interests. The main problems involved are as follows:
- collecting and using personal information in violation of laws and regulations;
- asking for permission mandatorily and in an excessively frequent way;
- deceiving and misleading users to download Apps; and
- App information on the App distribution platform is not clear.
On December 23, 2020, the Ministry of Human Resource and Social Security (“MHRSS”) issued the Administrative Provisions on Online Recruitment Services (the “Provisions”), which will take effect from March 1, 2021.
On personal information protection, the Provisions provide:
- A human resource service agency engaged in online recruitment services shall strengthen cybersecurity management, fulfill cybersecurity protection obligations, and take technical or other necessary measures in accordance with the requirements of national cybersecurity laws, administrative regulations and multi-level protection system of cyber security, to ensure the security of the recruitment service network, information system and user information.
- A human resource service agencyshall establish and improve the information protection system for online recruitment service users, and shall not disclose, tamper with, damage or illegally sell, or illegally provide other people with the ID card number, age, gender, address, contact information and business status of the employer.
- Ahuman resource service agency shall conduct self-examination on the information protection of online recruitment service users at least once a year, record the self-examination situation, and timely eliminate the security risks found in the self-examination.
- Where a human resource service agency engaged in online recruitment services does need to provide an overseas institution with the personal information and important data collected and generated in its operations within the territory of China due to business needs, it shall comply with relevant laws and administrative regulations of the State.
On December 25, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry (the “Guidelines”)
The Guidelines include standards of basic generality, critical technology, safety management and critical areas. The standards of basic generality include the definition of terms, data security framework, data classification and grading, etc., which provide basic support for various standards. The critical technology standards regulate the critical technology of data security from a whole life cycle dimensions of data collection, transmission, storage, processing, exchange, destruction, etc. Security management standards include data security specification, data security assessment, monitoring, early warning and disposal, emergency response and disaster backup, security capability certification, etc. Critical areas standards include 5G, mobile Internet, Internet of vehicles, Internet of things, industrial Internet, cloud computing, big data, artificial intelligence, blockchain and other critical areas.
Data security standards in the field of the Internet of vehicles mainly include the data security of the cloud platform of the Internet of vehicles, the data security of V2X communication, the data security of the intelligent connected vehicle, and the data security of the mobile App of the Internet of vehicles, etc.
Data security standards in the field of mobile Internet mainly include personal information protection of mobile applications, SDK security of mobile applications, etc.
Data security standards in the field of artificial intelligence mainly include data security of artificial intelligence platform, personal information protection of artificial intelligence terminal, etc.
If you would like to receive our legal update via email, please contact firstname.lastname@example.org.
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369
Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.
Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.
Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.
Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.