Your support means a lot to me!

🔥 Hi, I’m Peng. This article has been included in GitHub · Android-Notebook, where I keep my Android advanced growth route notes and blog. Like-minded friends are welcome to grow with me (contact and group entry on GitHub).

Preface

  • In recent years (especially in the last half year), we can clearly feel the emphasis that the relevant national authorities place on APP personal information protection. In fact, the overall state of APP personal information protection compliance in China is still far from ideal, especially when compared with the “strictest” General Data Protection Regulation of the European Union. To keep up with the international trend, it is no wonder that the country is promoting this so vigorously;
  • Therefore, as APP developers, if we simply wait for a rectification notice from the national authorities, it will inevitably disrupt our established business rhythm (imagine receiving a rectification notice on release night). We should turn “passive rectification” into “active discovery”.

1. Concepts related to personal information protection

To help you understand personal information protection, let me first summarize some basic concepts.

1.1 Related Units

At present, China’s departments related to personal information protection mainly include:

  • Standing Committee of the National People’s Congress
  • Public Security Organs (Ministry of Public Security)
  • General Administration of Regulation (State Administration for Market Regulation)
  • Cyberspace Administration (CAC)
  • Ministry of Industry and Information Technology

1.2 Five types of normative bodies

Five subjects of APP personal information protection and governance work:

  1. APP developers and operators: TikTok, WeChat, etc.;
  2. APP distribution platforms: such as APP Treasure and APP Mall;
  3. Third-party service providers of APPs: such as various SDK providers;
  4. Network access service providers: such as China Mobile, China Unicom and other operators;
  5. Mobile intelligent terminal manufacturers: Xiaomi, OPPO and other manufacturers.

1.3 Definition of Personal Information (key points)

According to Article 4 of the Personal Information Protection Law, personal information refers to all kinds of information related to identified or identifiable natural persons that is recorded electronically or by other means, excluding information that has been anonymized. The legal provision is too abstract for us developers, so here is the explanation posted by @CapitalPolice on Douyin:

| Personal information category | Description |
| --- | --- |
| Basic information | Name, sex, age, ID card number, telephone number, home address, marital status, occupation, income, etc. |
| Device information | Location, MAC address and SD card contents of a mobile or fixed terminal |
| Account information | Online banking, third-party payment, social software and email accounts, passwords, etc. |
| Private information | Address book, call and SMS records, personal chat records, videos, photos, etc. |
| Social relationship information | Friend relationships, family member relationships, work unit information, etc. |

Scenario example: are household air conditioner usage records personal information? If only one person uses the family air conditioner, judicial interpretation is highly likely to treat the records as that user’s personal information; if the home air conditioner is used by more than one person, judicial interpretation generally does not treat them as any user’s personal information (this is the case cited by our corporate legal department).

1.4 Two Important Principles (Important)

  1. Informed consent principle: the user shall be informed of the personal information processing rules in clear and understandable language, and the user shall give a voluntary and explicit expression of intent on the premise of full knowledge;
  2. Minimum necessity principle: processing shall have a clear and reasonable purpose, and shall not extend to personal information processing activities beyond the scope agreed by the user or irrelevant to the service scenario.

2. The three axes of governance

2.1 Governance by law — top-level design

In recent years, the country has successively issued many laws and regulations on personal information protection, providing a legal basis for administrative work. Starting from December 28, 2012, when the Standing Committee of the National People’s Congress first addressed personal information protection at the legislative level, I have compiled the relevant laws and regulations introduced over the past 10 years:

| Law / regulation | Issuing body | Release date | Effective date |
| --- | --- | --- | --- |
| Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection | Standing Committee of the National People’s Congress | 2012/12/28 | 2012/12/28 |
| Regulations on the Protection of Personal Information of Telecommunications and Internet Users | Ministry of Industry and Information Technology | 2013/7/19 | 2013/9/1 |
| Cyber Security Law of the People’s Republic of China | Standing Committee of the National People’s Congress | 2016/11/8 | 2017/6/1 |
| Interim Provisions on the Presetting and Distribution Management of Mobile Intelligent Terminal Application Software | Ministry of Industry and Information Technology | 2016/12/16 | 2017/7/1 |
| Provisions on Network Protection of Children’s Personal Information | Cyberspace Administration of China | 2019/8/22 | 2019/10/1 |
| Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications | Cyberspace Administration, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation | 2021/3/22 | 2021/5/1 |
| Interim Provisions on the Protection and Administration of Personal Information of Mobile Internet Applications (Draft) | Ministry of Industry and Information Technology | 2021/4/26 | 2021/4/26 |
| Data Security Law of the People’s Republic of China | Standing Committee of the National People’s Congress | 2021/6/10 | 2021/9/1 |
| Data Regulations of Shenzhen Special Economic Zone | Standing Committee of Shenzhen People’s Congress | 2021/6/29 | 2022/1/1 |
| Personal Information Protection Law of the People’s Republic of China | Standing Committee of the National People’s Congress | 2021/8/20 | 2021/11/1 |

2.2 Standard Guidelines — Quantification

“Laws” alone are not enough; the country also needs to formulate the corresponding “standards” to ensure that the laws are implemented smoothly. Laws only regulate personal information protection at the level of top-level design, and actual implementation has to rely on more detailed and quantitative standards.

For example, the Personal Information Protection Law requires apps to follow the “minimum necessary” principle when collecting personal information. But what is the measure of “minimum necessary”? Do food delivery ordering apps and delivery rider apps have the same minimum necessary criteria for the location permission? Is the minimum necessary for obtaining location information the same as the minimum necessary for obtaining other personal information? Obviously, these questions cannot be answered by the law alone and need to be quantified by standards. I have compiled the relevant national standards and group standards issued in recent years:

| Standard | Issuing body | Latest version / release date | Effective date |
| --- | --- | --- | --- |
| National standard “Information Security Technology – Basic Specification for Collection of Personal Information by Mobile Internet Applications (Apps)” (Draft) | National Information Security Standardization Technical Committee | 2019/8/8 | 2019/8/8 |
| National standard “Information Security Technology – Personal Information Security Specification” | Standardization Administration of China | GB/T 35273-2020 | 2020/10/1 |
| Group standards “Assessment Specifications for the Protection of APP Users’ Rights and Interests” (10 standards) | Telecommunications Terminal Industry Association | T/TAF 078-2020 | 2020/11/26 |
| Group standards “Assessment Specifications for the Minimum Necessary Collection and Use of Personal Information by APPs” (17 standards) | Telecommunications Terminal Industry Association | T/TAF 077-2020 | 2020/11/26 |
| Group standard “Personal Information Protection Guide for Mobile Intelligent Terminals” (Draft) | China Cyberspace Security Association | 2021/11/3 | 2021/11/3 |
| Group standard “Application Store App Personal Information Collection and Use Review and Management” (Draft) | China Cyberspace Security Association | 2021/11/3 | 2021/11/3 |

2.3 Special rectification — focus on key points

Laws and standards form the basic basis for APP personal information protection and governance, but the compliance issues they cover are too numerous. To address the most conspicuous key problems perceived by users as quickly as possible, national authorities also publish special rectification notices.

Generally speaking, a special rectification action starts with the leading Internet enterprises and is then gradually extended to the application market as a whole. For example, the recent special rectification “Notice on Carrying Out the Action to Improve Awareness of Information and Communication Services” was limited to a first batch of 40 enterprises. I have compiled the special rectification actions released in recent years:

| Rectification action | Issuing body | Release date |
| --- | --- | --- |
| Announcement on the Special Governance of App Illegal Collection and Use of Personal Information | Cyberspace Administration, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation | 2019/1/23 |
| Interpretation of the Announcement on the Special Governance of App Illegal Collection and Use of Personal Information | Cyberspace Administration, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation | 2019/11/6 |
| Identification Method for Apps’ Illegal Collection and Use of Personal Information | Cyberspace Administration, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation | 2019/12/30 |
| Self-assessment Guide for Apps’ Illegal Collection and Use of Personal Information | App special governance working group | 2019/3/1 |
| Notice of the Ministry of Industry and Information Technology on the Special Rectification of APP Infringement on Users’ Rights and Interests | Ministry of Industry and Information Technology | 2019/10/31 |
| Notice on Launching the In-depth Special Rectification Action for APP Infringement on Users’ Rights and Interests | Ministry of Industry and Information Technology | 2020/7/22 |
| The Ministry of Industry and Information Technology severely punished the violations exposed at the “March 15” gala, such as “inducing the elderly to download APPs” and “APPs illegally collecting the personal information of the elderly” | Ministry of Industry and Information Technology | 2021/3/16 |
| The Ministry of Industry and Information Technology vigorously promotes rectification of the problem of APP pop-up information harassing users | Ministry of Industry and Information Technology | 2021/7/8 |
| Notice on the Action to Improve Awareness of Information and Communication Services | Ministry of Industry and Information Technology | 2021/11/1 |
| Interpretation of the Notice on the Action to Improve Awareness of Information and Communication Services | Ministry of Industry and Information Technology | 2021/11/5 |

Simple differences between laws, regulations and standards:

  • Laws: the product of a legislative body, enforced by the coercive power of the State, with the highest legal effect;
  • Regulations: the product of an administrative authority, enforced by the State;
  • Standards: the product of recognized institutions, more detailed and quantified than laws and regulations.

2.4 Application Market Rectification Guide

In addition to national governance, some app markets also publish privacy rectification guidelines. But the app markets do not define norms in a vacuum, so the information in their rectification guides is still based on the “three axes” above. I have put together the guidelines of several app markets:

  • Huawei
  • Xiaomi
  • VIVO
  • OPPO
  • APP Treasure
  • Apple App Store

3. Summary

At this point, we have covered the national governance mechanism for APP personal information protection: laws and regulations govern personal information protection at the legislative level, standards set more detailed and quantifiable norms, and key problems are rectified by state authorities through special actions. For APP developers, the “Personal Information Protection Law” is the yardstick on our compliance road, but we should focus on systematically interpreting and checking against the national special rectification actions and national standards. In addition, remember to follow the WeChat official account @APP Personal Information Protection Governance to keep up with the latest developments from national departments.


Resources

  • Mobile Internet Application (APP) Personal Information Protection Governance White Paper

Your likes mean a lot to me! Search WeChat for the official account [Peng Xurui]; I hope we can discuss technology together and find like-minded friends. See you next time!