MIIT Solicits Opinions on APP Personal Information Protection and Processing

Entering the digital and information age, the widespread application of big data and artificial intelligence has made people's production and life more convenient and brought unprecedented quality experience. However, the privacy and security issues it has spawned have also caused concerns in the whole society. In recent years, many software apps have introduced various intelligent technologies, which not only makes people's privacy increasingly "naked", but also breeds many "killing familiarity" incidents.

In this context, it is urgent to strengthen APP management and rectification, strengthen App personal information protection, and standardize App personal information processing. As early as 2019, my country has launched several special rectification actions against APP infringement of user rights, and issued warnings, interviews, and dealt with a large number of illegal APPs. Recently, the Ministry of Industry and Information Technology once again solicited opinions on the protection and processing of APP personal information, in order to thoroughly eradicate it from the source through legal improvement.

On April 26, the Ministry of Industry and Information Technology, together with the Ministry of Public Security and the State Administration for Market Regulation, drafted the "Interim Provisions on the Protection and Management of Personal Information of Mobile Internet Applications (Draft for Comments)" and solicited opinions for a month. In the draft for comments, specific and detailed requirements for the protection and management of APP personal information were made, and the different obligations of different entities for the protection of APP personal information were emphasized. In addition, the punishment measures for violating the regulations were clarified.

Specifically, the draft opinion proposes that three requirements should be met when conducting APP personal information processing activities:

First, legal and legitimate methods should be adopted, the principle of good faith should be followed, the user's right to consent, right to know, right to choose and personal information security should be effectively protected, and the personal information processing activities should be responsible. Second, the rules for personal information processing should be informed to users in clear and understandable language, and users should make voluntary and clear expressions of intent on the premise of being fully informed. Third, there should be clear and reasonable purposes, and the principle of minimum necessity should be followed.

Among them, in the second requirement, the draft opinion emphasizes that on the App login and registration page and when the App is first run, users should be informed of the personal information processing rules through pop-ups, text links, attachments and other concise, obvious and easy-to-access methods; non-default check boxes should be used to obtain user consent; the user's right to choose should be respected, and personal information shall not be processed before obtaining the user's consent or after the user clearly expresses his or her refusal.

At the same time, in the third requirement, the draft opinion states that the quantity, frequency, accuracy, etc. of processing personal information should be necessary for the service; local reading, writing, deletion, modification and other operations of personal information should be necessary for the service and must not exceed the scope of user consent; after the user refuses the relevant authorization application, the App shall not be forced to exit or close; when the user refuses to provide personal information that is not necessary for such service, it shall not affect the user's use of the service.

The draft opinion also proposes corresponding obligations for different APP entities:

For example, App developers and operators should enhance awareness of personal information protection in products and services, and implement protection requirements in product design, development and operation. When providing users with search results of goods or services based on personal information, they should ensure that the results are fair and reasonable. When using third-party services, they should formulate management rules and clearly indicate the information of third-party service providers of App. They should strengthen front-end and back-end security protection and actively monitor and discover violations.

App distribution platforms. Register and verify the real identity, contact information and other information of App developers, operators and providers; indicate in a prominent position the list of user terminal permissions and personal information collection information required for App operation; do not deceive or mislead users into downloading Apps; conduct standardized review of newly listed Apps; establish a management mechanism for App developers and operators; promptly cooperate with regulatory authorities in carrying out work related to problematic Apps; and set up a convenient complaint and reporting portal.

App third-party service providers . Formulate and publicize personal information processing rules; disclose personal information processing related content to App developers and operators in a clear, understandable and reasonable manner; do not wake up, call, update, etc. without the user's consent or in the absence of reasonable business scenarios; take adequate management measures and technical means to protect personal information; do not share or transfer collected user personal information without the user's consent.

Manufacturers of mobile smart terminals . Improve the terminal permission management mechanism and promptly fill in the loopholes in permission management; establish a terminal startup and associated startup app management mechanism; continuously optimize the status of personal information permissions in use, especially the prominent prompt mechanism for sensitive permissions in use; establish a key app attention list management mechanism and improve app management measures; review pre-installed apps and continuously monitor personal information security risks; and improve the terminal device identification management mechanism.

Network access service providers . When providing network access services to apps, they must register and verify the real identity, contact information, and other information of the app developer and operator; in accordance with the requirements of the supervisory and management departments, they must take necessary measures such as suspending access to illegal apps in accordance with the law to prevent them from continuing to violate user personal information and other legitimate rights and interests.

Once the relevant subject violates the regulations, it will be ordered to make rectifications and be subject to a series of disposal measures such as public announcement, removal from shelves, disconnection of access, restoration of shelves, restoration of access, credit management, etc. If the circumstances are serious, a ban will be imposed. At the same time, if the App personal information processing activities infringe on the rights and interests of personal information, it will be punished in accordance with relevant regulations; if it constitutes a crime, the public security organs will pursue criminal liability in accordance with the law.