On March 12, 2021, the Ministry of Industry and Information Technology and the Ministry of Public Safety jointly issued the Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (“Rules”), effective May 1, 2021. The Rules are promulgated based on China’s Cybersecurity Law1 (“Cybersecurity Law”) and aim to regulate the collection of personal information by mobile internet applications (“Apps”) and to safeguard personal information of Chinese individuals.
Under the Rules, Apps are not allowed to decline to provide their basic functions to users if those users refuse to provide personal information other than what is categorized as “necessary personal information” (“Necessary PI”). In other words, users who provide the Necessary PI to an App should be able to use the App’s basic functions. Or, in cases where the Rules identify no Necessary PI, users should be able to have unfettered access to the App’s basic functions without providing any personal information. “Personal information” is defined as information recorded in electronic or any other form that is used either alone or in combination with other information to identify an individual, including but not limited to: the individual’s name, date of birth, ID number, personal biological information, address and telephone number.2
App developers and businesses should be aware of and comply with the Rules and be especially careful in collecting information outside the Necessary PI. According to Article 41 of the Cybersecurity Law, network operators (broadly defined to include App developers and owners) should not collect personal information that is not relevant to the service being provided. Violating this article will result in administrative penalties to the business, including a warning, forfeiture and/or fines up to 10 times any illicit gains (or fines up to RMB 1,000,000 if no illicit gain), depending on the circumstances. Directly responsible person(s) can also be subject to fines up to RMB 100,000. Serious violations can even result in suspension of the business, closure of the website and/or revocation of licenses and permits.
What is considered Necessary PI for common Apps under the Rules is listed below: