China’s Ministry of Industry and Information Technology (“MIIT”) has continued to amplify its scrutiny over media companies and the apps that they operate in the context of user data protection. One of the more visible examples is the suspension of certain apps in late 2021, including WeChat, the ubiquitous Chinese social communications platform owned by the Chinese internet services giant Tencent. Given the popularity of such messaging apps in workplaces and how common it is for employees to use these apps for business purposes, companies with operations in China should consider the implications of potential further action by the MIIT or other Chinese authorities and the interplay between data privacy and the ability to monitor workplace conduct, as well as maintenance of accurate business records.
Recent Actions by the MIIT
On November 24, 2021, the MIIT suspended Tencent from updating its existing apps or launching any new apps as part of its “temporary administrative guidance,” and required all new apps and updates to go through an MIIT review process, which ran from November 24 to December 31, 2021, before the apps could be uploaded to app stores.1 Tencent only received a regulatory green light to resume updates for nine of its apps on December 17, 2021. During the suspension period, the existing version of WeChat remained in use and downloadable in China, although updates to the app were not available to consumers.
As a result, nine large state-run Chinese companies, including China Mobile Ltd., China Construction Bank Corp. and China National Petroleum Corp., reportedly instructed employees to delete and stop using WeChat work group chats soon thereafter, citing data security concerns. Private institutions do not appear to have taken similar measures, though certain international companies and banks have historically banned the use of personal phones and messaging apps at work.
The order marked the latest move in a continuing regulatory crackdown in China involving data privacy across a range of sectors, and arrived days after China's Personal Information Protection Law (“PIPL”), a sweeping ordinance dictating online privacy practices, went into full effect. Not only do such developments impact data privacy obligations, they could also potentially impact the ability to conduct business and maintain records, given the significant use of messaging platforms to conduct business communications.
Other MIIT Initiatives
The MIIT sanctions against Tencent were made in a broader context of increased regulatory scrutiny over data privacy. In particular, the MIIT made various announcements on November 1, 2021, emphasizing initiatives to enhance user protection and service, including requiring 39 major technology companies and their main apps (including WeChat) to maintain a “Double List” of collected personal data and personal data shared with third parties, which should be made available to users by the end of December 2021.2 As such, the MIIT has spread a wide net, targeting a number of technology companies that offer both personal and business-related services.
Regulatory enforcement has only continued. On November 3, 2021, MIIT further identified 38 apps as problematic for reasons including “deceiving, misleading and forcing users,” “collection of personal data exceeding scope,” and “App forcibly, frequently, overly requests authorization.” Since 2019, there have been 21 such lists recording violations related to excessive data collection and app permissions that require “special rectification actions” as part of Beijing’s efforts to rein in the use of consumer data in a once laxly regulated internet sector.3
More recently, on February 18, 2022, the MIIT ordered the rectification of 107 apps, which were found to have “illegally collected individual data,” “forced users to turn on notifications” or “forcefully, frequently and excessively requested permissions.”4 This list included hotel booking apps for Shangri-La and IHG. The MIIT has since published two additional lists of Chinese apps that were found to have violated laws on data collection and usage in March and April 2022.
The MIIT has also taken action where app developers have failed to rectify data privacy violations as required by the MIIT. On December 9, 2021, the MIIT removed 106 apps from Chinese app stores. The MIIT also alluded to administrative penalties that would be imposed on app operators who refused to rectify serious violations.
Although there have been some reports that the Chinese government may ease its focus on the technology sector, given recent enforcement trends, Chinese regulators’ attention to the sector could continue.
Nonetheless, data privacy remains a key concern for the authorities, and recent actions by the MIIT raise implications for the security and accessibility of company information exchanged via such messaging platforms, given the Chinese government’s apparent willingness to suspend certain apps at short notice. In light of the U.S. FCPA requirements that corporations implement appropriate guidance and controls to ensure retention of business records or communications that take place over messaging apps, companies may wish to consider their existing policies and controls from a data preservation and books and records perspective if employees are using external apps for company business.