Corporate Compliance - Legal Risks in Relation to Excessive Collection of Personal Information

Broad & Bright
MEMBER FIRM OF Meritas


China September 19 2019

I. Foreword 

The China Consumers’ Association (CCA) released a report on November 28th, 2018, the Report on Evaluation over 100 Apps’ Personal Information Collection and Privacy Policy (the “Evaluation Report on 100 Apps”),[i] which finds that excessive collection or even use of all sorts of personal information, including sensitive personal information, is an issue with a large number of apps commonly used by consumers. The Internet Society of China (ISC) held an expert assessment meeting in Beijing on December 29th of the same year on the collection and use of users’ personal information by mobile apps,[ii] which found that 18 apps were suspected of excessively collecting sensitive information from users.

The Office of the Central Cyberspace Affairs Commission, jointly with three other government agencies, released the Announcement of Launching Crackdown Directed at Illegal Collection and Use of Personal Information by Apps (the “Crackdown Announcement”) on January 25th,[iii] which announced a crackdown specifically directed at illegal collection and use of personal information by apps, running through the entire calendar year of 2019. On March 3rd, 2019, the panel organized for the crackdown (the “Panel”) released the Guidance to Self-Assessment on Apps regarding Illegal Collection and Use of Personal Information to guide app operators in carrying out self-investigation and correction of their own behavior in the collection and use of personal information.

With the Cybersecurity Law taking effect in June 2017 and the regulations and standards issued for its implementation, enterprises are facing more challenges in legal compliance for personal information protection. This article attempts to analyse, with case studies, the compliance requirements, how to achieve compliance, and the legal risks that enterprises may face in relation to excessive collection of personal information, with a view to providing a reference for enterprises in achieving legal compliance in the relevant businesses.

II. The Category of Personal Information 

Pursuant to the Information Security Technology – Personal Information Security Specifications (GB/T 35273-2017) (“Personal Information Security Specifications”), personal information (“Personal Information”) refers to various types of information, recorded electronically or otherwise, that can be used independently or in combination with other information to identify a certain natural person or reflect his/her various activities, including but not limited to a natural person’s name, birthday, ID card No., personal biometric information, contact information, records and contents of communication, accounts and passwords, credit rating information, or whereabouts, etc.

Whether a piece of information is Personal Information may be determined primarily by either of the following criteria: (a) “distinguishable”, or “identifiable”, meaning that a specific natural person can be identified through the particularity of the information. That is to say, information falls under the definition of Personal Information if it contributes to identifying a specific individual, either alone or combined with other information; and (b) “connected”, i.e. there is a connection between the individual and the information. That is to say, in relation to an identified specific natural person, any information such person generates from his/her activities (such as information on personal location) is Personal Information. Information that meets either of the aforementioned two criteria shall be determined to be Personal Information.

Going further than the Cybersecurity Law, the Personal Information Security Specifications add one more criterion for Personal Information, i.e. information reporting the activities of a specific natural person. The report of the CCA and the conclusion of the ISC meeting, as described in the Foreword above, would suggest that any information in relation to a certain natural person also falls into the category of Personal Information, even if it cannot be used to identify such natural person.

III. Principles and Rulings on Restrictions for Collection of Personal Information 

The Cybersecurity Law, the Personal Information Security Specifications and other relevant regulations set forth, directly or indirectly, a number of principles for the protection of Personal Information, of which two are the primary principles restricting the collection of Personal Information.

1. Principle of Restriction - Purpose of Collection

The principle of restriction defines the purpose of a lawful collection of Personal Information, i.e. collection of Personal Information must have a lawful, legitimate, necessary and clearly-defined purpose, and shall not go beyond such purpose (the “Purpose Restriction Principle”).

As the CCA pointed out in the Evaluation Report on 100 Apps, many apps collected Personal Information that is of no obvious relevance to the functions of such apps as commonly understood by consumers, and such collection even far exceeded a reasonable extent. A typical example is that video and audio playback apps and photography and beautification apps tend to collect information on the user’s location, which is unnecessary for providing such services. Such collection is hence suspected of being excessive.

Broad & Bright - Ding Zhenyu and Michelle Cao