I. Foreword
China Consumers’ Association (CCA) released a report on November 28th, 2018, Report on Evaluation over 100 Apps’ Personal Information Collection and Privacy Policy (the “Evaluation Report on 100 Apps”),i which finds that excessive collection or even use of all sorts of personal information, including sensitive personal information, is an issue with a large number of apps commonly used by consumers. The Internet Society of China (ISC) held an expert assessment meeting in Beijing on December 29th in the same year, on the collection and use of user’s personal information by mobile apps,ii which found 18 apps were suspected of excessively collecting sensitive information from users.
The Office of the Central Cyberspace Affairs Commission, jointly with three other government agencies, released the Announcement of Launching Crackdown Directed at Illegal Collection and Use of Personal Information by Apps (the “Crackdown Announcement”) on January 25th,iii which announced the a crackdown especially launched and directed at illegal collection and use of personal information by apps through the entire calendar year of 2019. On March 3rd, 2019, the panel organized for such crackdown (the “Panel”) released the Guidance to Self-Assessment on Apps regarding Illegal Collection and Use of Personal Information to guide app operators to carry out self-investigation and correction of their own behavior on the collection and use of personal information.
With the effectiveness of the Cybersecurity Law in June 2017 and the regulations and standards issued for its implementation, enterprises are facing more challenge in legal compliance of personal information protection. This article attempts to analyse, with case studies, the compliance requirements, how to achieve compliance and legal risks that enterprises may face in relation to excessive collection of personal information, with a view to provide a reference for enterprises in achieving legal compliance in the relevant businesses.
II. The Category of Personal Information
Pursuant to the Information Security Technology – Personal Information Security Specifications (GB/T 35273-2017) (“Personal Information Security Specifications”), personal information (“Personal Information”) refers to various types of electronic information, or recorded otherwise, that can be used independently or in combination with other information to identify a certain natural person or his/her various activities, including but not limited to a natural person’s name,
birthday, ID card No., personal biometric information, contact information, records and contents of communication, accounts and passwords, credit rating information, or roundabouts, etc.
An information may be determined as to whether it is a Personal Information by, primarily, either of the following criteria: (a) “distinguishable”, or “identifiable”, which refers to an information through its particularity a specific natural person can be identified. That is to say, an information falls under the definition of Personal Information if it contributes to identifying specific individuals, either alone or integrated with other information; and (b) “connected”, i.e. connection between the individual and the information. That is to say, in relation to an identified specific natural person, any information such person generates from his/her activities (such as information on personal location) is of Personal Information. Information that meets one of the aforementioned two criteria shall be determined as Personal Information.
Further from Cybersecurity Law, Personal Information Security Specifications add one more criteria of Personal Information, i.e. information reporting the activities of a specific natural person. The report of CCA and conclusion of the meeting of ISC, as described in the Foreword above, would suggest that any information in relation to a certain natural person also falls into the category of Personal Information, even if which is unable being used to identify such certain natural person.
III. Principles and Rulings on Restrictions for Collection of Personal Information
The Cybersecurity Law and Personal Information Security Specifications and other relevant regulations set forth, directly or indirectly, a number of principles for the protection of Personal Information, under which two are the primary principles which restrict the collection of Personal Information.
1. Principle of Restriction - Purpose of Collection The principle of restriction is to define the purpose of a legal collection of Personal Information, i.e. collection of Personal Information must have a lawful, legitimate, necessary and clearly-defined purpose, and shall not go beyond such purpose (the “Purpose Restriction Principle”).
As CCA pointed out in the Evaluation Report on 100 Apps that many apps collected Personal Information that are of no obvious relevance to the functions of such apps commonly understood by consumers, and such collection even far exceeding a reasonable extent. A typical example is that apps of video and audio play and apps of photographing and beautification tend to collect information on user’s location, which is unnecessary for providing such services. It is hence suspected of an excessive collection.