The Chinese government has imposed new regulations on companies that engage in data collection in the country, targeting 41 apps that were found to be out of compliance with existing rules.
Data privacy in China is primarily regulated by the Personal Information Security Specification, a cybersecurity law that was adopted in 2018 and is modeled after Europe’s General Data Protection Regulation (GDPR). Renewed focus was put on compliance with these standards in 2019, as the government appointed a special task force to spend the entire year reviewing commonly-used smartphone apps to ensure that they do not collect excessive data. In May of 2019 the government also issued an updated data security regulation that helps to centralize and clarify standards for software and app developers.
The government has indicated that companies that did not get their data collection practices into compliance by the end of 2019 could face substantial fines, and possibly even a loss of business licenses.
China’s data collection standards
The 41 apps that were cited include some of the most frequently used in the country, from some of the biggest publishers. Tencent Holding Ltd.’s instant messaging app QQ, Sohu News and Xiaomi Finance were among those found to be out of compliance with regulations.
The Chinese government did indicate in a statement that the QQ app was flagged for requiring users to turn over too much personal data and making it too hard to deactivate accounts, and the Sina Sports app was collecting personal information it was not authorized to have. To date, 10 companies have been fined for data privacy violations and two have been put under criminal investigation due to the manner in which they collect personal information.
In total China has notified over 100 companies of necessary changes since the new data collection standards went into effect, and over 8,000 apps have been modified as a result. The Ministry of Industry and Information Technology (MIIT) stated that the government would continue to crack down on apps that do things like continuing to track the locations of users after they have been closed, and apps that require users to provide information that isn’t really necessary.
The government’s current enforcement action is focusing on five specific points of interest: apps that collect more data than they need (or notify the user about), making consent to unreasonable permissions a requirement of use of the app, making it too difficult to cancel or delete accounts, using collected data improperly, and failing to notify the user of the sharing of data with third parties.
China’s National Computer Network Emergency Response Technical Team has called the unauthorized use of personal data a “prominent issue” and says that 30% of the mobile apps investigated in the first half of 2019 were accessing privileges and data that they did not need to function.
The extent of data privacy in china
In addition to following the public data collection terms, app and software developers in China are also required to comply with the government’s policies on censoring certain information. These terms are much less transparent and are generally believed to be privately communicated to each social media and app company by the government.
Some of the app issues are attributable to data collection violations, but it remains unclear how much (if any) due to failure to comply with censorship policies. The Chinese government has been known to swiftly strip media companies of their business licenses not just for publishing forbidden material, but for allowing users to publish it. Earlier this year the government revoked the business license of game publisher Indievent for involvement with a title that was perceived as having elements that mocked president Xi Jinping, and several years ago publishing giant Sina Corp temporarily lost a business license for allowing a handful of articles and videos considered to be “pornographic” to be published by users through its web portal.
To a casual observer, it might seem that the Chinese government would not be in a hurry to restrict its companies from data collection. The country’s much-publicized intelligence and espionage laws essentially give the Ministry of Public Security and other agencies unlimited access to any data that private companies within its borders collect.
It may be that the government feels it already has all the citizen data it needs, but a more likely explanation is that this is all in a response to a boom in cyber crime. Data siphoning has become a lucrative business in the country, with organized crime getting involved and re-selling stolen data for very low prices. In April, a data theft ring of 32 people was broken up by the government after trading some 39 million records of personal information. Earlier in the year, 200 million resumes from Chinese job portal sites were scraped and put up for sale.
One key difference between the Chinese data collection laws and regulations and the GDPR is that while internet users there have fairly extensive rights to notifications, opt-ins and to the ability to close accounts, there is little right to access and alter stored personal data.