Privacy & Information Security Law Blog

On March 12, 2021, the Cyberspace Administration of China released Provisions on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications” (the “Provisions”) (available here in Chinese).

The Provisions generally are consistent with the draft version previously issued for public comments on December 1, 2020 and include additional details, as well as new provisions relating to ticketing applications (e.g., those for purchasing seats at performances).

According to the Cybersecurity Law of China, collection of personal information must follow the principles of legitimacy, propriety and necessity. Under the Provisions, “necessary personal information” is defined as personal information that is necessary to the regular operation of mobile applications (“apps”), i.e., personal information without which the apps could not provide their intended basic functions. Apps are prohibited from refusing users the ability to use the apps’ basic functions in the event that users do not provide additional personal information beyond necessary personal information. For instance, for an online shopping app, the necessary personal information would include registered users’ mobile phone numbers, names, addresses and payment information (such as payment time, payment amount and payment channel). If, for example, the online shopping app requested location information from users, the app still would have to provide basic functions even to users who rejected the request for location information.

The Provisions specify 39 common types of apps and the scope of necessary personal information these apps may collect and use, which varies depending on the specific type of app. The common types of apps include those for: (1) map navigation; (2) online car-hailing services; (3) instant messaging; (4) online communities; (5) online payment; (6) online shopping; (7) food and beverage delivery; (8) mail, express mail and posting and delivery; (9) transportation ticketing; (10) marriage and dating; (11) job search and recruitment; (12) online lending; (13) housing rental and sales; (14) used car trading; (15) doctor inquiries and appointments; (16) tourism services; (17) hotel services; (18) online gaming; (19) online education; (20) local living; (21) women’s health; (22) car services; (23) investment and financial management; (24) mobile banking; (25) email and cloud storage; (26) remote conferencing; (27) webcasting; (28) online audio and video; (29) music video clips; (30) news; (31) sports and health; (32) internet browsing; (33) input methods; (34) safety management; (35) e-books; (36) photography enhancement; (37) application stores; (38) utilities and practical tools; and (39) ticketing.

The types of apps that do not require the collection of any personal information for basic functions and services include those for webcasting, online audio and video, music video clips, news, sports and health, internet browsing, input methods, safety management, e-books, photography enhancement, application stores, utilities and practical tools, and ticketing. For these apps, users may install and use the apps’ basic functions without providing any personal information.

The Provisions will become effective beginning May 1, 2021.