China is one step closer to curbing unscrupulous data collection by app developers. This week, the country's cybersecurity watchdog sought comments on what user information apps, from instant messengers to ride-hailing services, are allowed to collect.
The move follows a proposed data protection law that was published in October and is currently under review. The comprehensive data protection law should be a "milestone" if it is passed and implemented, wrote an editorial in China Daily, the official mouthpiece of the Chinese Communist Party. The law is intended to restrict data practices not only by private companies but also by government agencies.
"Some loss of personal information has resulted in economic loss for individuals if the information is used to cheat the target out of their money," the party newspaper said. "As technology has advanced, the collection of personal information has expanded to include biological information such as a person's face or even genes, which can have serious consequences if such information is misused."
Apps in China often force users to divulge excessive personal information by denying access when users refuse consent. The draft regulations published this week target this practice by defining the types of data collection that are "legal, proper and necessary".
According to the draft, "necessary" data is data that ensures the "normal operation of the basic functions of apps". As long as users have allowed the required data to be collected, apps must give them access.
Below are some examples of the personal data deemed "necessary" for different types of apps, as translated by China Law Translate.
Ride-hailing: The registered user's actual identity (usually in the form of their mobile phone number in China) and location information
Messaging: The actual identity and contact list of the registered user
Payment: The real identity of the registered user, the bank details of the payer / payee
Online shopping: The real identity of the registered user, payment details, information about the recipient such as name, address and telephone number
Games: The real identity of the registered user
Dating: The actual identity of the registered user and the age, gender, and marital status of the person seeking marriage or dating
There are also categories of apps that are required to give users access without first collecting personal information: live streaming, short video, video / music streaming, news, browsers, photo editors, and app stores.
It's worth noting that while the draft provides clear rules for apps, it doesn't provide details on how the rules will be enforced or how offenders will be punished. For example, will app stores include the benchmark in their approval process? Or will internet users be the watchdog? It remains to be seen.