On November 1, 2022, the national standard GB/T 41391-2022 “Information Security Technology Basic Requirements for Mobile Internet Applications (Apps) Collecting Personal Information,” published in April, will come into force. It applies to all app operators in China and is intended to regulate personal information collection activities. This standard is relevant to all companies that operate or plan to launch an app in China. The comprehensive standard includes in-depth information as well as detailed requirements for apps regarding the collection, storage and further use of personal data.
The guideline, which is not legally binding but is expressly recommended, follows the principle of minimum necessity with regard to the processing of personal data and aims to ensure transparent data collection and processing. Personal data collected by apps should have a clear, adequate and specific purpose of processing and be limited to the minimum necessary to achieve that purpose.
The published standard sets out the basic requirements for apps to collect personal data and provides the scope of, and clear guidance on the use of, the required personal data for common types of services, such as map navigation, instant messaging, online shopping, and even online payments. The scope of data typically includes the type, frequency, amount, and accuracy of personal data collected. Going forward, personal data should be collected in the way that has the least impact on privacy rights; that impact is usually related to the sensitivity of the personal data. The standard also addresses the monitoring, management and evaluation of personal data collection activities by supervisory authorities and external evaluation agencies.
The new provision is closely aligned with the existing Cyber Security Law (CSL), Data Security Law (DSL) and Personal Information Protection Law. Companies operating in China that have already aligned their IT compliance with the applicable laws should review and, if necessary, adjust the data collection and processing of their apps in China before the new standard comes into force. Companies that have not yet taken any measures under the CSL and DSL should first start implementing the measures necessary to achieve IT compliance with the laws already in force.