China continues to regulate the collection of private data in apps. For example, the importance of compliance with software development kits (SDKs) has increased significantly. Since June 2021, the authorities have been cracking down on the illegal use of SDKs in apps with SDK Security Special Actions.
A software development kit is a collection of software development tools in an installable package. The app operator can integrate different kits provided by SDK vendors depending on the functional requirements. For Western companies that want to operate apps in China, legal risks may arise when integrating SDKs into their apps, especially when SDKs process personal data.
The legal risks for app operators depend on the role of SDK providers in processing personal data. If the provider is the app operator’s commissioned processor, i.e., it does not have the purpose of using personal data itself but merely processes it according to the app operator’s instructions, the operator bears the responsibility.
If the provider is an independent processor of personal data, then the operator is still in the position of a platform party. If the SDK provider violates data protection laws, the operator may be liable to pay damages for assistance.