China continues to regulate the collection of private data in apps. For example, the importance of compliance with software development kits (SDKs) has increased significantly. Since June 2021, the authorities have been cracking down on the illegal use of SDKs in apps with SDK Security Special Actions.
A software development kit is a collection of software development tools in an installable package. The app operator can integrate different kits provided by SDK vendors depending on the functional requirements. For Western companies that want to operate apps in China, legal risks may arise when integrating SDKs into their apps, especially when SDKs process personal data.
The legal risks for app operators depend on the role of SDK providers in processing personal data. If the provider is the app operator’s commissioned processor, i.e., it does not have the purpose of using personal data itself but merely processes it according to the app operator’s instructions, the operator bears the responsibility.
If the provider is an independent processor of personal data, then the operator is still in the position of a platform party. If the SDK provider violates data protection laws, the operator may be liable to pay damages for assistance.
To avoid the legal risks arising from the integration of SDK products into apps, we suggest that app operators set out the rules for handling personal data and the responsibilities to be borne through agreements with SDK providers or otherwise, inform data subjects about the handling of personal data by SDKs in the privacy policy, and disclose the purpose of use, personal data collected, and contact information, etc. of SDK providers. In addition, the data processing activities of the providers should be monitored and audited regularly. An appropriate contingency plan should be in place to enable operators to act quickly and minimize risks.
Picture: Shutterstock
China Intellectual Property Blog 