On June 28, 2016, the Cyberspace Administration of China (CAC) issued Administrative Rules on Information Services via Mobile Internet Applications (the Apps Rules).
The Apps Rules became effective on August 1, 2016. With the largest number of mobile Internet users in the world, China is estimated to host more than 4 million mobile apps. Mobile apps are widely used by businesses for marketing promotions and for online sale of goods and services.
However, problems with illegal or improper use of mobile apps have emerged – for example, for terrorism or for pornography. The purpose of the Apps Rules is to increase regulatory control over mobile apps by imposing certain verification obligations on app providers and app store operators.
App providers will be required to verify their users’ identification by way of a mobile number or by other means. While app users can still use a public alias, their real names must now be registered with the relevant app provider, which must keep users’ activity logs for at least 60 days.
App store operators will be required to conduct authentication verification of app providers and must check on the security and legal compliance of apps. App store operators will also be required to file a registration with the local CAC authority at the provincial level before they can start any app store business. App store operators are required to supervise the app providers to protect users’ information.
A key focus of the Apps Rules is the protection of personal data. The Apps Rules state that app providers must comply with the principles of legality, appropriateness and necessity in collecting and using personal data. App providers will be required to give notice to app users about the purpose, means and scope within which personal data will be collected and used, and consent from users will be required before app providers can collect such personal data.
Where an app provider wishes to have access to a user’s geographic location, contacts list, recorded video and audio, or wishes to activate unnecessary services or to bundle unnecessary functions, the app provider will need to seek express consent from the app user in order to do so.
The Apps Rules emphasise the protection of IP rights of app providers and others. Under the Apps Rules, app providers shall not develop and publish apps which pirate rivals' products or infringe IP rights of others. App store operators will be required to protect the IP rights of app providers and to supervise the publication of apps.
The Apps Rules require app providers to sign an agreement with app store operators, with a view to allocating respective rights and obligations between them. If an app provider fails to comply with the requirements under the Apps Rules, the relevant app store operator may issue warnings, suspend release of relevant apps or remove them from the store. The Apps Rules envisage that the CAC, as regulator, will set up a whistle-blowing system so that the public can report any irregularities to the authorities.
The implementation of the Apps Rules will have significant implications for businesses which are using or intending to use mobile apps for their businesses in China. Such businesses will now need to review their operational practices in order to ensure compliance with the new obligations imposed by the Apps Rules.
For example, app providers may need to revise and update their apps so that they can verify the identity of users and record users’ activities for a minimum period of 60 days (if this has not been done under their current operational practices).
In addition, with the roll-out of the new real name registration scheme, a vast amount of personal data will be handled by app providers and app store operators. Each of them will be required to comply with the requirements laid down in the Apps Rules and in other applicable Chinese data rules in the collection and use of personal data. App providers and app store operators must now review their personal data policies to see whether any necessary changes have to be made in order to comply with the new law.
The issuance of the Apps Rules appears to be consistent with China’s increased regulatory focus in favour of a safer cyber environment. Several days before the promulgation of the Apps Rules, a new regulation on Internet information search services was passed to tighten oversight over search engines, and the draft Cybersecurity Law was submitted to China’s top legislature for a second review. We expect that the final draft of the Cybersecurity Law will be issued later this year.
Barbara Li is a Partner at Norton Rose Fulbright. Olivia Yang is an Associate at Norton Rose Fulbright.