In a document dated July 11, an interagency working group for “app governance” published a list of 30 applications that violate the Cybersecurity Law by excessively collecting user data. Ten applications, including the Bank of China’s banking app, are accused of having no privacy policy. Twenty others, including the Tinder-like dating app TanTan, are called out for asking users for excessive data access and making this access a condition for being able to use the app.
The app providers have 30 days to address these issues. The article refers back to a January announcement by the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation (SAMR), which announced a year-long campaign to identify violators of laws pertaining to personal information collection. (In March, the SAMR published a separate notice on a six-month special enforcement action, which DigiChina has translated here.)
In mid-June, China Information Security reported that the working group had received 5,500 reports of illegal data collection, which fell into five categories: data collected is not relevant to or necessary for the purpose of the app (31.2%); no public policy on data collection or privacy policy (19%); accounts cannot be deleted or logged out of, or data is not deleted after account cancellation (16.3%); users are forced to accept data collection for basic and additional functions as a bundle (9.6%); and personal information is collected without user consent, or is collected and uploaded before the privacy policy is displayed (8.1%).
According to the article, the working group reprimanded 30 apps for serious violations in early April, all of which addressed the data protection issues within a one-month deadline or after a reminder. This list of violators seems to have been different from the one published on July 11, indicating that the working group may have moved from direct reprimands to publicly naming violators or might still be determining the most effective way of enforcing compliance.
The two lists are notable indicators of an ongoing enforcement effort regarding data protection practices in China. While there is no indication that these laws will restrain the collection of personal data by government institutions, the working group’s announcements indicate that it scrutinizes data protection practices by commercial and some government-affiliated applications, such as that of the Bank of China.