On behalf of the 240 members of the US-China Business Council (USCBC), we appreciate the opportunity to submit comments on the draft Regulations on Mobile App Personal Information Protection (hereafter referred to as “the Draft”) to the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation. We appreciate efforts to clarify how companies should treat personal information within mobile applications and to increase protections of user information.
USCBC received comments from companies across sectors that could be impacted by the Draft. We respect the Draft’s emphasis on protecting personal information and promoting user consent. It aims to establish standards for collection of personal information among app developers, operators, and third parties, articulating consent procedures and technical requirements.
However, USCBC and its member companies would like to encourage the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation to take note of areas of feedback that stand to broadly impact US businesses operating in China. In particular, we would like to note the following suggestions:
- Overlap with existing regimes: Article 2 of the Draft specifies that other personal information laws and regulations will take precedence with regard to processing personal information. It is at present unclear how the Draft would intersect with other legislation, including the draft Personal Information Protection Law. We recommend clarifying how the Draft will align with or differ from related regulations to avoid confusion or unnecessary compliance burdens.
- Clarify key definitions: The Draft provides definitions of key actors, including mobile app personal information processing activities, developers and operators, and third-party service providers. It does not, however, provide a comprehensive definition of a mobile application itself, including mini programs, pop-up windows, and private domain apps, nor does it distinguish clearly between third-party app services and the app developer/operator. In order to avoid confusion, we recommend clearly defining these key terms.
- Extraterritorial application: As per Article 2, the scope of the current Draft concerns apps developed within the territory of the People’s Republic of China. We recommend clarifying the territorial component of this regulation, including, for example, if the regulation will apply to apps developed outside of China that are then distributed through China-based app stores. We recommend clarifying that the Draft’s regulatory scope applies to applications developed, operated, registered or with a server or distribution platform located within mainland China.
- Expanding the legal basis for information collection: Article 6 establishes consent as the legal basis for collecting personal information within mobile apps. We recommend that the Draft align with the draft Personal Information Protection Law to include legal frameworks other than consent, including collecting personal information on the grounds of “legitimate interest” (as per the European Union’s General Data Protection Regulation). This will both allow for businesses to navigate complex processing requirements, including public health emergencies, and encourage regulatory consistency with other emerging privacy regimes.
- Extending compliance timelines: Article 16 of the Draft provides for a timeline of 5 business days to correct non-compliant practices. We recommend extending this timeline for 10-15 days and including mechanisms for review, clarification, and appeal.