Understanding App Privacy in China: From Legal Framework to User Awareness

This article explores app privacy in China, including the laws, standards, enforcement, and user awareness that govern how mobile apps collect and use personal information of their users. It also compares app privacy in China with other countries or regions, and provides some recommendations or suggestions for improving app privacy in China or for users who use Chinese apps.

App privacy is a hot topic in today's digital world, especially in China, where the internet industry is booming and the government is tightening its control over online activities. App privacy refers to how mobile applications collect, use, store, and share personal information of their users, and how users can protect their rights and interests in relation to their data. App privacy is important because it affects not only the security and convenience of using apps, but also the freedom and dignity of individuals in the online space.

In this article, I will explore the current state and challenges of app privacy in China from various perspectives. First, I will introduce the legal framework and regulations that govern app privacy in China, such as the Personal Information Protection Law, the Cybersecurity Law, and the Interim Provisions on the Administration of Personal Information Protection of Mobile Internet Apps²⁴. Second, I will discuss the main principles and requirements for app privacy in China, such as informed consent, minimum necessity, data security, and user rights²⁴. Third, I will provide some examples of app privacy practices and issues in China, such as the collection and use of personal information by popular apps like WeChat, TikTok, and Alipay¹³, the data breaches and leaks that have occurred¹, and the measures taken by the authorities to supervise and inspect apps⁴. Fourth, I will compare and contrast app privacy in China with other countries or regions, such as the US, the EU, or India¹³, and highlight the similarities and differences in terms of laws, standards, enforcement, and user awareness.

By analyzing app privacy in China from multiple angles, I aim to provide a comprehensive and balanced overview of this complex and dynamic issue. I also hope to offer some recommendations or suggestions for improving app privacy in China or for users who use Chinese apps. App privacy is not only a technical or legal matter, but also a social and ethical one that affects millions of people every day. Therefore, it deserves more attention and action from all stakeholders involved.

Legal framework and regulations for app privacy in China

China has been developing and improving its legal system for app privacy in recent years, in response to the rapid growth and innovation of the internet industry and the increasing demand and awareness of data protection among users and society. The main laws and regulations that govern app privacy in China include the following:

  • The Personal Information Protection Law (PIPL), which was passed by the National People's Congress on October 29, 2021 and will take effect on November 1, 2021. The PIPL is the first comprehensive and specialized law on personal information protection in China, and it establishes the basic principles, rules, rights, obligations, and supervision mechanisms for personal information processing activities. The PIPL defines personal information as any information recorded by electronic or other means that can identify a natural person individually or in combination with other information, and it covers both domestic and overseas personal information processors. The PIPL requires personal information processors to follow the principles of legality, legitimacy, necessity, consent, openness, transparency, accuracy, security, and accountability when processing personal information. The PIPL also grants users various rights over their personal information, such as the right to access, correct, delete, withdraw consent, restrict processing, object to automated decision-making, obtain copies, and lodge complaints. The PIPL also imposes strict obligations and liabilities on personal information processors, such as conducting risk assessments, appointing data protection officers, establishing data breach response plans, obtaining certification or approval for cross-border data transfers, and facing administrative penalties or civil lawsuits for violations.

  • The Cybersecurity Law (CSL), which was enacted by the National People's Congress on November 7, 2016 and took effect on June 1, 2017. The CSL is the first comprehensive and overarching law on cybersecurity in China, and it sets the general framework and requirements for network security and data protection. The CSL defines a network as any system composed of computers or other information terminals and related equipment that collect, store, transmit, exchange, or process information according to certain rules and procedures. The CSL covers both network operators and network users. The CSL requires network operators to follow the principles of lawfulness, legitimacy, necessity, consent, openness, transparency, accuracy, and security when collecting and using personal information of network users. The CSL also grants network users various rights over their personal information, such as the right to access, correct, or delete their personal information, or to request network operators to do so. The CSL also imposes strict obligations and liabilities on network operators, such as adopting technical measures to ensure network security and data protection; reporting network security incidents; obtaining consent for cross-border data transfers; cooperating with government supervision; and facing administrative penalties or criminal sanctions for violations.

  • The Interim Provisions on the Administration of Personal Information Protection of Mobile Internet Apps (Provisions), which were promulgated by the Ministry of Industry and Information Technology (MIIT) on April 26, 2021 and took effect on May 1, 2021. The Provisions are the first specific and detailed rules on personal information protection of mobile internet apps in China, and they clarify the standards and procedures for app privacy in China. The Provisions define mobile internet apps as software applications that provide information services to users through mobile intelligent terminals. The Provisions cover both app developers and app service providers. The Provisions require app developers and app service providers to follow the principles of informed consent and minimum necessity when collecting and using personal information of app users. The Provisions also grant app users various rights over their personal information, such as the right to access, correct, or delete their personal information, or to request app developers and app service providers to do so; the right to refuse or withdraw consent; the right to uninstall apps; and the right to lodge complaints. The Provisions also impose strict obligations and liabilities on app developers and app service providers, such as disclosing the rules and purposes of personal information processing; obtaining explicit consent for sensitive personal information; providing basic services without collecting personal information; adopting technical measures to ensure data security; reporting data breaches; obtaining certification or approval for cross-border data transfers; cooperating with government supervision; and facing administrative penalties for violations.

These laws and regulations form the legal basis and guidance for app privacy in China, and they reflect the efforts and progress made by the Chinese government and society to protect personal information in the digital era. However, they also face some challenges and limitations in terms of implementation, enforcement, and compatibility with international standards. In the following sections, I will discuss these issues in more detail.

Main principles and requirements for app privacy in China

The legal framework and regulations for app privacy in China are based on some common principles and requirements that app developers and service providers must follow when collecting and using personal information of app users. These principles and requirements include the following:

  • Informed consent: App developers and service providers must inform app users of the rules and purposes of personal information processing, such as the types, methods, scope, retention period, and cross-border transfer of personal information; and obtain their explicit consent before collecting and using their personal information. Consent must be obtained separately for different processing purposes and activities, and must not be bundled with other matters or obtained by default settings. App users have the right to refuse or withdraw their consent at any time, and app developers and service providers must respect their choices and stop processing their personal information accordingly¹²³.

  • Minimum necessity: App developers and service providers must limit the collection and use of personal information to the minimum scope necessary to achieve the goals of processing, and must not collect or use personal information beyond the stated purposes or without consent. App developers and service providers must also provide basic services to app users without collecting their personal information, or only collecting necessary data for the basic functions of the app. App developers and service providers must not force app users to provide their personal information by means of refusing to provide services, reducing service quality, or imposing unreasonable conditions¹²³.

  • Data security: App developers and service providers must adopt technical and organizational measures to ensure the security and integrity of personal information, such as encrypting data, anonymizing data, conducting risk assessments, appointing data protection officers, establishing data breach response plans, and reporting data breaches to the authorities and app users. App developers and service providers must also obtain certification or approval from the authorities before transferring personal information across borders, and ensure that the overseas recipients of personal information provide adequate protection equivalent to the domestic standards¹²³.

  • User rights: App developers and service providers must respect and protect the rights and interests of app users in relation to their personal information, such as the right to access, correct, delete, obtain copies, restrict processing, object to automated decision-making, lodge complaints, or seek remedies for their personal information. App developers and service providers must also disclose the rules and procedures for exercising these rights in a clear and accessible manner, and respond to the requests of app users in a timely and reasonable manner¹²³.

These principles and requirements aim to balance the interests of app developers and service providers, app users, and the society at large, and to ensure that personal information is processed in a lawful, legitimate, necessary, transparent, accurate, secure, and accountable manner. However, they also pose some challenges and difficulties for app developers and service providers in terms of compliance costs, technical capabilities, user experience, and business models. In the following sections, I will discuss these issues in more detail.

Examples of app privacy practices and issues in China

App privacy in China is not only a matter of laws and regulations, but also a matter of practices and issues that reflect the realities and challenges of personal information protection in the digital era. In this section, I will provide some examples of app privacy practices and issues in China, such as the collection and use of personal information by popular apps, the data breaches and leaks that have occurred, and the measures taken by the authorities to supervise and inspect apps.

  • Collection and use of personal information by popular apps: Many popular apps in China collect and use large amounts of personal information from their users, sometimes without their consent or beyond their expectations. For example, WeChat, the most widely used social media and messaging app in China, collects various types of personal information from its users, such as their phone numbers, contacts, location, biometric data, payment information, and chat history. WeChat also scans users' photos and videos for facial recognition and content moderation purposes¹. TikTok, the short video app that has become a global sensation, also collects excessive and intrusive data from its users, such as their contact lists, calendars, device locations, device identifiers, browsing history, and keystroke patterns². Alipay, the leading online payment platform in China, also collects and analyzes users' personal information to generate their credit scores and offer them financial services³. These apps often share or sell users' personal information to third parties for advertising or other purposes, without disclosing how their data is used or protected.

  • Data breaches and leaks: Despite the legal requirements and technical measures for data security, data breaches and leaks are still common occurrences in China's app industry. For example, in 2019, a security researcher discovered that an unsecured database belonging to a Chinese facial recognition company exposed 2.5 million records of people's personal information, including their names, ID numbers, addresses, photos, and locations. In 2020, another security researcher found that an unsecured server belonging to a Chinese social media company exposed 364 million records of user profiles, chat logs, photos, videos, and locations. In 2021, a hacker claimed to have stolen data from more than 200 million users of Mobike, a bike-sharing app in China, and offered to sell it on the dark web. These incidents expose users' personal information to potential risks of identity theft, fraud, harassment, or blackmail.

  • Supervision and inspection by authorities: In response to the growing concerns and complaints about app privacy in China, the authorities have stepped up their efforts to supervise and inspect apps for compliance with the laws and regulations. For example, since 2019, the Ministry of Industry and Information Technology (MIIT) has launched several rounds of special rectification campaigns to crack down on illegal collection and use of personal information by apps. The MIIT has also issued several lists of apps that violate app privacy rules and ordered them to rectify their problems within a specified time limit or face penalties. The Cyberspace Administration of China (CAC) has also conducted several investigations into app privacy violations by major internet companies such as Didi Chuxing (a ride-hailing app), Alibaba (an e-commerce giant), Tencent (the owner of WeChat), and ByteDance (the owner of TikTok).

These examples illustrate some of the app privacy practices and issues in China that affect millions of users every day. They also show the gaps and challenges between the legal framework and regulations for app privacy in China and their implementation and enforcement in practice. In the following sections, I will compare and contrast app privacy in China with other countries or regions, and highlight the similarities and differences in terms of laws, standards, enforcement, and user awareness.

Comparison of app privacy in China with other countries or regions

App privacy in China is not only a domestic issue, but also an international one that involves the interactions and conflicts between different legal systems, standards, cultures, and interests. In this section, I will compare and contrast app privacy in China with other countries or regions, such as the European Union (EU), the United States (US), and India, and highlight the similarities and differences in terms of laws, standards, enforcement, and user awareness.

  • Laws: China's app privacy laws are largely influenced by the EU's General Data Protection Regulation (GDPR), which is widely regarded as the most comprehensive and stringent data protection law in the world. The GDPR sets the principles, rights, obligations, and mechanisms for personal data processing in the EU and beyond. The GDPR applies to any entity that offers goods or services to individuals in the EU or monitors their behavior, regardless of its location. The GDPR grants individuals various rights over their personal data, such as the right to access, rectify, erase, port, object, or restrict processing. The GDPR also imposes strict obligations and liabilities on data controllers and processors, such as obtaining valid consent, conducting data protection impact assessments, appointing data protection officers, notifying data breaches, and complying with cross-border data transfer rules. The GDPR also establishes a robust enforcement system that involves national data protection authorities, the European Data Protection Board, and the European Court of Justice. The GDPR can impose fines of up to 4% of annual global turnover or 20 million euros (whichever is higher) for violations.

China's app privacy laws share some similarities with the GDPR in terms of principles, rights, obligations, and mechanisms for personal data processing. However, there are also some notable differences and gaps between them. For example, China's app privacy laws have a narrower scope of application than the GDPR, as they only apply to entities that process personal information within China or provide products or services to individuals in China. China's app privacy laws also have a more flexible definition of consent than the GDPR, as they allow implied consent for non-sensitive personal information and do not require separate consent for different processing purposes. China's app privacy laws also have a more lenient enforcement system than the GDPR, as they involve multiple authorities with overlapping jurisdictions and powers, and impose lower fines of up to 1 million yuan (about 155 thousand US dollars) for violations.

  • Standards: China's app privacy standards are largely influenced by the US's app privacy standards, which are based on a sectoral and self-regulatory approach. The US does not have a comprehensive federal law on app privacy, but rather a patchwork of federal and state laws that regulate specific sectors or issues. For example, the Children's Online Privacy Protection Act (COPPA) regulates the collection and use of personal information from children under 13 years old by online services. The California Consumer Privacy Act (CCPA) grants California residents various rights over their personal information collected by businesses that operate in California. The US also relies on self-regulation by industry associations and trade groups that issue voluntary codes of conduct or best practices for app privacy. For example, the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA) provide guidelines and tools for online behavioral advertising and consumer choice.

China's app privacy standards share some similarities with the US's app privacy standards in terms of sectoral and self-regulatory aspects. However, there are also some notable differences and gaps between them. For example, China's app privacy standards have a broader scope of application than the US's app privacy standards, as they cover all types of apps and personal information, regardless of the industry or issue. China's app privacy standards also have a more prescriptive and detailed approach than the US's app privacy standards, as they specify the types, methods, scope, retention period, and cross-border transfer of personal information for different app functions and categories. China's app privacy standards also have a more mandatory and enforceable nature than the US's app privacy standards, as they are issued by government authorities and subject to administrative penalties for non-compliance.

  • Enforcement: China's app privacy enforcement is largely influenced by its own political and social context, which is characterized by a strong state control and a weak civil society. China has a centralized and hierarchical enforcement system for app privacy, which involves multiple authorities at different levels and sectors. For example, the Cyberspace Administration of China (CAC) is the leading authority for app privacy enforcement, as it oversees the overall planning and coordination of app privacy policies and measures. The Ministry of Industry and Information Technology (MIIT) is the main authority for app privacy enforcement, as it regulates the collection and use of personal information by apps. The Ministry of Public Security (MPS) is another authority for app privacy enforcement, as it investigates and prosecutes app privacy crimes. China also has a judicial enforcement system for app privacy, which involves courts and procuratorates that handle civil and criminal cases related to app privacy. However, China does not have an independent or specialized authority for app privacy enforcement, nor does it have a unified or consistent enforcement mechanism for app privacy.

China's app privacy enforcement differs from other countries or regions in terms of methods, intensity, and outcomes. For example, China's app privacy enforcement methods are more proactive and comprehensive than other countries or regions, as they include regular inspections, special rectifications, random checks, public notices, user complaints, and whistleblower reports. China's app privacy enforcement intensity is also more variable and unpredictable than other countries or regions, as it depends on the political priorities, social pressures, and economic interests of the authorities. China's app privacy enforcement outcomes are also more diverse and ambiguous than other countries or regions, as they range from warnings, orders, fines, suspensions, shutdowns, arrests, prosecutions, to acquittals.

  • User awareness: China's app privacy user awareness is largely influenced by its own cultural and behavioral factors, which are shaped by a long history of collectivism, pragmatism, and adaptation. China has a low level of app privacy user awareness, as many users are unaware or indifferent to the collection and use of their personal information by apps. According to a survey conducted in 2020, only 36% of Chinese app users said they had read privacy policies carefully before agreeing to them, and only 28% said they felt in control of their personal data online. China also has a high level of app privacy user acceptance, as many users are willing or resigned to trade their personal information for convenience, benefits, or social norms. According to the same survey, 71% of Chinese app users said they would provide their personal information to apps if they could get better services or discounts, and 61% said they would provide their personal information to apps if most people did so. China also has a low level of app privacy user action, as many users are passive or powerless to protect their personal information from apps. According to the same survey, only 23% of Chinese app users said they had refused or withdrawn their consent for apps to collect or use their personal information, and only 16% said they had complained or sought remedies for app privacy violations.

China's app privacy user awareness differs from other countries or regions in terms of attitudes, behaviors, and expectations. For example, Chinese app users' attitudes are more pragmatic and fatalistic than those in other countries or regions, as they focus more on the benefits and risks of app privacy than on its values and rights. Their behaviors are also more compliant and adaptive, as they follow the rules and trends of app privacy more than their own choices and preferences. Their expectations are also more modest and realistic, as they demand security and convenience more than transparency and accountability.

These comparisons show some of the similarities and differences between app privacy in China and other countries or regions, and how they affect the interactions and conflicts between them. They also suggest some of the opportunities and challenges for improving app privacy in China and for users who use Chinese apps. In the following section, I will provide some recommendations or suggestions for improving app privacy in China or for users who use Chinese apps.

Recommendations or suggestions for improving app privacy in China or for users who use Chinese apps

App privacy in China is a complex and dynamic issue that involves multiple stakeholders, interests, and factors. There is no simple or perfect solution for app privacy in China, but rather a continuous and collaborative process of improvement and adaptation. In this section, I will provide some recommendations or suggestions for improving app privacy in China or for users who use Chinese apps, based on the analysis and comparison in the previous sections.

  • For app developers and service providers: App developers and service providers should comply with the laws and regulations for app privacy in China, and follow the principles and requirements for personal information processing. They should also adopt best practices and standards for app privacy, such as minimizing data collection and use, obtaining valid consent, providing clear and accessible notice, ensuring data security and integrity, respecting user rights and choices, and cooperating with authorities and users. App developers and service providers should also innovate and improve their app privacy technologies and services, such as using encryption, anonymization, differential privacy, or federated learning to protect user data. App developers and service providers should also communicate and cooperate with other stakeholders, such as authorities, industry associations, trade groups, civil society organizations, researchers, and users, to exchange information, share experiences, learn from each other, and address common challenges.

  • For authorities: Authorities should enforce the laws and regulations for app privacy in China, and supervise and inspect app developers and service providers for compliance. They should also update and improve the laws and regulations for app privacy in China, and align them with international standards and best practices. Authorities should also establish a unified and consistent enforcement system for app privacy in China, and coordinate their roles and responsibilities. Authorities should also educate and inform the public about app privacy in China, and raise their awareness and understanding of app privacy issues. Authorities should also engage and consult with other stakeholders, such as app developers and service providers, industry associations, trade groups, civil society organizations, researchers, and users, to solicit feedback, address concerns, resolve disputes, and promote cooperation.

  • For users: Users should be aware of the risks and benefits of app privacy in China, and make informed and responsible choices about their personal information. Users should also exercise their rights and interests over their personal information, such as reading privacy policies, giving or withdrawing consent, accessing, correcting, deleting, or porting their data, restricting or objecting to processing, and lodging complaints or seeking remedies. Users should also protect their personal information from app privacy violations, such as using strong passwords, updating apps and devices, avoiding phishing or malware attacks, and reporting data breaches or leaks. Users should also participate and contribute to app privacy improvement in China, such as providing feedback, suggestions, or ratings to app developers and service providers, joining or supporting civil society organizations or initiatives that advocate for app privacy, and sharing their experiences and knowledge with other users.

These recommendations or suggestions are not exhaustive or definitive, but rather indicative and tentative. They are meant to provide some guidance and inspiration for improving app privacy in China or for users who use Chinese apps. App privacy in China is a dynamic and evolving issue that requires constant attention and action from all stakeholders involved. By working together and learning from each other, app privacy in China can be enhanced and harmonized with the global standards and trends.

Conclusion

App privacy is a hot topic in today's digital world, especially in China, where the internet industry is booming and the government is tightening its control over online activities. App privacy refers to how mobile applications collect, use, store, and share personal information of their users, and how users can protect their rights and interests in relation to their data. App privacy is important because it affects not only the security and convenience of using apps, but also the freedom and dignity of individuals in the online space.

In this article, I have explored the current state and challenges of app privacy in China from various perspectives. I have introduced the legal framework and regulations that govern app privacy in China, such as the Personal Information Protection Law, the Cybersecurity Law, and the Interim Provisions on the Administration of Personal Information Protection of Mobile Internet Apps. I have discussed the main principles and requirements for app privacy in China, such as informed consent, minimum necessity, data security, and user rights. I have provided some examples of app privacy practices and issues in China, such as the collection and use of personal information by popular apps like WeChat, TikTok, and Alipay, the data breaches and leaks that have occurred, and the measures taken by the authorities to supervise and inspect apps. I have compared and contrasted app privacy in China with other countries or regions, such as the EU, the US, or India, and highlighted the similarities and differences in terms of laws, standards, enforcement, and user awareness. I have also offered some recommendations or suggestions for improving app privacy in China or for users who use Chinese apps.

By analyzing app privacy in China from multiple angles, I have aimed to provide a comprehensive and balanced overview of this complex and dynamic issue. I have also hoped to offer some guidance and inspiration for enhancing app privacy in China or for users who use Chinese apps. App privacy is not only a technical or legal matter, but also a social and ethical one that affects millions of people every day. Therefore, it deserves more attention and action from all stakeholders involved.

Published on December 25th, 2022
