Third-party SDK collection of user information may become the focus of APP inspection and rectification

Since May 1, 2021, the Central Cyberspace Administration of China has carried out 4 centralized inspections of the illegal and non-compliant collection and use of personal information by apps. Enforcement has been strong, and clear rectification results have been achieved. By analyzing the laws and regulations on which the inspection notifications are based, and the trends that emerged as they were carried out, we can anticipate how the handling of illegal collection and use of personal information by apps will develop.

  Overview of the notification

On May 1, May 10, May 21, and June 11, 2021, the Central Cyberspace Administration of China reported 291 apps in 17 categories in 4 batches. In terms of the categories involved, 44% of the 39 categories in the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications” have been notified, and 22 categories are still to be covered in follow-up inspections.

Taking the reported inspection results together, we found that the identified categories of illegal collection and use mainly involve:

“Violation of the principle of necessity, collection of personal information irrelevant to the services provided”: 141 apps, accounting for 48%. Together with the 103 apps that also violate the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications”, this accounts for 84% and is the top priority of the current inspection work;

“Collecting and using personal information without user consent”: 146 apps, accounting for 50%, also a main focus of inspection;

“Failing to provide functions for deleting or correcting personal information as required by law”: 28 apps, accounting for 9.6%;

“Undisclosed collection and use rules”: 11 apps, accounting for 3.7%;

Other types of violations, such as “the purpose, method and scope of the collection and use of personal information are not clearly stated”, “providing personal information to others without consent”, and “not publishing information such as complaints, reporting methods, etc.”, appear only in sporadic cases.

  Brief analysis of laws and regulations

On November 28, 2019, the State Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Market Supervision and Administration jointly formulated the “Approval Methods for the Collection and Use of Personal Information in Violations of App Laws and Regulations”, which sets out the basis for judging whether an app collects and uses personal information illegally. The categories include: “undisclosed collection and use rules”, “not expressly indicating the purpose, method and scope of the collection and use of personal information”, “collecting and using personal information without the user’s consent”, “violating the principle of necessity, collecting personal information irrelevant to the service provided”, “providing personal information to others without consent”, “failing to provide the function of deleting or correcting personal information in accordance with the law” and “not publishing information such as complaints, reporting methods, etc.”.

On March 22, 2021, the State Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation jointly formulated the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications” (hereinafter referred to as the “Regulations”), which define the scope of necessary personal information for 39 categories of apps, including map navigation, online ride-hailing, instant messaging, online communities, online payments, online shopping, and short videos, with implementation starting on May 1.

Relevant App operators should follow the requirements of the “Regulations”, check the basic functions of the App against the scope of necessary personal information, conduct a self-examination of the collection and use of personal information by the Apps they operate before May 1, and promptly correct anything that does not meet the requirements of the “Regulations”.

After the “Regulations” are formally implemented, distribution platforms such as app stores should review apps that apply for listing in accordance with the “Regulations”, and apps that do not meet the requirements of the “Regulations” will not be listed; apps that are already on the shelves should also be reviewed, and those that do not meet the requirements of the “Regulations” should be removed. Relevant departments should strengthen the supervision and inspection of app operators and of app stores and other distribution platforms in accordance with the requirements of the “Regulations”, promptly investigate and deal with illegal collection and use of personal information, and earnestly safeguard the legitimate rights and interests of citizens in cyberspace.

  Future trend outlook

Third-party SDK collection of user information may become the focus of APP inspection and rectification

Chart: Trends in Violations of Laws and Regulations

Judging from the trend in violation categories across the notified batches, violation of the principle of necessity, combined with the minimization requirements of the “Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications”, is still the focus for illegal and non-compliant collection and use by apps. Violations of informed consent, where users must agree to the collection and use, have gradually increased since the second batch and become a key issue. Transparency of collection and use rules and protection of users' rights to deletion and correction accounted for less than 10%; these areas involve further refinement of monitoring and evaluation standards and specifications. They are expected to be the key points of the second round of inspection and notification, after the first round is completed.

Providing information to others without consent requires detailed analysis of more complex business processes and of the complex interactions of back-end systems, and none of the four batches included a notification for it. However, whether the collection and use of user information by a third-party SDK's back-end service counts as providing information to others without consent still requires refined identification standards or independent supervision. At present, the collection of user information by third-party SDKs is still a serious problem, and it may be the focus of the next round of inspection and rectification.

At present, industry authorities have imposed penalties on the entities operating violating apps, such as rectification orders and announcements, removal of apps, and even disconnection of access. App operators that have repeatedly violated the rules under serious circumstances will face measures such as prohibition of entry and further increased penalties. The industry is now waiting for the “Interim Provisions on the Management of Personal Information Protection and Management of Mobile Internet Applications” to be officially released and implemented, which will put a greater test on the personal information collection security and compliance capabilities of app operating companies.
