
Comment丨How do APP companies carry out compliance construction?

Author: 21st Century Business Herald

China's Personal Information Protection Law came into force on November 1, 2021. It sets out clear provisions on the collection, use and storage of personal information, and further demonstrates the attitude and determination of the Party and the state in protecting personal information.

In practice, APPs are the "hardest hit area" for infringement of citizens' personal information, and in recent years the relevant state departments have continuously increased the penalties for such infringement.

Since December 19, 2019, the Ministry of Industry and Information Technology has issued a total of 20 batches of APP rectification notices, requiring 1234 APPs to be rectified; 311 of the APPs that were not subsequently rectified have been ordered removed from app stores.

By breaking down the types of these 1234 APPs and the specific rectification items required by the Ministry of Industry and Information Technology, the author summarizes the compliance issues that APP enterprises may be involved in and proposes specific solutions to them.

Since December 19, 2019, the Ministry of Industry and Information Technology has issued a total of 20 batches of rectification notices: the 1st to 9th batches were issued before January 1, 2021, and the 10th to 20th batches after January 1, 2021. The Ministry has also issued a total of 13 batches of APP removal notices: the 1st to 5th batches before January 1, 2021, and the 6th to 13th batches after January 1, 2021. The number of APPs in each of the 20 rectification batches is shown in the following table:

[Table image: number of APPs in each of the 20 rectification batches]

In total, 1234 APPs were covered by the 20 rectification batches, of which 84 were notified more than twice; 311 APPs were covered by the 13 batches of removal notices, of which 2 APPs were removed twice.

In addition, Article 5 of the Provisions on the Scope of Personal Information Necessary for Common Types of Mobile Internet Applications classifies APPs into 39 categories such as map navigation, online ride-hailing and instant messaging; the 1234 APPs in these 20 batches of notices are spread across these categories.

To further understand the specific personal information protection problems of APP enterprises, we classified and consolidated the problems cited in all rectification and removal notices, which reflect the following aspects:

[Chart images: types and distribution of problems cited in the rectification notices and in the removal notices]

First of all, the types and distribution of problems cited in the rectification notices show that illegal collection of personal information is the focus of supervision by the regulatory authorities and is also the most frequent violation, at 36.48%. The second most frequent is mandatory, frequent or excessive requests for permissions by the APP, at 19.31%.

The statistics on the types and distribution of problems cited in the removal notices further reflect the importance of illegal collection of personal information in APP compliance: it accounts for an overwhelming 81.76% of the problems.


It is common for the same APP to be cited for multiple rectification issues. Across the 20 batches of notices, a single APP was required to rectify as many as six problems.

A news and information APP with six problems requiring rectification:


A housing rental and sale APP with five problems requiring rectification (notified twice by the Ministry of Industry and Information Technology):


An e-book APP with five problems requiring rectification:


APP enterprises face many compliance risk points in the three key stages of user registration, use and account cancellation. Drawing on the Personal Information Protection Law and related provisions, the author analyzes the civil, administrative and criminal liabilities that APP enterprises may face.

In terms of civil liability, if an APP infringes a user's personal information rights and interests and causes damage, and the APP enterprise cannot prove that it is not at fault, it shall bear tort liability such as compensation for damages.

According to Article 69 of the Personal Information Protection Law: Where the handling of personal information infringes upon personal information rights and interests and causes damage, and the personal information processor cannot prove that it is not at fault, it shall bear tort liability such as compensation for damages.

The liability for damages provided for in the preceding paragraph shall be determined on the basis of the losses suffered by the individual as a result or the benefits obtained by the personal information processor as a result; where the losses suffered by the individual as a result and the benefits obtained by the personal information processor as a result are difficult to determine, the amount of compensation shall be determined on the basis of the actual circumstances.

In terms of administrative liability, if an APP infringes users' personal information, the competent authority may order corrections and issue a warning; where the circumstances are serious, it may impose fines and other corresponding administrative penalties.

According to Article 66 of the Personal Information Protection Law: Where personal information is handled in violation of the provisions of this Law, or where the handling of personal information fails to perform the obligations of personal information protection provided for in this Law, the department performing personal information protection duties shall order corrections, give warnings, confiscate illegal gains, and order the suspension or termination of the provision of services for applications that illegally handle personal information; those who refuse to make corrections shall be fined not more than 1 million yuan; and the directly responsible managers and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.

Where there is illegal conduct provided for in the preceding paragraph and the circumstances are serious, the department performing personal information protection duties at the provincial level or above shall order corrections, confiscate the illegal gains, and impose a fine of not more than 50 million yuan or not more than 5 percent of the previous year's turnover; it may also order the suspension of relevant business or suspension of business for rectification, and notify the relevant competent departments to revoke the relevant permits or the business license. The directly responsible managers and other directly responsible personnel shall be fined between 100,000 and 1 million yuan, and it may also be decided to prohibit them from serving as directors, supervisors, senior management personnel or persons in charge of personal information protection of relevant enterprises for a certain period of time.

Article 67 of the Personal Information Protection Law: Where there is illegal conduct provided for in this Law, it is to be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations, and made public.

Article 70 of the Personal Information Protection Law: Where personal information processors handle personal information in violation of the provisions of this Law, infringing the rights and interests of many individuals, the people's procuratorates, consumer organizations provided for by law, and organizations designated by the state internet information department may lawfully file a lawsuit with the people's courts.

Article 71 of the Personal Information Protection Law: Where violations of the provisions of this Law constitute violations of the administration of public security, a public security administration punishment is given in accordance with law.

The specific types of penalties are detailed in the figure below:

[Figure image: specific types of penalties]

In terms of criminal liability, the Personal Information Protection Law clearly stipulates that where an APP's infringement of users' personal information constitutes a crime, criminal liability shall be pursued according to law.

According to Article 253-1 of the Criminal Law [Crime of infringing on citizens' personal information], whoever, in violation of relevant state provisions, sells or provides citizens' personal information to others shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and shall also, or solely, be fined;

Whoever, in violation of relevant state provisions, sells or provides to others citizens' personal information obtained in the course of performing duties or providing services shall be given a heavier punishment in accordance with the provisions of the preceding paragraph; whoever steals or otherwise illegally obtains citizens' personal information shall be punished in accordance with the provisions of the first paragraph; where a unit commits the crimes mentioned in the preceding three paragraphs, the unit shall be fined, and the directly responsible managers and other directly responsible personnel shall be punished in accordance with the provisions of the respective paragraph.

In the information age, data is king. At a time when China's Internet economy is booming, APP enterprises face opportunities and crises side by side. The analysis of the above rectification notices also shows that violations by APP enterprises are relatively serious. In this regard, Zhoutai lawyers put forward the following specific compliance suggestions covering three stages: before, during and after the event.

First of all, APP enterprises should fully grasp the relevant laws and regulations, identify and prevent risks in advance, and understand all the compliance risks they may face.

With the development of the times, China's laws and regulations on data protection have become increasingly complete, and a relatively complete legal system for personal information protection has taken shape. APP enterprises should fully grasp the relevant laws and regulations, understand the compliance risk points that may arise in the operation of the APP, and keep a close watch on new documents released by the relevant departments in the field of information protection.

The main normative documents involved in the operation of the APP are as follows:

Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Online Information (2012.12.28), Cybersecurity Law (2016.11.07), Personal Information Security Specifications (Draft for Solicitation of Comments) (2019.10.22), Methods for Determining the Unlawful Collection and Use of Personal Information by APP (2019.11.28), Guidelines for Self-Assessment of App Illegal Collection and Use of Personal Information (Draft for Solicitation of Comments) (2020.03.19), the Civil Code (Personality Rights and Tort Liability) (2020.05.28), Provisions on the Scope of Personal Information Necessary for Common Types of Mobile Internet Applications (Draft for Solicitation of Comments) (2020.12.1), Data Security Law (2021.06.10), Personal Information Protection Law (2021.08.20), and Guidelines for the Classification and Grading of Internet Platforms (Draft for Comment) (2021.10.19).

Where there are doubts about how to interpret the above or other documents, it is recommended to consult professional lawyers in this field.


Mastery of the laws and regulations governing APPs should not be confined to the enterprise's legal department but should be required of all employees of the APP enterprise. Moreover, compliance training should be tailored to different audiences to improve its relevance, so as to raise the awareness of compliance risks in APP operation across the enterprise and make the training practically useful.

APP enterprises should establish a full-process compliance monitoring system, that is, focus on controlling the three key stages of APP user registration, use and account cancellation. In particular, compliance supervision should be strengthened in a targeted manner for the many types of violations that the Ministry of Industry and Information Technology has reported.

In view of the possible civil, administrative and criminal liabilities, APP enterprises should prepare contingency plans in advance and propose targeted solutions for the different compliance risks.

First, for civil liability, APP enterprises should immediately stop the infringement of users' personal information, keep losses to a minimum, and reach a settlement with the individuals concerned wherever possible.

Second, for administrative liability: because administrative punishment is usually applied progressively, enterprises should promptly rectify the problems identified by the administrative organ in the first instance, so as to avoid harsher penalties for refusing to make corrections.

Third, for criminal liability, APP enterprises should strive for a compliance-based non-prosecution decision from the procuratorate. In line with the Supreme People's Procuratorate's pilot work on non-prosecution over the past two years and the April 2021 "Work Plan on Carrying Out the Pilot Work Plan for Enterprise Compliance Reform", an APP enterprise may admit guilt and accept punishment, voluntarily undergo compliance reform, and, after its compliance rectification passes acceptance, strive for a decision not to prosecute or for a sentencing recommendation of lenient punishment, thereby minimizing the adverse impact.

In recent years, as the state has placed greater emphasis on personal information protection, law enforcement departments have gradually strengthened their supervision of APPs. APP enterprises should comprehensively review and focus on information compliance issues in order to support their long-term development.

(Author: Cao Li, Senior Consultant of Beijing Zhoutai Law Firm, and Cao Li, Intern)
