Nandu report: Less than 40% of applications implement the right to portability, and some customer service staff do not know what a copy of personal information is

Personal information that can be copied and transferred, special rules for minors, the rights of the deceased: these data rules, designed to respond to societal concerns, appear in the Personal Information Protection Act ("Individual Protection Act"), which came into effect in November. More than a month has passed; how are companies doing on compliance?

On December 17, the Personal Information Protection Research Center of Southern Metropolis Daily held the "2021 Woodpecker Data Governance Forum" in Beijing and released the "Annual Report on Personal Information Security (2021)" (hereinafter referred to as the "Report").

The report shows that of the 150 apps tested from ten industries, the number of apps with "high" privacy policy transparency is zero, but the score gap between apps has become significantly smaller than in previous years. In terms of implementing the right to personal information portability, less than 40% of apps promise to provide copies of personal information, and only 10% say that they provide transfer channels.

1

No app has high transparency, and only 5 apps disclose non-SDK third parties

Since 2017, the Nandu Personal Information Protection Research Center has released a privacy policy transparency assessment for five consecutive years, and the evaluation standards have been continuously revised in accordance with laws and regulations. The more transparent the Privacy Policy, the clearer and more comprehensive the description of how a business collects, uses, stores, and protects personal information.

This year's report selects a total of 150 apps from the top ten industries as evaluation samples, with five apps each taken from the head, middle and tail of each industry. The evaluation results show that Zhihu and Dingdang Fast Medicine ranked first with 89 points, while Kuaishou and Ctrip ranked second, two points behind. 27 apps received a failing score. The average scores of the various industries do not differ much.

Top-ranked apps and their scores

It is worth noting that the number of apps with high transparency is zero. According to the report's analysis, this is because the latest version of most apps' privacy policies has not yet implemented the innovative provisions of the Individual Protection Law, so more points were lost. For example, only 40 apps provide dedicated privacy policies for minors, and fewer than 10 apps mention the rights of the deceased.

On the same day that the Individual Protection Law came into effect, the Ministry of Industry and Information Technology issued the Notice on Carrying Out Actions to Improve the Perception of Information and Communication Services, proposing that before the end of December this year, relevant Internet enterprises should establish a "double list" of personal information protection - "list of collected personal information" and "list of personal information shared with third parties".

According to the results of the evaluation, 135 out of 150 apps list embedded third-party SDKs (software development kits) and disclose their names, purposes of processing, types of personal information and links. However, the report holds that third-party SDKs are not the only parties with which apps share users' personal information; these also include advertisers and their agencies, affiliates, authorized partners, etc. Only five apps, such as "Zhihu" and "Vipshop", disclosed some of the above information; the Vipshop App, for example, lists carriers, payments, advertisers, media and other third parties.

Despite the problems of unclear privacy policy information, plagiarism, and large gaps in the scores of the head and tail apps, the average score this year still reached 70.1 points, which is almost the same as in 2019 when the evaluation standards are more stringent. This means that the transparency of the app's privacy policy has been significantly improved.

2

Customer service at many apps said they did not know what a copy of personal information was

According to Article 45 of the Individual Protection Law, individuals have the right to consult and copy their personal information from personal information processors, and also have the right to request the transfer of personal information to the personal information processor designated by them. Following the EU's General Data Protection Regulation, the report refers to this as the "right to portability".

The report found that apps typically provide copies of personal information and promise portability. Of the 150 apps, 57 specify that users can request copies of their personal information, accounting for 38%. However, as of the end of the evaluation, copies of personal information had been received from only 14 apps.

As for the content of the few copies of personal information received, the vast majority consist of user-provided information and device information, such as user ID, nickname, registered mobile phone number, registration time, etc. In addition, many apps' promises exist "in name only": "Homework Help", for example, lists a variety of contact methods for users to obtain copies of personal information, but none of them replied.

As for what a copy of personal information is, the understanding of each app's customer service differs. For example, Xueersi Online School and Zebra App said that the way to obtain a copy of personal information is for users to "take a screenshot" themselves. Customer service staff at many apps also said bluntly, "I don't know what a copy of personal information is".

Some apps have set up authentication thresholds that require users to provide information beyond the personal information provided during registration. For example, the Dingdang Fast Medicine App requires users to submit mobile phone business hall payment vouchers and hand-held ID card photos and, for a transfer of personal information, the recipient's personal information certificate, materials certifying the recipient's willingness to receive the personal information, and the receiving method.

The report pointed out that only 15 of the 150 apps promised to provide personal information transfer services, and these basically required users to provide information such as the receiving method and interface of the other app. However, none of the apps explicitly tells users how to obtain this information. According to the report, this further increases the difficulty for users of exercising their right to portability.

3

All app stores lose points on the privacy policy link

In January this year, the Ministry of Industry and Information Technology named the five major app store platforms, Tencent App Treasure, Xiaomi App Store, Pea Pod, OPPO Software Store, and Huawei App Market Field, over their primary responsibility for management. In April, the Ministry of Industry and Information Technology (MIIT) issued the Interim Provisions on the Administration of Personal Information Protection of Mobile Internet Applications (Draft for Solicitation of Comments), which clarifies the eight major personal information protection obligations of software service platforms such as app stores that provide App download and upgrade services.

The report evaluates the audit mechanisms of ten common app stores: OPPO Software Store, Huawei App Market, 360 Mobile Assistant, Xiaomi App Store, Vivo App Store, Tencent App Bao, Baidu Mobile Assistant, PP Assistant, Pea Pod, and Samsung App Store.

The evaluation results show that OPPO Software Store, Huawei Application Market, and 360 Mobile Assistant ranked in the top three with 82.4, 79.1, and 70 points respectively, while PP Assistant, Samsung App Store, and Pea Pod received failing scores. The overall average score is less than 60.

Store audit mechanism score

It is worth noting that there are two common areas where points were lost in the evaluation of the app store audit mechanisms. First, the 10 app stores tested all had privacy policy link problems, including not providing privacy policy links, privacy policy links that could not be opened, and privacy policy versions that were inconsistent with the app.

For example, the OPPO software store has seven app display pages without privacy policy links, including many well-known apps such as Youjian and Huayitong; in the vivo app store, the privacy policy link on the Ctrip Travel App display page is a privacy design document, not a privacy policy; and the privacy policy of nine apps in the Xiaomi app store is inconsistent with the in-app version.

It is worth noting that when the vast majority of app stores display the list of permissions that the app will obtain, they usually use a default expression such as "allow the app...". Only the permission details page of the Xiaomi App Store allows app developers to change the stated purpose of permission acquisition.

For example, the Dolphin Discount - Shopping Rebate Platform App has modified, on its app store display page, the stated purposes of four permissions: location, mobile phone information, camera, and recording. Location is obtained to "locate the city and let users buy movie tickets", mobile phone information to "prevent illegal elements from using software to violate laws and regulations", the camera to "contact customer service and upload pictures", and recording to "contact customer service and upload recordings".

Dolphin Offer - Shopping Rebate Platform App Screenshot

The report holds that the permission description provided by the system by default is meant for most apps, is usually a general description, and cannot accurately reflect each app's purpose in requesting the permission. Allowing app developers to modify it makes it clearer to users why the app needs the permission, which helps protect the user's right to know.

Producer: Nandu Personal Information Protection Research Group

Written by: Fan Wenyang, trainee reporter of Nandu, and Sun Chao
