laitimes

New standard for personal information collection: Biometric information in photo albums should not be analyzed without separate consent

When apps collect users' personal information, problems such as excessive collection, denying service unless authorization is granted, and repeated permission requests have existed for a long time. The standard "Information Security Technology: Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps)" (hereinafter referred to as the "Requirements") responds to these problems. It refines the principle of minimum necessity, the definition of necessary personal information, and the rules for notification and consent.

The "Requirements" were issued by the State Administration for Market Regulation and the Standardization Administration of the People's Republic of China. They propose that where a function genuinely has to be implemented through system permissions, only the specific photos selected by the user should be read; without the user's separate consent, biometric information in the photos and videos in the album should not be analyzed and extracted, or used to analyze and mine the user's specific identity, hobbies, health status, etc.

Only specific photos selected by the user should be read

On April 15, the recommended national standard "Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps)" was approved and released.

It is understood that this document stipulates the basic requirements for app collection of personal information in accordance with the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and other laws and regulations, and gives the scope of necessary personal information and the usage requirements for common service types of apps. It was drafted by 34 organizations, including the China Electronics Technology Standardization Institute, the Beijing Institute of Technology, and the China Network Security Review Technology and Certification Center.

For app collection of personal information, the Requirements set out detailed requirements on the minimum necessary principle, necessary personal information, specific types of personal information, notification and consent, refusal or withdrawal of consent, system permissions, and third-party collection and management.

Among the specific types of personal information, the Requirements cover the collection of application lists, photo album information, etc.

Through an application programming interface (API), an app may access the list of applications that are running or installed on the end device to obtain the application name, package name, file path, installation information, etc.

The "Requirements" proposes that an app collecting the application list should clearly state the purpose and necessity of processing the list in its personal information protection policy. It should not collect the application list by default, and should inform the user of the purpose and obtain the user's consent only at the point when the user uses the relevant business function. If the aim is only to determine whether a specific app is installed, the check should be processed on the mobile smart terminal. Where the application list is used for user profiling, targeted push and similar activities, the user should be informed by means of enhanced notification or an instant prompt, and the user's express consent should be obtained.

The protection of personal information in photo albums is also a focus of attention. In October last year, the news that "WeChat/QQ/Taobao and other apps repeatedly read user albums in the background" attracted attention. Subsequently, WeChat responded that the function was intended to let users send pictures quickly, was completed only locally on the phone, and promised to remove the function in the latest version.

The "Requirements" proposes that when users use functions such as previewing, uploading, and sharing specific photos (not all photos), it is advisable to let the user select photos independently without opening the system permission. If the function genuinely has to be implemented through system permissions, only the specific photos selected by the user should be read. Before collecting the shooting location information contained in photos, the app should prompt the user and obtain the user's consent.

It is worth noting that the "Requirements" also proposes that without the user's separate consent, biometric information in the photos and videos in the album should not be analyzed and extracted, or used to analyze and mine the user's specific identity, hobbies, health status, etc. If there is a function for automatic cloud backup of photos or cloud recognition of photos, the user should be informed of the purpose, method, scope, frequency, etc. of the backup or recognition, the user's consent should be obtained, and a way to stop automatic backup should be provided.

"Non-essential but associated personal information" cannot be compulsorily collected

On May 1 last year, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation jointly issued the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, which stipulates the scope of necessary personal information for 39 common types of apps such as online shopping, online payment, and instant messaging, and emphasizes that apps must not refuse to let users use their basic functional services because users do not agree to provide non-essential personal information.

After the above provisions were announced, the scope of personal information necessary for apps has become the focus of discussion and attention of many Internet companies.

In this regard, the Requirements divide App functions into basic business functions and extended business functions. When the app type falls within the above common service types stipulated by the Cyberspace Administration of China, the use of necessary personal information shall comply with its requirements.

When the app type does not belong to the common service types specified by the Cyberspace Administration of China, the basic business functions of the App are the business functions that realize the main purpose for which the user uses it, and the extended business functions are the business functions the App provides other than the basic business functions.

For example, if the map navigation App also provides online shopping and online ride-hailing services, the business functions of online shopping and online ride-hailing services are extended business functions.

The personal information collected by the app's extended business functions and the personal information that can be optionally collected by the app's basic business functions constitute "non-essential but associated personal information."

"Non-essential but associated personal information may also be collected, but it should be selected and rejected by the user, and cannot be forcibly collected," Zhou Chenwei and Hu Ying, who participated in the drafting of the above-mentioned "Requirements", wrote in an interpretation article.

What kind of personal information cannot be collected even if the user agrees or voluntarily provides it? The above interpretation article said that even if the user might agree or might provide it, the platform should not collect personal information unrelated to the services it provides, or in any way seek the user's consent to collect it.

In addition, on notification and consent, the Requirements stipulate that an app collecting personal information should clearly indicate to the user its basic business functions, its extended business functions and the scope of necessary personal information, and make a clear distinction between necessary and non-essential personal information; consent for necessary personal information and consent for non-essential personal information should be split; and the user should be provided with a way to query the types of personal information that have been collected, displayed through an independent interface in the App, etc.

When a user refuses or withdraws consent to an App's collection of personal information, permission request, or use of a business function, the App shall not frequently request authorization in a way that interferes with the user's normal use, unless the user actively triggers the business function and that function cannot be realized without the personal information or permission involved.

Specifically, "frequent" includes, but is not limited to, prompting the user with a pop-up window to grant the permission more than once within 48 hours after the user refuses authorization, and asking the user for authorization again, or prompting that the relevant authorization is missing, whenever the user reopens the App or uses unrelated business functions.

Synthesis: Nandu reporter Sun Chao