One hundred and five apps were publicly notified for illegally collecting and using personal information

How to strengthen App personal information protection

  Our reporter Zhao Chenxi

  People who like to attend concerts are no strangers to the Damai App. Recently, this "ticketing expert" was removed from the shelves for infringing user rights: illegally collecting personal information and making forced, frequent, and excessive requests for permissions.

  On May 21, the Cyberspace Administration of China notified 105 apps that illegally collect and use personal information.

The notification requires the relevant App operators to complete rectification of the problems found in the inspection within 15 working days from the date of its publication.

  In order to strengthen the protection of personal information in mobile Internet applications (Apps) and to standardize personal information processing activities in apps, the Ministry of Industry and Information Technology, under the overall guidance of the Cyberspace Administration of China and together with the Ministry of Public Security and the State Administration for Market Regulation, drafted the "Interim Provisions on the Management of Personal Information Protection in Mobile Internet Applications (Draft for Comments)" and opened it for public comment.

  The draft has a total of 20 articles. It defines the scope of application and the subjects of supervision; establishes the two important principles of "informed consent" and "minimal necessity"; details the responsibilities and obligations of five types of entities, namely App developers and operators, distribution platforms, third-party service providers, terminal manufacturers, and network access service providers; and proposes four regulatory requirements covering complaints and reports, supervision and inspection, handling measures, and risk warnings.

  Zhao Zhanling, a special researcher at the E-commerce Research Center of Net Economics, told a reporter from the Rule of Law Daily that the collection of personal information by apps is a long-standing problem, and that many laws and regulations already touch on it. The draft for comments is a special regulation aimed specifically at the handling of personal information by apps. It turns the mature practices and management measures of recent years into an institutional normative document, and comprehensively strengthens the management of personal information protection in apps across the entire chain, all responsible parties, and the entire process.

Clarifying the principles of "informed consent" and "minimal necessity"

  Whether to allow access to the photo album, whether to allow access to the address book, whether to allow location services... Nowadays, when using an app, people seem to have grown accustomed to these "default" authorization requests from platforms. After all, if you click close or reject, you may be unable to use the service normally, or the App may even crash outright.

Some apps go further and "thoughtfully" pre-tick the default options for the user, easily obtaining all kinds of personal information under the guise of convenience.

  According to Zhang Tao, a partner at Beijing DeHeng Law Firm, the helpless "acquiescence" of users shows precisely that apps have many problems in handling users' personal information.

  It is reasonable for an App to collect necessary personal information in order to provide users with related services, on legal premises such as informing users and obtaining their consent. However, some current App operators engage in "over-collection" and "excessive permission requests", and, without user consent, in the "illegal acquisition" and even "illegal sale" of users' personal information.

  Zhao Zhanling has handled many cases of apps illegally collecting users' personal information. He has found two common ways in which the rules are violated: first, the personal information collected is not necessarily related to the service being provided, that is, it is collected beyond the necessary scope; second, if the user does not agree to the App's request to collect personal information, the App refuses to provide the related products or services, thereby forcing the user to consent to the collection.

  In response to these issues, the draft for comments makes clear that those engaged in App personal information processing activities should follow the two important principles of "informed consent" and "minimal necessity". At the same time, the draft specifically points out that user consent should be obtained through non-default (opt-in) selection methods.

  "Informed consent" requires that, in the App's personal information processing activities, the user be informed of the personal information processing rules in clear and easy-to-understand language, and that the user make a voluntary and explicit expression of intent with full knowledge. "Minimal necessity" requires that those engaged in App personal information processing activities have a clear and reasonable purpose, follow the principle of minimum necessity, and not engage in personal information processing activities beyond the scope of user consent or irrelevant to the service scenario.

Broad in scope, strict in punishment

  Zhao Zhanling's first impression of the draft for comments is that it is broad in scope and strict in punishment.

  "Broadness" is embodied in the clarification and refinement of the responsibilities and obligations of all parties involved in the App.

This means that all parties, including App developers, distribution platforms, third-party service providers, mobile smart terminal manufacturers, and network access service providers, are counted among those responsible for personal information protection.

  "Strictness" is reflected in the detailed procedures and specific measures for handling violations. The draft makes clear that relevant entities that violate the requirements in personal information processing activities will be dealt with in the order of notification for rectification, public announcement, removal from the shelves, disconnection, and credit management, and it specifies time limits for each.

  The draft for comments specifically proposes that apps with serious violations, such as failing to complete rectification as required, recurring problems, or technical countermeasures against inspection, will be removed directly, and that an app removed from the shelves shall not be re-listed through any channel within 40 working days.

  According to Ouyang Rihui, deputy dean of the China Internet Economics Research Institute at the Central University of Finance and Economics, the reason some App platforms act "unscrupulously" is that the cost of violations is too low, especially for small and medium-sized platforms that have not yet built a reputation and are therefore less constrained.

  In the draft for comments, the stipulation that "corresponding violators may be included in credit management and subjected to joint disciplinary action" caught Ouyang Rihui's attention. He believes this provision will have a strong deterrent effect on violators: once violators are placed under credit management, joint punishments should be imposed on them, and prohibiting market access should also be considered.

  For "repeat offenders", the draft for comments provides the heaviest penalty available.

Article 17 of the draft for comments stipulates that, for apps with recurring problems and for other apps developed by the same developers and operators, the supervision and management department may guide and organize App distribution platforms and mobile smart terminal manufacturers to issue risk prompts at the integration, distribution, pre-installation, installation and other stages, and may take prohibition measures if the circumstances are serious.

Strict regulation of apps providing personal information to third parties

  Personal information leakage is a key factor in the success of fraud, and apps are a major source of such leakage.

  Zhang Tao noted that while the draft for comments regulates the App's own use of personal information, it also strictly regulates the provision of personal information by the App to outside parties.

  Article 6 of the draft for comments stipulates that if personal information needs to be provided to a third party other than the App itself, the user shall be informed of the third party's identity information, contact information, processing purpose, processing method, and the types of personal information involved, among other matters, and the user's consent shall be obtained.

  Existing laws and regulations, by comparison, contain no clear requirement that an App inform users of the identity information and contact information of third parties.

For example, Article 42 of the Cyber Security Law stipulates only that network operators must not provide personal information to others without the consent of the person from whom it was collected.

  "The draft for comments makes more detailed provisions on this, which fully protects users' right to know," Zhang Tao said.

  However, in the view of Liu Xinyu, a partner at Zhong Lun Law Firm, the feasibility of this provision still needs to be examined.

In practice, many apps provide personal information to a large number of third parties, and these third parties are not static; some of them change frequently. All of these factors make it harder to inform users of third parties' identity information and contact information.

Alignment with the Personal Information Protection Law

  Whether through the Cyber Security Law or the E-commerce Law, China has in recent years continued to strengthen the protection of personal information on the Internet.

For the collection and use of personal information by apps alone, several regulations have been issued in the past two years.

  Moreover, the draft Personal Information Protection Law, which bears even more directly on the protection of personal information, is also under review.

  Zhang Tao noted that many provisions in the draft for comments echo the draft Personal Information Protection Law.

For example, the term "sensitive personal information" first appeared in Article 29 of the draft Personal Information Protection Law. Article 6 of the draft for comments requires that the handling of sensitive personal information be separately notified and separately consented to, which is consistent with the provisions of the draft law and with its enumeration of what counts as sensitive personal information.

  In addition, the relevant content of the draft for comments is basically consistent with the draft Personal Information Protection Law in legislative spirit and principles, including the "informed consent principle" and the "minimal necessity principle".

  In Zhang Tao's view, Article 2 of the draft for comments, which states that "where laws and administrative regulations provide otherwise on personal information processing activities, those provisions shall apply," reserves sufficient and necessary room for the future alignment of the draft for comments with the Personal Information Protection Law.