On June 28, 2016, the Cyberspace Administration of China (CAC) issued Administrative Rules on Information Services via Mobile Internet Applications (the Apps Rules). With the largest number of mobile Internet users in the world, China is estimated to host more than 4 million mobile apps. Mobile apps are widely used by businesses for marketing promotions and for online sale of goods and services.
However, problems with illegal or improper use of mobile apps have emerged – for example, the use of mobile apps for terrorism or for pornography. The purpose of the Apps Rules is to increase regulatory control over mobile apps by imposing certain verification obligations on apps providers and apps store operators. The Apps Rules become effective on August 1, 2016.
New Obligations Under the Apps Rules
Identity verification and real-name registration
Under the Apps Rules, apps providers and apps store operators have new verification obligations. Apps providers will be required to verify their users’ identification by way of a mobile number or by other means. While apps users can still use a public alias, their real names must now be registered with the relevant apps provider, which must keep users’ activity logs for at least 60 days.
Apps store operators will be required to conduct authentication verification of apps providers and must check on the security and legal compliance of apps. Apps store operators will also be required to file a registration with local CAC authority at provincial level before they can start any apps store business. Apps store operators are required to supervise the apps providers to protect users’ information.
A key focus of the Apps Rules is the protection of personal data. The Apps Rules provide that apps providers must comply with the principles of legality, appropriateness and necessity in collecting and using personal data. Apps providers will be required to give notice to apps users about the purpose, means and scope within which personal data will be collected and used, and consent from users will be required before apps providers can collect such personal data.
Where an apps provider wishes to have access to a user’s geographic location, contacts list, recorded video and audio, or wishes to activate unnecessary services or to bundle unnecessary functions, the apps provider will need to seek the express consent from the apps user in order to do so.
Protection of intellectual property (IP) rights
The Apps Rules emphasise the protection of IP rights of apps providers and others. Under the Apps Rules, apps providers shall not develop and publish apps which pirate rivals' products or infringe IP rights of others. Apps store operators will be required to protect the IP rights of apps providers and to supervise the publication of apps.
Liability for failing to comply
The Apps Rules require apps providers to sign an agreement with apps store operators, with a view to allocating respective rights and obligations between them. If an apps provider fails to comply with the requirements under the Apps Rules, the relevant apps store operator may issue warnings, suspend release of relevant apps or remove them from the store. The Apps Rules envisage that the CAC, as regulator, will set up a whistle-blowing system so that the public can report any irregularities to the authorities.
The implementation of the Apps Rules will have significant implications for businesses which are using or intending to use mobile apps for their businesses in China. Such businesses will now need to review their operational practices in order to ensure compliance with the new obligations imposed by the Apps Rules.
For example, apps providers may need to revise and update their apps so that they can verify the identity of users and record users’ activities for a minimum period of 60 days (if this has not been done under their current operational practices).
In addition, with roll-out of the new real name registration scheme, a vast amount of personal data will be handled by apps providers and apps store operators. Each of them will be required to comply with the requirements laid down in the Apps Rules and in other applicable Chinese data rules in the collection and use of personal data. Apps providers and apps store operators must now review their personal data policies to see whether any necessary changes have to be made in order to comply with the new law.
The issuance of the Apps Rules appears to be consistent with China’s increased regulatory focus in favour of a safer cyber environment. Several days before the promulgation of the Apps Rules, a new regulation on Internet information search services was passed to tighten oversight over search engines and the draft Law was submitted to China’s top legislature for a second review. We expect that the final draft of the Cybersecurity Law will be issued later this year. We will continue to keep close watch over regulatory developments in China and will provide an update as developments occur.