Data privacy: China defines for the first time ‘necessary’ information that apps can collect, closing ‘bundled consent’ loophole

Users of live-streaming, short video, news, browser and utility apps can access basic services on these platforms without providing personal information

The new rules come as China seeks to expand the internet industry’s role in economic growth, while providing more protection for consumers’ personal data

Reading Time:3 minutes

Commuters browse their smartphones as they walk by a mobile phone app advertisement at a subway station in Beijing. Photo: AP

Published: 10:00pm, 22 Mar 2021Updated: 11:23pm, 22 Mar 2021

The Chinese government has issued new rules that define for the first time the “necessary” personal information that mobile apps can obtain from their users, as Beijing intensifies its campaign against unauthorised data collection by Big Tech to further control the country’s digital economy.

Apps can collect necessary personal information from users that allows them to access basic functions and services, while users can decline to provide data outside what is deemed necessary and continue to use certain apps without obstruction, according to the new rules jointly released on Monday by agencies that include the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Public Security Bureau (PSB) and the State Administration for Market Regulation (SAMR).

The regulation on necessary personal information for common types of mobile internet applications, which will take effect on May 1, also covers the basic functions and services for 39 app categories, including messaging, online shopping, payments, ride hailing, short video, live stream and mobile games.

The rules are needed at this time because the personal information users needed to provide to access apps has long been very vague, according to James Gong, who advises clients about the technology, media and telecommunications sectors at global law firm Herbert Smith Freehills. He said some app operators have previously exploited that loophole by requiring users to give a “bundled consent” for processing their personal information.

The necessary personal information for online shopping and food delivery apps, for example, includes a registered user’s phone number, a consignee’s name or username, address and contact number, and payment information.

For ride-hailing apps, the needed data covers a user’s phone number, departure point and destination, location and whereabouts, and payment information including the time, amount and method.