China has set new rules that spell out data that local app-makers can collect and store, but won't sanction apps that go beyond the permitted data collection regime.
The notice outlining the new rules was signed on 12 March by four administrative offices and issued on a government website last week. The rules come into effect on May 1.
The principle underpinning the rules mirrors China's network security law, which insists that network operators collect only personal information relevant to the services they provide.
The data that apps are allowed to require is therefore restricted to items the app needs to offer its basic functions. Games, educational apps, tools to sell second-hand goods and women's health apps are therefore restricted to requiring a phone number.
Many apps must also provide basic functions without any data being harvested. Women’s health apps, webcasting, online audio and video playing, news, sport and fitness, online browsers, basic testing, malware and online security and malware, e-books, beautifying photo filters and similar, app store search and download, and phone utilities, all fall under that rule.
The published document does not, however, offer a definition of "basic functioning", which leaves plenty of scope for apps to collect data.
And Chinese apps are known to collect plenty: a recent analysis of Douyin, the Chinese version of TikTok, found it collects plenty of data, shares it with third parties, and also includes automated censorship tools. The version of TikTok offered outside China was also famously-but-ineffectually banned by the Trump administration over data collection policies that were branded a national security threat.
Biden administration pauses pursuit of TikTok and WeChatREAD MORE
Chinese companies were also recently cut out of the loop by big-in-Asia messaging app LINE, over privacy fears.
And of course China conducts pervasive surveillance of citizens' online activities, so even if apps don't snoop there's a decent chance government agencies do.
Below is a detailed list of data collection China permits for various types of app.
- Navigational map: location, place of departure and arrival.
- Taxi rides: mobile number, departure, arrival, location tracking, payment information such as time, amount and channel.
- Instant messaging with text, pictures, voice, video etc: mobile number, account information such as number and contact list.
- Withdrawal and transfer of money, and other payments: mobile phone, name, ID type and number, ID expiration, and bank card number
- Purchase of goods: mobile number, name, address, contact number, payment details including time, amount and channel.
- Food and beverage delivery: mobile number, name, address, contact number, payment details including time, amount and channel.
- Mail delivery such as letters, parcels printed materials: sender’s name, ID and ID number, address and telephone; recipients name, address, contact number; the items name, nature and quantity.
- Travel booking: mobile number, passenger name, ID type and number, details of passenger type (child, adult, student, senior etc), details about the trip including departure location and time, destination location, vessel number, seat number, class of travel, vehicle license plate and color. Payment details including time, payment amount, and channels.
- Dating and marriage: mobile phone number, sex, age and marital status.
- Job search: mobile number and resumes.
- Personal loan application services and other lending: mobile number, borrower’s name, ID type and number, ID expiration date, and bank card number.
- Housing rental and sales: mobile phone number, house address, area/household type, and expected price.
- Used car sales: mobile phone, buyers name, buyer’s ID type and number, name of seller, seller’s ID type and number, vehicle’s license plate and VIN.
- Medical appointment: mobile phone number, patient’s name, ID type and number, hospital and department, condition description.
- Tourism: mobile phone, traveler’s name, ID type and number, contact information, destination, and travel time.
- Hotel reservations: mobile phone, name and contact information of the person staying, check-in and check-out time, hotel name.
- Bike and car shares and rentals: mobile phone, ID type and number, driving documents of users, payment details like time, amount and channels, vehicle’s location.
- Investment and financial management: mobile phone number, name, ID type and number, ID expiration, ID photocopy, bank account information like bank card and payment account number.
- Mobile banking: mobile phone, payer’s name, ID type and number, ID expiration, ID photocopy, bank card number, bank reserved mobile phone number; payee’s bank card number and other details vital for money transfer.
- Entertainment tickets: mobile phone, seat number, payment information like time, amount and channel.