Beijing's new privacy rules ban apps collecting unnecessary data, require free service without data slurps

Rules are tight, but also leave plenty to the imagination

China has set new rules that spell out data that local app-makers can collect and store, but won't sanction apps that go beyond the permitted data collection regime.

The notice outlining the new rules was signed on 12 March by four administrative offices and issued on a government website last week. The rules come into effect on May 1.

The principle underpinning the rules mirrors China's network security law, which insists that network operators collect only personal information relevant to the services they provide.

The data that apps are allowed to require is therefore restricted to items the app needs to offer its basic functions. Games, educational apps, tools to sell second-hand goods and women's health apps are therefore restricted to requiring a phone number.

Many apps must also provide basic functions without any data being harvested. Women’s health apps, webcasting, online audio and video playing, news, sport and fitness, online browsers, basic testing, online security and malware, e-books, beautifying photo filters and similar, app store search and download, and phone utilities all fall under that rule.

The published document does not, however, offer a definition of "basic functioning", which leaves plenty of scope for apps to collect data.

And Chinese apps are known to collect plenty: a recent analysis of Douyin, the Chinese version of TikTok, found it collects plenty of data, shares it with third parties, and also includes automated censorship tools. The version of TikTok offered outside China was also famously-but-ineffectually banned by the Trump administration over data collection policies that were branded a national security threat.


Chinese companies were also recently cut out of the loop by big-in-Asia messaging app LINE, over privacy fears.

And of course China conducts pervasive surveillance of citizens' online activities, so even if apps don't snoop there's a decent chance government agencies do.

Below is a detailed list of data collection China permits for various types of app.

  • Navigational map: location, place of departure and arrival.
  • Taxi rides: mobile number, departure, arrival, location tracking, payment information such as time, amount and channel.
  • Instant messaging with text, pictures, voice, video etc: mobile number, account information such as number and contact list.
  • Withdrawal and transfer of money, and other payments: mobile phone, name, ID type and number, ID expiration, and bank card number.
  • Purchase of goods: mobile number, name, address, contact number, payment details including time, amount and channel.
  • Food and beverage delivery: mobile number, name, address, contact number, payment details including time, amount and channel.
  • Mail delivery such as letters, parcels, printed materials: sender’s name, ID and ID number, address and telephone; recipient’s name, address, contact number; the item’s name, nature and quantity.
  • Travel booking: mobile number, passenger name, ID type and number, details of passenger type (child, adult, student, senior etc), details about the trip including departure location and time, destination location, vessel number, seat number, class of travel, vehicle license plate and color. Payment details including time, payment amount, and channels.
  • Dating and marriage: mobile phone number, sex, age and marital status.
  • Job search: mobile number and resumes.
  • Personal loan application services and other lending: mobile number, borrower’s name, ID type and number, ID expiration date, and bank card number.
  • Housing rental and sales: mobile phone number, house address, area/household type, and expected price.
  • Used car sales: mobile phone, buyer’s name, buyer’s ID type and number, name of seller, seller’s ID type and number, vehicle’s license plate and VIN.
  • Medical appointment: mobile phone number, patient’s name, ID type and number, hospital and department, condition description.
  • Tourism: mobile phone, traveler’s name, ID type and number, contact information, destination, and travel time.
  • Hotel reservations: mobile phone, name and contact information of the person staying, check-in and check-out time, hotel name.
  • Bike and car shares and rentals: mobile phone, ID type and number, driving documents of users, payment details like time, amount and channels, vehicle’s location.
  • Investment and financial management: mobile phone number, name, ID type and number, ID expiration, ID photocopy, bank account information like bank card and payment account number.
  • Mobile banking: mobile phone, payer’s name, ID type and number, ID expiration, ID photocopy, bank card number, bank reserved mobile phone number; payee’s bank card number and other details vital for money transfer.
  • Entertainment tickets: mobile phone, seat number, payment information like time, amount and channel.


Biting the hand that feeds IT © 1998–2022