
2025/10/20 08:36:37 | technology

Recently, in order to consolidate the effectiveness of governance and create a good environment for jointly safeguarding consumer rights and interests, the Ministry of Industry and Information Technology launched a "look back" to rectify mobile Internet applications (Apps) that infringe on user rights. It organized third-party testing agencies to conduct focused spot tests on issues such as illegal push pop-up information and excessive requests for permissions by Apps. A total of 38 Apps were found to have problems. The problems include frequent self-starting and associated startup, illegal push pop-up information, deceiving and misleading users into providing personal information, illegal collection of personal information, forcing users to use targeted push functions, collection of personal information beyond the stated scope, deceiving, misleading and coercing users, insufficient explicit information about Apps on the application distribution platform, and forced, frequent and excessive requests for permissions by Apps. Among those listed are Yingke live broadcast and Lilac doctor, whose problem is the App's forced, frequent and excessive requests for permissions.


As smartphones have become an indispensable part of people's lives, Apps have penetrated every corner of daily life, from news browsing, entertainment and communication to mobile payment. At the same time, in order to protect consumer rights and interests, the demand for App supervision is also increasing.

On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China jointly issued the "Announcement on Carrying out App Security Certification Work." The announcement clearly stated that in order to regulate the collection and use of user information, especially personal information, by Apps, and to strengthen the protection of personal information security, in accordance with the "Cybersecurity Law of the People's Republic of China" and the "Certification and Accreditation Regulations of the People's Republic of China", the State Administration for Market Regulation and the Central Cyberspace Administration decided to establish an App security certification system.

The role of App security certification is to regulate the market, guide companies to provide more reasonable products, safeguard consumer rights, and scientifically guide the rapid and steady development of the industry. In terms of certification value, corporate guidance, compliance points, legal responsibilities and so on, it is worthy of serious compliance and application by App operators.

The value of App security certification

Currently, China's App security certification is carried out by the China Cybersecurity Review Technology and Certification Center. Products that pass the evaluation must meet the requirements of "GB/T 35273-2020 Information Security Technology – Personal Information Security Specification" for the collection, transmission, storage, processing and use of personal information by Apps, which can fully protect the security of users' personal information.

The value of App security certification is reflected in the fact that the certification authority is credible and can achieve long-term control. First of all, carrying out App security certification provides a guarantee for maintaining user information security. The China Cybersecurity Review Technology and Certification Center follows the principle of voluntary application by App operators, and the certification agency evaluates the App's collection, storage, transmission, processing and use of personal information and other activities in accordance with relevant national standards. Once the requirements are met, a security certification certificate is issued and use of the certification mark is allowed.

Secondly, the implementation of the App security certification system can effectively control the App consumption and usage environment. During the security certification process, certification agencies impose strict requirements on App operators. App operators who violate relevant laws and regulations are not allowed to apply for certification; certified App operators should continue to conduct post-certification self-evaluations and cooperate with the certification agency's supervision activities; and if a certified App operator engages in improper behavior such as deception, concealment or breach of commitments during the certification process, the certification agency will suspend the certificate or even revoke the certification.

Finally, App security certification is binding and will actively promote the construction of industry integrity standards and promote the healthy development of the industry.

The role of App security certification for enterprises

The role of App security certification for enterprises is reflected in the following points:

First, obtaining the App security certification certificate indicates that the App complies with the requirements of "GB/T 35273-2020 Information Security Technology – Personal Information Security Specification". This gives the enterprise authoritative certification of its personal information protection compliance and demonstrates its determination and strength in protecting personal information data.

Second, during the certification implementation process, App operators can improve their data compliance capabilities by adopting appropriate technologies and measures, which can further standardize the App’s collection and use of personal information and help improve their personal information protection awareness and capabilities.

Third, certified App operators can display the App security certification certificate on their websites, in their workplaces and in promotional materials, and app stores will also clearly mark and give priority to recommending Apps that have passed certification. Today, when users are increasingly aware of personal information protection, certified Apps have a clear trust advantage among users compared to competing products.


App compliance points and suggestions

In order to help App operators better understand the compliance requirements for the collection and use of personal information, we have combined the problems discovered during actual inspections with current regulatory trends to put forward the following compliance suggestions:

First, App operators should clearly distinguish basic business functions from extended business functions. According to "GB/T 41391-2020 Basic Requirements for Collection of Personal Information by Mobile Internet Applications (Apps)", the App's service type is the service type of the business functions that achieve the user's main purpose of use. Service types are based on the 39 common service types given in the "Provisions on the Necessary Scope of Personal Information for Common Types of Mobile Internet Applications". If the App does not fall into one of these 39 common service types, the business functions that achieve the user's main purpose of use should be classified as the App's basic business functions.

Second, App operators should conduct an internal self-examination. Based on the App's service type, sort out the scope of personal information that needs to be collected and that is actually collected during the App's operation, and determine whether each item is personal information that must be collected. Personal information that is not necessary should be collected according to the following principles: collection cannot be forced, and basic business functions cannot be withheld if the user does not agree; after the user refuses, the user cannot be repeatedly asked for consent in a way that interferes with normal use; and the corresponding personal information should be collected only when the corresponding function is triggered, not in advance.

Third, improve the content and notification form of the privacy policy. The privacy policy should clearly inform users of the business scenarios and purposes for which the App collects and uses personal information, and appropriate enhanced methods (such as pop-up prompts) should be adopted to inform users; when the privacy policy is updated, appropriate methods should also be used to inform users.

Fourth, obtain the user's authorization and consent, following these requirements: no user information may be collected before the user agrees to the privacy policy; when collecting personal information, the rules for collection and use should be disclosed and the user's consent obtained, and non-explicit methods such as consent by default should be avoided; the user's express consent should be obtained when collecting sensitive personal information; and the user should be informed separately and the user's express consent obtained before collecting personal biometric information.

Fifth, provide special protection for minors. The rules for collecting and using the personal information of minors (both those over 14 years old and those under 14 years old) should be clearly stated in the privacy policy; if the App's service type is games, education or another main business function that involves collecting minors' information, a children's personal information protection policy should be formulated and effective screening conditions should be set to determine whether a user is a minor.

Sixth, avoid excessive collection of information. The types of personal information collected should be directly related to realizing the business functions of the product or service, and the requirements of "minimum frequency" and "minimum amount" of collection should be met.

Seventh, manage third-party connections. When an App connects to a third party, it should meet the following requirements: the privacy policy clearly lists the third party's identity, contact information, the personal information collected and its purpose; the security responsibilities of both parties and the personal information security measures to be implemented are clearly defined with the third party through contracts or other forms; and the third party is subject to continuous supervision.

Eighth, pay attention to the application of foreign laws. If an App is operated and used across borders, the App operator must comply with foreign laws and regulations. Some foreign laws differ from China's laws and policies in the definition and protection of personal information, and impose more stringent requirements on operators in some areas. For example, when carrying out automated individual decision-making and profiling, operators in the EU should inform the personal information subject of the relevant processing, provide the subject with convenient means of requesting human intervention or contesting the decision, and conduct regular checks to ensure that the automated decision-making and profiling system operates in the predetermined manner.

Legal liability for illegal collection

The "App Security Certification Implementation Rules" clearly state that passing certification does not exempt the certified App operator from legal responsibility for the certified App. The legal responsibilities referred to here are set out in the "Consumer Rights and Interests Protection Law of the People's Republic of China (Amended in 2013)", the "Cybersecurity Law of the People's Republic of China", the "Criminal Law of the People's Republic of China (Amended in 2020)", the "Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Laws in Handling Criminal Cases of Infringement of Citizens' Personal Information" and other laws and regulations. Illegal collection, use or provision of personal information may not only result in civil or administrative liability, but may also result in criminal liability, with a penalty of up to 7 years in prison.

App security certification is of great significance to both App operators and users. We hope that more companies will pass the certification, create a good environment for App consumption and use, establish a standardized industry ecosystem for collecting and using personal information, and promote the healthy development of the industry.

Author: Chen Ping, Information Industry Information Security Evaluation Center, China Cybersecurity Review Technology and Certification Center

Source: Consumer Guide Magazine
