The Cyberspace Administration of China (CAC) released in June a set of new rules regulating mobile applications (apps), i.e., the Administrative Provisions on Mobile Internet Applications Information Services (2022 Provisions). The 2022 Provisions came into force on 1 August 2022, repealing the original rules effective since 2016 (2016 Provisions).

Mobile apps have long been put under heavy scrutiny from a data privacy and wider regulatory perspective in mainland China. Since the first official announcement of the regulators’ focus on cleaning up this part of the digital ecosystem in January 2019, a coordinated series of rectification campaigns and app-specific rules and compliance guidance have targeted the misuse of data by apps operating in China.

Based on publicly disclosed sanctions about these enforcement actions in 2021, 1,549 mobile apps across various industries were censured for data non-compliance, and 514 apps failing to rectify issues were removed from app stores and penalised with disciplinary orders ranging from suspension of services to monetary fines.

The 2022 Provisions, by referencing the three pillars of China’s data laws – the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL) – are another step to tighten app regulation in this vast mobile economy.

Expanded scope of application 

Compared with the 2016 Provisions that only apply to apps and app stores, the 2022 Provisions have expanded coverage to apps and app distribution platforms, the latter of which include not only app stores but also other types of app distribution platforms such as fast app centres, mini program platforms (as sit within super apps like WeChat and Alipay) and browser plug-in platforms. This change echoes the development of app distribution models in the Chinese market, aiming to further regulate various apps that provide information services and platforms that provide app distribution, download and dynamic loading services.

Tech and other companies that operate apps or app distribution platforms in China must ensure their compliance with the new rules.

Key obligations for app providers

  • Enhanced information security and data protection: The 2022 Provisions mandate app providers to implement real-name authentication and content review measures, which align with existing requirements under the 2016 Provisions and the CSL. Following the DSL and PIPL’s introduction last year, the 2022 Provisions also set high-level requirements in terms of data security, vulnerability reporting, and personal information protection.

In particular, the 2022 Provisions specifically prohibit app providers from forcing users to consent to their processing activities, and refusing to provide basic business functions due to users’ disagreement to provide unnecessary personal information. This echoes another set of app provisions effective in May last year, which specify the scope of necessary personal information for 39 types of app.

  • Security assessment: Apps with technology or functions that could influence public opinion must seek a security assessment. Tech compliance teams may wonder how this concept of a “security review” sits alongside other similar security review schemes adopted under PRC law, including the mandatory security review required before the cross-border transfer of certain data under the PIPL and its recently released implementation measures; the cybersecurity review of network products procured by critical information infrastructure operators and data processing by network platforms that may endanger national security under the Cybersecurity Review Measures; and the broader security review regime forecast under the DSL.

In fact, the 2022 Provisions’ assessment regime is not new – it was implemented in 2018 under rules regulating internet information services that enable the sharing of public opinions or are capable of social mobilisation, and enforcement has taken place. For example, the Chinese authorities summoned 11 leading online enterprises and platforms for talks in 2021 in respect of their failure to complete the necessary security assessments. In addition, apps that can “shape public opinion” or “mobilise society” are subject to strict scrutiny in utilising algorithm. The CAC requires these app operators to file with a submission pack that includes a self-assessment report on the use of algorithms.

 Key obligations for app distribution platforms

  • Filling requirements: The 2022 Provisions require app distribution platforms to conduct a recordal with the local branch of the CAC within 30 days of going online.
  • Supervision on distributed apps: App distribution platforms are obliged to supervise apps launched on their platforms.

Apart from the existing requirement to enter into service agreements with app providers to agree on each party’s rights and obligations, the 2022 Provisions also newly mandate app distribution platforms to establish classified management systems for the apps launched on their platforms, and implement other procedures for apps’ listing reviews, routine management, and emergency response.

Another new requirement is identity verification – app distribution platforms must adopt measures such as compound verification to authenticate real identity information of app providers applying to launch new apps. Certain identity information will be disclosed for public supervision purposes.

The gloves are off (if they were not already)

Mobile penetration in the mainland continues to attract tech and other businesses to launch applications, but compliance risk is real. With the new rules coming into force, we expect to observe enhanced regulation and supervision on apps in China.

Indeed, the Shanghai Communications Administration just launched a campaign targeting data compliance practices of apps with more than 5 million downloads/installations in an app store.

App operators and distribution platforms looking to thrive in the Chinese mobile app market must quickly assess their compliance gaps relating to the increasingly dense web of app regulations. We have been working with clients seeking to remedy unforeseen issues. Is it time for your audit?