March 2, 2020
A Chinese government social media platform last week published detailed recommendations (translated below) for developers of online tools to assist in epidemic response, reminding developers that urgency does not absolve them of their data protection obligations. The recommendations show both the intensity and limits of government efforts to protect personal information.
The Feb. 26 post by the "App Governance Working Group"*—established by the official IT standards group TC260, the China Consumers Association (CCA), the Internet Society of China (ISOC), and the Cybersecurity Association of China (CSAC)—followed a Feb. 9 notice from the Cyberspace Administration of China (CAC) encouraging various actors to "vigorously use big data including personal information" in the fight against the novel coronavirus, while still following established data protection rules. (See DigiChina translation.)
The new recommendations, like the CAC notice, draw on existing rules and standards such as the Personal Information Security Specification. What sets them apart is that the CESI group said it had received more than 300 reports of epidemic-related data collection issues through its online portal, accounting for about 15 percent of this year's total so far.
The post paid special attention to online classroom apps and tools—like video conferencing apps—seeing a surge in use as people try to resume life under quarantine. Online education through apps was already a growing market in China, and the CESI group reported serious deficiencies in privacy practices, including intrusive requirements to enable remote access to mobile phone cameras or microphones. Moreover, several apps reportedly failed to gain required parental consent for users under the age of 14.
No New Limits on Government Data Collection or Automated Restrictions
Even if every online tool fighting the virus followed these recommendations, however, there would still be significant questions about privacy and personal autonomy.
The New York Times reported March 1 that Ant Financial, Alibaba's payments affiliate, had worked with authorities in the company's home province of Zhejiang to assign citizens a color-coded health status that can be checked, for instance, before entering mass transit. How a user's status is generated is not transparent, and the Times found the app appears to report a user's location to police whenever their code is scanned.
Like most elements of Chinese privacy regulations, these new recommendations are silent on sharing data with security services, instead focusing on potential abuses or unsafe practices by companies. Even there, enforcement is often limited to name-and-shame campaigns or small fines.
The Zhejiang health status app and other data-driven public health efforts raise concerns about accountability, accuracy, and personal autonomy, but the new recommendations do not address these risks, even though Chinese authorities sometimes address negative outcomes of "big data" or "AI," including discrimination, in the context of personal information protection.
While CAC's recent notice did limit personal health data collection to those authorities specifically authorized, and it did call for prevention of discrimination based on location, these recommendations appear geared toward emphasizing existing standards and responsibilities, rather than addressing new challenges specific to virus response.
*Correction: This introduction has been corrected to indicate that the App Governance Working Group was established by TC260, CCA, ISOC, and CSAC. It originally said it was part of the China Electronics Standardization Institute (CESI). CESI is listed as the sponsoring work unit for the group's Wechat account, but the post lists the other four entities as having jointly established the working group itself. We regret the error. –Ed. (March 20, 2020)
Recommendations for Tools Urgently Launching Operations
In order to assist in epidemic prevention and control work, many online tools are being urgently developed in short periods of time and put into operation. This leads many tool developers and operators to be insufficiently attentive and careful in considering personal information protection. As such, the [App Governance] Working Group has the following recommendations:
- Online tools should clearly specify their developer and operator on the homepage or in another prominent place. Those that have obtained development authorization or assistance from relevant authorities should clearly specify the relevant authorization or relationship.
- Tools that involve data queries should clearly specify the data source.
- Clearly specify the tool's main purpose, and ensure that personal information collection always has a direct relationship with that purpose. Where changes to the tool's functionality entail a change in scope, etc., of collection or use of personal information, supplementary notice should be given.
- Where the tool requests permission to use location, phone number, storage, or other such personal data collection, it should at the same time notify the user of the purpose, and the user should voluntarily give consent. Coercive requests, frequent interruptions, and other such methods should not be used.
- Tools that already have privacy policies and launch updates with epidemic prevention and control functionality should provide supplementary explanation where personal information collection or use rules are entailed.
- Clearly specify user personal information processing methods, and ensure minimization in personal information collection. For example, where functionality like a query into the local epidemic situation uses geographical positioning, employ localized processing methods, as there is no need to upload to the server. Notify users of the processing method in the interface.
- Clearly specify the user personal information processing lifecycle, establishing a plan for the scope of use, retention period, post-event handling measures, etc., of personal information. Where account registration is entailed, cancellation functionality should be provided.
- Where display or publication of epidemic prevention and control–related data is involved, de-identification measures such as non-displaying fields should be in place. Where citizens may query the travel and activity logs of themselves, family members, etc., mandatory verification measures such as mobile phone verification and query rate limits should be set up. The interface for query results can obscure parts of fields to prevent information leaks.
- Carefully monitor user feedback and complaints, as well as relevant outside evaluations, to engage in rapid iteration and perfect tool functionality.
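As an added illustration of the query-safeguard recommendations above (mandatory phone verification, query rate limits, and partial obscuring of displayed fields), the following example is not from the working group's post; the travel log, phone numbers, ID number, `TravelLogQuery` class and the limit of five queries are all constructed placeholders.

```python
"""Travel-log query handler following the recommendations: a verified
phone number is required, each phone is rate-limited, and identifying
fields are partially obscured before results are displayed.
All names, data and thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed sample travel log keyed by phone number (placeholder values).
TRAVEL_LOG = {
    "13800000001": [
        {"name": "Zhang San", "id_number": "110101199001011234",
         "train": "G123", "date": "2020-02-20"},
    ],
}
MAX_QUERIES_PER_WINDOW = 5  # assumed per-phone limit; a deployment would reset it per time window


def mask(value, keep_head, keep_tail, char="*"):
    """Obscure the middle of a field, keeping only head/tail characters."""
    n = len(value)
    if n <= keep_head + keep_tail:
        return char * n
    return value[:keep_head] + char * (n - keep_head - keep_tail) + value[n - keep_tail:]


def deidentify(record):
    """Return a display copy with identifying fields partially obscured."""
    out = dict(record)  # copy so the stored record is never mutated
    out["name"] = mask(out["name"], keep_head=1, keep_tail=0)
    out["id_number"] = mask(out["id_number"], keep_head=3, keep_tail=2)
    return out


class TravelLogQuery:
    def __init__(self, limit=MAX_QUERIES_PER_WINDOW):
        self.limit = limit
        self.counts = defaultdict(int)  # queries issued per verified phone

    def query(self, phone, phone_verified):
        """Look up a phone's travel records, enforcing the three safeguards."""
        if not phone_verified:  # mandatory verification before any lookup
            return {"error": "phone verification required"}
        self.counts[phone] += 1
        if self.counts[phone] > self.limit:  # query rate limit
            return {"error": "query rate limit exceeded"}
        records = TRAVEL_LOG.get(phone, [])
        return {"results": [deidentify(r) for r in records]}
```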
Thanks to Rui Zhong for contributing to the editing of this piece.