China's Pre-Installed Apps Rules, Other Signs Suggest Privacy Regime Coming


By Michael Standaert  


SHENZHEN, China--A new regulation prohibiting smart device manufacturers from installing, prior to purchase, applications that could violate laws on privacy, content restriction, or security, as well as several recent notices issued by the Chinese government, signal that the country is moving closer to a comprehensive data protection regime, legal experts on China told BNA.

Multinationals operating in China should implement global best practices on data privacy management in the country--particularly at the point of collection--or they risk potentially breaking the new rules, even if there is not full clarity on what they mean, the experts warned.

The regulation on pre-installed apps, which was issued in April by China's Ministry of Industry and Information Technology (MIIT) and is slated to take effect Nov. 1, also prohibits smart device manufacturers from using apps that collect or modify user information or access other networks without notice and consent; that would affect the safe and normal operations of the device or network; or that include content restricted by other Chinese laws.

Post-sale installation of apps is not covered by the regulation, but the experts predicted that forthcoming regulations could cover such issues, as well as the operations of mobile app stores.

Manufacturers to Face New Costs

The regulation will impose “obligations on smart mobile device manufacturers to incur certain costs, to reexamine their marketing strategies, and to modify these strategies if necessary or appropriate,” Manuel Maisog, a partner with Hunton & Williams LLP, in Beijing, recently told BNA.

The regulation was issued in response to consumer concerns over “perceived potential for abuse” from pre-installed applications that were “something of a ‘mystery box’ as far as the ordinary consumer was concerned,” he said. Users feared that such applications “might be aggressively or destructively collecting and using information without the device owner's knowledge,” Maisog said.

“[S]o long as a manufacturer of smart mobile devices applies for [a] network access license, files the required record with the [MIIT], and does not pre-install aggressively or destructively invasive applications, the entity should be in compliance.”

The regulation will have substantial costs for companies that were indeed pre-installing aggressive or invasive apps, he said, but even for competitors that did not engage in such now-unlawful behavior, “filing for record could also prove time consuming and costly.”

Rules Lack Clarity …

Although there is no single, comprehensive law on data privacy in China, recent moves such as the regulation on pre-installed applications show that the country is moving forward on a more comprehensive framework for data privacy that companies must be prepared to deal with, Scott Thiel, a data privacy expert with DLA Piper, in Hong Kong, recently told BNA.

Two other significant data protection developments happened at the turn of the year, Thiel said.

In December 2012, the Standing Committee of the National People's Congress issued a “Decision on Strengthening Online Information Protection” (12 PVLR 6, 1/7/13) and in January, the MIIT issued a “Guideline for Personal Information Protection System for Public and Commercial Services,” Thiel noted.

Those announcements, “as with almost every aspect of recent developments” regarding data privacy frameworks in China, are “not very clear” but do signal an overall shift toward a comprehensive data privacy regime.

Clarity is lacking, particularly regarding “who is administering” the various regulations and guidelines, though they could have huge impacts on multinationals operating in the country, which should now be in a “watch-this-space mode,” according to Thiel.

A draft “Personal Information Protection Law” was submitted to the State Council in 2008, but no progress or announcements about a specific law have been mentioned since then, Thiel said.

Coverage of data privacy issues has often been given front-page treatment in China's state-run media over the past year, signaling that there is a commitment toward a stronger data privacy regime, even if an over-arching law might be further down the road, he said.

… But Still Carry Weight

The December 2012 National People's Congress (NPC) decision provides the most detailed language yet on prohibitions on the theft, sale, collection, use, confidentiality, security, and marketing of personal information contained in communications, Thiel said. The decision has “the same legal force as national legislation,” he said.

The MIIT January guidelines cover the collection, processing, transfer, retention, and deletion of personal data in computer networks and potentially prohibit transfer of personal data outside of China without the express consent of the subject, Thiel said. Although they technically serve only as a recommendation for national standards, they could “be used for reference by authorities and courts,” as a form of “indirect enforcement,” he said.

Maisog said the NPC decision from December 2012 was “potentially the more significant” of the two notices, because that decision is legally binding and because it adopts “data protection requirements, such as notice and consent, security safeguards, and adoption and publication of a privacy policy, that are consistent with international approaches.”

The NPC decision is not “necessarily … a movement toward a single, coordinated data privacy law,” he added. “But that does not mean it is unimportant. The December 2012 decision may instead be an illustration of a creeping development of data privacy law, in which standards and requirements that are developed in the context of one industry sector are then extended to apply also to new sectors, on a sector-by-sector and one-by-one basis. Even if this falls short of a dramatic, one-time enactment of a comprehensive, coordinated, self-contained data privacy law, if it pans out as a consistent trend, it would still be a very important development,” Maisog said.

Compliance Advice

To deal with the growing framework of regulations, notices, and guidelines on data privacy in China, Thiel suggested that companies take the initiative to implement global best practices on data protection, particularly to get clear consent from data subjects at the point of data collection. At the moment, “most businesses in China are not doing what they would need to be doing” to comply with that framework, particularly if they are transferring data offshore, he said.

Businesses should move to comply with the Chinese guidelines and decisions because “they can suddenly become law” and go into effect with “retrospective” effect, Thiel warned.

Maisog, however, said he was unsure how important the MIIT guidelines will be, because they are advisory and not binding.

“Business operators often already feel burdened with other commercial and legal pressures and may choose not to add to their burden by adopting the standards that are recommended under the [MIIT] guidelines,” Maisog said. “In particular, a business operator could easily feel pressure to disregard the guidelines once their competitors have decided to disregard it.”

Still, the guideline restrictions on transfer of personal data outside the country have been worrying companies, Thiel said, particularly because the statement detailed sanctions including fines, criminal liability, or revocation of business licenses. Having a license revoked, a sanction that largely does not exist elsewhere in the world, is potentially an “awfully big stick,” he said.


The MIIT regulation notice, “Regarding Strengthening the Management of Network Access for Mobile Smart Terminals,” is available, in Chinese, at

Dec. 28, 2012 “Decision on Strengthening Online Information Protection” by the Standing Committee of the NPC can be found here:

The MIIT “Guideline for Personal Information Protection System for Public and Commercial Services” is available at