PUBLICATIONS

Obtaining Consent When Collecting and Using Personal Information

The issue of personal information protection has been attracting an increasing amount of attention from enterprises and users in recent years. One very important part of personal information protection is obtaining users’ consent in the process of collecting and using their personal information, which enterprises must pay great attention to.

The purpose of this article is to explain, from a legal compliance perspective, how enterprises should obtain users’ consent when collecting and using their personal information, especially when doing so through Apps.

Definition and Method of Consent

Article 4 of the General Data Protection Regulation (“GDPR”), a regulation for personal data[1] protection and privacy in the European Union and European Economic Area, defines consent as “any freely given, specific, informed and unambiguous…statement or…clear affirmative action” by which a person gives permission for their personal data to be processed in a particular way.

The Information Security Technology— Personal Information Security Specification (“PI Specification”), which details specific guidelines for consent and how personal information should be collected, used and shared in China, categorizes the method of consent into “express consent” and “authorized consent”. “Express consent” refers to the behavior of the personal information subject who voluntarily makes a statement in paper or electronic form through written or verbal means, or makes an affirmative action on his or her own to expressly authorize the specific processing of his or her personal information. Affirmative action includes the personal information subject actively ticking a box, clicking “agree”, “register”, “send”, “call “, or providing the personal information by filling out a form etc.

In contrast, “authorized consent” refers to the act of express authorization by the  personal information subject for the specific processing of his or her personal information, which includes both authorization through positive actions (i.e., express consent) and authorization through negative inactions (e.g., the personal information subject in the information collection area does not leave the area after being informed of the collection of his or her information).

Furthermore, “separate consent” and “written consent” is a new requirement introduced by the second draft version of the Personal Information Protection Law (“PIPL Draft”), although such requirement is not yet clearly defined. According to the PIPL Draft, situations requiring separate and/or written consent include:

  1. the personal information being provided to a third party or made public;
  1. the collection of personal images and personal identity characteristic information through devices in public places and providing this to other persons or making it public;
  1. the processing of sensitive personal information; and
  1. the transferring of personal information outside the territory of China, etc.

Principles for Notification and Consent

The draft Information Security Technology—Guidelines for Personal Information Notices and Consent (for Public Comment) (“Draft Guidelines”) set out the principle of express consent as precedence, and authorized consent as exception.

In addition to the general principle of lawfulness, legitimacy and necessity, the Draft Guidelines stipulates the following basic principles when implementing the notification of consent in order to ensure that the notification process and the process of obtaining consent are effective and efficient:

With respect to the notification process:

  1. Open and Transparent – announcing the scope and purpose of collecting and using personal information, not concealing the personal information collected by the product or service and the purpose of its use, and not inducing the personal information subject to skip the content of the notice by deliberately obscuring or hiding it.
  1. Communicate One by One – informing the personal information subject of the relevant content one by one, or in case of significant difficulties, by means of announcement.
  1. Simultaneous and Real-Time – when personal information processing scenarios such as collection and use of specific business functions are involved, or when personal information collection behavior is triggered, informing the personal information subject immediately.
  1. True and Accurate – reflecting the true and accurate scope and purpose of personal information collection and use of products or services.
  1. Specific and Clear – the type and purpose of personal information to be collected and used must be combined with the actual business scenario, without the use of formatted terms.
  1. Clear and Easy to Understand – the text of the notification should be in accordance with the language habits of the personal information subject(e.g. simplified Chinese), using standardized language, figures, diagrams, etc., and should avoid the use of ambiguous language.

With respect to obtaining consent:

  1. Consistent with Notification – the scope of authorization to obtain consent should be consistent with what is notified.
  1. Self-Determined Choice – the option to obtain consent should be actively displayed to the personal information  subject to support his or her own choice, and when consent is not given, only the normal use of the current type of service should be affected.
  1. Appropriate Timing – consent should be obtained from the personal information subject before the act of personal information subject collection occurs and when the content of the notification is communicated simultaneously, so as to improve the personal information subject’s understanding of the relevance of business functions related to the personal information collected.
  1. Independence and Classified – after distinguishing the type of service of the product or service, the consent of the personal information subject should be separately obtained, and the personal information subject should not be forced to accept or reject all personal information that may be collected all at once.  

Exceptions for Obtaining Consent

Obtaining Consent is generally required when personal information is collected and used, the purpose of use is changed, the personal information is provided to the public, and in other cases.

Unlike the GDPR, the lawful basis for processing personal information in China is relatively limited under the current legal framework (which includes the Cybersecurity Law as the main overarching law), with consent being typically required in connection with the general processing of personal data. China’s new Civil Code, which came into force on January 1, 2021, extended the legal basis for processing personal information, and the PIPL Draft, which currently follows the personal information-related provisions contained within the Civil Code, is expected to contain more exceptions for obtaining consent in the final version.

Under the Civil Code, the infringer shall not bear civil liability when processing personal information under the following circumstances:

  1. When the processing is essential for:
    • acts performed reasonably within the scope agreed by the natural person or his or her guardian;
    • reasonably processing the information made public by the natural person himself or herself or other information that has been legally made public; and
    • other reasonable acts performed to protect the public interests or the legitimate rights and interests of the natural persons.
  1. Actions for the public interest such as news reporting and public opinion supervision within the reasonable scope of processing.
  1. Other circumstances as stipulated by laws and administrative regulations.

The PI Specification also provides detailed exceptions to obtaining consent of the personal information subject for the collection and use of his or her personal information as follows:

  1. When related to the fulfillment of personal information controllers’ obligations imposed by laws and regulations.
  1. When directly related to national security and national defense.
  1. When directly related to public safety, public health, and significant public interests.
  1. When directly related to criminal investigation, prosecution, trial, judgment and enforcement, etc.
  1. When safeguarding the major lawful rights and interests, such as life and property, of personal information subjects or other persons, and it is difficult to obtain the authorized consent of the personal information subject.
  1. When the personal information subject voluntarily discloses the collected personal information to the general public.
  1. When necessary to sign and perform a contract according to the personal information subject’s request (note, however, that the main function of the personal information protection policy is to disclose the scope and rules of the collection and use of personal information by the controller of personal information, which should not be treated as a contract in this context).
  1. When the personal information is collected from legitimate public information channels, such as legitimate news reports and government information available to the public.
  1. When necessary to maintain the safe and stable operation of the provided products or services, such as to detect and handle product or service malfunctions.
  1. When necessary for the personal information controller, such as a news agency, to make legal news reports.
  1. When necessary for the personal information controller, such as an academic research institute, to conduct statistical or academic research in the public interest, and the personal information has been de-identified in the publication of the academic research or results.

Rules Related to Obtaining Consent Through Apps

The protection of personal information collected and used in connection with Apps has recently attracted much attention. In recent years, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation (hereinafter collectively referred to as “regulatory departments”) have carried out several rounds of special rectification due to actual or potential personal information breaches that arose or may have arisen as a result of the increasingly large amount of personal information collected and used by Apps.

With regard to the issue of illegal collection and use of personal information through Apps, regulatory departments have set up corresponding user reporting channels to receive user complaints and reports and handle them accordingly. For example, the working group on the illegal collection and use of personal information by Apps has set up a public number for “Apps personal information reporting” and the website pip.tc260.org.cn; the Cyberspace Administration of China has set up the “illegal and undesirable information reporting center”; and the Internet Society of China, entrusted by the Ministry of Industry and Information Technology, has set up a center for reporting and handling undesirable information and spam disseminated through a network, and from time to time publicizing a list of Apps that illegally collect and use personal information.

For those Apps for which a public notification has been issued, if the enterprise refuses to rectify the problems, it may be subject to penalties based on the Cybersecurity Law and other laws and regulations, including but not limited to warnings, confiscation of illegal income, and a fine of more than double or less than ten times the illegal income (without illegal income, a fine of less than one million yuan), suspension of business, revocation of business and other licenses, closure of the website, etc. In addition, serious cases, such as the illegal sale or provision of citizens’ personal information to others, may further incur criminal liability.

A series of standards provides basic guidelines for the protection and regulation of personal information, including the Method for Identifying the Illegal Collection and Use of Personal Information by Apps, the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps etc. The following guidelines from these standards are worth noting:

  1. Consent shall be obtained before the collection of personal information or permitting access to the personal information which may be collected in the future, and the user must be provided with the option to agree or disagree.
  1. Personal information should not be collected in any form after a user has explicitly disagreed with the collection.
  1. Consent should not be frequently requested after the user explicitly disagrees with the collection (which may interfere with the normal use of the personal information), such as frequently asking the user (more than once in 48 hours) each time they reopen the App or use a business function (although the action of asking for consent for a specific function that the user actively chooses to use is not considered a frequent interference).
  1. Consent should not be asked for in a non-explicit manner, such as setting users to agree to the privacy policy by default. If the user’s consent is sought by requiring users to click “Next”, “Register”, “Login means consent”, etc., in addition to prominently displaying the privacy policy and other rules of collection and use, the user’s consent must also be explicitly stated. Furthermore, the logical relationship between the execution of the above actions and consent to the privacy policy must also be made clear in order to achieve the effect of actively reminding users to read the privacy policy followed by seeking their consent.
  1. Not obtaining the user’s consent should not change the status of his or her permission to have his or her personal information collected.
  1. Users shall not be misled to agree to having their personal information collected in an improper way, and they shall not be intentionally deceived by, for example, disguising the true purpose of collecting and using their personal information. Furthermore, users shall not be induced to agree to having their personal information collected or to permit access to the personal information which may be collected in the future (for example, the App prompts users to permit access to the address book in order to participate in activities such as red packets, gold coins and lotteries).
  1. Users shall be provided with ways and means to withdraw their consent to having their personal information collected. If the user refuses or turns off the access for the collection of their personal information, this shall not affect the user’s normal use of business functions not related to the permission, and shall not result in the suspension of other business functions, or reduce the service quality of other business functions.
  1. The personal information processing activities shall be carried out in strict compliance with the disclosed privacy policy and other rules on collection and use of the personal information and be in compliance with the agreement of the user; if the purpose, manner and scope of use of personal information changes, the user’s consent shall be obtained again.

In relation to the g) above, the Provisions on the Scope of Necessary Personal Information for Common Types of Internet Applications, which came into force on May 1, 2021, specifies the essential information for different categories of businesses and requires that Apps shall not deny users access to its basic functional services when they do not agree to provide non-essential personal information. This has become an important basis for the regulatory departments to inspect and supervise all kinds of Apps, specifically those that violate the principle of necessity and collect personal information that is not related to the products or services provided.

Last but not least, from the draft Interim Provisions on the Administration of Personal Information Protection for Apps (for Public Comment), released on April 26, 2021, we can see that the protection of personal information collected through Apps is a systematic objective, as the responsibilities of specific types of entities will be more clearly defined in the regulation, including not only App developers and operators, but also third-party service providers, distribution platforms, intelligent terminal manufacturers and network access service providers.

Concluding Remarks

For evidence retention and compliance requirements, enterprises should ensure they have an effective audit trail of when and how consent was given so that they can demonstrate they are meeting their compliance obligations and provide related evidence if challenged.

We consider that enterprises may need to be more proactive to meet compliance requirements based on their own business type and model. When collecting and using personal information, how consent should be obtained may differ depending on various scenarios, such as the collection and use of personal information through Software Development Kit (SDK), Internet of Things (IoT), personalized recommendations, Internet finance, vehicle mounted, and online shopping, etc. Enterprises are advised to carry out a self-audit based on their own situation.

As China is still in the process of establishing its data compliance and cybersecurity legal framework, the related laws and regulations are quickly updated. Therefore, it is advisable to closely and continuously pay attention to the legislative developments of personal information protection in related industries and areas.