UGGC Shanghai – Newsletter April 2021: China reinforces protection of personal data collected by Apps and strengthens obligations of Network trading platform operators

UGGC - Logo uggc avocats

On March 12, 2021, China issued the Provisions on the Scope of Necessary Personal Information for Common Used Mobile Internet Applications (the “Provisions”), according to which, mobile apps and mini programs shall no longer collect personal information from users beyond the necessary scope.

Moreover, on March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and live streaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

Below are the main changes introduced by the Measures and the Provision.

The Provision

Necessary scope of personal information collection
The Provision applies to Apps. The term Apps includes application software preloaded or downloaded and installed on mobile smart terminals; mini applications developed on the basis of open platforms and application software that can be used without requiring installation by users.

As stipulated under the Provision, apps cannot stop users from using their basic functions and services because they do not agree to provide personal information deemed unnecessary for basic use. On this basis, the Provision outlines the scope of necessary personal information for commonly used 39 categories of Apps.

Among the 39 categories, 13 of them require no personal information for basic functions (such as weather, sports and fitness or news); 6 of them require the registered user’s mobile phone number only as necessary personal information for basic functions (for example, remote conferencing with “providing audio or video conferencing online” or local living with “domestic cleaning and repairs, furniture and decor, trading in used goods, and other routine life services”.)

For the remaining 20 categories, the Provision lists the scope of necessary personal information based respectively on their basic functions. For example, a hotel service requires the registered user’s mobile phone number; the hotel guest’s name and contact information; check-in and check-out time and name of the hotel.

Where any organization or individual discovers conduct violating these Provisions, they may report it to the relevant departments. The authorities will deal with violations of the Provision in accordance with the law after receiving the report.

Coming into effect
The Provisions are to take effect on May 1, 2021.

The Measures

Published only a few days later and in line with the Provision, the Measures reinforce the protection of personal information and the protection of consumers’ rights by introducing liability and sanctions for online transaction operators.

The Measures apply to online transaction operators (legal persons and unincorporated organizations, including network trading platform operators, operators within the platform, self built website operators and network trading operators through other network services who carry out network trading activities).

Network trading platform operators are those involved in network trading activities and providing network business premises and infrastructure to carry out independent network trading.

Operators within the platform are those online transaction operators who carry out network trading activities through the network trading platform.

Protection of consumers’ right

  • Deception

Online transaction operators are prohibited from deceiving or misleading consumers by making false or misleading commercial propaganda (fictitious transactions, fabricated user reviews, fictitious clicks etc.).

  • Commercial prospection

Online transaction operators are now prohibited from sending commercial information to consumer’s without their consent. While sending commercial information, the online transaction operator must expressly provide its identity and contact information along with a simple way to refuse future solicitation.

  • Automatic renewals

In terms of automatic renewals, before consumers accept a service, the online transaction operator must notify consumers of the renewal five days prior to the date of automatic renewal and allow consumers to choose whether or not to renew the service. The online transaction operator must also provide consumers with a simple option for cancellation and must not charge an unreasonable fee.

  • Prohibited provisions

The Measures give a list of content that may not be inserted in standard terms, notifications and statements used for the provision of merchandise or services, such as the (1) elimination or restriction of repairs, exchanges, returns, compensation, liquidated damages and other reasonable damages; (2) elimination or restriction of complaints and reports, requesting mediation or filing arbitrations or law suits; (3) elimination or restriction of the amendment or cancellation of contracts; and (4) terms stating that the online transaction operator is entitled to the unilateral right of interpretation or right of ultimate interpretation.

Protection of personal information

  • Consent for collection

The online transaction operator must obtain separate consent from customers on an individual basis in cases of collection and use of sensitive personal information (personal biometric, medical and health, financial accounts, personal whereabouts and other sensitive information).

They are also required to disclose the use they will have of the collected information.

Moreover, they are prohibited from adopting one-time general authorization, implied authorization and bundled authorization, as well as from stopping installation, or using other means, to force consumers to consent to providing information not directly related to their business operation.

Network trading platform operators’ duty of care and liability

The network trading platform operators is required to verify the operators registering to use the platform and provide services through the platform. They should verify the identity, address, contact information etc. The Measures also imposes a regular monitoring of the activities of the trading operators in particular the network trading platform operator should handle the operator within the platform’s illegal behavior and is allowed to warn, suspend or even terminate the services for such operators.

The Measures also specify a joint liability when the operator within the platform knew or should have known of the violations of the trading operator and did not take the necessary measures to stop him.


Multiple sanctions are stipulated throughout the Measures and correspond to a specific violation of the obligations listed. The measures specify the sanctions for some violations such as not requesting consent to collect personal information from users. The maximum fine for this violation is 30.000 RMB. On the other hand, other violations are sanctioned in accordance to other laws (Electronic Commerce Law, Anti-Unfair competition Law).

Coming into effect

The Measures will come into force on May 1, 2021 and the 2014 Measures for the Administration of Internet Transactions will be repealed.

For further information, please contact:

Jenny CAO:
+86 21 6249 030