On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”).
Operators of mobile applications are encouraged to obtain this certification to demonstrate their compliance with China’s national standard, GB/T 35273 Information Security Technology — Personal Information Security Specification (“the Standard”), in terms of their collection and use of personal data (our previous blogpost about the Standard can be found here). Search engines and mobile application stores are encouraged to recommend certified applications to users.
The Implementation Rules on Security Certification of Mobile Internet Application (“Implementing Rules”), which set out detailed procedural requirements for the Security Certification Scheme, were also released at the same time as an annex to the Announcement.
Although not mandatory, as the state-sanctioned certification scheme for personal information protection, the creation of this program illustrates the Chinese regulators’ willingness to use soft tools to encourage best practices in the marketplace.
According to the Announcement and the Implementing Rules, the China Cybersecurity Review Technology and Certification Center (“CCRC,” official website is available here) has been designated as the certification institution for the Security Certification Scheme. CCRC has the right to appoint technical testing agencies to perform technical testing and inspection as part of the certification process.
Operators of mobile applications (“Applicant”) can apply to CCRC to certify their mobile applications against the Standard. If the application has multiple versions available on different operating systems (e.g., iOS or Android), separate applications must be filed for each version.
An Applicant may not be allowed to file a certification application if:
- it has violated relevant laws and regulations;
- it has suffered a serious security incident within the past 12 months;
- a similar certification previously owned by the Applicant was revoked and such Applicant is not allowed to apply for a new certification within a certain period; or
- other circumstances occur as specified by CCRC.
The Implementing Rules have not defined “serious security incident,” and it is also unclear what a “similar certification” refers to in this context.
After CCRC accepts the certification application, the Applicant is required to submit a sample for verification. The mobile application must first be verified by technical testing agencies (“Technical Verification”) followed by CCRC’s on-site review (“On-site Review”). CCRC will issue technical specifications for the Technical Verification and On-site Review, as required by the Implementing Rules. In the event that a testing agency or CCRC discovers any inconsistency between the mobile application sample and the technical specifications, the Applicant will be required to remedy the deficiencies. If the Applicant fails to remedy the deficiencies within the period specified by the testing agency or by CCRC, the certification process may be suspended.
CCRC will make its final decision after evaluating the application materials and the results of the Technical Verification and On-site Review. The Applicant may file a complaint to CCRC within ten business days after the receipt of the certification decision if its application is denied. CCRC will determine whether to accept the complaint within five business days and issue a final decision within thirty business days.
Ongoing Compliance and Supervision
According to the Implementation Rules, the certified mobile application operator is required to submit a self-assessment report to CCRC under the following circumstances:
- the distribution channel of the certified mobile application has changed;
- the certification mark will be used in ways different from the description in its application;
- the certified mobile application is updated in a way that changes the purpose, data types or means of the collection, processing and use of personal information;
- if there is any change to the recipient, means or the purpose of sharing, transfer or public disclosure of personal information collected by the mobile application; or
- the mobile application operator received any complaints about the certified mobile application.
In addition to ongoing monitoring of the operation of certified mobile applications, CCRC may also launch special inspections if:
- the certified mobile application’s personal information protection practices are questioned by users, media or industry regulators and it is proven liable after the investigation;
- there is any material change to the internal organization structure or service model of the certified mobile application operator, or the mobile application operator is involved in a merger or liquidation process;
- CCRC discovers any non-compliance of the certified mobile application during CCRC’s regular monitoring process.
Certificate and Mark
The certified mobile application operator is allowed to display the certificate on its website, in its office, and on promotional materials. It may also use the certification mark in accordance with requirements of CCRC.
The certificate may be suspended or revoked under certain circumstances, such as non-compliance with certification requirements or violation of laws or regulations. The suspension term is 180 days and the certified operator is prohibited from using the certificate during such a period.
The Announcement is yet another step taken by Chinese regulators to tackle data over-collection in the mobile application context. In early 2019, the CAC and three other government agencies (including the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration of Market Regulation) led a campaign to audit the collection and use of personal information by mobile applications nationwide (see CAC press release here in Chinese). The campaign (and the creation of the Security Certification Scheme) signals the enforcement priorities of the government and is likely to significantly impact companies’ data protection practices in China.