On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”).

Operators of mobile applications are encouraged to obtain this certification to demonstrate their compliance with China’s national standard, GB/T 35273 Information Security Technology — Personal Information Security Specification (“the Standard”), in terms of their collection and use of personal data (our previous blogpost about the Standard can be found here).  Search engines and mobile application stores are encouraged to recommend certified applications to users.

The Implementation Rules on Security Certification of Mobile Internet Application (“Implementing Rules”), which set out detailed procedural requirements for the Security Certification Scheme, were also released at the same time as an annex to the Announcement.

Although not mandatory, as the state-sanctioned certification scheme for personal information protection, the creation of this program illustrates the Chinese regulators’ willingness to use soft tools to encourage best practices in the marketplace.

Certification Institution

According to the Announcement and the Implementing Rules, the China Cybersecurity Review Technology and Certification Center (“CCRC,” official website is available here) has been designated as the certification institution for the Security Certification Scheme.  CCRC has the right to appoint technical testing agencies to perform technical testing and inspection as part of the certification process.

Certification Procedure

Certification Application

Operators of mobile applications (“Applicant”) can apply to CCRC to certify their mobile applications against the Standard.  If the application has multiple versions available on different operating systems (e.g., iOS or Android), separate applications must be filed for each version.

An Applicant may not be allowed to file a certification application if:

  • it has violated relevant laws and regulations;
  • it has suffered a serious security incident within the past 12 months;
  • a similar certification previously owned by the Applicant was revoked and such Applicant is not allowed to apply for a new certification within a certain period; or
  • other circumstances occur as specified by CCRC.

The Implementing Rules have not defined “serious security incident,” and it is also unclear what a “similar certification” refers to in this context.

Technical Verification

After CCRC accepts the certification application, the Applicant is required to submit a sample for verification.  The mobile application must first be verified by technical testing agencies (“Technical Verification”) followed by CCRC’s on-site review (“On-site Review”).  CCRC will issue technical specifications for the Technical Verification and On-site Review, as required by the Implementing Rules.  In the event that a testing agency or CCRC discovers any inconsistency between the mobile application sample and the technical specifications, the Applicant will be required to remedy the deficiencies.  If the Applicant fails to remedy the deficiencies within the period specified by the testing agency or by CCRC, the certification process may be suspended.

CCRC will make its final decision after evaluating the application materials and the results of the Technical Verification and On-site Review.  The Applicant may file a complaint to CCRC within ten business days after the receipt of the certification decision if its application is denied.  CCRC will determine whether to accept the complaint within five business days and issue a final decision within thirty business days.

Ongoing Compliance and Supervision

According to the Implementation Rules, the certified mobile application operator is required to submit a self-assessment report to CCRC under the following circumstances:

  • the distribution channel of the certified mobile application has changed;
  • the certification mark will be used in ways different from the description in its application;
  • the certified mobile application is updated in a way that changes the purpose, data types or means of the collection, processing and use of personal information;
  • if there is any change to the recipient, means or the purpose of sharing, transfer or public disclosure of personal information collected by the mobile application; or
  • the mobile application operator received any complaints about the certified mobile application.

In addition to ongoing monitoring of the operation of certified mobile applications, CCRC may also launch special inspections if:

  • the certified mobile application’s personal information protection practices are questioned by users, media or industry regulators and it is proven liable after the investigation;
  • there is any material change to the internal organization structure or service model of the certified mobile application operator, or the mobile application operator is involved in a merger or liquidation process;
  • CCRC discovers any non-compliance of the certified mobile application during CCRC’s regular monitoring process.

Certificate and Mark

The certified mobile application operator is allowed to display the certificate on its website, in its office, and on promotional materials.  It may also use the certification mark in accordance with requirements of CCRC.

The certificate may be suspended or revoked under certain circumstances, such as non-compliance with certification requirements or violation of laws or regulations.  The suspension term is 180 days and the certified operator is prohibited from using the certificate during such a period.

The Announcement is yet another step taken by Chinese regulators to tackle data over-collection in the mobile application context.  In early 2019, the CAC and three other government agencies (including the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration of Market Regulation) led a campaign to audit the collection and use of personal information by mobile applications nationwide (see CAC press release here in Chinese).  The campaign (and the creation of the Security Certification Scheme) signals the enforcement priorities of the government and is likely to significantly impact companies’ data protection practices in China.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.