A concept photo of cybersecurity Photo: VCG

In a move to strengthen personal data protection, China's top internet regulator has drafted new rules governing how mobile applications collect and use personal information and is now seeking public consultation.

The Cyberspace Administration of China (CAC) announced the provisions on personal information collection and use for internet applications (draft for comments) on its official WeChat account on Saturday. The proposal aims to safeguard user rights while promoting the reasonable use of data in the digital ecosystem.

Under the proposed rules, app operators must clearly inform users about data collection practices and obtain their consent before processing personal information. For sensitive data, separate and explicit user consent would be required, unless otherwise stipulated by law.

The collection and use of personal information should be carried out in a way that has the least impact on the rights and interests of the personal information subject, and be limited to what is necessary for providing products or services. Personal information must not be collected or used beyond the scope.

For instance, internet applications should only invoke camera and microphone permissions when users actively choose to use functions such as taking photos, sending voice messages, and recording and videography. They must not invoke camera and microphone permissions when users stop using the relevant functions or in irrelevant scenarios.

Internet applications collecting biometric information such as facial features, fingerprints and voiceprints should have specific purposes and sufficient necessity, adopt methods that have the least impact on individual rights and interests, and implement strict protective measures.

This draft represents a significant step in implementing China's evolving personal information protection framework, Wang Sixin, vice dean and professor at the School of Politics and Law at the Communication University of China, told the Global Times on Saturday 

"This is intended to enhance the protection of personal information, prevent app operators from over-exploiting personal information for secondary or even tertiary uses, and prevent them from appropriating all related rights and interests for themselves," Wang said.

He added that the rules provide clearer operational guidelines for developers and platforms, which could help curb data misuse and foster a healthier digital environment.