Govt trains its guns on illegal data collection

China's central government launched an annual special campaign on Thursday, targeting common problems involving the illegal collection and use of personal information in internet services and key sectors, including education and transportation.

The campaign was announced in a notice issued by the Office of the Central Cyberspace Affairs Commission, together with the Ministry of Industry and Information Technology, as well as the Ministry of Public Security.

According to the notice, internet services under scrutiny include apps and software development kits, or SDKs, while key sectors include online advertising, education, transportation, healthcare and finance.

The notice said targeted violations by apps and SDKs include failure to disclose rules on the collection and use of personal information, as well as inconsistencies between the stated purpose, method and scope of data collection and actual practices.

In the online advertising sector, enforcement will focus on the collection and use of personal information by intermediary platforms and media operators.

Key problems include collecting personal information beyond what is necessary and failing to specify the types of personal information provided to third parties, as well as the purpose, method, recipients' names and contact details.

In the education sector, the campaign will focus on colleges and universities, primary and secondary schools, kindergartens, and off-campus training institutions.

Educational institutions will be penalized if they process the personal information of minors under age 14 without establishing dedicated rules or obtaining consent from parents or other guardians.

They will also face penalties if their offline venues, websites or apps use facial recognition as the sole means of identity verification for parents or students, even when non-facial-recognition methods could achieve the same purpose.

In the transportation sector, the campaign will target operators across various modes of transport, online ticket-booking platforms, and postal and courier companies.

Authorities will check, for example, whether their websites and apps collect location, contacts or other personal information, or request access to microphones, storage and other permissions in irrelevant scenarios.

Postal and courier companies, as well as online ticket-booking platforms, will also be examined for possible leaks of users' contact information, home addresses, travel itineraries and other personal data.

In the healthcare sector, hospitals and medical institutions will be checked to determine whether inadequate identity verification processes allow unauthorized access to medical records.

They will also be scrutinized for disclosing medical images, text descriptions or other information containing patients' personal data without consent.

Authorities will also examine whether internal information systems of medical institutions have adopted effective technical safeguards, including encryption and de-identification measures.

The campaign calls for stronger personal information protection in financial institutions.

Authorities will look into whether websites and apps operated by such institutions collect unnecessary personal information — including contacts, text messages, call logs and location data — or request access to microphones and storage under the pretext of security risk control or loan services.

The campaign will also intensify efforts to crack down on crimes related to personal information.