Original title: Zhou Liang et al.: Technology Innovation and Legal Frontiers Series, No. 7 - Data Compliance Analysis of Implanting Third-Party Services or Products into Apps
With the promulgation of the Personal Information Protection Law and its supporting documents, companies have placed more emphasis on data compliance. Recently, several companies consulted us about how to establish a data compliance regime for the implantation of third-party services or products into apps. We understand that there is a huge potential risk for app operators that implant third-party services or products into their apps. Based on our observation, in the course of the implantation of third-party services or products, the following problems arise frequently and lead to penalties imposed on app operators:
1. Third-party services or products conceal the scope of the collection of personal information;
2. Third-party services or products collect users' personal information beyond the scope;
3. Apps fail to fully disclose third-party services or products to users.
Risks for app operators to implant third-party products or services
Since the launch of the "Special Governance Action against the Collection and Use of Personal Information by Apps in Violation of the Laws and Regulations", many apps have been punished by the regulatory authorities due to the non-compliance of the implanted third-party products or services.
For example, on 26 August 2022, the Information and Communications Administration of the Ministry of Industry and Information Technology inspected apps in the categories of hotels and catering, applications for teenagers, etc. A total of 227 apps with third-party services and products were found to infringe the users' rights and interests by collecting personal information beyond the scope and failing to fully disclose to the users the scope of collection. Such apps were requested to rectify the violations within a certain period.
In accordance with the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020), there are three circumstances with regard to cooperation in the processing of personal information between app operators and third-party product and service providers:
1. App operators entrust the third party to process personal information;
2. App operators jointly process personal information with the third party;
3. The third party solely processes personal information.
The key points and liabilities the app operators shall be aware of are different under each circumstance. However, in general, with reference to Article 30 of the Administrative Measures on Data Security (Exposure Draft), if a data security incident occurs to a third-party application, causing losses to users, the network operator shall bear part or all of the liability unless it can prove that it is not at fault. Therefore, if there is a violation in the course of joint processing between app operators and third-party products and services, or if app operators supervise third-party products and services inadequately, app operators may also be held liable and subject to penalties imposed by the regulatory authorities, such as rectification orders and even removal of the app from the app stores.
Non-compliance circumstances after the implantation of third-party services or products
Based on our observation in our previous projects, the common non-compliance circumstances after the implantation of third-party services or products are as follows:
Third-party services or products conceal the scope of the collection of personal information
In general, it is difficult for users to intuitively perceive what personal information has been collected by third-party services or products because of the interactive interface design of apps. Even app operators may be unaware of the collection of personal information by third-party services or products. For example, it was exposed that third-party SDKs implanted into more than 50 mobile apps read IMEI numbers (a kind of device identifier), address books, text messages and other private information on users' mobile phones without the users' knowledge and transmitted the data to designated servers for storage.
Third-party services or products collect users' personal information beyond the scope
In the course of a data compliance review of a bank's online system, we found that the third-party services implanted into the system required a mandatory, bundled authorization for accessing the mobile phone function of the device, modifying or deleting the contents of the SIM card and reading the system logs.
According to Article 14 of the Network Security Practice Guide - Specifications for Necessary Information of Basic Business Functions of Mobile Internet Applications, the necessary information collected for basic financing business includes: "mobile phone number", "account information", "identity information", "bank account information", "personal credit information", "emergency contact information" and "loan transaction records".
It is obvious that the system logs and other information collected by the above-mentioned third-party services are not necessary information for basic financing business. Therefore, such collection violates the regulations, and the third party would be deemed to collect information beyond the scope.
Apps fail to fully disclose third-party services or products to users
Prevention measures to be taken by app operators
Based on the above analysis, the non-compliant collection of personal information by third parties will also lead to penalties imposed on app operators and expose them to significant legal risk. Besides, concealing the scope of the collection of personal information and collecting personal information beyond the scope are common practices among third-party services or products. Therefore, from the perspective of app operators, we suggest that app operators take the following measures to avoid administrative penalties or liability arising from the implantation of third-party products or services:
Enter into a cooperation agreement with the third party to divide the liabilities between the app operator and the third party with regard to the collection and processing of personal information
App operators shall enter into cooperation agreements with third parties and pay attention to the content of such agreements. The cooperation agreement shall clarify the legal relationship between the app and the third party, the responsibilities of both parties for information protection, the purpose, method and scope of the collection and use of personal information, the security measures to be implemented for the processing of personal information, and the handling of personal information after the cooperation period expires.
Properly supervise third-party services or products and keep records
In the course of cooperation, app operators shall record the collection and use of personal information by third parties by means of technical detection and storage, so as to prove that they have fulfilled a reasonable and necessary duty of care. In addition, if third-party products or services are found to be illegally collecting users' personal information, app operators shall promptly launch the disposal procedure, so that the regulatory authorities do not find them to have failed to perform their notification and supervision obligations as a result of malicious operations by third-party products or services (such as malicious mandatory delivery of information), concealed collection of users' personal information, or information leakage caused by security vulnerabilities.
Cooperation between apps and third-party services or products expands the scope of services and improves the user experience on the one hand, but brings potential legal risks on the other. From the perspective of both the legal requirements and supervision in practice, app operators may also be held liable and punished by the regulatory authorities for the non-compliant collection and processing of personal information by third-party services or products. In addition, the implantation of third-party services or products easily gives rise to violations such as concealment of the scope of collection and collection of personal information beyond the scope. Therefore, in order to avoid joint liability, app operators shall clearly define their rights and obligations by entering into agreements with third-party service or product providers, fully disclose the third parties' information to users, and supervise the third parties so as to minimize their own risks.