With the promulgation of the Personal Information Protection Law and its supporting documents, companies are paying increasing attention to data compliance. Recently, several companies have asked us how to maintain data compliance when integrating third-party services or products into their apps. In our view, integrating third-party services or products into an app carries significant legal risk for the app operator. Based on our observation, the following problems frequently arise during such integration and lead to administrative penalties against the app:
1. The third party conceals the scope of its personal information collection;
2. The third party collects users' personal information beyond the permitted scope;
3. The app operator fails to fully disclose the integrated third parties to users.
To avoid these risks after integrating third-party products or services, and drawing on our project experience, we recommend that app operators put the following measures in place:
1. Sign an agreement with the third party in advance that sets out the rights and obligations of both parties;
2. Improve the app's privacy policy to fully disclose the integrated third parties and their information-processing rules;
3. Supervise the third parties and keep records of that supervision.
Risks to app operators from integrating third-party products or services
Since the launch of the Special Governance Action against Illegal Collection and Use of Personal Information by Apps, a considerable number of apps have been penalized by regulators because the third-party products or services they integrated were non-compliant.
For example, on 26 August 2022, the Information and Communications Administration of the Ministry of Industry and Information Technology inspected apps in categories such as hotels and catering and applications for minors. It found a total of 227 apps whose integrated third parties infringed users' rights and interests by collecting personal information beyond the permitted scope and by failing to adequately notify users of such collection, and it ordered the app operators to rectify within a set period.
Under the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020), cooperation between an app operator and a third-party product or service provider on the processing of personal information falls into three scenarios:
1. The app operator entrusts the third party to process personal information;
2. The app operator and the third party jointly process personal information;
3. The third party processes personal information on its own.
The points the app operator must attend to, and the liability it bears, differ in each scenario. In general, however, by reference to Article 30 of the Administrative Measures on Data Security (Draft for Comment), if a data security incident in a third-party application causes losses to users, the network operator bears part or all of the liability unless it can prove it was not at fault. It follows that where a third party that jointly processes data commits a violation, or where the app operator's supervision of the third party's data processing is inadequate, the app operator may also be implicated, for instance through a regulator's order to rectify within a set period or to remove the app from app stores.
Common non-compliance after integrating third parties
Based on what we have observed across multiple data compliance projects, the personal information security problems that commonly arise after an app integrates third parties fall mainly into the following categories:
1. Concealing the scope of personal information collection
Because of how interactive interfaces are designed, users generally find it hard to perceive directly which personal information a third party collects, and even the app operator may not know what the integrated third-party products collect. For example, the third-party SDKs integrated into more than 50 mobile apps were exposed for reading users' IMEI numbers (a type of device identifier), contacts, text messages and other private information without the users' knowledge, and for transmitting that data to designated servers for storage.
2. Collecting users' personal information beyond the permitted scope
During a data compliance review of a bank's online lending system, we found that an integrated third-party service demanded a bundled set of permissions as a condition of use, such as "access the device's phone functions, modify or delete the contents of the storage card, and read system logs".
According to Article 14 of the Network Security Practice Guide – Specification for Necessary Information of Basic Business Functions of Mobile Internet Applications, the necessary information collected for the basic business function of financial lending comprises seven items: "mobile phone number", "account information", "identity information", "bank account information", "personal credit information", "emergency contact information" and "loan transaction records".
Mobile phone system logs and the other information collected by the third-party service described above clearly fall outside the necessary information for basic financial lending business. This is therefore a case of a third party exceeding its authority and collecting users' personal information beyond the permitted scope.
3. Failing to disclose, or to fully disclose, the list of integrated third parties
The Guangdong Communications Administration once tested a random sample of more than 200 apps for how they collect and use personal information. The assessment found that most apps performed very poorly in disclosing their integrated third parties to users, including financial apps in banking, securities and internet finance. For example, a large bank's app was named for rectification and publicly criticized because its privacy policy and other public notices did not list, one by one, the third parties integrated into the app.
Likewise, in a recent internal self-inspection project on app compliance governance for a bank, we found that its mobile banking app did not fully disclose its integrated third parties in its privacy policy and so failed to meet its obligation of truthful disclosure. Under our guidance, the bank then carried out a comprehensive review of its integrated third-party service providers and revised the app's privacy policy, after which the app was successfully released.
Risk prevention measures for app operators
As the analysis above shows, a third party's non-compliant collection of personal information can also result in penalties against the app, creating significant legal risk for the app operator, and in practice third-party services or products frequently conceal the scope of their collection or collect beyond it. From the app operator's perspective, therefore, we recommend the following measures to avoid administrative penalties or liability arising from integrated third-party products or services:
1. Sign a cooperation agreement with the third party that allocates responsibility between the app and the third party for collecting and processing personal information
The app operator should sign a cooperation agreement with the third party and pay attention to its terms. The agreement should define the legal relationship between the app and the third party, each party's responsibility for information protection, the purpose, method and scope of collecting and using personal information, the security measures to be implemented in processing it, and how personal information will be handled once the cooperation period ends.
2. Improve the app's privacy policy to expressly inform users of the integrated third parties and the types of information they collect and process
Under the Method for Identifying Illegal Collection and Use of Personal Information by Apps, to protect users' right to know and right to choose when using an app, the privacy policy should list every integrated third party one by one, together with the purpose, method and scope of each third party's collection and use of personal information, and should set a reasonable mandatory reading time. For example, the app operator can place a hyperlink in the privacy policy that leads to the name of each integrated third party, the purpose for which it is used, and a link to its official website.
3. Strictly supervise the security of third parties and keep records of that supervision
During the cooperation, the app operator should use technical detection and stored records to document how the third party collects and uses personal information, so that it can produce evidence that it has exercised reasonable and necessary care toward the third party. If the third party is found to be improperly accessing users' personal information, the operator should promptly start its response procedure, so that malicious actions by the third party (such as forced push notifications), covert collection of users' personal information, or information leaks caused by security vulnerabilities do not lead regulators to find that the operator itself failed in its obligations of notification and supervision.
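As an added example that is not part of the article, the following Python script sketches the kind of self-check behind measures 2 and 3: it reconciles what each integrated SDK was observed collecting (from the operator's own detection records) against what the privacy policy discloses and against the seven necessary-information items for financial lending quoted above, and emits a dated supervision record for retention. All SDK names, inventories and policy entries are constructed placeholders.

```python
import json

# Seven necessary-information items for financial lending (the Article 14 list quoted in the article).
NECESSARY_LENDING_INFO = {
    "mobile phone number", "account information", "identity information",
    "bank account information", "personal credit information",
    "emergency contact information", "loan transaction records",
}

# Constructed sample: what each integrated SDK was observed collecting (e.g. from detection logs).
SDK_INVENTORY = {
    "RiskScoreSDK-placeholder": {"identity information", "personal credit information"},
    "AnalyticsSDK-placeholder": {"mobile phone number", "system logs", "IMEI"},
    "PushSDK-placeholder": {"address book"},
}

# Constructed sample: third parties and data types disclosed in the app's privacy policy.
POLICY_DISCLOSURE = {
    "RiskScoreSDK-placeholder": {"identity information", "personal credit information"},
    "AnalyticsSDK-placeholder": {"mobile phone number"},
}

def audit(inventory, disclosure, necessary):
    """Return (issue, sdk, data types) tuples for the three problems the article names."""
    findings = []
    for sdk, collected in sorted(inventory.items()):
        disclosed = disclosure.get(sdk)
        if disclosed is None:
            # Problem 3: third party missing from the privacy policy's list.
            findings.append(("undisclosed_third_party", sdk, sorted(collected)))
            disclosed = set()
        hidden = collected - disclosed
        if hidden:
            # Problem 1: collection the policy never told the user about.
            findings.append(("concealed_collection", sdk, sorted(hidden)))
        excess = collected - necessary
        if excess:
            # Problem 2: data outside the necessary-information list for this function.
            findings.append(("beyond_necessary_scope", sdk, sorted(excess)))
    return findings

def supervision_record(findings, checked_on):
    """Serialize one dated audit result as a JSON line for the retention log."""
    entries = [{"issue": i, "sdk": s, "data": d} for i, s, d in findings]
    return json.dumps({"checked_on": checked_on, "findings": entries}, sort_keys=True)

if __name__ == "__main__":
    result = audit(SDK_INVENTORY, POLICY_DISCLOSURE, NECESSARY_LENDING_INFO)
    print(supervision_record(result, "2022-09-01"))
```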
Conclusion
Cooperation between apps and third-party services or products expands the scope of services and improves the user experience, but it also brings potential data compliance risk. From the standpoint of both the regulations and supervisory practice, when a third party's collection and processing of personal information becomes non-compliant, the app operator is equally exposed to administrative penalties or liability. In practice, integrating third-party services or products into an app also readily gives rise to violations such as the third party concealing the scope of its collection or collecting beyond it. To avoid being implicated, the app operator should therefore allocate rights and responsibilities clearly by contract when cooperating with third parties, fully disclose third-party information to users, and supervise the third parties properly, so as to minimize its own risk.
Special Statement:
Dacheng Law Offices strictly complies with its obligation to protect client information; the client project content in this article is drawn from public information or used with the client's consent. The contents and views are for reference only, do not represent any position of Dacheng Law Offices, and should not be regarded as a legal opinion or advice in any form. To reprint or quote any part of this article, please contact us privately for authorization and cite the source at the beginning of the reprinted article. Without authorization, no content of this article may be reprinted or used.