3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.
No, as long as the collection of personal data occurs within the territory of mainland China.
If the personal data are collected online, the “collection” occurs where the servers of the health app are located.
According to National Health and Medical Big Data Standards, Safety and Service Management Measures (For Trial Implementation) (2018) Article 30, health and medical big data (which according to Article 4 refers to health and medical related data generated during the process such as treating or preventing diseases and health management) should be stored on domestic servers. If it is really necessary to provide it overseas due to business needs, a safety assessment review shall be conducted in accordance with relevant laws, regulations and requirements.
According to Population Health Information Management Measures (For Trial Implementation) (2014) Article 10, population health information must not be stored on overseas servers and must not be hosted or leased in servers outside the country.
According to Cybersecurity Law (2017) Article 2, if the servers are located within the territory of mainland China, then Chinese data protection laws apply. Therefore, the location of the server of the app/software matters. The location of the users does not matter.
It is worth noting that according to the Draft Guidelines for Data Cross-Border Transfer Security Assessment (2017) Section 3.2, if the servers are located outside of the territory (e.g., an individual who is physically located in mainland China visits an app hosted in another country and provides some personal data to it), then Chinese data protection laws do not apply, except if the Chinese language or currency is used during the operation, the operator of the app actively advertises or markets the app in China, or goods are delivered into China.
However, the draft has not been finalized yet.
3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.
It matters whether it is a “B2B” or “B2C” service in regard to the procedure for collecting personal information or sensitive personal information from the users.
For the collection of medical data that constitutes personal information, in accordance with the requirements of the Information Security Technology--Personal Information Security Specifications (2017), the consent of the person whose data is collected should be obtained when collecting it directly (“B2C”). If sensitive personal information is collected, explicit consent should also be obtained. In the case of indirect collection (“B2B”), the personal information provider shall be required to explain the source of the personal information and confirm its legality, and at the same time the recipient shall understand the scope of the authorization and consent for processing the personal information that has already been obtained.