13 June, 2019
On May 31, 2019, the Cybersecurity Administration of China (“CAC”) released the Provisions on Protecting Children’s Personal Information on the Network (Draft for Comment) (the “Draft”), which will remain open for public comment for one month until June 30, 2019. This is the first draft of a regulation officially released in China that specifically focuses on the protection of children’s personal information online.
The following is a summary of the key items of the Draft.
1. Defining “Children” for the First Time
The Law on the Protection of Minors (revised in 2012) stipulates that “Minors mean citizens under the age of eighteen.” Meanwhile, the General Provisions of the Civil Law (2017) defines minors by combining age with the degree of financial autonomy: a minor above the age of 16 who is economically self-sufficient is deemed a person with full capacity for civil conduct. A minor above eight years old is deemed a person of limited capacity for civil conduct, and his or her civil conduct requires the consent and acknowledgement of a legal guardian. However, any such minor may independently undertake civil conduct that is for profit or the performance of which is compatible with his or her age and intelligence.
Other previous relevant standards and drafts for comment relating to the network, such as the recommended national standard Information Security Technology – Personal Information Security Specification, Measures for Acknowledgment of Illegal Collection and Misuse of Personal Information by Apps (Draft for Comment) and the Administrative Measures for Data Security (Draft for Comment), had already indicated that the age of 14 years is the benchmark age below which a guardian’s permission is required prior to collecting a child’s personal information.
The Draft for the first time provides a legal definition of children specifically in relation to the network. Article 27 stipulates that “For the purpose of this law, children mean minors under the age of 14.” It provides a series of provisions in which the subject for protection is the “personal information of children.”
2. Requirements and Principles for Processing Information
The Draft conforms with the general principles of information collection and processing of the Cybersecurity Law (the “CSL”). It requires that “Network operators shall comply with the principles of necessity and proportionality, informed consent, clear purpose, security guarantee and legal use when collecting, storing, using, transferring and disclosing children’s personal information.” (Article 3)
3. Special Policies and Responsible Personnel
Article 5 of the Draft for the first time provides that network operators shall draft special policies and user terms to ensure the protection of children’s personal information, and shall engage a personal information protection specialist or appoint a specific person to take responsibility for the protection of children’s personal information. Network operators will need to take into account these new requirements.
4. Special Requirements for Informed Consent
In terms of the collection and processing of children’s personal information, the Draft puts forward more detailed and stricter requirements than those included in the CSL, specifically:
If a network operator collects and uses a child’s personal information, it shall make this apparent to his or her guardian in an open and transparent way, and shall obtain the explicit consent of the guardian; the consent shall be clear, specific, definite and on a voluntary basis (Article 7);
When obtaining consent, the operator shall provide the option to deny consent; it shall be clearly communicated where a child’s personal information is stored, how it will be handled after expiry, and what security measures are in place; and a child’s guardian’s explicit consent shall be obtained once again if any of the informed items changes substantially (Article 8);
If the intended use of information goes beyond the agreed purpose and scope, the explicit consent of the child’s guardian shall again be obtained (Article 11);
When a child’s personal information is shared jointly with a third party or transferred to a third party, their guardian’s explicit consent shall be obtained (Articles 13 and 14);
Exceptions to the need to obtain explicit consent include: to maintain national security or the public interest; to eliminate any immediate danger to a child or to property; and other circumstances as stipulated by laws and administrative regulations (Article 18).
5. Further Provisions on the Rights of Information Subjects
The provisions on the rights of the information subjects in the Draft are essentially the same as in the CSL, with the addition of various scenarios in which the right of deletion applies:
When the collection, storage, use, transfer or disclosure of a child’s personal information is beyond the scope of purpose or required period of time;
When a child’s guardian withdraws their consent;
When a child or his or her guardian terminates the use of the product or service by deregistering the accounts or through other methods.
6. Restrictions on Internal Access
The Draft for the first time proposes that internal staff will require authorization in order to be able to access the personal information of children, and that the scope of such access shall be strictly controlled. Article 12 stipulates that staff members will require the approval of the in-house personal information protection specialist or the authorized manager in order to access children’s personal information. Any access shall be recorded and technical measures shall be taken to avoid illegal copying or downloading of children's personal information.
7. Outsourcing Process Requirements
In the case of outsourcing the processing of children’s personal information, Article 13 of the Draft requires the network operators (the “entrusting party”) to conduct a security assessment on the entrusted party and to obtain a written agreement in relation to their services. The Draft includes a mandatory requirement for the entrusted party to assist the entrusting party in replying to any applications submitted by a child’s guardian, to take measures to ensure information is secured and to promptly give feedback to the entrusting party in the event of any security incidents relating to the leaking of a child's personal information. The Draft also requires that a child’s personal information shall be promptly deleted when an entrustment relationship finishes, and stipulates that the entrustment cannot be subcontracted.
8. Various Regulatory Measures
The Draft provides for a variety of possible regulatory approaches:
Inspection: The network operator shall cooperate in any supervision and inspection conducted by the CAC and other relevant departments according to law (Article 21).
Reporting: Any organization or individual who discovers any violation of the regulation may report it to the CAC and other relevant authorities (Article 23).
Interview: If, due to a network operator not implementing the necessary security requirements for children’s personal information, there is a high security risk or actual occurrence of a security incident, the CAC may arrange an interview with the network operator according to the law, and the network operator shall take timely measures to rectify and eliminate any security gaps according to the requirements raised in the interview (Article 24).
Administrative penalties: Any violation of the regulation may be considered as a violation of Article 64 of the CSL and will be subject to the corresponding penalties (Article 25).
Credit file record: Any violations of the regulation which result in the imposition of legal liabilities shall be recorded into the violator’s social credit file in accordance with the relevant laws and administrative regulations, and shall be published (Article 26).
9. Our Observations
The Draft includes some important developments, including, for the first time, clarification of the age up until which there is a requirement to protect a minor’s personal information. In addition, it puts forward more detailed requirements on the protection of children's personal information, including the need for specialist personnel, specific policies, a mechanism for obtaining a guardian’s consent and so on. This will, of course, also all need to be implemented within the existing framework for the protection of personal information more generally.
There remain, however, a series of questions to be addressed in practice. It is not currently clear, for example, how a guardian's consent should be obtained and how to actually implement the special privacy policy for children.