The Provisions on the Protection of Children’s Personal Information Online were officially implemented on 1 October 2019. As the first set of regulations of this kind, the provisions regulate the collection, storage, use, transfer, disclosure, etc., of the personal information of children on the basis of current laws for protecting the personal information of citizens. This article looks at key points of these provisions.
Scope of application
The provisions specify the principle of territorial jurisdiction, such that any entity that engages in such activities as the collection, storage, use, transfer and/or disclosure of the personal information of children through a network in China is required to comply with the requirements of the provisions.
Subject of protection
The definition of “child” varies in different countries’ legislation for the protection of personal information. The US Child Online Privacy Protection Act accords special protection to the personal information of children under the age of 13. The EU’s General Data Protection Regulation gives special protection to the processing of the personal data of minors under the age of 16, and provides that member countries may adjust the age threshold provided that it is not reduced to less than the age of 13.
Pursuant to article 2 of China’s provisions, a “child” for the purposes of the provisions is a minor under the age of 14. This is consistent with the definition of “child” found in the national standard on personal information protection, officially entitled GB/T35273-2017 Information Technology – Personal Information Security Specification, issued by the Standardization Administration of China.
Article 7 of the provisions specifies five major principles governing the protection online of the personal information of children, namely: legitimate necessity, informed consent, clear purpose, assurance of security and lawful use. Of those, the operability of the principle of informed consent is relatively low, which is why the provisions address this issue in detail, specifically including:
(1) Securing consent. When collecting the personal information of a child, a network operator is required to prominently and clearly inform the child’s guardian, and secure the guardian’s consent. If, as required for business, the network operator is to exceed the specified purpose or scope of use of the child’s personal information, it is again required to secure the guardian’s consent.
(2) Revocation of consent. When seeking the consent of a guardian, a network operator is required to provide the guardian the option of refusal and expressly inform him or her of the purpose, method and scope of collection, storage, use, transfer and disclosure of the child’s personal information, the place where and the amount of time for which the information is stored, and how it is to be disposed of after the passage of such period of time, its measures for protection of the security of the information, etc. If there is any change of the above, the network operator is again required to secure the guardian’s consent.
(3) Correction of information. In the event of an error in a child’s personal information that is collected, stored, used, transferred and/or disclosed by a network operator, the child, or his or her guardian, has the right to demand correction and the network operator is required to promptly do so.
(4) Warning of a security breach. If a network operator discovers that the personal information of children has been or could be leaked, damaged or lost, it is required to inform the affected children and their guardians of the relevant details of the event by e-mail, push notification, etc. If informing them one by one is impossible, it is required to publish the relevant warning information in a reasonable and effective manner.
Special protection mechanism
China’s Cybersecurity Law sets out the basic principles and systems for protecting the personal information of citizens. Cybersecurity Law provisions further establish a dedicated mechanism for protecting the personal information of children. This special protection mechanism includes:
(1) Dedicated responsibility. Article 8 of these provisions requires network operators to put in place rules and a user agreement specifically for the protection of the personal information of children, and additionally requires them to designate specific persons to be responsible for protecting the personal information of children.
(2) Minimum authorization. To prevent the theft or leakage of the personal information of children by working personnel, article 15 of these provisions requires that working personnel be granted only minimal access to such information, strictly controlling the scope of children’s personal information to which they may be privy. Additionally, a network operator is to adopt technical measures to prevent the illegal reproduction and download of children’s personal information.
(3) Security assessment. Articles 16 and 17 of these provisions specify that if a network operator engages a third party to process the personal information of children, or transfers such information to a third party, it is required to conduct a security assessment.
(4) Right of deletion. Article 20 of these provisions specifies that a child, or his or her guardian, has the right to demand that the network operator delete the child’s personal information that it has collected, stored, used, and/or disclosed, and enumerates specific circumstances under which such right of deletion may be exercised, including exceeding the objective or scope, or the necessary period for, the collection, storage, use, transfer and disclosure of the child’s personal information, withdrawal of consent by the child’s guardian, etc.
The issuance of these provisions marks the entry into a new stage of the online protection of the personal information of children in China. However, these provisions still leave a number of issues unaddressed, including the method of certifying the true identity of children’s guardians, the specific rules for the sharing of the personal information of children, the requirements for the security assessments of the personal information of children, etc.
Such issues still require further exploration and clarification, and the authors recommend that internet enterprises keep a close eye at all times on the regulatory trends in the field of protection of the personal information of children, and explore how to incorporate current rules into the development and operation of their online products and services so as to strike the proper balance between protecting the rights and interests of children and their own business interests.
Tao Shan is a partner and He Wei is an associate at Hylands Law Firm