Among other regulations, the new Provisions on Cyber Protection of Children's Personal Information mark another milestone in Chinese personal data protection regulation.
China has been moving fast, especially in the last 2 years, to develop new regulations that enhance the protection of consumers and personal data in cyberspace.
In this context, China's top internet regulator, the Cyberspace Administration of China ("CAC"), continues to show interest in setting more stringent rules that also govern the protection of minors in online activities and data privacy.
To this end, the CAC released additional Provisions on Cyber Protection of Children's Personal Information ("Provisions"), effective as of October 1st 2019, which contain significant provisions addressing minors' data privacy.
While there were already other bodies of law regulating the treatment of personal data online, this is the first piece of legislation focusing on the protection of children's personal information in China.
Below are some highlights from these new Provisions:
- Definition of Children:
"Children" in the Provisions refers to minors under 14 years old.
- Object of the Provisions:
The Provisions only govern activities relating to the collection, storage, use, transfer and disclosure of children's personal information through networks within the territory of China. The Provisions do not apply to similar activities conducted offline.
- Main requirements and obligations:
Article 9 clearly states "where network operators collect, use, transfer, or disclose children's personal information, they shall inform the children's guardians in a conspicuous and clear manner, and shall acquire the children's guardians' consent".
The Provisions set a higher standard of consent than the usual one set out in the Cybersecurity Law for the treatment of personal data. In order for a network operator to obtain informed consent from a guardian, it must provide a rejection option and specifically inform guardians of the following:
- Purpose, means and scope of collection, storage, use, transfer and disclosure of children's personal information;
- Storage location of children's personal information, retention period and how the relevant information will be handled after expiration of the retention period;
- Safeguard measures protecting children's personal information;
- Consequences of rejection by a guardian;
- The channels and means of filing or reporting complaints; and
- How to correct and delete children's personal information.
- Additional measures
Network operators must not collect children's personal information unrelated to the services they provide, and their retention of children's personal information must not exceed the time period necessary to realize the purpose of collecting or using it. The network operator must also restrict internal access to children's personal information. Specifically, personnel must obtain approval from the person in charge of protecting children's personal information, or an authorized administrator, before accessing such information.
- Third-party treatment of children's personal information
If children's personal information is processed by a third-party data processor or children's personal information is to be transferred to a third party, the network operator must conduct a security assessment of the data processor entrusted with the children's personal information and enter into an entrustment agreement with the data processor.
The data processor is required to assist the network operator in complying with the guardian's request to delete a child's information after termination of service. Sub-entrustment or subcontracting by the data processor is forbidden.
- Rights of guardians to correct, delete or cancel children's data collected
Children or their guardians are entitled to request the deletion of children's personal information in certain circumstances and are also entitled in all cases to the correction of children's personal information wherever any such information collected, stored, used or disclosed by a network operator is erroneous.
Additionally, guardians have the right to withdraw consent altogether.
- Notification of Breach
Where network operators discover that leaks, destruction or losses of children's personal information have occurred or might occur, they shall immediately initiate emergency response plans and employ remedial measures.
If there are or might be serious consequences arising from the breach, the network operator must immediately report the breach to competent authorities as well as notify the affected children and their guardians.
If it is difficult to send the notice to each affected individual, the network operator shall undertake reasonable and effective means of publishing the relevant notice.
However, there is no specific definition of serious consequences.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.