China’s Cyberspace Administration Office recently issued Regulations on Network Protection of Children’s Personal Information (《儿童个人信息网络保护规定》) to take effect on October 1, 2019. These regulations set out general rules regarding online collecting and processing of personal information of children under the age of 14.
General Duties of Network Operators
According to the regulations, network operators shall:
- Establish personal information protection rules.
- Utilize user agreements.
- Designate a person responsible for protecting children’s personal information.
- Obtain parental consent for collecting, using, transferring or disclosing children’s personal information.
- Safeguard children’s personal information by encryption or other means.
- Comply with all laws and regulations and with its user agreement regarding the purpose and scope of collecting and using children’s personal information.
- Not collect any personal information not relevant to the services provided by the network operators.
- Not disclose children’s personal information, unless required by law or explicitly allowed pursuant to the parental consent agreement with the child’s parents.
Network operators must also limit their employees’ access to children’s personal information only to the extent access is necessary. Any access to children’s personal information by employees must be authorized by the designated children’s personal information protection officer and any such access must be recorded.
To obtain the required parental consent, network operators must clearly and conspicuously inform the parents of the information they will be collecting, the use to which they will be putting it and the reason why they need it, including the following:
- The purpose, method and scope of collection, storage, use, transmission and disclosure of children’s personal information.
- Where and for how long data will be stored.
- How the data will be handled upon expiration of the retention period.
- The measures that will be undertaken to safeguard children’s personal information.
- The consequence of not giving parental consent.
- How to lodge a complaint.
- How to modify or delete children’s personal information.
- Other matters of which the parents should be aware.
If any of the above changes substantively, or the use or processing of the personal information exceeds the previously agreed purpose or scope, the network operator must so inform the parents and obtain new parental consent.
Third Party Processing
If a network operator engages a third party to process children’s personal information, it must conduct a security assessment of the third party and sign an agreement with the third party in addition to obtaining parental consent to utilize the third party. The agreement between the network operator and its third-party processor must specify relevant details of the processing, such as each party’s responsibilities, the duration of the relationship and what is to be processed and the purpose of the processing.
The regulations provide that the Cybersecurity Law and Measures for the Administration of Internet Information Services will apply in the event of violation. See China’s New Cybersecurity Law: The 101. It is, however, unclear how the Information Services Measures will apply to violations of the Children’s Personal Information Regulations, especially since the Internet Information Services Measures focus on regulating information service activities (such as requiring approval for certain websites) but make no references to personal information protection.
As is true of so many other laws and regulations related to cybersecurity and data privacy in China, many issues under these new regulations will need to be clarified. Nonetheless, these Children’s Personal Information Regulations signal China’s first step towards protecting children’s online privacy, and network operators that collect and process children’s personal information need to prepare for them.