China - Provisions On Protecting Children’s Personal Information In Cyberspace Released.
Legal News & Analysis - Asia Pacific - China - Cybersecurity
4 September, 2019
On August 23, the Cyberspace Administration of China (“CAC”) issued the Provisions on Protecting Children’s Personal Information in Cyberspace (the “Provisions”), which will come into effect on October 1, 2019. This is the first regulation in China specifically regulating children’s personal information. Enterprises are now required to adjust their privacy practices regarding children in accordance with the Provisions.
1. Changes in the Provisions against the Draft
On May 23, 2019, CAC released a draft of the Provisions (“Draft”) to solicit public comment for one month. The Provisions have retained most of the provisions in the Draft, with some changes made as summarized below.
(a) “Explicit Consent” has been changed to “Consent” for the collection, usage, transfer and disclosure of a child’s personal information
The Draft provides that the collection, usage, transfer and disclosure of the personal information of a child is subject to the explicit consent of the child’s guardian. Explicit consent should be specific, clear and definite.
The Provisions have deleted “explicit” but keep the requirement of “consent by a child’s guardian” (Article 9).
Although the Cybersecurity Law (the “CSL”) is silent on the formality of consent, the recommended national standard Information Security Technology - Personal Information Security Specification (“PI Specification”) lists a child’s personal information as sensitive personal information and requires explicit consent from the subject for collecting sensitive personal information. It further requires explicit consent to be given on a fully informed basis, voluntarily, specifically and clearly. The collection of the personal information of a minor who is over 14 years of age is subject to the explicit consent of the minor him/herself or his/her guardian. The collection of the personal information of a minor under 14 years of age is subject to the explicit consent of his or her guardian.
The requirement under the Draft is similar to that under the PI Specification. The Provisions have kept the requirement general, so it is unclear whether a company must still meet the explicit consent requirement of the PI Specification. This will be subject to further clarification by the relevant authorities.
(b) Matters to be specified when requesting consent
Article 10 of the Provisions states that “when a network operator requests consent, it should provide the option of refusal at the same time, and specify the following:
(1) The purpose, method and scope of the collection, storage, usage, transfer, and disclosure of the personal information of the child;
(2) The storage location and the duration of the storage of the personal information of the child, and the processing method after the storage term expires;
(3) The security measures taken in regard to the personal information of children;
(4) The consequences of refusal;
(5) The channels and methods for complaints and whistle-blowing;
(6) The methods and approaches to revise or delete the personal information of children;
(7) Other matters that should be notified.
If material changes occur to the matters above, the network operator should obtain consent from the child’s guardian again.”
(c) Removing exemptions to the requirement for guardians’ consent
The Draft provides a few exceptions to the requirement for the guardian’s consent to the collection, usage, transfer and disclosure of a child’s personal information, including for the safeguarding of national security or public interest, or for eliminating present danger to the personal or property security of children, or under other situations provided by legal or administrative measures. However, such exemptions are removed in the Provisions.
(d) Adding a special rule for information that is automatically stored by an information system but cannot be identified by the system as a child’s information
Article 28 of the Provisions adds that “any information automatically stored and processed by an information system that cannot be identified as a child’s personal information may be processed according to other relevant regulations.” This reveals the regulator’s intention to provide a practical solution for enterprises that are not able to identify a child’s personal information in practice when the information system automatically stores and processes it. How this article will be interpreted and implemented remains subject to further review.
Other than the above, we suggest enterprises pay attention to the following requirements:
2. The Concept of “Children” was Defined for the First Time
The Provisions, for the first time, provide a legal definition of “children” in the network context, stipulating that “for the purpose of these Provisions, children mean minors under the age of 14,” and set out a series of provisions in which the “personal information of a child” is the subject of protection.
3. Specific Responsible Personnel and Specific Agreement
The Provisions provide for the first time that network operators shall draft specific rules and user agreements on protecting children’s personal information, and appoint specific personnel to take charge of the protection of children’s personal information. This article puts forward brand-new requirements for the current practice of many enterprises. Based on the Provisions, enterprises need to redraft their privacy practices regarding the collection and usage of children’s personal information and draft specific rules. In addition, they shall appoint specific personnel to be responsible for the protection of children’s personal information.
4. Minimum Authorization
The Provisions put forward for the first time that internal staff shall be granted only the minimum authorization required. A staff member’s access rights shall be strictly set and the scope of his or her knowledge of children’s personal information shall be controlled. To access a child’s personal information, staff members need to be approved by the designated children’s personal information protection personnel or their authorized administrators. Access should be recorded, and technical measures should be taken to prevent the illegal copying and downloading of children’s personal information.
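The access controls this article describes (per-record approval by the designated protection personnel or a delegate, a restricted scope of knowledge, a record of every access, and a technical barrier to bulk copying) can be enforced in code. The following is an added example written for this page; it is not code from the Provisions, the CAC or Jun He, and the staff identifiers, record identifiers and record contents in it are constructed. The gate issues approvals with an expiry, a read quota and an explicit field list, writes every allowed and refused attempt to an append-only audit list, and offers no export path at all.

```python
"""Added example: an access gate for a children's personal-information store that
enforces approval, minimum scope, audit logging and a ban on bulk export.
All identifiers and records below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

# Constructed sample store: record id -> a child's personal information.
CHILD_RECORDS: dict[str, dict[str, object]] = {
    "c-1001": {"name": "Child A", "age": 9, "guardian_phone": "+86-000-0000-0001"},
    "c-1002": {"name": "Child B", "age": 12, "guardian_phone": "+86-000-0000-0002"},
}

PROTECTION_OFFICER = "officer-1"   # assumed id of the designated protection personnel
DELEGATED_ADMINS = {"admin-1"}     # assumed administrators the officer has authorised


class AccessDenied(Exception):
    """Raised for every refused operation; the refusal is also written to the audit log."""


@dataclass(frozen=True)
class Approval:
    staff_id: str
    record_ids: frozenset[str]          # explicit records only, no wildcards
    fields: frozenset[str] | None       # None = every field of the record
    purpose: str
    approver: str
    expires_at: datetime
    max_reads: int


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    staff_id: str
    target: str
    action: str
    decision: str
    reason: str


class ChildPIGate:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now   # injectable clock so expiry can be tested deterministically
        self._approvals: dict[tuple[str, str], Approval] = {}
        self._reads: dict[tuple[str, str], int] = {}
        self.audit: list[AuditEntry] = []   # append-only record of every attempt

    def approve(self, approver: str, staff_id: str, record_ids: Iterable[str], purpose: str,
                fields: Iterable[str] | None = None, ttl_hours: int = 8, max_reads: int = 5) -> Approval:
        ids = frozenset(record_ids)
        target = ",".join(sorted(ids))
        # Only the protection officer or a delegated administrator may grant access.
        if approver != PROTECTION_OFFICER and approver not in DELEGATED_ADMINS:
            self._log(staff_id, target, "approve", "denied", f"{approver} may not approve access")
            raise AccessDenied("approver is not the protection officer or a delegated administrator")
        unknown = ids - set(CHILD_RECORDS)
        if unknown:
            self._log(staff_id, target, "approve", "denied", f"unknown records {sorted(unknown)}")
            raise AccessDenied("approval names records that do not exist")
        approval = Approval(staff_id, ids, None if fields is None else frozenset(fields), purpose,
                            approver, self._now() + timedelta(hours=ttl_hours), max_reads)
        for rid in ids:
            self._approvals[(staff_id, rid)] = approval
            self._reads[(staff_id, rid)] = 0
        self._log(staff_id, target, "approve", "granted", f"by {approver} for '{purpose}'")
        return approval

    def read(self, staff_id: str, record_id: str, purpose: str) -> dict[str, object]:
        key = (staff_id, record_id)
        approval = self._approvals.get(key)
        reason = None
        if approval is None:
            reason = "no approval"
        elif self._now() >= approval.expires_at:
            reason = "approval expired"
        elif purpose != approval.purpose:
            reason = "purpose mismatch"
        elif self._reads[key] >= approval.max_reads:
            reason = "read quota exhausted"
        if reason is not None:
            self._log(staff_id, record_id, "read", "denied", reason)
            raise AccessDenied(reason)
        self._reads[key] += 1
        self._log(staff_id, record_id, "read", "allowed", purpose)
        record = CHILD_RECORDS[record_id]
        # Scope of knowledge: return only the fields the approval covers.
        if approval.fields is None:
            return dict(record)
        return {k: v for k, v in record.items() if k in approval.fields}

    def export(self, staff_id: str, record_ids: Iterable[str]) -> None:
        # Deliberately no bulk copy/download path: every export attempt is refused and logged.
        self._log(staff_id, ",".join(sorted(record_ids)), "export", "denied", "bulk export not permitted")
        raise AccessDenied("bulk export of children's personal information is not permitted")

    def _log(self, staff_id: str, target: str, action: str, decision: str, reason: str) -> None:
        self.audit.append(AuditEntry(self._now(), staff_id, target, action, decision, reason))


def denial_reason(operation: Callable[[], object]) -> str | None:
    """Run an operation and return the denial reason, or None if it was allowed."""
    try:
        operation()
        return None
    except AccessDenied as exc:
        return str(exc)
```

In use, `approve()` is called by the protection officer's tooling, `read()` by the application on behalf of a staff member, and `gate.audit` is shipped to the operator's log store; the denied entries are the ones worth alerting on, since repeated "no approval" or "read quota exhausted" refusals for one staff member are the signature of someone attempting to enumerate records.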
5. The Requirements on the Commissioned Processing
Where the processing of children’s personal information is entrusted to a third party, the Provisions require that a security assessment be undertaken of the entrusted party and of the entrusted processing, and that a written entrustment agreement be signed. The Provisions also require the entrusted party to assist in responding to requests submitted by a child’s guardian, to take measures to ensure information security, and to promptly notify the entrusting party if a child’s personal information is compromised. The Provisions further require that children’s personal information be promptly deleted when the entrustment relationship is terminated, and that the entrusted party may not sub-entrust the processing to another party.
6. Our Observations
We believe that the Provisions, for the first time, clarify the age limit of the protected information subjects as 14 years of age and put forward more detailed requirements on the protection of children’s personal information. In practice, enterprises that do not provide services to children should consider how to avoid collecting children’s personal information. Enterprises that do provide services to children should consider how to comply with the Provisions by establishing internal management policies and a separate external privacy policy for children.
Marissa (Xiao) Dong, Partner, Jun He