On May 31, 2019, the Cyberspace Administration of China (“CAC”) released the draft Regulation on the Protection of Children’s Personal Information Online (“Draft Regulation”) for public comment. (An official Chinese version is available here and an unofficial English translation of the Draft Regulation is available here.) The comment period ends on June 30, 2019.

As mentioned in our last blog post (available here), CAC issued the draft Measures for Data Security Management (“Draft Measures”) just last week, which set out the general regulatory framework that will govern the collection and use of personal information by network operators (broadly defined as “owners and managers of networks, as well as network service providers”). The release of this new Draft Regulation demonstrates CAC’s intention to set out more stringent requirements for network operators if they collect, store, use, transfer or disclose the personal information of minors under 14 years old. We discuss the key requirements of the Draft Regulation in greater detail below.

Notice and Consent

The Draft Regulation requires network operators to adapt their policies and agreements, as well as internal procedures, for handling children’s personal information (Article 5). Also, guardians must be notified in a prominent and clear manner of the collection and use of children’s personal information, and network operators must obtain “explicit consent” from guardians for such collection and use (Article 7).

Similar to the requirements specified in the Draft Measures, the Draft Regulation requires that privacy notices to guardians include the following information:

  • the purposes, scope and methods for the collection, storage, use and “transfer” of children’s personal information, as well as the retention period (it is uncertain whether “transfer” here also includes cross-border data transfer);
  • location of data storage and what the network operator will do with the data after the retention period expires (e.g., delete or anonymize);
  • security measures adopted to protect children’s personal information;
  • contact details of the personal information protection officer or other designated responsible person; and
  • consequences for refusing to provide consent.

Although “explicit consent” is not defined in the Draft Regulation, its definition can be found in China’s national standard for personal information protection (GB/T 35273-2017 Information Technology – Personal Information Security Specification 信息安全技术-个人信息安全规范, hereafter the “Standard”) (see our previous blog post here). The Standard defines “explicit consent” as a “written statement or affirmative action that expressly authorizes the processing of personal information” (e.g., proactively ticking a box or clicking “agree,” “register,” “send,” or “call”).

If there are any substantial changes to the information provided in the privacy notice, then network operators are required to obtain explicit consent from guardians for those changes (Article 8).

Children’s Personal Information Protection Officer

The Draft Regulation requires network operators who collect and use children’s personal information to formally appoint a children’s personal information protection officer or otherwise designate a person responsible for this task (Article 5). It is unclear whether this requirement also applies to companies that collect children’s personal information during their general business operations, but do not specifically target children, although in general the Draft Regulation does not make this distinction.

Internal Access Controls

The Draft Regulation requires network operators to establish internal access controls to protect children’s information. Employee access to children’s personal data must be authorized and recorded by the children’s personal information protection officer. Network operators are also required to adopt technical measures to prevent employees from illegally copying or downloading children’s personal information (Article 12).

Third-Party Processors and Joint Controllers

When third-party vendors are engaged to process children’s personal information, network operators are required to conduct a security assessment and specify security obligations and requirements in agreements with these vendors. It is uncertain whether this assessment has to be conducted before engaging a vendor.

The Draft Regulation also imposes specific obligations on vendors, requiring them (Article 13):

  • to process children’s personal information according to the instructions of network operators;
  • to provide assistance to network operators in responding to requests made by guardians of children;
  • to adopt measures to protect children’s personal information and timely report the occurrence of any data breaches to network operators;
  • to timely delete children’s personal information when the processing agreement is terminated; and,
  • not to engage any sub-processors to process children’s personal information.

If a network operator and a third party are going to use children’s personal information jointly, the network operator must obtain explicit consent from guardians (Article 14).

Sharing and Disclosure of Children’s Personal Information

The Draft Regulation requires network operators to conduct a security assessment and obtain explicit consent from guardians prior to sharing children’s personal information (Article 15). Furthermore, network operators are prohibited from publicly disclosing children’s personal information unless required by law or explicitly agreed to by guardians (Article 16).

Under the following circumstances, network operators may collect, use, transfer and disclose children’s personal information without the explicit consent of guardians (Article 19):

  • to protect national security and public interest;
  • to eliminate danger to children’s lives or property; and,
  • in other circumstances prescribed by law.

Rights to Children’s Personal Information

Children and/or their guardians have the right to require network operators to correct children’s personal information that is inaccurate (Article 17), as well as to require the deletion of children’s personal information (Article 18) if:

  • the network operator collects, stores, uses, transfers or discloses children’s personal information in violation of laws, regulations or user agreements;
  • the network operator collects, stores, uses, transfers or discloses children’s personal information for unnecessary purposes or for a period beyond the necessary retention period;
  • a guardian withdraws consent;
  • a child or its guardian indicates that it no longer uses the respective products or services (e.g., by closing an account or other similar actions).

These rights are largely consistent with general personal information rights found in the Standard – for example, both have a straightforward “account cancellation” right. However, the Draft Regulation is less prescriptive in certain aspects. For example, while the Standard requires that rights requests be complied with in less than 30 days (or other legally stipulated period), the Draft Regulation only requires their fulfillment “in a timely manner.”

Incident Response

Network operators are required to carry out their emergency response plan and adopt remedial measures when a data breach occurs (or is suspected to have occurred). Additionally, if the data breach results in (or may result in) “serious consequences” (a term which is not defined in the Draft Regulation), then network operators must report this to regulators and notify affected children and their guardians. If individual notification presents an undue burden to network operators, an announcement shall be issued in a reasonable and effective manner (Article 20).

Again, this requirement is consistent with the breach notification requirements in the Standard, which require “network operators” to notify regulators and affected individuals of an incident when there has been actual or potential “leakage, damage, or loss” of personal data.

Potential Penalties

CAC may “summon” a network operator to discuss the issues if (i) it fails to comply with its data protection obligations; or (ii) its handling of children’s personal information presents high security risks; or (iii) a data breach occurs. After meeting with CAC, the network operator may be ordered to rectify its conduct (Article 24). The CAC or other agencies may also impose a fine of up to RMB one million for violations of the Draft Regulation, and the violator may face additional penalties (such as shutting down websites and/or revoking a license) for serious violations. If the violation constitutes a crime, the network operator may be subject to criminal prosecution (Article 25).