On August 22, 2019, the Cyberspace Administration of China (“CAC”) promulgated the Regulation on Cyber Protection of Children's Personal Information ("Regulation"), which will take effect on October 1, 2019. As the first regulation in China specifically regulating children's personal information (“PI”), it sets the age of a child for online privacy purposes and stipulates the online activities to be regulated by setting out several requirements that Network Operators (defined below) must follow.
Definition of “child” and activities to be regulated
Definition of “child”: Different countries set their own age threshold when defining a child for online privacy protection purposes, determined by factors such as cultural differences and the context of the particular legislative scope. For example, the USA’s Children’s Online Privacy Protection Act (“COPPA”) sets the age at 13, whereas the EU’s General Data Protection Rules (“GDPR”) sets the age at 16 and allows EU members to lower the threshold to 13.
The Regulation defines “children” as individuals under the age of 14, which is consistent with other regulations in China that have piecemeal provisions regarding the age threshold, including the Interpretations of the Supreme People's Court on Several Issues concerning the Specific Application of Law in the Trial of Criminal Cases of Abduction and Trafficking of Women and Children and the Information Security Technology - the Personal Information Security Specifications.
Targeted Activities: The Regulation addresses the collection, storage, use, transfer and disclosure of children's PI through the Internet within the territory of China. The focus of the Regulation is on websites and applications with underage users, such as online games, e-commerce sites and social media platforms.
Geographic Scope: The Regulation applies to activities that occur within China, irrespective of the registration jurisdiction of the Network Operator (discussed below). Accordingly, any activities of an app or website that occur in China, even if operated from offshore, still fall within the scope of the Regulation. It is unknown how the regulators intend to enforce this extra-territorial aspect of the Regulation.
Requirements on Network Operators
The term “Network Operators” is defined in China’s Cybersecurity Law as the owners or administrators of a network as well as internet service providers; in practice this includes website and app operators, etc.
In practice, many companies whose target consumers are children, including MNCs such as Disney and Lego as well as Chinese enterprises such as Qihoo360, have already formulated such specialized policies and provisions.
The requirement to appoint a privacy specialist is a familiar one for online industries in China, with several laws and regulations requiring Network Operators to appoint specialists for such matters as cybersecurity (Cybersecurity Law), PI protection (Information Security Technology – the Personal Information Security Specifications), and data security (Administrative Measures for Data Security (draft)). Broadly speaking, Network Operators should be prepared to incorporate an information protection department with particular personnel responsible for various areas of network security as a necessary step towards compliance.
b. Guardians’ prior consent mandatory
Obtaining the consent of a child’s guardian before collecting, using, transferring or disclosing a child’s PI plays an important role in protecting children online. The Regulation provides details of how and when Network Operators must obtain such consent, as follows:
i. if Network Operators intend to collect, use, transfer or disclose a child’s PI, they must notify the child’s guardian in a prominent and clear manner and obtain their consent, while offering the guardian the option to withhold such consent (Articles 9&10);
ii. if any of the details of the foregoing matters change substantially, the Network Operator must reobtain the consent (Article 10);
iii. if Network Operators have to use the child’s PI beyond the agreed purpose and scope, the consent of the guardians must be obtained again (Article 14);
iv. if the Network Operator finds that a child’s PI has been leaked, damaged or lost, it must immediately take remedial measures, report to the competent authorities if serious consequences have occurred or may occur, and inform the affected children and their guardians (Article 21); and
v. if the Network Operator stops providing products or services, it must immediately stop collecting children's PI, delete all stored children's PI, and promptly inform the guardians (Article 23).
Notwithstanding the obligations stated above, the Regulation does not provide details on how to identify children, what form the guardians’ consent should take, or how to verify that such consent actually comes from the guardian. Given the rapid changes in China’s ID technology, this question is particularly relevant: ID card recognition is widely used by online games, but facial recognition, verification by answering personal questions and SMS confirmation are also common for online verification. Network Operators should watch for detailed implementation rules, which often follow the promulgation of a new regulation in China.
c. Security assessment and entrustment agreement for third parties
According to the Regulation, if Network Operators entrust third parties to handle children's PI, they should conduct a security assessment on the entrusted party and the underlying arrangement, and execute an entrustment agreement with the third party to clarify the scope of authorization. If Network Operators transfer children's PI to third parties, they must conduct a security assessment on the third parties.
However, it is not clear under the Regulation whether the security assessment should be conducted by Network Operators themselves or by qualified third parties, nor what methods and standards should be used. Such questions need to be clarified in detailed rules.
Consequences of violations and exception
The Regulation does not directly stipulate the administrative punishment for violating it. Instead, if the Network Operator fails to meet the requirements of the Regulation and a serious security risk exists or a security incident occurs, cybersecurity and information administration officials will interview the Network Operator and require it to rectify and eliminate the potential risks. If the Network Operator’s conduct also violates other laws or regulations (including the Cybersecurity Law or the Administrative Measures on Internet Information Services), the authorities will impose the corresponding liability (including criminal liability) accordingly.
Given the lack of a clear consequence for violation of the Regulation, it is helpful to look at the related laws, most importantly the Cybersecurity Law. According to Article 64 of the Cybersecurity Law, where Network Operators infringe the rights on personal information protection, they shall be subject to one or more of a rectification order, a warning, confiscation of illegal gains, or a fine of one-to-ten times the illegal gains; where there is no illegal gain, a fine of no more than CNY1 million (around USD 140k) shall be imposed. Additionally, the persons directly in charge and other directly responsible persons shall be fined CNY10,000 (around USD 1.4k) to CNY100,000 (around USD 14k). Where the circumstances are serious, the Network Operator shall be ordered to suspend the relevant business, cease operation for rectification or close down the website, or its relevant business permits or business licenses may be revoked.
The last article of the Regulation provides an exception for Network Operators: where data is automatically retained and processed in the computer system, and therefore cannot be identified as the PI of a child, the Regulation will not apply and other relevant regulations should be followed instead. This exception seems intended by the legislators to spare certain Network Operators from implementing the new requirements. However, the provision is ambiguous and requires elaboration as to which circumstances should be deemed “automatic store and process” and which “relevant regulation” will apply.
However, the Regulation leaves some details of its implementation unclear, especially with respect to identifying guardians and obtaining their consent. Nonetheless, Network Operators can already make certain adjustments for compliance: operators of websites and apps used by children should prepare user terms and privacy protection rules specifically for children and designate dedicated personnel in charge of children's PI protection; Network Operators without underage users should adjust their registration rules to ensure that their services are not used by children.