The Cyberspace Administration of China (CAC) has, for the first time, issued legislation dedicated to protecting child privacy online. The Regulation on Protection of Children’s Personal Information Online (《儿童个人信息网络保护规定》) is due to take effect on 1 October 2019.

BACKGROUND

The Cyber Security Law (CSL) lays down general principles on data protection in China, but until the new regulation there had been no dedicated regulation specifically on the protection of children’s privacy online. The Personal Information Security Standards (《个人信息安全规范》) (Security Standards) are a set of recommended standards for personal information protection which took effect on 1 May 2018. These expressly require data controllers to treat the personal information of children as sensitive personal information and to obtain express consent from the children’s guardians for processing of personal information. The special protection measures applicable to sensitive personal information under the Security Standards will also apply to children’s personal information. These required measures include separate consent for each function of a service or product, encryption of data for storage and transmission, request-based internal access authorisation, and prior notification and express consent before data sharing or transfer. The model privacy policy attached to the Security Standards also includes a section on processing of children’s personal information.

The CAC released the draft new regulation for public consultation on 30 May 2019, the eve of International Children’s Day in China. With the formal version released less than three months later, the CAC is expediting the new regulation through its legislative process. The new regulation has made mandatory some of the data protection measures in the Security Standards and has also created a range of measures designed to enhance protection of child privacy.

HIGHLIGHTS OF KEY PROVISIONS

1. Identification of children and consent of their guardians

The new regulation defines children as minors under the age of 14, which is consistent with the Security Standards. The new regulation does not define "personal information" or "network operators", which presumably will have the same meanings as in the CSL.

In relation to personal information of children, network operators must obtain consent from a child’s guardian in the following circumstances:

  1. collecting, using, transmitting and disclosing personal information, after having notified details to the guardians;

  2. changing any details of the proposed data processing activities previously notified; and

  3. using the personal information beyond the agreed purpose or scope.

2. Notification and data protection rules and policy

Network operators must have designated data protection rules and a user agreement for children, and must notify guardians of the following information when obtaining their consent:

  1. the purpose, means and scope for collecting, storing, using, transmitting and disclosing the personal information;

  2. the storage location and period and how the personal information will be processed at the expiry of the retention period;

  3. the security protection measures;

  4. the consequences of refusal to give consent;

  5. ways and channels for making a complaint;

  6. ways to rectify or delete the personal information of children; and

  7. other matters that should be notified.

The network operator must also notify guardians when ceasing the product or service or if there is any leakage, destruction or loss of personal information.

3. Right to rectify and delete

The guardian has the right to request that the network operator rectify a child’s personal information where it is incorrect, and may request that the child’s personal information be deleted in the following circumstances:

  1. the network operator violates laws and regulations or the agreement with the data subjects;

  2. the network operator collects, stores, uses, transmits or discloses a child’s personal information beyond the notified purpose, scope or period;

  3. the guardian withdraws consent; or

  4. the child or guardian ceases to use the product or services, for example by cancelling their account.

4. Third-party processing

Apart from obtaining consent from guardians, where a third party will process children’s personal information, network operators must also conduct a security assessment and sign an agreement with the third party. The agreement must specify details of the third-party processing, including the responsibilities of the parties, matters to be processed, and the period, nature and purposes of the processing. In particular, the third-party processor must:

  1. process the personal information as requested by the network operator;

  2. assist the network operator in responding to requests by guardians;

  3. take information security measures and report to the network operator in the event of a data breach incident;

  4. delete personal information in a timely manner when processing is completed;

  5. not assign the processing activities to another party; and

  6. comply with other data protection obligations required by law.

5. Data protection officer

Network operators are required to appoint a designated person to be responsible for protecting child privacy. The new regulation does not specify the detailed responsibilities of such a person except that they have the power to approve internal access to children’s personal information.

6. Legal liabilities

The new regulation provides that the penalties under the CSL and the Administrative Measures for Internet Information Service (Internet Measures) will apply. The administrative actions and penalties for breach of personal information protection provisions under the CSL include requirements to attend meetings with the CAC, orders for rectification, warnings, forfeiture of illegal income and fines. In serious cases, a network operator may be ordered to suspend its operations or shut down its website, and its operation permit or business license could be revoked or withdrawn. A violation notice will also be filed against the credit record of the network operator.

However, it is not clear how the Internet Measures will apply in the context of child privacy protection, as there is no reference to personal information or privacy of children in that regulation.

OUR OBSERVATIONS

1. Consent – an absolute duty?

The new regulation places great emphasis on the requirement that network operators should obtain prior consent from a child’s guardian in a number of circumstances. However, current technology makes it difficult to verify that each consent has actually been given by the guardian. Therefore, in Europe and the US, a reasonable efforts test is applied given the practical challenges and current technology limitations. For instance, under the General Data Protection Regulation (GDPR), controllers are required to make reasonable efforts to verify that a consent is given by the guardians, taking into consideration available technology. Under the Children’s Online Privacy Protection Rule (COPPA), an operator should choose a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent.

In other words, under regulations in Europe and the US, data controllers or operators will not be liable for failing to obtain the consent of guardians if they can demonstrate that they have made reasonable efforts to verify that the consent had been given by the child’s guardian. Europe and the US may have different views as to the level of effort that is considered reasonable, but their approach to the issue is similar. Both GDPR and COPPA have given some guidelines on the accepted verification methods.

The new regulation, on the other hand, has not shed any light on the level of effort that network operators have to make to verify that the consent is given by the child’s guardian. Nor has the new regulation given any guidance on the accepted methods for verification. The current language renders the obligation to obtain the guardian’s consent an absolute duty of the network operator and a failure to obtain consent could give rise to legal liabilities.

Given the practical difficulties and current technology limitations, the CAC should clarify whether the obligation to obtain guardian consent is intended to be an absolute duty of the network operator. If not, in order to make the new regulation viable in practice, it should be made clear in supplementary guidelines what level of effort is required after taking into account the available technology.

2. Consent – threshold lowered?

Whilst the new regulation appears to make obtaining guardian consent an absolute duty of network operators before any personal information of children can be processed, the final version of the new regulation has removed the requirement for "express" consent. The earlier draft of the regulation specified that express consent must be "specific, unambiguous, clear and voluntary". The final version of the new regulation seems to have lowered the threshold for network operators to obtain guardian consent, as it does not have to be in the form of an affirmative act or written statement as defined in the Security Standards. This lowered requirement could indicate a lesser level of effort to verify that the consent is actually given by the guardian.

In practice, questions will arise as to how network operators or the CAC can be satisfied that guardian consent has been obtained without an express consent. It could potentially render the requirement for guardian consent less effective if it is reduced to the level of a formality, such as a simple check box, which lacks any level of meaningful check on the identity of the person giving the consent.

This approach is, however, contradictory with the requirement for express consent under the Security Standards, where personal information of children is afforded a higher level of protection as sensitive personal information.

The removal of "express" from the consent requirement between the draft and final version of the new regulation does not provide much clarity for network operators in implementing the new regulation. Once again, the CAC should clarify the level of effort required in obtaining guardian consent in future guidelines.

3. Consent – to obtain or not to obtain?

The final version of the new regulation has also removed the requirement for consent where the network operators share children’s personal information with third parties or transfer such personal information to third parties. The CAC has given no explanation on the removal.

It is worth noting that it is an express requirement under the CSL that network operators should not provide personal information to third parties without consent of the individuals. This is the position taken by the CAC in its draft Administration Measures for Data Security and also in the Security Standards.

It would be unreasonable to assume that the new regulation now imposes a lower requirement than that applicable to personal information of adults. However, the CAC should clarify whether the removal means that guardian consent is no longer required in these circumstances or whether the obligation has simply been merged with the general requirement to obtain guardian consent for "collecting, using, transmitting and disclosing" children’s personal information under article 8 of the new regulation.

On the other hand, the final version of the new regulation has removed the exceptions to the consent requirement provided for in the earlier draft, which permitted network operators to obtain children’s personal information without their guardians’ consent on the basis of national security, public interest, protection of children’s physical or property safety or statutory reasons. This eliminates the possibility of network operators abusing such exceptions to circumvent the requirement. It remains to be seen how this will be reconciled with the exceptions to obtaining consent provided for by the Security Standards.

4. Limitation to applicability

The new regulation applies to "collection, storage, use, transmission and disclosure of children’s personal information online within the territory of China". The language seems to carve out two situations from its application:

  1. Offline processing activities: the new regulation appears to apply only to processing activities carried out online in relation to children’s personal information. Processing activities conducted offline are not subject to the new regulation. Where only part of the processing activities are carried out offline, questions arise as to whether the online processing activities will be caught. For instance, what would the position be where children’s personal information is collected offline and then stored, used or disclosed online? Does the new regulation apply to those online processing activities? If so, will the new regulation also retrospectively apply to the collection?

  2. Processing activities carried out cross-border or offshore: the geographical applicability of the new regulation is restricted to the territory of China. An offshore entity carrying out the processing activities in relation to personal information of children residing in China appears to fall outside of the jurisdiction of the new regulation. This situation appears to be left to be regulated by the personal information export regulations which are yet to be finalised.

At the end of the new regulation, the CAC carves out from its application the situation where information is automatically retained by computer systems that cannot identify whether the retained information is children’s personal information. This could be intended to deal with the scenario where the collection of information is automated and technically cannot differentiate or identify the age of the data subjects, for instance, visitor IP address records could fall into this category. In any case, further clarification from the CAC with a defined scope would help network operators to understand whether this carve-out applies to them.

5. Other issues to be clarified

The new regulation requires network operators to have dedicated data protection rules and a user agreement in relation to children’s personal information. It is unclear whether these will need to be standalone documents. In the model privacy policy attached to the Security Standards, the data protection rules for children are set out as a chapter of the general privacy policy. Besides, in practice, it is unusual to have a standalone user agreement designated for children. With the requirement for concise and plain language being removed from the final draft of the new regulation, the need for standalone data protection rules and user agreement seems even less necessary.

In relation to the dedicated person responsible for protecting children’s personal information, it is unclear whether this position can be held by a person who is also charged with other data protection responsibilities.

The new regulation concerns minors under the age of 14, but leaves a regulatory gap for minors aged 14 or above. In particular, this could also give rise to issues such as what rights minors will have in relation to their personal information which has already been collected when they reach the age of 14 and whether they should be treated as adults under data protection laws at that time.

CONCLUSIONS

Despite the many issues to be clarified and questions to be answered, the new regulation marks the first regulatory step towards stepping up protection of children’s online privacy in China. Network operators processing personal information of children should prepare themselves for the implementation of the new regulation which will take effect in the coming month.