Data Protection

China Implements Regulation Increasing Protections for Children’s Personal Data

By YUET MING THAMCOLLEEN THERESA BROWN AND CHRISTOPH MURPHY

On 22 August 2019, the Cyberspace Administration of China (CAC) announced the implementation of the Online Protection of Children’s Personal Data Regulation (儿童个人信息网络保护规定), (“the Regulation”) which came into force on 1 October 2019. The Regulation comprises a list of rules which seek to ensure the safety of children’s personal data and promote a healthy upbringing for children.

This constitutes the latest step in China’s drive to sophisticate its data protection regime and adds to legislation under the framework of the Cybersecurity Law, implemented in 2017. It contains similarities to the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the GDPR in the EU.

As there is no official English translation of the Regulation, this article summarises its key points.

Application

The Regulation has a wide application. Most provisions apply to network operators (defined as network owners, administrators or service providers) engaged in the collection, storage, use, transfer and disclosure of personal data of children (defined as anyone under the age of fourteen), carried out within the PRC.

In contrast with COPPA in the U.S., which limits its application to online services targeting children (and operators with actual knowledge of the online collection of children’s data), the Chinese Regulation appears to catch all networks operators, including those based in foreign countries.

Obligations on Network Operators

Under the Regulation, network operators should, in relation to the protection of children’s data:

  • develop dedicated rules and user agreements;
  • appoint a dedicated member of staff for children’s privacy compliance;
  • notify and obtain consent from parents for the collection, use, transfer or disclosure of their child’s personal data;
  • use encryption or other safeguards to secure children’s personal data;
  • limit access to children’s data only to specially authorised employees; and
  • require any third party receiving the data to undergo a security assessment and enter into an contractual provisions that provide protections to the children’s data.

When seeking consent from parents for use of their child’s personal data, the network operator should provide an option to refuse consent, along with the following information:

  • the purpose, method, and scope of the use of the data;
  • where the data will be stored;
  • the duration for which the data will be kept and how the data will be disposed;
  • security measures;
  • the consequences of refusing to consent;
  • how to file a complaint;
  • how to correct or delete the data; and
  • any other relevant information about the processing of the children’s data which the parent should be notified.

Consequences of Breach

Violations of the Regulation may constitute a breach of the Cybersecurity Law (as well as other laws), potentially resulting in fines and other sanctions on network operators and responsible individuals.

Exception

Where a network operator automatically collects personal data and its systems cannot identify whether that personal data belongs to a child, the Regulation will not apply. The exact criteria for determining the application of this exception remain ambiguous, however it may in practice be somewhat similar to the COPPA concept of actual knowledge (or the potentially more stringent concept under the California Consumer Privacy Act concept of wilful disregard.)

Other Characteristics

Whilst most of the obligations are imposed specifically on network operators, one provision notably imposes an obligation on parents to educate their children on protecting their personal data. Another encourages “organisations in the internet industry” to draw up industry standards and codes of conduct for the protection of children’s personal data.

Consequences of the Regulation

Though the Regulation is partially an example of the Chinese government’s increasing regulatory pressure on the online gaming industry, its consequences will also be felt in industries that don’t specifically target children.

As all network operators are theoretically within scope, any online company collecting children’s personal data, such as those in the medical or telecommunications industries, will need to consider the impact of the Regulation on their operations. Network operators with Chinese users will need to monitor their operations closely and take steps to ensure compliance.

However, as the Regulation is so new, many questions about the practical enforcement remain, including whether any industries or companies might benefit from the exception, and whether enforcement action will be taken against network operators based outside China. 

As daily internet use becomes normalised among children, we are likely to see further examples of governments legislating or regulating increased safeguards for children’s personal data.

In addition to the Regulation in China, Korea recently announced amendments to its children’s data protection laws. Moreover, the U.S. Federal Trade Commission is seeking public comments on COPPA with a view to potential amendments, and has stepped up enforcement with a recent record $170 Million settlement with Google.