(Oct. 28, 2019) On August 22, 2019, the central internet information regulator of the People’s Republic of China (PRC or China), the Cyberspace Administration of China, issued the Provisions on Online Protection of Children’s Personal Information. The new data privacy regulation “sets forth high-level requirements for the collection, storage, use, transfer, and disclosure of the personal information of children within PRC territory,” according to lawyers practicing in China. It is China’s first law specifically regulating the protection of children’s personal information on the internet. The Provisions took effect on October 1, 2019. (Art. 29.)
Under the Provisions, children under the age of 14 are defined as minors. The new regulation applies to the online collection, storage, use, transfer, and disclosure of the personal information of children that are conducted within the territory of the PRC. (Arts. 2, 3.)
The Provisions require network operators to adhere to the principles of righteousness, necessity, informed consent, definite purpose, guaranteed security, and lawful use when they collect, store, use, transfer, or disclose the personal information of children. Under the Provisions, network operators must set up specific policies and user agreements for protecting children’s personal information. (Arts. 7, 8.)
Parental or guardian consent must be obtained prior to the collection, use, transfer, or disclosure of children’s personal information. (Art. 9.) When obtaining consent, network operators must provide the option of refusal and provide the following information:
- The purposes, methods, and scope of the collection, storage, use, transfer, and disclosure of children’s personal information.
- The storage location, period of storage, and treatment of information after the agreed storage period expires.
- Security measures to safeguard the personal information of children.
- The consequences of refusing to allow the use, transfer, disclosure, and storage of children’s personal information.
- The means of reporting violations or filing complaints with the network operator.
- The means of correcting and deleting children’s personal information.
- Other matters about which network operators must provide information. (Art. 10.)
The regulation prohibits network operators from storing children’s personal information beyond the period necessary to achieve the purposes of collection and use, and requires operators to ensure the security of information through encryption or other methods. (Arts. 12, 13.)
The use of children’s personal information by a network operator must not violate laws and administrative regulations or the purpose and scope of use agreed on by both parties. Under the principle of minimum authorization, network operators are required to set strict access restrictions on their personnel who are permitted to handle children’s personal information. Network operators must also conduct a security assessment before they engage any third-party vendors or transfer children’s personal information to a third party. (Arts. 14, 15, 16, 17.)
The Provisions do not contain specific penalties for violations. Rather, violators of the Provisions are subject to penalties—including criminal penalties—under other relevant laws and regulations, such as the Cybersecurity Law and the Administrative Measures on Internet Information Services. (Art. 26.)