On May 31, 2019, the Cyberspace Administration of China (the “CAC”) published Draft Regulations on Network Protection of Minor’s Personal Information (the “Draft Regulations”), timing the release to coincide with International Children’s Day. The Draft Regulations, based on the existing Cybersecurity Law of China (the “Cybersecurity Law”), are more protective of minors’ information than the Information Security Technology — Personal Information Security Specification (GB/T 35273 – 2017) (the “Specification”) and its draft amendment, which also contain some limited provisions on network operators’ use and treatment of minors’ information.
Below is a summary of notable requirements under the Draft Regulations.
“Minor” refers to a person under 14 years old.
Requirement for Consent
In general, the Draft Regulations’ requirements for obtaining consent to the collection, storage, use, sharing, transfer and disclosure of a minor’s personal information are stricter than the requirements described either under the Cybersecurity Law or in the Specification. Network operators are obligated to notify the minor’s guardian in a “distinct and clear” way of the proposed treatment of the personal information, which includes providing relevant details such as the purpose, scope, method and duration of the collection; information regarding the storage, use, transfer or disclosure of the data; security safeguard measures; the network operator’s contact information; and the consequences of withholding consent. Network operators also must give the guardian the option to withhold consent.
In addition to providing such information, network operators must obtain the guardian’s express consent prior to moving forward. Such express consent shall be specific, clear, definite and voluntary. There are certain exceptions to the requirement, such as for national security reasons and/or for eliminating imminent emergency harm to a minor or to a minor’s property.
Special Protection Policy and User Agreement
Network operators are required to stipulate that they provide certain safeguards with respect to minors’ information and to designate a specific person in charge of protecting minors’ personal information. Network operators are also required to provide a simple, easy-to-understand user agreement for minors.
Data Processing by Third Party
Under Article 13 of the Draft Regulations, a network operator that contracts with a third party to process minors’ personal information must conduct a security assessment of the third party, and such third party should be obligated to:
- process personal information in accordance with the network operator’s requirements;
- assist the network operator in replying to requests from guardians;
- delete personal information upon completion of contracted-for work;
- not sub-contract the relevant processing work to any others; and
- fulfill other legal obligations.
Under Article 20, if a network operator discovers any existing or potential security incidents which may affect minors’ personal information, such as disclosure, corruption or loss of personal information of the minor, the network operator should initiate the emergency plan and take appropriate measures.
For incidents that have resulted in, or are likely to result in, serious consequences, the network operator must immediately report the incident to the competent authorities and notify the affected minor and the minor’s guardian of such incidents by email, letter, telephone or push notification. If it is difficult to notify each affected individual, the network operator should employ reasonable and effective means to inform the relevant persons.
Violation of the Draft Regulations would subject network operators to the relevant legal liabilities under Article 64 of the Cybersecurity Law. Depending on the specific circumstances, a violation may result in fines, suspension or closure of the business, shutting down of the relevant website, and revocation of a permit or business license.
The comment period for the Draft Regulations ends on June 30, 2019.