On October 1, 2019, China’s Provisions on Cyber Protection of Children’s Personal Information (“Provisions”) became effective. The Cyberspace Administration of China had released the Provisions on August 23, 2019, and they are the first rules focusing on the protection of children’s personal information in China.

Definition of Children

“Children” in the Provisions refers to minors under 14 years old. This is consistent with the definition under the national “Information Security Technology – Personal Information Security Specification.”

Jurisdiction

The Provisions only govern activities relating to the collection, storage, use, transfer and disclosure of children’s personal information through networks within the territory of China. The Provisions do not apply to such activities conducted outside of China, nor to similar activities conducted offline.

Informed Consent 

The Provisions set up a higher standard of consent than the Cybersecurity Law of China. In order for a network operator to obtain informed consent from a guardian, it must provide a rejection option and specifically inform guardians of the following:

  •  Purpose, means and scope of collection, storage, use, transfer and disclosure of children’s personal information;
  • Storage location of children’s personal information, retention period and how the relevant information will be handled after expiration of the retention period;
  • Safeguard measures protecting children’s personal information;
  • Consequences of rejection by a guardian;
  • The channels and means of filing or reporting complaints; and
  • How to correct and delete children’s personal information.

Special Protection

The network operator also must restrict internal access to children’s personal information. Specifically, personnel must obtain approval from the person in charge of protecting children’s personal information, or an authorized administrator, before accessing such information.

If children’s personal information is processed by a third-party data processor, the network operator must conduct a security assessment of the data processor entrusted with the children’s personal information and enter into an entrustment agreement with the data processor. The data processor is required to assist the network operator in complying with the guardian’s request to delete a child’s information after termination of service. Sub-entrustment or subcontracting by the data processor is forbidden.

In the event children’s personal information is to be transferred to a third party, the network operator shall conduct a security assessment of the entrusted party, or retain a third party to perform such an assessment.

Rights of Children or Guardians

Children or their guardians are entitled to request the deletion of children’s personal information in certain circumstances and are also entitled in all cases to the correction of children’s personal information wherever any such information collected, stored, used or disclosed by a network operator is erroneous. Additionally, guardians have the right to withdraw consent altogether.

Notification of Breach

In cases of actual or potential data breaches, the network operator must immediately initiate its contingency plan and take remedial measures. If there is, or if there is a possibility of, serious consequences arising from the breach, the network operator must immediately report the breach to competent authorities as well as notify the affected children and their guardians by email, letter, telephone or push notification. If it is difficult to send the notice to each affected individual, the network operator shall undertake reasonable and effective means of publishing the relevant notice. However, there is no specific definition of serious consequences.

In the event the data breach is caused or observed by a data processor, the data processor is required to notify the network operator in a timely manner.