Oct 152019

China Implements Regulation Increasing Protections for Children’s Personal Data

Colleen Theresa Brown, Yuet Ming Tham and Christoph Murphy
, , , , , ,

On 22 August 2019, the Cyberspace Administration of China (CAC) announced the implementation of the Online Protection of Children’s Personal Data Regulation (儿童个人信息网络保护规定), (“the Regulation”) which came into force on 1 October 2019. The Regulation comprises a list of rules which seek to ensure the safety of children’s personal data and promote a healthy upbringing for children.

This constitutes the latest step in China’s drive to sophisticate its data protection regime and adds to legislation under the framework of the Cybersecurity Law, implemented in 2017. It contains similarities to the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the GDPR in the EU.

As there is no official English translation of the Regulation, this article summarises its key points.

Application

The Regulation has a wide application. Most provisions apply to network operators (defined as network owners, administrators or service providers) engaged in the collection, storage, use, transfer and disclosure of personal data of children (defined as anyone under the age of fourteen), carried out within the PRC.

In contrast with COPPA in the U.S., which limits its application to online services targeting children (and operators with actual knowledge of the online collection of children’s data), the Chinese Regulation appears to catch all networks operators, including those based in foreign countries.

Obligations on Network Operators

Under the Regulation, network operators should, in relation to the protection of children’s data:

  • develop dedicated rules and user agreements;
  • appoint a dedicated member of staff for children’s privacy compliance;
  • notify and obtain consent from parents for the collection, use, transfer or disclosure of their child’s personal data;
  • use encryption or other safeguards to secure children’s personal data;
  • limit access to children’s data only to specially authorised employees; and
  • require any third party receiving the data to undergo a security assessment and enter into an contractual provisions that provide protections to the children’s data.

When seeking consent from parents for use of their child’s personal data, the network operator should provide an option to refuse consent, along with the following information:

  • the purpose, method, and scope of the use of the data;
  • where the data will be stored;
  • the duration for which the data will be kept and how the data will be disposed;
  • security measures;
  • the consequences of refusing to consent;
  • how to file a complaint;
  • how to correct or delete the data; and
  • any other relevant information about the processing of the children’s data which the parent should be notified.

Consequences of Breach

Violations of the Regulation may constitute a breach of the Cybersecurity Law (as well as other laws), potentially resulting in fines and other sanctions on network operators and responsible individuals.

Exception

Where a network operator automatically collects personal data and its systems cannot identify whether that personal data belongs to a child, the Regulation will not apply. The exact criteria for determining the application of this exception remain ambiguous, however it may in practice be somewhat similar to the COPPA concept of actual knowledge (or the potentially more stringent concept under the California Consumer Privacy Act concept of wilful disregard.)

Other Characteristics

Whilst most of the obligations are imposed specifically on network operators, one provision notably imposes an obligation on parents to educate their children on protecting their personal data. Another encourages “organisations in the internet industry” to draw up industry standards and codes of conduct for the protection of children’s personal data.

Consequences of the Regulation

Though the Regulation is partially an example of the Chinese government’s increasing regulatory pressure on the online gaming industry, its consequences will also be felt in industries that don’t specifically target children. As all network operators are theoretically within scope, any online company collecting children’s personal data, such as those in the medical or telecommunications industries, will need to consider the impact of the Regulation on their operations. Network operators with Chinese users will need to monitor their operations closely and take steps to ensure compliance.

However, as the Regulation is so new, many questions about the practical enforcement remain, including whether any industries or companies might benefit from the exception, and whether enforcement action will be taken against network operators based outside China.  As daily internet use becomes normalised among children, we are likely to see further examples of governments legislating or regulating increased safeguards for children’s personal data. In addition to the Regulation in China, Korea recently announced amendments to its children’s data protection laws. Moreover, the U.S. Federal Trade Commission is seeking public comments on COPPA with a view to potential amendments, and has stepped up enforcement with a recent record $170 Million settlement with Google.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Christoph Murphy

Hong Kong

cmurphy@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.