China has finally released its own version of the U.S. Children's Online Privacy Protection Act. On Aug. 23, the Cyberspace Administration of China (CAC) released the final version of the "Measures on Online Protection of Children's Personal Data," which will come into force Oct. 1. The measures provide further clarity on how to protect children's personal data online under the framework of China's Cyber Security Law (CSL).
Not only do the measures have a broader application than their U.S. counterpart, but they also include prescriptive requirements on the management measures needed to safeguard children's personal data. This article analyzes the differences between the measures and two prominent pieces of legislation on the protection of children's personal data, i.e., the EU General Data Protection Regulation and the U.S. COPPA, and introduces the key requirements under the measures.
The applicability
The measures apply to any collection, storage, processing, transfer and disclosure of the personal data of children under the age of 14 using networks in China. Application of the measures does not depend on whether the network operator's website or online services are "directed to children" or whether the network operator has "actual knowledge" that it processes children's personal data. In practice, however, it is foreseeable that to establish jurisdiction in a law enforcement action, CAC would also need to consider objectively whether the network operator indeed processes children's personal data by looking at the content of the website or online services, unless the network operator provides user age statistics proving that no children's personal data is involved.
'Network' in China
The CSL defines "network" broadly to include the internet, intranets and industrial control systems. Collecting and processing children's data via websites or apps would fall within the scope of the Children's Data Protection Measures. Uploading children's personal data to an intranet or internal information system after collecting it offline on paper would also make the company subject to the measures.
Extraterritorial effect?
Although the CSL does not include a provision on extraterritorial application similar to Article 3(2) of the GDPR, the draft "Measures on Administration of Data Security," which CAC released in June for public consultation, seems to suggest extraterritorial application of the CSL. Given CAC's interest in protecting data subjects in China who are targeted by networks located outside China, CAC may take a consistent view on the extraterritorial effect of the measures as well. Foreign website operators and online service operators whose services are directed to children in China may also be subject to the measures.
Possible carve-out?
There appears to be a carve-out from the application of the measures, i.e., the automatic collection of information in network logs that on its own cannot identify a child or determine whether the information relates to a child. For general audience websites or business-to-business websites, it is arguable that the website operator cannot identify whether a user is a child before the user registers and logs in. However, for companies operating websites or apps whose content is likely to attract children, it is arguable that the safe harbor provision would not apply, because these operators will be processing children's personal data (e.g., IP address, device ID and other browsing history) through automatic collection when children visit the websites or use the online services. General audience website or online service operators in China can identify the content that attracts children and accordingly revisit the consent mechanism on their website or app to comply with the measures.
Parental consent
The measures impose a "notice + parental consent" requirement for processing children's data.
- The measures require the notice to be directed to the parent and to be specific to children. The notice requirements in the measures are not very different from those under the GDPR. Over the past two years, the Chinese authorities have been promoting transparency in the processing of personal data and the protection of personal data. They have also announced a new law enforcement agenda to address certain privacy practices, such as bundled consent, and have released guidance on privacy notices.
- On consent, the final version of the measures does not include the requirement of "explicit consent." In the draft version of the measures, explicit consent required that consent be clear, specific, unambiguous and freely given. The consent requirement in China has been the subject of heavy debate, mostly because the CSL does not clearly define it. It is worth watching how far CAC is willing to draw on U.S. practice on obtaining "verifiable parental consent" in China.
- The final version of the measures removed the exemptions from parental consent, i.e., processing in the national or public interest, to mitigate danger to children's property or personal safety, or in other circumstances provided by law. It is worth noting that the CSL does not include exceptions to consent either. Recognizing the practical necessity of exceptions, the recommended national standard "Personal Information Security Specification" includes a few exemptions from consent, such as compliance with laws, performance of a contract, and processing in the national or public interest. While the recommended national standard has been largely endorsed by the relevant regulators and law enforcers in practice, it remains to be seen how they will reconcile the recommended national standard with the measures, particularly in handling sensitive personal data such as children's personal data.
Mandatory limited retention
Article 12 of the measures specifically provides for the limited retention principle and fills a gap in the CSL. It is time for network operators in China that process children's personal data to prepare a retention schedule identifying the retention period required by the business and the minimum retention period under the various Chinese laws and regulations.
Dedicated responsible person to protect children’s data
The measures require network operators to appoint a dedicated person responsible for protecting children's personal data. Although there is no residency requirement for this person, the responsibilities set out in the measures make it clear that CAC expects the dedicated person to be responsible for day-to-day operations. While there is no explicit requirement that the person be based in China, depending on the nature and volume of the data processed, having an internal data protection office at headquarters outside China shoulder these daily operational tasks may not be practical, and it may not meet the regulator's expectations given the limited accessibility of an office located outside China.
Outsourcing
Article 16 of the measures provides that when outsourcing processing activities relating to children's personal data, the network operator shall conduct a security assessment of the outsourcing and sign a data-processing agreement. The mandatory clauses in the measures are similar to those in Article 28 of the GDPR.
Data subject’s right to deletion
The CSL provides that the right to deletion is exercisable only when the network operator violates the law or is in breach of its agreement with the data subject. The measures provide that the right to deletion can also be exercised by withdrawing parental consent. Imagine a situation in which parents have just scolded their children for playing a game excessively and notify the game operator that they withdraw consent to their children's registration on the game platform. Should the game operator delete the children's accounts and user information immediately? Or within a specific period? The measures set no clear "cooling-off" period.
Reportable data breach threshold
The Children's Data Protection Measures specify a reportable data breach threshold, i.e., reporting to the relevant departments and the affected data subjects is mandatory only if the data breach has resulted or may result in serious impact. What constitutes "serious impact" is not clearly set out in the measures.
Expect future updates to children's privacy as 2019 comes to a close.