The Cyberspace Administration of China (‘CAC’) published, on 31 May 2019, draft measures on the collection, storage, use, transfer, and disclosure of children’s personal information (‘the Draft Measures’). In particular, the Draft Measures set standards for informed consent, communicating purpose of use, and data security management. Moreover, the Draft Measures define children as minors under 14 years of age and seek to encourage network operators to develop industry codes of conduct and strengthen self-regulation.
The Draft Measures stipulate that network operators would need to establish dedicated children’s personal information protection rules and clear user agreements, as well as designate data protection officers or similar personnel to manage such information. Additionally, the Draft Measures specify that consent and security assessments would be required to transfer children’s personal information to third parties, with exceptions made for safeguarding national security, the public interest, eliminating imminent danger to the child, and as in accordance with other laws and regulations.
Penalties under the Draft Measures are still not comparable with those under the GDPR
Tan added, “The Draft Measures are a very prompt response to the development of the Technology, Media, and Communications sector where more and more junior users are now exposed to various internet related services. The Draft Measures provide clearer guidance for .com players to better manage minors’ data protection issues, [and] many principles are quite similar to those under the GDPR, such as parental involvement.”
The Draft Measures propose that network operators obtain express consent from children’s guardians in order to collect or use children’s personal information. Express consent is defined as specific, clear, and voluntary. Furthermore, the Draft Measures outline that network operators would be obliged to provide information to guardians including, among other things, the purpose, scope, duration, storage location, and security measures for processing children’s personal information, as well as the consequences of refusing to give consent. Moreover, the Draft Measures highlight that violations to its provisions would be subject to Article 64 of the Cybersecurity Law 2016, which came into effect on, 1 June 2017.
Tan concluded, “Penalties [advanced] under the Draft Measures are still not comparable with those under the GDPR. The maximum fine amount addressed is RMB 1 million (approx. €128,500). At the same time, it is not clear if the Draft Measures shall also apply to foreign companies who [are not established] within China but deal with Chinese minors’ data from abroad.”
Comments on the Draft Measures can be submitted to [email protected] by 30 June 2019.
ANGUS YOUNG Junior Privacy Analyst