Provisions on the Cyber Protection of Children’s Personal Information

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2019-08-28

Effective Date: 2019-10-01

Source: http://www.cac.gov.cn/2019-08/23/c_1124913903.htm

Original Title: 儿童个人信息网络保护规定

Provisions on the Cyber Protection of Children’s Personal Information

Order of the Cyberspace Administration of China No.4

The Provisions on the Cyber Protection of Children’s Personal Information, adopted upon deliberation at the executive meeting of the Cyberspace Administration of China, are hereby promulgated, effective October 1, 2019.

Director: Zhuang Rongwen

August 22, 2019

Provisions on the Cyber Protection of Children’s Personal Information

Article 1 These Provisions are formulated in accordance with the Cyber Security Law of the People’s Republic of China, the Law of the People’s Republic of China on the Protection of Minors and other laws and regulations to ensure children’s personal information security and promote the healthy growth of children.

Article 2 The term “children” as mentioned in these Provisions refers to minors under the age of 14.

Article 3 The Provisions shall apply to the collection, storage, use, transfer and disclosure of children’s personal information via the network within the territory of the People’s Republic of China.

Article 4 No organization or individual may produce, release or disseminate the information that infringes upon children’s personal information security.

Article 5 Children’s guardians shall correctly fulfill their duties of guardianship, educate and guide children to enhance children’s awareness and capability of personal information protection, and protect children’s personal information security.

Article 6 Internet industry organizations are encouraged to guide and promote network operators to formulate the industry norms and code of conduct for the protection of children’s personal information, strengthen industry self-regulation, and fulfill social responsibilities.

Article 7 Any network operator collecting, storing, using, transferring or disclosing children’s personal information shall follow the principles of properness and necessity, informed consent, explicit purpose, security assurance and lawful use.

Article 8 Network operators shall establish special rules and user agreements for the protection of children’s personal information, and designate persons to take charge of the protection of children’s personal information.

Article 9 To collect, use, transfer or disclose a child’s personal information, any network operator shall inform the child’s guardians in a noticeable and clear manner, and shall obtain the consent of the child’s guardians.

Article 10 Network operators shall, upon seeking consent, provide the option of rejecting the application and explicitly inform of the following matters:

(I) the purpose, method and scope of collection, storage, use, transfer and disclosure of the personal information of children;

(II) the place and term of storage of children’s personal information and the way of disposal after the expiration;

(III) measures for guaranteeing the security of children’s personal information;

(IV) the consequences of refusal; and

(V) channels and ways of complaints and reports; and

(VI) channels and methods for correcting and deleting children’s personal information; and

(VII) other matters that shall be informed.In case of any substantial change in the informed matters set forth in the preceding paragraph, consent shall be obtained from the child’s guardians again.

Article 11 Network operators shall not collect children’s personal information unrelated to the services they provide, nor shall they collect children’s personal information in violation of the provisions of laws and administrative regulations and the agreements reached by both parties.

Article 12 Network operators shall not store children’s personal information beyond the time limit necessary for the purpose of collection and use of such information.

Article 13 Network operators shall store children’s personal information by taking such measures as encryption so as to ensure information security.

Article 14 Network operators’ use of children’s personal information shall not violate the provisions of laws and administrative regulations and the purpose and scope agreed upon by the two parties. If it is really necessary to use such information beyond the agreed purposes and scope due to business needs, consent shall be obtained from the child’s guardians again.

Article 15 Network operators shall strictly set the information access authority for their staff in the principle of minimal authorization, and control the scope of children’s personal information access. Staff’s access to children’s personal information shall be examined and approved by the person in charge of the protection of children’s personal information or the manager authorized thereby who shall record the access and take technical measures to avoid illegal copying or downloading of children’s personal information.

Article 16 Where a network operator entrusts a third party with the processing of children’s personal information, it shall conduct security assessment of the entrusted party and the acts of entrustment, sign an entrustment agreement, specifying responsibilities of both parties, matters to be handled, handling period, nature and purpose of the handling. The entrustment shall not exceed the scope of authorization.The entrusted party as prescribed in the preceding paragraph shall perform the following obligations:

(I) process children’s personal information according to the provisions of laws and administrative regulations and the requirements of the network operator;

(II) assist the network operator in responding to applications filed by children’s guardians;

(III) take measures to ensure information security, and timely give feedback to the network operator when children’s personal information is divulged; and

(IV) delete children’s personal information in a timely manner upon recission of the entrustment relationship;

(V) no transfer of entrustment; and

(VI) other obligations of protecting the personal information of children that shall be performed in accordance with the law.

Article 17 Where network operators intend to transfer children’s personal information to a third party, they shall carry out security assessment by themselves or entrust a third party institution to do so.

Article 18 Network operators shall not disclose the personal information of children, except for the information that shall be disclosed as required by laws and administrative regulations or may be disclosed as agreed with the guardians of children.

Article 19 In the case of discovery of any error in a child’s personal information collected, stored, used or disclosed by a network operator, the child or his/her guardians have the right to require the network operator to correct such error. The network operator shall take measures to make corrections in a timely manner.

Article 20 Where a child or his/her guardians require a network operator to delete the child’s personal information collected, stored, used and disclosed thereby, the network operator shall take measures to delete such information in a timely manner, including but not limited to the following circumstances:

(I) where the network operator collects, stores, uses, transfers or discloses the child’s personal information in violation of the provisions of laws and administrative regulations or the agreement reached by and between the Parties;

(II) where the network operator collects, stores, uses, transfers or discloses the child’s personal information beyond the scope of purposes or the necessary time limit;

(III) where the guardians of the child withdraw the consent; or

(IV) where the child or his/her guardians terminate the use of products or services by means of deregistration or otherwise.

Article 21 Any network operator who finds out that the personal information of children has been or may be divulged, damaged or lost shall immediately initiate the contingency plan and take remedial measures; where a serious consequence has been caused or is likely to be caused, the network operator shall immediately report the same to the relevant competent authority, and inform the affected children and their guardians of the relevant situations by mail, letter, telephone, push notice, etc., and if it is difficult to inform them one by one, the network operator shall take reasonable and effective measures to release the relevant warning information.

Article 22 Network operators shall cooperate in the supervision and inspection conducted by cyberspace administration and other relevant authorities in accordance with the law.

Article 23 Where a network operator ceases the operation of products or services, it shall immediately cease the collection of children’s personal information, delete the children’s personal information it holds, and inform the children’s guardians of the cessation in a timely manner.

Article 24 Any organization or individual that finds any practice in violation of the Provisions may report the same to the cyberspace administration and other relevant authorities.Upon receipt of relevant reports, the cyberspace administration and other relevant authorities shall timely handle the same according to their respective duties.

Article 25 Where a network operator fails to fulfill the responsibility for children’s personal information security management, resulting in a greater security risk or occurrence of a security incident, the cyberspace administration shall, according to its duties, conduct an interview with the network operator, which shall take timely measures to make rectification and eliminate hidden dangers.

Article 26 Violations of the Provisions shall be handled by cyberspace administration and other relevant authorities ex officio in accordance with the Cyber Security Law of the People’s Republic of China, the Administrative Measures for Internet Information Services and other relevant laws and regulations; if a crime is constituted, criminal liability shall be pursued in accordance with the law.

Article 27 Where legal liability is pursued for violation of these Provisions, the violation shall be recorded in the creditworthiness files pursuant to the provisions of the relevant laws and administrative regulations, and shall be announced to the public.

Article 28 Where information is automatically processed or retained through the computer information system and it is impossible to identify that the retained or processed information is children’s personal information, other relevant provisions shall apply.

Article 29 These Provisions shall come into force as of October 1, 2019.