Children’s Data Protection: where does the new PRC regulation go?

12 June 2019

Children merit particular attention with regard to their personal data, as has been clearly stated in prominent jurisdictions by the EU regulator (EU GDPR, namely Recital 38), the US regulator (with a dedicated regulation, the Children’s Online Privacy Protection Act, or “COPPA”) and now the PRC regulator, through the Cyberspace Administration of China (“CAC”), with the publication of the draft Children’s Personal Information Network Protection Regulation (the “Draft”), issued on 31 May 2019 for a one-month public consultation.

First and foremost, a child is defined by his/her age, which varies across the legal frameworks:

– 13 for the COPPA,

– 14 for the PRC Draft,

– 16 for the EU GDPR, or lower where a Member State has stricter regulation.

The underlying principles and key measures in the EU GDPR and the US COPPA can be found in the PRC Draft, namely:

– Personal information: data protection measures apply to Personal Information, understood as all kinds of information recorded in electronic or other form which can be used, independently or in combination with other information, to identify a natural person’s identity, including device information (IP address, MAC address, device serial number).

– Information: the data controller shall communicate with the children in clear and understandable language, and clearly state the scope of data collected and the processing goals;

– Parental consent: the data controller shall expressly seek the consent of legal guardians and renew such consent collection if the scope of data collected and processed changes;

– Data minimisation: the array of personal information collected shall be strictly necessary for the provision of services to the data subject;

– Prize incentives: the data controller shall refrain from requesting children to input personal information in order to win a prize or enter a lottery if this information is not directly necessary for the execution of the game, on the same principle as data minimisation;

– Data retention: in alignment with the data minimisation principle, personal information shall be retained only for the period strictly necessary to fulfil the purpose of its collection and use;

– Data access, modification and erasure: the data controller shall comply with any request from the legal guardian regarding the children’s personal information;

– Third party assessment: when entrusting a third party to process children’s personal information, network operators shall conduct a security assessment on the third party. Furthermore, the processing of children’s personal information by a third party shall be covered by an agreement to include the following obligations for the third party to:

(1) process in accordance with the data controller’s requirements,

(2) assist the data controller,

(3) ensure information security,

(4) delete children’s personal information in a timely manner when the relationship is dissolved,

(5) refrain from subcontracting the processing.

Although these fundamental principles are shared among the different regulations, it is worth noting a specific emphasis from the PRC regulator on security assessment. As commonly observed in previous regulations, the regulator follows the trend of stating an obligation whose technical implementation remains to be defined.

Furthermore, a data controller may disclose children’s personal information to safeguard national security or the public interest, leaving the authorities broad latitude of interpretation and thus creating a permanent risk of data leakage.

As PRC regulatory drafts usually closely resemble the final text, it appears critical for foreign data controllers operating in the PRC to stay ahead of the curve by implementing information protection processes in compliance with the PRC regulations, while assessing the inherent risks of such compliance and potential conflicts with other jurisdictions, namely on data storage and data transfer.

To know more, please contact Gregory Louvel g.louvel@leaf-legal.com

The TL Group is a team providing tech and legal services.

The alliance between Leaf, a law firm, and TekID, a data intelligence firm, provides a comprehensive cyber security and data management offering which will help you enhance your security with a holistic approach. This team of cyber / data experts and lawyers can offer services to companies and managers such as compliance audits and programs in cybersecurity, structuring deals involving data assets, understanding and managing the life cycle of data and the associated risks, and forensic investigations, among others.