Source:http://www.gov.cn/xinwen/2019-06/03/content_5397071.htm So as to regulate the collection and use of children's personal information and other such conduct, to protect the lawful rights and interests of children, and to create a positive online environment for the healthy growth of children, our office has drafted these "Provisions on the Protection of Children's Personal Information Online (Draft for Solicitation of Comments)", and hereby releases them for solicitation of public comments. The public may give feedback through the following channels and methods: 1.EMAIL:firstname.lastname@example.org. 2. Mailing Address: Beijing, Xicheng District, 11 Cheguangzhuang Avenue, Policy and Regulation Bureau of the State Internet Information Office, with receipients: LI Min, Xu Xiu An, Zip code:100044. Please write "Solicited Comments on the Provisions on the Protection of Children's Personal Information Online" on the envelope. The deadline for Comments and Feedback is June 30, 2019. Attachments: he “Provisions on the Protection of Children's Personal Information Online (Draft for Solicitation of Comments)" State Internet Information Office May 31, 2019
Provisions on the Protection of Children's Personal Information Online (Comments Draft)
Article 1: These Provisions are formulated on the basis of the "Cybersecurity Law of the P.R.C.", the "P.R.C. Law on Protection of Minors" and other relevant laws and regulations so as to protect the security of minors' personal information and promote the healthy growth of children.
Article 2: These Provisions are applicable to activities such as the collection, retention, use, transfer, or disclosure of children's personal information through the internet in the mainland territory of the People's Republic of China.
Article 3: Where network operators collect, retain, use, transfer, or disclose children's personal information, they shall follow the principles of legitimate necessity, informed consent, clear purposes, security safeguards, and lawful use.
Article 4: Internet industry organizations are encouraged to guide and urge network operators to draft industry specifications, behavioral norms, and so forth for protection of children's personal information, strengthening industry self-discipline and fulfilling social responsibility.
Article 5: Network operators shall set up special rules and user agreements on the protection of children's personal information, and establish special personal information personnel or designated personnel with responsibility for protection of children's information. User agreements applicable to children shall be concise and easily understood.
Article 6: Network operators must not collect children's personal information unrelated to the services they provide; and must not violate the provisions of laws, administrative regulations or user agreements to collect children's personal information.
Article 7: Where network operators collect or use children's personal information, they shall inform the children's guardians in a conspicuous and clear manner, and shall acquire the children's guardians' explicit consent consent. Explicit consent shall be specific, clear, definite, and rooted in voluntariness.
Article 8: When network operators acquire consent, they shall concurrently provide an option to refuse, and give clear information of the following matters:
(1) The purpose, scope, methods, and time period for the collection, retention, use, transfer, or disclosure of children's personal information;
(2) The location for storing children's personal information, and the means by which it is processed after the period ends.
(3) Security safeguard measures for children's personal information;
(4) Contact information for personal information protection personnel or others;
(5) The consequences and impact of refusing;
(6) Other matters on which information shall be given.
Where substantive changes occur in the information items provided for in the preceding paragraph, the explicit consent of children's guardians shall be acquired again.
Article 9: Network operators' retention of children's personal information must not exceed the time period necessary to realize the purpose of collecting or using it.
Article 10: Network operators shall employ measures such as encryption of stored children's personal information to ensure information security.
Article 11: Network operators' use of children's personal information must not exceed the purpose and scope agreed upon. Where it is truly necessary to exceed the purpose and scope due operational requirements, the explicit consent of children's guardians shall be acquired again.
Article 12: Network operators have the principle of smallest possible authorization for their personnel and strictly put in place limits on information access authority, controlling the scope of those aware of children's personal information. Staff access to children's personal information shall be upon review of the personal information protection staff or managers that they authorize, shall record the circumstances of the access, and employ technical measures to avoid unlawful reproduction or downloading of children's personal information.
Article 13: Where network operators retain third-parties to process children's personal information, they shall conduct security assessments of the retained party, the retained conduct, and so forth; and shall sign a retention agreement clarifying the responsibilities of both sides, the period for processing, the nature and goals of the processing, and so forth; and conduct by the retained party must not exceed the scope of authorization.
Retained parties provided for in the preceding paragraph shall perform the following obligations:
(1) Process children's personal information in accordance with the network operators' requirements;
(2) Assist network operators in responding to applications from children's' guardians;
(3) Employ measures to safeguard information security, and when discovering security incidents leaking children's personal information, promptly reflecting this to the network operators;
(4) promptly deleting children's personal information when the retention relationship is dissolved;
(5) the retention must not be transferred;
(6) Other obligations to protect children's personal information that shall be performed in accordance with law.
Article 14: Where network operators and third-parties jointly use children's personal information, they shall acquire the children's guardians' explicit consent.
Article 15: Where network operators transfer children's personal information to third-parties, they shall conduct security assessments, either on their own or by retaining a third-party body, and acquire the explicit consent of the children's guardians.
Article 16: Network operators must not disclose children's personal information, except where laws and administrative regulations provide it shall be disclosed, or where disclosure is necessary based on agreements with children's guardians.
Article 17: Where children's guardians discover that children's personal information gathered or stored by network operators has errors, they have the right to request the network operators make corrections. Network operators shall promptly employ corrective measures.
Article 18: Where children or their guardians request that network operators delete their children's personal information that has been collected, retained or used; the network operators shall promptly employ measures to delete it, including but not limited to the following circumstances:
(2) Where the purpose, scope, or time period for the collection, retention, use, transfer, or disclosure of children's personal information was exceeded;
(3) Where the children's guardians withdraw consent;
(4) Where children or their guardians terminate use of the products or services through methods such as deregistration.
Article 19: In any of the following circumstances where network operators collect, use, transfer, or disclose children's personal information, they may do so without the children's guardians' explicit consent:
(1) For the preservation of national security or the societal public interest;
(2) To eliminate emergency threats to children's person or property;
(3) Other situations provided for by law or administrative regulations.
Article 20: Where network operators discover that leaks, destruction, or losses of children's personal information has occurred or might occur, they shall immediately initiate emergency response plans and employ remedial measures; where serious consequences are caused or might be caused, they shall immediately report to the relevant competent departments and inform impacted children and guardians of the incident by means such as e-mail, post, phone, or push message; and where it individual notice is difficult, shall employ reasonable and effective measures to publish related warning information.
Article 21: Network operators shall cooperate with oversight inspections carried out by the State Internet Information Office and other relevant departments in accordance with law.
Article 22: Where network operators stop product or service operations, they shall immediately stop activities collecting children's personal information, delete children's information in their possession, and immediately inform children's guardians of the operation stoppage.
Article 23: Where any organization or individual discovers conduct violating these Provisions, they may report it to the State Internet Information Office or other relevant departments.
Where the State Internet Information Office and other relevant departments receive reports, they shall handle it based on their duties.
Article 24: Network operators that insufficiently implement responsibility for security management of children's personal information, and there are larger security risks of security incidents occur, the State Internet Information Office is to give them a talking to in accordance with law, and the network operators shall follow the requests of the talk to promptly employ measures, carry out corrections, and eliminate the threats.
Article 25: Where these provisions are violated, the State Internet Information Office and other relevant departments, in accordance with their duties, and based on article 64 of the "P.R.C. Cybersecurity Law" are to order that corrections be made, and either independently or concurrently give warnings, confiscation of unlawful gains, and/or fines of between 1 to 10 times the amount of unlawful gains; where there are no unlawful gains the fine is up to 1,000,000 RMB, and a fine of between 10,000 and 100,000 RMB is to be given to directly responsible managers and other directly responsible personnel, where the circumstances are serious, a fine of between 50,000 and 500,000 RMB is to be given, and the relevant competent departments may order a temporary suspension of operations, a suspension of business for corrections, closing down of websites, cancellation of relevant operations permits, or cancellation of business licenses; where a crime is constituted, criminal responsibility is pursued in accordance with law
Article 26: Where legal responsibility is pursued for violations of these Provisions, record it in the credit archives and make it public in accordance with relevant laws and administrative regulations.
Article 27: 'Children' as referred to in these Provisions refers to minors who are not yet 14 years-old.
Article 28: These Provisions take effect on XX/XX 2019.