China Strengthens the Protection of Minors in Cyberspace

On 24 October 2023, China issued the Regulations on the Protection of Minors in Cyberspace (the "Regulations"), which will take effect on 1 January 2024.

In this article, we introduce the key provisions of the Regulations and set out our views.

Background

I. Seven-year consultation process

In 2014, the State Council included the Regulations in the legislative programme. In September 2016, the Cyberspace Administration of China (“CAC”) issued the first draft of the Regulations and solicited comments from the public. In January 2017, the former Legislative Affairs Office of the State Council solicited second-round comments on the Regulations. In March 2022, the CAC solicited comments for the third time. In 2023, the State Council re-emphasis the Regulations again in the annual legislative programme. In September 2023, the State Council reviewed and approved the Regulations and issued on 24 October 2023.

The Regulations took a long time to finalise, considering:

  1. the convergence with other relevant laws and regulations, including the Provisions on the Cyber Protection of Children's Personal Information (“Children Information Provisions”) issued in 2019, Minors Protection Law (2020 revision), and the Personal Information Protection Law (“PIPL”) issued in 2021;

  2. the rapid development in internet industry, such as short videos and live streaming.

II. The legal framework for the protection of minors in cyberspace

The Regulations are formulated in accordance with the Minors Protection Law, Cybersecurity Law and the PIPL. The Regulations also refer to other regulations, thus constituting China's first specialised comprehensive legislation to protect minors in cyberspace.

  1. Minors’ Protection Law: Chapter 5 outlines general guidelines for information management in cyberspace, the protection of minors' information and the prevention of addiction among minors. The regulations build on these requirements with more detailed provisions.
  2. PIPL: Article 28 defines the data of minors under the age of fourteen as sensitive personal data and Article 31 requires data controllers to establish special rules for the processing of personal data of children and to obtain the consent of the child's parents or guardians for the processing of the child's personal data.
  3. Cybersecurity Law: Article 13 states that China supports the research and development of internet products and services beneficial to the minors and legally punishes activities that use the internet to harm the physical and mental health of minors. The regulations refine these provisions in Chapters 2 and 3.
  4. Children Information Provision It sets out several requirements for the processing of personal data of minors under the age of fourteen. The Regulations refer to some of these provisions. Compared to the Children Information Provision, the scope of the Regulations extends to all minors from those who have not reached the age of 14. The Regulations have a higher legal effect than the Children Information Provision. In the event of any inconsistency between the Children Information Provision and the Regulations, the Regulations shall prevail.

There are also various regulations related to the protection of minors in cyberspace issued by various departments, such as the Notice on Preventing Minors from Becoming Addicted to Online Games, the Opinions on Regulating Online Live Streaming Rewards and Strengthening the Protection of Minors, and the Notice on Further Strengthening the Management of Chaos in "Fans Clubs".

KEY PROVISIONS AND OBSERVATIONS

I. Scope of application and definitions

The regulations apply to schools, guardians and various market players who carry out activities in cyberspace in relation to minors.

  1. Minors: The Regulations do not specify the age of minors. According to the Minors Protection Law, minors are defined as citizens under the age of eighteen. It is assumed that the Regulations follow this definition.

    PIPL and the Children Information Provision target minors under the age of fourteen. The Regulations extend the requirements for processing the personal information of minors to those between the ages of fourteen and eighteen.

  2. Market entities:
    1. Providers of internet products and services: The Cybersecurity Law defines the “internet” as a system that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures using computers or other information terminals and related equipment. Therefore, "Internet product and service providers" cover a wide range. Specific sectors mentioned in the Regulations include internet education, online gaming, live streaming, audio-video services and social networking.
    2. Personal information processors: The Regulations do not define personal information processors. According to the PIPL, personal information processors are organisations or individuals who independently determine the purposes and means of processing personal information.
    3. Manufacturers and sellers of smart terminal products: Smart devices are networked devices such as mobile phones and computers that can connect to the Internet, have an operating system and allow users to install application software.
  3. Regulatory institution: The CAC is responsible for supervising and coordinating the protection of minors in cyberspace. Sectoral regulators such as the National Press and Publication Administration, the State Film Administration, the Ministry of Education, the Ministry of Telecommunications, the Ministry of Public Security, the Ministry of Civil Affairs, the Ministry of Culture and Tourism, the National Health Commission, the State Administration for Market Regulation and the State Administration for Radio and Television are responsible for supervising the activities related to the protection of minors online in their respective sectors.

II. Promoting Minors' Cyber Literacy

The Regulations set forth provisions to improve the ability of minors to use the internet effectively:

  1. Promoting the use of internet technologies, products, and services for minors: The Regulations encourage the development of protective software, smart terminal products suitable for minors, modes, and designated areas specifically designed for minors.
  2. Minor protection software and smart terminal products should have minor-specific functions: It should include the ability to effectively identify illegal information, content that may harm minors' physical and mental health, protect their personal information rights, prevent internet addiction, and facilitate guardians in performing their duties. 
    The CAC will then issue standards or requirements to assess the effectiveness of such software and products.
  3. Smart devices for minors should install protection software for minors: Manufacturers must install minor protection software on products or clearly inform users about installation channels and methods. Sellers should also inform users about the installation of such software before selling the product.
  4. Specific obligations for service providers of online platforms with a large number of minor users or with a significant impact on the minor community
    1. Conduct regular impact assessments on the protection of minors online. The specific content and methodologies for these assessments are to be clarified and will be guided by subsequent rules or standards;
    2. Provide a minor mode or designated area for minors;
    3. Establish an independent body, composed mainly of external members, to oversee the protection of minors online;
    4. Developing platform rules setting out the obligations of product or service providers on the platform for the protection of minors online and prominently informing minor users of their legal rights to protection online and of the remedies available in the event of harm online;
    5. Discontinue the provision of services to providers within the platform that seriously violate laws and regulations, harm the physical and mental health of minors, or violate other legal rights of minors;
    6. Publish an annual social responsibility report on the protection of minors online.

Compared to the Draft 2022, the Regulations clarify that online platform service providers only need to meet either the quantitative standard (i.e., a large number of users) or the qualitative standard (i.e., a significant impact on the group of minors). The CAC will later issue rules to define these criteria.

III. Managing Online Information Content

  1. Prohibition of online information harmful to the health of minors: Compared to the 2022 draft, the Regulations specifically identify information harmful to minors' health as content that promotes obscenity, pornography, violence, cults, superstition, gambling, self-harm, suicide, terrorism, separatism, extremism, etc.

    Most of these categories correspond to the "illegal information" outlined in the CAC 2020 "Regulations on the Ecological Management of Network Information Content".

    Information promoting self-harm and suicide comes from the CAC's 2020 special campaign on the online environment for minors during the summer holidays, which included a comprehensive search for groups and circles promoting self-harm among young people, such as the "Blue Whale Death Game".

  2. Restricting the presentation of information potentially harmful to minors' health: This includes information that could lead to unsafe behaviour, violation of social ethics, extreme emotions or bad habits among minors. The CAC will later define the specific types, scope and criteria for such information.

    For the management of internet information that may affect the mental and physical health of minors, the regulations impose the following requirements:

    1. For network products or services that are not exclusively aimed at minors, organisations and individuals may produce, copy, publish and disseminate such information, but should provide a prominent warning before the information is displayed, otherwise the information may not be transmitted.
      The CAC will determine the requirements for such notices.
    2. For internet products and services specifically targeted at minors, any organisation or individual is prohibited from creating, copying, publishing or disseminating such information.
    3. Providers of internet products and services shall not present such information in prominent parts of their product or service, such as the home page, pop-ups, or trending searches, that are easily visible and likely to attract users' attention.
  3. Prohibition of automated decision-making in commercial marketing to minors: Providers of online products and services are prohibited from using automated decision making for commercial marketing to minors.

    The PIPL requires options for non-personalised advertising or easy opt-out for automated decision making in personal information push and marketing. Considering minors' immature views on consumption and lower self-control, the regulations offer stricter protection.

  4. Prohibition of cyberbullying: This includes insulting, slandering, threatening, or maliciously damaging the image of minors.

    Providers of Internet products and services should:

    1. Establish mechanisms for early warning, identification, monitoring, and handling of cyberbullying;
    2. Provide channels for minors and their guardians to save records of cyberbullying and exercise notification rights;
    3. Offer options to protect against cyberbullying, such as blocking unknown users, controlling visibility of posts, prohibiting reposts or comments, and blocking messages;
    4. Build a database of cyberbullying characteristics and optimize algorithms using AI, big data, and manual review to strengthen identification and monitoring.
  5. User management obligations for providers of online products and services: Providers should take effective measures to prevent the production, copying, publication and dissemination of information harmful to the mental and physical health of minors, potentially harmful information in products or services aimed at minors, and cyberbullying.

    If harmful information is discovered, service providers must immediately take measures such as deleting, blocking or disabling links to prevent its dissemination, keep relevant records, report to authorities such as the CAC and public security authorities, and act against users who produce, copy, publish or disseminate such information, including issuing warnings, restricting functions, suspending services or closing accounts.

IV. Protecting Personal Information of Minors

  1. The obligations in line with the PIPL
    1. Exercise of personal information rights: The Regulations contain stricter provisions than the PIPL regarding the exercise of personal information rights by minors or their guardians. For example, if a personal information processor refuses a request by a minor or his or her guardian to exercise his or her rights, the processor must notify the requestor in writing and explain the reasons. The PIPL does not specify the requirement for a written explanation.
    2. Annual compliance audit requirements: The PIPL requires personal information processors to conduct regular compliance audits of their personal information processing activities. However, the Regulations specifically require processors to conduct an annual compliance audit of their activities involving the personal information of minors and to report the audit results to the CAC and other relevant departments in a timely manner. In practice, it remains to be clarified whether companies need to conduct a separate audit for the processing of minors' personal information in addition to the audit required by the PIPL, or whether the latter can be integrated as part of the annual audit. Further rules or standards are expected to provide clarity on this issue.
  2. The obligations in line with the Children Information Provision
    1. Measures in response to personal information incidents: In case of actual or potential leakage, alteration or loss of minors' personal information, personal information processors shall immediately initiate a personal information security incident contingency plan, take remedial measures, promptly report to the CAC and other relevant departments, and notify the affected minors and their guardians of the incident by e-mail, letter, telephone or information push according to national regulations.

      Compared to Article 21 of the Children Information Provision, the requirements are more stringent. While the Children Information Provision only requires reporting to the relevant authorities in cases that are likely to have serious consequences, the Regulations require the timely reporting of all actual or potential personal information incidents to the regulatory authorities.

    2. Access Management: When employees access the personal information of minors, they must obtain the approval of the responsible person or authorised manager, record the access details and implement technical measures to prevent the unlawful processing of the personal information of minors.
  3. Other obligations:
    1. Verification of true identity information:
      • Internet service providers offering services such as information publishing and instant messaging to minors shall legally require minors or their legal guardians to provide the minors' real identity information.
      • Providers of live streaming services shall establish a dynamic verification mechanism for the real identity information of live stream broadcasters. They should not provide live streaming services to minors who do not meet the legal requirements.
    2. Management of private information:

      According to the Civil Code, private information refers to information relating to the private life of an individual and personal information that the individual does not wish to be known by others, such as photographs of body parts.

      Article 73 of the Minors Protection Law sets out requirements for the protection of private information, which are further elaborated in the Regulations:

      • If Internet service providers discover that private information of minors or private information involving minors has been published online, they shall immediately report it and take necessary protective measures, such as stopping the transmission of such information, to prevent its dissemination.
      • If Internet service providers find that private information of minors may cause harm to a minor, they shall immediately take the necessary measures to preserve relevant records and report to the public security authorities.

V. Preventing Addiction to the internet

  1. Anti-addiction system: Internet product and service providers are required to establish and improve an anti-addiction system. They must not provide products and services that are addictive to minors and should change any content, functions or rules that could potentially lead to addiction. Providers are also expected to publish annual reports on their anti-addiction efforts and be open to public scrutiny.
  2. Special obligations for providers of online games, live streaming, audio-Video Services, and Social Networking:

The Regulations require providers of internet services such as games, live streaming, audio-video and social networking services to impose restrictions on minors in terms of time spent, money spent and participation in fan voting or ranking activities. As the Regulations do not specify the precise standards for these restrictions, effective implementation should currently follow other existing rules.

  1. Time and duration restrictions: Providers should set minor modes based on the age and usage characteristics of minors, and provide services in accordance with national regulations and standards regarding usage times, duration, functions and content.
    For example, the national press and publication administration's 2021 notice limits minors to one hour of online gaming services daily between 8pm and 9pm on fridays, saturdays, sundays and legal holidays, and does not provide services at other times.
  2. Consumption restrictions:Providers should reasonably limit the amount minors spend per transaction and total daily spending, and should not provide paid services beyond their civil capacity.
    The 2019 Notice on Preventing Minors from Becoming Addicted to Online Games stipulates that online companies should not provide paid services to users under 8 years old. For the same online gaming company, users aged over 8 but under 16 are limited to a single recharge amount of no more than RMB 50 and a total monthly recharge amount of no more than RMB 200. Users aged over 16 but under 18 are limited to a single recharge amount of no more than RMB 100 and a total monthly recharge amount of no more than RMB 400.
    The 2022 Opinions on Regulating Online Live Streaming Rewards and Strengthening the Protection of </span><span>Minors</span><span> state that minors are prohibited from participating in live streaming tipping, and that no form of tipping service, such as cash recharge, purchase of ;">
  3. Limitations on Fan Culture (Chasing Stars): Providers should not create online communities, groups or topics for the purpose of fundraising, voting and manipulating views or comments. They should prevent and discourage users from encouraging minors to participate in such activities.
    The Notice on Further Strengthening the Governance of Chaos in "Fan Clubs" prohibits minors from spending on fan support, restricts their participation in voting, and specifies that online activities of fan clubs should not interfere with minors' normal study and rest, and should not organise online meetings.
  4. Additional obligations for online game service providers: In addition, game service providers should use uniform electronic identity authentication systems for minors, not offer account rental or sale services to minors, and implement age-appropriate warnings.

CONCLUSION

The Regulations set out several different requirements based on the nature of the products or services and the data processing behaviour of providers of network products and services, processors of personal data, and manufacturers and sellers of intelligent terminal products. Companies should, in accordance with their own roles, especially those that tend to overlap in practice, comply with the requirements for the protection of minors on the network at all stages of the design, research and development, and operation of their network services and products, and at the same time be mindful of the convergence with the PIPL and the Children's Information Provision, and pay attention to the subsequent implementation of the relevant standards.

Latest insights

More Insights
Carabiner

CSDDD is here to stay; the EU clock is ticking for mandatory supply chain due diligence

Jul 12 2024

Read More
pink tiles on grey background

Compliance countdown begins as EU AI Act prepares to take effect

Jul 12 2024

Read More
Multiple Magnifying Glasses on teal background

The Civil Collective Proceedings Act

Jul 12 2024

Read More