China
Cyber protection of Children’s Personal Information
China’s cyberspace administration has enacted a law titled “Cyber Protection of Children’s Personal Information” to protect children’s online privacy. The Act contains various provisions that require network operators to maintain the rightness, purpose and security guaranteed when collecting, transferring or disclosing data. The law applies only to children under 14 years old on the territory of mainland China. The term “network operator” used pursuant to the Act applies to all network operators, websites and application operators. Section 9 of the Act requires that network operators obtain parental consent prior to collecting, using, and transferring personal information about children. The guardian and the children have the right to request the operator to delete and modify all data stored in it if deemed erroneous. In case of a threat of data breach, the network operator must inform the guardian of this threat via email, phone or push notification. In case of a threat of data breach, the network operator must inform the guardian of this threat via email, phone or push notification. If the network operator breaches provisions of the Act, this can have several consequences.
For example, if the system operator does not comply with the requirements of the regulations and there is a significant safety risk or a safety accident. Cybersecurity and information administration officials may have to interview the network operator and require the network operator to correct and eliminate the potential risks. If the Network Operator’s behaviour involves a violation of other laws or regulations (including the Cybersecurity Law or the Administrative Measures on Internet Information Services), authorities impose appropriate liability (including criminal) accordingly.
As China’s first legislation focused on protecting children’s PI in China, the Regulation is a milestone. Key concepts include:
- the designation of an individual primarily responsible for protecting children’s PI,
- specialized terms of use and privacy policy, and
- prior consent of guardians.
However, the Regulations do not specify specific details of its implementation, particularly for identifying guardians and obtaining consent. Nonetheless, network operators can already make certain compliance adjustments: operators of websites and applications used by children should prepare conditions of use and privacy regulations specific to children who designates a particular person in charge of the children’s PI protection; network operators without minor users would need to adjust their registration rules to ensure that children are not using their services.
European Union
General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation recognizes that children’s data should be afforded special protection because they may be little aware of the risks and consequences of data sharing. General Data Protection Regulation or GDPR refers to the world’s most robust set of data protection laws that regulates the data shared by the people to the organizations and the safety, privacy, concerns to be taken by them regarding such data. The European Parliament and Council agreed upon GDPR in April 2016 to replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens’ data. The US law COPPA and China’s children’s privacy protection laws are drawn based on the GDPR. This Regulation was enacted across 28 European Union member states regarding the protection of data breaches. GDPR provides the citizens of the EU nations to have control over their data used for business purposes by the organizations so that the citizens can bloom with the businesses in the European Union. This law works on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It sets the liability over controllers and processors of an organization’s data to legally collect the owner’s data and secure it from any data breach.
As far as the right to privacy of children is concerned, the provisions of the GDPR stipulate that the processing of a child’s data is legal when the children are 16 years old. If the children are less than 16 years old, the data processing will be legal only after the consent given by the parent or authority. The minimum age for children under the Act is 13.
The reforms designed reflect the world we live in now and bring laws and obligations around personal data, privacy and consent across Europe up to speed for the internet-connected age.
Fundamentally, almost every facet of our lives is data-driven. Whether it’s social media companies, banks, retailers, or governments, virtually all the services we use include collecting and analyzing our data.
The data comprises name, address, credit card number and more are collected, analyzed and, perhaps most importantly, stored by organizations.
When it comes to compliance, under the terms of GDPR, not only do organizations have to ensure that personal data is gathered legally and under strict conditions but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so. If they fail to comply, it can result in a fine ranging from 10 million euros to four per cent of its annual global turnover.
Fines depend upon the seriousness of the violation and whether the company has taken safety compliance and Regulation sufficiently seriously.
As of now, the maximum fine of 20 million euros or four per cent of worldwide turnover for infringements of the rights of the data subjects, unauthorized international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for their data.
India
The personal data protection bill 2019
The Personal Data Protection Bill,2019, was first tabled by the government of India in Parliament in December 2019. The bill seeks to protect the personal data of the individual and establishment a data protection authority for the same. Chapter IV of the Personal data protection bill provides provisions for processing the children’s and sensitive personal data. It further provides that the government shall do the personal data processing, companies incorporated in India and foreign companies dealing with the personal data, collectively known as “data fiduciary”. Section 16 of the bill lays down the grounds regarding data processing. It states that every fiduciary shall process the data in such a manner that serves the children’s best interest, protecting the children’s rights. The data fiduciary shall verify the age of the children and obtain parental consent before processing any personal data in case of minors. This Regulation brings the data fiduciaries like online commercial services or websites directed to children for educational or extensive data processing purposes as the “guardian fiduciaries”. The guardian fiduciaries providing counselling or child protection shall be exempted from obtaining parental consent. The provision shall bring the educational institutions and the counselling institutions within the ambit of “guardian fiduciaries”. The Data Protection Authority, a regulating body, incorporated under the Act’s provisions, shall have the right to protect the interest of individuals and prevent the misuse of data. If the data fiduciary is found to have indulged in violation or irregularities while processing data, it shall be punished with a fine of 15 crores or 4 per cent of the total annual turnover, whichever is higher.
Now, since the bill hit due to the pandemic, and the bill passes and becomes a fully-fledged Act, the children’s right to privacy shall be protected under the provided provisions of the Act.
United Kingdom
The UK Council for Child Internet Safety (UKCCIS)
UK Council for Child Internet Safety was a group of more than 200 organizations drawn from government, industry, law, academia and charity sectors that work in partnership to help keep children safe online. It has several publications focusing on kids’ privacy and safety.
Some of them include:
Education for a Connected World- Framework
The education for a Connected World framework describes the Digital knowledge and skills that children and young people should have the opportunity to develop at different ages and stages of their lives. Its impact on behaviour and development and their skills to navigate it.
The document supports a vital objective of the Government’s Internet Security Strategy to help children remain safe and contribute positively online, enabling teachers to develop effective strategies to understand and manage online risks.
Children’s Code or Code
The Children’s Code was released by the UK Information Commissioner (ICO) in September 2020, was mandated by Section 123(1) of the UK Data Protection Act of 2018 (UK DPA); it comprises 15 age-appropriate design standards covering entities to must adopt and implement.
The Code was designed to provide a risk-based approach to protecting children’s data, allowing children to enjoy the benefits of online services while ensuring companies engage in proportionate data collection and use. By conforming to the standards, businesses should comply with the UK Data Protection Act and EU General Data Protection Regulation that govern the handling of children’s data.
The Code applies broadly to online services “provided for remuneration”—including those supported by online advertising—that process the personal data of and are “likely to be accessed” by children under 18 years of age, even if those services are not targeted at children.
The ICO intended that this phrase be interpreted broadly to cover services that business targets to children and those that children are “more probable than not” to access while not covering all services that children could access.
Factors to consider include whether children are likely to be attracted to the nature and content of the service and how users can access the service (e.g., whether a business uses an age-gate). To make this determination, businesses can analyze market research, other sources of online user behaviour, or the user base of similar services.
Distinct to the US the Children’s Privacy Act, which gives parents the power to control the collection, the use and disclosure of their kids’ data, the Code requires companies to process data for the best interests of children and that children receive the information and tools necessary to exercise control over their data.
The Code’s standards are meant to be technology-neutral design principles that are flexible enough for businesses to apply to different services and technologies. The standards do not ban or specifically prescribe services and “will never replace parental control and guidance, [but] will help people have greater confidence that their children can safely learn, explore and play online.”
Brazil
Bill 4695/20
This unique named bill 4695/20 determines that distance learning technology platforms observe, in the collection and sharing of personal data of students, parents and teachers, the requirements set out in the General Data Protection Law (LGPD).
The Data Protection Law was developed under analysis by the Chamber of Deputies; this proposal amends the Law on Educational Guidelines and Bases, establishing that platforms must guarantee, whenever possible:
- The use of technology without providing and sharing personal data; and
- Failure to collect and make sensitive data sensitive to racial or ethnic origin, religious or political beliefs, membership in a union or organization of a religious, philosophical or political nature, health or sexual life, genetics or user biometrics.
Additionally, the text provides that the processing, collection and sharing of data from education professionals, parents or guardians and students only occur with their prior and express consent. The data for training artificial intelligence systems will also need to have consented.
Did we miss any? If yes, do write to us.
