China’s Regulation on Protection of Minors in Cyberspace

Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Published March 4, 2024

Decree No. 766 of the State Council of the People’s Republic of China, also known as the Regulations on the Protection of Minors on the Internet, was adopted at the 15th executive meeting of the State Council on September 20th, 2023. Following its adoption, the Cyberspace Administration of China (CAC) published the Regulations on October 24th, 2023. The CAC is responsible for supervising and coordinating the protection of minors in cyberspace.

The Regulations carry several obligations for various government bodies, departments, schools, online products, and service providers, especially those providing network products and services to minors.

These obligations require all subject organizations to consider the impact of their offerings on the physical and mental health of minors and to mitigate any harmful effects through design, implementation, development, and research.

These regulations and the subsequent obligations will come into effect on January 1st, 2024.

Application of the Regulation

The regulations apply to guardians, schools, and various market players who carry out activities in cyberspace in relation to minors. The following entities comprise the market players:

  1. Internet product and service providers: The Cybersecurity Law defines the “internet” broadly as a system that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures using computers or other information terminals and related equipment.
  2. Personal information processors: The Regulations do not define personal information processors. However, the Personal Information Protection Law defines personal information processors as organizations or individuals who independently determine the purposes and means of processing personal information.
  3. Manufacturers and sellers of smart terminal products: Smart devices are networked devices such as mobile phones and computers that can connect to the Internet, have an operating system, and allow users to install application software.

General Provisions

The general provisions of these Regulations include the following:

  • These Regulations have been formed in accordance with the Law of the People's Republic of China on the Protection of Minors, the Cyber Security Law of the People's Republic of China (CSL), the Personal Information Protection Law of the People's Republic of China (PIPL) and other relevant regulations;
  • All regulations meant to protect minors must adhere to the leadership of the Communist Party of China, the guidance of socialist core values, and the principle that is most beneficial to minors;
  • The State Network Information Department shall be responsible for coordinating the network protection of minors;
  • Any organization or individual that finds a violation of the provisions of these Regulations may complain and report to relevant departments;
  • The department that receives the complaint and report shall deal with it in a timely manner in accordance with the law;
  • Organizations and individuals that make outstanding contributions to the network protection of minors will be commended and rewarded in accordance with the relevant provisions of the State.

Promotion of Network Literacy

All relevant organizations subject to these Regulations must undertake the following measures related to the promotion of network literacy:

  • Any software developed for specific use by minors must have the appropriate in-built mechanisms to effectively identify illegal information that may impact the physical and mental health of minors, prevent minors from using the Internet, or pose any significant threats to the minors’ personal information;
  • Manufacturers of all smart devices designed specifically for minors must install appropriate network protection software on all such products before they leave the factory while also providing the necessary resources to inform the users of these measures;
  • Network platform service providers that have a significant number of users or possess a significant impact on a group of minors are subject to the following obligations:
    • They must fully consider the characteristics of the physical and mental health development of minors while designing, researching, developing, and operating their network platform services by carrying out regular impact assessments;
    • Provide minors with specific platforms or areas within existing platforms to facilitate their physical and mental health;
    • Establish and improve a compliance system in accordance with national regulations as well as an independent body composed mainly of external members to supervise the network protection of minors on the platform;
    • Follow the necessary principles of openness, fairness, and justice when creating guidelines meant to protect minors on the platform;
    • Cease services to products or service providers that seriously violate the physical and mental health of minors or infringe on other legitimate rights and interests of minors in violation of other administrative regulations;
    • Issue a special social responsibility report on the online protection of minors on their platform annually.

Specifications of Network Information Content

  • No organization should produce, reproduce, publish, or disseminate network information that contains content that endangers the physical and mental health of minors;
  • No organization may produce, copy, publish, disseminate, or hold obscene and pornographic online information about minors;
  • If any network product or service contains information that may result in minors imitating unsafe behaviors or acts, developing bad hobbies, or generating extreme emotions that affect the mental and physical health of minors, the organization developing such a product or service must display a significant prompt or warning before any such information is displayed and no organization or individual shall produce, copy, publish or disseminate the information;
  • The State Department of Network Information, together with the State Press and Publication, Film Department and the Education, Telecommunications, Public Security, Culture and Tourism, Radio and Television, and Other Departments of the State Council, must collaborate and determine the specific types, scope, judgment standards and tips of information that may affect the physical and mental health of minors;
  • No organization can coax or force a minor to access online information that may contain content harmful to their physical or mental health;
  • No organization can engage in behaviors that insult, slander, threaten, or damage the image of minors in the form of text, pictures, audio, and video through the Internet;
  • Network product and service providers must establish an early warning, prevention, identification, monitoring, and disposal mechanism for cyberbullying;
  • Network product and service providers must set up functions and channels that help minors and their guardians keep records of cyberbullying and make it easier for minors to block users engaging in cyberbullying;
  • No organization or individual will organize, instigate, coerce, induce, deceive, or help minors to commit illegal and criminal acts in the form of text, pictures, audio, and video through the Internet;
  • Network product and service providers must take strict actions to restrict the unlawful release of users’ information;
  • Network product and service providers must take relevant actions such as deletion, blocking, and disconnection of links providing access to such information;
  • Network product and service providers must issue warnings, restrict functions, and, in extreme cases, suspend services for users that produce, copy, release, and disseminate such information.

Protection of Personal Information

Here are the measures all subject organizations must undertake related to protecting any personal information they may have collected:

  • If an Internet service provider provides a product or service specifically for minors, it must require the guardian or the minor to provide their true identity in accordance with the necessary regulations. In case such identification cannot be provided, the service provider cannot give such users access to their services;
  • The service provider must establish a dynamic verification mechanism that verifies the user information promptly;
  • All such service providers must adhere to the provisions of the national network information department and relevant departments when processing non-essential personal information;
  • The guardians of minors that use such services must adequately educate and guide minors to raise their awareness related to protecting their personal information and understanding the security risks of personal information;
  • The guardians must also guide minors in exercising their right to access, copy, correct, supplement, and delete all personal information collected from them;
  • If a minor or their guardians request to access, copy, correct, supplement, and delete all personal information collected from them, the personal information processor must abide by the following obligations:
    • Provide a convenient method to exercise their rights;
    • Provide convenient functions within the method to exercise their rights;
    • If a minor or their guardian’s request to access, copy, correct, supplement, and delete all personal information collected from them is denied, they must be informed in writing with the relevant reasons.

  • The personal information processor shall provide a way to transfer if the request made by the minors or their guardians is made in accordance with the law and the conditions of the national network information department;

  • In case of a data breach affecting minors’ personal information, the personal information processor must immediately initiate the incident response plan and take the remedial and administrative measures necessary under various relevant regulations;
  • If the personal information processor cannot inform each affected individual of the data breach, they must publish the news within the stipulated period and abide by the laws and administrative regulations;
  • The personal information processor must strictly limit its own staff members’ access rights to minors’ personal information based on the principle of least privilege;
  • The personal information processor must conduct an annual compliance audit of the measures in place to handle minors’ personal information;
  • If the personal information processor discovers minors’ personal information published anywhere on their network, they must promptly take the necessary steps to prevent the proliferation of such information.

Prevention & Control of Internet Addiction

Here’s what each subject organization must do related to the prevention and control of minors’ internet addiction:

  • All network product and service providers must establish an anti-addiction system, refrain from addiction-inducing products and services, modify content, functions, and rules in a timely manner, and announce anti-addiction work to the public every year;
  • All online games, online live broadcasts, online audio and video, online social, and other network service providers must adhere to the principles of integration, friendliness, practicality, and effectiveness in accordance with relevant national regulations and standards and provide time management, authority management, consumption management, and other functions for guardians to perform guardianship duties;
  • All online games, online live broadcasts, online audio and video, online social, and other network service providers must undertake measures to limit the single-day internet consumption of minors of different ages;
  • All online games, online live broadcasts, online audio and video, online social, and other network service providers must not set up online communities, groups, and topics with the theme of assistance fund-raising, voting, ranking, volume control, and evaluation to induce minors;
  • All online games, online live broadcasts, online audio and video, online social, and other network service providers must verify the true identity of all minors using their platforms and must not provide game account rental and sales services for minors;
  • All online games, online live broadcasts, online audio and video, online social, and other network service providers must limit minors’ access to functions that may potentially affect their mental and physical health;
  • It is strictly prohibited for an organization or individual to interfere in internet addiction and infringe upon the rights and interests of minors by using tactics that exploit or coerce minors on the internet.
  • Any network service providers found in violation of their obligations may face fines ranging from 50,000 yuan to 500,000 yuan. The staff and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan;
  • If any network platform service provider fails to make corrections, they can be fined not more than 1 million yuan;
  • The staff and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan;
  • In case of serious issues, government departments such as network information, press, telecommunications, public security, culture, and tourism may order corrections, confiscate illegal income, and impose fines (up to 50 million yuan or a percentage of the previous year's turnover);
  • Any network service providers that do not display appropriate warnings to minors may face a fine of not more than 100,000 yuan;
  • Any network service providers that are found violating their obligations may face a fine of not more than 100,000 yuan;
  • Violations of these Regulations resulting in harm to a minor's rights lead to civil liability. Public security violations incur punishment according to relevant laws, and if a crime is committed, criminal responsibility will be investigated according to the law.

How Securiti Can Help

China is one of the few countries to have adopted a highly proactive approach toward protecting its citizens’ data and information. Its three distinct regulations, the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and Cyber Security Law (CSL), all carry obligations governing how organizations must manage their users’ data.

These Regulations are another addition to a series of measures China’s CAC has adopted to manage how the Internet evolves and is used within the country. Hence, organizations need an effective and efficient solution to address these obligations.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments.

The Data Command Center gives organizations access to critical modules and solutions designed to ensure compliance with the plethora of obligations China’s extensive data regulations place on organizations.

Request a demo today and learn more about how Securiti can help your organization comply with CAC’s latest Regulations on the Protection of Minors on the Internet, as well as all of China’s other data-related regulations.
