根据共青团中央维护青少年权益部、中国互联网络信息中心联合发布的《2019年全国未成年人互联网使用情况研究报告》,中国有1.75亿未成年人是互联网用户,占18岁以下总人口的93.1%;而小学生在学龄前就使用互联网的比例已达32.9%。尽管互联网“冲浪”有着很多裨益,随之而来的风险也不可忽视——未成年人个人信息暴露在网络世界中可导致网络霸凌、不恰当内容浏览、网络诈骗等。据中国新闻网报道,在今年的全国两会上,全国政协委员、北京市通州区人民法院副院长李迎新提交了《关于进一步加强未成年人个人信息保护的提案》,提出我国关于未成年人个人信息保护的法律法规虽然在不断完善,但依然存在一些不足。律师与行业专家指出,若要为未成年人营造安全可靠的互联网环境,仍需社会各方的共同努力。
法律严保护的同时仍需更明晰的规定
中国在法律、行政法规、部门规章、地方立法和国家标准等方面均对未成年人个人信息保护做出了相关规定。斐石律师事务所顾问张德昊律师告诉ALB,整体而言,中国在未成年人个人信息保护方面,既要遵循《民法典》《网络安全法》等关于个人信息的一般保护的规范,同时要遵守《未成年人保护法》等特别法中关于未成年人个人信息保护的相关规定,结合网信办的《儿童个人信息网络保护规定》,中国对未成年人个人信息正在实施更加严格的保护。
然而,张律师还指出,法律仍需对互联网产品和服务实际使用过程中存在的诸多问题做出明确规定,才能得以健全。
1. 未成年人用户的识别
“如何知道屏幕对面的人是未成年人?很多企业的产品是不区分使用者年龄的。此时,未成年人个人信息的收集和存储与一般成年人个人信息相比并无二致。如果要进行区分,就可能需要未成年人的年龄或出生日期。若产品本身不收集这类信息,仅为区分儿童用户和非儿童用户而收集,是否又超出了正常产品功能所需个人信息的必要范围?企业将因此陷入两难,尤其是前几日四部委刚刚出台了《常见类型移动互联网应用程序必要个人信息范围规定》,其中对必要个人信息的范围进行了进一步明确,很多类型的app上是不需要出生日期或者年龄作为必要信息的。”张律师举例说道。
2. 监护人对处理未成年人个人信息的同意
尽管《App违法违规收集使用个人信息行为认定方法》上要求个人明确同意隐私政策,以及同意手机权限、SDK清单等,但在张律师看来,这也只是在形式上完成了同意,无法保证用户真正阅读并理解隐私政策,知悉他们所同意的内容。因此,张律师建议强制性法律明确个人信息保护中“同意”的有效条件和标准,或提供一套类似美国COPPA取得监护人有效同意的指引,从而降低未成年人个人信息保护中取得同意的难度。
企业能做什么
张律师呼吁企业重视未成年人个人信息保护问题,并建议,如果其产品或服务涉及未成年人个人信息,那么企业应在设计产品之前就考虑Privacy by Design的问题,甚至考虑进行数据保护影响评估(DPIA);在产品设计中,企业应引入未成年人个人信息保护的特别关注,比如隐私政策等通知、监护人同意机制、产品适龄性设计等。
张律师还强调,在保护未成年人个人信息之前,企业还需要思考自身是否已经建立起一套保护所有用户(包括成年人和未成年人)个人信息合规体系。
“很多时候,对未成年人的保护是基于对所有用户的保护基础之上的,如果地基都没有,无论多高的楼都只是空中花园。”张律师说。
ALB Analysis: To protect kids online, it takes a village
According a report last year from the Chinese Communist Youth League Central Committee and the China Internet Network Information Center, a total of 175 million Chinese minors are Internet users, accounting for a staggering 93.1 percent of the country’s population below the age of 18. While online access has plenty of advantages, it comes with a number of risks, like inappropriate content, cyberbullying, and online predators. At China’s joint NPC & CPPCC National Committee session this year, proposals were made to pass laws that will ensure a clearly regulated process of protecting the information of adolescents that use the Internet.
A framework exists, but more clarification is necessary
The protection of minors’ personal data has been written into laws, administrative regulations, departmental rules, regional laws and government standards in China. Dehao Zhang, a counsel at Fieldfisher, tells ALB that the Civil Code and Cybersecurity Law of the People’s Republic of China (PRC) have set rules for general protection of personal information. Meanwhile special laws like the Law of the PRC on the Protection of Minors have made rules especially to protect the personal information of minors, with the Regulation on the Protection of Children's Personal Information Online, published by the Cyberspace Administration of China in 2019, providing additional support.
That said, there are still many practical issues that occur during the use of Internet services, and this calls for clearer rules, so that the protection can be strengthened. Zhang raises two points that need to be clarified.
The first involves recognising a user is a minor. “How can an app tell if it is an adult or a teenager on the other side of the screen? It needs information like age or date of birth to distinguish them, but such information itself has been ruled as unnecessary information for many apps to collect. It puts many Internet companies in a dilemma,” Zhang says.
The second point involves the guardians’ consent for Internet services to processing minors’ personal information. Although Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations has required that individuals need to provide clear agreement to the privacy policies of apps, in Zhang’s opinion, it cannot guarantee that users have actually read and understood these policies.
“Sometimes, the users do not know what they agreed to when they hit the ‘agree’ button,” says Zhang, who therefore suggests the mandatory law clarify the conditions and standards to measure if the consent given by guardian is effective, or provides guidelines for obtaining valid consent of the guardian similar to the Children's Online Privacy Protection Act (COPPA) in the U.S.
What can companies do?
Zhang advocates that companies should take adolescents’ information protection seriously, and he suggests that if the services involve such information, the company should consider Privacy by Design and conduct a Data Protection Impact Assessment before designing the product. During the design phase, a company should emphasise minors’ personal information, such as communicating the privacy policy to users, building a proper guardian consent mechanism and evaluating if the product is age-appropriate.
Additionally, as Zhang stresses, before building a compliance system that protects the personal information of minors, a company should ask itself if it provides the same to all users, regardless of age.