Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

International: Handling children's personal data in the APAC region - Part one

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due to in part their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part one of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from Australia, China, India, and Japan.

For insight into handling children's personal data in New Zealand, the Philippines, and Singapore, please see part two here.

Cavan Images / Essentials collection / istockphoto.com

Australia

What is the age threshold for children?

The age threshold for children in Australia is generally 18 years old1. However, according to the Office of the Australian Information Commissioner ('OAIC'), the threshold is generally accepted as 16 years old with regards to privacy-related matters.

The OAIC has provided that entities should determine on a case-by-case basis whether an individual under the age of 18 years has the capacity to give consent. As a general principle, an individual under the age of 18 has the capacity to consent when they have sufficient understanding and maturity to understand what is being proposed2.

Are there any special rules in relation to children's personal data?

Obtaining children's consent

The Australian Privacy Principles ('APPs') establish principles to protect an individual's personal information and provide them certain rights in respect of such, regardless of their age. However, an individual must have the 'capacity' as regards privacy choice and decision-making if the collection of their personal information is to be valid under the APPs.

As such, a child under 16 without the requisite understanding of privacy will not have the capacity as an individual to understand that they are being asked to decide whether to give or withhold their personal information.

Unless a child's capacity can be established on a case-by-case basis, it is safest to assume only a person who is 16 years old or older has the capacity to provide their personal information.

Informing children and other privacy policy practices

APP 5 requires an entity that collects personal information about an individual to take reasonable steps to either notify the individual of certain matters (e.g. in a privacy policy) or to ensure the individual is aware of those matters.

This obligation remains the same where the individual is a child with the capacity to choose (e.g. 16 years old or older). However, for children without capacity, a parent or guardian must consent to the provision of personal information under the privacy policy.

Children's rights to access, rectify, erasure, etc.

Children with the capacity to choose can exercise all rights under the APPs themselves as adults may. For children without capacity, only their parent or guardian can exercise these rights on their behalf.

Other obligations

The Online Safety Act 2021 (Cth), which commenced in January 2022 and is overseen by the eSafety Commissioner, sets out 'Basic Online Safety Expectations' applicable to online service providers. This includes expectations regarding the safe use of the online service by end-users, certain material and activity on an online service, as well as reports and complaints.

Further guidance

The OAIC and the eSafety Commissioner have issued various resources, including guidance on children and young people and Safety by Design3.

China

What is the age threshold for children?

The age threshold for the processing of children's personal information is a minor under the age of 14 years (Section 28(1) of the Personal Information Protection Law of the People's Republic of China ('PIPL')) and Article 72 of the Law of the People's Republic of China on Protection of Minors ('the Minors Protection Law')). 

However, generally, under the Minors Protection Law, a minor will refer to a citizen under the age of 18 (Article 2 of the Minors Protection Law).

Are there any special rules in relation to children's personal data?

Obtaining children's consent

The PIPL and the Minors Protection Law provide special rules for the processing of children's personal information. Moreover, under the PIPL, minors' personal information is classified as 'sensitive personal information'. 

When processing the personal information of minors under the age of 14, the personal information processor must obtain the consent of the parents or other guardians of the minors (Article 31 of the PIPL).

Under the Minors Protection Law, such requirement is not applicable where otherwise prescribed by laws and administrative regulations (Article 72 of the Minors Protection Law).

Informing children and other privacy policy practices

The PIPL and the Minors Protection Law do not provide special requirements for informing children about the processing of their personal information or other information related to privacy policies.

General information that must be provided to the data subject prior to the processing of their personal information, in an easy-to-notice manner and using clear and easy-to-understand language, includes (Article 17 of the PIPL):

  • the name and contact information of the personal information processor;
  • the purposes and means of personal information processing, and the categories and storage periods of the personal information to be processed;
  • the methods and procedures for the individual to exercise their rights as provided in the PIPL; and
  • other matters that the individual should be notified of as provided by laws and administrative regulations.

Specific to sensitive data, the personal information processor must also inform the data subject of the following, except where such notification is not required in accordance with the provisions of the PIPL: 

  • the necessity of the processing of their sensitive personal information; and
  • the impact it has on the data subjects' rights and interests.

Children's rights to access, rectify, erasure, etc.

Where the minors, their parents, or other guardians require the information processor to correct or delete the personal information of the minor, the information processor must take timely measures to correct or delete the personal information of the minor, except as otherwise prescribed by laws and administrative regulations (Article 72 of the PIPL).

More generally, the PIPL provides right to data subject which include:

  • the right to know;
  • the right to decide relating to their personal information;
  • the right to consult and copy;
  • the right to data portability;
  • the right to correction;
  • the right to deletion;
  • the right to withdraw consent; and
  • the right to request personal information handlers explain personal information handling rules.

Other obligations

The PIPL provides that personal information processors processing the personal information of minors under the age of 14 must develop special rules for processing such personal information (Article 31(2) of the PIPL). In addition, an information processor must, in processing personal information of minors through the internet, follow the principle of lawfulness and justification and process personal information within a necessary limit (Article 72 of the Minors Protection Law).

In relation to network service providers, such providers are required, upon discovering that a minor publishes private information through the network, to prompt them in time and to take necessary protective measures (Article 73 of the Minors Protection Law). 

Further guidance

The Cyberspace Administration of China has published Regulations on the Protection of Children's Personal Information Online ('the Regulation')4. The Regulation applies to activities such as collecting, storing, using, transferring, and disclosing children's personal information through the Internet within the territory of the People's Republic of China.

India

As of now, India does not have a dedicated data protection law in place. The Personal Data Protection Bill, 2019 was introduced to the legislature in 2019 and is currently undergoing deliberations. In the absence of such legislation, there is no regulatory framework to deal with issues such as the personal data of children or obtaining their consent. However, this by no means implies that cyber issues concerning children are unchecked.

Presently, the Information Technology Act, 2000 is the statute whereunder the offences pertaining to cybercrimes, including ones concerning children, are dealt with. To broaden such law, the Government of India has also issued the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 ('the Rules'). The Rules empower social media users by laying down mechanisms for redressing their grievances. Rule 3, for example, establishes due diligence duties for social media intermediaries. It also requires intermediates to publish on its website or mobile application, among other things, instructions not to indulge in activities that are harmful to children.

Japan

What is the age threshold for children?

As of March 2022, Article 4 of Japan's Civil Code provides that the age of majority (in the sense that a person at this age or higher is not subject to the requirement of parental consent when entering into contracts) is 20. 

An amendment to this Article will come into force on 1 April 2022, lowering the age of majority to 18 for the first time in approximately 140 years.

The transitional details are as follows:

Date of birth

When a person reaches/has reached the age of majority

Age of majority

1 April 2002 or before

20th birthday

20

2 April 2002 to 1 April 2003

1 April 2022

19

2 April 2003 to 1 April 2004

1 April 2022

18

2 April 2004 or after

18th birthday

18

 

Are there any special rules in relation to children's personal data?

Obtaining children's consent

The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI') does not explicitly set out a certain age.

However, the Personal Information Protection Commission ('PPC') has advised in its Q&As5 that while the exact age of a child at or below which parental consent is required should be judged on an individual case basis by considering the category of personal information at issue and the nature of business for which the personal information will be used, generally speaking, parental consent is required in connection with a child at the age of 15 or lower.

Given this, it should be the practice of a Personal Information Handling Business Operator ('PIHBO') to seek parental consent when a data subject is at the age of 15 or lower.

Informing children and other privacy policy practices

This matter is not well discussed or clarified in Japan. Practically speaking, no material risks are expected when a PHIBO deems, without verifying the ages of data subjects at issue, that its notifications to the data subjects as required under the APPI are validly made.

Children's rights to access, rectify, erasure, etc.

While this matter is not well discussed or clarified in Japan, as a matter of practice, a PIHBO should, without verifying a child's age nor waiting for parental consent, duly disclose to a child, rectify, erase, or stop its use of personal data, when they receive from a child a notice to exercise their rights under the APPI.

Karan Chao Senior Privacy Analyst
[email protected]
Keshawna Campbell Lead Privacy Analyst
[email protected]

Comments provided by:
Alec Christie Partner
[email protected]
James Wong Associate
[email protected]
Clyde & Co LLP, Sydney

Siddharth Jain Co-Founding Partner
[email protected]
PSL Advocates & Solicitors, New Delhi

Ryuichi Nozaki Partner
[email protected]
Atsumi & Sakai, Tokyo


1. See: Section 5 of the Age of Majority Act 1974 (ACT); Section 4 of the Age of Majority Act 1974 (NT); Section 6(1) of the Minors (Property and Contracts) Act 1970 (NSW); Section 17 of the Law Reform Act 1995 (Qld); Section 3(1) of the Age of Majority (Reduction) Act 1971 (SA); Section 3(1) of the Age of Majority Act 1973 (Tas); Section 3(1) of the Age of Majority Act 1977 (Vic); Section 5 of the Age of Majority Act 1972 (WA)
2. See: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-b-key-concepts#capacity
3. See: https://www.oaic.gov.au/privacy/your-privacy-rights/children-and-young-people; https://www.oaic.gov.au/privacy/your-privacy-rights/children-and-young-people/privacy-tips-for-parents-and-carers; https://www.esafety.gov.au/industry/safety-by-design; and https://www.esafety.gov.au/about-us/who-we-are/basic-online-safety-expectations
4. See: http://www.cac.gov.cn/2019-08/23/c_1124913903.htm (only available in Chinese)
5. See: https://www.ppc.go.jp/files/pdf/2109_APPI_QA_4ejj3t.pdf (only available in Japanese)