儿童数据适龄保护规则构建

Constructing Age-appropriate Protection Rules for Children's Data

大数据时代,儿童数据在网络环境中面临着人格权益风险、人身安全风险和经济风险等诸多风险。目前,世界多数国家有关儿童数据保护立法的不足主要在于,采用对全部儿童适用完全相同的数据保护措施的“一刀切”模式,忽视了不同年龄阶段儿童个体成熟度的现实差异,无法达到提供有针对性的、恰如其分的儿童数据保护的效果。应考虑对儿童数据采用适龄保护,以更大化地发挥现有法律规则的作用并弥补其不足。对此,国际社会中已有的儿童数据适龄保护规则中的有益成分,或可以作为进一步健全完善儿童数据保护规则的参考。为充分实现适龄保护的应有效果,在构建相关规则过程中应当注重保障规则能够切实贴合儿童数据保护的显著特征和特别需求,弥补儿童被动创建数字身份的法律规制的空白,以及吸纳多利益相关方共同参与儿童数据的治理。

Nowadays,children's use of the Internet has exhibited the following characteristics and trends globally:an increasing number of users,a significantly lower age of first contact with the Internet,and prolonged time spent online.As children engage and even immerse themselves in the Internet,a giant amount of children's personal data are circulated in cyberspace and are at great risk of being abused.The risks of infringing on personal rights,personal safety and economy in the process of personal data circulation and utilization are even more special and specific to children's data security.To address the risks to children's data,most countries around the world have adopted a domestic legislative model that establishes a certain age threshold and provides special protection for all children's data below that threshold.While it does provide more expeditious and a higher level of protection for children's data than general personal data protection,this"one-size-fits-all"model,which ignores the reality of differences in the maturity of individual children at different ages,does not provide comprehensive and appropriate protection for children's data.In contrast,the main advantage of age-appropriate protection for children's data as a better way to deal with data risks for children is that it fully takes into account the differences in the maturity of children at different ages,and based on this,it goes further than the existing legal rules,i.e.,it further subdivides the specific ages of children and adjusts and refines the relevant data protection rules accordingly,so that they can better satisfy the characteristics and needs of children's data protection at different ages.In other words,the age-appropriate protection of children's data can make greater use of the existing legal rules and meanwhile compensate for their shortcomings.Moreover,it complies with the development requirements of the"contextual integrity"principle,and effectively strikes a balance between"empowerment and protection"in the protection of children's rights.Heralded as the world's first code to provide age-appropriate data protection for children,UK's Age Appropriate Design Code,issued in 2020,has provided some useful lessons for improving and perfecting children's data protection.While retaining the basic principles and institutional framework of the general data protection rules,the Code has clarified the delineation of different age ranges of children and validated it.Then it has established 15 design standards that ISPs need to follow so as to provide services to children,and clarified the standards to be followed for new technologies adopted as a result of children's use of online services.Age-appropriate protection should be the direction for developing the rules for children's data protection to ensure the security of children's data.Based on the proper meaning of age-appropriate protection and in order to fully realize its designated effect,we should,in the process of constructing age-appropriate protection rules for children's data,emphasize that the rules need to effectively fit the distinctive characteristics and special needs of children's data protection,fill the gaps in the legal regulation concerning children's passive creation of digital identities,and incorporate multi-stakeholder participation in the governance of children's data.