In this briefing, we compare the draft “Fundamentals for a Child-Oriented Approach to Data Processing” (the “Fundamentals”) recently published by the Data Protection Commission of Ireland (the “DPC”) with the Age Appropriate Design Code (the “AADC”) prepared by the UK Information Commissioner’s Office (the “ICO”). The AADC was adopted in September 2020 and organizations have until September 2, 2021 to comply. See our earlier briefing on the Fundamentals.
The Fundamentals apply to both online and offline services that are directed at children. They are broader than the AADC, which focuses specifically on the privacy features that must be built into online services used by children. Still, the Fundamentals are consistent with the AADC, in particular because the principle of the best interests of the child underlies both documents. Under the AADC, the best interests of the child must be a primary consideration when developing online services that a child is likely to access. The Fundamentals reach further: the best interests of the child should be paramount in any decision about how to process children’s data.
Under both the AADC and the Fundamentals, organizations can either apply certain privacy standards to all users or take a risk-based approach to verifying the age of users so that the relevant standards for processing children’s data are applied. Unlike the AADC, the Fundamentals note that technology and internet organizations (i.e. those whose business models are based on the use of digital and online technologies) carry a higher burden in their efforts both to verify age and to verify that consent was given by a parent or legal guardian.
Under the Fundamentals, organizations cannot simply rely on the fact that a service is not intended for children under a certain age. When organizations provide such a service, they must take steps to ensure that their age verification mechanisms are effective in preventing children under that age from accessing the service. Where this is not possible, organizations must protect users both below and above the minimum age.
The GDPR transparency requirements explicitly mention children, so it is not surprising that both the Fundamentals and the AADC place strong emphasis on transparency. Both stipulate that information should be presented to children in a clear, concise and accessible manner. The Fundamentals also stipulate that children should be able to ask organizations directly (e.g. via instant chat or a privacy dashboard) about the transparency information provided to them. Unlike the AADC, the Fundamentals do not contain specific recommendations on the type and level of detail of information that should be provided to different age groups.
The Fundamentals take a firm line on profiling: children’s data should not be collected in order to profile them or target them with advertising unless it can be clearly shown how and why doing so is in the best interests of the child. The DPC recognizes that while this should be easy to implement in services specifically aimed at children, it is more complex in “mixed use” internet environments. In these cases, the DPC states that organizations must be able to identify and protect children, or else implement a no-profiling policy. The Fundamentals state that organizations have a heavy burden of proving that profiling is in a child’s best interests and that there will be a “very limited range of circumstances” in which it can be demonstrated that this is a legitimate, lawful activity.
The ICO’s approach is also underpinned by the best interests principle. The AADC states that profiling of children should be switched off by default unless a compelling reason for it to be on can be demonstrated, taking into account the best interests of the child. The ICO emphasizes that switching profiling off by default does not mean profiling is prohibited. If the steps set out in the AADC, such as obtaining effective consent, are followed, profiling can be carried out safely and fairly.
Organizations whose services fall within the scope of the Fundamentals should conduct a data protection impact assessment (“DPIA”) in relation to the different types of processing operations carried out on children’s personal data. The DPC states that the well-being of children must be a key criterion in any such DPIA. A DPIA is mandatory for profiling children for targeted marketing or for offering online services directly to them.
The AADC provides that a DPIA should be conducted to assess and mitigate the risks to the rights and freedoms of children that arise from processing where children are likely to access a service.
Exercising data subject rights
The DPC states that there is no “magic age” at which children become equipped to exercise their data protection rights. The Fundamentals therefore provide that a child can exercise their data protection rights at any time, as long as the child is capable of doing so and it is in the child’s best interests. The DPC emphasizes that children should also be able to be represented by an adult.
The AADC likewise does not set a specific age from which children should be able to exercise their data protection rights. Instead, the AADC states that accessible tools should be made available to children to exercise their rights, and it gives organizations guidance on the types of tools appropriate to different age groups.
Bake it in
The “Bake it in” Fundamental covers a number of the AADC standards:
- Default settings – The Fundamentals and the AADC state that children should have the highest privacy settings by default. The DPC states that if a user changes the default privacy settings, they should revert to the default at the end of the user session. The ICO takes a different approach, stating that when users change their settings they should be able to choose whether the change is permanent or applies only to the current session.
- Data minimization – Both the Fundamentals and the AADC stipulate that only the minimum amount of personal data should be collected from children. The Fundamentals go further than the AADC in requiring that the granularity and accuracy of the types of data collected from children be reduced.
- Data sharing – The Fundamentals provide that data should not be shared without the clear knowledge, awareness and control of parents. Children’s identities and contact details should not be made available to others without parental involvement. Restricted audience selection should be the default setting for disclosure, and children should be made aware of the potential risks associated with disclosing personal data. The AADC provides that children’s data should not be disclosed unless there is a compelling reason to do so, taking into account the best interests of the child.
- Geolocation – Under both the Fundamentals and the AADC, geolocation should be switched off by default unless, under the Fundamentals, the service depends on location data or, under the AADC, there is a compelling reason for it to be on. Any disclosure of location data should be obvious to the child. The Fundamentals also provide that the accuracy of geolocation data relating to children should be significantly reduced where precise data is not necessary.
- Parental controls – Both the Fundamentals and the AADC stipulate that if parental controls are available, the child should be able to see that a parent or legal guardian is monitoring the child’s activity; and
- Nudging techniques – The Fundamentals and the AADC take the same approach to nudge techniques: they should not be used to encourage children to provide unnecessary information or to turn off privacy protections. Nudges that promote privacy may be used where appropriate.
The Fundamentals set out further requirements for organizations within their scope that have no corresponding standard in the AADC. For example, the Fundamentals state that if a service is used, or likely to be used, by children, an organization cannot circumvent its obligations by excluding children or by denying them a full user experience.
The “Bake it in” Fundamental discussed above also covers a number of areas not addressed by the AADC, including user choice, personal data breaches and security.
The AADC states that children’s data must not be used in ways that have been shown to be detrimental to their well-being or that are contrary to industry codes, government regulations or government advice. The AADC also encourages organizations to adhere to their own published terms, policies and community standards. The Fundamentals contain no directly corresponding requirements.
Organizations should review their processing of children’s data and take steps to ensure compliance with the AADC and, where applicable, the Fundamentals. While the AADC has been adopted, the DPC has not set a timeline for adopting the final version of the Fundamentals. Although the content of the final Fundamentals may change in response to the DPC’s consultation, it should be noted that the DPC has stated that the final version will inform its approach to supervision, regulation and enforcement in this area. The DPC has also made clear that it will comply with its obligations under Section 32 of the Data Protection Act 2018 to encourage organizations to draw up sectoral codes in this area.
This article is a general summary of developments and is not a complete or final legal statement. If necessary, specific legal advice should be obtained.