knowledge | 22 February 2021 |
GDPR and Children
The Irish Data Protection Commission (the “DPC”) recently published draft guidance on fundamental principles for a child-oriented approach to data processing (the “Fundamentals”) for public consultation.
The Fundamentals set out principles and practical recommendations that are intended to flesh out requirements in the GDPR regarding the processing of children’s data and provide insights on the DPC’s expectations of organisations that engage in such processing, whether in an online or an offline setting. The DPC emphasises that the best interests of children should be a primary consideration in all decisions relating to the processing of their personal data. They establish 14 ‘fundamentals’, which include the following:
Floor of Protection
The DPC has identified two options for complying with the Fundamentals. Organisations that process children’s data may either apply the requirements of the Fundamentals across the board, so that all users benefit from a high and uniform level of data, or they may take a risk-based approach to verifying the age of their users and apply the Fundamentals to the processing of children’s personal data only. The DPC states that this is consistent with the approach adopted by the UK ICO in its children’s code. According to the Fundamentals, the DPC will expect organisations that choose to use age verification to “go the extra mile” to be able to prove those measures are effective.
To comply with the transparency obligation set out in Article 12 GDPR, organisations must tailor their transparency information for optimum accessibility and comprehension. The DPC points out that complex, legalistic, vague or jargon-driven approaches to providing transparency for data subjects would be inappropriate in any scenario, particularly when directed towards a child. The Fundamentals note that there is no ‘one-size-fits-all’ solution for conveying transparency details to children. However the DPC sets out a few basic factors that organisations should consider when drafting transparency notices (for instance, whether the use of cartoons or videos can assist).
Age of Digital Consent
Article 8 GDPR requires that where a digital service is being offered to a child on the legal basis of consent to process the child’s personal data, parental consent must be obtained where the child is below the ‘age of digital consent’, which can vary in different Member States. In Ireland, the age of digital consent is 16. An online service provider must make reasonable efforts, taking available technology into consideration, to verify that a person with parental responsibility has consented to the processing of an under 16-year-old’s personal data where consent is their legal basis for processing.
The Fundamentals underline a few important themes arising from the mechanics of the age of digital consent. First, consent is not the only legal basis for processing a child’s personal data. When processing a child’s data, an organisation may rely on one of the other five legal bases under the GDPR (provided it is appropriate and the applicable child-friendly data protection principles are conformed with). The Fundamentals caution, however, that reliance on ‘legitimate interests’ will be permissible only if their pursuit will not have any negative impact on the best interests of the child. This signals a narrow interpretation of when legitimate interests can be the legal basis for processing children’s data. Second, organisations must comply with the Fundamentals even where parental consent is obtained for the processing of a child user’s personal data, or where the child user is of/above the age of digital consent.
Right to Rights
The Fundamentals emphasise that children are data subjects irrespective of their age, and as such, they can exercise their rights under the GDPR at any age, provided they have the capacity to do so and it is in their best interests. Provision should be made to allow children to be represented through a parent, guardian, or expert third party/advocate, to prevent the absence of maturity or capacity from exhausting their rights in this regard.
In tandem, the DPC also warns against depriving children of their rights under the United Nations Convention on the Rights of the Child. Effectively, compliance with the requirements of the Fundamentals should not serve as a justification for “locking out” children from a rich user experience on foot of purported data protection compliance. The Fundamentals stress that this may result in child users circumventing age verification measures and accessing a service which does not adhere to the highest levels of data protection.
Section 30 of the Irish Data Protection Act 2018 on micro-targeting and profiling of children is an unusual provision that has not been brought into force. Nevertheless, the Fundamentals indicate that the DPC is of the view that the profiling of children, or subjecting child users to automated-decision making, or otherwise using their personal data, for advertising or marketing purposes, will rarely be justifiable. The one exception identified by the DPC is where an organisation can demonstrate how and why it is in the best interests of children to do so. Organisations should be wary of utilising this exception as it comes with a high burden of proof, and the DPC has indicated that there will be very limited circumstances where utilising this exception will be justified.
The Fundamentals affirm that where a DPIA is required to be conducted in relation to the processing of children’s data, the principle of the ‘best interests of the child’ must be a key criterion and prevail over any conflicting commercial interests pursued by the organisation. The extent to which an organisation has conducted a meaningful DPIA in relation to the processing of children’s data will also be considered by the DPC in any assessment of organisation’s compliance with the requirement to be able to demonstrate its compliance under Article 24 GDPR.
Public consultation on the Fundamentals concludes on 31 March 2021. The DPC has stated that the Fundamentals will inform its approach to supervision, regulation and enforcement in the area of processing of children’s personal data. This area is likely to be a high priority for the DPC. Any organisation that is subject to the DPC’s jurisdiction and processes children’s may wish to make submissions before the Fundamentals are finalised and, in any event, should review its practices in light of the Fundamentals.
Also contributed by Aishwarya Jha.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.