Children front and centre
The Data Protection Commissioner (DPC) has published its draft Children Front and Centre: Fundamentals for a Child-Orientated Approach to Data Processing. ‘The Fundamentals’ will introduce data protection principles and measures designed to protect children.
The Fundamentals, which DPC says all organisations collecting and processing children’s data should comply with, have been created “to drive improvements in standards of data processing”. They will “introduce child-specific data protection interpretative principles and recommended measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of/access to services in both an online and offline world”.
The Fundamentals will also assist those organisations that do process children’s data by clarifying the principles to which they are expected to adhere, which arise from GDPR obligations. The draft document, released by the DPC for the purpose of a stakeholder consultation which closed on 31 March 2021, outlines 14 principles for organisations to follow.
These are:
- Floor of protection: the provision of a minimum level, or “floor”, of protection by service providers.
- Clear-cut consent: that consent given by a child for the processing of their data be “freely given, specific, informed and unambiguous, made by way of a clear statement or affirmative action”.
- Zero interference: service providers should ensure that their “pursuit of legitimate interests” does not interfere with the best interests of the child.
- Know your audience: service providers should take steps to identify their users and ensure that their child-specific services have child-specific data protection measures in place.
- Information in every instance: children are entitled to receive information about the processing of their data “irrespective of the legal basis relied on and even if consent was given by a parent on their behalf to the processing of their personal data”.
- Child-oriented transparency: information about how data is used must be provided “in a concise, transparent, intelligible and accessible way, using clear and plain language that is comprehensible and suited to the age of the child”.
- Let children have their say: service providers “shouldn’t forget that children are data subjects in their own right and have rights in relation to their personal data at any age”. The DPC states that a child can exercise these rights at any given time, provided “they have the capacity to do so and it is in their best interests”.
- Consent doesn’t change childhood: consent obtained from children and/or their parents/guardians should not be used to justify the treatment of them as adults.
- Your platform, your responsibility: companies who derive revenue from providing or selling services through digital and online technologies are expected to “go the extra mile” to prove that their age verification methods are effective.
- Don’t shut out child users or downgrade their experience: services that are “directed at, intended for, or likely to be accessed by children” cannot bypass their obligations under the fundamentals by “shutting them out or depriving them of a rich service experience”.
- Minimum user ages aren’t an excuse: user age thresholds are not a reason for organisations to ignore controller obligations under GDPR where underage users are concerned.
- Prohibition on profiling: service providers “should not profile children and/or carry out automated decision making in relation to children” or use their personal data for marketing/advertising purposes “due to their particular vulnerability and susceptibility to behavioural advertising” unless it can be clearly demonstrated that it is in the best interests of the child to do so.
- Do a DPIA: providers should undertake a data protection impact assessment (DPIA) in order to minimise data protection risks to their service and to the children. The “principle of the best interests of the child” is expected to be a key aspect of any DPIA and to take precedence over the commercial interests of the provider.
- Bake it in: service providers that consistently process children’s data must have high levels of data protection “baked in” across the services they provide.
Writing in her foreword to the Fundamentals, the Commissioner for Data Protection, Helen Dixon, said: “About a quarter of Ireland’s population are children, all of whose data is processed every day online and offline, in educational, health, recreational and sporting, social services and commercial contexts. It is with this in mind that the DPC has produced this guidance to set out the standards that all organisations should follow when collecting and processing children’s data. The core message of the Fundamentals is that the best interests of the child must always be the primary consideration in all decisions relating to the processing of their personal data.”
The move to lay down principles by which companies must abide with regard to children’s data follows on from the UK Information Commissioner’s Office’s Age Appropriate Design Code, published in August 2020. The DPC has noted that its Fundamentals differ from the UK code in that the UK document focuses on privacy-by-design features that must be engineered into services used by children, whereas the DPC Fundamentals take a broad-based approach. The DPC has otherwise stated that its Fundamentals are “entirely consistent” with the UK’s code.
The Fundamentals include a list of recommended actions for online service providers, although it is stressed that “there is no one-size-fits-all solution to data protection by design and default”. These recommendations include: ensuring the strictest privacy settings are applied to services likely to be accessed by children; ensuring that child users have meaningful choice in a mixed-audience setting; minimising the amount of data collected from children in the first place; not systematically sharing a child’s data with third parties without clear parental knowledge; turning off geolocation by default for children unless the service provided is dependent upon it; turning off profiling identifiers, techniques and settings; avoiding the use of nudge techniques that encourage children to provide unnecessary information; and the provision of layered, child-friendly information that is available to children throughout the user experience.