In the wake of rising awareness of the importance of data protection and the concepts of the EU GDPR (General Data Protection Regulation), it is imperative not to forget the extra protection that should be, and is required to be, given to one of the most vulnerable groups in society: children.

Article 1 of the UN Convention on the Rights of the Child (the “UNCRC”) defines a child as “a person under the age of 18 years”, as does the UK Data Protection Act 2018. Although the GDPR does not explicitly define a child, Article 8 of the GDPR indicates that consent of the child can be relied on by a controller when ‘the child is at least 16 years old’. Member state law may provide for a lower age if it is not below 13 years. Accordingly, the GDPR protects all persons under the age of 13 years as children, and by default, individuals younger than 16 will be considered children.

Children generally enjoy the same rights as adults over their personal data. These rights are set out in Chapters III and VIII of the GDPR. A child may exercise them on their own behalf, provided they are competent to do so. Recital 38 of the GDPR states that children require specific protections with regard to their personal data because “they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.” Thus, the GDPR attempts to compensate for children’s possible lack of awareness by increasing compliance requirements for organisations.

Recent Developments

Legislative efforts to protect children’s data rights have been gaining momentum. The UK government has introduced legislation aimed at offering children greater protections online. Organisations that are found to be at fault will face large financial penalties of up to £18 million or 10% of qualifying worldwide revenue.

In recent months, regulatory authorities have also been emphasizing children’s data subject rights. Most notably, in September 2022, the Irish Data Protection Commissioner issued their highest ever breach fine of €405 million against Instagram for GDPR violations relating to children’s data.

In May 2022, the Irish Data Protection Regulatory Authority (“DPA”) issued three guides for teens on data protection and their rights under GDPR. The guides are aimed at children who are aged 13 and over, as this is the age at which children generally can sign up for social media platforms of their own accord. In December 2020, the Irish Data Protection Commission (the “DPC”) published draft guidance entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (the “Fundamentals”). These Fundamentals were informed by the output of the two-streamed public consultation which the DPC ran during the first half of 2019, followed by extensive legal analysis and expert input over the course of 2019 and 2020.

The Fundamentals include the following advice for organisations:

Key recommendations:

– Data Sharing: Do not systematically share a child’s personal data with third parties without clear parental knowledge, awareness, and control; Build in parental reminders/notifications, where appropriate.

– Profiling: Turn off identifiers, techniques or settings which allow any tracking of activity online for advertising purposes.

– Nudge techniques: Avoid the use of nudge techniques that encourage or incentivise children to provide unnecessary information or to engage in privacy-disrupting actions.

– Encourage privacy-enhancing behaviour: Use push notices/just-in-time notifications emphasizing that one or more option(s) provide a greater level of privacy than the action the child user is about to pick.

– Opt to process personal data on the user’s device, as opposed to transferring the data to the cloud.

– Avoid the use of personalised auto features, such as autoplay features and reward loops where children’s personal data is used to support these features.

– Provide parents with an overall view of activity (including any history of activity) and settings that their child has available to them. Consider allowing parents to modify child account controls and settings, where appropriate.

– Make it visible to the child that their parent(s) can tell which app/ website/ program etc. they are using or that their parent(s) can later review their activity history.

– Higher security settings for child account data may be appropriate, including the possibility of isolating or “air gapping” child personal data from adult personal data. Administrator accounts for child data should be flagged or have a specific role so that internal organisational access can be easily distinguished, monitored, audited, and altered.

– Avoid the collection and processing of children’s biometric data.

– Where a child can share communications, content, or data, ensure limited audience selections by default. Contact from others outside of the child’s authorised contacts should not be possible for younger children without parental knowledge, awareness, and intervention.


– Turn off geolocation by default for child users unless the service being provided is necessarily dependent upon it. If this is the case, make it clear to the child (e.g., through the use of symbols/icons) that their location is available to the service or can be seen by other users.

– Provide clearly visible controls to allow the child to change this at any time or following each session, after a short time period, or once the event or feature requiring location has completed.

– Significantly reduce the level of accuracy of geolocation data collection except where necessary.

These key recommendations clearly show that organisations need to be aware of numerous risks in the area of children’s data. To coordinate compliance efforts, it is imperative to seek competent advice.

The role of DPOs and their benefits

Data Protection Officers (DPOs) have a key role to play in keeping children’s data safe and ensuring that organisations process and manage their data in a manner which is compliant with standards set out in the relevant data protection legislation. DPOs can offer services such as audits, data breach assistance, and advice on data subject requests. DPOs are compliance watchdogs who ensure that organisations act in accordance with local and international Data Protection legislation.

In other words, DPOs guard the rights of the most vulnerable. DPOs also protect your organisation’s interests. To ensure ongoing compliance, it is essential for the success of any organisation to invest in a strong data protection infrastructure. An experienced DPO, as part of a comprehensive data protection approach, can protect your organisation’s profits and reputation against adverse effects that might result from non-compliance with children’s data rights.

For data protection and privacy-related support, please contact us at