On the 18 December, 2020 the Irish Data Protection Commission published its draft fundamentals for a child-oriented approach to data processing for the purpose of consulting with all stakeholders and interested parties. All of whom are invited to respond to the draft fundamentals by making submissions and/or providing their observations by the 31 March 2021.
These draft fundamentals have come about as a result of two-streamed public consultation that the Data Protection Commission (DPC) ran during the first half of 2019, one addressed to children and young people and the other addressed to all other stakeholders including parents, educators and children’s rights organisations, as well as organisations which process children’s data.
Following the conclusion of this current consultation process, a final version of the fundamentals will be published, which will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data.
The aims of the draft fundamentals are twofold:-
- They aim to introduce child-specific data protection interpretative principles and propose measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of/ access to services in both an online and offline world;
- It is also hoped that they will assist organisations that process children’s data, by clarifying the principles, arising from the high-level obligations under the GDPR, to which the DPC expects such organisations to adhere.
In Ireland, for data protection purposes, a child is somebody under the age 18.
For the purposes of this consultation the DPC has identified 14 Fundamentals that organisations should follow to improve the levels of protection afforded to children in the processing of their personal data and they are as follows:-
- Online service providers must provide a “floor of protection” i.e. they must provide a high and standardised level of data protection sufficient to protect the rights of any child users
- Where a child has given consent for their data to be processed that consent must be clear-cut, informed consent given by way of a clear statement or affirmative action
- When processing children’s data online service providers must ensure that they do not interfere with and/or negatively impact at any level the best interests of the child
- You must know your audience and online service providers must take all necessary steps to ensure that services directed at and/or likely to be accessed by children have the requisite child-specific data protection measure in place
- Children are entitled to be told about the processing of their own personal data regardless of the legal basis for that processing and even if the consent to that processing was given by a parent on their behalf
- Information about how personal data is used must be provided in clear plain language that can be understood and is appropriate to the age of the child
- Online service providers are reminded that children are data subjects in their own right and have rights in relation to their personal data at any age, children are entitled to have their say about how their data is used
- Consent obtained from children or from the guardians/ parents should not be used as a justification to treat children of all ages as if they were adults
- Where online providers use age verification and/ or rely on parental consent for processing personal data, the DPC will expect those providers to go the extra mile in ensuring that their measures around age verification and verification of parental consent are effective
- If an organisation’s service is directed at, intended for, or likely to be accessed by children, that organisation cannot bypass its obligations simply by shutting children out or depriving them of that service
- Minimum user age thresholds for accessing services doesn’t excuse organisations from complying with their controller obligations under GDPR and/or the standards that are being established as part of these Fundamentals
- Online service providers should not profile children and/ or carry out automated decision making in relation to children, or otherwise use their personal data, for marketing/advertising purposes unless they can show how it is in the best interest of the child to do so
- Online service providers should undertake data protection impact assessments (DPIA) to minimise the data protection risks that may arise from the processing of children’s personal data and when carrying out such a DPIA the best interests of the child must prevail over the commercial interests of the provider and/or organisation
- Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection.
The DPA accepts that adopting a Child-Oriented approach to data processing and protection will be costly and will require ingenuity on the part of the online service providers however, the DPC notes that 1 in 3 users are children and they represent the adult market of the future.
Readers of this blog who are supplying online services to and/or processing children’s personal and sensitive data in Ireland would be well advised to review their existing terms and conditions in light of the draft Fundamentals and consider whether they wish to take part in the consultation on or before the 31 March, 2021. For those based outside of Ireland there are also merits in considering these recommendations and applying them accordingly as the principles will apply in other jurisdictions too.
The full text of the DPC’s draft Fundamentals can be viewed here.