GDPR and Children’s Data: What Lawyers Need to Know
28/01/2022 09:16:39
To mark Data Protection Day on 28 January, the IP & Data Protection Law Committee shares essential principles for practitioners and others dealing with children's data.
Data Protection Day falls on 28 January each year. Given the proximity of this date, we thought it would be worthwhile to set out some details of recent Data Protection Commission guidance which is relevant both to the solicitors’ profession and many of our clients.
Following an extensive public consultation process conducted between 2018 and 2021, the Data Protection Commission recently published the final version of its guidance entitled 'Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing' (the 'Fundamentals').
The Fundamentals set out principles and a range of practical recommendations that are intended to flesh out requirements in the GDPR regarding the processing of children’s data and provide valuable insights on the DPC’s expectations of organisations that engage in such processing, whether in an online or an offline setting. The DPC emphasises that the best interests of children should be a primary consideration in all decisions relating to the processing of their personal data.
The Fundamentals establish 14 child-specific data protection principles, which include the following:
Floor of Protection
The DPC has identified two options for complying with the Fundamentals. Organisations that process children’s data may either (i) apply the requirements of the Fundamentals across the board, so that all users (i.e. adults and children) benefit from a high and uniform level of data protection, or (ii) they may take a risk-based approach to verifying the age of their users and apply the Fundamentals to the processing of children’s personal data only.
The DPC states that the Fundamentals are consistent with the approach adopted by the UK Information Commissioner’s Office in its children’s code. According to the Fundamentals, the DPC will expect organisations that choose to use age verification to “go the extra mile” in order to be able to prove that those measures are effective.
Child-Oriented Transparency
To comply with the transparency obligation set out in Article 12 of the GDPR, organisations must tailor their transparency information for optimum accessibility and comprehension. The DPC points out that complex, legalistic, vague or jargon-driven approaches to providing transparency for data subjects would be inappropriate in any scenario, particularly when directed towards a child. The Fundamentals note that there is no ‘one-size-fits-all’ solution for conveying transparency details to children. However, the DPC does set out a few basic factors that organisations should consider when drafting transparency notices (for instance, whether the use of cartoons or videos can assist).
Age of Digital Consent
Article 8 of the GDPR requires that where a digital service is being offered to a child on the legal basis of consent to process the child’s personal data, parental consent must be obtained where the child is below the ‘age of digital consent’, which can vary in different Member States. In Ireland, the age of digital consent has been specified as 16. An online service provider must make reasonable efforts, taking available technology into consideration, to verify that a person with parental responsibility has consented to the processing of an under 16-year-old’s personal data where consent is their legal basis for processing.
The Fundamentals underline a few important themes arising from the mechanics of the age of digital consent.
First, the Fundamentals remind us that consent is not the only legal basis for processing a child’s personal data. When processing a child’s data, an organisation may rely on one of the other five legal bases under the GDPR (provided it is appropriate and the applicable child-friendly data protection principles are conformed with). These legal bases include (i) processing necessary for the performance of a contract with the child, (ii) processing which is necessary for compliance with a legal obligation, (iii) processing which is necessary to protect the vital interests of the child or another person, (iv) in the case of public bodies, processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or (v) processing which is necessary for the legitimate interests of the organisation or a third party.
The Fundamentals caution, however, that reliance on ‘legitimate interests’ will be permissible only if their pursuit will not have any negative impact on the best interests of the child. This appears to signal a narrow interpretation of when legitimate interests can be relied on as the legal basis for processing children’s data.
Second, organisations must comply with the Fundamentals even where parental consent is obtained for the processing of a child user’s personal data, or where the child user is of/above the age of digital consent.
Data Subject Rights
The Fundamentals emphasise that children are data subjects irrespective of their age and, as such, they can exercise their rights under the GDPR at any age, provided that they have the capacity to do so and it is in their best interests. Provision should therefore be made to allow children to be represented through a parent, guardian, or expert third party/advocate, in order to prevent the absence of maturity or capacity from exhausting their rights in this regard.
In tandem, the DPC also warns against depriving children of their rights under the United Nations Convention on the Rights of the Child. Effectively, compliance with the requirements of the Fundamentals should not serve as a justification for “locking out” children from a rich user experience simply on the basis of purported data protection compliance. The Fundamentals stress that this may result in child users circumventing age verification measures and accessing a service which does not adhere to the highest levels of data protection.
Profiling
Section 30 of the Irish Data Protection Act 2018 on micro-targeting and profiling of children is an unusual provision that has not been brought into force. Nevertheless, the Fundamentals indicate that the DPC is of the view that the profiling of children, or subjecting child users to automated decision-making, or otherwise using their personal data, for advertising or marketing purposes, will rarely be justifiable. The one exception identified by the DPC is where an organisation can demonstrate how and why it is in the best interests of children to do so. Organisations should, however, be wary of utilising this exception as it comes with a high burden of proof, and the DPC has indicated that there will be very limited circumstances where utilising this exception will be justified. For example, the DPC has indicated that it does not consider that it is in the best interests of children to show them advertisements for games/services/products/videos etc. which they might be interested in where such advertisements are based on profiling.
Data Protection Impact Assessments
The Fundamentals affirm that where a DPIA is required to be conducted in relation to the processing of children’s data, the principle of the ‘best interests of the child’ must be a key criterion and prevail over any conflicting commercial interests pursued by the organisation. The extent to which an organisation has conducted a meaningful DPIA in relation to the processing of children’s data will also be considered by the DPC in any assessment of an organisation’s compliance with the requirement to be able to demonstrate its compliance under Article 24 GDPR.
Implications for the Solicitors' profession
It may be thought that the Fundamentals are primarily targeted at organisations that offer digital services to children. However, that is not the case. The Fundamentals equally apply to any organisations that process children’s data. As such, solicitors who deal with or act for children need to be cognisant of their obligations under the GDPR and the guidance set out in the Fundamentals. The following are key matters to consider:
- Transparency: Solicitors are already obliged to ensure that their clients are provided with an appropriately crafted data protection notice which sets out various details relating to the processing of client data. Solicitors will also need to consider a carefully crafted child-focussed notice which is clear and concise and easily understood by children. The use of pictures, cartoons or videos may assist.
- Legal Basis for processing: Solicitors will need to give consideration to what legal basis applies to their processing of children’s data. Given that the DPC have taken a restrictive view of ‘legitimate interests’, is it safer to get the express consent of a parent or guardian or, if the child is sufficiently mature, of the child itself?
- Children are data subjects: Solicitors will need to be aware that children are data subjects in their own right with rights to make access requests, object to processing etc. whether by themselves (if they have sufficient maturity) or via a parent or guardian.
- Data Protection Policies: A key obligation of the GDPR is to document and evidence compliance. One main way of doing this is to have appropriate data protection policies which organisations can prove they have implemented and comply with. There would be merit in having a dedicated policy (or part of a policy) which focuses on the processing of children’s data and the solicitor’s approach to compliance.
Further guidance notes and resources for practitioners can be found on the Intellectual Property and Data Protection Law Committee page.