On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).
The Draft Guidance, issued on December 20, 2020, adds to a growing body of work carried out by regulators, including the UK Information Commissioner’s Office (“ICO”) in their Code of Practice for Age Appropriate Design for Online Services (the “ICO Age Appropriate Code”).
In its comments, CIPL encourages the development of shared, consistent approaches to children’s data, including the development of a common interpretation of General Data Protection Regulation (“GDPR”) requirements as they relate to the processing of children’s data and a common, broader approach to protection of children in data processing situations.
CIPL notes that the fundamental approaches of both the Draft Guidance and the ICO Age Appropriate Code have much in common, including a focus on the centrality of the interests of the child as a guiding principle and the adoption of a risk-based approach in some areas. However, there are also some fundamental differences between them, including an outright prohibition on the profiling of children in the Draft Guidance. The Draft Guidance also applies to all organizations that process children’s data, not just providers of Information Society Services (“ISS”), and has a broader scope than the ICO Age Appropriate Code, covering issues such as how to address security standards, handle data breaches and use biometrics. CIPL recommends that the approach of the Draft Guidance be reconciled with the ICO where possible, in the interests of consistency.
CIPL has further identified some key practical and strategic issues with the Draft Guidance. In particular, CIPL recommends that the Draft Guidance:
- Provide clarification as to the scope of organizations to which it applies, and avoid capturing all online businesses, just because there is a possibility that users may be children;
- Have a clearer focus on and leverage the GDPR concept of a risk-based approach, such as by recognizing that not all processing of personal data relating to children raises the same level of risk;
- Take a practical and proportional approach to age verification, such as by limiting the scope of the age verification requirement to services that are specifically targeted at children, or have a high likelihood of being visited by children because of the nature of the service or goods;
- Not be prescriptive, e.g., by avoiding mandating prescriptive or granular requirements with respect to design and how to provide transparent information;
- Clearly link the list of design and default measures provided to the substantive guidance in the body of the Draft Guidance rather than adding them as a separate list;
- Acknowledge children’s other fundamental rights and freedoms, such as their right to autonomy, association, play, access to information, education and freedom of expression;
- Take a risk-based approach to profiling and acknowledge that when profiling is used, the best interest of the child should be assessed, with particular attention to the purpose of the processing, the role that profiling plays in the provided service and the safeguards put in place to address likely and serious harms, as well as the fact that there are beneficial uses of data for children, including profiling;
- Enable organizations to adapt their online services to different child audiences and provide examples of how to do so; and
- Provide that the obligation not to “downgrade” services should only apply to services intended for children.
CIPL provides further recommendations with respect to the approach of the Draft Guidance, including in relation to proposed “strictest” privacy settings, arrangements around account migration and retention for users turning 16, a higher standard of security for children compared to adults, the consistency of service across different devices and platforms, the use of biometrics, the tailoring of privacy setting to different users on a shared device and the processing of children’s data at a device level instead of in the cloud.
CIPL’s full comments can be reviewed here.