On 17 December 2021, the Irish Data Protection Commission ("DPC") published its final report (the "Fundamentals")1 detailing its guidance on processing children's personal data, entitled "Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing".

"The Fundamentals have immediate application and operational effect, now forming the basis for the DPC's approach to supervision, regulation and enforcement in the area of processing of children's personal data."

(DPC press release, 17 December 2021)

In addition to giving 14 principles for processing children's data, the Fundamentals contains the DPC's advice on:

  • particular obligations under the General Data Protection Regulation ("GDPR") including legal basis requirements under Article 6, digital age of consent verification under Article 8 and transparency under Article 12; and
  • the ability of children to assert their own data protection rights and the ability of parents and guardians to assert data protection rights on their child's behalf.

This article will outline the scope of these Fundamentals, the Fundamentals themselves, guidance on GDPR obligations and outline how a child's data protection rights can be exercised.

PART 1: SCOPE OF THE FUNDAMENTALS

The Fundamentals are addressed to organisations whose services are "directed at, intended for or likely to be accessed by children." The "core message ...is that the best interests of the child must always be the primary consideration in all decisions relating to the processing of their personal data."

Applying to both online and offline organisations, this cuts across a broad spectrum of industries from educational providers, sports and social clubs, health and social support providers through to websites, apps and other Internet of Things ("IoT") services. The DPC makes clear that the Fundamentals are to cover services that a significant number of children are in reality using (as opposed to any service that is offered online).

The DPC has taken into account a broad spectrum of voices, including those of children, as well as the "Age Appropriate Design Code" for online services processing children's data of the UK Information Commissioner's Office ("ICO"). The DPC noted that its focus was broader than the ICO's as DPC was not focused solely on the engineering and design of online products and services. The Fundamentals are viewed by the DPC as consistent with the UK Code. In addition, the DPC has reinforced its commitment to child data protection by reference to the Court of Justice of the European Union and the European Court of Human Rights recognising the binding nature of the UN Convention on the Rights of the Child.

Questions are raised and, where appropriate, answers given by the DPC around digital age of consent, capacity, online harms, advertising that rely on tracking and profiling, "mixed use" internet environments, online and offline contexts and more.

Read More: Matheson Bulletin - Ready to Enter the Metaverse?

"Even if the GDPR hadn't told us so, it is very clear that children warrant special protection when it comes to the processing of their personal data. After all, in every other area of society, be it sport, education, access to alcohol, or voting rights, the special position and the evolving capacities of children are universally recognised facts. We have an opportunity now to correct issues of unwarranted and high-risk processing of children's data that may have been unwittingly or even negligently implemented across many sectors. The DPC is determined, through these "Fundamentals", to drive that transformation in how the personal data of children is handled."

Helen Dixon, Data Protection Commissioner

PART 2: THE FUNDAMENTALS

The 14 Fundamentals are summarised as follows:

  1. FLOOR OF PROTECTION: Unless using a risk-based approach to verify users' ages, organisations should provide a default "floor" of higher protection for all users irrespective of whether they are a child or not. If organisations choose not to apply the "floor", then they are to take a risk-based approach. Organisations may want to consider their options more broadly in light of the EU Single Digital Market legislation, EU Artificial Intelligence Regulation and Irish legislation soon to be enacted Consumer Rights Bill 2021.
  2. CLEAR-CUT CONSENT: Organisations should obtain "clear-cut consent" from a child if relying on consent as a basis for processing.
  3. ZERO TOLERANCE: When an organisation is relying on legitimate interests, this must not conflict with or override a child's best interests. The Fundamentals says there should be "zero interference" with the best interests of a child. In the earlier consultation report, the DPC said it had received "significant pushback" on the zero interference concept. The DPC's response is that while controllers are not prohibited from relying on legitimate interests to process child data, no level of interference of child data subject interests should be allowed for. This is because of the GDPR's explicit mention of the need to protect child data subjects when legitimate interests are relied on. The DPC did clarify that in situations where the interference with the child's best interests could be mitigated such that there is "no resultant interference", this would comply with the zero interference principle.
  4. KNOW YOUR AUDIENCE: Steps should be taken to identify a service's likely audience and whether this includes children. In the consultation report, concerns were expressed that this would require collecting additional information about users in contravention of data minimisation. The DPC did not accept this point.
  5. INFORMATION IN EVERY INSTANCE: Children must be notified of the basis on which their data is being processed, regardless of what that basis is (including parental consent under Article 8).
  6. CHILD-ORIENTED TRANSPARENCY: Required information must be provided in a language suitable to the age of the child throughout their experience, using non-textual measures if appropriate.
  7. LET CHILDREN HAVE THEIR SAY: Children are equivalent to adult data subjects in terms of exercising their rights, and may do so at any time once they have capacity and it is in their best interests to do so (discussed further below).
  8. CONSENT DOESN'T CHANGE CHILDHOOD: Organisations must not treat a child's personal data the same as that of an adult simply because the child's consent or consent from their parent or guardian has been obtained. Children's data must be afforded "specific protection".

To read the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.