The European Data Protection Board (EDPB) has issued its first meaningful statement on age assurance in the digital environment.
While it does not introduce fundamentally new concepts, the statement is significant because it shapes regulatory expectations for age assurance in Ireland and across Europe, alongside Coimisiún na Meán's Online Safety Code and the Data Protection Commission's (DPC) Children's Fundamentals.
Overview of the EDPB Statement
The EDPB outlines ten principles for processing personal data when determining an individual's age or age range, acknowledging the three primary categories of age assurance: age estimation, age verification, and self-declaration. Each principle is based on existing General Data Protection Regulation (GDPR) requirements, a summary of which is outlined below:
1. Rights and Freedoms
Age assurance must respect all fundamental rights, with the child's best interests being a primary consideration. This includes the child's right to data protection and to protection from violence and all other forms of exploitation.
2. Risk-Based Assessment of Proportionality
Providers should adopt a risk-based approach, demonstrating the necessity and proportionality of age assurance measures by assessing the risks to children's rights. They must also respect users' rights and freedoms by conducting a Data Protection Impact Assessment (DPIA) where necessary, to balance safety measures against data protection. The EDPB adds that a Child Rights Impact Assessment (CRIA) can form part of a DPIA.
Outside the realm of the GDPR, the board minutes of the EU's European Board for Digital Services from late last year indicated that CRIAs will be recommended in EU guidelines on compliance with Article 28 of the Digital Services Act (protection of minors online). We will continue to monitor developments in this regard.
3. Prevention of Data Protection Risks
Age assurance must not lead to unnecessary tracking, profiling or other data protection risks. Viable alternative age assurance methods and technologies should be offered to users who cannot, or do not wish to, use a particular method because of the data protection risks it presents.
While not specific to this EDPB statement, the EDPB's recent Opinion on AI models, which we previously discussed here, is also relevant. In that opinion, the EDPB describes location and financial data as "types of ordinary personal data" that can nonetheless reveal highly sensitive information about individuals. This is potentially relevant where such data, location data in particular, is used for tracking or profiling in connection with age assurance.
4. Purpose Limitation and Data Minimisation
Controllers should collect only the personal data that is necessary, adequate and relevant for their intended purposes, ensuring that data minimisation is aligned with the principles of necessity and proportionality. For instance, the EDPB suggests a tokenised approach in which a third-party provider verifies age and the service provider sees only whether the user is over or under a given age threshold.
5. Effectiveness
Age assurance should be broadly accessible, offering alternative methods for those at risk of discrimination and complying with accessibility legislation. It must be reliable in determining whether age-related requirements are met, with appropriate redress mechanisms for affected users. Age assurance should also be robust: capable of handling unexpected situations and resisting attempts to bypass the system.
6. Lawfulness, Fairness, and Transparency
Service providers must have a valid legal basis and ensure clear, transparent communication about age assurance processes. Transparency is particularly important where children are concerned, and service providers must convey information to children in a way that is clear and easy for them to understand.
Again, while not specific to this EDPB statement, the EDPB's recent Opinion on AI models is relevant here too. In that opinion, the EDPB considered alternative approaches to meeting transparency requirements, such as media campaigns, e-mail campaigns using graphic visualisation, FAQs, transparency labels or cards, and voluntary annual transparency reports.
7. Automated Decision-Making
If automated systems are used, safeguards such as human intervention and appeal mechanisms must be in place, and particular attention should be paid where children are concerned. The statement also notes that, depending on the architecture of the age assurance process, controllers must identify whom the data subject should contact to exercise their rights.
8. Data Protection by Design and Default
Controllers must ensure data protection by design and by default, avoiding unnecessary access to personal data and regularly updating systems to reflect technological advances. The EDPB recommends using state-of-the-art technologies (such as privacy-enhancing technologies) that favour user-held data and secure local processing, supporting properties such as unlinkability, selective disclosure, single-use credentials and zero-knowledge proofs.
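The tokenised approach in principle 4 and the unlinkable, single-use credentials in principle 8 can be illustrated in working code. The following is an added example written for this article; it is not code from the EDPB statement or from any age-assurance provider. The issuer, relying party, token format and five-minute validity window are illustrative assumptions, and it uses Ed25519 signatures from Go's standard library rather than the zero-knowledge schemes the EDPB mentions. It goes slightly beyond the text by also binding the token to the requesting service (audience), to the threshold actually asked for, and to a one-time nonce, which is what stops a token being replayed or reused on another site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// AgeToken is all the online service ever receives: one over/under result,
// bound to a session nonce and an expiry. No date of birth, document data or
// stable user identifier is carried, so tokens cannot be linked across services.
type AgeToken struct {
	Audience  string `json:"aud"`   // service the token was minted for
	Threshold int    `json:"thr"`   // age threshold tested, e.g. 18
	Over      bool   `json:"over"`  // the single disclosed fact
	Nonce     string `json:"nonce"` // service-supplied challenge; makes the token single-use
	Expires   int64  `json:"exp"`   // unix seconds after which the token is dead
}

// ageAt returns completed years between dob and now.
func ageAt(dob, now time.Time) int {
	years := now.Year() - dob.Year()
	if now.Month() < dob.Month() || (now.Month() == dob.Month() && now.Day() < dob.Day()) {
		years-- // birthday not yet reached this year
	}
	return years
}

// Issue runs at the (assumed) third-party age-assurance provider: it sees the
// date of birth but signs only the threshold comparison, valid for five minutes.
func Issue(priv ed25519.PrivateKey, dob time.Time, threshold int, aud, nonce string, now time.Time) string {
	tok := AgeToken{Audience: aud, Threshold: threshold, Over: ageAt(dob, now) >= threshold,
		Nonce: nonce, Expires: now.Add(5 * time.Minute).Unix()}
	payload, _ := json.Marshal(tok) // flat struct of scalars: cannot fail
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload))
}

// RelyingParty is the online service. It holds only the issuer's public key
// and the nonces it has handed out (true once a nonce has been redeemed).
type RelyingParty struct {
	Name   string
	Pub    ed25519.PublicKey
	nonces map[string]bool
}

// NewNonce creates a fresh challenge that the user carries to the issuer.
func (rp *RelyingParty) NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse rather than mint a guessable nonce
	}
	if rp.nonces == nil {
		rp.nonces = map[string]bool{}
	}
	n := enc.EncodeToString(b)
	rp.nonces[n] = false
	return n
}

// Verify checks signature, audience, threshold, expiry and single use, then
// returns only the over/under result. Every failure is an error, never a silent "under".
func (rp *RelyingParty) Verify(token string, threshold int, now time.Time) (bool, error) {
	p0, p1, ok := strings.Cut(token, ".")
	payload, err1 := enc.DecodeString(p0)
	sig, err2 := enc.DecodeString(p1)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(rp.Pub, payload, sig) {
		return false, errors.New("malformed token or bad signature")
	}
	var tok AgeToken
	if err := json.Unmarshal(payload, &tok); err != nil {
		return false, err
	}
	switch redeemed, known := rp.nonces[tok.Nonce]; {
	case tok.Audience != rp.Name:
		return false, errors.New("token issued for another service")
	case tok.Threshold != threshold:
		return false, errors.New("token attests a different threshold")
	case now.Unix() >= tok.Expires:
		return false, errors.New("token expired")
	case !known:
		return false, errors.New("unknown nonce")
	case redeemed:
		return false, errors.New("token replayed")
	}
	rp.nonces[tok.Nonce] = true
	return tok.Over, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{Name: "example-service", Pub: pub}
	now := time.Now()
	// Constructed sample: a user born 1 Jan 2000, tested against an 18+ threshold.
	tok := Issue(priv, time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), 18, rp.Name, rp.NewNonce(), now)
	over, err := rp.Verify(tok, 18, now)
	fmt.Println("over 18:", over, "err:", err)
	_, err = rp.Verify(tok, 18, now) // the same token presented a second time
	fmt.Println("second use:", err)
}
```

The service never receives a date of birth, a document number or a persistent identifier, and the nonce map guarantees each token is accepted once. One caveat a practitioner should note: because the token names its audience and the nonce passes through the issuer, the issuer in this design still learns which service the user is visiting. Removing that link is exactly what the anonymous-credential and zero-knowledge approaches the EDPB refers to are for; this example shows the data-minimisation and single-use properties, not issuer-side unlinkability.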
9. Security
Given the legal pressure to implement age assurance, controllers need to implement and maintain appropriate technical and organisational measures to detect and react promptly to breaches and to ensure the resilience and availability of the age assurance system. The EDPB adds that breaches should be expected and that providers should therefore be ready for them.
The EDPB also states that the ability to promptly restore the availability of age assurance after a security breach should be considered essential. It is crucial to ensure the resilience of the age assurance ecosystem by favouring a choice of alternatives and loosely coupled parties that do not depend on each other so heavily that the failure of one would significantly limit access. This principle overlaps with the requirements of the Network and Information Security 2 Directive for digital providers (see our NIS2 article series here).
10. Accountability
Providers must maintain governance frameworks that define responsibilities, ensure age assurance is auditable, and promote transparency and trust among data subjects.
Practical Implications: Another Layer in a Patchwork of Rules
As things stand, the 'rules' for age assurance in Europe are a patchwork of legal frameworks drawn from the GDPR, the Digital Services Act and the Audiovisual Media Services Directive, each of which implies or explicitly requires age assurance. The specifics, however, remain unclear and are left to providers to determine.
For those operating in the online space, especially where user bases are primarily children, it is essential to use this statement as a reference point. While EDPB statements are non-binding, this latest development provides a road map towards GDPR compliance, as it will be taken into account by data protection authorities from an enforcement and supervision perspective. This statement is a positive move towards providing stakeholders with greater clarity in this area.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.