CIPL provides comments on the Irish DPC’s guidelines on the protection of children’s personal data
On March 26, 2021, the Center for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth shared its comments on the Irish Data Protection Commissioner’s (“DPC”) draft policy on the protection of children’s personal information when providing online services, “Children’s Front and Center – Basics for a Child-Friendly Approach to Data Processing” (the “Draft Directive”).
The draft directive, issued on December 20, 2020, complements a growing body of work being carried out by regulators, including the UK’s Information Commissioner’s Office (“ICO”) in its Code of Conduct for Age Appropriate Design for Online Services (the “ICO Age Appropriate Code”).
In its comments, CIPL advocates developing common, consistent approaches to child data, including developing a common interpretation of the General Data Protection Regulation (GDPR) requirements regarding the processing of children’s data and a common, broader approach to protecting children in data processing situations.
CIPL notes that the basic approaches of both the draft policy and the ICO Age Appropriate Code have much in common, including an emphasis on the centrality of child interests as the guiding principle and the adoption of a risk-based approach in some areas. However, there are some fundamental differences between them as well, including a total ban on child profiling in the draft directive. The draft guideline also applies to all organizations that process children’s data, not just information society service providers (“ISS”), and has a broader scope than the ICO Age Appropriate Code, addressing issues such as the treatment of security standards, the handling of data violations and the use of biometric data. CIPL recommends that the approach of the draft directive be brought into line with the ICO as far as possible in the interests of consistency.
CIPL has identified a number of important practical and strategic issues with the draft guidelines. In particular, CIPL recommends that the draft directive:
- Clarify the scope of the organizations it applies to and avoid covering all online businesses just because of the chances that users are children;
- Focus more clearly on the GDPR concept of a risk-based approach and take advantage of it, for example by recognizing that not all processing of personal data relating to children carries the same risk;
- Take a practical and proportionate approach to age verification, e.g., by limiting the scope of the age verification requirement to services that are specifically aimed at children or that are highly likely to be visited by children due to the nature of the service or goods;
- Avoid being prescriptive, e.g., by avoiding mandatory or detailed requirements related to the design and the provision of transparent information;
- Clearly link the list of draft and standard measures provided to the substantive guidance in the main body of the draft directive rather than adding them as a separate list;
- Recognize the other fundamental rights and freedoms of children, such as their rights to autonomy, association, gaming, access to information, education and freedom of expression;
- Use a risk-based approach to profiling and acknowledge that if profiling is used, the best interests of the child should be assessed, with particular reference to the purpose of the processing, the role profiling plays in the service being provided, and the security measures in place, which can address the likely and serious harms, and the fact that data is being used to benefit children, including profiling;
- Enable organizations to tailor their online services to target different audiences of children and provide examples; and
- Provide that the obligation not to downgrade services should only apply to services intended for children.
CIPL offers further recommendations regarding the approach of the draft policy, including regarding the proposed “strictest” privacy settings, account migration and binding agreements for users aged 16 and over, a higher level of security for children compared to adults, the consistency of service across different devices and platforms, using biometrics, adapting privacy settings to different users on a shared device, and processing children’s data at the device level rather than in the cloud.
CIPL’s full comments can be viewed here.