The “Children’s Fundamentals” – A guide to protecting children’s personal data
18th March 2021
The DPC published a comprehensive draft guidance document at the end of last year entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (or “the Fundamentals” for short). The Fundamentals set out 14 key principles for organisations to follow when processing children’s data, and should be complied with by all organisations processing children’s data. This includes services that are directed at / intended for, or are likely to be accessed by children. In Ireland, for data protection purposes, a child is somebody under the age of 18 years.
The 14 key principles of the Fundamentals are as follows:
- Floor of protection: Online service providers should provide a “floor” of protection for all users, unless they take a risk-based approach to verifying the age of their users so that the protections set out in the Fundamentals are applied to all processing of children’s data.
- Clear-cut consent: Where a child gives consent to the processing of their data, that consent must be freely-given, specific, informed and unambiguous, made by way of a clear statement or affirmative action.
- Zero interference: If you are relying on legitimate interest(s) as a lawful basis for processing children’s personal data, you need to ensure that these legitimate interests do not interfere with, conflict with or negatively impact, at any level, the best interests of the child.
- Know your audience: Online service providers should take steps to identify their users and ensure that services directed at, intended for or likely to be accessed by children have child-specific data protection measures in place.
- Information in every instance: Children are entitled to receive information about the processing of their own personal data irrespective of the legal basis relied on. This is even the case where consent was given by a parent on their behalf to the processing of their personal data.
- Child-oriented transparency: Privacy information about how personal data is used must be provided in a concise, transparent, intelligible and accessible way, using clear and plain language that is easy to understand and suited to the age of the child.
- Let children have their say: Remember that children are data subjects in their own right and have rights in relation to their personal data at any age. As such, the DPC considers they should be allowed to exercise their data protection rights at any age so long as they have the capacity to do so and it is in their best interests.
- Consent doesn’t change childhood: Just because you have valid consent from a child or their parent/guardian doesn’t mean you can treat the child like an adult. You still need to provide the specific protection that children merit under the GDPR.
- Your platform, your responsibility: Companies who derive revenue from providing or selling services through digital and online technologies pose particular risks to the rights and freedoms of children. Where such a company uses age verification and/ or relies on parental consent for processing, the DPC will expect it to go the extra mile in proving that its measures around age verification and verification of parental consent are effective.
- Don’t shut out child users or downgrade their experience: If your service is directed at, intended for, or likely to be accessed by children, you can’t bypass your obligations simply by shutting them out or depriving them of a rich service experience.
- Minimum user ages aren’t an excuse: You can’t absolve yourself of your controller responsibilities to child users by simply stating that children below a certain age aren’t welcome on your platform/service. If your service isn’t intended for children under a certain age, then you need to take steps to ensure that your age verification mechanisms are effective at preventing children below that age from accessing your service. If this is not a viable option, then you need to ensure that appropriate data protection measures are in place to safeguard the position of child users, both below and above the official user age threshold.
- Prohibition on profiling: Don’t profile children for marketing or advertising purposes unless you can clearly show how and why it is in their best interests to do so.
- Do a DPIA: You should do Data Protection Impact Assessment for all processing of children’s personal data given their particularly vulnerability. The best interests of the child must be a key consideration in any DPIA and should outweigh your commercial interests or those of a third party.
- Bake it in: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services
The Fundamentals are open for public consultation until the end of this month (31st March), following which a final version will be published. Submissions from all stakeholders are welcome and can be sent to firstname.lastname@example.org.
Given that the Fundamentals will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data, all controllers who process children’s data should carefully review this guidance and take its recommendations on board.