Seán O’Donnell: A child-oriented approach to data processing
Seán O’Donnell, partner at ByrneWallace, examines the 14 principles underpinning Ireland’s regulator’s approach to data processing.
On 18 December 2020 the Data Protection Commission published its draft Fundamentals for a Child-Oriented Approach to Data Processing. Building on existing guidance, the draft Fundamentals contain 14 principles which set out higher standards around the best interests of the child, respecting the autonomy of children’s rights, consent and transparency. The draft Fundamentals are the latest part of an ongoing public consultation process, and any interested party is invited to make submissions on the document by 31 March 2021.
With this guidance, the DPC seeks to introduce child-specific data protection interpretative principles and recommended measures in order to enhance protection against data processing risks posed to children. At the same time, it aims to assist organisations processing children’s data by clarifying the principles to which the DPC expects them to adhere. While subject to further consultation, they are unlikely to change substantially:
- Organisations should take a risk-based approach to verifying age online or provide a floor of protection for all users
- Children’s consent must be “clear-cut” (effectively explicit consent)
- The pursuit of legitimate interests online should not interfere with, conflict with or negatively impact, at any level, the best interests of the child
- Ensure that services directed at/ intended for or likely to be accessed by children have child-specific data protection measures
- Children’s right to information applies irrespective of legal basis or the parental consent
- Information provided must be transparent, intelligible and accessible, using clear and plain language that is comprehensible and suited to the age of the child
- Children should be permitted to exercise their data protection rights where they have capacity and it is in their best interests
- Children should not be treated like adults just because they are able to consent
- Companies generating revenue online are expected to go the extra mile to demonstrate their age verification and parental consent measures are effective
- Children should not be shut out from a service in order to bypass an organisations obligations to them
- Theoretical user age thresholds for accessing services don’t displace obligations of organisations
- Organisations must demonstrate how using children’s data for marketing/advertising purposes (including profiling and automated decision-making) is in the child’s best interests
- Online service providers should undertake data protection impact assessments on the specific risks to children
- A high level of protection is expected by design and default
Following the conclusion of the public consultation process, the draft Fundamentals will be finalised and published. Organisations processing children’s data, particularly those operating online, should begin familiarising themselves with the draft Fundamentals, and where appropriate make submissions to the DPC in relation to them, as then finalised they will inform the DPC’s approach to supervision, regulation and enforcement of processing of children’s personal data.