On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

The Draft Guidance, issued on December 20, 2020, adds to a growing body of work carried out by regulators, including the UK Information Commissioner’s Office (“ICO”) in their Code of Practice for Age Appropriate Design for Online Services (the “ICO Age Appropriate Code”).

In its comments, CIPL encourages the development of shared, consistent approaches to children’s data, including the development of a common interpretation of General Data Protection Regulation (“GDPR”) requirements as they relate to the processing of children’s data and a common, broader approach to protection of children in data processing situations.

CIPL notes that the fundamental approaches of both the Draft Guidance and the ICO Age Appropriate Code have much in common, including a focus on the centrality of the interests of the child as a guiding principle and the adoption of a risk-based approach in some areas. However, there are also some fundamental differences between them, including an outright prohibition on the profiling of children in the Draft Guidance. The Draft Guidance also applies to all organizations that process children’s data, not just providers of Information Society Services (“ISS”), and has a broader scope than the ICO Age Appropriate Code, covering issues such as how to address security standards, handle data breaches and use biometrics. CIPL recommends that the approach of the Draft Guidance be reconciled with the ICO where possible, in the interests of consistency.

CIPL has further identified some key practical and strategic issues with the Draft Guidance. In particular, CIPL recommends that the Draft Guidance:

  • Provide clarification as to the scope of organizations to which it applies, and avoid capturing all online businesses, just because there is a possibility that users may be children;
  • Have a clearer focus on and leverage the GDPR concept of a risk-based approach, such as by recognizing that not all processing of personal data relating to children raises the same level of risk;
  • Take a practical and proportional approach to age verification, such as by limiting the scope of the age verification requirement to services that are specifically targeted at children, or have a high likelihood of being visited by children because of the nature of the service or goods;
  • Not be prescriptive, e.g., by avoiding mandating prescriptive or granular requirements with respect to design and how to provide transparent information;
  • Clearly link the list of design and default measures provided to the substantive guidance in the body of the Draft Guidance rather than adding them as a separate list;
  • Acknowledge children’s other fundamental rights and freedoms, such as their right to autonomy, association, play, access to information, education and freedom of expression;
  • Take a risk-based approach to profiling and acknowledge that when profiling is used, the best interest of the child should be assessed, with particular attention to the purpose of the processing, the role that profiling plays in the provided service and the safeguards put in place to address likely and serious harms, as well as the fact that there are beneficial uses of data for children, including profiling;
  • Enable organizations to adapt their online services to different child audiences and provide examples of how to do so; and
  • Provide that the obligation not to “downgrade” services should only apply to services intended for children.

CIPL provides further recommendations with respect to the approach of the Draft Guidance, including in relation to proposed “strictest” privacy settings, arrangements around account migration and retention for users turning 16, a higher standard of security for children compared to adults, the consistency of service across different devices and platforms, the use of biometrics, the tailoring of privacy settings to different users on a shared device and the processing of children’s data at a device level instead of in the cloud.

CIPL’s full comments can be reviewed here.

By admin