The European Data Protection Supervisor (“EDPS”) has issued an opinion on Europe’s strategy for protecting children on the Internet.  The European Commission consults with the EDPS on a variety of data protection issues.  However, the opinions of the EDPS are not legally binding. 

Among other things, the EDPS expressed support for: 

  • The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.     
  • Clear notice about the impact a change to a default setting would have on a child’s privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the “extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child.  It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings.” 
  • A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public. 
  • A restriction on industry’s ability to create online behavioral advertising segments that target children.
  • A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.

 

Although the EDPS noted that the Commission added a “right to be forgotten” online in the proposed Data Protection Regulation because disclosure of children’s personal data on social networking sites might have long term consequences for children and others who are mentioned in the child’s comments or photos, the EDPS also recognized that, “in practice, deleting or rectifying information that has been posted online can be a challenge.”

And with respect to age verification, the EDPS stated that volunteered age information may not be reliable, but also recognized that age verification models that are designed to infer a user’s age or verify the user’s identity may involve a disproportionate amount of data collection and processing and could be unreliable as well. Without taking a firm position on age verification, the EDPS stated that age verification tools must take care to collect and maintain only “necessary data” and indicated that a future opinion will address the proposed Regulation on electronic identification and trust services.

As background, EU law currently does not include specific requirements for children. Instead, data protection authorities have interpreted existing data protection laws to require children’s privacy and data protection rights to be respected in a manner appropriate to the child’s level of maturity and comprehension.

The proposed EU Data Protection Regulation, however, would include requirements specific to children and harmonize children’s privacy laws across the member states. Article 4(18) of the proposed Regulation would define a child as a person under the age of 18 years. Among other things, data controllers would be required to provide information to children in a language that the child can easily understand, provide children with a “right to be forgotten” online, and provide children with certain default, age-appropriate privacy settings. In addition, the proposed Data Protection Regulation would require verifiable parental consent before personal data of children under the age of 13 could be processed in the context of information society services.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.