On December 18, 2020, the Irish Data Protection Commission (“DPC”) published its draft Fundamentals for a Child-Oriented Approach to Data Processing (the “Fundamentals”). The Fundamentals introduce child-specific data protection principles and measures, which are designed to protect children against data processing risks when they access services, both online and off-line. The DPC notes that all organizations collecting and processing children’s data should comply with the Fundamentals. The Fundamentals are open for public consultation until March 31, 2021.

The Fundamentals are comprised of 14 principles that organizations should follow when processing children’s data, including (among others):

  • providing a “floor” of protection for all users of online services, unless they take a risk-based approach to verifying the age of users so that the protections set out in the Fundamentals are applied to only the processing of children’s data;
  • where relying on consent, obtaining clear-cut consent from children to processing (subject to the limits imposed by Ireland’s digital age of consent, which is 16);
  • ensuring that the pursuit of legitimate interests does not interfere with the best interests of the child;
  • taking steps to know their audience, and ensuring that services intended for or likely to be accessed by children have child-specific data protection measures in place; and
  • ensuring that children receive appropriate information about how their information is handled in a child-friendly manner.

(See Section 1.2 of the Fundamentals for the full list).

The Fundamentals also provide a non-exhaustive list of practical measures that organizations should incorporate into the design processes for their products and services, such as strict default privacy settings, clear and flexible user controls, and parental oversight (see Section 7.3 of the Fundamentals for the full list of recommended practical measures).

The Irish DPC’s Fundamentals follow shortly after the UK Information Commissioner’s Office (“ICO”) issued its Age Appropriate Design Code (the “ICO Code”) in August 2020 . Both documents highlight the risks to children’s data privacy in the digital age and are underpinned by the principle of upholding the best interests of the child, among other guiding principles. The DPC notes that a key difference between the two documents is that the ICO Code focuses more on the necessary privacy-by-design features that must be engineered into services used by children, whereas the Fundamentals take a broad-based approach. That said, the DPC also notes that the Fundamentals are “entirely consistent” with the ICO Code.

We will continue monitoring the Fundamentals’ progress until they are finalized.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Photo of Shona O'Donovan Shona O'Donovan

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies…

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies on complying with EU and UK data protection and e-privacy rules. She regularly defends clients in regulatory investigations and inquiries, and provides strategic advice on incident response. She advises clients on existing and emerging online content laws, including those affecting intermediary services and audiovisual media services. In this context, she regularly advises clients on the intersection between online content and privacy rules.

Shóna also counsels clients on policy developments and legislative proposals in the technology sector, and the impacts of these developments for their business.

In her current role, Shóna gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Photo of Stacy Young Stacy Young

Stacy Young is an associate in the London office. She advises technology and life sciences companies across a range of privacy and regulatory issues spanning AI, clinical trials, data protection and cybersecurity.