On December 18, 2020, the Irish Data Protection Commission (“DPC”) published its draft Fundamentals for a Child-Oriented Approach to Data Processing (the “Fundamentals”). The Fundamentals introduce child-specific data protection principles and measures, which are designed to protect children against data processing risks when they access services, both online and off-line. The DPC notes that all organizations collecting and processing children’s data should comply with the Fundamentals. The Fundamentals are open for public consultation until March 31, 2021.
The Fundamentals are comprised of 14 principles that organizations should follow when processing children’s data, including (among others):
- providing a “floor” of protection for all users of online services, unless they take a risk-based approach to verifying the age of users so that the protections set out in the Fundamentals are applied to only the processing of children’s data;
- where relying on consent, obtaining clear-cut consent from children to processing (subject to the limits imposed by Ireland’s digital age of consent, which is 16);
- ensuring that the pursuit of legitimate interests does not interfere with the best interests of the child;
- taking steps to know their audience, and ensuring that services intended for or likely to be accessed by children have child-specific data protection measures in place; and
- ensuring that children receive appropriate information about how their information is handled in a child-friendly manner.
(See Section 1.2 of the Fundamentals for the full list).
The Fundamentals also provide a non-exhaustive list of practical measures that organizations should incorporate into the design processes for their products and services, such as strict default privacy settings, clear and flexible user controls, and parental oversight (see Section 7.3 of the Fundamentals for the full list of recommended practical measures).
The Irish DPC’s Fundamentals follow shortly after the UK Information Commissioner’s Office (“ICO”) issued its Age Appropriate Design Code (the “ICO Code”) in August 2020 . Both documents highlight the risks to children’s data privacy in the digital age and are underpinned by the principle of upholding the best interests of the child, among other guiding principles. The DPC notes that a key difference between the two documents is that the ICO Code focuses more on the necessary privacy-by-design features that must be engineered into services used by children, whereas the Fundamentals take a broad-based approach. That said, the DPC also notes that the Fundamentals are “entirely consistent” with the ICO Code.
We will continue monitoring the Fundamentals’ progress until they are finalized.