The European Data Protection Supervisor (“EDPS”) has issued an opinion on Europe’s strategy for protecting children on the Internet. The European Commission consults with the EDPS on a variety of data protection issues. However, the opinions of the EDPS are not legally binding.
Among other things, the EDPS expressed support for:
- The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.
- Clear notice about the impact a change to a default setting would have on a child’s privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the “extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child. It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings.”
- A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public.
- A restriction on industry’s ability to create online behavioral advertising segments that target children.
- A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.
Although the EDPS noted that the Commission added a “right to be forgotten” online in the proposed Data Protection Regulation because disclosure of children’s personal data on social networking sites might have long term consequences for children and others who are mentioned in the child’s comments or photos, the EDPS also recognized that, “in practice, deleting or rectifying information that has been posted online can be a challenge.”
And with respect to age verification, the EDPS stated that volunteered age information may not be reliable, but also recognized that age verification models that are designed to infer a user’s age or verify the user’s identity may involve a disproportionate amount of data collection and processing and could be unreliable as well. Without taking a firm position on age verification, the EDPS stated that age verification tools must take care to collect and maintain only “necessary data” and indicated that a future opinion will address the proposed Regulation on electronic identification and trust services.
As background, EU law currently does not include specific requirements for children. Instead, data protection authorities have interpreted existing data protection laws to require children’s privacy and data protection rights to be respected in a manner appropriate to the child’s level of maturity and comprehension.
The proposed EU Data Protection Regulation, however, would include requirements specific to children and harmonize children’s privacy laws across the member states. Article 4(18) of the proposed Regulation would define a child as a person under the age of 18 years. Among other things, data controllers would be required to provide information to children in a language that the child can easily understand, provide children with a “right to be forgotten” online, and provide children with certain default, age-appropriate privacy settings. In addition, the proposed Data Protection Regulation would require verifiable parental consent before personal data of children under the age of 13 could be processed in the context of information society services.