On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here).  These recommendations are based on relevant requirements in EU data and consumer protection laws.

According to the authorities, this joint initiative arises from the proliferation of digital business models that increasingly rely on the use of personal data for commercial purposes, which may be subject to specific rules under both data privacy and consumer protection legislation in Europe. 

In their joint statement, the authorities cited research indicating that children (defined as any individual below the age of 18 years old) are unable able to recognize certain forms of advertising — particularly ads that are deeply embedded in the context of digital media and online games — and as a result, they are particularly susceptible to certain forms of advertising potentially inappropriate for children.  Therefore, the authorities published these key principles for businesses to apply in order to (1) avoid practices that can be harmful for children and (2) better inform children about when and how their data is used for advertising purposes.

The five advertising principles are:

  1. Take into account the specific vulnerabilities of children when designing advertising or marketing techniques that are likely to target children (in particular, do not deceive or unduly influence them, and consider whether certain types of personalized marketing are inappropriate for them altogether);
  2. Do not exploit the age or credulity of children when engaged in marketing;
  3. Explain to children, in a manner that is appropriate and clear to them, whenever general marketing content is addressed to them or is likely to be seen by them;
  4. Do not target, urge or prompt children to purchase in-app or in-game content, and games marketed “for free” should not require in-app or in-game purchases to continue playing them in a “satisfactory manner”; and
  5. Do not profile children for advertising purposes. 

The authorities emphasize that these five key principles are without prejudice to applicable EU laws, particularly in the areas of consumer protection and data privacy, including any applicable national implementing rules. 

These principles follow a wave of recent child-oriented standards published by European data protection authorities, including (among others) the UK ICO’s Age Appropriate Design Code (see our blog posts here and here), the Irish DPC’s Fundamentals for a Child-Oriented Approach to Data Processing (see our blog posts here, here and here), and the French CNIL’s Eight Recommendations for Protecting Children Online (see our blog post here). 

Moreover, the latest draft of the EU’s Digital Services Act, which has been provisionally agreed by the European Parliament and the Council, requires providers of digital services to implement specific safeguards for protecting children.  Among other things, it requires putting in place “appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service”.  It also prohibits providers from showing targeted advertising on their platforms using personal data of individuals who they are “aware with reasonable certainty” to be minors. 

These developments demonstrate the continued focus of European lawmakers and regulators on safeguarding the interests of children, and the importance of businesses staying apprised of these evolving rules and putting in place appropriate measures to ensure compliance.  

The Covington team will keep monitoring any developments in the area of children’s privacy and is happy to assist with any inquiries on the topic.

On May 4, 2022, the General Court of the EU handed down a decision that helps clarify the standard of proof required to demonstrate that information that does not identify someone by name constitutes “personal data” under EU data protection law.  The court also clarifies that the burden of proof falls on the entity alleging that the information is personal data.

The case concerns an online press release published by the European Anti-Fraud Office’s (“OLAF”) announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project.  Among other things, the scientist alleged that the press release contained “personal data” about her and, therefore, OLAF breached data protection law because it did not have a legal basis to disseminate her “personal data”.  She also alleged that OLAF’s press release had enabled two journalists to identify her and write each an article mentioning her by name.

The court disagreed with the position taken by the scientist, holding that the she was not able to demonstrate that the published information enabled her identification and, therefore, it had not demonstrated that the information was “personal data”.  It also decided that OLAF was not responsible for the news articles that identified the scientist by name.

Continue Reading General Court of the EU Finds that Individual was Unable to Prove that Information Published Online Constitutes “Personal Data”

Nine million texts are sent daily in Ireland, a huge increase on when the first text was sent in 1992.  All are subject to the data retention and access regime currently in place under the Communications (Retention of Data) Act 2011.  That regime has now been given the kiss of death by the Court of Justice of the European Union (“CJEU”) in its recent decision on a referral by the Irish Supreme Court dealing with the validity of electronic communications evidence collected under it.

The legislation, brought in to transpose EU Directive 2006/24, regulates the retention of data by electronic communications providers and access to that data by state authorities.

Continue Reading CJEU Strikes Down Metadata Collection in Irish Criminal Case

On April 12, at the International Association of Privacy Professionals’ global privacy conference, Colorado Attorney General Phil Weiser gave remarks on his office’s approach to the rulemaking and enforcement of the Colorado Privacy Act. Continue Reading Colorado Attorney General Remarks on CPA Rulemaking

The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German).  The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced on July 6, 2021.  The DSK also refers to the Government’s intention to introduce a law on the use of health data, including the storage of data in electronic health records. Continue Reading German Supervisory Authorities Publish Paper on Scientific Research and Data Protection

The California Privacy Protection Agency (“CPPA”) held two informational hearings on March 29, 2022 and March 30, 2022, in anticipation of its upcoming rulemaking later this year.  While the CPPA Board was present throughout the hearings, its members did not present any views as part of the program.  The speakers covered the following topics of note: Continue Reading California Privacy Protection Agency Holds Informational Hearings

On February 24, 2022, the Irish Data Protection Commission (“DPC”) published its 2021 annual report setting out its activities and outcomes for last year (see press release here and the full report here).  At 120 pages long, it is detailed and specific, and in places, comes with a targeted and reflective commentary.  Overall, it provides readers with useful insights into the work of a supervisory authority at the forefront of Europe’s data protection whirlwinds.

Continue Reading Irish Data Protection Commission Publishes 2021 Annual Report

On February 23, 2022, the European Commission published the draft EU Regulation on harmonized rules on fair access to and use of data, also referred to as the “Data Act” (available here).  The Data Act is just the latest EU legislative initiative, sitting alongside the draft Data Governance Act, Digital Services Act, and Digital Markets Act, motivated by the EU’s vision to create a single market for data and to facilitate greater access to data.

Among other things, the proposed Regulation:

  • grants “users” of connected “products” and “related services” – meaning a digital service incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions – offered in the EU rights to access and port to third parties the data generated through their use of these products and services (including both personal and non-personal data);
  • requires manufacturers of these products and services to facilitate the exercise of these rights, including by designing them in such a way that any users – which may be natural and legal persons – can access the data they generate;
  • requires parties with the right, obligation or ability to make available certain data (including through the Data Act itself) – so-called ”data holders” – to make available to users the data that the users themselves generate, upon request and “without undue delay, free of charge, and where applicable, continuously and in real-time”;
  • requires data holders to enter into a contract with other third-party “data recipients” on data sharing terms that are fair, reasonable and non-discriminatory; relatedly, any compensation agreed between the parties must be “reasonable” and the basis for calculating the compensation transparent, with special rules set out for micro, small or medium-sized data recipients to facilitate their access to the data at reduced cost;
  • authorizes public sector bodies and Union institutions, agencies or bodies to request access to the data in “exceptional need” situations;
  • requires certain digital service providers, such as cloud and edge service providers, to implement safeguards that protect non-personal data from being accessed outside the EU where this would create a conflict with EU or Member State law;
  • requires such data processing service providers to make it easy for the customers of such services to switch or port their data to third-party services; and
  • imposes interoperability requirements on operators of “data spaces”.

As a next step, the Council of the EU and the European Parliament will analyze the draft Regulation, propose amendments and strive to reach a compromise text that both institutions can agree upon.  Below, we discuss the key provisions of the Data Act in more detail. Continue Reading European Commission Publishes Draft Data Act

One of every five people (20.5%) in Ireland are children under the age of 14.  This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019.  Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%.  It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years.  This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks.  These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.

Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.

Introduction

Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data.  Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.

In addition to the usual GDPR expectations, the specific Fundamentals also include:

  • Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
  • “Know your customer” requirements focusing on child-oriented transparency; and
  • Specific guidance around age verification and consent

The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.

Continue Reading Irish DPC Publishes Guidance On Processing Children’s Personal Data

There has been a substantial increase in the use of the Internet across the African continent, aided by ongoing investment into local digital infrastructure, reduction in the associated costs, and improved user access. This has allowed both individuals, and private and public entities, the ability to access, collect, process and/or disseminate personal data more easily, which has spurred a number of African countries to enact comprehensive data protection laws and establish data protection authorities. There is also a growing perception among African countries that there is a need to protect their citizen’s personal data, to regulate how public and private entities use personal data, and to establish data protection authorities tasked with enforcing these laws.

While countries like Kenya, Rwanda and South Africa now have comprehensive data protection laws, which share some elements found in the European Union’s General Data Protection Regulation (“GDPR”), many of the proposed data protection laws have specific rules that are different from those in other countries in Africa. Consequently, technology companies conducting business in Africa will be required to keep abreast of the evolving regulatory landscape as it relates to data protection on the continent.

Continue Reading Tech Regulation in Africa: Recently Enacted Data Protection Laws