DPC doing its homework – Public Consultation promotes protection of children’s personal data
The Data Protection Commission undertook a Public Consultation on the Processing of Children’s Personal Data and the Rights of Children as Data Subjects under the GDPR from December 2018 to May 2019 in an effort to promote an understanding of the rights and risks surrounding the processing of personal data relating to children.
The Data Protection Commission (DPC) undertook a Public Consultation on the Processing of Children’s Personal Data and the Rights of Children as Data Subjects under the GDPR from December 2018 to May 2019 in an effort to promote an understanding of the rights and risks surrounding the processing of personal data relating to children.
The DPC’s public consultation was particularly important as the responses submitted will assist it in drafting guidance for children and organisations who process children’s data, and will also serve as a foundation for codes of conduct to promote best practices. It aimed to raise awareness of the express protections of the personal data of children contained in the Data Protection Act 2018 (DPA 2018), which was adopted on 25 May 2018 and which transposes the GDPR into Irish law.
The DPA 2018 sets the age of digital consent at 16 years old. This means that a child must be 16 years old before they (as opposed to the holder of parental responsibility) can provide a valid consent for the processing (such as the collection, storage or use) of his or her personal data by online service providers. While Article 8 of the GDPR allows Member States to nominate the age at which an individual is capable of providing digital consent at a minimum of 13 years old and a maximum of 16 years old, the majority of EU countries have opted to set this limit at 13 years old.
The DPA 2018 also establishes an offence for companies processing the personal data of a child (i.e. an individual under 18 years old) for the purposes of direct marketing, profiling or micro-targeting. However, the relevant section (Section 30) has not yet been commenced as it is regarded as being incompatible with the GDPR and would potentially expose Ireland to proceedings from the EU Commission.
The DPC’s public consultation was divided into two streams, one aimed at adult stakeholders and the other aimed directly at children. As part of the adult consultation (stream I), the DPC received 30 submissions from private, public and civil society organisations. The children’s consultation (stream II) saw packs of lesson plan materials (which had a particular focus on social media) distributed to schools and youth-reach centres across Ireland. The DPC received 50 submissions for stream II of the consultation, which provided insights into the views of approximately 1,200 students of various ages.
In July 2019, the DPC published its Preliminary report on Stream II of the DPC’s public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR. That report provides an overview of the themes and issues that children commented on in response to the consultation (in particular, simplicity, transparency, accessibility, flexibility, issues around children’s consent and parental involvement in online activity and children’s attitudes to online advertising).
In September 2019, the DPC published its report on Stream 1 entitled “Whose Rights Are They Anyway? Trends and Highlights from Stream 1 of the DPC’s Public Consultation on Children’s Data Protection Rights”. This report provides an overview of the responses received to each of the 16 questions set out in the consultation document.
There was a significant level of divergence between private and non-private sector participants on several issues, such as whether to offer separate privacy notices for adults and children, or whether the profiling of children for marketing purposes should be allowed. However, some issues appeared to unite participants across sectoral lines, for example, the best strategies for conveying transparency information to minors. Some participants also raised their own additional issues of importance, such as the question of the data protection rights of children with disabilities and the desire for guidance from specialised civil society groups.
The DPC has announced that it will “shortly be publishing a detailed piece of draft guidance to address the issues highlighted in the consultation, and stakeholders will have an opportunity to comment and make submissions on that guidance before it is finalised”. The DPC has also stated that it will “proactively seek to drive industry forward” with a view to developing one or more Codes of Conduct on the processing of children’s personal data “as a top priority in 2020”.
Section 32 of the DPA 2018 requires that the DPC encourage the drawing up of codes of conduct to promote best practices by organisations that process the personal data of children and young people. Article 40 of the GDPR provides that draft codes of conduct may be submitted to the DPC by associations and other bodies representing categories of controllers or processors. The draft code will be approved and published by the DPC if it provides “sufficient appropriate safeguards”.
The DPC has not yet approved any draft codes of conduct. However, the European Data Protection Board issued in June 2019 a set of guidelines which set out the factors to be taken into account by a Supervisory Authority when evaluating a particular draft code.
Significantly, while codes of conduct are not legally binding (in the absence of formal adoption by the Commission through an implementing act), they are a mechanism which can be used by organisations to demonstrate their compliance with the GDPR. For example, Articles 40(2)(j) and 40(3) of the GDPR allow third parties to agree to adhere to approved codes in order to satisfy legal requirements to provide appropriate safeguards in relation to international transfers of personal data to third countries. Compliance with a code of conduct can also act as a mitigating factor when determining administrative fines.
It seems therefore that the DPC will expect industry to produce voluntary codes of practice which it may review and approve under Article 40 GDPR, while it in turn will publish guidance on children’s data issues.
The authors wish to thank Bronágh Carvill for her contribution to this briefing.