Fundamental Changes for Processing of Children’s Data – Online and Offline

The Data Protection Commission (DPC) has recently published new guidance “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing”.

Essentially the Fundamentals specifies that organisations providing a service that is directed at or intended to be accessed by children should ensure child-specific data protection measures are in place to enhance the level of protection afforded to children against the data processing risks posed to them by their use of or access to the service.

The Fundamentals follows an extensive consultative process, including submissions from stakeholders and children. The Fundamentals have been drawn up to bring about improvements in standards of data processing of children’s data.

In practice, queries around processing of children’s data often involve balancing competing interests of the child and those with a right of say in the child’s welfare and protection, their parent and legal guardian. The Fundamentals provides helpful factors for organisations when meeting this issue.

This article written by Clare Daly, Child Law Solicitor gives an overview of the obligations for organisations providing services directed at children, requiring the processing of children’s personal data. The question arises:  can others seek to exercise a child’s data rights?

Who Should Comply?

The Fundamentals applies primarily to any organisations that provide services directed at, intended for or likely to be accessed by children. In practical terms, the guidance is aimed at services used by significant numbers of children, including online such as social media, and offline, such as sports clubs; even if the service in question was not primarily intended for children or originally designed with them in mind.

The guidance says that a service that is directed at or intended to be accessed by children will generally be self-evident from the manner in which the service markets, describes or promotes itself. However, services which have mixed-user audiences i.e. including children, may be less obvious.

The Fundamentals are not restricted to online activities, and the guidance specifically makes reference to offline, such as educational providers, sports and social clubs and communities, and health and social support providers amongst others.

In a digital context, social media, media sharing, gaming, entertainment, educational, advocacy, health and social care/support services are referenced in terms of applicable websites, apps, for example.

What are the Standards of Protection?

Children enjoy the same data protection rights as adults. The guidance notes that:

The GDPR is about empowering data subjects and giving them control over their personal data, including through their data protection rights, and children are no exception to this.

Crucially the guidance also provides:

There tends to be a general misconception that children do not have the same data protection rights as adults, but this is not the case. Children have all of the same rights as adults over their personal data – it is still their personal data and does not belong to anyone else, such as a parent or guardian.

Moreover, the GDPR requires organisations to implement higher standards of protection when processing children’s personal data, such as around transparency, the right to be forgotten and as regards profiling or automated decision- making.

How are these protections applied in practice?

The guidance sets out the baseline expectations of the DPC for organisations that process children’s data, by way of 14 core fundamentals which organisation should follow to enhance protections for children when processing their personal data:

1. Floor of protection
2. Clear-cut consent
3. Zero interference
4. Know your audience
5. Information in every instance
6. Child-oriented transparency
7. Let children have their say
8. Consent doesn’t change childhood
9. Your platform your responsibility
10. Don’t shut out child users or downgrade their experience
11. Minimum user ages aren’t an excuse
12. A precautionary approach to profiling
13. Do a DPIA (Data Protection Impact Assessment)
14. Bake it in

The guidance also seeks to prioritise the best interests of the child so that the processing of children’s personal data does not interfere with, the best interests of the child.

In what circumstances can a parent or legal guardian exercise their child’s data protection rights?

A legal guardian has a right of say in their child’s upbringing and, as such, may seek to exercise the data protection rights of their child where it is in the best interests of the child to do so.

A parent/guardian of a child should be able to access their child’s personal data, insofar as it is in the best interests of the child. There is a rebuttable presumption that a guardian is acting in the best interests of their child unless there is evidence to the contrary.

The new guidance considers that the following (non-exhaustive list of) factors should also be considered by an organisation in deciding whether it is in the best interests of the child that a legal guardian exercise their child’s data protection rights:

1. The age of the child – the closer the child is to the age of 18, the more likely it is that an organisation holding the child’s personal data should deal directly with the child themselves.
2. The nature of the personal data and the processing being carried out – this should include consideration of the sensitivity/confidentiality of the personal data and the basis upon which it has been provided by or shared by the child with the organisation which holds it.
3. The nature of the relationship between the child and the parent/guardian – e.g. are there any court orders relating to parental access/responsibility/custody/child protection etc. in existence?
4. The purpose for which the parent(s)/ guardian(s) seek(s) to exercise the child’s data protection rights.
5. Whether the child would, or does in fact, consent to the parent(s)/guardian(s) exercising their data protection rights and any views or opinions expressed by the child.
6. Whether allowing the parent(s)/ guardian(s) to exercise the child’s data protection rights would cause harm/distress to the child in any way.
7. Whether there are any sectoral rules or laws which apply to the particular context in which the parent(s)/ guardian(s) is/ are seeking to exercise the child’s data protection rights.

Conclusion:

The Fundamentals sets out the baseline expectations required by the DPC when organisations are providing services directed at children. At a practical level the guidance is a useful tool when organisations are tasked with assessing whether another person can step into a child’s shoes and exercise that child’s data rights. In the first instance, the question to be addressed is: what is in the best interest of the child?

If you have a query relating to this or any child care matter, please contact a member of our Child Care Team.