In recent weeks, the Office of the Irish Data Protection Commissioner (DPC) announced its participation in the Global Privacy Enforcement Network’s (GPEN) annual privacy ‘sweep’. The focus of the 2015 sweep is the data privacy practices of websites and apps aimed at or popular among children. This announcement follows last year’s sweep which focused on app privacy compliance and discovered that a significant majority of apps did not provide enough information about how consumers’ data would be used.

This year’s theme was chosen as many DPAs had identified children as a key area of focus, given the spread of websites and mobile apps targeted at or popular among this demographic. The study involves a co-ordinated effort by 26 data protection authorities (DPAs) from around the world, with the initial investigation having been conducted between 11 May and 15 May 2015. Any issues identified during the sweep will result in follow-up work such as outreach to organisations, deeper analysis of app privacy provisions and possible enforcement action.

Background to GPEN

GPEN was established in 2008, following a recommendation by the OECD. Its goal is to foster cross-border cooperation among DPAs. This establishment of GPEN is motivated by the fact that commerce and consumer activity increasingly relies on the seamless flow of personal information across borders. The members of GPEN seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of approximately 50 DPAs across some 39 jurisdictions.

What will the 2015 sweep target?

This year’s sweep will target websites and apps aimed at children, such as gaming websites, social networks and educational websites. Participating DPAs may choose to focus on either locally-developed apps and websites or those of multinational application.

As part of the initiative, participating DPAs will assess whether:

  • the apps and websites examined collect personal information from children and, if so, whether protective controls exist to limit such collection;
  • the apps and websites reviewed seek parental involvement and whether they allow users to be redirected off the site to third party sites; 
  • the ease with which one can request the deletion of personal information submitted by children; and
  • privacy communications are tailored to the appropriate age group through methods such as simple language, large print, audio and animation.

In addition to the above, some of the more general goals of the sweep include:

  • increasing public and business awareness of privacy rights and responsibilities;
  • encouraging compliance with privacy legislation;
  • identifying concerns that may be addressed through targeted education and / or enforcement; and
  • enhancing cooperation amongst privacy enforcement authorities.

Commenting on the sweep, the Irish DPC, Helen Dixon, said:

Websites and apps are useful and enjoyable for both children and their parents. However there is legitimate concern about the kind of data being collected by service providers via websites and apps that are popular with children, and how it is used and stored. How service providers communicate data and privacy issues to parents and children also merits investigation. My office is delighted to be taking part in this worthwhile and timely GPEN Sweep.”

Results of the Sweep

The results of this year’s sweep will be compiled and published in the autumn. Participating DPAs are aiming to develop a global picture of the privacy practices of websites and apps directed at children and to identify practices common to certain countries. As with previous sweeps, following the publication of results we can expect DPAs to issue new guidance. It is also likely that a joint letter will be written to those organisations whose practices have been identified as requiring improvement.

How the law currently stands

There is a contrast in the ways in which US and EU law handle the collection of children’s information. US Federal law contains a specific statute, COPPA, which regulates the collection of children’s information. In contrast, the EU Data Protection Directive and Irish Data Protection Acts 1988 and 2003 do not contain detailed, specific rules dealing with the processing of children’s information. Despite this, regulators, including the DPC, take a pro-child approach when interpreting general rules of data protection law.

Additional clarification on the rules governing this issue is expected to be included in the proposed EU Data Protection Regulation. The results of the sweep may prove valuable in informing the proposed Regulation in respect of provisions concerning the data protection rights of children.