Children are provided a specific protection under the GDPR. Recital 38 of the GDPR states that:
“Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
Helpfully, the UK Information Commissioner’s Office has now published a draft guidance on children and the GDPR, and the draft guidance is freely available online here https://ico.org.uk/media/about-the-ico/consultations/2172913/children-and-the-gdpr-consultation-guidance-20171221.pdf
The Information Commissioner is seeking comments on foot of the draft and, in the meantime, the draft working document itself is being published to provide some clarity and certainty for organisations.
In the introduction to the draft guidance, a helpful summary under the title “What’s New?” is set out as regards the incoming GDPR and the changes that will result, and it provides that:
- “If you rely on consent as your lawful basis for processing personal data when offering an ISS (online service) directly to children, only children aged 13 or over are able provide their own consent. You may therefore need to verify that anyone giving their own consent in these circumstances is old enough to do so.
- For children under this age you need to get consent from whoever holds parental responsibility for them - unless the ISS (online service) you offer is an online preventive or counselling service.
- You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.
- Children merit specific protection when you are collecting their personal data and using it for marketing purposes or creating personality or user profiles.
- You should not usually make decisions about children based solely on automated processing if this will have a legal or similarly significant effect on them. The circumstances in which the GDPR allows you to make such decisions are limited and only apply if you have suitable measures to protect the interests of the child in place.
- You must write clear and age-appropriate privacy notices for children.
- The right to have personal data erased is particularly relevant when the individual gave their consent to processing when they were a child.”
Fairness, transparency and accountability are essential for all data processing, but this is especially relevant when children are accessing online services. The Information Commissioner states that anyone offering online services to children will have to ensure that they are addressed in plain, clear language that they can understand.
There are new rules concerning areas such as automated decision-making, the right to erasure and also around consent. The Information Commissioners office also stressed that where an organisation is providing online services to children and they are relying on the basis of consent, they will need to take action now to get valid consent in place before May.
The guidance is helpful and informative from the Irish perspective. As we await the provisions of the Data Protection Act 2018 it remains to be seen exactly what provisions will be brought into force, particularly as regards the special protections that must be put in place as regard a child’s personal data.