The ICO has recently published draft guidance about the special considerations that must be given to the rights of children under the General Data Protection Regulation. In 2017, Ofcom reported that 53% of children aged 3-4 access the internet and that figure reaches 99% for those aged 12 to 15 (Ofcom, Children and Parents: Media Use and Attitudes Report, 29 November 2017). In today’s world where children intuitively use technology as part of their learning and play it is important that today’s legislation reflects this and provides the necessary protection. The Data Protection Act 1998 does not provide specific provisions dealing with children’s data but the GDPR and the Data Protection Bill specifically address this issue.
Recital 38 of the GDPR states the following: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”.
Under Article 8 of the GDPR, only children aged 16 or over can consent to the processing of their personal data in relation to the offer of information society services. However, the GDPR allows Member States to lower that age limit to no less than 13 years and in the current draft of the Data Protection Bill, the UK has chosen to exercise that option and reduce the age of consent to 13. Where children are under the age of 13 then the consent must be given by the person who has parental responsibility for that child, except where the services are for preventative or counselling services. In this respect the Article 29 Working Party guidance suggests that a proportionate approach is taken to identifying whether the person providing consent does have parental responsibility.
When the Data Protection Bill was discussed in the House of Lords the age of consent for information security services was an area of discussion and concern as some members of the House of Lords thought the age of 13 was too low and some felt that it reflected reality as this is the minimum age used by many social media providers. However no amendments to the Bill have been made so far in this respect.
The Data Protection Bill has been amended since the first reading and section 124 of the Bill now provides for the ICO to prepare an age-appropriate design code. The code of practice must contain guidance about the standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
At the end of 2017, the ICO published draft guidance on children and the GDPR which includes guidance on information society services. When referring to children the ICO is referring to those aged under 18, in accordance with the UN Convention on the Rights of the Child. The guidance is only in draft form at the moment and is out for consultation before final guidance is published and the consultation period ends on 28 February 2018. The draft guidance though is a useful guide to the ICO’s approach to the processing of children’s data and the protection they expect it to be given.
By way of summary, some of the areas focused on by the guidance are as follows:
Data Privacy Notices and Consent
- Where children are going to be users of a service that will process their data then organisations need to consider how they will clearly articulate their data privacy notice in a suitable and engaging manner. The ICO draft guidance sets out that when an organisation relies on consent as the basis of processing a child’s data then the child must understand what they are consenting to and so the messaging around that needs to be clear.
- The guidance further suggests that even if an organisation relies on the consent of the person with parental responsibility, there should be two versions of the privacy notice, one for the person with parental responsibility and one for the child.
Consultation
- When designing a system that will carry out processing of children’s data, the ICO draft guidance suggests that organisations consult with children. The ICO also points to the UN Convention on the Rights of the Child in this respect which provides the right for children to express their views in matters affecting them.
Right of Erasure
- Another area that the guidance focuses on is that the right of erasure is particularly relevant where the data subject gave consent to the processing of their data as a child. This is set out at Recital 65 of the GDPR: “That right [the right to erasure] is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved”.
- This is a point to consider when organisation create policies around the right to erasure.
Automated Decision Making
- The GDPR gives further guidance as to children’s rights in the context of automated decision making and the ICO draft guidance again emphasises that children must have clear information about how their data is processed in this regard.
- Article 22 sets out the circumstances in which a data subject can be subject to a decision based solely on automated processing which produces legal effects concerning the data subject. Article 22 does not set out different circumstances for children so the conditions apply to both adults and children. However the ICO draft guidance points towards Recital 17 which suggests that such processing “should not concern a child”.
The ICO Grants Programme is supporting research to be carried out by the London School of Economics into Children’s online privacy. That research is due to run from February 2018 to February 2019 so will hopefully look at the impact of the GDPR.
One of the aims of the GDPR is provide legislation that reflects the technology we use today and as part of that it must reflect the users of that technology. We must now look to see if any changes are made to the final version of the Data Protection Bill to address any of the concerns raised by the House of Lords and await the final version of the ICO guidance.
