Draft guidance on children and the General Data Protection Regulation (EU) 2016/679 (GDPR) has been published by the Information Commissioner’s Office (ICO) and remains open for consultation until 28 February 2018.
The guidance sets out the changes in dealing with children’s personal data which will come into force on 25th May. Recital 38 acknowledges that particular safeguards are required when dealing with children’s personal data, as a child data subject may be less aware of the risks, consequences and their rights in relation to the processing of their personal data.
Key changes identified in the guidance include:
- Where online services are provided to a child, and consent is relied on as the basis for processing, only children aged 13 or over are able to give consent. For children younger than 13, consent must be given by a person with parental responsibility for the child. The only exception to this requirement is where the online service is a preventive or counselling service.
- Providers relying on consent as their basis for processing will need to verify that anyone providing their consent is in fact old enough to do so. The GDPR also requires the service provider to make reasonable efforts to ensure that any holder of parental responsibility purporting to give consent on behalf of the child is in fact able to do so, and recommends using available technology to verify this.
- Particular care must be taken when children’s personal data is used for marketing purposes or for creating user or personality profiles.
- The GDPR gives children the right not to be subject to decisions based solely on automated processing where these have a legal or other significant effect on them. Although there are specific exceptions to this provision, the GDPR clearly sets out that this should not be the norm and any processors currently making such automated decisions should review their processing activities carefully.
- Age-appropriate privacy notices must be displayed for children and should highlight, in particular, the right to have personal data erased.
Any service provider processing the personal data of children is advised to consult with children when designing their processing and consider this additional need for protection from the outset, going so far as to design their system and processing with this obligation in mind. Conducting a Data Protection Impact Assessment will help with this process.
It remains to be seen what, if any, changes will be made as a result of the consultation. All online service providers should bear in mind that even if a service isn’t targeted at children, they may end up processing children’s personal data anyway. In this situation, the risks should be calculated and appropriate safeguards or preventive measures put in place.
Overall, there are some new requirements introduced by the GDPR regarding the processing of children’s personal data and processors should ensure they have adopted appropriate procedures and considered their activities in line with the enhanced protections for children ahead of the 25th May.