Children’s Rights and the GDPR
The General Data Protection Regulation (“GDPR”) applies to both children and adults alike and includes certain child-specific clauses that aim to protect the data of children. Children merit additional protections because they are less likely to be familiar with the risks, consequences and safeguards regarding their personal and public data.
The GDPR has a non-standardized definition of a child, with the default age set to those sixteen years old and below. Member States are permitted to lower the age cap to define children in the GDPR, but to no younger than thirteen years old. This is an option nearly half the Member States have exercised.
As part of the implementation of the GDPR, European regulators have begun developing guidance on how they view children’s data privacy rights. Recently the UK Information Commissioner’s office began developing an Age Appropriate Design Code (the “Code”) to inform organizations seeking consent to use children’s data. The Information Commissioner’s current call for evidence seeks evidence from bodies representing the interests of children or parents, child development experts, and online service providers. This evidence will be taken into consideration while developing the Code in order to provide clear guidelines and expectations of age-appropriate design standards to providers of online information society services.
The best way to comply with the GDPR’s regulation of the data of children is to understand the relevant provisions of the legislation very well. In particular, the GDPR’s provisions regarding informed consent, the right to erasure, and automated decision making are relevant to organizations which may be processing a child’s data.
Article 6 of the GDPR requires data controllers to have at least one lawful basis in order to process and collect data. Consent is one such lawful basis by which this may occur. However, children, as defined by individual Member States, may not consent to the collection or processing of their data. Data controllers are responsible for undertaking reasonable efforts in order to confirm that the data supplier is old enough to consent. If it is determined that the data supplier is a child, then data controllers must make reasonable efforts to verify that consent is given or authorized by whoever holds parental responsibility for the child. The European Union has yet to adopt any specific mechanisms for age verification and parental consent, and it remains to be seen what will and will not qualify as “reasonable efforts” by data controllers to confirm age-appropriate consent.
When consent is granted on behalf of a child, the child whose data is being collected must be informed of their right to withdraw consent at any time. Children are also entitled to be informed as to how their data is being used and what rights they have with respect to their data. These notices must be addressed to the child in plain and age-appropriate language. The GDPR has included this with the aim of alleviating the power imbalance between data controllers and children when relying upon consent as the legal basis for processing children’s personal data.
Right to erasure
Data subjects may withdraw consent and exercise the right to have their personal and public data erased and no longer processed. Data controllers have one month to respond to a request, which may be made verbally or in writing. This right applies to adults and children alike, however Article 17 of the GDPR emphasises the importance of this right when personal data is collected from children, regardless of the data subject’s current age. The process by which a child or adult may request that their data be erased must be designed in a such a way that a child could make this request with ease.
The practical scope of the right to erasure as it pertains to third-party controllers, electronic copies and physical backups remains to be seen. This may be particularly difficult when adults exercise this right long after the data from their childhood was collected.
Solely automated decision making
Children have the right to be informed of when their personal and public data is being used for advertising purposes. Upon request, a data controller must cease profiling and direct marketing to children. The GDPR states that solely automated decisions should not be made using children’s data and that the decision to do so must be based on the exceptions listed in Article 22(2) and have sufficient measures in place to protect children’s’ best interests.
What does this mean for North American organizations?
The GDPR’s significance to organizations in Canada depends upon whether Canada will be recognized as having equivalent data protection legislation. The GDPR repeals and replaces the 1995 Data Protection Directive, which had previously determined Canada’s “adequate status” in virtue of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Canada’s adequacy status will be revaluated according to the GDPR standard. Possible discrepancies between PIPEDA and the GDPR, including those pertaining to the rights of children, were drivers for the House of Commons Standing Committee on Access to Information, Privacy and Ethics recommendation to update PIPEDA. Other jurisdictions, such as California, have recently updated their data protection statutes as well.
Even if not physically located in Europe, North American organizations are not outside the scope of the GDPR. Organizations that collect or process data from data subjects in the EU must determine how they will comply with the non-standardized definitions of children of Member States. The knock on effect of the efforts required to comply with the GDPR is that organizations may simply engage in GDPR compliant practices as their global standard or engage in geo-blocking since this is easier than selective application of compliance measures.
For more information, please visit our Cybersecurity Privacy & Data Management Group’s webpage.
Tandia Hantho, a law student at McCarthy Tétrault's Toronto office, co-wrote this article.