On 17 December 2021, following a public consultation, the Irish Data Protection Commission (DPC) published the final version of its guidance on processing children’s personal data, entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” – also known as the “Fundamentals”. The Fundamentals set out 14 key principles and practical recommendations for organisations to follow when processing children’s data.
The Fundamentals are similar to the UK ICO’s Age Appropriate Design Code (AADC) and its 15 standards, with the principle that the processing must be in the best interests of the child underpinning both, as taken from the UN Convention on the Rights of the Child, and “children” being individuals up to the age of 18. Both cover key points around transparency and information appropriate for children and the importance of determining the age of service users and they both recommend that organisations carry out data protection impact assessments for processing children’s data.
A key area in the AADC that received a lot of attention is default settings. The Fundamentals also focus on design and default settings including for data sharing, privacy settings, geolocation, profiling for marketing or advertising, and nudge techniques. The Fundamentals state that service providers should not profile children and/or carry out automated decision making for marketing or advertising purposes, unless they can clearly demonstrate how and why it is in the best interests of the child.
However, there are some differences between them, notably:
- The AADC only applies to online services but the Fundamentals also apply to offline services (including educational providers, sports and social clubs and communities, and health and social support providers).
- The Fundamentals say more on the topic of consent, including stating that a higher burden applies to technology and internet organisations to both verify age and consent where relied upon. Remember, in England and Wales and Northern Ireland the age of consent for online data protection purposes is 13 years old; in Scotland it is 12 years old; and in Ireland it is 16 years old.
- The Fundamentals also provide that children should be able to raise questions with organisations directly (e.g. via instant chat or a privacy dashboard) regarding the transparency of information they received.
- The Fundamentals do not contain specific recommendations for the type and detail of information that should be provided to different age groups, as is the case under the AADC with its developmental stages.
- The Fundamentals state that, where default privacy settings are changed at the end of a user session, the setting should return to the default setting. The AADC takes a different approach, stating that when users change their settings, they should be given a choice whether to change settings permanently or for the current session only.
- The Fundamentals provide that, if a service is directed or likely to be used by children, an organisation cannot bypass its obligations by shutting out children or depriving them of a rich user experience. There is no corresponding requirement in the AADC.
- The “bake it in” fundamental also covers a number of areas not dealt with under the AADC, including user choice, personal data breaches and security.
Perhaps the most important difference to note however are that, unlike the grace period under the AADC, the Fundamentals have immediate application and operational effect and now form the basis for the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data.