Earlier this month, the European Data Protection Board (EDPB) dropped its latest statement on age assurance, listing 10 key principles to follow.
The statement forms part of the EU Digital Services Act working group on child protection (see our latest Online Harms comparison table here). It also sits alongside the Audio-Visual Media Directive, initiatives such as Better Internet for Kids (BIOC), individual Member State codes and guidance on processing children’s personal data, and of course the UK’s own Online Safety Act developments around age assurance. Since age assurance is currently such a hot topic for regulators around the world, guidance from a body such as the EDPB is welcome. Overall, however, there is little that is genuinely new here: no surprises, but also little practical additional insight beyond what service providers would already know.
The key points to note are:
- Service providers should conduct age assurance without infringing on the user’s rights and freedoms, including the prevention of any data protection risks. Always think BIOC.
- The statement permits a risk-based approach to age assurance (i.e., the age assurance method used can depend on the risks the processing creates for the child and what level of age certainty is required) and does not mandate the adoption of any one solution.
- It emphasises that controllers should only process personal data that is strictly necessary for the purpose of age assurance to offer an age-appropriate experience.
- The effectiveness of age assurance should be evaluated against several criteria, including accessibility, reliability, and robustness. Age assurance methods should be accessible and easy to complete; proven to be accurate and consistent; and there should be viable alternatives to prove age where users cannot or do not want to use a specific method of age assurance.
- Controllers should be transparent about how personal data is being used in the age assurance process, and make sure this information is clear and easy for children to understand.
- If there is any automated decision making involved in the process, this must comply with GDPR requirements.
- With data protection by design and by default at the forefront, the EDPB recommends that consideration is given to technologies favouring user-held data and secure local processing (device-based), allowing properties such as unlinkability and selective disclosure of information.
- Security measures are still highly important to protect age assurance data.
- Given the involvement of a range of different stakeholders, governance is key so that service providers and any third parties involved are accountable for demonstrating compliance and understanding the delegation of responsibility.
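To make the data minimisation and selective disclosure points concrete (the principles in the third and seventh bullets above), here is an added illustration that is not part of the EDPB statement or of this article. It is a toy, SD-JWT-style construction: a credential held on the user's device carries salted digests of its attributes, the device derives age-bracket claims locally from the date of birth, and the holder discloses only the claim the service actually needs (for example `age_over_18`), never the name or date of birth. Every name in the block is an assumption of this example; the HMAC with a key shared between issuer and verifier stands in for a real issuer signature, and the construction does not by itself provide unlinkability, since the same signed digest list is presented each time.

```python
"""Toy selective-disclosure age credential (illustrative, not from the EDPB statement).

Assumptions: ISSUER_KEY stands in for an issuer signing key (a real scheme would
use an asymmetric signature so the verifier never holds the issuer's secret);
all attribute values are JSON-serialisable; dates are ISO strings.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed demo key; in practice the issuer's private signing key.
ISSUER_KEY = b"constructed-demo-issuer-key"


def salted_digest(name: str, value, salt: str) -> str:
    """Commit to one attribute so it can be disclosed (or withheld) later."""
    blob = json.dumps([salt, name, value], separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


def derive_age_claims(dob_iso: str, today: date) -> dict:
    """Compute age-bracket booleans locally on the device; only these are shared."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {"age_over_13": age >= 13, "age_over_18": age >= 18}


def issue_credential(attributes: dict, issuer_key: bytes):
    """Issuer signs only the sorted digests; the holder keeps salts and values."""
    disclosures = {}
    digests = []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(salted_digest(name, value, salt))
    payload = json.dumps({"_sd": sorted(digests)}, separators=(",", ":"))
    tag = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(credential: dict, disclosures: dict, wanted: list) -> dict:
    """Holder reveals only the requested attributes (selective disclosure)."""
    return {
        "credential": credential,
        "disclosures": {name: disclosures[name] for name in wanted},
    }


def verify_presentation(presentation: dict, issuer_key: bytes, required: list):
    """Relying party: check issuer tag, check each disclosed attribute against
    the signed digest list, and confirm every required claim is present.
    Returns the disclosed attributes, or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return None
    signed_digests = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if salted_digest(name, value, salt) not in signed_digests:
            return None  # disclosure does not match what the issuer signed
        revealed[name] = value
    if any(claim not in revealed for claim in required):
        return None
    return revealed


def demo(dob_iso: str = "2004-03-15", today: date = date(2025, 6, 1)):
    """End-to-end run: full attributes on device, only age_over_18 leaves it."""
    attributes = {"name": "Constructed Example", "dob": dob_iso}
    attributes.update(derive_age_claims(dob_iso, today))
    credential, disclosures = issue_credential(attributes, ISSUER_KEY)
    presentation = present(credential, disclosures, ["age_over_18"])
    return verify_presentation(presentation, ISSUER_KEY, ["age_over_18"])


if __name__ == "__main__":
    print(demo())  # only the over-18 claim reaches the service
```

The verifier learns a single boolean that the issuer vouched for and nothing else about the person, which is the "strictly necessary" processing the statement asks for. Unlinkability across services would need per-presentation re-randomisation or a batch of single-use credentials, which this toy omits.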